Configuration Guide - Ethernet -...

S2700&S3700 Series Ethernet Switches

V100R006C05

Configuration Guide - Ethernet

Issue 04

Date 2014-01-20

HUAWEI TECHNOLOGIES CO., LTD.

Copyright © Huawei Technologies Co., Ltd. 2014. All rights reserved.

No part of this document may be reproduced or transmitted in any form or by any means without prior writtenconsent of Huawei Technologies Co., Ltd. Trademarks and Permissions

and other Huawei trademarks are trademarks of Huawei Technologies Co., Ltd.All other trademarks and trade names mentioned in this document are the property of their respective holders. NoticeThe purchased products, services and features are stipulated by the contract made between Huawei and thecustomer. All or part of the products, services and features described in this document may not be within thepurchase scope or the usage scope. Unless otherwise specified in the contract, all statements, information,and recommendations in this document are provided "AS IS" without warranties, guarantees or representationsof any kind, either express or implied.

The information in this document is subject to change without notice. Every effort has been made in thepreparation of this document to ensure accuracy of the contents, but all statements, information, andrecommendations in this document do not constitute a warranty of any kind, express or implied.

Huawei Technologies Co., Ltd.Address: Huawei Industrial Base

Bantian, LonggangShenzhen 518129People's Republic of China

Website: http://enterprise.huawei.com

Issue 04 (2014-01-20) Huawei Proprietary and ConfidentialCopyright © Huawei Technologies Co., Ltd.

i

http://enterprise.huawei.com

About This Document

Intended AudienceThis document describes how to configure the components for Ethernet switching services.

This document provides procedures and examples to illustrate the methods and applicationscenarios for the Ethernet switching configurations.

This document is intended for:

l Data configuration engineers

l Commissioning engineers

l Network monitoring engineers

l System maintenance engineers

Symbol ConventionsThe symbols that may be found in this document are defined as follows.

Symbol Description

Indicates an imminently hazardous situationwhich, if not avoided, will result in death orserious injury.

Indicates a potentially hazardous situationwhich, if not avoided, could result in death orserious injury.

Indicates a potentially hazardous situationwhich, if not avoided, may result in minor ormoderate injury.

Indicates a potentially hazardous situationwhich, if not avoided, could result inequipment damage, data loss, performancedeterioration, or unanticipated results.NOTICE is used to address practices notrelated to personal injury.

S2700&S3700 Series Ethernet SwitchesConfiguration Guide - Ethernet About This Document


ii

Symbol Description

NOTE Calls attention to important information, bestpractices and tips.NOTE is used to address information notrelated to personal injury, equipment damage,and environment deterioration.

Command ConventionsThe command conventions that may be found in this document are defined as follows.

Convention Description

Boldface The keywords of a command line are in boldface.

Italic Command arguments are in italics.

[ ] Items (keywords or arguments) in brackets [ ] are optional.

{ x | y | ... } Optional items are grouped in braces and separated byvertical bars. One item is selected.

[ x | y | ... ] Optional items are grouped in brackets and separated byvertical bars. One item is selected or no item is selected.

{ x | y | ... }* Optional items are grouped in braces and separated byvertical bars. A minimum of one item or a maximum of allitems can be selected.

[ x | y | ... ]* Optional items are grouped in brackets and separated byvertical bars. Several items or no item can be selected.

&<1-n> The parameter before the & sign can be repeated 1 to n times.

# A line starting with the # sign is comments.

Interface Numbering ConventionsInterface numbers used in this manual are examples. In device configuration, use the existinginterface numbers on devices.

Security Conventionsl Password setting



iii

– When configuring a password, the cipher text is recommended. To ensure devicesecurity, change the password periodically.

– When you configure a password in cipher text that starts and ends with %$%$ (thepassword can be decrypted by the device), the password is displayed in the same manneras the configured one in the configuration file. Do not use this setting.

l Encryption algorithmCurrently, the device uses the following encryption algorithms: DES, AES, SHA-1, SHA-2,and MD5. DES and AES are reversible, and SHA-1, SHA-2, and MD5 are irreversible.The encryption algorithm depends on actual networking. If protocols are used forinterconnection, the locally stored password must be reversible. It is recommended that theirreversible encryption algorithm be used for the administrator password.

l Personal dataSome personal data may be obtained or used during operation or fault location of yourpurchased products, services, features, so you have an obligation to make privacy policiesand take measures according to the applicable law of the country to protect personal data.

Change HistoryChanges between document issues are cumulative. Therefore, the latest document versioncontains all updates made to previous versions.

Changes in Issue 04 (2014-01-20)This version has the following updates:

The following information is modified:l 3 VLAN Mapping Configuration


The following information is modified:

l 2.2 VLAN Features Supported by the Devicel 2.4.3 Dividing a LAN into VLANs Based on IP Subnetsl 2.4.4 Dividing a LAN into VLANs Based on Protocols


The following information is modified:

l 2.4.2 Dividing a LAN into VLANs Based on MAC Addresses

Changes in Issue 01 (2013-02-08)Initial commercial release.



iv

Contents

About This Document.....................................................................................................................ii

1 Link Aggregation Configuration................................................................................................11.1 Link Aggregation Overview...........................................................................................................................................21.2 Link Aggregation Features Supported by the Switch.....................................................................................................21.3 Default Settings..............................................................................................................................................................31.4 Configuring Link Aggregation in Manual Load Balancing Mode.................................................................................41.4.1 Creating an LAG.........................................................................................................................................................41.4.2 Setting the Manual Load Balancing Mode..................................................................................................................41.4.3 Adding Member Interfaces to an Eth-Trunk...............................................................................................................51.4.4 (Optional) Setting the Lower Threshold for the Number of Active Interfaces...........................................................61.4.5 (Optional) Configuring the Load Balancing Mode.....................................................................................................71.4.6 Checking the Configuration.........................................................................................................................................81.5 Configuring Link Aggregation in LACP Mode.............................................................................................................81.5.1 Creating an LAG.........................................................................................................................................................81.5.2 Setting the LACP Mode..............................................................................................................................................81.5.3 Adding Member Interfaces to an Eth-Trunk...............................................................................................................91.5.4 (Optional) Limiting the Number of Active Interfaces...............................................................................................111.5.5 (Optional) Configuring the Load Balancing Mode...................................................................................................121.5.6 (Optional) Setting the LACP System Priority...........................................................................................................121.5.7 (Optional) Setting the LACP Priority for an Interface..............................................................................................131.5.8 (Optional) Configuring LACP Preemption...............................................................................................................141.5.9 (Optional) Setting the Timeout Interval for Receiving LACPDUs...........................................................................151.5.10 Checking the Configuration.....................................................................................................................................151.6 Maintaining Link Aggregation.....................................................................................................................................161.6.1 Clearing LACP Packet Statistics...............................................................................................................................161.6.2 Monitoring the Operating Status of an LAG.............................................................................................................161.7 Configuration Examples...............................................................................................................................................171.7.1 Example for Configuring Link Aggregation in Manual Load Balancing Mode.......................................................171.7.2 Example for Configuring Link Aggregation in LACP Mode....................................................................................191.8 Common Configuration Errors.....................................................................................................................................231.8.1 Traffic Is Unevenly Load Balanced Between Eth-Trunk Member Interfaces Due to the Incorrect Load BalancingMode...................................................................................................................................................................................23

S2700&S3700 Series Ethernet SwitchesConfiguration Guide - Ethernet Contents


v

2 VLAN Configuration..................................................................................................................242.1 VLAN Overview..........................................................................................................................................................262.2 VLAN Features Supported by the Device....................................................................................................................262.3 Default Configuration...................................................................................................................................................342.4 Assigning a LAN to VLANs........................................................................................................................................342.4.1 Dividing a LAN into VLANs Based on Ports...........................................................................................................342.4.2 Dividing a LAN into VLANs Based on MAC Addresses.........................................................................................362.4.3 Dividing a LAN into VLANs Based on IP Subnets..................................................................................................382.4.4 Dividing a LAN into VLANs Based on Protocols....................................................................................................392.4.5 Checking the Configuration.......................................................................................................................................412.5 Configuring VLANIF Interfaces for Inter-VLAN Communication.............................................................................412.6 Configuring VLAN Aggregation to Save IP Addresses...............................................................................................432.6.1 Creating a Sub-VLAN...............................................................................................................................................432.6.2 Creating a Super-VLAN............................................................................................................................................442.6.3 Assigning an IP Address to the VLANIF Interface of a Super-VLAN.....................................................................452.6.4 (Optional) Enabling Proxy ARP on the VLANIF Interface of a Super-VLAN........................................................452.6.5 Checking the Configuration.......................................................................................................................................462.7 Configuring MUX VLAN............................................................................................................................................462.7.1 Configuring a Principal VLAN for a MUX VLAN..................................................................................................472.7.2 Configuring a Group VLAN for a Subordinate VLAN.............................................................................................472.7.3 Configuring a Separate VLAN for a Subordinate VLAN.........................................................................................482.7.4 Enabling the MUX VLAN Function on a Port..........................................................................................................482.7.5 Checking the Configuration.......................................................................................................................................492.8 Configuring an mVLAN to Implement Integrated Management.................................................................................492.9 Maintaining VLAN.......................................................................................................................................................512.9.1 Collecting Statistics on VLAN Traffic......................................................................................................................512.9.2 Clearing the Statistics of VLAN Packets..................................................................................................................512.9.3 Enable GMAC ping to detect Layer 2 network connectivity....................................................................................522.9.4 Enable GMAC trace to locate faults..........................................................................................................................522.10 Configuration Examples.............................................................................................................................................542.10.1 Example for Assigning VLANs Based on Ports.....................................................................................................542.10.2 Example for Assigning VLANs based on MAC Addresses....................................................................................562.10.3 Example for Assigning VLANs Based on IP Subnets............................................................................................582.10.4 Example for Assigning VLANs Based on Protocols...............................................................................................612.10.5 Example for Implementing Inter-VLAN Communication Using VLANIF Interfaces...........................................642.10.6 Example for Configuring VLAN Aggregation........................................................................................................662.10.7 Example for Configuring MUX VLAN..................................................................................................................682.11 Common Configuration Errors...................................................................................................................................712.11.1 User Terminals in the Same VLAN Cannot Ping Each Other.................................................................................712.11.2 VLANIF Interface Goes Down...............................................................................................................................73

3 VLAN Mapping Configuration................................................................................................74



vi

3.1 VLAN Mapping Overview...........................................................................................................................................753.2 VLAN Mapping Features Supported by Devices.........................................................................................................753.3 Configuring Interface-based VLAN Mapping..............................................................................................................753.4 Configuring Global VLAN Mapping...........................................................................................................................763.5 Configuration Examples...............................................................................................................................................773.5.1 Example for Configuring Interface-based VLAN Mapping......................................................................................773.5.2 Example for Configuring Interface-based N:1 VLAN Mapping...............................................................................813.5.3 Example for Configuring Global VLAN Mapping...................................................................................................823.6 Common Configuration Errors.....................................................................................................................................843.6.1 Communication Failure After VLAN Mapping Configuration.................................................................................84

4 Voice VLAN Configuration.......................................................................................................874.1 Voice VLAN Overview................................................................................................................................................884.2 Voice VLAN Features Supported by the Device.........................................................................................................884.3 Default Configuration...................................................................................................................................................894.4 Configuring an Automatic Voice VLAN.....................................................................................................................894.4.1 Configuring an OUI for a Voice VLAN....................................................................................................................894.4.2 Enabling the Voice VLAN Function.........................................................................................................................904.4.3 Configuring the Auto Mode of Adding a Port to the Voice VLAN..........................................................................914.4.4 (Optional) Configuring the Working Mode for a Voice VLAN................................................................................914.4.5 (Optional) Configuring an 802.1p Priority and a DSCP Value for the Voice VLAN...............................................934.4.6 (Optional) Setting an Aging Timer for a Voice VLAN.............................................................................................934.4.7 (Optional) Configuring a Port to Communicate with a Voice Device of Another Vendor.......................................944.4.8 Checking the Configuration.......................................................................................................................................944.5 Configuring a Manual Voice VLAN............................................................................................................................954.5.1 Configuring an OUI for a Voice VLAN....................................................................................................................954.5.2 Enabling the Voice VLAN Function.........................................................................................................................964.5.3 Configuring the Mode in Which Ports Are Added to a Voice VLAN......................................................................974.5.4 (Optional) Configuring the Working Mode for a Voice VLAN................................................................................974.5.5 (Optional) Configuring an 802.1p Priority and a DSCP Value for the Voice VLAN...............................................994.5.6 (Optional) Configuring a Port to Communicate with a Voice Device of Another Vendor.......................................994.5.7 Checking the Configuration.....................................................................................................................................1004.6 Configuration Examples.............................................................................................................................................1004.6.1 Example for Configuring a Voice VLAN in Auto Mode........................................................................................1004.6.2 Example for Configuring a Voice VLAN in Manual Mode....................................................................................103

5 QinQ Configuration..................................................................................................................1065.1 QinQ Overview...........................................................................................................................................................1075.2 QinQ Features Supported by the Device....................................................................................................................1085.3 Configuring Basic QinQ.............................................................................................................................................1105.4 Configuring Selective QinQ.......................................................................................................................................1125.5 Configuring the TPID Value for an Outer VLAN Tag...............................................................................................1135.6 Configuring QinQ Stacking on a VLANIF Interface.................................................................................................114



vii

5.7 Configuration Examples.............................................................................................................................................1165.7.1 Example for Configuring basic QinQ......................................................................................................................1165.7.2 Example for Configuring Selective QinQ...............................................................................................................1195.7.3 Example for Configuring Selective QinQ with VLAN Mapping............................................................................1215.7.4 Example for Configuring QinQ Stacking on a VLANIF Interface.........................................................................124

6 GVRP Configuration................................................................................................................1276.1 GVRP Overview.........................................................................................................................................................1286.2 Default Configuration.................................................................................................................................................1286.3 Configuring GVRP.....................................................................................................................................................1296.3.1 Enabling GVRP.......................................................................................................................................................1296.3.2 (Optional) Setting the Registration Mode for a GVRP Interface............................................................................1306.3.3 (Optional) Setting the GARP Timers......................................................................................................................1306.3.4 Checking the Configuration.....................................................................................................................................1326.4 Maintaining GVRP.....................................................................................................................................................1326.4.1 Clearing GVRP Statistics........................................................................................................................................1326.5 Configuration Examples.............................................................................................................................................1336.5.1 Example for Configuring GVRP.............................................................................................................................133

7 MAC Address Table Configuration.......................................................................................1377.1 MAC Address Table Overview..................................................................................................................................1397.2 MAC Address Features Supported by the Device......................................................................................................1417.3 Default Configuration.................................................................................................................................................1457.4 Configuring the MAC Address Table........................................................................................................................1467.4.1 Configuring a Static MAC Address Entry...............................................................................................................1467.4.2 Configuring a Blackhole MAC Address Entry........................................................................................................1467.4.3 Setting the Aging Time of Dynamic MAC Address Entries...................................................................................1477.4.4 Disabling MAC Address Learning..........................................................................................................................1477.4.5 Limiting the Number of Learned MAC Addresses.................................................................................................1487.4.6 Checking the Configuration.....................................................................................................................................1507.5 Configuring Port Security...........................................................................................................................................1507.5.1 Configuring the Secure MAC Function on an Interface..........................................................................................1517.5.2 Configuring the Sticky MAC Function on an Interface..........................................................................................1527.5.3 Checking the Configuration.....................................................................................................................................1537.6 Configuring MAC Address Flapping Detection.........................................................................................................1537.7 Enabling MAC Spoofing Defense..............................................................................................................................1557.8 Configuring the Switch to Discard Packets with an All-0 MAC Address.................................................................1557.9 Enabling MAC Address-triggered ARP Entry Update...............................................................................................1567.10 Enabling Port Bridge................................................................................................................................................1587.11 Configuration Examples...........................................................................................................................................1597.11.1 Example for Configuring the MAC Address Table...............................................................................................1597.11.2 Example for Configuring MAC Address Learning in a VLAN............................................................................1617.11.3 Example for Configuring Port Security.................................................................................................................163



viii

7.12 Common Configuration Errors.................................................................................................................................1657.12.1 Correct MAC Address Entry Cannot Be Learned on the Device..........................................................................165

8 STP/RSTP Configuration.........................................................................................................1698.1 STP/RSTP Overview..................................................................................................................................................1718.2 STP/RSTP Features Supported by the S2700&S3700...............................................................................................1758.3 Default Configuration.................................................................................................................................................1778.4 Configuring Basic STP/RSTP Functions...................................................................................................................1778.4.1 Configuring the STP/RSTP Mode...........................................................................................................................1788.4.2 (Optional) Configuring the Root Bridge and Secondary Root Bridge....................................................................1788.4.3 (Optional) Configuring Switching Device Priorities...............................................................................................1798.4.4 (Optional) Setting the Path Cost for a Port..............................................................................................................1808.4.5 (Optional) Configuring Port Priorities.....................................................................................................................1818.4.6 Enabling STP/RSTP................................................................................................................................................1828.4.7 Checking the Configuration.....................................................................................................................................1838.5 Setting STP Parameters That Affect STP Convergence.............................................................................................1838.5.1 Setting the STP Network Diameter.........................................................................................................................1838.5.2 Setting the STP Timeout Interval............................................................................................................................1848.5.3 Setting the Values of STP Timers...........................................................................................................................1848.5.4 Setting the Maximum Number of Connections That Affect Spanning Tree Calculation........................................1868.5.5 Checking the Configuration.....................................................................................................................................1878.6 Setting RSTP Parameters That Affect RSTP Convergence.......................................................................................1878.6.1 Setting the RSTP Network Diameter.......................................................................................................................1878.6.2 Setting the RSTP Timeout Interval.........................................................................................................................1888.6.3 Setting RSTP Timers...............................................................................................................................................1898.6.4 Setting the Maximum Number of Connections That Affect Spanning Tree Calculation........................................1908.6.5 Setting the Link Type of a Port...............................................................................................................................1918.6.6 Setting the Maximum Transmission Rate of an Interface.......................................................................................1928.6.7 Switching to the RSTP mode...................................................................................................................................1928.6.8 Configuring a Port as an Edge Port and BPDU Filter Port.....................................................................................1938.6.9 Checking the Configuration.....................................................................................................................................1958.7 Configuring RSTP Protection Functions....................................................................................................................1958.7.1 Configuring BPDU Protection on a Switching Device...........................................................................................1958.7.2 Configuring TC Protection on a Switching Device.................................................................................................1968.7.3 Configuring Root Protection on a Port....................................................................................................................1968.7.4 Configuring Loop Protection on a Port...................................................................................................................1978.7.5 Checking the Configuration.....................................................................................................................................1988.8 Setting Parameters for Interworking Between the S2700&S3700 and a Non-Huawei Device..................................1988.9 Maintaining STP/RSTP..............................................................................................................................................1998.9.1 Clearing STP/RSTP Statistics.................................................................................................................................1998.9.2 Monitoring the Statistics on STP/RSTP Topology Changes...................................................................................1998.10 Configuration Examples...........................................................................................................................................200



ix

8.10.1 Example for Configuring Basic STP Functions....................................................................................................2008.10.2 Example for Configuring Basic RSTP Functions..................................................................................................204

9 MSTP Configuration.................................................................................................................2099.1 MSTP Introduction.....................................................................................................................................................2119.2 MSTP Features Supported by the S2700&S3700......................................................................................................2199.3 Default Configuration.................................................................................................................................................2219.4 Configuring Basic MSTP Functions...........................................................................................................................2229.4.1 Configuring the MSTP Mode..................................................................................................................................2229.4.2 Configuring and Activating an MST Region..........................................................................................................2239.4.3 (Optional) Configuring the Root Bridge and Secondary Root Bridge....................................................................2259.4.4 (Optional) Configuring a Priority for a Switching Device in an MSTI...................................................................2269.4.5 (Optional) Configuring a Path Cost of a Port in an MSTI.......................................................................................2279.4.6 (Optional) Configuring a Port Priority in an MSTI.................................................................................................2289.4.7 Enabling MSTP.......................................................................................................................................................2289.4.8 Checking the Configuration.....................................................................................................................................2299.5 Configuring MSTP Parameters on an Interface.........................................................................................................2299.5.1 Setting the MSTP Network Diameter......................................................................................................................2309.5.2 Setting the MSTP Timeout Interval.........................................................................................................................2309.5.3 Setting the Values of MSTP Timers........................................................................................................................2319.5.4 Setting the Maximum Number of Connections That Affect Spanning Tree Calculation........................................2329.5.5 Setting the Link Type of a Port...............................................................................................................................2349.5.6 Setting the Maximum Transmission Rate of an Interface.......................................................................................2349.5.7 Switching to the MSTP Mode.................................................................................................................................2359.5.8 Configuring a Port as an Edge Port and BPDU Filter Port.....................................................................................2369.5.9 Setting the Maximum Number of Hops in an MST Region....................................................................................2379.5.10 Checking the Configuration...................................................................................................................................2389.6 Configuring MSTP Protection Functions...................................................................................................................2389.6.1 Configuring BPDU Protection on a Switching Device...........................................................................................2389.6.2 Configuring TC Protection on a Switching Device.................................................................................................2399.6.3 Configuring Root Protection on an Interface..........................................................................................................2409.6.4 Configuring Loop Protection on an Interface..........................................................................................................2409.6.5 Configuring Share-Link Protection on a Switching Device....................................................................................2419.6.6 Checking the Configuration.....................................................................................................................................2429.7 Configuring MSTP Interoperability Between Huawei Devices and Non-Huawei Devices.......................................2429.7.1 Configuring a Proposal/Agreement Mechanism.....................................................................................................2429.7.2 Configuring the MSTP Protocol Packet Format on an Interface.............................................................................2439.7.3 Enabling the Digest Snooping Function..................................................................................................................2449.7.4 Checking the Configuration.....................................................................................................................................2449.8 Maintaining MSTP.....................................................................................................................................................2459.8.1 Clearing MSTP Statistics.........................................................................................................................................2459.8.2 Monitoring the Statistics on MSTP Topology Changes..........................................................................................245



x

9.9 Configuration Examples.............................................................................................................................................2459.9.1 Example for Configuring MSTP.............................................................................................................................245

10 SEP Configuration...................................................................................................................25410.1 SEP Overview...........................................................................................................................................................25610.2 SEP Features Supported by the Device....................................................................................................................27010.3 Configuring Basic SEP Functions............................................................................................................................27410.3.1 Configuring a SEP Segment..................................................................................................................................27410.3.2 Configuring a Control VLAN................................................................................................................................27410.3.3 Creating a Protected Instance................................................................................................................................27510.3.4 Adding a Layer 2 Interface to a SEP Segment and Configuring a Role for the Interface.....................................27610.3.5 Checking the Configuration...................................................................................................................................27910.4 Specifying an Interface to Block..............................................................................................................................27910.4.1 Setting an Interface Blocking Mode......................................................................................................................27910.4.2 Configuring the Preemption Mode........................................................................................................................28110.4.3 Checking the Configuration...................................................................................................................................28210.5 Configuring the Topology Change Notification Function.......................................................................................28210.5.1 Reporting Topology Changes in a Lower-Layer Network - SEP Topology Change Notification........................28310.5.2 Reporting Topology Changes in a Lower-Layer Network - Enabling the Devices in a SEP Segment to ProcessSmartLink Flush Packets..................................................................................................................................................28410.5.3 Reporting Topology Changes in an Upper-Layer Network - Configuring Association Between SEP and CFM..........................................................................................................................................................................................28510.5.4 Checking the Configuration...................................................................................................................................28610.6 Maintaining SEP.......................................................................................................................................................28610.6.1 Clearing SEP Statistics..........................................................................................................................................28610.7 Configuration Examples...........................................................................................................................................28610.7.1 Example for Configuring SEP on a Closed Ring Network...................................................................................28610.7.2 Example for Configuring SEP on a Multi-Ring Network.....................................................................................29310.7.3 Example for Configuring a Hybrid SEP+MSTP Ring Network...........................................................................30510.7.4 Example for Configuring a Hybrid SEP+RRPP Ring Network............................................................................314

11 Layer 2 Protocol Transparent Transmission Configuration............................................32711.1 Layer 2 Protocol Transparent Transmission Overview............................................................................................32911.2 Layer 2 Protocol Transparent Transmission Features Supported by the Device......................................................33011.3 Configuring Interface-based Layer 2 Protocol Transparent Transmission...............................................................33311.3.1 (Optional) Defining Characteristic Information About a Layer 2 Protocol..........................................................33411.3.2 Configuring Layer 2 Protocol Transparent Transmission Mode...........................................................................33411.3.3 Enabling Layer 2 Protocol Transparent Transmission on an Interface.................................................................33511.3.4 Checking the Configuration...................................................................................................................................33611.4 Configuring VLAN-based Layer 2 Protocol Transparent Transmission..................................................................33611.4.1 (Optional) Defining Characteristic Information About a Layer 2 Protocol..........................................................33711.4.2 Configuring Layer 2 Protocol Transparent Transmission Mode...........................................................................33711.4.3 Enabling VLAN-based Layer 2 Protocol Transparent Transmission on an Interface...........................................338



xi

11.4.4 Checking the Configuration...................................................................................................................................33911.5 Configuring QinQ-based Layer 2 Protocol Transparent Transmission....................................................................33911.5.1 (Optional) Defining Characteristic Information About a Layer 2 Protocol..........................................................34011.5.2 Configuring Layer 2 Protocol Transparent Transmission Mode...........................................................................34111.5.3 Enabling QinQ-based Layer 2 Transparent Transmission on an Interface............................................................34211.5.4 Checking the Configuration...................................................................................................................................34311.6 Configuration Examples...........................................................................................................................................34311.6.1 Example for Configuring Interface-based Layer 2 Protocol Transparent Transmission.......................................34311.6.2 Example for Configuring VLAN-based Layer 2 Protocol Transparent Transmission..........................................34711.6.3 Example for Configuring QinQ-based Layer 2 Protocol Transparent Transmission............................................353

12 Loopback Detection Configuration.....................................................................................36112.1 Loopback Detection Overview.................................................................................................................................36212.2 Default Configuration...............................................................................................................................................36312.3 Configuring Loopback Detection.............................................................................................................................36412.3.1 Enabling Loopback Detection...............................................................................................................................36412.3.2 (Optional) Configuring an Action to Be Taken After a Loopback Is Detected.....................................................36512.3.3 (Optional) Setting the Interface Recovery Time...................................................................................................36612.3.4 (Optional) Setting the Interval Between Sending Loopback Detection Packets on an Interface..........................36712.3.5 Checking the Configuration...................................................................................................................................36712.4 Configuration Examples...........................................................................................................................................36712.4.1 Example for Configuring Loopback Detection to Detect Loops on the Downstream Network...........................367

13 VoIP Access Configuration....................................................................................................37013.1 VoIP Access Overview.............................................................................................................................................37113.2 Configuration Examples...........................................................................................................................................37113.2.1 Example for Configuring LLDP on a Switch to Provide VoIP Access.................................................................37113.2.2 Example for Configuring a DHCP Server on a Switch to Provide VoIP Access..................................................37413.2.3 Example for Configuring an Simplified ACL on a Switch to Provide VoIP Access............................................376



xii

1 Link Aggregation Configuration

About This Chapter

Link aggregation is a technology that bundles multiple Ethernet links into a logical link toincrease bandwidth, improve reliability, and load balance traffic.

1.1 Link Aggregation OverviewThis section describes the definition, background, and functions of Link Aggregation.

1.2 Link Aggregation Features Supported by the SwitchThe Switch supports the manual load balancing mode and Link Aggregation Control Protocol(LACP) mode.

1.3 Default SettingsThis section describes default parameter settings of link aggregation.

1.4 Configuring Link Aggregation in Manual Load Balancing ModeLink aggregation implements load balancing, increases interface bandwidth, and improvestransmission reliability.

1.5 Configuring Link Aggregation in LACP ModeLink aggregation implements load balancing, increases interface bandwidth, and improvestransmission reliability.

1.6 Maintaining Link AggregationThis section describes how to maintain link aggregation.

1.7 Configuration ExamplesThis section provides several configuration examples of link aggregation.

1.8 Common Configuration ErrorsThis section describes common configuration errors.

S2700&S3700 Series Ethernet SwitchesConfiguration Guide - Ethernet 1 Link Aggregation Configuration


1

1.1 Link Aggregation OverviewThis section describes the definition, background, and functions of Link Aggregation.

Link aggregation is a technology that bundles a group of physical interfaces into a logicalinterface to increase link bandwidth and reliability.

An LAG is the logical link bundled by many Ethernet links, and is short for Eth-Trunk.

As the network scale expands increasingly, users propose increasingly higher requirements onthe bandwidth and reliability of links. Traditional technologies often use high-speed cards ordevices supporting high-speed interface cards to increase the bandwidth. This method, however,is costly and inflexible.

Link aggregation bundles multiple physical interfaces into a logical interface to increase thebandwidth without upgrading the hardware. The backup mechanism of link aggregationimproves reliability and loads balance traffic among different links.

As shown in Figure 1-1, DeviceA and DeviceB are connected through three Ethernet physicallinks. These three Ethernet physical links are bound to an Eth-Trunk link. The bandwidth of theEth-Trunk link is the sum of bandwidth of the three Ethernet physical links, so bandwidth isincreased. The three Ethernet physical links back up each other, which improves reliability.

Figure 1-1 Networking diagram of link aggregation

DeviceA DeviceB

Eth-Trunk

1.2 Link Aggregation Features Supported by the SwitchThe Switch supports the manual load balancing mode and Link Aggregation Control Protocol(LACP) mode.

Link Aggregation in Manual Load Balancing Mode

In manual load balancing mode, you must manually create a Eth-Trunk interface and add memberinterfaces to the Eth-Trunk interface. In this mode, all the member interfaces of an LAG sharethe traffic evenly. If an active link fails, the other active links share the traffic evenly.

Figure 1-2 Link aggregation in manual load balancing mode

DeviceA DeviceB

Eth-Trunk



2

The manual load balancing mode is used when the peer device does not support LACP.

Link Aggregation in LACP Mode

LACP uses the LACP protocol to negotiate parameters and determine active and inactiveinterfaces. In LACP mode, you must manually create an Eth-Trunk and add member interfacesto the Eth-Trunk. LACP determines active and inactive interfaces by negotiating parametersthrough LACPDUs.

The LACP mode is called M:N mode. The LACP mode can implement load balancing andbackup. In a link aggregation group (LAG), M links are in active state. They forward data andimplement load balancing. The other N links are in inactive state and do not forward data. Whena link among the M links is faulty, the link with the highest priority among the N links are selectedto replace the faulty link. This link enters the active state and starts to forward data.

Figure 1-3 LACP mode

DeviceA DeviceB

Eth-Trunk 1 Eth-Trunk 1

Eth-Trunk

Active linkBackup link

Difference between LACP and manual load balancing: LACP has backup links. In manual loadbalancing mode, all member interfaces are in forwarding state.

1.3 Default SettingsThis section describes default parameter settings of link aggregation.

Table 1-1 Default parameter settings of link aggregation

Parameter Value

Link aggregation mode Manual load balancing mode

max active-linknumber 4 on the S2700SI and 8 on the others.

least active-linknumber 1

LACP system priority 32768

LACP port priority 32768

LACP preemption Disabled

LACP preemption delay 30s

Timeout interval at which LACPDUs arereceived

90s



3

1.4 Configuring Link Aggregation in Manual LoadBalancing Mode

Link aggregation implements load balancing, increases interface bandwidth, and improvestransmission reliability.

1.4.1 Creating an LAG

Context

Each LAG corresponds to a logical interface, that is, Eth-Trunk. Before configuring linkaggregation, create an Eth-Trunk.

Procedure

Step 1 Run:system-view

The system view is displayed.

Step 2 Run:interface eth-trunk trunk-id

An Eth-Trunk is created and the Eth-Trunk interface view is displayed.

If the specified Eth-Trunk already exists, this command directly displays the Eth-Trunk interfaceview.

----End

1.4.2 Setting the Manual Load Balancing Mode

Context

Link aggregation can work in manual load balancing mode and LACP mode.

In manual load balancing mode, you must manually create an Eth-Trunk and add memberinterfaces into the Eth-Trunk. All active links forward data and evenly load balance traffic. Themanual load balancing mode mode is used when the peer device does not support LACP.

Before changing the working mode of an Eth-Trunk, ensure that the Eth-Trunk interface containsno member interface.

To delete existing member interface, run the undo eth-trunk command in the interfaceview or the undo trunkport interface-type interface-number command in theEth-Trunk interface view.



4

Procedure




The Eth-Trunk interface view is displayed.

Step 3 Run:mode manual load-balance

The working mode of the Eth-Trunk is configured.

By default, an Eth-Trunk works in manual load balancing mode.

Before configuring an Eth-Trunk, ensure that both ends use the same working mode. If the localend works in manual load balancing mode, the peer end must use the manual load balancingmode.

----End

1.4.3 Adding Member Interfaces to an Eth-Trunk

ContextYou can add member interfaces to an Eth-Trunk in the Eth-Trunk interface view or memberinterface view.

Procedurel Adding member interfaces to an Eth-Trunk in the Eth-Trunk interface view

1. Run:system-view

The system view is displayed.2. Run:

interface eth-trunk trunk-id

The Eth-Trunk interface view is displayed.3. Run:

trunkport interface-type { interface-number1 [ to interface-number2 ] } &<1-8>

A member interface is added to the Eth-Trunk.

NOTE

When member interfaces are added to an Eth-Trunk in batches, if one member interface cannotbe added to the Eth-Trunk, interfaces following this interface cannot be added to the Eth-Trunk.

l Adding member interfaces to an Eth-Trunk in the member interface view1. Run:

system-view



5


2. Run:interface interface-type interface-number

The member interface view is displayed.

3. Run:eth-trunk trunk-id

The member interface is added to an Eth-Trunk.

When adding an interface to an Eth-Trunk, pay attention to the following points:

– An Eth-Trunk contains a maximum of 4 member interfaces on the S2700SI.An Eth-Trunk contains a maximum of 8 member interfaces on the other models.

– A member interface cannot be configured with some service or static MAC address.

– When adding an interface to an Eth-Trunk, ensure that the link-type of the interface isdefault link-type.

– An Eth-Trunk cannot be nested, that is, its member interfaces cannot be Eth-Trunk.

– An Ethernet interface can be added to only one Eth-Trunk. To add the Ethernet interfaceto another Eth-Trunk, delete it from the Eth-Trunk first.

– An Eth-trunk contains member interfaces of the same type.

– The peer interfaces directly connected to the local Eth-Trunk member interfaces mustalso be bundled into an Eth-Trunk; otherwise, the two ends cannot communicate.

– After interfaces are added to an Eth-Trunk, MAC addresses are learned on the Eth-Trunk but not the member interfaces.

– Devices on both ends of an Eth-Trunk must use the same number of physical interfaces,interface rate, duplex mode, jumbo and flow control mode.

----End

1.4.4 (Optional) Setting the Lower Threshold for the Number ofActive Interfaces

Context

The lower threshold for the number of active interfaces affects the status and bandwidth of thetrunk interface. To ensure that the trunk interface functions properly and is less affected bychanges in member link status, set the following thresholds.

When the number of active interfaces falls below this threshold, the Eth-Trunk goes Down. Thisensures that the Eth-Trunk has a minimum available bandwidth.

NOTE

The upper threshold for the number of active interfaces is inapplicable to the manual load balancing mode.

Procedure




6




Step 3 Run:least active-linknumber link-number

The lower threshold for the number of active interfaces is set.

By default, the lower threshold for the number of active interfaces is 1.

The lower threshold for the number of active interfaces on the local switch can be different fromthat on the remote switch. If the two values are different, the larger one is used.

----End

1.4.5 (Optional) Configuring the Load Balancing Mode

ContextAn Eth-Trunk uses flow-based load balancing. Flow-based load balancing ensures that framesof the same data flow are forwarded on the same physical link. Different data flows are forwardedon different physical links to implement load balancing.

Load balancing is valid only for outgoing traffic; therefore, the load balancing modes for theinterfaces at both ends of the link can be different and do not affect each other.

Procedure





Step 3 Run:load-balance { dst-ip | dst-mac | src-ip | src-mac | src-dst-ip | src-dst-mac }

The load balancing mode of the Eth-Trunk is set.

By default, the load balancing mode is src-dst-ip.

l dst-ip: Load balancing is performed based on destination IP addresses.l dst-mac: Load balancing is performed based on destination MAC addresses.l src-ip: Load balancing is performed based on source IP addresses.l src-mac: Load balancing is performed based on source MAC addresses.l src-dst-ip: Load balancing is performed based on the Exclusive-Or result of source and

destination IP addresses.



7

l src-dst-mac: Load balancing is performed based on the Exclusive-Or result of source anddestination MAC addresses.

NOTE

The preceding load balancing modes apply only to known unicast traffic. To configure the load balancingmode for unknown unicast traffic, run the unknown-unicast load-balance { dmac | smac |smacxordmac }command in the system view.

----End

1.4.6 Checking the Configuration

Procedurel Run the display eth-trunk [ trunk-id [ interface interface-type

interface-number | verbose ] ] command to check the Eth-Trunk configuration.

l Run the display trunkmembership eth-trunk trunk-id command to checkinformation about member interfaces of the Eth-Trunk.

----End

1.5 Configuring Link Aggregation in LACP ModeLink aggregation implements load balancing, increases interface bandwidth, and improvestransmission reliability.

1.5.1 Creating an LAG

ContextEach LAG corresponds to a logical interface, that is, Eth-Trunk. Before configuring linkaggregation, create an Eth-Trunk.

Procedure




An Eth-Trunk is created and the Eth-Trunk interface view is displayed.

If the specified Eth-Trunk already exists, this command directly displays the Eth-Trunk interfaceview.

----End

1.5.2 Setting the LACP Mode



8

Context

Link aggregation can work in manual load balancing mode and LACP mode.

In LACP mode, you must manually create an Eth-Trunk and add interfaces to the Eth-Trunk.LACP determines active interfaces by negotiating parameters through LACPDUs.

Before changing the working mode of an Eth-Trunk, ensure that the Eth-Trunk interface containsno member interface.

To delete existing member interface, run the undo eth-trunk command in the interfaceview or the undo trunkport interface-type interface-number command in theEth-Trunk interface view.

Procedure





Step 3 (Optional)Run:bpdu enable

The Eth-Trunk member interfaces are enabled to send the received BPDUs to the CPU.

Ensure that this function is enabled before you run the mode lacp-static command. By default,the function of sending the received BPDUs to the CPU is enabled on an interface.

Step 4 Run:mode lacp-static

The working mode of the Eth-Trunk is configured.

By default, an Eth-Trunk works in manual load balancing mode.

Before configuring an Eth-Trunk, ensure that both ends use the same working mode. If the localend works in LACP mode, the peer end must use the LACP mode.

----End

1.5.3 Adding Member Interfaces to an Eth-Trunk

Context

You can add member interfaces to an Eth-Trunk in the Eth-Trunk interface view or memberinterface view.

Procedurel Adding member interfaces to an Eth-Trunk in the Eth-Trunk interface view



9

1. Run:system-view


2. Run:interface eth-trunk trunk-id


3. Run:trunkport interface-type { interface-number1 [ to interface-number2 ] } &<1-8>

A member interface is added to the Eth-Trunk.

NOTE

When member interfaces are added to an Eth-Trunk in batches, if one member interface cannotbe added to the Eth-Trunk, interfaces following this interface cannot be added to the Eth-Trunk.

l Adding member interfaces to an Eth-Trunk in the member interface view

1. Run:system-view




3. Run:eth-trunk trunk-id

The member interface is added to an Eth-Trunk.

When adding an interface to an Eth-Trunk, pay attention to the following points:

– An Eth-Trunk contains a maximum of 4 member interfaces on the S2700SI.An Eth-Trunk contains a maximum of 8 member interfaces on the other models.

– A member interface cannot be configured with some service or static MAC address.

– When adding an interface to an Eth-Trunk, ensure that the link-type of the interface isdefault link-type.

– An Eth-Trunk cannot be nested, that is, its member interfaces cannot be Eth-Trunk.

– An Ethernet interface can be added to only one Eth-Trunk. To add the Ethernet interfaceto another Eth-Trunk, delete it from the Eth-Trunk first.

– An Eth-trunk contains member interfaces of the same type.

– The peer interfaces directly connected to the local Eth-Trunk member interfaces mustalso be bundled into an Eth-Trunk; otherwise, the two ends cannot communicate.

– After interfaces are added to an Eth-Trunk, MAC addresses are learned on the Eth-Trunk but not the member interfaces.

– Devices on both ends of an Eth-Trunk must use the same number of physical interfaces,interface rate, duplex mode, jumbo and flow control mode.

----End



10

1.5.4 (Optional) Limiting the Number of Active Interfaces

Context

The number of Up member links affects the status and bandwidth of the trunk interface. Toensure that the trunk interface functions properly and is less affected by changes in member linkstatus, set the following thresholds.

l Lower threshold for the number of active interfaces: When the number of active interfacesfalls below this threshold, the trunk interface goes Down. This guarantees the trunkinterface a minimum available bandwidth.

l Upper threshold for the number of active interfaces: It is used for improving networkreliability with assured bandwidth. When the number of active interfaces reaches thethreshold, you can add new member interfaces to the Eth-Trunk, but excess memberinterfaces enter the Down state.

Procedure





Step 3 Run:least active-linknumber link-number

The lower threshold for the number of active interfaces is set.

By default, the minimum number of active interfaces is 1.

The minimum number of active interfaces on the local switch can be different from that on theremote switch. If the two values are different, the larger one is used.

Step 4 Run:max active-linknumber link-number

The upper threshold for the number of active interfaces is set.

By default, the maximum number of active interfaces is 4 on the S2700SI, the maximum numberof active interfaces is 8 on the other models.

The maximum number of active interfaces on the local switch can be different from that on theremote switch. If the two values are different, the smaller one is used.

NOTE

The upper threshold for the number of active interfaces must be greater than or equal to the lower thresholdfor the number of active interfaces.

----End



11

1.5.5 (Optional) Configuring the Load Balancing Mode

ContextAn Eth-Trunk uses flow-based load balancing. Flow-based load balancing ensures that framesof the same data flow are forwarded on the same physical link. Different data flows are forwardedon different physical links to implement load balancing.

Load balancing is valid only for outgoing traffic; therefore, the load balancing modes for theinterfaces at both ends of the link can be different and do not affect each other.

Procedure





Step 3 Run:load-balance { dst-ip | dst-mac | src-ip | src-mac | src-dst-ip | src-dst-mac }

The load balancing mode of the Eth-Trunk is set.

By default, the load balancing mode is src-dst-ip.

l dst-ip: Load balancing is performed based on destination IP addresses.l dst-mac: Load balancing is performed based on destination MAC addresses.l src-ip: Load balancing is performed based on source IP addresses.l src-mac: Load balancing is performed based on source MAC addresses.l src-dst-ip: Load balancing is performed based on the Exclusive-Or result of source and

destination IP addresses.l src-dst-mac: Load balancing is performed based on the Exclusive-Or result of source and

destination MAC addresses.

NOTE

The preceding load balancing modes apply only to known unicast traffic. To configure the load balancingmode for unknown unicast traffic, run the unknown-unicast load-balance { dmac | smac |smacxordmac }command in the system view.

----End

1.5.6 (Optional) Setting the LACP System Priority

ContextLACP system priority differentiates priorities of devices at both ends. In LACP mode, activeinterfaces selected by devices at both ends must be consistent; otherwise, the LAG cannot be



12

set up. To keep active interfaces consistent at both ends, you can set the priority of one deviceto be higher than that of the other device so that the other device can select active interfacesaccording to those selected by the device with a higher priority.

Procedure



Step 2 Run:lacp priority priority

The LACP system priority is set.

A smaller LACP priority value indicates a higher priority. By default, the LACP system priorityis 32768.

The end with a smaller priority value functions as the Actor. If the two ends have the samepriority, the end with a smaller MAC address functions as the Actor.

----End

1.5.7 (Optional) Setting the LACP Priority for an Interface

Context

In LACP mode, LACP interface priorities are set to prioritize interfaces of the same device.Interfaces with higher priorities are selected as active interfaces.

Procedure



Step 2 Run:interface interface-type interface-number


Step 3 Run:lacp priority priority

The LACP priority of the member interface is configured.

By default, the LACP interface priority is 32768. A smaller priority value indicates a higherLACP priority.



13

NOTE

By default, the system selects active interfaces based on interface priorities. However, low-speed memberinterfaces may be selected as active interfaces because of their high priorities. To select high-speed memberinterfaces, run the lacp selected { priority | speed } command to configure the system to selectactive interfaces based on the interface rate.

----End

1.5.8 (Optional) Configuring LACP Preemption

Context

The LACP preemption function ensures that the interface with the highest LACP priority alwaysfunctions as an active interface. For example, when the interface with the highest prioritybecomes inactive due to a failure, the LACP preemption function enables the interface to becomeactive again after it recovers. If the LACP preemption function is disabled, the interface cannotbecome an active interface again.

The LACP preemption delay is the period during which an inactive interface waits before itbecomes active. The LACP preemption delay prevents instable data transmission on an Eth-Trunk link due to frequent status changes of some links.

Procedure





Step 3 Run:lacp preempt enable

The LACP preemption function is enabled.

By default, the LACP preemption function is disabled.

NOTE

To ensure normal running of an Eth-Trunk interface, enable or disable LACP preemption on both ends ofthe Eth-Trunk interface.

Step 4 Run:lacp preempt delay delay-time

The LACP preemption delay is set.

By default, the LACP preemption delay is 30 seconds.

----End



14

1.5.9 (Optional) Setting the Timeout Interval for ReceivingLACPDUs

Context

If the Eth-Trunk on the local device cannot detect a self-loop or fault that occurred on a memberinterface in the LAG on the peer device, data on the local device is still load balanced amongoriginal active interfaces. As a result, data traffic on the faulty link is discarded.

After the timeout interval at which LACPDUs are received is set, if a local member interfacedoes not receive any LACPDUs within the configured timeout interval, it becomes Downimmediately and no longer forwards data.

Procedure





Step 3 Run:lacp timeout { fast | slow }

The timeout interval at which LACPDUs are received is set.

By default, the timeout interval for an Eth-Trunk to receive packets is 90 seconds.

NOTE

l After you run the lacp timeout command, the local end informs the peer end of the timeout intervalthrough LACP packets. If the fast keyword is used, the interval for sending LACP packets is 1 second.If the slow keyword is used, the interval for sending LACP packets is 30 seconds.

l The timeout interval for receiving LACP packets is three times the interval for sending LACP packets.In other words, when the fast keyword is used, the timeout interval for receiving LACP packets is 3seconds. When the slow keyword is used, the timeout interval for receiving LACP packets is 90 seconds.

l You can select different keywords on the two ends. However, it is recommended that you select thesame keyword on both ends to facilitate the maintenance.

l Each member interface in the Eth-Trunk processes a maximum of 20 LACPDUs every second. Theswitch processes a maximum of 100 LACPDUs every second. Extra LACPDUs are discarded.

----End



interface-number | verbose ] ] command to check the Eth-Trunk configuration.



15

l Run the display trunkmembership eth-trunk trunk-id command to checkinformation about member interfaces of the Eth-Trunk.

----End

1.6 Maintaining Link AggregationThis section describes how to maintain link aggregation.

1.6.1 Clearing LACP Packet Statistics

Context

NOTICEThe LACP packet statistics cannot be restored after you clear them.

Procedurel Run the reset lacp statistics eth-trunk [ trunk-id [ interface

interface-type interface-number ] ] command in user view to clear statisticsabout LACP packets received and sent.

----End

1.6.2 Monitoring the Operating Status of an LAG

ContextDuring daily maintenance, run the following commands in any view to check the operating statusof LAGs.


interface-number | verbose ] ] command to check the Eth-Trunk configurationand status.

l In LACP mode, run the display lacp statistics eth-trunk [ trunk-id[ interface interface-type interface-number ] ] command to check thestatistics about LACP packets sent and received.

l Run the display interface eth-trunk [ trunk-id ] command to check thestatus of an Eth-Trunk interface.

l Run the display trunkmembership eth-trunk trunk-id command todisplays information about member interfaces of an Eth-Trunk..

----End



16

1.7 Configuration ExamplesThis section provides several configuration examples of link aggregation.

1.7.1 Example for Configuring Link Aggregation in Manual LoadBalancing Mode

Networking RequirementsAs shown in Figure 1-4, SwitchA and SwitchB connect to devices in VLAN 10 and VLAN 20through Ethernet links, and heavy traffic is transmitted between SwitchA and SwitchB.

SwitchA and SwitchB can provide higher link bandwidth to implement inter-VLANcommunication. Reliability of data transmission needs to be ensured.

Figure 1-4 Networking diagram for configuring link aggregation in manual load balancing mode

SwitchA SwitchB


Eth-TrunkEth0/0/1Eth0/0/2Eth0/0/3

Eth0/0/1Eth0/0/2Eth0/0/3

Eth0/0/4

Eth0/0/5

VLAN10

VLAN20

Eth0/0/4

Eth0/0/5

VLAN10

VLAN20

Configuration RoadmapThe configuration roadmap is as follows:

1. Create an Eth-Trunk and add member interfaces to the Eth-Trunk to increase linkbandwidth.

NOTE

An interface is added to VLAN1 by default. To avoid broadcast strom, shut down the interface orremove the interface from VLAN1 before adding it to an Eth-Trunk interface.

2. Create VLANs and add interfaces to the VLANs.3. Set the load balancing mode to ensure that traffic is load balanced between member

interfaces of the Eth-Trunk.



17

Procedure

Step 1 Create an Eth-Trunk on SwitchA and add member interfaces to the Eth-Trunk. The configurationof SwitchB is similar to the configuration of SwitchA, and the configuration details are notmentioned here.<Quidway> system-view[Quidway] sysname SwitchA[SwitchA] interface Eth-Trunk1[SwitchA-Eth-Trunk1] trunkport ethernet 0/0/1 to 0/0/3[SwitchA-Eth-Trunk1] quit

Step 2 Create VLANs and add interfaces to the VLANs. The configuration of SwitchB is similar to theconfiguration of SwitchA, and the configuration details are not mentioned here.

# Create VLAN 10 and VLAN 20, and add interfaces to VLAN 10 and VLAN 20.

[SwitchA] vlan batch 10 20[SwitchA] interface ethernet 0/0/4[SwitchA-Ethernet0/0/4] port link-type trunk[SwitchA-Ethernet0/0/4] port trunk allow-pass vlan 10[SwitchA-Ethernet0/0/4] quit[SwitchA] interface ethernet 0/0/5[SwitchA-Ethernet0/0/5] port link-type trunk[SwitchA-Ethernet0/0/5] port trunk allow-pass vlan 20[SwitchA-Ethernet0/0/5] quit

# Configure Eth-Trunk 1 to allow packets from VLAN 10 and VLAN 20 to pass through.

[SwitchA] interface Eth-Trunk1[SwitchA-Eth-Trunk1] port link-type trunk[SwitchA-Eth-Trunk1] port trunk allow-pass vlan 10 20

Step 3 Set the load balancing mode of Eth-Trunk 1. The configuration of SwitchB is similar to theconfiguration of SwitchA, and the configuration details are not mentioned here.[SwitchA-Eth-Trunk1] load-balance src-dst-mac[SwitchA-Eth-Trunk1] quit

Step 4 Verify the configuration.

Run the display eth-trunk 1 command in any view to check whether the Eth-Trunk is createdand whether member interfaces are added.

[SwitchA] display eth-trunk 1Eth-Trunk1's state information is: WorkingMode: NORMAL Hash arithmetic: According to SA-XOR-DA Least Active-linknumber: 1 Max Bandwidth-affected-linknumber: 8Operate status: up Number Of Up Port In Trunk: 3 --------------------------------------------------------------------------------PortName Status WeightEthernet0/0/1 Up 1Ethernet0/0/2 Up 1Ethernet0/0/3 Up 1

The preceding command output shows that Eth-Trunk 1 has three member interfaces:Ethernet0/0/1, Ethernet0/0/2, and Ethernet0/0/3. The member interfaces are both in Up state.

----End

Configuration Filesl Configuration file of SwitchA#sysname SwitchA



18

#vlan batch 10 20#interface Eth-Trunk1 port link-type trunk port trunk allow-pass vlan 10 20 load-balance src-dst-mac # interface Ethernet0/0/1 eth-trunk 1# interface Ethernet0/0/2 eth-trunk 1# interface Ethernet0/0/3 eth-trunk 1#interface Ethernet0/0/4 port link-type trunk port trunk allow-pass vlan 10#interface Ethernet0/0/5 port link-type trunk port trunk allow-pass vlan 20#return

l Configuration file of SwitchB#sysname SwitchB#vlan batch 10 20#interface Eth-Trunk1 port link-type trunk port trunk allow-pass vlan 10 20 load-balance src-dst-mac # interface Ethernet0/0/1 eth-trunk 1# interface Ethernet0/0/2 eth-trunk 1# interface Ethernet0/0/3 eth-trunk 1#interface Ethernet0/0/4 port link-type trunk port trunk allow-pass vlan 10#interface Ethernet0/0/5 port link-type trunk port trunk allow-pass vlan 20#return

1.7.2 Example for Configuring Link Aggregation in LACP Mode

Networking Requirements

To improve bandwidth and connection reliability, configure a link aggregation group on twodirectly connected Switches, as shown in Figure 1-5. The requirements are as follows:



19

l Two active links implement load balancing.l One link function as the backup link. When a fault occurs on an active link, the backup link

replaces the faulty link to maintain reliable data transmission.

Figure 1-5 Networking diagram for configuring link aggregation in LACP mode

SwitchA SwitchB


Eth-TrunkEth0/0/1Eth0/0/2Eth0/0/3

Eth0/0/1Eth0/0/2Eth0/0/3

Active linkBackup link


1. Create an Eth-Trunk and configure the Eth-Trunk to work in LACP mode to implementlink aggregation.

2. Add member interfaces to the Eth-Trunk.

NOTE

An interface is added to VLAN1 by default. To avoid broadcast strom, shut down the interface orremove the interface from VLAN1 before adding it to an Eth-Trunk interface.

3. Set the system priority and determine the Actor so that the Partner selects active interfacesbased on the Actor interface priority.

4. Set the upper threshold for the number of active interfaces to improve reliability.5. Set interface priorities and determine active interfaces so that interfaces with higher

priorities are selected as active interfaces.

Procedure

Step 1 Create Eth-Trunk 1 on SwitchA and configure Eth-Trunk 1 to work in LACP mode. Theconfiguration of SwitchB is similar to the configuration of SwitchA, and the configuration detailsare not mentioned here.<Quidway> system-view[Quidway] sysname SwitchA[SwitchA] interface eth-trunk 1[SwitchA-Eth-Trunk1] mode lacp-static[SwitchA-Eth-Trunk1] quit

Step 2 Add member interfaces to Eth-Trunk 1 on SwitchA. The configuration of SwitchB is similar tothe configuration of SwitchA, and the configuration details are not mentioned here.[SwitchA] interface ethernet 0/0/1[SwitchA-Ethernet0/0/1] eth-trunk 1[SwitchA-Ethernet0/0/1] quit[SwitchA] interface ethernet 0/0/2[SwitchA-Ethernet0/0/2] eth-trunk 1[SwitchA-Ethernet0/0/2] quit[SwitchA] interface ethernet 0/0/3[SwitchA-Ethernet0/0/3] eth-trunk 1[SwitchA-Ethernet0/0/3] quit



20

Step 3 Set the system priority on SwitchA to 100 so that SwitchA becomes the Actor.[SwitchA] lacp priority 100

Step 4 On SwitchA, set the upper threshold for the number of active interfaces to 2.[SwitchA] interface eth-trunk 1[SwitchA-Eth-Trunk1] max active-linknumber 2[SwitchA-Eth-Trunk1] quit

Step 5 Set the priority of the interface and determine active links on SwitchA.[SwitchA] interface ethernet 0/0/1[SwitchA-Ethernet0/0/1] lacp priority 100[SwitchA-Ethernet0/0/1] quit[SwitchA] interface ethernet 0/0/2[SwitchA-Ethernet0/0/2] lacp priority 100[SwitchA-Ethernet0/0/2] quit


# Check information about the Eth-Trunk of the Switchs and check whether negotiation issuccessful on the link.

[SwitchA] display eth-trunk 1Eth-Trunk1's state information is:Local: LAG ID: 1 WorkingMode: STATIC Preempt Delay: Disabled Hash arithmetic: According to SIP-XOR-DIP System Priority: 100 System ID: 00e0-fca8-0417Least Active-linknumber: 1 Max Active-linknumber: 2 Operate status: up Number Of Up Port In Trunk: 2--------------------------------------------------------------------------------ActorPortName Status PortType PortPri PortNo PortKey PortState WeightEthernet0/0/1 Selected 100M 100 6145 2865 11111100 1Ethernet0/0/2 Selected 100M 100 6146 2865 11111100 1Ethernet0/0/3 Unselect 100M 32768 6147 2865 11100000 1

Partner:------------------------------------------------------------------------------ActorPortName SysPri SystemID PortPri PortNo PortKey PortStateEthernet0/0/1 32768 00e0-fca6-7f85 32768 6145 2609 11111100Ethernet0/0/2 32768 00e0-fca6-7f85 32768 6146 2609 11111100Ethernet0/0/3 32768 00e0-fca6-7f85 32768 6147 2609 11110000[SwitchB] display eth-trunk 1Eth-Trunk1's state information is:Local:LAG ID: 1 WorkingMode: STATICPreempt Delay: Disabled Hash arithmetic: According to SIP-XOR-DIPSystem Priority: 32768 System ID: 00e0-fca6-7f85Least Active-linknumber: 1 Max Active-linknumber: 8Operate status: Up Number Of Up Port In Trunk: 2------------------------------------------------------------------------------ActorPortName Status PortType PortPri PortNo PortKey PortState WeightEthernet0/0/1 Selected 100M 32768 6145 2609 11111100 1Ethernet0/0/2 Selected 100M 32768 6146 2609 11111100 1Ethernet0/0/3 Unselect 100M 32768 6147 2609 11100000 1



21

Partner:------------------------------------------------------------------------------ActorPortName SysPri SystemID PortPri PortNo PortKey PortStateEthernet0/0/1 100 00e0-fca8-0417 100 6145 2865 11111100Ethernet0/0/2 100 00e0-fca8-0417 100 6146 2865 11111100Ethernet0/0/3 100 00e0-fca8-0417 32768 6147 2865 11110000

The preceding information shows that the system priority of SwitchA is 100, which is higherthan the system priority of SwitchB. Member interfaces Ethernet0/0/1 and Ethernet0/0/2 becomethe active interfaces and are in Selected state. Interface Ethernet0/0/3 is in Unselect state. Twolinks are active and working in load balancing mode, and one link is the backup links.

----End

Configuration Filesl Configuration file of SwitchA#sysname SwitchA#lacp priority 100#interface Eth-Trunk1 mode lacp-static max active-linknumber 2#interface Ethernet0/0/1 eth-trunk 1 lacp priority 100#interface Ethernet0/0/2 eth-trunk 1 lacp priority 100#interface Ethernet0/0/3 eth-trunk 1#return

l Configuration file of SwitchB#sysname SwitchB#interface Eth-Trunk1 mode lacp-static#interface Ethernet0/0/1 eth-trunk 1#interface Ethernet0/0/2 eth-trunk 1#interface Ethernet0/0/3 eth-trunk 1#return



22

1.8 Common Configuration ErrorsThis section describes common configuration errors.

1.8.1 Traffic Is Unevenly Load Balanced Between Eth-TrunkMember Interfaces Due to the Incorrect Load Balancing Mode

Fault DescriptionTraffic is unevenly load balanced between Eth-Trunk member interfaces due to the incorrectload balancing mode.

Procedure1. Run the display eth-trunk command to check whether the load balancing mode of

the Eth-Trunk meets networking requirements. For example, source or destination IPaddress-based load balancing is not recommended in Layer 2 networking.

2. Run the load-balance command to set the proper load balancing mode.



23

2 VLAN Configuration

About This Chapter

VLANs have advantages of broadcast domain isolation, security hardening, flexible networking,and good extensibility.

2.1 VLAN OverviewThis section describes the definition, background, and functions of VLAN.

2.2 VLAN Features Supported by the DeviceVLAN features supported by the device include VLAN assignment, communication betweenVLANs, VLAN aggregation, MUX VLAN, and VLAN management.

2.3 Default ConfigurationThis section describes the default configuration of VLAN.

2.4 Assigning a LAN to VLANsVLANs can isolate the hosts that require no communication with each other, which improvesnetwork security, reduces broadcast traffic, and suppresses broadcast storms.

2.5 Configuring VLANIF Interfaces for Inter-VLAN CommunicationA VLANIF interface is a Layer 3 logical interface. After VLANIF interfaces are created on thedevice, communication between VLANs is allowed.

2.6 Configuring VLAN Aggregation to Save IP AddressesVLAN aggregation prevents the waste of IP addresses and implements inter-VLANcommunication.

2.7 Configuring MUX VLANConfiguring a MUX VLAN allows users in different VLANs to communicate with each other,and separates users in a certain VLAN.

2.8 Configuring an mVLAN to Implement Integrated ManagementManagement VLAN (mVLAN) configuration allows users to use the VLANIF interface of themVLAN to log in to the management switch to manage devices in a centralized manner.

2.9 Maintaining VLANThis section describes how to view and clear VLAN statistics.

S2700&S3700 Series Ethernet SwitchesConfiguration Guide - Ethernet 2 VLAN Configuration


24

2.10 Configuration ExamplesThis section provides several configuration examples of VLANs including networkingrequirements, configuration roadmap, and configuration procedure.

2.11 Common Configuration ErrorsThis section describes common VLAN configuration errors.



25

2.1 VLAN OverviewThis section describes the definition, background, and functions of VLAN.

The VLAN technology enables a physical LAN to be divided into multiple broadcast domains,each of which is called a VLAN.

The Ethernet technology is used to share communication media and data based on the CarrierSense Multiple Access/Collision Detection (CSMA/CD). If there are a large number of hosts onan Ethernet network, collision becomes a serious problem and can lead to broadcast storms.Switches can be used to connect LANs, preventing collision. However, broadcast packets cannotbe isolated and network quality cannot be improved.

The VLAN technology divides a physical LAN into multiple broadcast domains, each of whichis called a VLAN. Hosts within a VLAN can communicate with each other, while hosts indifferent VLANs cannot communicate with each other directly. Therefore, the broadcast packetsare limited in each VLAN.

Figure 2-1 Networking diagram for a typical VLAN application

VLAN2

VLAN3

Router

SwitchA SwitchB

Figure 2-1 shows the networking diagram for a typical VLAN application. Two switches areplaced in different locations (for example, in different floors of a building). Each switch isconnected to two PCs that respectively belong to different VLANs (for example, differentcompanies). In the diagram, each dotted box indicates a VLAN.

2.2 VLAN Features Supported by the DeviceVLAN features supported by the device include VLAN assignment, communication betweenVLANs, VLAN aggregation, MUX VLAN, and VLAN management.



26

Logical Relationships Among VLAN FeaturesThe VLAN technology helps isolate broadcast domains and implement both intra-VLAN andinter-VLAN communication.

1. VLAN assignment: VLAN assignment is a basic VLAN configuration. Users in a VLANcan communicate with each other.

2. Inter-VLAN communication: To implement communication between users in differentVLANs, configure VLANIF interfaces.

3. Extended VLAN functions are as follows:l VLAN aggregation: prevents the waste of IP addresses and implements inter-VLAN

communication.l MUX VLAN: provides a mechanism to isolate Layer 2 traffic between interfaces in a

VLAN.l VLAN management: helps implement integrated management using a remote device.

A user can log in to a switch by accessing the IP address of the VLANIF interfacecorresponding to the mVLAN.

VLAN AssignmentVLAN assignment is a basic VLAN configuration. Users in the same VLAN can communicatewith each other. Table 2-1 shows the VLAN assignment methods and their usage scenarios.

Table 2-1 VLAN assignment in different usage scenarios

VLANAssignmentMethod

Advantage Disadvantage Usage Scenario

Port-based This method is themost commonly used,and configuration issimple.

Configuration is notflexible. If a port needsto transmit frames ofanother VLAN, theport must be deletedfrom the originalVLAN and added tothe new VLAN. If anetwork has a largenumber of travelingusers, the networkadministrator mustspend more time onmaintenance.

Applicable to large-scalenetworks that do nothave high securityrequirements.



27

VLANAssignmentMethod

Advantage Disadvantage Usage Scenario

MAC address-based

VLANs do not need tobe re-assigned whenusers travel from oneplace to another. ThisVLAN assignmentmethod improvessecurity and flexibilityfor terminal users.

A networkadministrator mustconfigure MACaddresses associatedwith VLANs on theswitch. If the networkhas many terminals, itwill take a long timefor the administrator toconfigure the MACaddresses.

Applicable to networksthat have many travelingusers and require highsecurity.NOTE

The S2700SI and S2710SIdo not support thisconfiguration.

IP subnet-based

IP subnet-based andprotocol-based VLANassignment are bothnetwork layer-basedVLAN assignment.Network layer-basedVLAN assignmentgreatly reducesworkload of manualconfigurations andallows users to easilyjoin a VLAN, movefrom one VLAN toanother, or leave aVLAN.

The switch needs toparse the source IPaddresses of packetsand convert them intoMAC addresses. Thisslows down switchresponse.

Applicable to networksthat have traveling usersand require simplemanagement.NOTE

The S2700 does notsupport this configuration.

Protocol-based

The switch needs toanalyze protocoladdress formats andconvert between them.This slows downswitch response.

Currently, VLANs canbe assigned based on theAppleTalk, IPv4, IPv6,llc, IPX protocols.NOTE

The S2700 does notsupport this configuration.

When the device supports multiple VLAN assignment modes, the priorities of these VLANassignment modes are in descending order:

1. MAC address-based VLAN assignment and IP subnet-based VLAN assignmentBy default, MAC address-based VLAN assignment is set as the preference. You can runthe vlan precedence command to change priorities of these two VLAN assignmentmodes.

2. Protocol-based VLAN assignment3. Port-based VLAN assignment

Port-based VLAN assignment has the lowest priority, but is most commonly used.

Port-based VLAN assignment supports different types of ports, as described in Table 2-2.

NOTE

Other VLAN assignment methods must be configured on a hybrid interface.



28

Table 2-2 Port Types

PortType

Untagged FrameProcessing

Tagged FrameProcessing

FrameTransmission

Usage

Access

Accepts an untaggedframe and adds a tagwith the defaultVLAN ID to theframe.

l Accepts thetagged frame ifthe frame'sVLAN IDmatches thedefault VLANID.

l Discards thetagged frame ifthe frame'sVLAN ID differsfrom the defaultVLAN ID.

After the PVIDtag is stripped,the frame istransmitted.

An access portcan belong toonly one VLAN.The accessinterface isdirectlyconnected to acomputer.

Trunk l Adds a tag withthe defaultVLAN ID to theuntagged frameand thentransmits it if thedefault VLAN IDis permitted bythe port

l Adds a tag withthe defaultVLAN ID to theuntagged frameand then discardsit if the defaultVLAN ID isdenied by theport.

l Accepts thetagged frame ifthe frame'sVLAN ID ispermitted by theport.

l Discards thetagged frame ifthe frame'sVLAN ID isdenied by theport.

l If the frame'sVLAN IDmatches thedefaultVLAN IDand theVLAN ID ispermitted bythe port, thedeviceremoves thetag andtransmits theframe.

l If the frame'sVLAN IDdiffers fromthe defaultVLAN ID,but theVLAN ID isstillpermitted bythe port, theswitch willdirectlytransmit theframe.

A trunk portallows packets ofmultiple VLANsto pass through.It usuallyconnectsnetwork devices.



29

PortType

Untagged FrameProcessing

Tagged FrameProcessing

FrameTransmission

Usage

Hybrid

If the frame'sVLAN ID ispermitted by theport, the frame istransmitted. Theport can beconfiguredwhether totransmit frameswith tags.

A hybrid portallows packets ofmultiple VLANsto pass through.It can be used toconnect networkdevices ornetwork devicesand user devices.

QinQ QinQ ports are enabled with the IEEE 802.1QinQ protocol. A QinQ port can adddouble VLAN tags to a data frame, that is, a QinQ port can add a tag to a single-tagged frame. Therefore, a QinQ port supports a maximum of 4094 x 4094 VLANtags, which meets the requirement on the number of VLANs. For details, see QinQOverview.NOTE

The S2700SI and S2710SI do not support QinQ.

Each access, trunk, hybrid, or QinQ port can be configured with a default VLAN, namely, theport default VLAN ID (PVID) to specify the VLAN to which the port belongs.

l The PVID of an access port indicates the VLAN to which the port belongs.

l As a trunk or hybrid port can be added to multiple VLANs, the port must be configuredwith PVIDs.

NOTE

Because all interfaces join VLAN 1 by default, broadcast storms may occur if unknown unicast, multicast,or broadcast packets exist in VLAN 1. To prevent loops, delete interfaces that do not need to be added toVLAN 1 from VLAN 1.

Inter-VLAN Communication

After VLANs are configured, users in the same VLAN can communication with each other whileusers in different VLANs cannot. To implement inter-VLAN communication, configure theVLANIF interfaces which are Layer 3 logical interfaces, as shown in Figure 2-2.

Layer 3 switching combines routing and switching techniques, improving the overallperformance of the network. After sending the first data flow, a Layer 3 switch generates amapping table on which it records the mapping between the MAC address and the IP addressfor the data flow. If the switch needs to send the same data flow again, it directly sends the dataflow at Layer 2 (not Layer 3) based on the mapping table.

In order to ensure that new data flows can be correctly forwarded, the routing table must havethe correct routing entries. Therefore, VLANIF interfaces are used to configure routing protocolson the switch in order to implement IP route reachability.



30

Figure 2-2 Inter-VLAN communication using VLANIF interfaces

Switch

VLAN2 VLAN3

VLANIF2 VLANIF3

As shown in Figure 2-2, VLANIF interfaces are configured on the switch. IP addresses of theVLANIF interfaces are the addresses of default gateways for hosts in VLANs. Packets sent fromhosts in VLAN 2 are all sent to the gateway first to implement Layer 3 forwarding.

VLAN AggregationOn a large-scale network, many VLANs may be assigned to transmit services. To implementinter-VLAN communication, many IP addresses will be wasted if an IP address is assigned toa VLANIF interface in each VLAN. VLAN aggregation can be used to save IP addresses.

In VLAN aggregation, one super-VLAN is associated with multiple sub-VLANs. Physical portscannot join a super-VLAN but a VLANIF interface can be created for the super-VLAN and anIP address can be assigned to the VLANIF interface. Physical ports can join a sub-VLAN butno VLANIF interface can be created for the sub-VLAN. All the ports in the sub-VLAN use thesame IP address with the VLANIF interface of the super-VLAN. In different sub-VLANs, Layer2 isolation and Layer 3 connectivity by using the same VLANIF interface as the gateway canbe implemented. VLAN aggregation allows each sub-VLAN to function as a broadcast domainand reduces the waste of IP addresses to be assigned to ordinary VLANs.



31

Figure 2-3 Networking diagram of typical VLAN aggregation

Super VLAN4

Switch

Sub-VLAN 2

Switch1

Sub-VLAN 3

Switch2

Figure 2-3 shows a typical networking diagram of VLAN aggregation. Sub-VLANs areassociated with the super-VLAN on the switch so that VLAN 2 and VLAN 3 use the same subnetsegment, which saves IP addresses.

NOTE

The S2700SI and S2710SI do not support VLAN aggregation.

MUX VLANThe MUX VLAN function isolates Layer 2 traffic and implements interworking betweeninterfaces in a VLAN. This function involves a MUX VLAN and several subordinate VLANs.Subordinate VLANs are classified into subordinate group VLANs and subordinate separateVLANs. The principal VLAN and subordinate VLAN can implement communication, anddifferent subordinate VLANs cannot implement communication. Subordinate group VLANscan implement .

On an enterprise network, all users of the enterprise can access the enterprise's server. It isrequired that some users can communicate with each other while others cannot communicatewith each other. You can configure MUX VLAN. As shown in Figure 2-4, the principal portconnects the switch to the enterprise's server; separate ports connect the switch to users that donot communicate with each other; group ports connect the switch to users that need tocommunicate with each other. This saves VLAN IDs on the network and facilitates networkmanagement.



32

Figure 2-4 Networking of the MUX VLAN application

Enterprise server

Switch

Group PORT Separate PORT

Principal PORT

Enterprise employee1

Enterprise employee2

Table 2-3 describes the MUX VLAN assignment based on the port type.

Table 2-3 MUX VLAN assignment

MUX VLAN VLAN Type Port Type CommunicationRights

Principal VLAN - Principal port A principal port cancommunicate withevery port in theMUX VLAN.

Subordinate VLAN Separate VLAN Separate port A separate port canonly communicatewith principal ports.Each separate VLANmust be associatedwith a principalVLAN.

Group VLAN Group port A group port cancommunicate withboth principal portsand other group portsin the same groupVLAN but cannotcommunicate withgroup ports in othergroup VLANs orseparate ports. Eachgroup VLAN mustbe associated with aprincipal VLAN.



33

NOTE

The S2700 does not support MUX VLAN.

VLAN ManagementTo use a network management system to manage multiple devices, create a VLANIF interfaceon each device and configure a management IP address for the VLANIF interface. You can thenlog in to a device and manage it using its management IP address. If a user-side interface isadded to the VLAN, users connected to the interface can also log in to the device. This bringssecurity risks to the device.

After a VLAN is configured as a management VLAN, no access interface or dot1q-tunnelinterface can be added to the VLAN. An access interface or a dot1q-tunnel interface is connectedto users. The management VLAN forbids users connected to access and dot1q-tunnel interfacesto log in to the device, improving device performance.

2.3 Default ConfigurationThis section describes the default configuration of VLAN.

Table 2-4 Default configuration of VLAN

Parameter Default Setting

Port connection mode Hybrid

Default VLAN ID 1

Damping time 0s

2.4 Assigning a LAN to VLANsVLANs can isolate the hosts that require no communication with each other, which improvesnetwork security, reduces broadcast traffic, and suppresses broadcast storms.

2.4.1 Dividing a LAN into VLANs Based on Ports

ContextPorts on a Layer 2 switching device can be bound to a specific VLAN. After a port is added toa VLAN, packets of the user that is connected to the port can only be forwarded within theVLAN, but not forwarded to another VLAN. This implementation ensures that broadcast packetsare forwarded only within a single VLAN.

You must create VLANs, configure the port type, and associate ports with VLANs.

Procedure

Step 1 Run:



34

system-view


Step 2 Run:vlan vlan-id

A VLAN is created, and the VLAN view is displayed. If the specified VLAN has been created,the VLAN view is directly displayed.

The VLAN ID ranges from 1 to 4094. If VLANs need to be created in batches, run the vlanbatch { vlan-id1 [ to vlan-id2 ] } &<1-10> command to create VLANs in batches,and then run the vlan vlan-id command to enter the view of a specified VLAN.

Step 3 Run:quit


Step 4 Configure the port type and features.

1. Run the interface interface-type interface-number command to enter theview of an Ethernet port to be added to the VLAN.

2. Run the port link-type { access | dot1q-tunnel | hybrid | trunk |negotiation-desirable | negotiation-auto } command to configure the porttype.By default, the link type of an interface is hybrid.l If an Ethernet port is directly connected to a terminal, set the port type to access or

hybrid.l If an Ethernet port is connected to another switch, set the port type to trunk or hybrid.l To add the outer tag to tagged packets, configure the dot1q-tunnel type. For details, see

5 QinQ Configuration.

Step 5 Add ports to the VLAN.

Run either of the following commands as needed:

l For access ports:Run the port default vlan vlan-id command to add a port to a specified VLAN.

To add ports to a VLAN in batches, run the port interface-type { interface-number1 [ to interface-number2 ] } &<1-10> command in the VLAN view.

l For trunk ports:

– Run the port trunk allow-pass vlan { { vlan-id1 [ to vlan-id2 ] }&<1-10> | all } command to add the port to specified VLANs.

– (Optional) Run the port trunk pvid vlan vlan-id command to specify thedefault VLAN for a trunk interface.

l For hybrid ports:

– Run either of the following commands to add a port to VLANs in untagged or taggedmode:

– Run the port hybrid untagged vlan { { vlan-id1 [ to vlan-id2 ] }&<1-10> | all } command to add a port to VLANs in untagged mode.



35

In untagged mode, a port removes tags from frames and then forwards the frames.This is applicable to scenarios in which Ethernet ports are connected to terminals.

– Run the port hybrid tagged vlan { { vlan-id1 [ to vlan-id2 ] }&<1-10> | all } command to add a port to VLANs in tagged mode.

In tagged mode, a port forwards frames without removing their tags. This is applicableto scenarios in which Ethernet ports are connected to switches.

– (Optional) Run the port hybrid pvid vlan vlan-id command to specify thedefault VLAN of a hybrid interface.

By default, all ports are added to VLAN 1.

----End

2.4.2 Dividing a LAN into VLANs Based on MAC Addresses

ContextMAC address-based VLAN division is used if user locations do not need to be concerned. Thisimproves security and flexibility for terminal users.

VLANs configured based on MAC addresses process only untagged frames, and treat taggedframes in the same manner as VLANs configured based on ports.

After receiving an untagged frame, a port searches for a MAC-VLAN mapping based on thesource MAC address in the frame.l If a mapping is found, the port forwards the frame based on the VLAN ID and priority

value in the mapping.l If no matching mapping is found, the port matches the frame with other matching rules.

NOTE

The S2700SI and S2710SI do not support this configuration.

Procedure






Step 3 Run:mac-vlan mac-address mac-address [ mac-address-mask | mac-address-mask-length ] [ priority priority ]

A MAC address is mapped to the VLAN.



36

NOTE

If you run the mac-vlan mac-address command multiple times in the same VLAN view and specifythe same mac-address value, MAC-VLAN takes effect according to the longest match principle.

l The mac-address value is in H-H-H format. H is a hexadecimal number that contains oneto four digits, such as 00e0 and fc01. If an H contains less than four digits, 0s are paddedahead. For example, if you specify an H as e0, it is displayed as 00e0. A MAC address cannotbe set to all 0s, all Fs or multicast addresses.

l If [ mac-address-mask | mac-address-mask-length ] is specified to configurethe MAC address mask except for the 48–bit mask or the mask with all Fs, to modify thevalue of priority, run the undo mac-vlan mac-address command to disassociatethe MAC address from the VLAN and run the mac-vlan mac-address command.

l priority specifies the 802.1p priority relevant to the MAC addresses. The value rangesfrom 0 to 7. A larger value indicates a higher priority. The default value is 0. After the 802.1ppriority is specified, frames with high priorities are first forwarded when traffic is congested.

NOTE

Only the S2700-52P-EI, S2700-52P-PWR-EI, and S3700 support this parameter.

Step 4 Run:quit


Step 5 Configure attributes for Ethernet interfaces.

1. Run the interface interface-type interface-number command to enter theview of the interface that is configured to allow frames with a specified VLAN ID to passthrough.

2. Run the port link-type hybrid command to set the link type of the interface tohybrid.

The interface where MAC address-based VLAN assignment is to be enabled is a hybridinterface.

3. Run the port hybrid untagged vlan { { vlan-id1 [ to vlan-id2 ] }&<1-10> | all } command to configure the hybrid interface to allow frames with aspecified VLAN ID to pass through.

Step 6 Run the vlan precedence mac-vlan command to configure a higher priority for MACaddress-based VLAN division.

NOTE

Only theS3700 supports the vlan precedence command.

By default, MAC address-based VLAN division is set as the preference.

Step 7 Run:mac-vlan enable

MAC address-based VLAN division is enabled.

By default, MAC address-based VLAN division is disabled.



37

NOTE

MAC address-based VLAN assignment conflict with MUX VLAN. They cannot be configured on the sameinterface.

----End

2.4.3 Dividing a LAN into VLANs Based on IP Subnets

Context

IP subnet-based and protocol-based VLAN division are called network layer-based VLANdivision, which reduces manual VLAN configuration workload and allows users to easily joina VLAN, transfer from one VLAN to another, and exit from a VLAN. IP subnet-based VLANdivision is applicable to networks that have traveling users and require simple management.

VLANs configured based on IP subnets process only untagged frames. and treat tagged framesin the same manner as VLANs configured based on ports.

After receiving untagged frames, a device determines the VLANs to which the frames belongbased on their source IP addresses before sending them to corresponding VLANs.

NOTE

The S2700 does not support this configuration.

Procedure






Step 3 Run:ip-subnet-vlan [ ip-subnet-index ] ip ip-address { mask | mask-length } [ priority priority ]

An IP subnet is associated with the VLAN.

l The optional parameter ip-subnet-index specifies the IP subnet index. The subnetindex can be specified by a user or automatically generated by the system.

l The parameter ip-address specifies the source IP address or network address based onwhich a VLAN is configured. The value is in dotted decimal notation.

l The optional parameter priority specifies the 802.1p priority value related to the VLANconfigured based on the IP address or network address. The value ranges from 0 to 7. The



38

greater the value, the higher the priority. The default value is 0. After the 802.1p priorityvalue is specified, frames with high priorities are first forwarded when traffic is congested.

Step 4 Run:quit



1. Run the interface interface-type interface-number command to enter theview of the port to be configured to allow frames with the specified VLAN ID to passthrough.

2. Run the port link-type hybrid command to set the link type of the interface tohybrid.

The interface where MAC address-based VLAN assignment is to be enabled is a hybridinterface.

3. Run the port hybrid untagged vlan { { vlan-id1 [ to vlan-id2 ] }&<1-10> | all } command to allow frames with the specified VLAN ID to pass through.

Step 6 (Optional) Run:vlan precedence ip-subnet-vlan

IP subnet-based VLAN division is configured with a higher priority.

Step 7 Run:ip-subnet-vlan enable

IP subnet-based VLAN division is enabled.

By default, IP subnet-based VLAN division is disabled.

----End

2.4.4 Dividing a LAN into VLANs Based on Protocols

ContextIP subnet-based and protocol-based VLAN division are called network layer-based VLANdivision, which reduces manual VLAN configuration workload and allows users to easily joina VLAN, transfer from one VLAN to another, and exit from a VLAN.

VLANs configured based on protocols process only untagged frames. and treat tagged framesin the same manner as VLANs configured based on ports.

After receiving an untagged frame, a port identifies the protocol template used by the frame todetermine the VLAN to which the frame belongs.

l If the port has been added to VLANs corresponding to some protocols, and the protocoltemplate adopted by the frame matches one of these protocols, the port adds thecorresponding VLAN ID to the frame.

l If the port has been added to VLANs corresponding to some protocols, but the protocoltemplate adopted by the frame does not match any one of these protocols, the port adds thePVID to the frame.



39

NOTE


Procedure






Step 3 Run:protocol-vlan [ protocol-index ] { at | ipv4 | ipv6 | ipx { ethernetii | llc | raw | snap } | mode { ethernetii-etype etype-id1 | llc dsap dsap-id ssap ssap-id | snap-etype etype-id2 } }

A protocol is associated with a VLAN and the protocol template is specified.

l The optional parameter protocol-index specifies the protocol template index.

The protocol template is determined by the protocol type and encapsulation format. Aprotocol VLAN can be defined by a protocol template.

l When configuring the source and destination service access points, note the following points:

– dsap-id and ssap-id cannot be both set to 0xaa.

– dsap-id and ssap-id cannot be both set to 0xe0, which corresponds to the Logical LinkControl (LLC) encapsulation format for IPX packets.

– dsap-id and ssap-id cannot be both set to 0xff, which corresponds to the RAWencapsulation format for IPX packets.


1. Run the interface interface-type interface-number command to enter theview of the port to be configured to allow frames with the specified VLAN ID to passthrough.

2. Run the port link-type hybrid command to set the link type of the interface tohybrid.The interface where MAC address-based VLAN assignment is to be enabled is a hybridinterface.

3. Run the port hybrid untagged vlan { { vlan-id1 [ to vlan-id2 ] }&<1-10> | all } command to allow frames with the specified VLAN ID to pass through.

4. Run:protocol-vlan vlan vlan-id { all | protocol-index1 [ to protocol-index2 ] } [ priority priority ]

The port is associated with the VLAN.



40

l The parameter vlan-id specifies the ID of a VLAN configured based on a protocol.

l The optional parameter priority specifies the 802.1p priority value related to theprotocol. The value ranges from 0 to 7. The greater the value, the higher the priority.The default value is 0. After the 802.1p priority value is specified, frames with highpriorities are first forwarded when traffic is congested.

----End


Procedurel Run the display vlan command to check information about all VLANs or a specified

VLAN.

l Run the display mac-vlan command to check information about VLANs configuredbased on MAC addresses.

l Run the display ip-subnet-vlan vlan { all | vlan-id1 [ to vlan-id2 ] }command to check information about IP subnet associated with VLANs.

l Run the display protocol-vlan vlan { all | vlan-id1 [ to vlan-id2 ] } command to check the types and indexes of the protocols associated with VLANs.

l Run the display protocol-vlan interface { all | interface-typeinterface-number } command to check information about VLANs configured basedon protocols associated with ports.

----End

2.5 Configuring VLANIF Interfaces for Inter-VLANCommunication

A VLANIF interface is a Layer 3 logical interface. After VLANIF interfaces are created on thedevice, communication between VLANs is allowed.

Context

After VLANs are configured, users in the same VLAN can communication with each other whileusers in different VLANs cannot. To implement inter-VLAN communication, configureVLANIF interfaces which are Layer 3 logical interfaces.

If a VLAN goes Down because all ports in the VLAN go Down, the system immediately reportsthe VLAN Down event to the corresponding VLANIF interface, instructing the VLANIFinterface to go Down. To prevent network flapping caused by changes of VLANIF interfacestatus, enable VLAN damping on the VLANIF interface. After the last Up port in a VLAN goesDown, the system starts a delay timer and informs the corresponding VLANIF interface of theVLAN Down event after the timer expires. If a port in the VLAN goes Up during the delayperiod, the VLANIF interface remains Up.

MTU is short for maximum transmission unit. An MTU value determines the maximum numberof bytes each time a sender can send. If the size of packets exceeds the MTU supported by atransit node or a receiver, the transit node or receiver fragments the packets or even discards



41

them, aggravating the network transmission load. To avoid this problem, set the MTU value ofthe VLANIF interface.

NOTE

To implement communication between VLANs, hosts in each VLAN must use the IP address of thecorresponding VLANIF interface as the gateway address.

Pre-configuration Tasks

Before creating a VLANIF interface, complete the following tasks:

l Create a VLAN.

l Associate the VLAN with the physical interface.

Procedure



Step 2 Run:interface vlanif vlan-id

A VLANIF interface is created and the VLAIF interface view is displayed.

The VLAN ID specified in this command must be the ID of an existing VLAN.

A VLANIF interface is Up only when at least one physical port added to the correspondingVLAN is Up.

Step 3 Run:ip address ip-address { mask | mask-length } [ sub ]

An IP address is assigned to the VLANIF interface for communication at the network layer.

If IP addresses assigned to VLANIF interfaces belong to different network segments, a routingprotocol must be configured on the switch to provide reachable routes. Otherwise, VLANIFinterfaces cannot communicate with each other at the network layer.

Step 4 (Optional) Run:damping time delay-time

The delay period of VLAN damping is configured.

The delay-time value ranges from 0 to 20, in seconds. By default, the delay is 0 second,indicating that VLAN damping is disabled.

Step 5 (Optional) Run:mtu (VLANIF interface view) mtu

The MTU value of the VLANIF interface is configured.

The mtu value ranges from 128 to 9216. By default, the value is 1500.



42

NOTE

l After changing the maximum transmission unit (MTU) using the mtu (VLANIF interfaceview) command on a VLANIF interface, you need to restart the VLANIF interface to make the newMTU take effect. To restart the VLANIF interface, run the shutdown command and then the undoshutdown command, or run the restart (interface view) command in the VLANIFinterface view.

l If IPv6 is running on an Ethernet interface and the MTU of the interface is smaller than 1280 bytes,IPv6 cannot work properly on this interface. To prevent this problem, set the MTU of the Ethernetinterface to a value greater than or equal to 1280.

l The mtu value plus the Layer 2 frame header of a VLANIF interface must be smaller than thejumboframe value of the peer interface; otherwise, some packets may be discarded.

----End

Checking the Configurationl Run the display interface vlanif [ vlan-id ] command to verify that the VLANIF

interface and protocol are enabled and view the interface description and IP address.

2.6 Configuring VLAN Aggregation to Save IP AddressesVLAN aggregation prevents the waste of IP addresses and implements inter-VLANcommunication.

NOTE


2.6.1 Creating a Sub-VLAN

Context

In VLAN aggregation, physical interfaces can be added to a sub-VLAN but no VLANIF interfacecan be created for the sub-VLAN. All the interfaces in the sub-VLAN use the same IP addresswith the VLANIF interface of the super-VLAN. Some subnet IDs, default gateway addressesof the subnets, and directed broadcast addresses of the subnets are saved and different broadcastdomains can use the addresses in the same subnet segment. As a result, subnet differences areeliminated, addressing becomes flexible and idle addresses are reduced. VLAN aggregationallows each sub-VLAN to function as a broadcast domain to implement broadcast isolation andsaves IP address resources.

Procedure




The interface view is displayed.



43

Step 3 Run:port link-type access

The link type of the interface is set to access.

Step 4 Run:quit

Return to the system view.


A sub-VLAN is created and the sub-VLAN view is displayed.

Step 6 Run:port interface-type { interface-number1 [ to interface-number2 ] } &<1-10>

A port is added to the sub-VLAN.

----End

2.6.2 Creating a Super-VLAN

ContextA super-VLAN consists of several sub-VLANs. No physical port can be added to a super-VLAN,but a VLANIF interface can be configured for the super-VLAN and an IP address can be assignedto the VLANIF interface.

NOTE

Before configuring a super-VLAN, ensure that sub-VLANs have been configured.

Procedure




A VLAN is created, and the VLAN view is displayed.

The VLAN ID of a super-VLAN must be different from every sub-VLAN ID.

Step 3 Run:aggregate-vlan

A super-VLAN is created.

A super-VLAN cannot contain any physical interfaces.

VLAN 1 cannot be configured as a super-VLAN.

Step 4 Run:



44

access-vlan { vlan-id1 [ to vlan-id2 ] } &<1-10>

A sub-VLAN is added to a super-VLAN.

Before adding sub-VLANs to a super-VLAN, ensure that these sub-VLANs are not configuredwith VLANIF interfaces.

The device supports 256 super-VLANs and 1024 sub-VLANs globally. The maximum amountof sub-VLANs supported in a super-VLAN is 16 on the and 24 on the other models.

----End

2.6.3 Assigning an IP Address to the VLANIF Interface of a Super-VLAN

ContextThe IP address of the VLANIF interface of a super-VLAN must contain the subnet segmentswhere users in sub-VLANs reside. All the sub-VLANs use the IP address of the VLANIFinterface of the super-VLAN, saving IP addresses.

Procedure




A VLANIF interface is created for a super-VLAN, and the view of the VLANIF interface isdisplayed.


An IP address is assigned to the VLANIF interface.

----End

2.6.4 (Optional) Enabling Proxy ARP on the VLANIF Interface of aSuper-VLAN

ContextVLAN aggregation allows sub-VLANs to use the same subnet address, but prevents PCs indifferent sub-VLANs from communicating with each other at the network layer.

PCs in ordinary VLANs can communicate with each other at the network layer by using differentgateway addresses. In VLAN aggregation, PCs in a super-VLAN use the same subnet addressand gateway address. As PCs in different sub-VLANs belong to one subnet, they communicatewith each other only at Layer 2, not Layer 3. These PCs are isolated from each other at Layer2. Consequently, PCs in different sub-VLANs cannot communicate with each other.



45

Proxy ARP is required to enable PCs in a sub-VLAN to communicate with PCs in another sub-VLAN or PCs on other networks. After a super-VLAN and its VLANIF interface are created,proxy ARP must be enabled to allow the super-VLAN to forward or process ARP request andreply packets. Proxy ARP helps PCs in sub-VLANs communicate with each other at the networklayer.

NOTE

An IP address must have been assigned to the VLANIF interface corresponding to the super-VLAN.Otherwise, proxy ARP cannot take effect.

VLAN aggregation simplifies configurations for the network where many VLANs areconfigured and PCs in different VLANs need to communicate with each other.

Procedure




The view of the VLANIF interface of the super-VLAN is displayed.

Step 3 Run:arp-proxy inter-sub-vlan-proxy enable

Inter-sub-VLAN proxy ARP is enabled.

----End


Procedurel Run the display vlan [ vlan-id [ verbose ] ] command to check VLAN

information.

l Run the display interface vlanif [ vlan-id ] command to check informationabout a specific VLANIF interface.

----End

2.7 Configuring MUX VLANConfiguring a MUX VLAN allows users in different VLANs to communicate with each other,and separates users in a certain VLAN.


Before configuring a MUX VLAN, complete the following task:

l Creating VLANs



46

NOTE


2.7.1 Configuring a Principal VLAN for a MUX VLAN

ContextPorts added to a principal VLAN can communicate with every port in the MUX VLAN.

Procedure






Step 3 Run:mux-vlan

The VLAN is configured as a principal VLAN.

The VLAN ID assigned to a principal VLAN can no longer be used to configure any VLANIFinterface, VLAN Mapping, VLAN Stacking, super-VLAN, or sub-VLAN.

----End

2.7.2 Configuring a Group VLAN for a Subordinate VLAN

Context

A VLAN associated with a group port is called a group VLAN. Group ports in a group VLANcan communicate with each other.

Procedure






47

The view of a created principal VLAN is displayed.

Step 3 Run:subordinate group { vlan-id1 [ to vlan-id2 ] } &<1-10>

A group VLAN is configured for the subordinate VLAN.

A maximum of 128 group VLANs can be configured for a principal VLAN.

The VLAN ID assigned to a group VLAN can no longer be used to configure any VLANIFinterface, VLAN Mapping, VLAN Stacking, Super-VLAN, or Sub-VLAN.

----End

2.7.3 Configuring a Separate VLAN for a Subordinate VLAN

Context

A VLAN associated with separate ports is called a separate VLAN. Ports in a separate VLANcannot communicate with each other.

Procedure




The view of a created principal VLAN is displayed.

Step 3 Run:subordinate separate vlan-id

A separate VLAN is configured for a subordinate VLAN.

Only one separate VLAN can be configured for a principal VLAN.

Group VLANs and separate VLANs in one MUX VLAN cannot use the same VLAN ID.

The VLAN ID assigned to a separate VLAN can no longer be used to configure any VLANIFinterface, VLAN Mapping, VLAN Stacking, Super-VLAN, or Sub-VLAN.

----End

2.7.4 Enabling the MUX VLAN Function on a Port

Context

After the MUX VLAN function is enabled on a port, the principal VLAN and subordinate VLANcan communicate with each other; ports in a group VLAN can communicate with each other;ports in a separate VLAN cannot communicate with each other.



48

Pre-configuration TasksBefore enable MUX VLAN function, complete the following task:l The port has been added to only a VLAN. If the port has been added to multiple VLANs,

the MUX VLAN function cannot be enabled on this port.l The port has been added to a principal or subordinate VLAN in untagged mode as an access

or hybrid interface.

Procedure





Step 3 Run:port mux-vlan enable

The MUX VLAN function is enabled.

After the MUX VLAN function is enabled on an interface, VLAN mapping and VLAN stackingcannot be configured on the interface.

NOTE

l Disabling MAC address learning or limiting the number of learned MAC addresses on an interfaceaffects the MUX VLAN function on the interface.

l The MUX VLAN and port security functions cannot be enabled on the same interface.

l The MUX VLAN and MAC address authentication cannot be enabled on the same interface.

l The MUX VLAN and 802.1x authentication cannot be enabled on the same interface.

l When both DHCP snooping and MUX VLAN are configured, if DHCP snooping is configured in thesubordinate VLAN and DHCP clients are configured in the principal VLAN, the DHCP clients mayfail to obtain IP addresses. In this case, configure the DHCP server in the principal VLAN.

----End


Procedurel Run the display mux-vlan command to check information about the MUX VLAN.

----End

2.8 Configuring an mVLAN to Implement IntegratedManagement

Management VLAN (mVLAN) configuration allows users to use the VLANIF interface of themVLAN to log in to the management switch to manage devices in a centralized manner.



49

Context

To use a network management system to manage multiple devices, create a VLANIF interfaceon each device and configure a management IP address for the VLANIF interface. You can thenlog in to a device and manage it using its management IP address. If a user-side interface isadded to the VLAN, users connected to the interface can also log in to the device. This bringssecurity risks to the device.

After a VLAN is configured as a management VLAN, no access interface or dot1q-tunnelinterface can be added to the VLAN. An access interface or a dot1q-tunnel interface is connectedto users. The management VLAN forbids users connected to access and dot1q-tunnel interfacesto log in to the device, improving device performance.


Before creating a VLANIF interface, complete the following tasks:

l Create a VLAN.

l Associate the VLAN with the physical interface.

Procedure




The VLAN view is displayed.

Step 3 Run:management-vlan

An mVLAN is configured.

After an mVLAN is configured, an interface added to the mVLAN must be a trunk or hybridinterface.

VLAN 1 cannot be configured as an mVLAN.

Step 4 Run:quit

The VLAN view is quit.


A VLANIF interface is created and the VLANIF interface view is displayed.


The IP address of the VLANIF interface is configured.



50

After assigning an IP address to the VLANIF interface, you can run the stelnet command to login to a management switch to manage attached devices.

----End

Checking the Configurationl Run the display vlan command to check information about the mVLAN. The

command output shows information about the mVLAN in the line started with an asterisksign (*).

2.9 Maintaining VLANThis section describes how to view and clear VLAN statistics.

NOTE

The S2700SI and S2710SI do not support the traffic statistics function on VLANs.

2.9.1 Collecting Statistics on VLAN Traffic

Context

You can enable the traffic statistics function on VLANs to view traffic statistics on VLANs,which implements VLAN traffic policing.

Procedurel View traffic statistics on VLANs.

1. Run the statistic enable (VLAN view) command in the VLAN view toenable the traffic statistics function on VLANs.

2. Run the display vlan vlan-id statistics command in any view to view traffic statisticson a specified VLAN.

----End

2.9.2 Clearing the Statistics of VLAN Packets

Context

Before collecting traffic statistics in a specified time period on an interface, you need to resetthe original statistics on the interface.

NOTICEStatistics about VLAN packets cannot be restored after you clear it. So, confirm the action beforeyou use the command.



51

To clear the Statistics of VLAN Packets, run the following reset vlan statisticscommand in the user view:

Procedurel Run the reset vlan vlan-id statistics command to clear packets of a specified

VLAN statistics.

----End

2.9.3 Enable GMAC ping to detect Layer 2 network connectivity

ContextSimilar to IP ping, GMAC ping detects whether a fault occurs on an Ethernet link or monitorsthe link quality. GMAC ping efficiencly detects and locates Ethernet faults.

GMAC ping is applicable to networks without reference to MD, MA, and MEP configurations.

Procedure



Step 2 Run:ping mac enable

GMAC ping is enabled globally.

By default, GMAC ping is disabled.

After GMAC ping is enabled on the device, the device can ping the remote device and respondto received GMAC ping packets.

Step 3 Run:ping mac mac-address vlan vlan-id [ interface interface-type interface-number | -c count | -s packetsize | -t timeout ] *

GMAC ping is performed to check connectivity of the link between the local device and theremote device.

A MEP is not required to initiate GMAC ping. The destination node can be not a MEP or MIP.You can perform GMAC ping without configuring the MD, MA, or MEP on the source device,intermediate device, and destination device.

The two devices must be configured with IEEE 802.1ag of the same version. If the local deviceis configured with IEEE 802.1ag Draft 7 and the peer device is configured with IEEE Standard802.1ag-2007, the ping mac command does not take effect. That is, the local device cannotping the peer device.

----End

2.9.4 Enable GMAC trace to locate faults



52

Context

Similar to IP traceroute, GMAC ping detects whether a fault occurs on an Ethernet link ormonitors the link quality. GMAC trace efficiencly detects and locates Ethernet faults.

GMAC trace can be applicable to the network where no MD, MA, or MEP is configured.

Procedure

Step 1 Configuring the devices at both ends of a link and intermediate device

Perform the following operations on the devices at both ends of the link to be tested andintermediate device.

1. Run:system-view


2. Run:trace mac enable

GMAC trace is enabled globally.

By default, GMAC trace is disabled.

After GMAC ping is enabled on the device, the device can ping the remote device andrespond to received GMAC ping packets.

Step 2 Performing GMAC trace

Perform the following operations on the device at one end of the link to be tested.

1. Run:system-view


2. Run:trace mac mac-address vlan vlan-id [ interface interface-type interface-number | -t timeout | -h ]*

A connectivity fault between the local device and the remote device is located.

A MEP is not required to initiate GMAC trace. The destination node can be not a MEP orMIP. The destination node can be not a MEP or MIP. That is, GMAC trace can beimplemented without configuring the MD, MA, or MEP on the source device, intermediatedevice, and the destination device. All the intermediate devices can respond with an LTR.

The two devices must be configured with IEEE 802.1ag of the same version. If the localdevice is configured with IEEE 802.1ag Draft 7 and the peer device is configured withIEEE Standard 802.1ag-2007, the trace mac command does not take effect. That is, theconnectivity fault cannot be located.

----End



53

2.10 Configuration ExamplesThis section provides several configuration examples of VLANs including networkingrequirements, configuration roadmap, and configuration procedure.

2.10.1 Example for Assigning VLANs Based on Ports

Networking RequirementsAs shown in Figure 2-5, multiple user terminals are connected to switches in an enterprise.Users who use the same service access the enterprise network using different devices.

To ensure the communication security and avoid broadcast storms, the enterprise wants to allowusers who use the same service to communicate with each other but isolate users who usedifferent services.

Configure port-based VLANs on the switch and add ports connecting to terminals of users whouse the same service to the same VLAN. Users in different VLANs cannot perform Layer 2communication. Users in the same VLAN can communicate directly.

Figure 2-5 Networking diagram for assigning VLANs based on ports

Eth0/0/2Eth0/0/1

SwitchA

User3VLAN3

User1VLAN2

Eth0/0/3

Eth0/0/2Eth0/0/1

User4VLAN3

User2VLAN2

Eth0/0/3SwitchB


1. Create VLANs and add ports connecting to user terminals to VLANs to isolate Layer 2traffic between users who use different services.

2. Configure the type of link between SwitchA and SwitchB and VLANs to allow users whouse the same service to communicate.

Procedure

Step 1 Create VLAN2 and VLAN3 on SwitchA, and add ports connecting to user terminals to differentVLANs. Configuration of SwitchB is similar to that of SwitchA.<Quidway> system-view[Quidway] sysname SwitchA[SwitchA] vlan batch 2 3[SwitchA] interface ethernet 0/0/1[SwitchA-Ethernet0/0/1] port link-type access



54

[SwitchA-Ethernet0/0/1] port default vlan 2[SwitchA-Ethernet0/0/1] quit[SwitchA] interface ethernet 0/0/2[SwitchA-Ethernet0/0/2] port link-type access[SwitchA-Ethernet0/0/2] port default vlan 3[SwitchA-Ethernet0/0/2] quit

Step 2 Configure the type of port connecting to SwitchB on SwitchA and VLANs. Configuration ofSwitchB is similar to that of SwitchA.

[SwitchA] interface ethernet 0/0/3[SwitchA-Ethernet0/0/3] port link-type trunk[SwitchA-Ethernet0/0/3] port trunk allow-pass vlan 2 3


Add User1 and User2 to the same IP address segment, for example, 192.168.100.0/24. AddUser3 and User4 to the same IP address segment, for example, 192.168.200.0/24.

Only User1's and User2's terminals can ping each other. Only User3's and User4's terminals canping each other.

----End

Configuration FilesConfiguration file of SwitchA

#sysname SwitchA#vlan batch 2 to 3#interface Ethernet0/0/1 port link-type access port default vlan 2#interface Ethernet0/0/2 port link-type access port default vlan 3#interface Ethernet0/0/3 port link-type trunk port trunk allow-pass vlan 2 to 3#return

Configuration file of SwitchB

#sysname SwitchB#vlan batch 2 to 3#interface Ethernet0/0/1 port link-type access port default vlan 2#interface Ethernet0/0/2 port link-type access port default vlan 3 #interface Ethernet0/0/3 port link-type trunk port trunk allow-pass vlan 2 to 3



55

#return

2.10.2 Example for Assigning VLANs based on MAC Addresses


On a company intranet, the network administrator adds the PCs in a department to the sameVLAN. To improve information security, only employees in this department are allowed toaccess the intranet.

As shown in Figure 2-6, only PC1, PC2, and PC3 are allowed to access the intranet throughSwitch.

You can assign VLANs based on MAC addresses and associate MAC addresses of PCs with thespecified VLAN.

NOTE


Figure 2-6 Networking diagram for assigning VLANs based on MAC addresses

User1 User2 User3

Switch

Enterprise network

Eth0/0/2

Eth0/0/1

MAC:22-22-22 MAC:33-33-33 MAC:44-44-44

VLAN 10

Eth0/0/4

Eth

0/0/

3

Configuration Roadmap

The configuration roadmap is as follows:

1. Create VLANs and determine which VLAN the PCs of employees belong to.

2. Add Ethernet interfaces to VLANs so that packets of the VLANs can pass through theinterfaces.



56

3. Associate MAC addresses of PC1, PC2, and PC3 with the specified VLAN so that theVLAN of the packet can be determined based on the source MAC address.

Procedure

Step 1 Configure the Switch.

# Create VLANs.

<Quidway> system-view[Quidway] sysname Switch[Switch] vlan batch 10

# Add interfaces to the VLANs. The configuration of Eth0/0/3 or Eth0/0/4 is similar to theconfiguration of Eth0/0/2 and the configuration details are not mentioned here.

[Switch] interface ethernet 0/0/1[Switch-Ethernet0/0/1] port hybrid tagged vlan 10[Switch-Ethernet0/0/1] quit[Switch] interface ethernet 0/0/2[Switch-Ethernet0/0/2] port hybrid untagged vlan 10[Switch-Ethernet0/0/2] quit

# Associate MAC addresses of PC1, PC2, and PC3 with VLAN 10.

[Switch] vlan 10[Switch-vlan10] mac-vlan mac-address 22-22-22[Switch-vlan10] mac-vlan mac-address 33-33-33[Switch-vlan10] mac-vlan mac-address 44-44-44[Switch-vlan10] quit

# Enable MAC address-based VLAN assignment on Eth0/0/2. The configuration of Eth0/0/3 orEth0/0/4 is similar to the configuration of Eth0/0/2 and the configuration details are notmentioned here.

[Switch] interface ethernet 0/0/2[Switch-Ethernet0/0/2] mac-vlan enable[Switch-Ethernet0/0/2] quit


PC1, PC2, and PC3 can access the intranet, whereas other PCsUsers cannot access the intranet.

----End

Configuration Files

Configuration file of the Switch

#sysname Switch#vlan batch 10#vlan 10 mac-vlan mac-address 0022-0022-0022 priority 0 mac-vlan mac-address 0033-0033-0033 priority 0 mac-vlan mac-address 0044-0044-0044 priority 0#interface Ethernet0/0/1 port hybrid tagged vlan 10#interface Ethernet0/0/2



57

port hybrid untagged vlan 10 mac-vlan enable#interface Ethernet0/0/3 port hybrid untagged vlan 10 mac-vlan enable#interface Ethernet0/0/4 port hybrid untagged vlan 10 mac-vlan enable#return

2.10.3 Example for Assigning VLANs Based on IP Subnets


A company has multiple services, including IPTV, VoIP, and Internet access. Each service usesa unique IP subnet. Packets of the same service must be transmitted in the same VLAN, andpackets of different services must be transmitted in different VLANs.

On the network shown in Figure 2-7, the Switch receives Internet, IPTV, and voice servicesfrom users with diverse IP subnets. Packets of different services need to be transmitted indifferent VLANs, and packets of each service need to be sent to a specified remote server.

NOTE


Figure 2-7 Networking diagram for assigning VLANs based on IP subnets

Internet

IPTV server Voice

Network

192.168.1.2/24 192.168.2.2

/24

192.168.3.2/24

Eth0/0/5

Eth0/0/3

Eth0/0/2Switch

RouterA

Eth0/0/4

RouterBRouterC

Eth

0/0/

6 Eth0/0/7



58


1. Create VLANs and determine which VLAN each service belongs to.2. Associate IP subnets with VLANs so that VLANs of packets can be determined based on

the source IP addresses or specified network segments.3. Add interfaces to VLANs so that packets of the IP subnet-based VLANs can pass through

the interfaces.4. Enable IP subnet-based VLAN assignment.

Procedure

Step 1 Create VLANs.

# Create VLAN 100, VLAN 200, and VLAN 300 on the Switch.

<Quidway> system-view[Quidway] vlan batch 100 200 300

Step 2 Configure interfaces.

# Set the link type of Eth0/0/5,Eth0/0/6, and Eth0/0/7 to hybrid and add it to VLAN 100, VLAN200, and VLAN 300 respectively in untagged mode. And enable IP subnet-based VLANassignment on Eth0/0/5,Eth0/0/6, and Eth0/0/7.

[Quidway] interface ethernet 0/0/5[Quidway-Ethernet0/0/5] port link-type hybrid[Quidway-Ethernet0/0/5] port hybrid untagged vlan 100[Quidway-Ethernet0/0/5] ip-subnet-vlan enable[Quidway-Ethernet0/0/5] quit[Quidway] interface ethernet 0/0/6[Quidway-Ethernet0/0/6] port link-type hybrid[Quidway-Ethernet0/0/6] port hybrid untagged vlan 200[Quidway-Ethernet0/0/6] ip-subnet-vlan enable[Quidway-Ethernet0/0/6] quit[Quidway] interface ethernet 0/0/7[Quidway-Ethernet0/0/7] port link-type hybrid[Quidway-Ethernet0/0/7] port hybrid untagged vlan 300[Quidway-Ethernet0/0/7] ip-subnet-vlan enable[Quidway-Ethernet0/0/7] quit

# Add Eth0/0/2 of the Switch to VLAN 100.

[Quidway] interface ethernet 0/0/2[Quidway-Ethernet0/0/2] port link-type trunk[Quidway-Ethernet0/0/2] port trunk allow-pass vlan 100[Quidway-Ethernet0/0/2] quit







59

Step 3 Configure IP subnet-based VLAN assignment.

# Associate 192.168.1.2/24 to VLAN 100 and set the 802.1p priority of VLAN 100 to 2.

[Quidway] vlan 100[Quidway-vlan100] ip-subnet-vlan 1 ip 192.168.1.2 24 priority 2[Quidway-vlan100] quit

# Associate 192.168.2.2/24 to VLAN 200 and set the 802.1p priority of VLAN 200 to 3.


# Associate IP subnet 192.168.3.2/24 to VLAN 100 and set the 802.1p priority of VLAN 300to 4.



Run the display ip-subnet-vlan vlan all command on the Switch. The following informationis displayed:

[Quidway] display ip-subnet-vlan vlan all---------------------------------------------------------------- Vlan Index IpAddress SubnetMask Priority ---------------------------------------------------------------- 100 1 192.168.1.2 255.255.255.0 2 200 1 192.168.2.2 255.255.255.0 3 300 1 192.168.3.2 255.255.255.0 4 ---------------------------------------------------------------- ip-subnet-vlan count: 3 total count: 3

----End

Configuration Filesl Configuration file of the Switch

# sysname Quidway# vlan batch 100 200 300#vlan 100 ip-subnet-vlan 1 ip 192.168.1.2 255.255.255.0 priority 2vlan 200 ip-subnet-vlan 1 ip 192.168.2.2 255.255.255.0 priority 3vlan 300 ip-subnet-vlan 1 ip 192.168.3.2 255.255.255.0 priority 4#interface Ethernet0/0/2 port link-type trunk port trunk allow-pass vlan 100#interface Ethernet0/0/3 port link-type trunk port trunk allow-pass vlan 200#interface Ethernet0/0/4 port link-type trunk port trunk allow-pass vlan 300#



60

interface Ethernet0/0/5 port hybrid untagged vlan 100 ip-subnet-vlan enable#interface Ethernet0/0/6 port hybrid untagged vlan 200 ip-subnet-vlan enable#interface Ethernet0/0/7 port hybrid untagged vlan 300 ip-subnet-vlan enable#return

2.10.4 Example for Assigning VLANs Based on Protocols


A company has multiple services, including IPTV, VoIP, and Internet access. Each service usesa unique protocol. To facilitate network management, each service is added to a different VLAN.

As shown in Figure 2-8, Swithc1 receives packets of multiple services that use differentprotocols. Users in VLAN 10 use IPv4 to communicate with remote users, and users in VLAN20 use IPv6 to communicate with the servers. Switch1 needs to assign VLANs to packets ofdifferent services and transmit packets with different VLAN IDs to different servers.

NOTE


Figure 2-8 Networking diagram for assigning VLANs based on protocols

Internet

Eth0/0/1

Eth0/0/3Eth0/0/2

Switch

RouterA

IPv6VLAN 20

IPv4VLAN 10

RouterB

VoiceNetwork

Eth0/0/1

Eth0/0/2 Eth0/0/3Switch1



61


1. Create VLANs and determine which VLAN each service belongs to.2. Associate protocols with VLANs so that VLAN IDs that received packets belong to can

be assigned based on the protocol types.3. Add interfaces to VLANs so that packets of the protocol-based VLANs can pass through

the interfaces.4. Associate ports with VLANs.

After the Switch receives a frame of a specified protocol, it assigns the VLAN ID associatedwith the protocol to the frame.

Procedure

Step 1 Create VLANs.<Quidway> system-view[Quidway] sysname Switch1[Switch1] vlan batch 10 20

Step 2 Configure protocol-based VLANs.

# Associate IPv4 with VLAN 10 on Switch1.

[Switch1] vlan 10[Switch1-vlan10] protocol-vlan ipv4[Switch1-vlan10] quit

# Associate IPv6 with VLAN 20 on Switch1.

[Switch1] vlan 20[Switch1-vlan20] protocol-vlan ipv6[Switch1-vlan20] quit

Step 3 Associate interfaces with protocol-based VLANs.

# Associate Eth0/0/2 with VLAN 10 and set the 802.1p priority of VLAN 10 to 5 on Switch1.

[Switch1] interface ethernet 0/0/2[Switch1-Ethernet0/0/2] protocol-vlan vlan 10 all priority 5[Switch1-Ethernet0/0/2] quit

# Associate Eth0/0/3 with VLAN 20 and set the 802.1p priority of VLAN 20 to 6 on Switch1.

[Switch1] interface ethernet 0/0/3[Switch1-Ethernet0/0/3] protocol-vlan vlan 20 all priority 6[Switch1-Ethernet0/0/3] quit

Step 4 Configure interfaces.

# Add Eth0/0/1 to VLAN 10 and VLAN 20 in trunk mode on Switch1.

[Switch] interface ethernet 0/0/1[Switch-Ethernet0/0/1] port link-type trunk[Switch-Ethernet0/0/1] port trunk allow-pass vlan 10 20[Switch-Ethernet0/0/1] quit

# Add Eth0/0/2 to VLAN 10 in untagged mode on Switch1.

[Switch] interface ethernet 0/0/2[Switch-Ethernet0/0/2] port link-type hybrid



62

[Switch-Ethernet0/0/2] port hybrid untagged vlan 10[Switch-Ethernet0/0/2] quit

# Add Eth0/0/3 to VLAN 20 in untagged mode on Switch1.

[Switch] interface ethernet 0/0/3[Switch-Ethernet0/0/3] port link-type hybrid[Switch-Ethernet0/0/3] port hybrid untagged vlan 20[Switch-Ethernet0/0/3] quit

# Add Eth0/0/1 to VLAN 10 and VLAN 20 in trunk mode on Switch.

[Switch] interface ethernet 0/0/1[Switch-Ethernet0/0/1] port link-type trunk[Switch-Ethernet0/0/1] port trunk allow-pass vlan 10 20[Switch-Ethernet0/0/1] quit

# Add Eth0/0/2 to VLAN 10 in trunk mode on Switch.

[Switch] interface ethernet 0/0/2[Switch-Ethernet0/0/2] port link-type trunk[Switch-Ethernet0/0/2] port trunk allow-pass vlan 10[Switch-Ethernet0/0/2] quit

# Add Eth0/0/3 to VLAN 20 in trunk mode on Switch.

[Switch] interface ethernet 0/0/3[Switch-Ethernet0/0/3] port link-type trunk[Switch-Ethernet0/0/3] port trunk allow-pass vlan 20[Switch-Ethernet0/0/3] return


After you complete the configuration, run the display protocol-vlan interfaceall command on Switch1 to view the protocol-based VLAN assignment.

<Switch1> display protocol-vlan interface all------------------------------------------------------------------------------- Interface VLAN Index Protocol Type Priority------------------------------------------------------------------------------- Ethernet0/0/2 10 0 IPv4 5 Ethernet0/0/3 20 0 IPv6 6

----End

Configuration Filesl Configuration file of the Switch1

#sysname Switch1#vlan batch 10 20#vlan 10 protocol-vlan 0 ipv4vlan 20 protocol-vlan 0 ipv6#interface Ethernet0/0/1 port link-type trunk port trunk allow-pass vlan 10 20#interface Ethernet0/0/2 port hybrid untagged vlan 10 protocol-vlan vlan 10 0 priority 5#



63

interface Ethernet0/0/3 port hybrid untagged vlan 20 protocol-vlan vlan 20 0 priority 6#return

l Configuration file of the Switch#sysname Switch#interface Ethernet0/0/1 port link-type trunk port trunk allow-pass vlan 10 20#interface Ethernet0/0/2 port link-type trunk port trunk allow-pass vlan 10#interface Ethernet0/0/3 port link-type trunk port trunk allow-pass vlan 20#return

2.10.5 Example for Implementing Inter-VLAN CommunicationUsing VLANIF Interfaces


Users in an enterprise use different services and locate at different network segments. Users whouse the same service belong to different VLANs and they want to communicate with each other.

As shown in Figure 2-9, User 1 and User 2 use the same service but belong to different VLANsand locate at different network segments. User 1 wants to communicate with User 2.

Figure 2-9 Networking diagram for implementing inter-VLAN communication using VLANIFinterfaces

Switch

VLAN 10 VLAN 20

10.10.10.3/24 20.20.20.3/24User1 User2

Eth0/0/1VLANIF10

10.10.10.2/24

Eth0/0/2VLANIF2020.20.20.2/24



1. Create VLANs on the switches for different users.2. Add interfaces to VLANs so that packets of the VLANs can pass through the interfaces.



64

3. Create VLANIF interfaces and configure IP addresses for the VLANIF interfaces toimplement Layer 3 communication.

NOTE

To implement communication between VLANs, hosts in each VLAN must use the IP address of thecorresponding VLANIF interface as the gateway address.

Procedure


# Create VLANs.

<Quidway> system-view[Quidway] sysname Switch[Switch] vlan batch 10 20

# Add interfaces to VLANs.

[Switch] interface ethernet 0/0/1[Switch-Ethernet0/0/1] port link-type access[Switch-Ethernet0/0/1] port default vlan 10[Switch-Ethernet0/0/1] quit[Switch] interface ethernet 0/0/2[Switch-Ethernet0/0/2] port link-type access[Switch-Ethernet0/0/2] port default vlan 20[Switch-Ethernet0/0/2] quit

# Assign IP addresses to the VLANIF interfaces.

[Switch] interface vlanif 10[Switch-Vlanif10] ip address 10.10.10.2 24[Switch-Vlanif10] quit[Switch] interface vlanif 20[Switch-Vlanif20] ip address 20.20.20.2 24[Switch-Vlanif20] quit


Configure the IP address 10.10.10.3/24 on user 1's host, configure the VLANIF 10 interface IPaddress 10.10.10.2/24 as the gateway address.

Configure the IP address 20.20.20.3/24 on user 1's host, configure the VLANIF 10 interface IPaddress 20.20.20.2/24 as the gateway address.

After the preceding configurations are complete, User 1 in VLAN 10 and User 2 in VLAN 20can communicate.

----End

Configuration FilesConfiguration file of the Switch

#sysname Switch#vlan batch 10 20#interface Vlanif10 ip address 10.10.10.2 255.255.255.0#



65

interface Vlanif20 ip address 20.20.20.2 255.255.255.0#interface Ethernet0/0/1 port link-type access port default vlan 10#interface Ethernet0/0/2 port link-type access port default vlan 20#return

2.10.6 Example for Configuring VLAN Aggregation

Networking RequirementsMultiple departments in an enterprise locate at the same network segment. To improve theservice security, assign departments to different VLANs. Some departments need tocommunicate.

As shown in Figure 2-10, departments in VLAN 2 and VLAN 3 want to communicate with eachother.

You can configure VLAN aggregation on the switch to isolate VLAN 2 from VLAN 3 at Layer2 and allow them to communicate at Layer 3. VLAN 2 and VLAN 3 use the same subnet segment,saving IP addresses.

NOTE


Figure 2-10 Networking diagram for configuring VLAN aggregation

VLAN 2 VLAN 3

VLAN4

Switch

VLAN3VLAN2

VLANIF4:100.1.1.12/24

Eth0/0/1 Eth0/0/2

Eth0/0/3

Eth0/0/4




66

1. Add interfaces of the Switch to sub-VLANs to isolate sub-VLANs at Layer 2.2. Add the sub-VLANs to a super-VLAN.3. Configure the IP address for the VLANIF interface.4. Configure proxy ARP for the super-VLAN to allow sub-VLANs to communicate at Layer

3.

Procedure

Step 1 Set the interface type.

# Configure Eth 0/0/1 as an access interface.

<Quidway> system-view[Quidway] sysname Switch[Switch] interface ethernet 0/0/1[Switch-Ethernet0/0/1] port link-type access[Switch-Ethernet0/0/1] quit

Configurations of Eth0/0/2, Eth0/0/3, and Eth0/0/4 are the same as that of Eth0/0/1.

Step 2 Create VLAN 2 and add Eth0/0/1 and Eth0/0/2 to VLAN 2.[Switch] vlan 2[Switch-vlan2] port ethernet 0/0/1 0/0/2[Switch-vlan2] quit

Step 3 Create VLAN 3 and add Eth0/0/3 and Eth0/0/4 to VLAN 3.[Switch] vlan 3[Switch-vlan3] port ethernet 0/0/3 0/0/4[Switch-vlan3] quit

Step 4 Configure VLAN 4.

# Configure the super-VLAN.

[Switch] vlan 4[Switch-vlan4] aggregate-vlan[Switch-vlan4] access-vlan 2 to 3[Switch-vlan4] quit

# Configure the VLANIF interface.

[Switch] interface vlanif 4[Switch-Vlanif4] ip address 100.1.1.12 255.255.255.0[Switch-Vlanif4] quit

Step 5 Configure the PCs.

Configure an IP address for each PC. Ensure that the PC IP addresses are in the same networksegment as VLAN 4.

When the configuration is complete, the PCs and the Switch can ping each other, but the PCs inVLAN 2 and the PCs in VLAN 3 cannot ping each other. You need to configure proxy ARP onthe switch.

Step 6 Configure proxy ARP.[Switch] interface vlanif 4 [Switch-Vlanif4] arp-proxy inter-sub-vlan-proxy enable[Switch-Vlanif4] quit




67

When the configuration is complete, the PCs in VLAN 2 and VLAN 3 can ping each other.

----End


#sysname switch#vlan batch 2 to 4#vlan 4 aggregate-vlan access-vlan 2 to 3#interface Vlanif4 ip address 100.1.1.12 255.255.255.0 arp-proxy inter-sub-vlan-proxy enable#interface Ethernet0/0/1 port link-type access port default vlan 2#interface Ethernet0/0/2 port link-type access port default vlan 2#interface Ethernet0/0/3 port link-type access port default vlan 3#interface Ethernet0/0/4 port link-type access port default vlan 3#return

2.10.7 Example for Configuring MUX VLAN

Networking RequirementsOn an enterprise network, all users can access the enterprise server. Some users need tocommunicate with each other, whereas some users must be isolated each other.

As shown in Figure 2-11, MUX VLAN can be configured on the Switch to meet the enterprise'srequirements using fewer VLAN IDs. In addition, MUX VLAN reduces the configurationworkload of the network administrator, and facilitates network maintenance.

NOTE




68

Figure 2-11 MUX VLAN configuration

VLAN3(Group VLAN) VLAN4(Separate VLAN)

VLAN2(Principal VLAN)

HostEHostDHostCHostB

Eth0/0/2

Eth0/0/1

Eth0/0/3 Eth0/0/4

Eth0/0/5

SwitchServer


1. Configure the principal VLAN.2. Configure the group VLAN.3. Configure the separate VLAN.4. Add interfaces to the VLANs and enable the MUX VLAN function.

Procedure

Step 1 Configure the MUX VLAN.

# Create VLAN 2, VLAN 3, and VLAN 4.

<Quidway> system-view[Quidway] vlan batch 2 3 4

# Configure the Group VLAN and Separate VLAN in the MUX VLAN.

[Quidway] vlan 2[Quidway-vlan2] mux-vlan[Quidway-vlan2] subordinate group 3[Quidway-vlan2] subordinate separate 4[Quidway-vlan2] quit

# Add interfaces to the VLANs and enable the MUX VLAN function on the interfaces.

[Quidway] interface ethernet 0/0/1[Quidway-Ethernet0/0/1] port link-type access[Quidway-Ethernet0/0/1] port default vlan 2[Quidway-Ethernet0/0/1] port mux-vlan enable[Quidway-Ethernet0/0/1] quit[Quidway] interface ethernet 0/0/2[Quidway-Ethernet0/0/2] port link-type access[Quidway-Ethernet0/0/2] port default vlan 3[Quidway-Ethernet0/0/2] port mux-vlan enable[Quidway-Ethernet0/0/2] quit[Quidway] interface ethernet 0/0/3[Quidway-Ethernet0/0/3] port link-type access[Quidway-Ethernet0/0/3] port default vlan 3[Quidway-Ethernet0/0/3] port mux-vlan enable[Quidway-Ethernet0/0/3] quit



69

[Quidway] interface ethernet 0/0/4[Quidway-Ethernet0/0/4] port link-type access[Quidway-Ethernet0/0/4] port default vlan 4[Quidway-Ethernet0/0/4] port mux-vlan enable[Quidway-Ethernet0/0/4] quit[Quidway] interface ethernet 0/0/5[Quidway-Ethernet0/0/5] port link-type access[Quidway-Ethernet0/0/5] port default vlan 4[Quidway-Ethernet0/0/5] port mux-vlan enable[Quidway-Ethernet0/0/5] quit


The server can communicate with HostB, HostC, HostD, and HostE at Layer 2.

HostB can communicate with HostC at Layer 2.

HostD cannot communicate with HostE at Layer 2.

HostB and HostC cannot communicate with HostD and HostE at Layer 2.

----End

Configuration Files


# sysname Quidway#vlan batch 2 to 4#vlan 2 mux-vlan subordinate separate 4 subordinate group 3#interface Ethernet0/0/1 port link-type access port default vlan 2 port mux-vlan enable#interface Ethernet0/0/2 port link-type access port default vlan 3 port mux-vlan enable#interface Ethernet0/0/3 port link-type access port default vlan 3 port mux-vlan enable#interface Ethernet0/0/4 port link-type access port default vlan 4 port mux-vlan enable#interface Ethernet0/0/5 port link-type access port default vlan 4 port mux-vlan enable#return



70

2.11 Common Configuration ErrorsThis section describes common VLAN configuration errors.

2.11.1 User Terminals in the Same VLAN Cannot Ping Each Other

Fault Description

User terminals in the same VLAN cannot ping each other.

Procedure

Step 1 Check that the interfaces connected to the user terminals are in Up state.

Run the display interface interface-type interface-number command inany view to check the status of the interfaces.

l If the interface is Down, rectify the interface fault.

l If the interface is Up, go to Step 2.

Step 2 Check whether the IP addresses of user terminals are in the same network segment.

l If they are in different network segments, change the IP addresses of the user terminals.

l If they are in the same network segment, go to Step 3

Step 3 Check that the MAC address entries on the Switch are correct.

Run the display mac-address command on the Switch to check whether the MACaddresses, interfaces, and VLANs in the learned MAC address entries are correct. If the learnedMAC address entries are incorrect, run the undo mac-address mac-address vlanvlan-id command on the system view to delete the current entries so that the Switch can learnMAC address entries again.

After the MAC address table is updated, check the MAC address entries again.

l If the MAC address entries are incorrect, go to Step 4.

l If the MAC address entries are correct, go to Step 5.

Step 4 Check that the VLAN is properly configured.

l Check the VLAN configuration according to the following table.

Check Item Method

Whether theVLAN has beencreated

Run the display vlan vlan-id command in any view to checkwhether the VLAN has been created. If not, run the vlan commandin system view to create the VLAN.



71

Check Item Method

Whether theinterfaces areadded to theVLAN

Run the display vlan vlan-id command in any view to checkwhether the VLAN contains the interfaces. If not, add the interfacesto the VLAN.NOTE

If the interfaces are located on different devices, add the interfaces connectingthe devices to the VLAN.

The default type of an Switch interface is Hybrid. You can run the portlink-type command to change the interface type.

l Add an access interface to the VLAN using either of thefollowing methods:1. Run the port default vlan command in the interface

view.2. Run the port command in the VLAN view.

l Add a trunk interface to the VLAN.Run the port trunk allow-pass vlan command in theinterface view.

l Add a hybrid interface to the VLAN using either of the followingmethods:1. Run the port hybrid tagged vlan command in the

interface view.2. Run the port hybrid untagged vlan command in

the interface view.

Whetherconnectionsbetween interfacesand user terminalsare correct

Check the connections between interfaces and user terminalsaccording to the network plan. If any user terminal is connected toan incorrect interface, connect it to the correct interface.

After the preceding operations, if the MAC address entries are correct, go to Step 5.

Step 5 Check whether port isolation is configured.

Run the interface interface-type interface-number command in the systemview to enter the interface view, and then run the display this command to check whetherport isolation is configured on the interface.

l If port isolation is not configured, go to Step 6.

l If port isolation is configured, run the undo port-isolate enable command on theinterface to disable port isolation. If the fault persists, go to Step 6.

Step 6 Check whether correct static Address Resolution Protocol (ARP) entries are configured on theuser terminals. If the static ARP entries are incorrect, modify them.

----End



72

2.11.2 VLANIF Interface Goes Down

Fault SymptomA VLANIF interface is in Down state.

Common causes and solutionsTable 2-5 lists the common causes and solutions.

Table 2-5 Common causes and solutions

Common Cause Solution

No interface is added to the correspondingVLAN.

Add interfaces to the corresponding VLAN.

All interfaces added to the VLAN arephysically Down.

Rectify the fault. A VLANIF interface is Upas long as an interface in the correspondingVLAN is Up.

No IP address is assigned to the VLANIFinterface.

Run the ip address command in the viewof the VLANIF interface to assign an IPaddress to the VLANIF interface.

The VLANIF interface is shut down. Run the undo shutdown (interfaceview) command in the view of the VLANIFinterface to enable the VLANIF interface.



73

3 VLAN Mapping Configuration

About This Chapter

VLAN mapping is configured on the edge device of the public network so that the VLANs ofprivate networks are isolated from S-VLANs. This saves S-VLAN resources.

NOTE

The S2700SI and S2710SI do not support VLAN Mapping.

3.1 VLAN Mapping OverviewVLAN mapping can implement translation between C-VLAN IDs and S-VLAN IDs.

3.2 VLAN Mapping Features Supported by DevicesThis section describes VLAN mapping modes supported by the switch.

3.3 Configuring Interface-based VLAN Mapping1 to 1 VLAN mapping is configured on the primary interface to map the single VLAN tag inpackets to a single S-VLAN tag.

3.4 Configuring Global VLAN MappingTo apply VLAN mapping to multiple interfaces, you can configure global VLAN mapping tosimplify configuration.

3.5 Configuration ExamplesThis section provides several configuration examples of VLAN mapping including networkingrequirements, configuration roadmap, and configuration procedure.

3.6 Common Configuration ErrorsThis section describes common faults caused by incorrect VLAN mapping configurations andprovides the troubleshooting procedure.

S2700&S3700 Series Ethernet SwitchesConfiguration Guide - Ethernet 3 VLAN Mapping Configuration


74

3.1 VLAN Mapping OverviewVLAN mapping can implement translation between C-VLAN IDs and S-VLAN IDs.

VLAN effectively controls the scale of broadcast domains and isolates users. Some low-endswitches do not support VLAN IDs ranging from 1 to 4094. They support a limited range suchas 1 to 512. Some VLAN IDs are reserved and unavailable to users, and C-VLAN IDs conflictwith S-VLAN IDs. VLAN mapping is used to resolve this problem.

VLAN mapping, also called VLAN translation, implements the mapping between C-VLAN tagsand S-VLAN tags by replacing VLAN tags of packets. VLAN mapping allows services to betransmitted based on the provider's network plan.

3.2 VLAN Mapping Features Supported by DevicesThis section describes VLAN mapping modes supported by the switch.

The switch supports the following VLAN mapping features:l Single-tag VLAN mapping based on the interface.l Global VLAN mapping

3.3 Configuring Interface-based VLAN Mapping1 to 1 VLAN mapping is configured on the primary interface to map the single VLAN tag inpackets to a single S-VLAN tag.

ContextWhen receiving a tagged packet, an interface maps the VLAN ID in the packet to an S-VLANID.

After the port vlan-mapping vlan vlan-id1 [ to vlan-id2 ] map-vlan vlan-id3[ remark-8021p 8021p-value ] command is used on an interface, vlan-id1 [ to vlan-id2 ] is mapped to vlan-id3 in the inbound direction, and vlan-id3 is mapped to vlan-id1 [ tovlan-id2 ] in the outbound direction.

Pre-configuration Tasksl Creating the specified VLANl Adding the primary interface to the translated VLAN

NOTE

VLAN mapping can be configured only on a trunk or hybrid interface, and the hybrid interface must beadded to the translated VLAN in tagged mode.

Procedure




75




Step 3 Run:qinq vlan-translation enable

VLAN translation is enabled on the interface.

Step 4 Run:port vlan-mapping vlan vlan-id1 [ to vlan-id2 ] map-vlan vlan-id3 [ remark-8021p 8021p-value ]

Single-tagged VLAN mapping is configured on the interface.

NOTE

l If a VLAN ID range is specified by vlan-id1 to vlan-id2, the interface needs to be added tothese VLANs in tagged mode. The translated VLAN cannot have a VLANIF interface.

l If VLAN mapping and DHCP are configured on the same interface, the interface must be added to theoriginal VLANs (VLANs before mapping) in tagged mode.

l Configuring mac-limit and N:1 VLAN mapping simultaneously causes a high CPU usage on somelow-end switches. Therefore, such configuration is not recommended.

l On the S2700EI series except the S2700-52P-EI and S2700-52P-PWR-EI, if IP source guard, DynamicARP Inspection (DAI), MFF, traffic policy, or QoS car is configured in the VLAN specified by thePVID on an interface, VLAN mapping cannot be configured on the interface. If VLAN mapping isconfigured on the interface, traffic forwarding fails.

----End

3.4 Configuring Global VLAN MappingTo apply VLAN mapping to multiple interfaces, you can configure global VLAN mapping tosimplify configuration.

Context

Perform the following operations on the switch requiring the global VLAN mappingconfiguration.

NOTE

Global VLAN mapping and interface-based VLAN mapping can be configured simultaneously onanS2700-52P-EI, S2700-52P-PWR-EI, or S3700. Such configuration is not allowed on the other models.


Before configuring global VLAN mapping, complete the following tasks:

l Creating the VLANs involved in VLAN mapping

l Adding the related interfaces to the translated VLAN in tagged mode



76

Procedure





Step 3 Run:vlan-mapping map-vlan vlan-id [ remark-8021p 8021p-value ]

Global VLAN mapping is configured.

NOTE

Only the S2700-52P-EI, S2700-52P-PWR-EI, and S3700 support the remark-8021p 8021p-valueparameter.

To enable global VLAN mapping to take effect on an interface, ensure that:

l The interface is a hybrid or trunk interface.

l VLAN translation is enabled on the interface by using the qinq vlan-translation enablecommand.

----End

3.5 Configuration ExamplesThis section provides several configuration examples of VLAN mapping including networkingrequirements, configuration roadmap, and configuration procedure.

3.5.1 Example for Configuring Interface-based VLAN Mapping

Networking RequirementsAs shown in Figure 3-1, users in VLAN 6 need to communicate with users in VLAN 5 throughVLAN 10 on the network.



77

Figure 3-1 Networking diagram of single-tag VLAN mapping configurations

VLAN10SwitchC SwitchD

SwitchBSwitchA

Eth0/0/1

Eth0/0/1

Eth0/0/3Eth0/0/2

VLAN6

172.16.0.1/16 172.16.0.2/16 172.16.0.3/16 172.16.0.5/16 172.16.0.6/16 172.16.0.7/16

VLAN5Eth0/0/1

Eth0/0/1

Eth0/0/2 Eth0/0/3

Network



1. Create VLANs on SwitchA, SwitchB, SwitchC, and SwitchD.

2. Add interfaces of SwitchA, SwitchB, SwitchC, and SwitchD to the corresponding VLANs.

3. Configure single-tag VLAN mapping on Eth 0/0/1 of SwitchA.

4. Configure single-tag VLAN mapping on Eth 0/0/1 of SwitchB.

Procedure

Step 1 Create VLANs on the Switches.

# Create VLAN 6 on SwitchA.

<Quidway> system-view[Quidway] sysname SwitchA[SwitchA] vlan 6

# Create VLAN 5 on SwitchB.

<Quidway> system-view[Quidway] sysname SwitchB[SwitchB] vlan 5

# Create VLAN 10 on SwitchC.

<Quidway> system-view[Quidway] sysname SwitchC[SwitchC] vlan 10

# Create VLAN 10 on SwitchD.



78

<Quidway> system-view[Quidway] sysname SwitchD[SwitchD] vlan 10

Step 2 Add interfaces to VLANs.

# Add Eth 0/0/2 and Eth 0/0/3 of SwitchA to VLAN 6.

[SwitchA] interface ethernet 0/0/2[SwitchA-Ethernet0/0/2] port link-type trunk[SwitchA-Ethernet0/0/2] port trunk allow-pass vlan 6[SwitchA-Ethernet0/0/2] quit[SwitchA] interface ethernet 0/0/3[SwitchA-Ethernet0/0/3] port link-type trunk[SwitchA-Ethernet0/0/3] port trunk allow-pass vlan 6[SwitchA-Ethernet0/0/3] quit

# Add Eth 0/0/1 of SwitchA to VLAN 6.

[SwitchA] interface ethernet 0/0/1[SwitchA-Ethernet0/0/1] port link-type trunk[SwitchA-Ethernet0/0/1] port trunk allow-pass vlan 6[SwitchA-Ethernet0/0/1] quit

# Add Eth 0/0/2 and Eth 0/0/3 of SwitchB to VLAN 5.

[SwitchB] interface ethernet 0/0/2[SwitchB-Ethernet0/0/2] port link-type trunk[SwitchB-Ethernet0/0/2] port trunk allow-pass vlan 5[SwitchB-Ethernet0/0/2] quit[SwitchB] interface ethernet 0/0/3[SwitchB-Ethernet0/0/3] port link-type trunk[SwitchB-Ethernet0/0/3] port trunk allow-pass vlan 5[SwitchB-Ethernet0/0/3] quit

# Add Eth 0/0/1 of SwitchB to VLAN 5.

[SwitchB] interface ethernet 0/0/1[SwitchB-Ethernet0/0/1] port link-type trunk[SwitchB-Ethernet0/0/1] port trunk allow-pass vlan 5[SwitchB-Ethernet0/0/1] quit

# Add Eth 0/0/1 of SwitchC to VLAN 10.

[SwitchC] interface ethernet 0/0/1[SwitchC-Ethernet0/0/1] port link-type trunk[SwitchC-Ethernet0/0/1] port trunk allow-pass vlan 10[SwitchC-Ethernet0/0/1] quit

# Add Eth 0/0/1 of SwitchD to VLAN 10.

[SwitchD] interface ethernet 0/0/1[SwitchD-Ethernet0/0/1] port link-type trunk[SwitchD-Ethernet0/0/1] port trunk allow-pass vlan 10[SwitchD-Ethernet0/0/1] quit

Step 3 Configure single-tag VLAN mapping on the Switches.

# Configure single-tag VLAN mapping on Eth 0/0/1 of SwitchA.

[SwitchA-Ethernet0/0/1] qinq vlan-translation enable[SwitchA-Ethernet0/0/1] port vlan-mapping vlan 10 map-vlan 6

# Configure single-tag VLAN mapping on Eth 0/0/1 of SwitchB.

[SwitchB-Ethernet0/0/1] qinq vlan-translation enable[SwitchB-Ethernet0/0/1] port vlan-mapping vlan 10 map-vlan 5



79


The hosts in VLAN 6 and the hosts in VLAN 5 can ping each other.

----End

Configuration Filesl Configuration file of SwitchA# sysname SwitchA#vlan batch 6#interface Ethernet0/0/1 qinq vlan-translation enable port link-type trunk port trunk allow-pass vlan 6 port vlan-mapping vlan 10 map-vlan 6#interface Ethernet0/0/2 port link-type trunk port trunk allow-pass vlan 6#interface Ethernet0/0/3 port link-type trunk port trunk allow-pass vlan 6#return

l Configuration file of SwitchB# sysname SwitchB#vlan batch 5#interface Ethernet0/0/1 qinq vlan-translation enable port link-type trunk port trunk allow-pass vlan 5 port vlan-mapping vlan 10 map-vlan 5#interface Ethernet0/0/2 port link-type trunk port trunk allow-pass vlan 5#interface Ethernet0/0/3 port link-type trunk port trunk allow-pass vlan 5#return

l Configuration file of SwitchC# sysname SwitchC#vlan batch 10#interface Ethernet0/0/1 port link-type trunk port trunk allow-pass vlan 10#return

l Configuration file of SwitchD



80

# sysname SwitchD#vlan batch 10#interface Ethernet0/0/1 port link-type trunk port trunk allow-pass vlan 10#return

3.5.2 Example for Configuring Interface-based N:1 VLAN Mapping


As shown in Figure 3-2, users in VLAN 100 to VLAN 110 connect to the Internet through theaggregate switch (Switch) of the carrier.

After user devices are powered on, they send service request packets to the switch of the carrier.After the user devices pass the authentication, services can be used.

Figure 3-2 Networking diagram of N:1 VLAN mapping

Eth0/0/1Switch

…… ……

SwitchA

SwitchE

VLAN100~110

……

SwitchDSwitchCSwitchB

Internet





81

1. Configure the original and translated VLAN IDs.2. Add Eth 0/0/1 of the Switch to the original and translated VLANs in tagged mode.3. Configure VLAN mapping on Eth 0/0/1 of the Switch.

Procedure


# Create VLANs.

<Quidway> system-view[Quidway] vlan batch 10 100 to 110

# Add related Eth 0/0/1 to the VLANs.

[Quidway] interface ethernet 0/0/1[Quidway-Ethernet0/0/1] port hybrid tagged vlan 10 100 to 110

# Configure VLAN mapping on Eth 0/0/1.

[Quidway-Ethernet0/0/1] qinq vlan-translation enable[Quidway-Ethernet0/0/1] port vlan-mapping vlan 100 to 110 map-vlan 10[Quidway-Ethernet0/0/1] quit


Users in VLAN 100 to VLAN 110 can connect to the Internet through the Switch.

----End

Configuration Filesl Configuration file of the Switch# sysname Quidway#vlan batch 10 100 to 110#interface Ethernet0/0/1 qinq vlan-translation enable port hybrid tagged vlan 10 100 to 110 port vlan-mapping vlan 100 to 110 map-vlan 10#return

3.5.3 Example for Configuring Global VLAN Mapping

Networking RequirementsAs shown in Figure 3-3, users in VLAN 10 connect to network through the Switch.



82

Figure 3-3 Networking of global VLAN mapping

Switch

……

SwitchA

VLAN 10

……

SwitchDSwitchCSwitchB

InternetVLAN 20

Eth0/0/1

……



1. Create the VLANs before and after mapping on the Switch.2. Add Eth0/0/1 of the Switch to the translated VLAN in tagged mode.3. Enable VLAN translation on Eth0/0/1 of the Switch.4. Configure other downlink interfaces of the Switch in the same way.5. Configuring global VLAN mapping on the Switch.

Procedure


# Create VLANs.

<Quidway> system-view[Quidway] vlan batch 10 20

# Add Eth0/0/1 to the VLANs.

[Quidway] interface ethernet 0/0/1[Quidway-Ethernet0/0/1] port hybrid tagged vlan 20

# Enable VLAN translation on Eth0/0/1.

[Quidway-Ethernet0/0/1] qinq vlan-translation enable[Quidway-Ethernet0/0/1] quit



83

# Configure global VLAN mapping.

[Quidway] vlan 10[Quidway-vlan10] vlan-mapping map-vlan 20 [Quidway-vlan10] quit


Users in VLAN 10 can connect to the Internet through the Switch.

----End

Configuration Filesl Configuration file of the Switch#sysname Quidway#vlan batch 10 20#interface Ethernet0/0/1 qinq vlan-translation enable port hybrid tagged vlan 20 #vlan 10 vlan-mapping map-vlan 20 #return

3.6 Common Configuration ErrorsThis section describes common faults caused by incorrect VLAN mapping configurations andprovides the troubleshooting procedure.

3.6.1 Communication Failure After VLAN Mapping Configuration

SymptomAs shown in Figure 3-4, users in VLAN 6 need to communicate with users in VLAN 5 over anISP network. The carrier assigns VLAN 10 as the S-VLAN. Single-tag VLAN mapping isconfigured on Eth 0/0/1 of SwitchC and SwitchD to map C-VLANs 5 and 6 to S-VLAN 10.



84

Figure 3-4 VLAN mapping networking diagram

VLAN10ISP network

SwitchC SwitchD

SwitchA SwitchBEth0/0/1 Eth0/0/1

Eth0/0/1

Eth0/0/3Eth0/0/2

172.16.0.1/16 172.16.0.2/16 172.16.0.3/16 172.16.0.6/16 172.16.0.7/16172.16.0.5/16

Eth0/0/1

Eth0/0/2 Eth0/0/3VLAN6 VLAN5

After VLAN mapping is configured on the interfaces, users in different VLANs cannotcommunicate with each other. This fault is commonly caused by one of the following:

l The translated VLAN (map-vlan) has not been created.

l The interfaces configured with VLAN mapping are not added to the translated VLAN.

l The translated VLAN ID configured on SwitchC and SwitchD is different from the S-VLAN ID assigned by the carrier.

l The interfaces configured with VLAN mapping are faulty.

Procedure1. Run the display vlan command to verify that the translated VLAN (map-vlan) is

created.

l If the translated VLAN has not been created, run the vlan command to create it.

l If the translated VLAN is created, go to the next step.2. Run the display this command to verify that the interfaces configured with VLAN

mapping have been added to the translated VLAN in tagged mode.

NOTE

l VLAN mapping can be configured only on a trunk or hybrid interface, and the hybrid interface mustbe added to the translated VLAN in tagged mode.

l If a range of original VLANs is specified by vlan-id1 to vlan-id2 on an interface, the interface mustbe added to all the original VLANs in tagged mode, and the translated VLAN cannot have a VLANIFinterface.

l Limiting MAC address learning on an interface may affect N to 1 VLAN mapping on the interface.

l If the interfaces configured with VLAN mapping have not been added to the translatedVLAN in tagged mode, run the port trunk allow-pass vlan or port



85

hybrid tagged vlan command in the interface view to add the interfaces to thetranslated VLAN in tagged mode.

l If the interfaces have been added to the translated VLAN in tagged mode, go to the nextstep.

3. Run the display this command to verify that the translated VLAN ID configured onthe interface is the same as the S-VLAN ID assigned by the carrier.l If the translated VLAN ID on an interface is different from the S-VLAN ID assigned

by the carrier, run the undo port vlan-mapping command on the interface todelete the VLAN mapping configuration, and run the port vlan-mappingvlan command to set the translated VLAN ID to the S-VLAN ID.

l If the translated VLAN ID is the same as the S-VLAN ID assigned by the carrier, go tothe next step.

4. Run the display vlan vlan-id command to verify that user-side interfaces are addedto C-VLANs.l If the user-side interfaces are not in the C-VLANs, run the port trunk allow-

pass vlan, port hybrid tagged vlan, or port default vlancommand to add the interfaces to the C-VLANs.



86

4 Voice VLAN Configuration

About This Chapter

This chapter describes the concepts and configuration procedure of voice VLAN, and providesconfiguration examples.

NOTE

The S2700SI and S2710SI do not support Voice VLAN.

4.1 Voice VLAN OverviewA voice VLAN changes the priority of voice data packets to improve the voice data transmissionquality.

4.2 Voice VLAN Features Supported by the DeviceThis section describes the voice VLAN features supported by the device.

4.3 Default ConfigurationThis section describes default voice VLAN settings that can be changed in practical applications.

4.4 Configuring an Automatic Voice VLANThis section describes how to set the mode in which interfaces are added to a voice VLAN toauto.

4.5 Configuring a Manual Voice VLANThis section describes how to set the mode in which interfaces are added to a voice VLAN tomanual.

4.6 Configuration ExamplesThis section provides configuration examples for voice VLAN.

S2700&S3700 Series Ethernet SwitchesConfiguration Guide - Ethernet 4 Voice VLAN Configuration


87

4.1 Voice VLAN OverviewA voice VLAN changes the priority of voice data packets to improve the voice data transmissionquality.

As shown in Figure 4-1, data flows of the high-speed Internet (HSI), voice over IP (VoIP), andInternet Protocol television (IPTV) services are transmitted on a network. Packet loss and delaygreatly affect the voice quality. To ensure high voice quality for users, voice data flows must betransmitted with a high priority and through an exclusive path.

A voice VLAN transmits voice data flows. You can create a voice VLAN and add an interfaceconnected to a voice device to the voice VLAN. Then voice data flows can be transmitted in thevoice VLAN. By configuring a voice VLAN, you can set quality of service (QoS) parametersfor the voice data flows to increase the priority of the voice service and improve the call quality.

Figure 4-1 Networking diagram of the voice VLAN

Device

HSI VoIP IPTV

4.2 Voice VLAN Features Supported by the DeviceThis section describes the voice VLAN features supported by the device.

Voice Data Flow Identification

After being enabled with the voice VLAN function, a device determines voice data based onsource MAC addresses of received frames, and automatically applies priority rules to ensurehigh priorities and good qualities of voice data. This simplifies user configuration and facilitatesmanagement on voice data.

Mode for Adding an Interface to the Voice VLAN

You can use either of the following modes to add an interface to the voice VLAN according tothe data flows on the interface:



88

l Auto modeIn auto mode, the system adds an interface connected to a voice device to the voice VLANif the source MAC address of packets sent from the voice device matches the OUI. Theinterface is automatically deleted from the voice VLAN if the interface does not receiveany voice data packets from the voice device within the aging time.

l Manual modeIn manual mode, the interface connected to a voice device can forward voice data packetsonly after the interface is added to the voice VLAN manually.

4.3 Default ConfigurationThis section describes default voice VLAN settings that can be changed in practical applications.


Voice VLAN function Disabled

Mode in which an interface isadded to the voice VLAN

Auto mode

802.1p priority of the voiceVLAN

6

DSCP priority of the voiceVLAN

46

Working mode of the voiceVLAN

Security mode

Compatibility with non-Huaweivoice devices

Disabled

4.4 Configuring an Automatic Voice VLANThis section describes how to set the mode in which interfaces are added to a voice VLAN toauto.

Pre-configuration TasksBefore configuring an automatic voice VLAN, complete the following tasks:

l Creating related VLANsl Setting the type of interfaces to be added to the voice VLAN to trunk or hybrid

4.4.1 Configuring an OUI for a Voice VLAN

ContextAn Organizationally Unique Identifier (OUI) is the first 24 bits of a MAC address, and is aunique identifier assigned to a device vendor.



89

An OUI represents a MAC address segment that is obtained by performing the AND operationbetween a 48-bit MAC address and a mask. If the first 24 bits of the MAC address of a deviceare the same as an OUI, a voice VLAN-enabled port considers the device as a voice device anddata from the device as voice data.

Procedure



Step 2 Run:voice-vlan mac-address mac-address mask oui-mask [ description text ]

An OUI is configured.

When configuring an OUI for a voice VLAN, note the following:

l The mac-address value cannot be all 0s or a multicast or broadcast address.

l The S2700 can be configured with a maximum of 16 OUIs. When the device is configuredwith 16 OUIs, subsequent configurations will not take effect.The S3700 can be configuredwith a maximum of 100 OUIs. When the device is configured with 100 OUIs, subsequentconfigurations will not take effect.

l When using the undo voice-vlan mac-address mac-address command todelete an OUI, specify the mac-address value in this command as the result of the ANDoperation by using the configured MAC address and mask.

----End

4.4.2 Enabling the Voice VLAN Function

Context

When source MAC addresses of packets match the OUI of a voice VLAN, the device enabledwith voice VLAN identifies voice data packets based on the source MAC addresses and changesthe priority of voice data packets to improve the voice data transmission quality.

Procedure





Step 3 Run:voice-vlan vlan-id enable

A voice VLAN is configured and the voice VLAN function is enabled on the port.



90

By default, the voice VLAN function is disabled on a port.

NOTE

l VLAN 1 cannot be configured as a voice VLAN.

l The voice VLAN and default VLAN on a port must be assigned different VLAN IDs to ensure thatevery function works properly.

l Only one VLAN on a port can be configured as a voice VLAN at a time.

l Before deleting a voice VLAN, run the undo voice-vlan enable command to disable the voiceVLAN function.

l The port enabled with the voice VLAN function cannot be configured with VLAN mapping, VLANstacking, or traffic policies.

l You can not set the VLAN ID to 0 on an IP phone.

----End

4.4.3 Configuring the Auto Mode of Adding a Port to the VoiceVLAN

Procedure





Step 3 Run:voice-vlan mode auto

The mode in which ports are added to a voice VLAN is set to auto.

By default, ports are automatically added to a voice VLAN.

NOTE

In Access ports cannot be automatically added to a voice VLAN. To add a port of the access type to thevoice VLAN, run the port link-type command to change the port type to trunk or hybrid.

----End

4.4.4 (Optional) Configuring the Working Mode for a Voice VLAN

Context

Based on the data filtering mechanism, a voice VLAN works in either secure or normal mode.

l Security modeThe inbound interface enabled with the voice VLAN function allows only the voice packetswhose source MAC addresses match the OUI address of the voice VLAN. Non-voicepackets from the voice VLAN are discarded and packets from other VLANs are forwarded.



91

The security mode prevents a voice VLAN from being attacked by malicious data flows,but consumes system resources to check frames.

NOTE

The security mode takes effect only when the voice-vlan remark-mode mac-addresscommand is configured to increase the priority of voice packets based on MAC addresses.

l Ordinary mode

The inbound interface enabled with the voice VLAN function transmits both voice packetsand non-voice packets. In ordinary mode, the interface is vulnerable to attacks frommalicious data traffic.

NOTE

Transmitting voice and service data at the same time in a voice VLAN is not recommended. If a voiceVLAN must transmit both voice and service data, ensure that the voice VLAN works in ordinary mode.

Table 4-1 shows how to process frames in different voice VLAN working modes.

Table 4-1 Frame processing in different voice VLAN working modes

Voice VLANWorking Mode

Frame Processing Mode

Security mode If the source MAC address of a frame does not match the OUI, thepriority of the frame is not changed and the frame is prohibited fromforwarding in the voice VLAN.If the source MAC address of a frame matches the OUI, the priorityof the frame is changed and the frame is forwarded in the voiceVLAN.

Ordinary mode If the source MAC address of a frame does not match the OUI, thepriority of the frame is not changed and the frame is allowed to beforwarded in the voice VLAN.If the source MAC address of a frame matches the OUI, the priorityof the frame is changed and the frame is forwarded in the voiceVLAN.

Procedurel Security mode

1. Run the system-view command to enter the system view.

2. Run the interface interface-type interface-number command toenter the view of interface.

3. Run the voice-vlan security enable command to configure the voiceVLAN work in security mode.

By default, a voice VLAN works in security mode.

l Normal mode




92


3. Run the undo voice-vlan security enable command to configure thevoice VLAN work in normal mode.By default, a voice VLAN works in security mode.

----End

4.4.5 (Optional) Configuring an 802.1p Priority and a DSCP Valuefor the Voice VLAN

ContextBy default, the 802.1p priority and DSCP value for a voice VLAN are 6 and 46 respectively.Manual configuration of the 802.1p priority and DSCP value will allow you to plan prioritiesfor different voice services at will.

The 802.1p priority is indicated by the value in the 3-bit PRI field in each 802.1Q VLAN frame.This field determines the transmission priority for data packets when a switching device iscongested.

The DSCP value is indicated by the 6 bits in the Type of Service (ToS) field in the IPv4 packetheader. DSCP, as the signaling for DiffServ, is used for QoS guarantee on IP networks. Thetraffic controller on the network gateway takes actions merely based on the information carriedby the 6 bits.

Procedure



Step 2 Run:voice-vlan remark { 8021p 8021p-value | dscp dscp-value } *

An 802.1p priority and a DSCP value are configured for a voice VLAN.

By default, the 802.1p priority and DSCP value for a voice VLAN are 6 and 46 respectively.

----End

4.4.6 (Optional) Setting an Aging Timer for a Voice VLAN

ContextThe aging timer of a voice VLAN is effective only when ports are automatically added to thevoice VLAN.

If a voice VLAN-enabled port does not receive voice data from a voice device before the agingtimer expires, the port will be automatically deleted from the voice VLAN. If the port receivesvoice data from the voice device again, the port will be automatically added to the voice VLANand the aging timer will be reset.



93

Procedure



Step 2 Run:voice-vlan aging-time minutes

The aging timer is set for a voice VLAN.

The aging timer value ranges from 5 to 43200, in minutes. The default value is 1440 minutes.

----End

4.4.7 (Optional) Configuring a Port to Communicate with a VoiceDevice of Another Vendor

Context

The switch can encapsulate voice VLAN information into LLDPDUs and send them toconnected IP phones. However, IP phones of some vendors send CDP(Cisco Discovery Protocol)packets. You can run the voice-vlan legacy enable command to enable CDP-compatible LLDPso that the switch encapsulates voice VLAN information in CDP packets and sends them toconnected IP phones.

Procedure





Step 3 Run:voice-vlan legacy enable

The port is configured to communicate with a voice device of another vendor.

By default, ports on Huawei devices cannot communicate with voice devices of other vendors.

----End


Procedurel Run the display voice-vlan [ vlan-id ] status command to check information

about the voice VLAN, including the working mode, security mode, and the 802.1p priority



94

and DSCP value as well as the configuration of the port enabled with the voice VLANfunction.

l Run the display voice-vlan oui command to check information about the OUIof the voice VLAN, including the mask and description of the OUI.

----End

4.5 Configuring a Manual Voice VLANThis section describes how to set the mode in which interfaces are added to a voice VLAN tomanual.


Before configuring a manual voice VLAN, complete the following task:

l Creating related VLANs

4.5.1 Configuring an OUI for a Voice VLAN

Context

An Organizationally Unique Identifier (OUI) is the first 24 bits of a MAC address, and is aunique identifier assigned to a device vendor.

An OUI represents a MAC address segment that is obtained by performing the AND operationbetween a 48-bit MAC address and a mask. If the first 24 bits of the MAC address of a deviceare the same as an OUI, a voice VLAN-enabled port considers the device as a voice device anddata from the device as voice data.

Procedure



Step 2 Run:voice-vlan mac-address mac-address mask oui-mask [ description text ]

An OUI is configured.

When configuring an OUI for a voice VLAN, note the following:

l The mac-address value cannot be all 0s or a multicast or broadcast address.

l The S2700 can be configured with a maximum of 16 OUIs. When the device is configuredwith 16 OUIs, subsequent configurations will not take effect.The S3700 can be configuredwith a maximum of 100 OUIs. When the device is configured with 100 OUIs, subsequentconfigurations will not take effect.



95

l When using the undo voice-vlan mac-address mac-address command todelete an OUI, specify the mac-address value in this command as the result of the ANDoperation by using the configured MAC address and mask.

----End

4.5.2 Enabling the Voice VLAN Function

Context

When source MAC addresses of packets match the OUI of a voice VLAN, the device enabledwith voice VLAN identifies voice data packets based on the source MAC addresses and changesthe priority of voice data packets to improve the voice data transmission quality.

Procedure




The view of the interface is displayed.

Step 3 (Optional) Run:port link-type { trunk | hybrid }

The port type is configured.

By default, the link type of a port is hybrid.

Step 4 Run:voice-vlan vlan-id enable

A voice VLAN is configured and the voice VLAN function is enabled on the port.

By default, the voice VLAN function is disabled on a port.

NOTE

l VLAN 1 cannot be configured as a voice VLAN.

l The voice VLAN and default VLAN on a port must be assigned different VLAN IDs to ensure thatevery function works properly.

l Only one VLAN on a port can be configured as a voice VLAN at a time.

l Before deleting a voice VLAN, run the undo voice-vlan enable command to disable the voiceVLAN function.

l The port enabled with the voice VLAN function cannot be configured with VLAN mapping, VLANstacking, or traffic policies.

l You cannot set the VLAN ID to 0 on an IP phone.

----End



96

4.5.3 Configuring the Mode in Which Ports Are Added to a VoiceVLAN

Procedure





Step 3 Add ports to a voice VLAN.

l If access ports are connected to voice devices, run the port default vlan vlan-id command to manually add these ports to a voice VLAN.

l If trunk ports are connected to voice devices, run the port trunk allow-passvlan { { vlan-id1 [ to vlan-id2 ] } &<1-10> | all } command to manually addthese ports to a voice VLAN.

l If hybrid ports are connected to voice devices, do as follows as required:

– Run the port hybrid untagged vlan { { vlan-id1 [ to vlan-id2 ] }&<1-10> | all } command to manually add these ports to a voice VLAN in untaggedmode.

– Run the port hybrid tagged vlan { { vlan-id1 [ to vlan-id2 ] }&<1-10> | all } command to manually add these ports to a voice VLAN in taggedmode.

Step 4 Run:voice-vlan mode manual

The mode in which ports are added to a voice VLAN is set to manual.

By default, ports are automatically added to a voice VLAN.

----End

4.5.4 (Optional) Configuring the Working Mode for a Voice VLAN

Context

Based on the data filtering mechanism, a voice VLAN works in either secure or normal mode.

l Security mode

The inbound interface enabled with the voice VLAN function allows only the voice packetswhose source MAC addresses match the OUI address of the voice VLAN. Non-voicepackets from the voice VLAN are discarded and packets from other VLANs are forwarded.

The security mode prevents a voice VLAN from being attacked by malicious data flows,but consumes system resources to check frames.



97

NOTE

The security mode takes effect only when the voice-vlan remark-mode mac-addresscommand is configured to increase the priority of voice packets based on MAC addresses.

l Ordinary mode

The inbound interface enabled with the voice VLAN function transmits both voice packetsand non-voice packets. In ordinary mode, the interface is vulnerable to attacks frommalicious data traffic.

NOTE

Transmitting voice and service data at the same time in a voice VLAN is not recommended. If a voiceVLAN must transmit both voice and service data, ensure that the voice VLAN works in ordinary mode.

Table 4-2 shows how to process frames in different voice VLAN working modes.

Table 4-2 Frame processing in different voice VLAN working modes

Voice VLANWorking Mode

Frame Processing Mode

Security mode If the source MAC address of a frame does not match the OUI, thepriority of the frame is not changed and the frame is prohibited fromforwarding in the voice VLAN.If the source MAC address of a frame matches the OUI, the priorityof the frame is changed and the frame is forwarded in the voiceVLAN.

Ordinary mode If the source MAC address of a frame does not match the OUI, thepriority of the frame is not changed and the frame is allowed to beforwarded in the voice VLAN.If the source MAC address of a frame matches the OUI, the priorityof the frame is changed and the frame is forwarded in the voiceVLAN.

Procedurel Security mode



3. Run the voice-vlan security enable command to configure the voiceVLAN work in security mode.


l Normal mode





98

3. Run the undo voice-vlan security enable command to configure thevoice VLAN work in normal mode.


----End

4.5.5 (Optional) Configuring an 802.1p Priority and a DSCP Valuefor the Voice VLAN

Context

By default, the 802.1p priority and DSCP value for a voice VLAN are 6 and 46 respectively.Manual configuration of the 802.1p priority and DSCP value will allow you to plan prioritiesfor different voice services at will.

The 802.1p priority is indicated by the value in the 3-bit PRI field in each 802.1Q VLAN frame.This field determines the transmission priority for data packets when a switching device iscongested.

The DSCP value is indicated by the 6 bits in the Type of Service (ToS) field in the IPv4 packetheader. DSCP, as the signaling for DiffServ, is used for QoS guarantee on IP networks. Thetraffic controller on the network gateway takes actions merely based on the information carriedby the 6 bits.

Procedure



Step 2 Run:voice-vlan remark { 8021p 8021p-value | dscp dscp-value } *

An 802.1p priority and a DSCP value are configured for a voice VLAN.

By default, the 802.1p priority and DSCP value for a voice VLAN are 6 and 46 respectively.

----End

4.5.6 (Optional) Configuring a Port to Communicate with a VoiceDevice of Another Vendor

Context

The switch can encapsulate voice VLAN information into LLDPDUs and send them toconnected IP phones. However, IP phones of some vendors send CDP(Cisco Discovery Protocol)packets. You can run the voice-vlan legacy enable command to enable CDP-compatible LLDPso that the switch encapsulates voice VLAN information in CDP packets and sends them toconnected IP phones.



99

Procedure





Step 3 Run:voice-vlan legacy enable

The port is configured to communicate with a voice device of another vendor.

By default, ports on Huawei devices cannot communicate with voice devices of other vendors.

----End


Procedurel Run the display voice-vlan [ vlan-id ] status command to check information

about the voice VLAN, including the working mode, security mode, and the 802.1p priorityand DSCP value as well as the configuration of the port enabled with the voice VLANfunction.

l Run the display voice-vlan oui command to check information about the OUIof the voice VLAN, including the mask and description of the OUI.

----End

4.6 Configuration ExamplesThis section provides configuration examples for voice VLAN.

4.6.1 Example for Configuring a Voice VLAN in Auto Mode

Networking RequirementsAs shown in Figure 4-2, data flows of the HSI, VoIP, and IPTV services are transmitted on thenetwork. Users require high quality of the VoIP service. Therefore, voice data flows must betransmitted with a high priority. Voice packets are transmitted in VLAN 2, and other packetsare transmitted in VLAN 6. IP phones can obtain voice VLAN information through LLDP.



100

Figure 4-2 Configuring a voice VLAN in auto mode

Switch

Internet

DHCP Server

HSI VoIP IPTV

Eth0/0/1

HG



1. Create VLANs and VLANIF interfaces on Switch and configure interfaces so that userscan access the WAN.

2. Configure a voice VLAN and set the mode in which interfaces are added to the voice VLANto auto so that voice data packets are transmitted in the voice VLAN with a high priority.

Procedure

Step 1 Create VLANs and configure the interface on the Switch.

# Create VLAN 2 and VLAN 6.


# Enable LLDP.

[Quidway] lldp enable

# Configure the link type and default VLAN of the interface.

[Quidway] interface ethernet 0/0/1[Quidway-Ethernet0/0/1] port hybrid pvid vlan 6[Quidway-Ethernet0/0/1] port hybrid untagged vlan 6[Quidway-Ethernet0/0/1] quit

Step 2 Configure the voice VLAN on the Switch.

# Configure the voice VLAN on the interface.



101

[Quidway] interface ethernet 0/0/1[Quidway-Ethernet0/0/1] voice-vlan 2 enable

# Set the voice VLAN mode to auto so that the interface can be automatically added to or deletedfrom the voice VLAN.

[Quidway-Ethernet0/0/1] voice-vlan mode auto[Quidway-Ethernet0/0/1] quit

# Set the OUI of the voice VLAN.

[Quidway] voice-vlan mac-address 0011-2200-0000 mask ffff-ff00-0000

# Set the working mode of the voice VLAN.

[Quidway] interface ethernet 0/0/1[Quidway-Ethernet0/0/1] voice-vlan security enable


Run the display voice-vlan oui command to check the OUI of the voice VLAN.

<Quidway> display voice-vlan oui---------------------------------------------------OuiAddress Mask Description---------------------------------------------------0011-2200-0000 ffff-ff00-0000

Run the display voice-vlan 2 status command to check the voice VLAN mode, voice securitymode, and voice VLAN aging time.

<Quidway> display voice-vlan 2 statusVoice VLAN Configurations:---------------------------------------------------Voice VLAN ID : 2Voice VLAN status : EnableVoice VLAN aging time : 1440(minutes)Voice VLAN 8021p remark : 6Voice VLAN dscp remark : 46----------------------------------------------------------Port Information:-----------------------------------------------------------Port Add-Mode Security-Mode Legacy-----------------------------------------------------------Ethernet0/0/1 Auto Security Disable

----End

Configuration Files


#sysname Quidway# vlan batch 2 6# lldp enable# voice-vlan mac-address 0011-2200-0000 mask ffff-ff00-0000#interface Ethernet0/0/1 voice-vlan 2 enable port hybrid pvid vlan 6 port hybrid untagged vlan 6



102

#return

4.6.2 Example for Configuring a Voice VLAN in Manual Mode


As shown in Figure 4-3, data flows of the HSI, VoIP, and IPTV services are transmitted on thenetwork. Users require high quality of the VoIP service. Therefore, voice data flows must betransmitted with a high priority. Voice packets are transmitted in VLAN 2, and other packetsare transmitted in VLAN 6. IP phones can obtain voice VLAN information through LLDP.

Figure 4-3 Configuring a voice VLAN in manual mode

Switch

Internet

DHCP Server

HSI VoIP IPTV

Eth0/0/1

HG



1. Create VLANs and VLANIF interfaces on Switch and configure interfaces so that userscan access the WAN.

2. Configure a voice VLAN and set the mode in which interfaces are added to the voice VLANto manual so that voice data packets are transmitted in the voice VLAN with a high priority.

Procedure

Step 1 Create VLANs and configure the interface on the Switch.





103

# Enable LLDP.

[Quidway] lldp enable

# Configure the link type and default VLAN of the interface.

[Quidway] interface ethernet 0/0/1[Quidway-Ethernet0/0/1] port hybrid pvid vlan 6[Quidway-Ethernet0/0/1] port hybrid untagged vlan 6[Quidway-Ethernet0/0/1] quit

Step 2 Configure the voice VLAN on the Switch.

# Configure the voice VLAN on the interface.

[Quidway] interface ethernet 0/0/1[Quidway-Ethernet0/0/1] voice-vlan 2 enable

# Set the voice VLAN mode to manual and add the interface to the voice VLAN.

[Quidway-Ethernet0/0/1] voice-vlan mode manual[Quidway-Ethernet0/0/1] port hybrid tagged vlan 2[Quidway-Ethernet0/0/1] quit

# Set the OUI of the voice VLAN.

[Quidway] voice-vlan mac-address 0011-2200-0000 mask ffff-ff00-0000

# Set the working mode of the voice VLAN.

[Quidway] interface ethernet 0/0/1[Quidway-Ethernet0/0/1] voice-vlan security enable


Run the display voice-vlan oui command to check the OUI of the voice VLAN.

<Quidway> display voice-vlan oui---------------------------------------------------OuiAddress Mask Description---------------------------------------------------0011-2200-0000 ffff-ff00-0000

Run the display voice-vlan 2 status command to check the voice VLAN mode, voice securitymode, and voice VLAN aging time.

<Quidway> display voice-vlan 2 statusVoice VLAN Configurations:---------------------------------------------------Voice VLAN ID : 2Voice VLAN status : EnableVoice VLAN aging time : 1440(minutes)Voice VLAN 8021p remark : 6Voice VLAN dscp remark : 46----------------------------------------------------------Port Information:-----------------------------------------------------------Port Add-Mode Security-Mode Legacy-----------------------------------------------------------Ethernet0/0/1 Manual Security Disable

----End




104

#sysname Quidway# vlan batch 2 6# lldp enable# voice-vlan mac-address 0011-2200-0000 mask ffff-ff00-0000#interface Ethernet0/0/1 voice-vlan 2 enable voice-vlan mode manual port hybrid pvid vlan 6 port hybrid tagged vlan 2 port hybrid untagged vlan 6#return



105

5 QinQ Configuration

About This Chapter

This chapter describes the concepts and configuration procedure of 802.1Q-in-802.1Q (QinQ),and provides configuration examples.

NOTE

The S2700SI and S2710SI do not support QinQ.

5.1 QinQ OverviewThe QinQ technology improves the utilization of VLANs by adding another 802.1Q tag to apacket with an 802.1Q tag. In this manner, services from the private VLAN can be transparentlytransmitted through the public network.

5.2 QinQ Features Supported by the DeviceQinQ plays an important role in solutions due to its simplicity and flexibility.

5.3 Configuring Basic QinQAfter basic QinQ is configured, the device adds a public VLAN tag to an incoming packet sothat the user packet can be forwarded on the public network.

5.4 Configuring Selective QinQAfter a Layer 2 interface is configured with selective QinQ, the interface adds a public VLANtag to the user packet that carries a private VLAN tag so that the user packet can be forwardedon the public network.

5.5 Configuring the TPID Value for an Outer VLAN TagTo ensure that devices from different vendors can communicate with each other, set the TPIDvalue of an outer VLAN tag.

5.6 Configuring QinQ Stacking on a VLANIF InterfaceTo log in to a remote device to manage it, configure QinQ stacking on the VLANIF interfacecorresponding to the management VLAN on the remote device.

5.7 Configuration ExamplesThis section provides several configuration examples of QinQ.

S2700&S3700 Series Ethernet SwitchesConfiguration Guide - Ethernet 5 QinQ Configuration


106

5.1 QinQ OverviewThe QinQ technology improves the utilization of VLANs by adding another 802.1Q tag to apacket with an 802.1Q tag. In this manner, services from the private VLAN can be transparentlytransmitted through the public network.

In intercommunication between Layer 2 LANs on the basis of the traditional IEEE 802.1Qprotocol, when two user networks access each other through an ISP, the ISP must assign VLANIDs to users of different VLANs, as shown in Figure 5-1. Suppose User Network1 and UserNetwork2 access the backbone network through PE1 and PE2 of an ISP.

To connect VLAN 100 - VLAN 200 on User Network1 to VLAN 100 - VLAN 200 on UserNetwork2, you must change the attribute of the interfaces of CE1, PE1, and P that connect PE2and CE2 to the trunk and allow packets of VLAN 100 - VLAN 200 to pass.

This configuration makes user's VLANs visible on the backbone network. In this case, the VLANID resources (4094 VLAN IDs) of an ISP are wasted. In addition, the ISP has to manage userVLAN IDs. If the network structure is too solid, a change of the ISP or customer network planwill affect the entire network, causing low network flexibility.

Figure 5-1 Intercommunication between Layer 2 LANs based on the traditional IEEE 802.1Qprotocol

PE1

P

PE2

CE2

UserNetwork2

TrunkVLAN100~200CE1

UserNetwork1

Trunk

VLAN100~200

Trunk

VLAN100~200

Trunk

VLAN10

0~20

0

ISPNetwork

QinQ technology encapsulates a packet that carries an 802.1Q tag in another 802.1Q tag. Packetsthat are forwarded over the backbone network carry two 802.1Q tags, one for the public networkand the other for the private network. The ISP network only provides one VLAN ID for differentVLANs from the same user network. This saves VLAN IDs of an ISP. In addition, private VLANtags can be transparently transmitted on the public network. QinQ offers a simple Layer 2 VPNsolution for small-scale MANs or LANs.

QinQ has the following features:



107

l Private networks are effectively segregated from the public network.l ISP's VLAN IDs are saved to the maximum.

QinQ technology has been widely used on ISPs' networks because of its easy application. TheQinQ technology can be applied to multiple services in a metropolitan area Ethernet solution.The emergence of selective QinQ enables QinQ services to widely spread among ISPs.

5.2 QinQ Features Supported by the DeviceQinQ plays an important role in solutions due to its simplicity and flexibility.

Basic QinQBasic QinQ, also called QinQ Layer 2 tunneling, is implemented based on interfaces. Basic QinQenables the device to add the default VLAN tag of an interface to a received packet. Afterencapsulation, the received tagged packet has double VLAN tags or the received untagged packethas the default VLAN tag of the interface.

Selective QinQSelective QinQ is implemented based on interfaces and VLAN IDs. In addition to functions ofbasic QinQ, selective QinQ has the following functions:l VLAN ID-based selective QinQ: adds different outer VLAN tags based on different VLAN

IDs.

NOTE

Only the S3700 supports Selective QinQ.

TPID Value in an Outer VLAN TagFigure 5-2 shows the IEEE 802.1Q Ethernet frame format. The Tag Protocol Identifier (TPID)in a VLAN tag specifies the protocol type of the tag. The TPID value is 0x8100 defined in IEEE802.1Q.

Figure 5-2 802.1Q Encapsulation

DA6 Bytes

802.1 Q Encapsulation

TPID 2 Bytes TCI 2 Bytes

0X8100 Priority CFI VLAN ID

3bits 1bit 12bits

SA6 Bytes

802.1Q Header4 Bytes

Length/Type2 Bytes

Data46 Bytes~1500 Bytes

FCS4 Bytes

Devices of different vendors may set the TPID field in a QinQ packet's outer VLAN tag todifferent values. To communicate with devices of other vendors, the device supports



108

modification of the TPID value. You can set the TPID value in outer VLAN tags to be the sameas the TPID value used by devices of other vendors so that the device can communicate withthese devices.

To avoid faults when packets are forwarded and processed on the network, the TPID value cannotbe one of values in the table.

Table 5-1 Description of protocol types and values

Protocol Type Value

ARP 0x0806

RARP 0x8035

IP 0x0800

IPv6 0x86DD

PPPoE 0x8863/0x8864

MPLS 0x8847/0x8848

IPX/SPX 0x8137

LACP 0x8809

802.1x 0x888E

HGMP 0x88A7

Reserved 0xFFFD/0xFFFE/0xFFFF

Sub-interface for VLAN Tag TerminationA sub-interface for VLAN tag termination identifies one tag or double tags of packets and thenstrips one tag or double tags or sends the packets according to the subsequent forwarding action.

l The sub-interface that terminates a single tag is called a sub-interface for dot1q VLAN tagtermination.

l The sub-interface that terminates double tags is called a sub-interface for QinQ VLAN tagtermination.

The implementation and functions of sub-interfaces for VLAN tag termination are relevant totheir usage scenarios. Table 5-2 shows services supported by sub-interfaces for Dot1qtermination and QinQ termination.



109

Table 5-2 Services supported by sub-interfaces for VLAN tag termination

Sub-interfaceType

SupportedService

ServiceSub-type

Description

Sub-interfaceforQinQ/Dot1qVLAN tagtermination

VPNservice

VLL l The access of a sub-interface for VLAN tag terminationto a VLL network means that the sub-interface for VLANtag termination is configured with VLL functions.

Sub-interfaceforQinQVLAN tagtermination

802.1pandDSCPRemark

- After a user packet is terminated, it is sent to the ISP IPnetwork. To retain original QoS information in the packet,configure the mapping from 802.1p priorities in outer andinner tags to DSCP priorities.

802.1pandEXP(MPLS)priorityre-marking

- After a user packet is terminated, it is sent to the ISP MPLSnetwork. To retain original QoS information in the packet,configure the mapping from 802.1p priorities in outer andinner tags to EXP priorities.

Access to L2VPN Through the Sub-interface for QinQ Stackingl Access to a PWE3/VLL Network Through the Sub-interface for QinQ stacking

VLL is a point-to-point L2VPN, which is not supported by the VLANIF interface. In thiscase, users can access the L2VPN only through a main interface. However, a physicalinterface is unable to access multiple users to the L2VPN at the same time. To solve theproblem, you can configure the VLAN-based QinQ function at different sub-interfaces. Inthis scenario, CE-VLANs on both sides must be symmetrical.

5.3 Configuring Basic QinQAfter basic QinQ is configured, the device adds a public VLAN tag to an incoming packet sothat the user packet can be forwarded on the public network.



110

Background Information

To separate private networks from the public network and save VLAN resources, configuredouble 802.1Q tags on QinQ interfaces of the device. Private VLAN tags are used on privatenetworks such as enterprise networks, and public VLAN tags are used on external networks suchas ISP networks. QinQ expands the VLAN space to 4094x4094 and allows packets on differentprivate networks with same VLAN IDs to be transparently transmitted.

Procedure




The outer VLAN is created.

Step 3 Run:quit




Step 5 Run:port link-type dot1q-tunnel

The link type of the interface is set to dot1q-tunnel.

By default, the link type of an interface is Hybrid.

Dot1q-tunnel interfaces do not support Layer 2 multicast.

Step 6 Run:port default vlan vlan-id

The VLAN ID (default VLAN) in the outer VLAN tag is specified.

By default, all ports are added to VLAN 1.

----End

Checking the Configurationl Run the display current-configuration interface interface-type

interface-number command to check the QinQ configuration on the interface.



111

5.4 Configuring Selective QinQAfter a Layer 2 interface is configured with selective QinQ, the interface adds a public VLANtag to the user packet that carries a private VLAN tag so that the user packet can be forwardedon the public network.

ContextAfter VLAN ID-based selective QinQ is configured on an interface, outer VLAN tags are addedto packets based on VLAN IDs.

NOTE

l Selective QinQ can only be enabled on hybrid interfaces and applied to incoming packets.

l The outer VLAN ID must exist and the interface must be added to the outer VLAN in untagged mode.

l An interface learns the MAC address from the outer VLAN tag of a QinQ packet.

NOTE


Procedure





Step 3 Run:port link-type hybrid

The link type of the interface is set to hybrid.

By default, the link type of an interface is hybrid.

Step 4 Run:port hybrid untagged vlan vlan-id

The interface is added to the VLAN in untagged mode.

You must specify an existing VLAN ID on the device in this command. You do not need tocreate the VLANs specified by the original VLAN tags of received packets.



Step 6 Run:port vlan-stacking vlan vlan-id1 [ to vlan-id2 ] stack-vlan vlan-id3 [ remark-8021p 8021p-value ]

Selective QinQ is configured.



112

By default, the priority in the stacked outer VLAN tag is the same as the priority in the innerVLAN tag.

----End

Checking the Configurationl Run the display current-configuration interface interface-type

interface-number command to display the selective QinQ configuration on theinterface.

5.5 Configuring the TPID Value for an Outer VLAN TagTo ensure that devices from different vendors can communicate with each other, set the TPIDvalue of an outer VLAN tag.

Context

Devices from different vendors or different network plans may use different values for TPIDfields in outer VLAN tags of QinQ packets. To be compatible with an existing network plan,the AR router supports configuration of the TPID value. You can set the TPID value on the ARrouter to be the same as the TPID value in the network plan so that the AR router can becompatible on the existing network.

NOTE

l To implement the connectivity between the devices of different vendors, ensure that the protocol typein the outer VLAN tag can be identified by the peer device.

l The qinq protocol command identifies incoming packets, and adds or changes the TPID valueof outgoing packets.

l The protocol IDs set by the qinq protocol command cannot be the same as well-known protocolIDs. Otherwise, the interface cannot distinguish packets of these protocols. For example, protocol-id cannot be set to 0x0806, which is the ARP protocol ID.

Procedure





Step 3 Run:qinq protocol protocol-id

The protocol type in the outer VLAN tag is set.

The qinq protocol command is invalid on the interface of dot1q tunnel type.

By default, the TPID value in the outer VLAN tag is 0x8100.



113

NOTE

Only the S2700-52P-EI, S2700-52P-PWR-EI, and S2710SI support this command.

----End

5.6 Configuring QinQ Stacking on a VLANIF InterfaceTo log in to a remote device to manage it, configure QinQ stacking on the VLANIF interfacecorresponding to the management VLAN on the remote device.

Background Information

As shown in Figure 5-3, SwitchA is connected to SwitchB through a third-party network. Themanagement VLAN on SwitchB is the same as the VLAN for users connected to SwitchA. TheVLAN ID provided by the carrier, however, is different from the management VLAN ID.

Figure 5-3 Networking for QinQ stacking on a VLANIF interface

Internet

SwitchA

SwitchB

user1

user2

VLAN 10

IP10

IP1020

Management VLAN 10Interface VLANIF 10

To log in to SwitchB to manage it from SwitchA, you can configure QinQ stacking on theVLANIF interface corresponding to the management VLAN on SwitchB.

After QinQ stacking is configured, data packets are processed as follows:

l Packets sent from SwitchA to SwitchB

The user-side interface of SwitchA, which is configured with QinQ, sends double-taggedpackets to the ISP network. The outer VLAN tag is assigned by the carrier so that the packetscan be transparently transmitted over the ISP network to SwitchB.

When SwitchB receives double-tagged packets, it compares the VLAN tags of the packetswith the VLAN tags configured on the VLANIF interface. If the outer tag of the packetsis the same as the outer tag configured on the VLANIF interface, SwitchB removes theouter tag and sends the packets to the IP layer for processing.

l Packets sent from SwitchB to SwitchA



114

When the VLANIF interface of SwitchB receives data packets, SwitchB adds a VLAN tagto the packets according to the QinQ stacking configuration. The new outer VLAN tag isassigned by the carrier so that the double-tagged data packets can be transparentlytransmitted to SwitchA across the ISP network. SwitchA removes the outer VLAN tag ofthe packets and forwards the packets to users.


Before configuring QinQ stacking on a VLANIF interface, complete the following tasks:

l Creating VLANs

l Configuring the management VLAN

Procedure




The VLANIF interface corresponding to the management VLAN is created.

Before running this command, ensure that the management VLAN exists.

Step 3 Run:qinq stacking vlan vlan-id

QinQ stacking is configured on the VLANIF interface.

NOTE

l When configuring QinQ stacking on a VLANIF interface, ensure that the VLANIF interfacecorresponds to the management VLAN. VLANIF interfaces corresponding to other VLANs do notsupport QinQ stacking.

l To change the configured outer VLAN tag, run the undo qinq stacking vlan command todisable QinQ stacking, and then run the qinq stacking vlan command to configure a new outerVLAN tag.

l The qinq stacking vlan command conflicts with the icmp host-unreachable sendcommand. Therefore, you must run the undo icmp host-unreachable send command beforeusing the qinq stacking vlan command.

----End

Follow-up Procedurel Run the display vlan [ vlan-id [ verbose ] ] command to check the management

VLAN.

l Run the display this command in the VLANIF interface view to check the QinQstacking configuration.



115

5.7 Configuration ExamplesThis section provides several configuration examples of QinQ.

5.7.1 Example for Configuring basic QinQ

Networking RequirementsAs shown in Figure 5-4, there are two enterprises on the network, Enterprise 1 and Enterprise2. Enterprise 1 has two office locations, and Enterprise 2 has 2 office locations. The officelocations of the two enterprises access SwitchA and SwitchB of the ISP network. A non-Huaweidevice with the TPID value 0x9100 exists on the public network.

The requirements are as follows:l Enterprise 1 and Enterprise 2 plans their VLANs independently.l Traffic of the two branches is transparently transmitted on the public network. Users using

the same services in the two branches are allowed to communicate and users using differentservices are isolated.

You can configure QinQ to meet the preceding requirements. VLAN 100 provided by the publicnetwork can be used to implement communication of Enterprise 1 in the two branches and VLAN200 is used for Enterprise 2. You can set the TPID value in the outer VLAN on the interface thatconnects the non-Huawei device to implement communication between devices.

Figure 5-4 Configuring basic QinQ

VLAN 10 to 50 VLAN 20 to 60Enterprise 2

ISP

VLAN 100,200TPID=0x9100

Switch A Switch B

Eth0/0/3 Eth0/0/3

Eth0/0/2Eth0/0/1 Eth0/0/1

Enterprise 1VLAN 10 to 50 VLAN 20 to 60

Enterprise 2

Eth0/0/2

Enterprise 1



116



1. Configure VLAN 100 and VLAN 200 on both SwitchA and SwitchB. Set the link type ofthe interface to QinQ and add the interfaces to VLAN. In this way, different outer VLANtags are added to different services.

2. Add interfaces connecting to the public network on SwitchA and SwitchB to VLAN 100and VLAN 200 to permit packets from these VLANs to pass through.

3. Set the TPID values in the outer VLAN tag on interfaces connecting to the public networkon SwitchA and SwitchB to implement communication between the device with devicesfrom other vendors.

Procedure


# Create VLAN 100 and VLAN 200 on SwitchA.

<Quidway> system-view [Quidway] sysname SwitchA [SwitchA] vlan batch 100 200

# Create VLAN 100 and VLAN 200 on SwitchB.

<Quidway> system-view [Quidway] sysname SwitchB [SwitchB] vlan batch 100 200

Step 2 Set the link type of the interface to QinQ.

# Configure Eth0/0/1 and Eth0/0/2 of SwitchA as QinQ interfaces. Set the VLAN of Eth0/0/1to VLAN 100 and the VLAN of Eth0/0/2 to VLAN 200.

[SwitchA] interface ethernet 0/0/1 [SwitchA-Ethernet0/0/1] port link-type dot1q-tunnel [SwitchA-Ethernet0/0/1] port default vlan 100 [SwitchA-Ethernet0/0/1] quit [SwitchA] interface ethernet 0/0/2[SwitchA-Ethernet0/0/2] port link-type dot1q-tunnel[SwitchA-Ethernet0/0/2] port default vlan 200 [SwitchA-Ethernet0/0/2] quit

# Configure Eth0/0/1 and Eth0/0/2 of SwitchB as QinQ interfaces. Set the VLAN of Eth0/0/1to VLAN 100 and the VLAN of Eth0/0/2 to VLAN 200. The configuration procedure of SwitchBis the same as that of SwitchA.

Step 3 Configure the interface connecting to the public network on the switch.

# Add Eth0/0/3 of SwitchA to VLAN 100 and VLAN 200.

[SwitchA] interface ethernet 0/0/3 [SwitchA-Ethernet0/0/3] port link-type trunk [SwitchA-Ethernet0/0/3] port trunk allow-pass vlan 100 200 [SwitchA-Ethernet0/0/3] quit

# Add Eth0/0/3 of SwitchB to VLAN 100 and VLAN 200. The configuration procedure ofSwitchB is the same as that of SwitchA.

Step 4 Configure the TPID value for an outer VLAN tag



117

# Set the TPID value of an outer VLAN tag to 0x9100 on SwitchA.

[SwitchA] interface ethernet 0/0/3[SwitchA-Ethernet0/0/3] qinq protocol 9100

# Set the TPID value of an outer VLAN tag to 0x9100 on SwitchB.

[SwitchB] interface ethernet 0/0/3 [SwitchB-Ethernet0/0/3] qinq protocol 9100


In Enterprise 1, ping a PC of a VLAN in a branch from a PC of the same VLAN in anotherbranch. If the two PCs can ping each other, internal users of Enterprise 1 can communicate.

In Enterprise 2, ping a PC of a VLAN in a branch from a PC of the same VLAN in anotherbranch. If the two PCs can ping each other, internal users of Enterprise 2 can communicate.

Ping a PC in a VLAN of Enterprise 2 in a branch from a PC in the same VLAN of Enterprise 1in either branch. If the two PCs cannot ping each other, users in Enterprise 1 and Enterprise 2are isolated.

----End

Configuration FilesConfiguration file of SwitchA

#sysname SwitchA #vlan batch 100 200 #interface Ethernet0/0/1 port link-type dot1q-tunnel port default vlan 100 #interface Ethernet0/0/2 port link-type dot1q-tunnel port default vlan 200 #interface Ethernet0/0/3 qinq protocol 9100 port link-type trunk port trunk allow-pass vlan 100 200# return

Configuration file of SwitchB

# sysname SwitchB # vlan batch 100 200# interface Ethernet0/0/1 port link-type dot1q-tunnel port default vlan 100 # interface Ethernet0/0/2 port link-type dot1q-tunnel port default vlan 200 #



118

interface Ethernet0/0/3 qinq protocol 9100 port link-type trunk port trunk allow-pass vlan 100 200 # return

5.7.2 Example for Configuring Selective QinQ

Networking RequirementsAs shown in Figure 5-5, Internet access users (using PCs) and VoIP users (using VoIP terminals)connect to the ISP network through SwitchA and SwitchB and communicate with each otherthrough the ISP network.

It is required that packets of PCs and VoIP terminals be tagged VLAN 2 and VLAN 3 when thepackets are transmitted through the ISP network.

NOTE


Figure 5-5 Networking diagram for configuring selective QinQ

PC PCVoIP VoIP

NetworkEth0/0/2 Eth0/0/2

Eth0/0/1 Eth0/0/1

SwitchA SwitchB


1. Create VLANs on SwitchA and SwitchB.2. Configure link types of interfaces on SwitchA and SwitchB and add interfaces to VLANs.3. Configure selective QinQ on the interfaces of SwitchA and SwitchB.

Procedure


# On SwitchA, create VLAN 2 and VLAN 3, that is, VLAN IDs of the outer VLAN tag to beadded.



119

<Quidway> system-view[Quidway] sysname SwitchA[SwitchA] vlan batch 2 3

# On SwitchB, create VLAN 2 and VLAN 3, that is, VLAN IDs of the outer VLAN tag to beadded.

<Quidway> system-view[Quidway] sysname SwitchB[SwitchB] vlan batch 2 3

Step 2 Configure selective QinQ on interfaces.

# Configure Eth0/0/1 on SwitchA.

[SwitchA] interface ethernet 0/0/1[SwitchA-Ethernet0/0/1] port link-type hybrid[SwitchA-Ethernet0/0/1] port hybrid untagged vlan 2 3[SwitchA-Ethernet0/0/1] qinq vlan-translation enable[SwitchA-Ethernet0/0/1] port vlan-stacking vlan 100 stack-vlan 2[SwitchA-Ethernet0/0/1] port vlan-stacking vlan 300 stack-vlan 3[SwitchA-Ethernet0/0/1] quit

# Configure Eth0/0/1 on SwitchB.

[SwitchB] interface ethernet 0/0/1[SwitchB-Ethernet0/0/1] port link-type hybrid[SwitchB-Ethernet0/0/1] port hybrid untagged vlan 2 3[SwitchB-Ethernet0/0/1] qinq vlan-translation enable[SwitchB-Ethernet0/0/1] port vlan-stacking vlan 100 stack-vlan 2[SwitchB-Ethernet0/0/1] port vlan-stacking vlan 300 stack-vlan 3[SwitchB-Ethernet0/0/1] quit

Step 3 Configure other interfaces.

# Add Eth0/0/2 to VLAN 2 and VLAN 3 on SwitchA.

[SwitchA] interface ethernet 0/0/2[SwitchA-Ethernet0/0/2] port link-type trunk[SwitchA-Ethernet0/0/2] port trunk allow-pass vlan 2 3[SwitchA-Ethernet0/0/2] quit

# Add Eth0/0/2 to VLAN 2 and VLAN 3 on SwitchB.

[SwitchB] interface ethernet 0/0/2[SwitchB-Ethernet0/0/2] port link-type trunk[SwitchB-Ethernet0/0/2] port trunk allow-pass vlan 2 3[SwitchB-Ethernet0/0/2] quit


If the configurations on SwitchA and SwitchB are correct:

l PCs can communicate with each other through the ISP network.l VoIP terminals can communicate with each other through the ISP network.

----End

Configuration Filesl Configuration file of SwitchA# sysname SwitchA# vlan batch 2 to 3



120

#interface Ethernet0/0/1 qinq vlan-translation enable port hybrid untagged vlan 2 to 3 port vlan-stacking vlan 100 stack-vlan 2 port vlan-stacking vlan 300 stack-vlan 3#interface Ethernet0/0/2 port link-type trunk port trunk allow-pass vlan 2 to 3#return

l Configuration file of SwitchB# sysname SwitchB# vlan batch 2 to 3#interface Ethernet0/0/1 qinq vlan-translation enable port hybrid untagged vlan 2 to 3 port vlan-stacking vlan 100 stack-vlan 2 port vlan-stacking vlan 300 stack-vlan 3#interface Ethernet0/0/2 port link-type trunk port trunk allow-pass vlan 2 to 3#return

5.7.3 Example for Configuring Selective QinQ with VLANMapping

Networking RequirementsAs shown in Figure 5-6, the Internet access, IPTV, and VoIP services are provided for usersthrough home gateways.

The corridor switches allocate VLANs to the services as follows:

l VLANs for the Internet access service of different users: VLAN 1000 to VLAN 1100l Shared VLAN for the IPTV service: VLAN 1101l Shared VLAN for the VoIP service: VLAN 1102l Shared VLAN for home gateways: VLAN 1103

Each community switch is connected to 50 downstream corridor switches, and maps the VLANIDs in the Internet access service packets from the corridor switches to VLAN 101 to VLAN150.

The aggregate switch of the carrier is connected to 50 downstream community switches, andadds outer VLAN IDs 21 to 70 to the packets sent from the community switches.

NOTE




121

Figure 5-6 Networking diagram for configuring selective QinQ-VLAN mapping

……

…… ……

…… …… ……

Community switch

Corridor switch

Home gateway

SwitchAAggregate switch of carrier

SwitchB

Eth0/0/1

Eth0/0/1

Internet

Eth0/0/2

…………

ME60

…………


1. Create VLANs on SwitchA and SwitchB.2. Configure VLAN mapping on SwitchB and add Eth 0/0/1 and Eth 0/0/2 to the VLANs.3. Configure selective QinQ on SwitchA and add Eth 0/0/1 to VLANs.4. Add other downlink interfaces of SwitchA and SwitchB to the VLANs. The configurations

are similar to the configurations of their Eth 0/0/1 interfaces5. Configure other community switches. The configuration is similar to the configuration on

SwitchB.

Procedure

Step 1 Configure SwitchA.

# Create VLANs.

<Quidway> system-view[Quidway] sysname SwitchA[SwitchA] vlan batch 21 to 70 1101 to 1103


[SwitchA] interface ethernet 0/0/1[SwitchA-Ethernet0/0/1] port hybrid untagged vlan 21



122

[SwitchA-Ethernet0/0/1] port hybrid tagged vlan 1101 to 1103[SwitchA-Ethernet0/0/1] quit

# Configure selective QinQ on interfaces.

[SwitchA] interface ethernet 0/0/1[SwitchA-Ethernet0/0/1] qinq vlan-translation enable[SwitchA-Ethernet0/0/1] port vlan-stacking vlan 101 to 150 stack-vlan 21[SwitchA-Ethernet0/0/1] quit

Step 2 Configure SwitchB.

# Create VLANs.

<Quidway> system-view[Quidway] sysname SwitchB[SwitchB] vlan batch 101 to 150 1000 to 1103


[SwitchB] interface ethernet 0/0/1[SwitchB-Ethernet0/0/1] port hybrid tagged vlan 101 1000 to 1103[SwitchB-Ethernet0/0/1] quit[SwitchB] interface ethernet 0/0/2[SwitchB-Ethernet0/0/2] port hybrid tagged vlan 101 to 150 1101 to 1103[SwitchB-Ethernet0/0/2] quit

# Configure VLAN mapping on interfaces.

[SwitchB] interface ethernet 0/0/1[SwitchB-Ethernet0/0/1] qinq vlan-translation enable[SwitchB-Ethernet0/0/1] port vlan-mapping vlan 1000 to 1100 map-vlan 101[SwitchB-Ethernet0/0/1] quit


The Internet access service, IPTV service, and VoIP service can be used.

----End

Configuration FilesConfiguration file of Switch A

# sysname SwitchA# vlan batch 21 to 70 1101 to 1103#interface Ethernet0/0/1 qinq vlan-translation enable port hybrid tagged vlan 1101 to 1103 port hybrid untagged vlan 21 port vlan-stacking vlan 101 to 150 stack-vlan 21 #return

Configuration file of Switch B

# sysname SwitchB# vlan batch 101 to 150 1000 to 1103#interface Ethernet0/0/1 qinq vlan-translation enable



123

port hybrid tagged vlan 101 1000 to 1103 port vlan-mapping vlan 1000 to 1100 map-vlan 101#interface Ethernet0/0/2 port hybrid tagged vlan 101 to 150 1101 to 1103#return

5.7.4 Example for Configuring QinQ Stacking on a VLANIFInterface

Networking RequirementsThe management VLAN is deployed on the remote SwitchB and the VLAN ID of SwitchA isthe same as the management VLAN ID. However, the VLAN ID provided by the carrier isdifferent from the management VLAN ID. To remotely log in to the remote SwitchB on SwitchA,you can configure VLAN stacking according to this example. As shown in Figure 5-7, SwitchAis connected to the remote SwitchB through the third-party network. The management VLANis deployed on the remote SwitchB and the VLAN ID of SwitchA is the same as the managementVLAN ID. However, the VLAN ID provided by the carrier is different from the managementVLAN ID.

Figure 5-7 Networking diagram for configuring QinQ stacking on the VLANIF interface

Internet

SwitchA

SwitchB

Eth0/0/1

Eth0/0/2 Eth0/0/2

user1VLAN 10

IP10

IP1020

Eth0/0/1

Eth0/0/2

SwitchC

To remotely log in to the remote SwitchB for managing VLAN services on SwitchA, you canconfigure QinQ stacking on the VLANIF interface corresponding to the management VLAN onSwitchB.

NOTE

When configuring QinQ stacking on a VLANIF interface, ensure that the VLANIF interface correspondsto the management VLAN. VLANIF interfaces corresponding to other VLANs do not support QinQstacking.



124


1. Configure QinQ on SwitchA.2. Do as follows on the remote SwitchB:

a. Create VLAN 10 and configure VLAN 10 as the management VLAN.b. Create a VLANIF interface on VLAN 10.c. Configure QinQ stacking on the VLANIF interface.

Procedure

Step 1 Configure SwitchC.

# Allow packets from VLAN 10 to pass through Eth0/0/1 and Eth0/0/2.

<Quidway> system-view[Quidway] sysname SwitchC[SwitchC] vlan batch 10[SwitchC] interface ethernet 0/0/1[SwitchC-Ethernet0/0/1] port link-type hybrid[SwitchC-Ethernet0/0/1] port hybrid tagged vlan 10[SwitchC-Ethernet0/0/1] quit[SwitchC] interface ethernet 0/0/2[SwitchC-Ethernet0/0/2] port link-type hybrid[SwitchC-Ethernet0/0/2] port hybrid tagged vlan 10[SwitchC-Ethernet0/0/2] quit


# Configure QinQ so that the packets sent from SwitchA to the remote SwitchB carry doubletags.

<Quidway> system-view[Quidway] sysname SwitchA[SwitchA] vlan batch 20[SwitchA] interface ethernet 0/0/1[SwitchA-Ethernet0/0/1] port link-type hybrid[SwitchA-Ethernet0/0/1] qinq vlan-translation enable[SwitchA-Ethernet0/0/1] port vlan-stacking vlan 10 stack-vlan 20[SwitchA-Ethernet0/0/1] port hybrid untagged vlan 20[SwitchA-Ethernet0/0/1] quit[SwitchA] interface ethernet 0/0/2[SwitchA-Ethernet0/0/2] port link-type hybrid[SwitchA-Ethernet0/0/2] port hybrid tagged vlan 20[SwitchA-Ethernet0/0/2] quit

Step 3 Configure the remote SwitchB.

# Permit packets from VLAN 20 to pass through Eth0/0/2.

<Quidway> system-view[Quidway] sysname SwitchB[SwitchB] vlan batch 10 20[SwitchB] interface ethernet 0/0/2[SwitchB-Ethernet0/0/2] port link-type hybrid[SwitchB-Ethernet0/0/2] port hybrid tagged vlan 10 20[SwitchB-Ethernet0/0/2] quit

# Configure QinQ stacking.

[SwitchB] vlan 10



125

[SwitchB-vlan10] management-vlan[SwitchB-vlan10] quit[SwitchB] interface vlanif 10[SwitchB-Vlanif10] undo icmp host-unreachable send[SwitchB-Vlanif10] qinq stacking vlan 20[SwitchB-Vlanif10] ip address 10.10.10.1 24[SwitchB-Vlanif10] quit


You can log in to the remote SwitchB for managing VLAN services on SwitchA.

----End

Configuration Filesl Configuration file of SwitchA

# sysname SwitchA# vlan batch 20#interface Ethernet0/0/1 qinq vlan-translation enable port hybrid untagged vlan 20 port vlan-stacking vlan 10 stack-vlan 20#interface Ethernet0/0/2 port hybrid tagged vlan 20#return

l Configuration file of SwitchC# sysname SwitchC# vlan batch 10#interface Ethernet0/0/1 port hybrid tagged vlan 10#interface Ethernet0/0/2 port hybrid tagged vlan 10#return

l Configuration file of the remote SwitchB# sysname SwitchB# vlan batch 10 20 #vlan 10 management-vlan#interface Vlanif10 ip address 10.10.10.1 255.255.255.0 undo icmp host-unreachable send qinq stacking vlan 20#interface Ethernet0/0/2 port hybrid tagged vlan 10 20#return



126

6 GVRP Configuration

About This Chapter

This chapter describes basic GVRP concepts, GVRP configuration procedures, and concludeswith a GVRP configuration example.

ContextNOTE

The S2700SI and the 2710SI do not support GVRP.

6.1 GVRP OverviewThis section describes concepts of Generic Attribute Registration Protocol (GARP) and GARPVLAN Registration Protocol (GVRP).

6.2 Default ConfigurationThis section describes default GVRP settings that can be changed in actual applications.

6.3 Configuring GVRPThis section describes how to configure the GVRP function.

6.4 Maintaining GVRPThis section describes how to clear the GVRP statistics.

6.5 Configuration ExamplesThis section provides a configuration example for GVRP.

S2700&S3700 Series Ethernet SwitchesConfiguration Guide - Ethernet 6 GVRP Configuration


127

6.1 GVRP OverviewThis section describes concepts of Generic Attribute Registration Protocol (GARP) and GARPVLAN Registration Protocol (GVRP).

VLANs are mainly manually configured on devices. As shown in Figure 6-1, VLAN 2 isconfigured on Device A, and VLAN 1 is configured on Device B and Device C. The three devicesare connected though trunk links. To configure VLANs on all devices on the network, thenetwork administrator needs to manually create these VLANs on each device. To forwardpackets of VLAN 2 from Device A to Device C, the network administrator must manually createVLAN 2 on Device B and Device C.

When a network is complicated and the network administrator is unfamiliar with the networktopology or when many VLANs are configured on the network, huge workload of manualconfiguration is required. In addition, configuration errors may occur.

GVRP is an application of GARP. In this scenario, GVRP can be configured on the network toimplement automatic VLAN registration.

Figure 6-1 Networking of GVRP application

Device A

Device B

Device C

6.2 Default ConfigurationThis section describes default GVRP settings that can be changed in actual applications.


GVRP function The GVRP function is disabled globally and on interfaces.

Registration mode of the GVRPinterface

normal

LeaveAll timer 1000 centiseconds

Hold timer 10 centiseconds

Join timer 20 centiseconds



128


Leave timer 60 centiseconds

6.3 Configuring GVRPThis section describes how to configure the GVRP function.

6.3.1 Enabling GVRP

Context

Before enabling GVRP on an interface, you must enable GVRP globally. GVRP can be enabledonly on trunk interfaces. You must perform related configurations to ensure that all dynamicallyregistered VLANs can pass the trunk interfaces.

Procedure



Step 2 Run:gvrp

GVRP is enabled globally.



Step 4 Run:port link-type trunk

The link type of the interface is set to trunk.

Step 5 Run:port trunk allow-pass vlan { { vlan-id1 [ to vlan-id2 ] }&<1-10> | all }

The interface is added to the specified VLANs.

Step 6 Run:gvrp

GVRP is enabled on the interface.

By default, GVRP is disabled globally and on each interface.



129

NOTE

The S2700EI and S2752EI support a maximum of 256 dynamic VLANs. The S3700 supports a maximumof 4094 dynamic VLANs.

----End

6.3.2 (Optional) Setting the Registration Mode for a GVRP Interface

Context

A GVRP interface supports three registration modes:

l Normal: In this mode, the GVRP interface can dynamically register and deregister VLANs,and transmit dynamic VLAN registration information and static VLAN registrationinformation.

l Fixed: In this mode, the GVRP interface is disabled from dynamically registering andderegistering VLANs and can transmit only the static VLAN registration information. Ifthe registration mode is set to fixed for a trunk interface, the interface allows only themanually configured VLANs to pass even if it is configured to allow all the VLANs topass.

l Forbidden: In this mode, the GVRP interface is disabled from dynamically registering andderegistering VLANs and can transmit only information about VLAN 1. If the registrationmode is set to forbidden for a trunk interface, the interface allows only VLAN 1 to passeven if it is configured to allow all the VLANs to pass.

Procedure





Step 3 Run:gvrp registration { fixed | forbidden | normal }

The registration mode is set for the interface.

By default, the registration mode of a GVRP interface is normal.

NOTE

Before setting the registration mode for an interface, enable GVRP on the interface.

----End

6.3.3 (Optional) Setting the GARP Timers



130

Context

When a GARP participant is enabled, the LeaveAll timer is started. When the LeaveAll timerexpires, the GARP participant sends LeaveAll messages to request other GARP participants tore-register all its attributes. Then the LeaveAll timer restarts.

Devices on a network may have different settings for the LeaveAll timer. In this case, all thedevices use the smallest LeaveAll timer value on the network. When the LeaveAll timer of adevice expires, the device sends LeaveAll messages to other devices. After other devices receivethe LeaveAll messages, they reset their LeaveAll timers. Therefore, only the LeaveAll timerwith the smallest value takes effect even if devices have different settings for the LeaveAll timer.

When using the garp timer command to set the GARP timers, pay attention to the followingpoints:

l The undo garp timer command restores the default values of GARP timers. If thedefault value of a timer is out of the valid range, the undo garp timer command doesnot take effect.

l The value range of each timer changes with the values of the other timers. If a value youset for a timer is not in the allowed range, you can change the value of the timer thatdetermines the value range of this timer.

l To restore the default values of all the GARP timers, restore the Hold timer to the defaultvalue, and then sequentially restore the Join timer, Leave timer, and LeaveAll timer to thedefault values.

NOTE

It is recommended that you use the following values for the GVRP timers:

l GARP Hold timer: 100 centiseconds (1 second)

l GARP Join timer: 600 centiseconds (6 seconds)

l GARP Leave timer: 3000 centiseconds (30 seconds)

l GARP LeaveAll timer: 12000 centiseconds (2 minutes)

When more than 80 dynamic VLANs are created or more than three devices are running GVRP on thenetwork, set the GVRP timer to be larger than or equal to the reconmmended value. Otherwise, the deviceCPU is affected. When the number of dynamic VLANs or GVRP devices increases, increase lengths ofthe GARP timers.

Procedure



Step 2 Run:garp timer leaveall timer-value

The value of the LeaveAll timer is set.

The default value of the LeaveAll timer is 1000 centiseconds (10 seconds).

The Leave timer length on an interface is restricted by the global LeaveAll timer length. Whenconfiguring the global LeaveAll timer, ensure that all the interfaces configured with a GARPLeave timer are working properly.



131



Step 4 Run:garp timer { hold | join | leave } timer-value

The value of the Hold timer, Join timer, or Leave timer is set.

By default, the value of the Hold timer is 10 centiseconds, the value of the Join timer is 20centiseconds, and the value of the Leave timer is 60 centiseconds.

----End


Procedurel Run the display gvrp status command to view the status of global GVRP.

l Run the display gvrp statistics [ interface { interface-typeinterface-number [ to interface-type interface-number ] }&<1-10> ]command to view the GVRP statistics on an interface.

l Run the display garp timer [ interface { interface-type interface-number [ to interface-type interface-number ] }&<1-10> ] command toview the values of the GARP timers.

----End

6.4 Maintaining GVRPThis section describes how to clear the GVRP statistics.

6.4.1 Clearing GVRP Statistics

Context

NOTICEGVRP statistics cannot be restored after being cleared. Confirm your action before using thiscommand.



132

Procedure

Step 1 Run the reset garp statistics [ interface { interface-type interface-number [ to interface-type interface-number ] }&<1-10> ] command in the userview to clear GARP statistics on the specified interfaces.

----End

6.5 Configuration ExamplesThis section provides a configuration example for GVRP.

6.5.1 Example for Configuring GVRP


As shown in Figure 6-2, company A, a branch of company A, and company B are connectedusing switches. To implement dynamic VLAN registration, enable GVRP. The branch ofcompany A can communicate with the headquarters using SwitchA and SwitchB. Company Bcan communicate with company A using SwitchB and SwitchC. Interfaces connected tocompany A allow only the VLAN to which company B belongs to pass.

Figure 6-2 Configuring GVRP

SwitchA

SwitchB

SwitchC

Branch of company A

Company A

Company B

Eth0/0/1

Eth0/0/1 Eth0/0/2Eth0/0/1

Eth0/0/2Eth0/0/2



1. Enable GVRP to implement dynamic VLAN registration.

2. Configure GVRP on all switches of company A and set the registration mode to normal forthe interfaces to simplify configurations.

3. Configure GVRP on all switches of company A and set the registration mode to fixed forthe interfaces connecting to company A to allow only the VLAN to which company Bbelongs to pass.



133

Procedure


# Enable GVRP globally.

<Quidway> system-view[Quidway] sysname SwitchA[SwitchA] gvrp

# Set the link type of Eth 0/0/1 and Eth 0/0/2 to trunk and configure the interfaces to allow allVLANs to pass through.

[SwitchA] interface ethernet 0/0/1[SwitchA-Ethernet0/0/1] port link-type trunk[SwitchA-Ethernet0/0/1] port trunk allow-pass vlan all[SwitchA-Ethernet0/0/1] quit[SwitchA] interface ethernet 0/0/2[SwitchA-Ethernet0/0/2] port link-type trunk[SwitchA-Ethernet0/0/2] port trunk allow-pass vlan all[SwitchA-Ethernet0/0/2] quit

# Enable GVRP and set the registration mode on the interfaces.

[SwitchA] interface ethernet 0/0/1[SwitchA-Ethernet0/0/1] gvrp[SwitchA-Ethernet0/0/1] gvrp registration normal[SwitchA-Ethernet0/0/1] quit[SwitchA] interface ethernet 0/0/2[SwitchA-Ethernet0/0/2] gvrp[SwitchA-Ethernet0/0/2] gvrp registration normal[SwitchA-Ethernet0/0/2] quit

The configuration of SwitchB is similar to the configuration of SwitchA, and is not mentionedhere.

Step 2 Configure SwitchC.

# Create VLAN 101 to VLAN 200.

<Quidway> system-view[Quidway] sysname SwitchC[SwitchC] vlan batch 101 to 200

# Enable GVRP globally.

[SwitchC] gvrp

# Set the link type of Eth 0/0/1 and Eth 0/0/2 to trunk and configure the interfaces to allow allVLANs to pass through.

[SwitchC] interface ethernet 0/0/1[SwitchC-Ethernet0/0/1] port link-type trunk[SwitchC-Ethernet0/0/1] port trunk allow-pass vlan all[SwitchC-Ethernet0/0/1] quit[SwitchC] interface ethernet 0/0/2[SwitchC-Ethernet0/0/2] port link-type trunk[SwitchC-Ethernet0/0/2] port trunk allow-pass vlan all[SwitchC-Ethernet0/0/2] quit

# Enable GVRP and set the registration mode on the interfaces.

[SwitchC] interface ethernet 0/0/1[SwitchC-Ethernet0/0/1] gvrp[SwitchC-Ethernet0/0/1] gvrp registration fixed[SwitchC-Ethernet0/0/1] quit



134

[SwitchC] interface ethernet 0/0/2[SwitchC-Ethernet0/0/2] gvrp[SwitchC-Ethernet0/0/2] gvrp registration normal[SwitchC-Ethernet0/0/2] quit


After the configuration is complete, the branch of Company A can communicate with theheadquarters, and users of Company A in VLAN 101 to VLAN 200 can communicate with usersin Company B.

Run the display gvrp status command on SwitchA to check whether GVRP is enabled globally.The following information is displayed:

[SwitchA] display gvrp status GVRP is enabled

Run the display gvrp statistics command on SwitchA to view GVRP statistics on GVRPinterfaces, including the GVRP state of each interface, number of GVRP registration failures,source MAC address of the last GVRP PDU, and registration mode of each interface.

[SwitchA] display gvrp statistics GVRP statistics on port Ethernet0/0/1 GVRP status : Enabled GVRP registrations failed : 0 GVRP last PDU origin : 0000-0000-0000 GVRP registration type : Normal

GVRP statistics on port Ethernet0/0/2 GVRP status : Enabled GVRP registrations failed : 0 GVRP last PDU origin : 0000-0000-0000 GVRP registration type : Normal

Verify the configurations of SwitchB and SwitchC in the same way.

----End

Configuration Filesl Configuration file of SwitchA# sysname SwitchA# gvrp#interface Ethernet0/0/1 port link-type trunk port trunk allow-pass vlan 2 to 4094 gvrp#interface Ethernet0/0/2 port link-type trunk port trunk allow-pass vlan 2 to 4094 gvrp#return

l Configuration file of SwitchB# sysname SwitchB# gvrp#



135

interface Ethernet0/0/1 port link-type trunk port trunk allow-pass vlan 2 to 4094 gvrp#interface Ethernet0/0/2 port link-type trunk port trunk allow-pass vlan 2 to 4094 gvrp#return

l Configuration file of SwitchC# sysname SwitchC# vlan batch 101 to 200# gvrp#interface Ethernet0/0/1 port link-type trunk port trunk allow-pass vlan 2 to 4094 gvrp gvrp registration fixed#interface Ethernet0/0/2 port link-type trunk port trunk allow-pass vlan 2 to 4094 gvrp#return



136

7 MAC Address Table Configuration

About This Chapter

This chapter provides the basics for MAC address table configuration, configuration procedure,and configuration examples.

7.1 MAC Address Table OverviewA MAC address table records the MAC address, VLAN ID and outbound interfaces learnedfrom other devices.

7.2 MAC Address Features Supported by the DeviceThis section describes the MAC address features supported by the switch and provides usagescenarios of the features to help you complete configuration.

7.3 Default ConfigurationThis section describes the default configuration of the MAC address table.

7.4 Configuring the MAC Address TableThis section describes procedures to configure static, blackhole, and dynamic MAC addressentries, prevent an interface from learning MAC addresses, limit the number of learned MACaddresses.

7.5 Configuring Port SecurityThe port security function changes MAC addresses learned on an interface into secure MACaddresses (including secure dynamic MAC addresses and sticky MAC addresses). Only hostsusing secure MAC addresses or static MAC addresses can communicate with the device throughthe interface. This function enhances security of the device.

7.6 Configuring MAC Address Flapping DetectionMAC address flapping detection detects all MAC addresses on the device. If MAC addressflapping occurs, the device sends an alarm to the NMS.

7.7 Enabling MAC Spoofing DefenseMAC spoofing defense ensures that a MAC address learned on an interface will not be learnedon other interfaces, protecting the system against MAC spoofing attacks.

7.8 Configuring the Switch to Discard Packets with an All-0 MAC Address

S2700&S3700 Series Ethernet SwitchesConfiguration Guide - Ethernet 7 MAC Address Table Configuration


137

A faulty network device may send a packet with an all-0 source or destination MAC address tothe switch. You can configure the switch to discard such packets and send an alarm to the networkmanagement system (NMS). You can locate the faulty device according to the alarm.

7.9 Enabling MAC Address-triggered ARP Entry UpdateThe MAC address-triggered ARP entry update enables the switch to update the correspondingARP entry when the outbound interface in a MAC address entry changes.

7.10 Enabling Port BridgeThe port bridge function enables an interface to forward packets in which the source anddestination MAC addresses are the same.

7.11 Configuration ExamplesThis section provides several configuration examples of MAC address.

7.12 Common Configuration ErrorsThis section describes how to process common configuration errors in MAC address entries.



138

7.1 MAC Address Table OverviewA MAC address table records the MAC address, VLAN ID and outbound interfaces learnedfrom other devices.

Each device maintains a MAC address table. A MAC address table records the MAC address,VLAN ID and outbound interfaces learned from other devices. When forwarding a data frame,the device searches the MAC table for the outbound interface according to the destination MACaddress and VLAN ID in the frame. This helps the device reduce broadcasting.

Packet Forwarding Based on the MAC Address TableThe device forwards packets based on the MAC address table in either of the following modes:

l Unicast mode: If the destination MAC address of a packet can be found in the MAC addresstable, the device forwards the packet through the outbound interface specified in thematching entry.

l Broadcast mode: If a packet is a broadcast or multicast packet or its destination MACaddress cannot be found in the MAC address table, the device broadcasts the packet to allthe interfaces in the VLAN except the inbound interface.

Categories of MAC Address EntriesThe MAC address entry can be classified into the dynamic entry, the static entry and theblackhole entry.

l The dynamic entry is created by learning the source MAC address. It has aging time.l The static entry is set by users. It does not age.l The blackhole entry is used to discard the frame with the specified source MAC address or

destination MAC address. Users manually set the blackhole entries. Blackhole entries haveno aging time.

The dynamic entry will be lost after the system is reset. The static entry and the blackhole entry,however, will not be lost.

Generation of a MAC address entryMAC address entries are generated automatically or configured manually.

l Automatically Generated MAC Address EntriesMAC address entries are learned by the system automatically. For example, SwitchA andHostB are connected. When HostB sends a frame to SwitchA, SwitchA obtains the sourceMAC address (the MAC address of HostB) from the frame and adds the source MACaddress and the interface number to the MAC address table. When SwitchA receives aframe sent to HostB again, SwitchA can search the MAC address table to find the correctoutbound interface.The entries in the MAC table will not be valid all the time. Each entry has its own lifetime.If the entry has not been refreshed at the expiration of its lifetime, the device will deletethat entry from the MAC table. That lifetime is called aging time. If the entry is refreshedbefore its lifetime expires, the device resets the aging time for it.



139

l Manually Configured MAC Address Entries

When creating MAC address entries by itself, the device cannot identify whether thepackets are from the legal users or the hackers. This threatens the network safety.

Hackers can fake the source MAC address in attack packets. The packet with a forgedaddress enters the device from the other port. Then the device learns a fault MAC tableentry. That is why the packets sent to the legal users are forwarded to the hackers.

For security, the network administrator can add static entries to the MAC table manuallyto bind the user's device and the port of the device. In this way, the device can stop theillegal users from stealing data.

By configuring blackhole MAC address entries, you can configure the specified user trafficnot to pass through a device to prevent attacks from unauthorized users.

The priority of MAC entries set up by users is higher than that generated by the deviceitself.

Aging Time of MAC Addresses

To adapt to the changes of networks, the MAC table needs to be updated constantly. The dynamicentries automatically created in a MAC address table are not always valid. Each entry has a lifecycle. The entry that has never been updated till its life cycle ends will be deleted. This life cycleis called aging time. If the entry is updated before its life cycle ends, the aging time of the entryis recalculated.

Figure 7-1 Aging of MAC addresses

Time

1T

2T

3T

4T

t1

0

t2 t3

As shown in the preceding figure, the aging time of MAC addresses is set to T. At t1, packetswith the source MAC address 00e0-fc00-0001 and VLAN ID 1 reach an interface. Assume thatthe interface is added to VLAN 1. If no entry with the MAC address as 00e0-fc00-0001 and theVLAN ID as 1 exists in the MAC address table, the MAC address is added to the MAC addresstable as a dynamic MAC address entry and the flag of the matching entry is set to 1.

The device checks all learned dynamic MAC address entries at an interval of T. For example,at t2, if the device discovers that the flag of the matching dynamic MAC address entry with theMAC address as 00e0-fc00-0001 and the VLAN ID as 1 is 1, the flag of the matching MACaddress entry is set to 0 and the MAC address entry is not deleted. If packets with the sourceMAC address as 00e0-fc00-0001 and the VLAN ID as 1 enter the device between t2 and t3, theflag of the matching MAC address entry is set to 1 again. If no packet with the source MACaddress as 00e0-fc00-0001 and the VLAN ID as 1 enters the device between t2 and t3, the flagof the matching MAC address entry is always 0. At t3, after discovering that the flag of thematching MAC address entry is 0, the device assumes that the aging time of the MAC addressentry expires and deletes the MAC address entry.

As stated above, the minimum holdtime of a dynamic MAC address entry in the MAC addresstable ranges from the aging time T to 2 T configured on the device through automatic aging.



140

The aging time of MAC addresses is configurable. By setting the aging time of MAC addresses,you can flexibly control the holdtime of learned dynamic MAC address entries in the MACaddress table.

7.2 MAC Address Features Supported by the DeviceThis section describes the MAC address features supported by the switch and provides usagescenarios of the features to help you complete configuration.

1. You can configure the following MAC address features to improve device security andcontrol the number of entries in the MAC address table.

Table 7-1 Basic functions of MAC address entries

Function Usage Scenario

StaticMACaddressentry

Create static MAC address entries for MAC addresses of fixed upstreamdevices or trusted user devices to improve communication security.

BlackholeMACaddressentry

It can prevent hackers from attacking a network using bogus MACaddresses.

Aging timeof adynamicMACaddressentry

Set a proper aging time for dynamic MAC addresses to prevent sharpincrease of dynamic MAC address entries.

DisablingMACaddresslearning

This method can be used on a network where the topology seldom changesor forwarding paths are specified in static MAC address entries. Thismethod prevents users with unknown MAC addresses from accessing thenetwork, protects the network from MAC address attacks, and improvesnetwork security.

Limitingthe numberof MACaddressesthat can belearned

MAC address limiting protects the switch from MAC address attacks onan insecure network.

2. You can use the following methods to improve security or meet special requirements:



141

Table 7-2 Extended functions of MAC address entries

Function Usage Scenario

Portsecurity

If a network requires high security, port security can be configured on theinterfaces connected to trusted devices. The port security functionprevents devices with untrusted MAC addresses from accessing theseinterfaces and improves device security.

MACspoofingdefense

This function ensures that a MAC address learned on an interface will notbe learned on other interfaces, protecting the system against MACspoofing attacks.

MACaddressflappingdetection

This function reduces the impact of loops on the switch.

Discardingpacketswith an all-zero MACaddress

A faulty device may send packets with an all-zero source or destinationMAC address. You can configure the switch to discard such packets andsend an alarm to the network management system (NMS). You can locatethe faulty device according to the trap message.

MACaddresstriggeredARP entryupdate

This function enables the switch to update the corresponding ARP entrywhen the outbound interface in a MAC address entry changes.

Port bridge This function enables an interface to process packets in which the sourceand destination MAC addresses are the same. It can be configured on aswitch connected to a device without Layer 2 forwarding capability or aswitch functioning as an access device in a data center.

Table 7-3 Functions supported by different types of switches

Function S2700SI/S2710SI S2700EI S3700SI/S3700EI

Static MAC addressentry

Y Y Y

Blackhole MACaddress entry

Y Y Y

Aging time of adynamic MACaddress entry

Y Y Y

Disabling MACaddress learning

N Y Y



142

Function S2700SI/S2710SI S2700EI S3700SI/S3700EI

Limiting the numberof MAC addressesthat can be learned

Y Y Y

Port security N Y Y

MAC spoofingdefense

N N Y

MAC addressflapping detection

N N Y

Discarding packetswith an all-zeroMAC address

N Y Y

MAC addresstriggered ARP entryupdate

N N Y

Port bridge N N Y

Static MAC Address EntriesAs shown in Figure 7-2, an interface on the Switch is connected to an upstream device or aserver. Attackers may set the source MAC address of packets to the server MAC address andsend the packets to the Switch to intercept data of the server. To protect the server and ensurecommunication between users and the server, you can configure a static MAC address entry inwhich the destination MAC address is the server MAC address and the outbound interface is theinterface connected to the server.

Figure 7-2 Network diagram of static MAC address entry configuration

Network Server

Switch

PC1 PC2

LAN Switch



143

Blackhole MAC Address Entry

To save the MAC address table space, protect user devices or network devices from MACaddress attacks, you can configure untrusted MAC addresses as blackhole MAC addresses.Packets with source or destination MAC addresses matching the blackhole MAC address entriesare discarded.

MAC Address Aging

Dynamic MAC address entries are learned by the switch from source MAC addresses of receivedpackets. Dynamic MAC address entries are not always valid. An aging timer is configured foreach dynamic MAC address entry. If a dynamic MAC address entry is not updated within acertain period (twice the aging time), the entry is deleted. If the entry is updated within thisperiod, the aging timer of this entry is reset.

The network topology changes frequently, and the switch will learn many MAC addresses. Afterthe aging time of dynamic MAC address entries is set, the device can delete unneeded MACaddress entries to prevent sharp increase of MAC address entries.

Disabling MAC Address Learning

When an switch with MAC address learning enabled receives an Ethernet frame, it records thesource MAC address and inbound interface of the Ethernet frame in a MAC address entry. Whenreceiving other Ethernet frames destined for this MAC address, the switch forwards the framesthrough the outbound interface according to the MAC address entry. The MAC address learningfunction reduces broadcast packets on a network.

After MAC address learning is disabled on an interface, the switch does not learn source MACaddresses of packets received by the interface.

Limiting the Number of Learned MAC Addresses

The switch can limit the number of MAC addresses learned on an interface, VLAN. When thenumber of learned MAC address entries reaches the limit, the device stops learning MACaddresses. You can configure the device to generate an alarm. This prevents hackers fromattacking user devices or the network using MAC addresses.

Port Security

The port security function changes MAC addresses learned on an interface into secure MACaddresses (including secure dynamic MAC addresses and sticky MAC addresses). Only hostsusing secure MAC addresses or static MAC addresses can communicate with the device throughthe interface. This function enhances security of the device.

MAC Address Flapping Detection

MAC address flapping occurs when a MAC address is learned by two interfaces in the sameVLAN. The MAC address entry learned later replaces the earlier one.



144

MAC address flapping occurs on a network when the network has a loop or is attacked. As shownin Figure 7-3, a loop occurs on a user network because network cables between two devices areincorrectly connected. The loop causes MAC address flapping and MAC address table flapping.

MAC address flapping detection enables the device to check all MAC addresses. If MAC addressflapping occurs, the device sends an alarm to the NMS. You can locate the faulty deviceaccording to the alarm and MAC address flapping history records. This greatly improves networkmaintainability. If the user network connected to the device does not support loop preventionprotocols, configure the device to shut down the interfaces where MAC address flapping occurs.This reduces the impact of MAC address flapping on the user network.

Figure 7-3 Networking diagram of MAC address flapping detection

Switch

Network

Incorrect connection

7.3 Default ConfigurationThis section describes the default configuration of the MAC address table.

Table 7-4 Default values of a MAC address entry

Parameter Default Value

Aging time of a dynamic MAC address entry 300 seconds

Whether MAC address learning is enabled Enable

Port security Disabled

Limit on the number of MAC addresseslearned by an interface

1

Action to be taken when the number oflearned MAC addresses reaches the limit

Restrict

Aging time of flapping MAC addresses 300 seconds



145

Parameter Default Value

Discarding packets with all-0 invalid MACaddresses

Disabled

Alarms generated when receiving packetswith all-0 invalid MAC addresses

Disabled

Port bridge Disabled

MAC address triggered ARP entry update Disabled

7.4 Configuring the MAC Address TableThis section describes procedures to configure static, blackhole, and dynamic MAC addressentries, prevent an interface from learning MAC addresses, limit the number of learned MACaddresses.

7.4.1 Configuring a Static MAC Address Entry

ContextTo ensure communication security, you can configure MAC addresses of trusted upstreamdevices or users as static MAC address entries.

Procedure



Step 2 Run:mac-address static mac-address interface-type interface-number vlan vlan-id

A static MAC address entry is configured.

NOTE

A static MAC address entry takes precedence over a dynamic MAC address entry. The system discards packetswith configured static MAC addresses that have been learned by other interfaces.

----End

7.4.2 Configuring a Blackhole MAC Address Entry

ContextTo save the MAC address table space, protect user devices or network devices from MACaddress attacks, you can configure untrusted MAC addresses as blackhole MAC addresses.Packets with source or destination MAC addresses matching the blackhole MAC address entriesare discarded.



146

NOTE

The S2700SI and S2710SI do not support global Blackhole MAC Address Entry.

Procedure



Step 2 Run:mac-address blackhole mac-address [ vlan vlan-id ]

A blackhole MAC address entry is configured.

----End

7.4.3 Setting the Aging Time of Dynamic MAC Address Entries

ContextThe network topology changes frequently, and the switch will learn many MAC addresses. Afterthe aging time of dynamic MAC address entries is set, the device can delete unneeded MACaddress entries to prevent sharp increase of MAC address entries. A shorter aging time isapplicable to networks where network topology changes frequently, and a longer aging time isapplicable to stable networks.

Procedure



Step 2 Run:mac-address aging-time aging-time

The aging time of a dynamic MAC address entry is set.

The value of aging-time is 0 or an integer that ranges from 10 to 1000000, in seconds. Thedefault value is 300. The value 0 indicates that dynamic MAC address entries will not be agedout.

----End

7.4.4 Disabling MAC Address Learning

ContextWhen an switch with MAC address learning enabled receives an Ethernet frame, it records thesource MAC address and inbound interface of the Ethernet frame in a MAC address entry. Whenreceiving other Ethernet frames destined for this MAC address, the switch forwards the framesthrough the outbound interface according to the MAC address entry. The MAC address learning



147

function reduces broadcast packets on a network. After MAC address learning is disabled on aninterface, the switch does not learn source MAC addresses of packets received by the interface.

NOTE


Configuration Processl Disabling MAC address learning in the interface view

1. Run:system-view


interface interface-type interface-number

The interface view is displayed.3. Run:

mac-address learning disable [ action { discard | forward } ]

MAC address learning is disabled on the interface.By default, MAC address learning is enabled on an interface.By default, the switch performs the forward action after MAC address learning isdisabled. That is, the switch forwards packets according to the MAC address table.When the action is configured to discard, the switch matches the source MACaddresses of packets with the MAC address entries. If the inbound interface and sourceMAC address of a packet matches a MAC address entry, the switch forwards thepacket. Otherwise, the switch discards the packet.

l Disabling MAC address learning in the VLAN view

1. Run:system-view


vlan vlan-id

The VLAN view is displayed.3. Run:

mac-address learning disable

MAC address learning is disabled in the VLAN.By default, MAC address learning is enabled in a VLAN.

7.4.5 Limiting the Number of Learned MAC Addresses

ContextThe network with low security may be attacked by MAC address attacks. The capacity of a MACaddress table is limited. Therefore, when hackers forge a large quantity of packets with differentsource MAC addresses and send the packets to the switch, the MAC address table of theswitch may reach its full capacity. When the MAC address table is full, the switch cannot learnsource MAC addresses of valid packets.



148

You can limit the number of MAC addresses learned on the switch. When the number of learnedMAC address entries reaches the limit, the switch does not learn new MAC addresses. Packetswhose source MAC addresses are not in the MAC address table are forwarded, but their MACaddresses are not recorded in the MAC address table. You can enable the device to send trapsto the NMS. This prevents MAC address attacks and improves network security.

NOTE

The S2700SI and S2710SI do not support limiting the number of MAC addresses learned by a GE interface.

Only the S3700 supports limiting the number of MAC addresses learned in a VLAN.

Procedurel Limiting the number of MAC addresses learned by an interface

1. Run:system-view




3. Run:mac-limit maximum max-num

The maximum number of MAC addresses learned on the interface is set.

By default, the number of MAC addresses learned on an interface is not limited.

4. Run:mac-limit alarm { disable | enable }

The switch is configured to (or not to) send a trap to the NMS when the number oflearned MAC addresses reaches the limit.

By default, the switch sends a trap to the NMS when the number of learned MACaddresses reaches the limit.

l Limiting the number of MAC addresses learned in a VLAN

1. Run:system-view


2. Run:vlan vlan-id


3. Run:mac-limit maximum max-num

The maximum number of MAC addresses learned in the VLAN is set.

By default, the number of MAC addresses learned in a VLAN is not limited.

4. Run:mac-limit alarm { disable | enable }



149

The switch is configured to (or not to) send a trap to the NMS when the number oflearned MAC addresses reaches the limit.

By default, the switch sends a trap to the NMS when the number of learned MACaddresses reaches the limit.

----End


Procedurel Run the display mac-address command to view all MAC address entries.

l Run the display mac-address static command to view static MAC address entries.

l Run the display mac-address dynamic command to view dynamic MAC addressentries.

l Run the display mac-address blackhole command to view blackhole MACaddress entries.

l Run the display mac-address aging-time command to view the aging time ofdynamic MAC address entries.

l Run the display mac-address summary command to view statistics on all theMAC address entries.

l Run the display mac-address total-number command to view the number ofMAC address entries.

l Run the display mac-limit command to view the limit of the number of learnedMAC addresses.

----End

7.5 Configuring Port SecurityThe port security function changes MAC addresses learned on an interface into secure MACaddresses (including secure dynamic MAC addresses and sticky MAC addresses). Only hostsusing secure MAC addresses or static MAC addresses can communicate with the device throughthe interface. This function enhances security of the device.


Before configuring port security on an interface, complete the following tasks:

l Disabling MAC address limiting on the interface

l Disabling MUX VLAN on the interface

l Disabling MAC address authentication on the interface

l Disabling 802.1x authentication on the interface

l Disabling MAC address security for DHCP snooping on the interface

NOTE

The S2700SI and S2710SI do not support Port Security.



150

7.5.1 Configuring the Secure MAC Function on an Interface

ContextIf a network requires high access security, you can configure port security on specified interfaces.MAC addresses learned by these interfaces change to secure dynamic MAC addresses or stickyMAC addresses. When the number of learned MAC addresses reaches the limit, the interfacedoes not learn new MAC addresses and allows only the devices with the learned MAC addressesto communicate with the switch. This prevents devices with untrusted MAC addresses fromaccessing these interfaces, improving security of the switch and the network.

By default, secure dynamic MAC addresses will not be aged out. You can set the aging time forsecure dynamic MAC addresses so that they can be aged out. Secure dynamic MAC addressesare lost after the device restarts and the device needs to learn the MAC addresses again.

Procedure





Step 3 Run:port-security enable

Port security is enabled.

By default, port security is disabled on an interface.

Step 4 (Optional) Run:port-security max-mac-num max-number

The limit on the number of secure dynamic MAC addresses is set.

By default, the limit on the number of secure dynamic MAC addresses is 1.

Step 5 (Optional) Run:port-security protect-action { protect | restrict | shutdown }

The protection action is configured.

The default action is restrict.

The protection actions are as follows:

l protect: discards packets with new source MAC addresses when the number of learnedMAC addresses reaches the limit.

l restrict: discards packets with new source MAC addresses and sends a trap messagewhen the number of learned MAC addresses exceeds the limit.

l shutdown: set the interface status to error down and sends a trap message when the numberof learned MAC addresses exceeds the limit.



151

By default, an interface cannot automatically restore to Up state after it is shut down. Torestore the interface, run the shutdown and undo shutdown commands on the interface insequence. Alternatively, run the restart command on the interface to restart the interface.

Step 6 (Optional) Run:port-security aging-time time [ type { absolute | inactivity } ]

The aging time of secure dynamic MAC addresses is set.

By default, secure dynamic MAC addresses will not be aged out.

----End

7.5.2 Configuring the Sticky MAC Function on an Interface

ContextIf a network requires high access security, you can configure port security on specified interfaces.MAC addresses learned by these interfaces change to secure dynamic MAC addresses or stickyMAC addresses. When the number of learned MAC addresses reaches the limit, the interfacedoes not learn new MAC addresses and allows only the devices with the learned MAC addressesto communicate with the switch. This prevents devices with untrusted MAC addresses fromaccessing these interfaces, improving security of the switch and the network.

The sticky MAC function changes MAC addresses learned by an interface to sticky MACaddresses. Sticky MAC addresses will not be aged out. After you save the configuration andrestart the switch, sticky MAC addresses still exist.

Procedure





Step 3 Run:port-security enable

Port security is enabled.

By default, port security is disabled on an interface.

Step 4 Run:port-security mac-address sticky

The sticky MAC function is enabled on the interface.

By default, the sticky MAC function is disabled on an interface.

Step 5 (Optional) Run:port-security max-mac-num max-number

The limit on the number of sticky MAC addresses is set on the interface.



152

By default, the limit on the number of sticky MAC addresses is 1.

Step 6 (Optional) Run:port-security protect-action { protect | restrict | shutdown }

The protection action is configured.

The default action is restrict.

The protection actions are as follows:

l protect: discards packets with new source MAC addresses when the number of learnedMAC addresses reaches the limit.

l restrict: discards packets with new source MAC addresses and sends a trap messagewhen the number of learned MAC addresses exceeds the limit.

l shutdown: set the interface status to error down and sends a trap message when the numberof learned MAC addresses exceeds the limit.

By default, an interface cannot automatically restore to Up state after it is shut down. Torestore the interface, run the shutdown and undo shutdown commands on the interface insequence. Alternatively, run the restart command on the interface to restart the interface.

Step 7 (Optional) Run:port-security mac-address sticky mac-address vlan vlan-id

A sticky MAC address entry is configured.

----End


Procedurel Run the display current-configuration interface interface-type

interface-number command to view the current configuration of an interface.

l Run the display mac-address security [ vlan vlan-id | interface-type interface-number ] * [ verbose ] command to view secure dynamic MACaddress entries.

l Run the display mac-address sticky [ vlan vlan-id | interface-typeinterface-number ] * [ verbose ] command to view sticky MAC address entries.

----End

7.6 Configuring MAC Address Flapping DetectionMAC address flapping detection detects all MAC addresses on the device. If MAC addressflapping occurs, the device sends an alarm to the NMS.

Context

After MAC address flapping detection is configured in a VLAN, the device checks all the MACaddresses in the VLAN to detect MAC address flapping. When MAC address flapping occurs



153

on an interface, the device blocks the interface, blocks the MAC address, or reports a trapaccording to the configuration.

NOTE

Only the S3700 supports MAC Address Flapping Detection.

Procedure




A VLAN is created and the VLAN view is displayed.

Step 3 Run:loop-detect eth-loop { [ block-mac ] block-time block-time retry-times retry-times | alarm-only }

MAC address flapping detection is configured in the VLAN.

When the device detects MAC address flapping in the VLAN, it performs either of the followingactions:

l Blocks the interface or MAC address. When the block-mac keyword is used in the command,the switch does not block the interface but blocks the traffic from the flapping MAC address.

l Sends a trap to the NMS.

----End

Checking the Configuration

Run the display loop-detect eth-loop [ vlan vlan-id ] command to viewinformation about MAC address flapping detection in a VLAN.

Follow-up Procedure

After an interface or a MAC address is permanently blocked because of MAC address flapping,you must run the reset loop-detect eth-loop command in the corresponding VLANif you want to restore the interface or MAC address.


2. Run the reset loop-detect eth-loop vlan vlan-id { all | interfaceinterface-type interface-number | mac-address mac-address } tounblock the specified interface or MAC address.

Before using the reset loop-detect eth-loop command, run the display loop-detect eth-loop command to check the blocked interfaces or MAC addresses.



154

7.7 Enabling MAC Spoofing DefenseMAC spoofing defense ensures that a MAC address learned on an interface will not be learnedon other interfaces, protecting the system against MAC spoofing attacks.

Applicable Environment

A user device may send bogus packets with a server's MAC address to prevent other users fromaccessing the server. To prevent such attacks, enable MAC spoofing defense on the network-side interface connected to the server so that the interface becomes a trusted interface. MACaddresses learned by this interface will not be learned by other interfaces; therefore, the MACaddress entry of the server cannot be modified by attack packets.

NOTE

Only the S3700 supports MAC spoofing defense.

Procedure



Step 2 Run:mac-spoofing-defend enable

Global MAC spoofing defense is enabled.

By default, global MAC spoofing defense is disabled.



Step 4 Run:mac-spoofing-defend enable

MAC spoofing defense is enabled on the interface so that the interface becomes a trustedinterface.

By default, MAC spoofing defense is disabled on an interface.

----End

7.8 Configuring the Switch to Discard Packets with an All-0MAC Address

A faulty network device may send a packet with an all-0 source or destination MAC address tothe switch. You can configure the switch to discard such packets and send an alarm to the networkmanagement system (NMS). You can locate the faulty device according to the alarm.



155

ContextYou can configure the switch to discard packets with an all-0 source or destination MAC address.

NOTE


Procedure



Step 2 Run:drop illegal-mac enable

The switch is configured to discard packets with an all-0 MAC address.

By default, the switch does not discard packets with an all-0 MAC address.

Step 3 (Optional) Run:drop illegal-mac alarm

The switch is configured to send a trap to the NMS when receiving packets with an all-0 MACaddress.

By default, the switch does not send a trap to the NMS when receiving packets with an all-0MAC address.

NOTE

The switch sends only one trap after receiving packets with an all-0 MAC address. To enable the switchto send a trap again after receiving packets with an all-0 MAC address, run the drop illegal-macalarm command.

----End

Checking the ConfigurationRun the display current-configuration command to check whether the switch isconfigured to discard packets with an all-0 MAC address.

7.9 Enabling MAC Address-triggered ARP Entry UpdateThe MAC address-triggered ARP entry update enables the switch to update the correspondingARP entry when the outbound interface in a MAC address entry changes.

ContextEach network device uses an IP address to communicate with other devices. On an Ethernetnetwork, a device sends and receives Ethernet data frames based on MAC addresses. The ARPprotocol maps IP addresses to MAC addresses. When a device communicates with a device ona different network segment, it finds the MAC address and outbound interface of a packetaccording to the corresponding ARP entry.



156

Generally, MAC address entries and ARP entries are consistent. In some scenarios, MACaddress entries are updated, but ARP entries are not updated immediately. In Figure 7-4,SwitchA and SwitchB function as gateways of the server and have VRRP enabled to enhancereliability. VRRP packets are transmitted on the directly connected link between the twoswitches. When the server sends packets, only one network interface is selected to forwardpackets. When a network fault or traffic exception is detected, another network interface is used.l SwitchA functions as the master device and the server uses Port2 to send packets. SwitchA

learns the ARP entry and MAC entry on Port2, and SwitchB learns the server MAC addresson Port1.

l When the server detects that Port2 is faulty, the server uses Port1 to forward service packets.SwitchA learns the server MAC address on Port1. If the server does not send an ARPRequest packet to SwitchA, SwitchA still learns the ARP entry on Port2. In this case,packets sent from SwitchA to the server are forwarded through Port2 until the ARP entryis aged out.

To solve the problem, configure MAC address-triggered ARP entry update. This functionenables the device to update the corresponding ARP entry when the outbound interface in aMAC address entry changes.

Figure 7-4 Networking for configuring MAC address-triggered ARP entry update when a VRRPactive/backup switchover is performed

Server

Switch A(VRRP Master) Switch B(VRRP Backup)

Port2

Port1

Port2Port1

Port1

Port2

NOTE

Only the S3700 supports this configuration.

Procedure



Step 2 Run:mac-address update arp

MAC address-triggered ARP entry update is enabled.



157

By default, the switch does not update the corresponding ARP entry when the outbound interfacein a MAC address entry changes.

NOTE

l This command takes effect only for dynamic ARP entries. Static ARP entries are not updated whenthe corresponding MAC address entries change.

l The mac-address update arp command does not take effect after ARP entry fixing is enabled by usingthe arp anti-attack entry-check { fixed-mac | fixed-all | send-ack }enable command.

l After the mac-address update arp command is run, the switch updates an ARP entry only if theoutbound interface in the corresponding MAC address entry changes.

----End

Checking the Configuration

Run the display current-configuration command to check whether the MACaddress triggered ARP entry update function is enabled.

7.10 Enabling Port BridgeThe port bridge function enables an interface to forward packets in which the source anddestination MAC addresses are the same.

Context

By default, an interface does not forward packets whose source and destination MAC addressesare both learned by this interface. When the interface receives such a packet, it discards thepacket as an invalid packet.

After the port bridge function is enabled on the interface, the interface forwards such a packetif the destination MAC address of the packet is in the MAC address table.

The port bridge function is used in the following scenarios:

l The device connects to devices that do not support Layer 2 forwarding. When usersconnected to these devices need to send packets, the packets are directly sent to the deviceand forwarded by the device. These packets have the same source and destination MACaddress; therefore, you need to enable port bridge to forward packets with the same sourceand destination MAC address.

l The device is used as an access device in a data center and is connected to servers. Eachserver is configured with multiple virtual machines. The virtual machines need to transmitdata to each other. If data between virtual machines is transmitted on the server, the datatransmission rate and server performance may be affected. To improve the datatransmission rate and server performance, enable the port bridge function on the interfacesconnected to the servers so that the device forwards data packets between the virtualmachines.

NOTE

Only the S3700 supports this configuration.



158

Procedure





Step 3 Run:port bridge enable

The port bridge function is enabled.

By default, the port bridge function is disabled on an interface.

----End

Checking the ConfigurationRun the display current-configuration command to check whether the port bridgefunction is enabled.

7.11 Configuration ExamplesThis section provides several configuration examples of MAC address.

7.11.1 Example for Configuring the MAC Address Table

Networking RequirementsAs shown in Figure 7-5, the MAC address of the user host PC1 is 0002-0002-0002 and that ofthe user host PC2 is 0003-0003-0003. PC1 and PC2 are connected to the Switch through theLSW. The LSW is connected to Eth0/0/1 of the Switch, which belongs to VLAN 2. The MACaddress of the server is 0004-0004-0004. The server is connected to Eth0/0/2 of the Switch.Eth0/0/2 belongs to VLAN 2.

l To prevent hackers from using MAC addresses to attack the network, configure two staticMAC address entries for each user host on the Switch.

l To prevent hackers from stealing user information by forging the MAC address of theserver, configure a static MAC address entry on the Switch for the server.



159

Figure 7-5 Configuring the MAC address table

Network

Switch

Server

PC1 PC2

MAC address: 2-2-2 MAC address: 3-3-3

LSW

Eth0/0/1

Eth0/0/2MAC address: 4-4-4



1. Create a VLAN and add an interface to the VLAN to implement Layer 2 forwarding.

2. Configure static MAC address entries to prevent MAC address attacks.

3. Configure the aging time of dynamic MAC address entries to update the entries.

Procedure

Step 1 Configure static MAC address entries.

# Create VLAN 2 and add Ethernet0/0/1 and Ethernet0/0/2 to VLAN 2.

<Quidway> system-view[Quidway] sysname Switch[Switch] vlan 2[Switch-vlan2] quit[Switch] interface ethernet 0/0/1[Switch-Ethernet0/0/1] port hybrid pvid vlan 2[Switch-Ethernet0/0/1] port hybrid untagged vlan 2[Switch-Ethernet0/0/1] quit[Switch] interface ethernet 0/0/2[Switch-Ethernet0/0/2] port hybrid pvid vlan 2[Switch-Ethernet0/0/2] port hybrid untagged vlan 2[Switch-Ethernet0/0/2] quit

# Configure a static MAC address entry.

[Switch] mac-address static 2-2-2 Ethernet 0/0/1 vlan 2[Switch] mac-address static 3-3-3 Ethernet 0/0/1 vlan 2[Switch] mac-address static 4-4-4 Ethernet 0/0/2 vlan 2

Step 2 Set the aging time of a dynamic MAC address entry.[Switch] mac-address aging-time 500




160

# Run the display mac-address static command in any view to check whether the static MACaddress entries are successfully added to the MAC address table.

[Switch] display mac-address static vlan 2------------------------------------------------------------------------------- MAC Address VLAN/VSI Learned-From Type -------------------------------------------------------------------------------0002-0002-0002 2/- Eth0/0/1 static 0003-0003-0003 2/- Eth0/0/1 static 0004-0004-0004 2/- Eth0/0/2 static -------------------------------------------------------------------------------Total items displayed = 3

# Run the display mac-address aging-time command in any view to check whether the agingtime of dynamic entries is set successfully.

[Switch] display mac-address aging-time Aging time: 500 seconds

----End

Configuration Files


#sysname Switch#vlan batch 2# mac-address aging-time 500#interface Ethernet0/0/1 port hybrid pvid vlan 2 port hybrid untagged vlan 2#interface Ethernet0/0/2 port hybrid pvid vlan 2 port hybrid untagged vlan 2# mac-address static 0002-0002-0002 Ethernet0/0/1 vlan 2 mac-address static 0003-0003-0003 Ethernet0/0/1 vlan 2 mac-address static 0004-0004-0004 Ethernet0/0/2 vlan 2#return

7.11.2 Example for Configuring MAC Address Learning in a VLAN


As shown in Figure 7-6, user network 1 is connected to Switch on the Ethernet0/0/1 through anLSW. User network 2 is connected to Switch on the Ethernet0/0/2 through another LSW. BothEthernet0/0/1 and Ethernet0/0/2 belong to VLAN 2. To prevent MAC address attacks and limitthe number of access users on the device, limit MAC address learning on all the interfaces inVLAN 2.

NOTE

Only the S3700 supports limiting the number of MAC addresses learned in a VLAN.



161

Figure 7-6 Networking diagram for MAC address limiting in a VLAN

Network

Usernetwork 1

Usernetwork 2VLAN 2

Eth0/0/1 Eth0/0/2

Switch

LSW LSW



1. Create a VLAN and add an interface to the VLAN to implement Layer 2 forwarding.

2. Limit MAC address learning on all the interfaces in the VLAN to prevent MAC addressattacks and limit the number of access users.

Procedure

Step 1 Limit MAC address learning.

# Add Ethernet0/0/1 and Ethernet0/0/2 to VLAN 2.

<Quidway> system-view[Quidway] sysname Switch[Switch] vlan 2[Switch-vlan2] quit[Switch] interface ethernet 0/0/1[Switch-Ethernet0/0/1] port hybrid pvid vlan 2[Switch-Ethernet0/0/1] port hybrid untagged vlan 2[Switch-Ethernet0/0/1] quit[Switch] interface ethernet 0/0/2[Switch-Ethernet0/0/2] port hybrid pvid vlan 2[Switch-Ethernet0/0/2] port hybrid untagged vlan 2[Switch-Ethernet0/0/2] quit

# Configure the following MAC address limiting rule in VLAN 2: A maximum of 100 MACaddresses can be learned. When the number of learned MAC addresses reaches the limit, thedevice and sends an alarm.

[Switch] vlan 2[Switch-vlan2] mac-limit maximum 100 alarm enable[Switch-vlan2] return



162


# Run the display mac-limit command in any view to check whether the MAC address limitingrule is successfully configured.

<Switch> display mac-limitMAC limit is enabledTotal MAC limit rule count : 1

PORT VLAN/VSI/SI SLOT Maximum Rate(ms) Action Alarm----------------------------------------------------------------------------- 2 - 100 - forward enable

----End

Configuration FilesThe following lists only the configuration file of Switch.

#sysname Switch#vlan batch 2#vlan 2 mac-limit maximum 100#interface Ethernet0/0/1 port hybrid pvid vlan 2 port hybrid untagged vlan 2#interface Ethernet0/0/2 port hybrid pvid vlan 2 port hybrid untagged vlan 2#return

7.11.3 Example for Configuring Port Security

Networking RequirementsAs shown in Figure 7-7, a company wants to prevent computers of non-employees fromaccessing the intranet of the company to protect information security. To achieve this goal, thecompany needs to enable port security on the interface connected to computers of employeesand set the maximum number of MAC addresses learned by the interface to be the same as thenumber of trusted computers.

NOTE

The S2700SI and S2710SI do not support Port Security.



163

Figure 7-7 Network diagram of port security

Switch

SwitchA

Intranet

PC1 PC2 PC3

VLAN 10

Eth0/0/1


1. Configure a VLAN to implement Layer 2 forwarding.2. Configure port security to prevent the learned MAC addresses from aging.

Procedure

Step 1 Create a VLAN and set the link type of the interface.<Quidway> system-view[Quidway] sysname Switch[Switch] vlan 10[Switch-vlan10] quit[Switch] interface ethernet 0/0/1[Switch-Ethernet0/0/1] port link-type trunk[Switch-Ethernet0/0/1] port trunk allow-pass vlan 10

Step 2 Configure port security.

# Enable port security.

[Switch-Ethernet0/0/1] port-security enable

# Enable the sticky MAC function.

[Switch-Ethernet0/0/1] port-security mac-address sticky

# Configure the security protection action.

[Switch-Ethernet0/0/1] port-security protect-action protect

# Set the limit on the number of MAC addresses that can be learned on the interface.

[Switch-Ethernet0/0/1] port-security max-mac-num 4[Switch-Ethernet0/0/1] quit

To enable the port security function on other interfaces, repeat the preceding steps.



164

NOTE

Assume that MAC addresses of four devices (three PCs and one access switch) connected to the Switchhave been learned. The maximum number of MAC addresses to be learned is 4.


If PC1 is replaced by another device, the device cannot access the intranet of the company.

----End

Configuration Files

Configuration file of the switch

#sysname Switch#vlan batch 10#interface Ethernet0/0/1 port link-type trunk port trunk allow-pass vlan 10 port-security enable port-security protect-action protect port-security max-mac-num 4 port-security mac-address sticky#return

7.12 Common Configuration ErrorsThis section describes how to process common configuration errors in MAC address entries.

7.12.1 Correct MAC Address Entry Cannot Be Learned on the Device

Fault DescriptionMAC address entries cannot be learned on the device, so Layer 2 forwarding fails.

Procedure

Step 1 Check that the configurations on the interface are correct.

Run the display mac-address command in any view to check whether the bindingrelationships between the MAC address, VLAN, and interface are correct.

<Quidway> display mac-address ------------------------------------------------------------------------------- MAC Address VLAN/VSI Learned-From Type ------------------------------------------------------------------------------- 0025-9e80-2494 1/- Eth0/0/1 dynamic ------------------------------------------------------------------------------- Total items displayed = 1

If not, re-configure the binding relationships between the MAC address, VLAN, and interface.



165

If yes, go to step 2.

Step 2 Check whether a loop on the network causes MAC address flapping.

l Remove the loop from the network. See Loop Troubleshooting.

If no loop exists, go to step 3.

Step 3 Check that MAC address learning is enabled.Check whether MAC address learning is enabled in the interface view and the VLAN view.[Quidway-Ethernet0/0/1] display this#interface Ethernet0/0/1 mac-address learning disable port hybrid tagged vlan 10 undo negotiation auto speed 100#return[Quidway-vlan10] display this #vlan 10 mac-address learning disable#return

If the command output contains mac-address learning disable, MAC address learning isdisabled on the interface or VLAN.

l If MAC address learning is disabled, run the undo mac-address learningdisable command in the interface view or VLAN view to enable MAC address learning.

l If MAC address learning is enabled on the interface, go to step 4.

Step 4 Check whether any blackhole MAC address entry or MAC address limiting is configured.If a blackhole MAC address entry or MAC address limiting is configured, the interface discardspackets.

l Blackhole MAC address entry

Run the display mac-address blackhole command to check whether anyblackhole MAC address entry is configured.[Quidway] display mac-address blackhole-------------------------------------------------------------------------------MAC Address VLAN/VSI Learned-From Type-------------------------------------------------------------------------------0001-0001-0001 3333/- - blackhole

-------------------------------------------------------------------------------Total items displayed = 1

If a blackhole MAC address entry is displayed, run the undo mac-addressblackhole command to delete it.

l MAC address limiting on the interface or VLAN

– Run the display this command in the interface view or VLAN view. If thecommand output contains mac-limit maximum, the number of learned MAC addressesis limited. Run either of the following commands:



166

– Run the undo mac-limit command in the interface view or VLAN view todisable MAC address limiting.

– Run the mac-limit command in the interface view or VLAN view to increase themaximum number of learned MAC addresses.

– Run the display this command in the interface view. If the command outputcontains port-security max-mac-num or port-security enable, the number of securedynamic MAC addresses is limited on the interface. Run either of the followingcommands:

NOTE

By default, the limit on the number of secure dynamic MAC addresses is 1 after port security isenabled.

– Run the undo port-security enable command in the interface view todisable port security.

– Run the port-security max-mac-num command in the interface view toincrease the maximum number of secure dynamic MAC addresses on the interface.

If the fault persists, go to step 5.

Step 5 Check whether the number of learned MAC addresses has reached the maximum supported bythe switch.

Run the display mac-address summary command to check the number of MACaddresses in the MAC address table.

l If the number of learned MAC addresses has reached the maximum supported by theswitch, no MAC address entry can be created. Run the display mac-addresscommand to view all MAC address entries.– If the number of MAC addresses learned on an interface is much greater than the number

of devices on the network connected to the interface, a user on the network maymaliciously update the MAC address table. Check the device connected to the interface:– If the interface is connected to a device, run the display mac-address

command on the device to view its MAC address table. Locate the interfaceconnected to the malicious user according to the displayed MAC address entries. Ifthe interface that you find is connected to another device, repeat this step until youfind the user of the malicious user.

– If the interface is connected to a computer, perform either of the following operationsafter obtaining permission of the administrator:– Disconnect the computer. When the attack stops, connect the computer to the

network again.– Run the port-security enable command on the interface to enable port

security or run the mac-limit command to set the maximum number of MACaddresses that the interface can learn to 1.

– If the interface is connected to a hub, perform either of the following operations:– Configure port mirroring or other tools to observe packets received by the

interface. Analyze the packet types to locate the attacking computer. Disconnectthe computer after obtaining permission of the administrator. When the attackstops, connect the computer to the hub again.

– Disconnect computers connected to the hub one by one after obtainingpermission of the administrator. If the fault is rectified after a computer is



167

disconnected, the computer is the attacker. After it stops the attack, connect it tothe hub again.

– If the number of MAC addresses on the interface is equal to or smaller than the numberof devices connected to the interface, the number of devices connected to the switchhas exceeded the maximum supported by the switch. Adjust network deployment.

----End



168

8 STP/RSTP Configuration

About This Chapter

This chapter describes the concepts and configuration procedure of STP/RSTP, and providesconfiguration examples.

8.1 STP/RSTP OverviewThe STP or RSTP eliminates loops on a Layer 2 network by blocking redundant links to prunethe network into a tree structure.

8.2 STP/RSTP Features Supported by the S2700&S3700This section describes STP/RSTP features supported by the S2700&S3700.

8.3 Default ConfigurationThis section describes the default STP/RSTP configuration. You can change the configurationbased on actual needs.

8.4 Configuring Basic STP/RSTP FunctionsYou can configure STP/RSTP on switches on an Ethernet to trim a network into a tree topologyfree from loops.

8.5 Setting STP Parameters That Affect STP ConvergenceSTP cannot implement rapid convergence. However, you can set STP parameters including thenetwork diameter, timeout interval, Hello timer value, Max Age timer value, and Forward Delaytimer value.

8.6 Setting RSTP Parameters That Affect RSTP ConvergenceRSTP implements rapid convergence by configuring the link type of a port and fast transitionmechanism.

8.7 Configuring RSTP Protection FunctionsHuawei datacom devices provide the following RSTP protection functions. You can configureone or more functions.

8.8 Setting Parameters for Interworking Between the S2700&S3700 and a Non-Huawei DeviceTo implement interworking between the S2700&S3700 and a non-Huawei device, select the fasttransition mode based on the Proposal/Agreement mechanism of the non-Huawei device.

8.9 Maintaining STP/RSTP

S2700&S3700 Series Ethernet SwitchesConfiguration Guide - Ethernet 8 STP/RSTP Configuration


169

STP/RSTP maintenance includes resetting STP/RSTP statistics.

8.10 Configuration ExamplesThis section provides several configuration examples of STP/RSTP.



170

8.1 STP/RSTP OverviewThe STP or RSTP eliminates loops on a Layer 2 network by blocking redundant links to prunethe network into a tree structure.

Introduction to STP/RSTPThe Spanning Tree Protocol (STP) trims a ring network into a loop-free tree network. It preventsreplication and circular propagation of packets. The Rapid Spanning Tree Protocol (RSTP) wasdeveloped based on STP to implement faster convergence. RSTP defines edge ports and providesprotection functions.

Loops often occur on a complex network. On a complex network, to implement redundancy,network designers tend to deploy multiple physical links between two devices, one of which isthe master and the others are the backup.

Loops cause broadcast storms. Consequently, network resources are exhausted and the networkbreaks down. Loops also damage MAC addresses.

To remove loops, run STP at the data link layer. Devices running STP exchange STP BPDUsto discover loops on the network and block some ports to prune the network into a loop-free treenetwork. STP prevents infinite looping of packets to ensure packet processing capabilities ofswitches.

Because STP provides slow convergence, IEEE 802.1w released RSTP in 2001. RSTP enhancesSTP and speeds up network convergence.

STP/RSTP Conceptsl Root bridge

Every tree network must have a root. The root bridge is the root of the STP network.An STP/RSTP network has only one root bridge. The root bridge is the logical center ofthe network, but may be not the physical center. The root bridge may vary with the networktopology change.

l Bridge IDs (BIDs)IEEE 802.1D defines that a BID is composed of a 2-bit bridge priority and a bridge MACaddress. That is, BID (8 bits) = Bridge priority (2 bits) + Bridge MAC address (6 bits).On the STP network, the device with the smallest BID is selected as the root bridge. Thebridge priority that is allowed to be configured on a Huawei device can be configuredmanually.

l Port IDs (PIDs)A 16-bit PID is composed of a 4-bit port priority and a 12-bit port number.The PID is used when the designated port needs to be selected. That is, when the root pathcosts and the sender BIDs of two ports are the same, the port with a smaller PID is selectedas the designated port.

l Path costThe path cost is used by STP/RSTP to select a link. STP/RSTP calculates the path cost toselect the robust link and blocks redundant links to trim the network into a loop-free treetopology. The root path of a port on the root device is 0.



171

On an STP/RSTP network, the accumulated cost of path from a port to the root bridgeconsists of all path costs of ports on the passed bridges. This cost is called root path cost,which determines root port selection.

l Port role

– STP-capable portRoot port: is the port that is nearest to the root bridge. The root port is responsible forforwarding data to the root bridge and receiving BPDUs and user traffic from theupstream device. The root port is determined based on the path cost. Among all theSTP-enabled ports, the port with the least root path cost is a root port. There is only oneroot port on an STP/RSTP-capable device, but there is no root port on the root bridge.Designated port: forwards BPDUs to the downstream switching device. All the portson the root bridge are designated ports. A designated port is selected on each networksegment. The device where the designated port resides is called the designated bridgeon the network segment.

– RSTP-capable portCompared with STP, RSTP has three additional types of ports: alternate port, backupport, and edge port. More port roles are defined, which helps you to learn and deploySTP.



172

Figure 8-1 Port roles

S2 S3

A

AB

A a

S2 S3A

AB

A aBb

S1Root bridge

S1Root bridge

Root port

Designated port

Alternate port

Backup port

Edge port

As shown in Figure 8-1, RSTP defines five port roles: root port, designated port,alternate port, backup port, and edge port.

The functions of the root port and designated port are the same as those defined in STP.The alternate port and backup port are described as follows:

Alternate port: An alternate port is blocked after the device learns the configurationBPDUs sent by other devices. The alternate port backs up the root port and provides analternate path from the designated bridge to the root bridge.

Backup port: A backup port is blocked after the device learns the configuration BPDUssent by itself. The backup port backs up the designated port and provides an alternatepath from the root node to the leaf node.

Edge port: An edge port is located at the edge of an MST region and does not connectto any switching device. Generally, edge ports are directly connected to terminals.

l Port status



173

– STP port statusTable 8-1 shows the status of an STP-capable port.

Table 8-1 STP port status

PortStatus

Purpose Description

Forwarding

A port in Forwarding state canforward user traffic and processBPDUs.

Only the root port or designatedport can enter the Forwarding state.

Learning

When a port is in Learning state, adevice creates a MAC address tablebased on the received user trafficbut does not forward user traffic.

This is a transition state, which isdesigned to prevent temporaryloops.

Listening

When a port is in Listening state,the root bridge, root port, anddesignated port are to be selected.

This is a transition state.

Blocking

A port in Blocking state receivesand forwards only BPDUs, butdoes not forward user traffic.

This is the final state of a blockedport.

Disabled A port in Disabled state does notprocess BPDUs or forward usertraffic.

The port is Down.

– RSTP port statusTable 8-2 shows the port status of an RSTP-capable port.

Table 8-2 RSTP port status

Port Status Description

Forwarding A port in Forwarding state can forward user traffic and processBPDUs.

Learning This is a transition state. When a port is in Learning state, adevice creates a MAC address table based on the received usertraffic but does not forward user traffic.A port in the Learning state processes BPDUs, but does notforward user traffic.

Discarding A port in discarding state can receive only BPDUs.



174

NOTE

l An MSTP-capable port supports the same port states as those supported by an RSTP-capableport.

l Huawei datacom devices use the MSTP mode by default. After a device transits from the MSTPmode to the STP mode, an STP-capable port supports the same port states as those supported byan MSTP-capable port, including the Forwarding, Learning, and Discarding states. For details,see Table 8-2.

l Three timers

Table 8-3 STP timers

Timer Description

Hello Time Sets the interval at which BPDUs are sent.

Forward Delay Timer Sets the duration when a port remains inListening and Learning states.

Max Age Sets the maximum lifetime of a BPDU.When the Max Age timer expires, theconnection with the root bridge fails.

8.2 STP/RSTP Features Supported by the S2700&S3700This section describes STP/RSTP features supported by the S2700&S3700.

STP/RSTP eliminates loops on a Layer 2 network by blocking redundant links to prune thenetwork into a tree structure.

l To remove loops between devices, configure basic STP/RSTP functions.l To speed up convergence, set parameters that affect STP/RSTP convergence.l To communicate with a non-Huawei device, set proper parameters on the STP/RSTP-

enabled Huawei device.

To meet requirements for special applications and extended functions, RSTP supports thefollowing functions:l Provides a feedback mechanism to confirm topology convergence. This implements rapid

convergence.l Provides the following protection functions listed in Table 8-4.



175

Table 8-4 RSTP protection functions

ProtectionFunction

Scenario Configuration Impact

BridgeProtocol DataUnit( BPDU )protection

An edge port changes into anon-edge port afterreceiving a BPDU, whichtriggers spanning treerecalculation. If an attackerkeeps sending pseudoBPDUs to a switchingdevice, network flappingoccurs.

After BPDU protection is enabled, theswitching device shuts down the edge port ifthe edge port receives an RST BPDU. Thenthe device notifies the NMS of the shutdownevent. The attributes of the edge port are notchanged.The shutdown edge port can only be restoredby the administrator. To enable the shutdownedge port to restore automatically, set therecovery delay.

TC-BPDUattackdefense

Generally, after receivingTC BPDUs (packets foradvertising networktopology changes), aswitching device needs todelete MAC entries and ARPentries. Frequent deletionsexhaust CPU resources.

TC protection is used to suppress TC BPDUs.You can configure the number of times aswitching device processes TC BPDUswithin a given time period. If the number ofTC BPDUs that the switching device receiveswithin a given time exceeds the specifiedthreshold, the switching device processesonly the specified number of TC BPDUs.After the specified time period expires, thedevice processes the excess TC BPDUs foronce. This function prevents the switchingdevice from frequently deleting MAC entriesand ARP entries, saving CPU resources.

Rootprotection

Due to incorrectconfigurations or maliciousattacks on the network, aroot bridge may receiveBPDUs with a higherpriority than its own priority.Consequently, the legitimateroot bridge is no longer ableto serve as the root bridgeand the network topology ischanged, triggeringspanning tree recalculation.This may transfer trafficfrom high-speed links tolow-speed links, causingtraffic congestion.

If a designated port is enabled with the rootprotection function, the role of the port cannotbe changed. Once a designated port that isenabled with root protection receives RSTBPDUs with a higher priority, the port entersthe Discarding state and does not forwardpackets. If the port does not receive any RSTBPDUs with a higher priority before a period(generally two Forward Delay periods)expires, the port automatically enters theForwarding state.



176

ProtectionFunction


Loopprotection

A root port or an alternateport will age if linkcongestion or a one-way linkfailure occurs. After the rootport ages, a switching devicemay re-select a root portincorrectly. After thealternate port ages, the portenters the Forwarding state.Loops may occur in such asituation.

After loop protection is configured, if the rootport or alternate port does not receive RSTBPDUs from the upstream switching devicefor a long time, the switching device notifiesthe NMS that the port enters the Discardingstate. The blocked port remains in theBlocked state and no longer forwards packets.This function helps prevent loops on thenetwork. The root port transitions to theForwarding state after receiving new BPDUs.

8.3 Default ConfigurationThis section describes the default STP/RSTP configuration. You can change the configurationbased on actual needs.


Working mode MSTP

STP/RSTP status STP/RSTP is enabled globally and on an interface.

Switching device priority 32768

Port priority 128

Algorithm used to calculate thedefault path cost

dot1t, IEEE 802.1t

Forward Delay Time 1500 centiseconds

Hello Time 200 centiseconds

Max Age Time 2000 centiseconds

8.4 Configuring Basic STP/RSTP FunctionsYou can configure STP/RSTP on switches on an Ethernet to trim a network into a tree topologyfree from loops.



177

8.4.1 Configuring the STP/RSTP Mode

ContextThe device supports three working modes: STP, RSTP, and MSTP. A switching device canselect only the STP mode on a ring network running only STP, and can select only the RSTPmode on a ring network running only RSTP. In other scenarios, the MSTP mode is used bydefault.

Procedure



Step 2 Run:stp mode { stp | rstp }

The working mode of the switching device is set to STP or RSTP.

By default, the working mode of a switching device is MSTP. MSTP is compatible with STPand RSTP.

----End

8.4.2 (Optional) Configuring the Root Bridge and Secondary RootBridge

ContextThe root bridge can be calculated through calculation. You can also manually configure the rootbridge or secondary root bridge.l In a spanning tree, only one root bridge takes effect. When two or more devices are specified

as root bridges of a spanning tree, the device with the smallest MAC address is used as theroot bridge.

l You can specify multiple secondary root bridges for each spanning tree. When the rootbridge fails or is powered off, the secondary root bridge becomes the new root bridge. If anew root bridge is specified, the secondary root bridge will not become the root bridge. Ifmultiple backup bridges are configured, the backup bridge with smallest MAC address willbecome the root bridge of the spanning tree.

NOTE

It is recommended that the root bridge and secondary root bridge be configured manually.

Procedurel Perform the following operations on the device to be used as the root bridge.

1. Run:system-view




178

2. Run:stp root primary

The device is configured as the root bridge.

By default, a switching device does not function as the root bridge. After theconfiguration is complete, the BIDof the device is 0 and cannot be changed.

l Perform the following operations on the device to be used as the secondary root bridge.

1. Run:system-view


2. Run:stp root secondary

The device is configured as the secondary root bridge.

By default, a switching device does not function as the secondary root bridge. Afterthe configuration is complete, the BID of the device is 4096 and cannot be changed.

----End

8.4.3 (Optional) Configuring Switching Device Priorities

Context

On an STP/RSTP-capable network, there is only one root bridge, which is the logic center ofthe entire spanning tree. During root bridge selection, a high-performance switching device ata high network layer should be selected as the root bridge; however, the priority of such a devicemay not be the highest on the network. It is therefore necessary to set a high priority for theswitching device to ensure that the device functions as a root bridge.

Low-performance devices at lower network layers are not fit to serve as a root bridge. Therefore,set low priorities for these devices.

A smaller value of the priority indicates a higher priority of the switching device. The switchingdevice with a higher priority is more likely to be elected as the root bridge. A larger value of thepriority indicates a lower priority of the switching device. The switching device with a lowerpriority is less likely to be elected as the root bridge.

Procedure



Step 2 Run:stp priority priority

The priority of a switching device is configured.

The default priority value of a switching device is 32768.



179

NOTE

If the stp root primary or stp root secondary command has been executed to configure thedevice as the root bridge or secondary root bridge, to change the device priority, run the undo stproot command to disable the root bridge or secondary root bridge function and run the stppriority priority command to set a priority.

----End

8.4.4 (Optional) Setting the Path Cost for a Port

Context

A path cost is used by STP/RSTP to select a link.

The path cost value range is determined by the calculation method. After the calculation methodis determined, it is recommended that you set a relatively small path cost value for the ports withhigh link rates.

In the Huawei calculation method for example, the link rate determines the recommended valuefor the path cost. Table 8-5 lists the recommended path costs for ports with different link rates.

Table 8-5 Mappings between link rates and path cost values

Link Rate RecommendedPath Cost

RecommendedPath Cost Range

Path Cost Range

10 Mbit/s 2000 200 to 20000 1 to 200000

100 Mbit/s 200 20 to 2000 1 to 200000

1 Gbit/s 20 2 to 200 1 to 200000

10 Gbit/s 2 2 to 20 1 to 200000

Over 10 Gbit/s 1 1 to 2 1 to 200000

If a network has loops, it is recommended that you set a relatively large path cost for ports withlow link rates. STP/RSTP then blocks these ports.

Procedure



Step 2 (Optional)Run:stp pathcost-standard { dot1d-1998 | dot1t | legacy }

A path cost calculation method is configured.

By default, the IEEE 802.1t standard (dot1t) is used to calculate the default path cost.



180

All switching devices on a network must use the same path cost calculation method.


The view of the interface participating in STP calculation is displayed.

Step 4 Run:stp cost cost

A path cost is set for the interface.

l When the Huawei calculation method is used, cost ranges from 1 to 200000.

l When the IEEE 802.1d standard method is used, cost ranges from 1 to 65535.

l When the IEEE 802.1t standard method is used, cost ranges from 1 to 200000000.

----End

8.4.5 (Optional) Configuring Port Priorities

ContextIn spanning tree calculation, the priority of the switching device port affects designated portelection.

To block one switching device port, set the port priority to be higher than the default value.

Procedure





Step 3 Run:stp port priority priority

The port priority is configured.

The default priority value of a port on a switching device is 128.

----End



181

8.4.6 Enabling STP/RSTP

Context

NOTICEAfter STP/RSTP is enabled on a ring network, STP/RSTP immediately calculates spanning treeson the network. Configurations on the switching device, such as the switching device priorityand port priority, will affect spanning tree calculation. Any change to the configurations maycause network flapping. Therefore, to ensure rapid and stable spanning tree calculation, performbasic configurations on the switching device and its ports, and enable STP/RSTP.

Procedure



NOTE

STP/RSTP-enabled devices calculate spanning trees by exchanging BPDUs. Therefore, all the interfacesparticipating in spanning tree calculation must be enabled to send BPDUs to the CPU for processing. By default,an interface participating in spanning tree calculation is enabled to send BPDUs to the CPU. You can run thebpdu enable command to enable an interface to send BPDUs to the CPU.

Step 2 Run:stp enable

STP/RSTP is enabled on the switching device.

By default, STP/RSTP is enabled on a device.

----End

Follow-up Procedure

When the topology of a spanning tree changes, the forwarding paths to associated VLANs arechanged. The ARP entries corresponding to those VLANs on the switching device need to beupdated. STP/RSTP processes ARP entries in either fast or normal mode.

l In fast mode, ARP entries to be updated are directly deleted.

l In normal mode, ARP entries to be updated are rapidly aged.

The remaining lifetime of ARP entries to be updated is set to 0. The switching device rapidlyprocesses these aged entries. If the number of ARP aging probe attempts is not set to 0,ARP implements aging probe for these ARP entries.

You can run the stp converge { fast | normal } command in the system view to configurethe STP/RSTP convergence mode.

By default, the normal STP/RSTP convergence mode is used.



182

NOTE

The normal mode is recommended. If the fast mode is adopted, ARP entries will be frequently deleted,causing the CPU usage on the device to reach 100%. As a result, network flapping will frequently occur.


Procedurel Run the display stp [ interface interface-type interface-number ]

[ brief ] command to view the spanning-tree status and statistics.

----End

8.5 Setting STP Parameters That Affect STP ConvergenceSTP cannot implement rapid convergence. However, you can set STP parameters including thenetwork diameter, timeout interval, Hello timer value, Max Age timer value, and Forward Delaytimer value.

Pre-configuration TasksBefore setting STP parameters that affect STP convergence, complete the following task:

l Configuring basic STP functions

8.5.1 Setting the STP Network Diameter

ContextOn a switched network, any two terminals on the switching network are connected through aspecific path along which multiple devices reside. The network diameter is the maximum numberof devices between any two terminals. A larger network diameter indicates a larger networkscale.

An improper network diameter may cause slow network convergence and affectscommunication. Run the stp bridge-diameter command to set a network diameter basedon the network scale, which helps speed up convergence.

It is recommended that all devices use the same network diameter.

Procedure



Step 2 Run:stp bridge-diameter diameter

The network diameter is configured.

By default, the network diameter is 7.



183

NOTE

l RSTP uses a single spanning tree instance on the entire network. As a result, performance deteriorationcannot be prevented when the network scale grows. Therefore, the network diameter cannot be largerthan 7.

l It is recommended that you run the stp bridge-diameter diameter command to set thenetwork diameter. Then, the switching device calculates the optimal Forward Delay period, Hello timervalue, and Max Age timer value based on the set network diameter.

----End

8.5.2 Setting the STP Timeout Interval

Context

If the device does not receive any BPDU from the upstream device in the set period, the deviceconsiders that the upstream device fails and then it re-calculates its spanning tree.

Sometimes, the device cannot receive the BPDU in a long time from the upstream device becausethe upstream device is very busy. In this case, the device should not re-calculate its spanningtree. Therefore, you can set a long period for the device on a stable network to avoid waste ofnetwork resources.

If the local switching device does not receive a BPDU from the upstream switching device withinthe timeout interval, spanning tree recalculation is performed. The timeout interval is calculatedas follows:

l Timeout interval = Hello time x 3 x Timer Factor

Procedure



Step 2 Run:stp timer-factor factor

The timeout period for waiting for BPDUs from the upstream device is set.

By default, the timeout period is 9 times the Hello timer value.

----End

8.5.3 Setting the Values of STP Timers

Context

The following parameters are used in spanning tree calculation:

l Forward Delay: determines the interval for port status transition. To prevent temporaryloops, an interface first enters the Learning state when transiting from Discarding toForwarding. The status transition lasts for the time specified by Forward Delay so that thelocal device can synchronize the status with the remote switch.



184

l Hello Time: is the interval at which hello packets are sent. The switching device sendsconfiguration BPDUs at an interval of Hello Time to check whether links are faulty. If theswitching device does not receive any BPDU at an interval of Hello Time, the switchingdevice recalculates the spanning tree due to BPDU timeout.

l Max Age: determines whether BPDUs expire. The switching device determines whetherthe received BPDU expires based on this value. If the received BPDU expires, the spanningtree needs to be recalculated.

Devices on a ring network must use the same values of Forward Delay, Hello Time, and MaxAge.

Generally, you are not advised to directly adjust the preceding three parameters. This is becausethe three parameters are relevant to the network scale. It is recommended that the networkdiameter be adjusted so that the spanning tree protocol automatically adjusts the threeparameters. When the default network diameter is used, the default values of the three parametersare used.

NOTICETo prevent frequent network flapping, make sure that Hello Time, Forward Delay, and Max Ageconform to the following formulas:l 2 x (Forward Delay - 1.0 second) >= Max Agel Max Age >= 2 x (Hello Time + 1.0 second)

Procedure



Step 2 Set Forward Delay, Hello Time, and Max Age.1. Run:

stp timer forward-delay forward-delay

The value of Forward Delay of the switching device is set.

By default, the value of Forward Delay of the switching device is 1500 centiseconds.2. Run:

stp timer hello hello-time

The value of Hello Time of the switching device is set.

By default, the value of Hello Time of the switching device is 200 centiseconds.3. Run:

stp timer max-age max-age

The value of Max Age of the switching device is set.

By default, the value of Max Age of the switching device is 2000 centiseconds.

----End



185

8.5.4 Setting the Maximum Number of Connections That AffectSpanning Tree Calculation

ContextThe interface path cost affects spanning tree calculation. When the path cost changes, the systemperforms spanning tree recalculation. The interface path cost is affected by the bandwidth, soyou can change the interface bandwidth to affect spanning tree calculation.

As shown in Figure 8-2, deviceA and deviceB are connected through two Eth-Trunks. Eth-Trunk 1 has three member interfaces in Up state and Eth-Trunk 2 has two member interfaces inUp state. If each member link has the same bandwidth, deviceA is selected as the root bridge.l Eth-Trunk 1 has larger bandwidth than Eth-Trunk 2. After STP calculation, Eth-Trunk 1

on deviceB is selected as the root port and Eth-Trunk 2 is selected as the alternate port.l If the maximum number of connections is 1 in Eth-Trunk 1, the path cost of Eth-Trunk 1

is larger than the path cost of Eth-Trunk 2. The system performs spanning tree recalculation.Then Eth-Trunk 1 on deviceB becomes the alternate port and Eth-Trunk 2 becomes theroot port.

Figure 8-2 Setting the maximum number of connections

SwitchA SwitchB

Eth-Trunk1Eth-Trunk2

Alternate port

Before configuration

After configuration

SwitchA SwitchB

Root Bridge

Root Bridge

Designated port

Root port


NOTE

The maximum number of connections affects only the path cost of an interface where spanning treecalculation is performed, but does not affect the actual link bandwidth. The actual bandwidth for an Eth-Trunk to forward traffic depends on the number of active interfaces.

Procedure



Step 2 Run:



186

interface eth-trunk trunk-id


Step 3 Run:max bandwidth-affected-linknumber link-number

The maximum number of connections is set.

By default, the upper threshold for the number of interfaces that determine the bandwidth of anEth-Trunk is 4 on the S2700SI and 8 on other models.

----End




----End

8.6 Setting RSTP Parameters That Affect RSTP ConvergenceRSTP implements rapid convergence by configuring the link type of a port and fast transitionmechanism.


Before configuring RSTP parameters that affect RSTP convergence, configure basic RSTPfunctions.

8.6.1 Setting the RSTP Network Diameter

Context

On a switched network, any two terminals on the switching network are connected through aspecific path along which multiple devices reside. The network diameter is the maximum numberof devices between any two terminals. A larger network diameter indicates a larger networkscale.



Procedure




187





NOTE



----End

8.6.2 Setting the RSTP Timeout Interval

Context

If the device does not receive any BPDU from the upstream device in the set period, the deviceconsiders that the upstream device fails and then it re-calculates its spanning tree.

Sometimes, the device cannot receive the BPDU in a long time from the upstream device becausethe upstream device is very busy. In this case, the device should not re-calculate its spanningtree. Therefore, you can set a long period for the device on a stable network to avoid waste ofnetwork resources.



Procedure






----End



188

8.6.3 Setting RSTP Timers

ContextThe following parameters are used in spanning tree calculation:l Forward Delay: determines the interval for port status transition. To prevent temporary

loops, an interface first enters the Learning state when transiting from Discarding toForwarding. The status transition lasts for the time specified by Forward Delay so that thelocal device can synchronize the status with the remote switch.





NOTICETo prevent frequent network flapping, make sure that Hello Time, Forward Delay, and Max Ageconform to the following formulas:l 2 x (Forward Delay - 1.0 second) >= Max Agel Max Age >= 2 x (Hello Time + 1.0 second)

Procedure










189


By default, the value of Hello Time of the switching device is 200 centiseconds.

3. Run:stp timer max-age max-age



----End


Context

The interface path cost affects spanning tree calculation. When the path cost changes, the systemperforms spanning tree recalculation. The interface path cost is affected by the bandwidth, soyou can change the interface bandwidth to affect spanning tree calculation.

As shown in Figure 8-3, deviceA and deviceB are connected through two Eth-Trunks. Eth-Trunk 1 has three member interfaces in Up state and Eth-Trunk 2 has two member interfaces inUp state. If each member link has the same bandwidth, deviceA is selected as the root bridge.

l Eth-Trunk 1 has larger bandwidth than Eth-Trunk 2. After STP calculation, Eth-Trunk 1on deviceB is selected as the root port and Eth-Trunk 2 is selected as the alternate port.

l If the maximum number of connections is 1 in Eth-Trunk 1, the path cost of Eth-Trunk 1is larger than the path cost of Eth-Trunk 2. The system performs spanning tree recalculation.Then Eth-Trunk 1 on deviceB becomes the alternate port and Eth-Trunk 2 becomes theroot port.


SwitchA SwitchB


Alternate port


After configuration

SwitchA SwitchB

Root Bridge

Root Bridge

Designated port

Root port




190

NOTE


Procedure








----End

8.6.5 Setting the Link Type of a Port

Context

It is easy to implement rapid convergence on a P2P link. If the two ports connected to a P2P linkare root or designated ports, the ports can transit to the forwarding state quickly by sendingProposal and Agreement packets. This reduces the forwarding delay.

Procedure




The view of the Ethernet interface participating in STP calculation is displayed.

Step 3 Run:stp point-to-point { auto | force-false | force-true }

The link type is configured for the interface.

By default, an interface automatically determines whether to connect to a P2P link. The P2P linksupports rapid network convergence.



191

l If the Ethernet port works in full-duplex mode, the port is connected to a P2P link. In thiscase, force-true can be configured to implement rapid network convergence.

l If the Ethernet port works in half-duplex mode, you can run stp point-to-pointforce-true to forcibly set the link type to P2P.

----End

8.6.6 Setting the Maximum Transmission Rate of an Interface

Context

A larger value of packet-number indicates more BPDUs sent in a hello interval and thereforemore system resources occupied. Setting the proper value of packet-number prevents excessbandwidth usage when route flapping occurs.

Procedure





Step 3 Run:stp transmit-limit packet-number

The maximum number of BPDUs sent by a port in a specified period is set.

By default, the maximum number of BPDUs that a port sends within each Hello time is 147.

----End

8.6.7 Switching to the RSTP mode

Context

If an interface on an RSTP-enabled device is connected to an STP-enabled device, the interfaceswitches to the STP compatible mode.

If the STP-enabled device is powered off or disconnected from the RSTP-enabled device, theinterface cannot switch to the RSTP mode. In this case, you can switch the interface to the RSTPmode by using the stp mcheck command.

In the following cases, you need to manually switch the interface to the RSTP mode:

l The STP-enabled device is shut down or disconnected.

l The STP-enabled device is switched to the RSTP mode.



192

Procedurel Switching to the RSTP mode in the interface view

1. Run:system-view



The view of the Ethernet interface that participates in spanning tree calculation isdisplayed.

3. Run:stp mcheck

The device is switched to the RSTP mode.l Switching to the RSTP mode in the system view

1. Run:system-view


stp mcheck

The device is switched to the RSTP mode.

----End

8.6.8 Configuring a Port as an Edge Port and BPDU Filter Port

ContextIf a designated port is located at the edge of a network and is directly connected to terminaldevices, this port is called edge port.

An edge port does not receive or process configuration BPDUs, or RSTP calculation. It cantransit from Disable to Forwarding without any delay.

After a designated port is configured as an edge port, the port can still send BPDUs. Then BPDUsare sent to other networks, causing flapping of other networks. You can configure a port as anedge port and BPDU filter port so that the port does not process or send BPDUs.



193

NOTICEAfter all ports are configured as edge ports and BPDU filter ports in the system view, none ofports on the device send BPDUs or negotiate the STP status with directly connected ports onthe peer device. All ports are in forwarding state. This may cause loops on the network, leadingto broadcast storms. Exercise caution when you configure a port as an edge port and BPDU filterport.After a port is configured as an edge port and BPDU filter port in the interface view, the portdoes not process or send BPDUs. The port cannot negotiate the STP status with the directlyconnected port on the peer device. Exercise caution when you configure a port as an edge portand BPDU filter port.

Procedurel Configuring all ports as edge ports and BPDU filter ports in the system view

1. Run:system-view


stp edged-port default

All ports are configured as edge ports.

By default, all ports are non-edge ports.3. Run:

stp bpdu-filter default

All ports are configured as BPDU filter ports.

By default, all ports are non-BPDU filter ports.l Configuring an edge port and BPDU filtering in the interface view

1. Run:system-view




3. Run:stp edged-port enable

The port is configured as an edge port.

By default, all ports are non-edge ports.4. Run:

stp bpdu-filter enable

The port is configured as a BPDU filter port.



194

By default, a port is a non-BPDU filter port.

----End




----End

8.7 Configuring RSTP Protection FunctionsHuawei datacom devices provide the following RSTP protection functions. You can configureone or more functions.

8.7.1 Configuring BPDU Protection on a Switching Device

Procedure



Step 2 Run:stp bpdu-protection

BPDU protection is enabled on the switching device.

By default, BPDU protection is disabled on the switching device.

----End

Follow-up Procedure

To allow an edge port to automatically start after being shut down, run the error-downauto-recovery cause bpdu-protection interval interval-valuecommand to configure the auto recovery function and set the delay on the port. After the delayexpires, the port automatically goes Up. Note the following when setting this parameter:

l By default, the auto recovery function is disabled, so there is no delay. When you enablethe auto recovery function, you must specify the recovery delay.

l A smaller value of interval-value indicates a shorter time taken for the edge port togo Up, and a more frequency at which the edge port alternates between Up and Down.

l A larger value of interval-value indicates a longer time taken for the edge port to goUp, and a longer service interruption time.

l The auto recovery function takes effect only for the interface that transitions to the error-down state after the error-down auto-recovery command is executed.



195

8.7.2 Configuring TC Protection on a Switching Device

Context

If attackers forge TC BPDUs to attack the switching device, the switching device receives alarge number of TC BPDUs within a short time. If MAC address entries and ARP entries aredeleted frequently, the switching device is heavily burdened, causing potential risks to thenetwork.

TC protection is used to suppress TC BPDUs. The number of times that TC BPDUs are processedby a switching device within a given time period is configurable. If the number of TC BPDUsthat the switching device receives within a given time exceeds the specified threshold, theswitching device handles TC BPDUs only for the specified number of times. Excess TC BPDUsare processed by the switching device as a whole for once after the specified time period expires.This protects the switching device from frequently deleting MAC entries and ARP entries,therefore avoiding overburden.

Procedure



Step 2 Run:stp tc-protection

TC protection is enabled for a switching device.

By default, TC protection is not enabled on the switching device.

Step 3 Run:stp tc-protection threshold threshold

The maximum number of times the switching device processes received TC BPDUs and updatesforwarding entries within a given time is set.

By default, the device processes only one TC BPDU within a specified time.

----End

8.7.3 Configuring Root Protection on a Port

Procedure







196

Step 3 Run:stp root-protection

Root protection is enabled on the interface.

By default, root protection is disabled.

NOTE

Root protection takes effect only on designated ports.

Root protection and loop protection cannot be configured on a port simultaneously.

----End

8.7.4 Configuring Loop Protection on a Port

ContextOn a network running RSTP, a switching device maintains the root port status and status ofblocked ports by receiving BPDUs from an upstream switching device. If the switching devicecannot receive BPDUs from the upstream because of link congestion or unidirectional-linkfailure, the switching device re-selects a root port. The original root port becomes a designatedport and the original blocked ports change to the Forwarding state. This may cause networkloops. To address such a problem, configure loop protection.

After loop protection is configured, if the root port or alternate port does not receive BPDUsfrom the upstream switching device, the root port is blocked and the switching device notifiesthe NMS that the port enters the Discarding state. The blocked port remains in the Blocked stateand no longer forwards packets. This prevents loops on the network. The root port restores theForwarding state after receiving new BPDUs.

Procedure





Step 3 Run:stp loop-protection

Loop protection for the root port or the alternate port is configured on the switching device.

By default, loop protection is disabled.

NOTE

An alternate port is a backup port for a root port. If a switching device has an alternate port, you need toconfigure loop protection on both the root port and the alternate port.

Root protection and loop protection cannot be configured on a port simultaneously.

----End



197




----End

8.8 Setting Parameters for Interworking Between theS2700&S3700 and a Non-Huawei Device

To implement interworking between the S2700&S3700 and a non-Huawei device, select the fasttransition mode based on the Proposal/Agreement mechanism of the non-Huawei device.

Context

The switching device supports the following modes:

l Enhanced mode: The current interface counts a root port when it calculates thesynchronization flag bit.

1. An upstream device sends a Proposal message to a downstream device requesting faststatus transition. After receiving the message, the downstream device sets the portconnected to the upstream device as the root port and blocks all non-edge ports.

2. The upstream device then sends an Agreement message to the downstream device.After the downstream device receives the message, the root port transitions to theForwarding state.

3. The downstream device then responds with an Agreement message. After receivingthe message, the upstream device sets the port connected to the downstream deviceas the designated port, and then the status of the designated port changes toForwarding.

l Common mode: The current interface ignores the root port when it calculates thesynchronization flag bit.

1. An upstream device sends a Proposal message to a downstream device requesting fasttransition. After receiving the message, the downstream device sets the port connectedto the upstream device as the root port and blocks all non-edge ports. Then, the statusof the root port changes to Forwarding.

2. The downstream device then responds with an Agreement message. After receivingthe message, the upstream device sets the port connected to the downstream deviceas the designated port, and then the status of the designated port changes toForwarding.

On a network running STP, if the S2700&S3700 connects to a non-Huawei device that uses adifferent Proposal/Agreement mechanism, the S2700&S3700 may fail to communicate with thenon-Huawei device. Select the enhanced mode or common mode based on the Proposal/Agreement mechanism of the non-Huawei device.



198

Pre-configuration TasksBefore setting parameters for interworking between the S2700&S3700 and a non-Huaweidevice, complete the following task:

l Configuring basic STP/RSTP functions

Procedure




The view of the Ethernet interface that participates in STP calculation is displayed.

Step 3 Run:stp no-agreement-check

The fast transition mechanism in common mode is used.

By default, the fast transition mechanism in enhanced mode is configured on a port.

----End

8.9 Maintaining STP/RSTPSTP/RSTP maintenance includes resetting STP/RSTP statistics.

8.9.1 Clearing STP/RSTP Statistics

Context

NOTICESTP/RSTP statistics cannot be restored after being cleared.

Procedurel Run the reset stp [ interface interface-type interface-number ]

statistics command to clear spanning-tree statistics.

----End

8.9.2 Monitoring the Statistics on STP/RSTP Topology ChangesThe statistics about STP/RSTP topology changes can be viewed. If the statistics increase,network flapping occurs.



199

Procedurel Run the display stp topology-change command to view the statistics about STP/

RSTP topology changes.l Run the display stp [ interface interface-type interface-number |

slot slot-id ] tc-bpdu statistics command to view the statistics about sentand received TC/TCN packets.

l Run the display stp [ interface interface-type interface-number |slot slot-id ] [ brief ] command to view the spanning-tree status and statistics.

----End

8.10 Configuration ExamplesThis section provides several configuration examples of STP/RSTP.

8.10.1 Example for Configuring Basic STP Functions

Networking RequirementsNetwork designers tend to deploy multiple physical links between two devices (one link is themaster and the others are backups) to fulfill network redundancy requirements. Loops are boundto occur on such types of complex networks.

Loops will cause broadcast storms, which exhaust network resources and paralyze the network.Loops also cause MAC address flapping that damages MAC address entries.

STP can be deployed on a network to eliminate loops by blocking some ports. On the networkshown in Figure 8-4, after SwitchA, SwitchB, SwitchC, and SwitchD running STP discoverloops by exchanging information, they trim the ring topology into a loop-free tree topology byblocking a certain port. STP prevents replication and circular propagation of packets on thenetwork and the release the switching devices from processing duplicate packets, improvingtheir processing performance.



200

Figure 8-4 Configuring basic STP functions

PC1

SwitchAEth0/0/2

Eth0/0/1 Eth0/0/1

Eth0/0/2

Eth0/0/3

Eth0/0/3

Eth0/0/1

Eth0/0/3

Network

SwitchC SwitchB

STP

Blocked port

SwitchD

Eth0/0/1

Eth0/0/3

Eth0/0/2

PC2

Eth0/0/2

RootBridge


1. Configure basic STP functions, including:

a. Configure the STP mode for the ring network.b. Configure primary and secondary root bridges.c. Set path costs for ports to block certain ports.d. Enable STP to eliminate loops.

NOTE

STP is not required on the interfaces connected to terminals because these interfaces do notneed to participate in STP calculation.

Procedure

Step 1 Configure basic STP functions.

1. Configure the STP mode for the devices on the ring network.# Configure the STP mode on SwitchA.<Quidway> system-view[Quidway] sysname SwitchA[SwitchA] stp mode stp

# Configure the STP mode on SwitchB.<Quidway> system-view



201

[Quidway] sysname SwitchB[SwitchB] stp mode stp

# Configure the STP mode on SwitchC.<Quidway> system-view[Quidway] sysname SwitchC[SwitchC] stp mode stp

# Configure the STP mode on SwitchD.<Quidway> system-view[Quidway] sysname SwitchD[SwitchD] stp mode stp

2. Configure primary and secondary root bridges.# Configure SwitchA as a primary root bridge.[SwitchA] stp root primary

# Configure SwitchD as a secondary root bridge.[SwitchD] stp root secondary

3. Set path costs for ports in each spanning tree to block certain ports.

NOTE

l The values of path costs depend on the path-cost calculation method. Huawei calculation methodis used in this example, and the path cost of the blocked port is set to 20000 (the highest valuein the range).

l All switching devices on a network must use the same path cost calculation method.

# On Switch A, configure the path cost calculation method as the Huawei calculationmethod.[SwitchA] stp pathcost-standard legacy

# On Switch B, configure the path cost calculation method as the Huawei calculationmethod.[SwitchB] stp pathcost-standard legacy

# Set the path cost of Ethernet0/0/1 on SwitchC to 20000.[SwitchC] stp pathcost-standard legacy[SwitchC] interface ethernet 0/0/1[SwitchC-Ethernet0/0/1] stp cost 20000[SwitchC-Ethernet0/0/1] quit

# On SwitchD, configure the path cost calculation method as the Huawei calculationmethod.[SwitchD] stp pathcost-standard legacy

4. Enable STP to eliminate loops.

l Disable STP on interfaces connected to PCs.# Disable STP on Ethernet 0/0/2 on SwitchB.[SwitchB] interface ethernet 0/0/2[SwitchB-Ethernet0/0/2] stp disable[SwitchB-Ethernet0/0/2] quit

# Disable STP on Ethernet 0/0/2 on SwitchC.[SwitchC] interface ethernet 0/0/2[SwitchC-Ethernet0/0/2] stp disable[SwitchC-Ethernet0/0/2] quit

l Enable STP globally.# Enable STP globally on SwitchA.[SwitchA] stp enable



202

# Enable STP globally on SwitchB.[SwitchB] stp enable

# Enable STP globally on SwitchC.[SwitchC] stp enable

# Enable STP globally on SwitchD.[SwitchD] stp enable


After the previous configurations, run the following commands to verify the configuration whenthe network is stable:

# Run the display stp brief command on SwitchA to view the interface status andprotection type. The displayed information is as follows:

[SwitchA] display stp brief MSTID Port Role STP State Protection 0 Ethernet0/0/1 DESI FORWARDING NONE 0 Ethernet0/0/2 DESI FORWARDING NONE

After SwitchA is configured as a root bridge, Ethernet 0/0/2 and Ethernet 0/0/1 connected toSwitchB and SwitchD respectively are elected as designated ports in spanning tree calculation.

# Run the display stp interface ethernet 0/0/1 brief command on SwitchB to view status ofEthernet 0/0/1. The displayed information is as follows:

[SwitchB] display stp interface ethernet 0/0/1 brief MSTID Port Role STP State Protection 0 Ethernet0/0/1 DESI FORWARDING NONE

Ethernet 0/0/1 is elected as a designated port in spanning tree calculation and is in the Forwardingstate.

# Run the display stp brief command on SwitchC to view the interface status andprotection type. The displayed information is as follows:

[SwitchC] display stp brief MSTID Port Role STP State Protection 0 Ethernet0/0/1 ALTE DISCARDING NONE 0 Ethernet0/0/3 ROOT FORWARDING NONE

Ethernet 0/0/3 is elected as a root port in spanning tree calculation and is in the Forwarding state.

Ethernet 0/0/1 is elected as an alternate port in spanning tree calculation and is in the Discardingstate.

----End


# sysname SwitchA # stp mode stp stp instance 0 root primary stp pathcost-standard legacy#return



203

l Configuration file of SwitchB# sysname SwitchB # stp mode stp stp pathcost-standard legacy# interface Ethernet0/0/2 stp disable # return

l Configuration file of SwitchC# sysname SwitchC # stp mode stp stp pathcost-standard legacy# interface Ethernet0/0/1 stp instance 0 cost 20000 # interface Ethernet0/0/2 stp disable # return

l Configuration file of SwitchD# sysname SwitchD # stp mode stp stp instance 0 root secondary stp pathcost-standard legacy# return

8.10.2 Example for Configuring Basic RSTP Functions

Networking RequirementsOn a complex network, loops are inevitable. With the requirement for network redundancybackup, network designers tend to deploy multiple physical links between two devices, one ofwhich is the master and the others are the backup. Loops are likely or bound to occur in such asituation.

Loops will cause broadcast storms, thereby exhausting network resources and paralyzing thenetwork. Loops also cause flapping of MAC address tables and damage MAC address entries.

RSTP can be deployed on a network to eliminate loops by blocking some ports. On the networkshown in Figure 8-5, after SwitchA, SwitchB, SwitchC, and SwitchD running RSTP discoverloops on the network by exchanging information with each other, they trim the ring topologyinto a loop-free tree topology by blocking a certain port. In this manner, replication and circularpropagation of packets are prevented on the network and the switching devices are released fromprocessing duplicated packets, thereby improving their processing performance.



204

Figure 8-5 Configuring basic RSTP configurations

PC1

SwitchAEth0/0/2

Eth0/0/1 Eth0/0/1

Eth0/0/2

Eth0/0/3

Eth0/0/3

Eth0/0/1

Eth0/0/3

Network

SwitchC SwitchB

RSTP

Blocked port

SwitchD

Eth0/0/1

Eth0/0/3

Eth0/0/2

PC2

Eth0/0/2

RootBridge


1. Configure basic RSTP functions, including:

a. Configure the RSTP mode for the ring network.b. Configure primary and secondary root bridges.c. Set path costs for ports in each MSTI to block certain ports.d. Enable RSTP to eliminate loops.

NOTE

The port connected to the PC does not participate in RSTP calculation, so it is configured asan edge port and BPDU filter port.

2. Configure RSTP protection functions, for example, root protection on a designated port ofa root bridge in each MSTI.

Procedure

Step 1 Configure basic RSTP functions.

1. Configure the RSTP mode for the devices on the ring network.# Configure the RSTP mode on SwitchA.<Quidway> system-view[Quidway] sysname SwitchA[SwitchA] stp mode rstp



205

# Configure the RSTP mode on SwitchB.<Quidway> system-view[Quidway] sysname SwitchB[SwitchB] stp mode rstp

# Configure the RSTP mode on SwitchC.<Quidway> system-view[Quidway] sysname SwitchC[SwitchC] stp mode rstp

# Configure the RSTP mode on SwitchD.<Quidway> system-view[Quidway] sysname SwitchD[SwitchD] stp mode rstp

2. Configure primary and secondary root bridges.# Configure SwitchA as a primary root bridge.[SwitchA] stp root primary

# Configure SwitchD as a secondary root bridge.[SwitchD] stp root secondary

3. Set path costs for ports in each MSTI to block certain ports.

NOTE

l The values of path costs depend on path cost calculation methods. Use the Huawei calculationmethod as an example to set the path costs of the ports to be blocked to 20000.


# On Switch A, configure the path cost calculation method as the Huawei calculationmethod.[SwitchA] stp pathcost-standard legacy

# On Switch B, configure the path cost calculation method as the Huawei calculationmethod.[SwitchB] stp pathcost-standard legacy

# Set the path cost of Ethernet0/0/1 on SwitchC to 20000.[SwitchC] stp pathcost-standard legacy[SwitchC] interface ethernet 0/0/1[SwitchC-Ethernet0/0/1] stp cost 20000[SwitchC-Ethernet0/0/1] quit

# On SwitchD, configure the path cost calculation method as the Huawei calculationmethod.[SwitchD] stp pathcost-standard legacy

4. Enable RSTP to eliminate loops.l Configure the port connected to the PC as an edge port and BPDU filter port.

# Configure Ethernet0/0/2 on SwitchB as an edge port and BPDU filter port.[SwitchB] interface ethernet 0/0/2[SwitchB-Ethernet0/0/2] stp edged-port enable[SwitchB-Ethernet0/0/2] stp bpdu-filter enable[SwitchB-Ethernet0/0/2] quit

# Configure Ethernet0/0/2 on SwitchC as an edge port and BPDU filter port.[SwitchC] interface ethernet 0/0/2[SwitchC-Ethernet0/0/2] stp edged-port enable[SwitchC-Ethernet0/0/2] stp bpdu-filter enable[SwitchC-Ethernet0/0/2] quit

l Enable RSTP globally.



206

# Enable RSTP globally on SwitchA.[SwitchA] stp enable

# Enable RSTP globally on SwitchB.[SwitchB] stp enable

# Enable RSTP globally on SwitchC.[SwitchC] stp enable

# Enable RSTP globally on SwitchD.[SwitchD] stp enable

Step 2 Configure RSTP protection functions, for example, root protection on a designated port of a rootbridge in each MSTI.

# Enable root protection on Eth 0/0/1 on SwitchA.

[SwitchA] interface ethernet 0/0/1[SwitchA-Ethernet0/0/1] stp root-protection[SwitchA-Ethernet0/0/1] quit

# Enable root protection on Eth 0/0/2 on SwitchA.



After the previous configurations, run the following commands to verify the configuration whenthe network is stable:

# Run the display stp brief command on SwitchA to view the interface status andprotection type. The displayed information is as follows:

[SwitchA] display stp brief MSTID Port Role STP State Protection 0 Ethernet0/0/1 DESI FORWARDING ROOT 0 Ethernet0/0/2 DESI FORWARDING ROOT

After SwitchA is configured as a root bridge, Ethernet0/0/2 and Ethernet0/0/1 connected toSwitchB and SwitchD respectively are elected as designated ports in spanning tree calculation.The root protection function is enabled on the designated ports.

# Run the display stp interface ethernet 0/0/1 brief command onSwitchB to view status of Ethernet0/0/1. The displayed information is as follows:

[SwitchB] display stp interface ethernet 0/0/1 brief MSTID Port Role STP State Protection 0 Ethernet0/0/1 DESI FORWARDING NONE

Ethernet0/0/1 is elected as a designated port in spanning tree calculation and is in the Forwardingstate.

# Run the display stp brief command on SwitchC to view the interface status andprotection type. The displayed information is as follows:

[SwitchC] display stp brief MSTID Port Role STP State Protection 0 Ethernet0/0/1 ALTE DISCARDING NONE 0 Ethernet0/0/3 ROOT FORWARDING NONE

Eth0/0/1 is elected as an alternate port in spanning tree calculation and is in the Discarding state.



207

Eth0/0/3 is elected as a root port in spanning tree calculation and is in the Forwarding state.

----End


# sysname SwitchA # stp mode rstp stp instance 0 root primary stp pathcost-standard legacy# interface Ethernet0/0/1 stp root-protection # interface Ethernet0/0/2 stp root-protection #return

l Configuration file of SwitchB# sysname SwitchB # stp mode rstp stp pathcost-standard legacy# interface Ethernet0/0/2 stp bpdu-filter enable stp edged-port enable# return

l Configuration file of SwitchC# sysname SwitchC # stp mode rstp stp pathcost-standard legacy# interface Ethernet0/0/1 stp instance 0 cost 20000 # interface Ethernet0/0/2 stp bpdu-filter enable stp edged-port enable# return

l Configuration file of SwitchD# sysname SwitchD # stp mode rstp stp instance 0 root secondary stp pathcost-standard legacy# return



208

9 MSTP Configuration

About This Chapter

This chapter describes the concepts and configuration procedure of MSTP, and providesconfiguration examples.

NOTE

The S2700SI does not support MSTP.

9.1 MSTP IntroductionThe MSTP incorporates the functions of the STP and RSTP, and outperforms them. It enablesrapid convergence and provides load balancing across redundant paths.

9.2 MSTP Features Supported by the S2700&S3700This section describes MSTP features supported by the S2700&S3700.

9.3 Default ConfigurationThis section describes the default MSTP configuration. You can change the configuration basedon actual needs.

9.4 Configuring Basic MSTP FunctionsMSTP based on the basic STP/RSTP function divides a switching network into multiple regions,each of which has multiple spanning trees that are independent of each other. MSTP isolatesdifferent VLANs' traffic, and load-balances VLAN traffic.

9.5 Configuring MSTP Parameters on an InterfaceProper MSTP parameter settings achieve rapid convergence.

9.6 Configuring MSTP Protection FunctionsHuawei datacom devices provide the following MSTP protection functions. You can configureone or more functions.

9.7 Configuring MSTP Interoperability Between Huawei Devices and Non-Huawei DevicesTo communicate with a non-Huawei device, set proper parameters on the MSTP-enabledHuawei device.

9.8 Maintaining MSTPThis section describes how to maintain MSTP.

9.9 Configuration Examples

S2700&S3700 Series Ethernet SwitchesConfiguration Guide - Ethernet 9 MSTP Configuration


209

This section provides several configuration examples of MSTP.



210

9.1 MSTP IntroductionThe MSTP incorporates the functions of the STP and RSTP, and outperforms them. It enablesrapid convergence and provides load balancing across redundant paths.

IntroductionThe Multiple Spanning Tree Protocol (MSTP) trims a ring network into a loop-free tree network.It prevents replication and circular propagation of packets, provides multiple redundant pathsfor Virtual LAN (VLAN) data traffic, and enables load balancing.

Network designers tend to deploy multiple physical links between two devices (one link is themaster and the others are backups) to fulfill network redundancy requirements. Loops are boundto occur on such types of complex networks.

Loops will cause broadcast storms, thereby exhausting network resources and paralyzing thenetwork. Loops also cause MAC address flapping that damages MAC address entries.

STP/RSTP eliminates loops on a Layer 2 network by blocking redundant links to prune thenetwork into a tree structure. STP/RSTP cannot implement VLAN-based load balancing becauseall the VLANs on a LAN share a spanning tree. The blocked link does not carry any traffic,which wastes bandwidth and may cause a failure to forward certain VLAN packets.

To address the deficiencies in STP and RSTP, the IEEE released the 802.1s standard in 2002,which defines MSTP. MSTP is compatible with STP and RSTP. It implements rapidconvergence and provides multiple paths to load balance VLAN traffic.

Table 9-1 compares STP, RSTP, and MSTP in terms of the characteristics of each protocol andtheir applicable environments.



211

Table 9-1 Comparison between STP, RSTP, and MSTP

Spanning TreeProtocols

Characteristics ApplicationScenarios

Precautions

STP Ensures a loop-free treetopology that helps preventbroadcast storms and allowsfor redundant links betweenswitches.

Irrespective ofusers or services,all VLANs shareone spanning tree.

NOTEl If the current

switchingdevicesupportsboth STPand RSTP,RSTP isrecommended. Fordetails, seeSTP/RSTPConfiguration.

l If the currentswitchingdevicesupportsSTP orRSTP, andMSTP,MSTP isrecommended.

RSTP l Ensures a loop-free treetopology that helpsprevent broadcast stormsand allows for redundantlinks between switches.

l Provides a feedbackmechanism to confirmtopology convergence,implementing rapidconvergence.

MSTP l Ensures a loop-free treetopology that helpsprevent broadcast stormsand allows for redundantlinks between switches inan MSTP region.

l Provides a feedbackmechanism to confirmtopology convergence,implementing rapidconvergence.

l Implements loadbalancing among VLANs.Traffic in differentVLANs is transmittedalong different paths.

User or service-specific loadbalancing isrequired. Trafficfor differentVLANs isforwardedthrough differentspanning trees,which areindependent ofeach other.

If MSTP is deployed on a LAN, Multiple Spanning Tree Region Instances ( MSTP divides aswitching network into multiple regions, each of which has multiple spanning trees that areindependent of each other. Each spanning tree is called a MSTI ) are generated, as shown inFigure 9-1.

l MSTI 1 uses SwitchD as the root switching device to forward packets of VLAN 2.l MSTI 2 uses SwitchF as the root switching device to forward packets of VLAN 3.

Devices within the same VLAN can communicate with each other and packets of differentVLANs are load-balanced along different paths.



212

Figure 9-1 Multiple spanning trees in an MST region

VLAN2

VLAN2

Host A

Host B

SwitchA SwitchD

SwitchB SwitchE

SwitchC SwitchF

VLAN2

VLAN2

(VLAN2)

(VLAN2)

Host C(VLAN3)

Host D(VLAN3)

VLAN2VLAN3

VLAN3

VLAN3

VLAN3

VLAN3

MSTI1 (root switch: SwitchD)MSTI2 (root switch: SwitchF)

VLAN2VLAN3

MSTI1MSTI2

Basic MSTP Conceptsl MST region

An MST region contains multiple switching devices and network segments between them.The switching devices have the following characteristics:

– MSTP-enabled

– Same region name

– Same VLAN-to-instance mapping

– Same MSTP revision numberA LAN can comprise several MST regions that are directly or indirectly connected. Youcan use MSTP configuration commands to group multiple switching devices into an MSTregion.As shown in Figure 9-2, the MST region D0 contains the switching devices S1, S2, S3,and S4. The region has three MSTIs. MSTI 0 is also called Internal Spanning Tree (IST).



213

Figure 9-2 MST region

D0

S1

other VLANs MSTI0

S2

S4

S3

VLAN1 MSTI1VLAN2,VLAN3 MSTI2

MSTI1root switch:S3

MSTI2root switch:S2

MSTI0 (IST)root switch:S1

AP1

Master Bridge

l Regional root

Regional roots are classified into Internal Spanning Tree (IST) and MSTI regional roots.In the region B0, C0, and D0 on the network shown in Figure 9-4, the switching devicesclosest to the Common and Internal Spanning Tree (CIST) root are IST regional roots.An MST region can contain multiple spanning trees, each called an MSTI. An MSTIregional root is the root of the MSTI. On the network shown in Figure 9-3, each MSTI hasits own regional root.



214

Figure 9-3 MSTI

Root

VLAN10&20&30

VLAN10&20VLAN 20&30

VLAN10&30

VLAN30VLAN10&30 VLAN20

VLAN 10

MST Region

Root

MSTIcorresponding to

VLAN 10

RootMSTIcorresponding to

VLAN 20

MSTIcorresponding to

VLAN 30

MSTI linksMSTI links blocked by the protocol

l VLAN mapping table

The VLAN mapping table is an attribute of the MST region. It describes mappings betweenVLANs and MSTIs.Figure 9-2 shows the VLAN mapping table of the MST region D0:

– VLAN 1 is mapped to MSTI 1.

– VLAN 2 and VLAN 3 are mapped to MSTI 2.

– Other VLANs are mapped to MSTI 0.

MSTIs are independent of each other. An MSTI can correspond to one or more VLANs,but a VLAN can be mapped to only one MSTI.

l IST

An IST resides within an MST region.

An IST is a special MSTI with an MSTI ID of 0, called MSTI 0.An IST is a segment of theCIST in an MST region.As shown in Figure 9-4, the switching devices in an MST regionare connected to form an IST.

l SST

A Single Spanning Tree (SST) is formed in either of the following situations:

– A switching device running STP or RSTP belongs to only one spanning tree.



215

– An MST region has only one switching device.As shown in Figure 9-4, the switching device in B0 is an SST.

l CSTA Common Spanning Tree (CST) connects all the MST regions on a switching network.Each MST region can be considered a node. A CST is calculated by using STP or RSTPbased on all the nodes.As shown in Figure 9-4, the MST regions are connected to form aCST.

l CISTA CIST, calculated by using STP or RSTP, connects all the switching devices on a switchingnetwork.As shown in Figure 9-4, the ISTs and the CST form a complete spanning tree (CIST).

l CIST rootOn the network shown in Figure 9-4, the CIST root is the root bridge of a CIST. The CISTroot is a device in A0.

Figure 9-4 MSTP network

CIST RootA0

B0

C0

D0 Region Root

Region Root

Region Root

CSTIST

l Port roles

Compared with RSTP which defined root ports, designated ports, alternate ports, backupports, and edge ports, MSTP has two additional port types: master ports and regional edgeports.



216

Table 9-2 lists all port roles in MSTP.

NOTE

Except edge ports, all ports participate in MSTP calculation.

A port can play different roles in different MSTIs.

Table 9-2 Port roles

PortRoles

Description

Root port A root port is the non-root bridge port closest to the root bridge. Root portsare responsible for sending data to root bridges. Root bridges do not haveroot ports.As shown in Figure 9-5, S1 is the root; CP1 is the root port on S3; BP1 isthe root port on S2; DP1 is the root port on S4.

Designated port

The designated port on a switching device forwards bridge protocol dataunits (BPDUs) to the downstream switching device.As shown in Figure 9-5, AP2 and AP3 are designated ports on S1; BP2 isa designated port on S2; CP2 is a designated port on S3.

Alternateport

l An alternate port is blocked after it receives a BPDU sent by otherdevices.

l An alternate port provides an alternate path to the root bridge. This pathis different than using the root port.

As shown in Figure 9-5, DP4 and AP4 are alternate ports.

Backupport

l A backup port is blocked after it receives a BPDU sent by itself.l A backup port provides a redundant path to a segment and is the backup

for the root port.As shown in Figure 9-5, CP3 is a backup port.

Masterport

A master port is on the shortest path connecting MST regions to the CISTroot.BPDUs of an MST region are sent to the CIST root through the master port.Master ports are special regional edge ports, functioning as root ports onISTs or CISTs and master ports in instances.As shown in Figure 9-5, S1, S2, S3, and S4 form an MST region. AP1 onS1, being the nearest port in the region to the CIST root, is the master port.



217

PortRoles

Description

Regionaledge port

A regional edge port is located at the edge of an MST region and connectsto another MST region or an SST.During MSTP calculation, the roles of a regional edge port in the MSTI andthe CIST instance are the same. If the regional edge port is the master portin the CIST instance, it is the master port in all the MSTIs in the region.As shown in Figure 9-5, AP1, DP2, and DP3 in an MST region are directlyconnected to other regions, and therefore they are all regional edge ports ofthe MST region.As shown in Figure 9-5, AP1 is a regional edge port and also a master portin the CIST. Therefore, AP1 is the master port in every MSTI in the MSTregion.

Edgeport

An edge port is located at the edge of an MST region and does not connectto any switching device.Generally, edge ports are directly connected to terminals.As shown in Figure 9-5, BP3 is an edge port.

Figure 9-5 Port roles

S1AP2

S2S3

AP3

CP2 CP3BP2

CP1 BP1

S4

Root Bridge

MST RegionAP1 AP4

DP1 DP4

DP2 DP3

PC

Root port

Designated portAlternate

portBackup port

Master port

Edge port

Regional edge port

BP3

l Port status

Table 9-3 lists the MSTP port status, which is the same as the RSTP port status.



218

Table 9-3 Port status

PortStatus

Description

Forwarding

A port in the Forwarding state can send and receive BPDUs as well asforward user traffic.

Learning This is a transition state. A port in the Learning state learns MAC addressesfrom user traffic to construct a MAC address table.In the Learning state, the port can send and receive BPDUs, but cannotforward user traffic.

Discarding

A port in the Discarding state can only receive BPDUs.

The port status is not determined by the port role. Table 9-4 lists the port status supportedby each port role.

Table 9-4 Status of port roles

PortStatus

Root Port/MasterPort

Designated Port

RegionalEdge Port

AlternatePort

BackupPort

Forwarding

Yes Yes Yes No No

Learning Yes Yes Yes No No

Discarding

Yes Yes Yes Yes Yes

NOTE

Yes: The port supports this status.

No: The port does not support this status.

9.2 MSTP Features Supported by the S2700&S3700This section describes MSTP features supported by the S2700&S3700.

MSTP

MSTP is used to block redundant links on the Layer 2 network and trim a network into a loop-free tree. In MSTP, multiple MSTIs can be created and VLANs are mapped into differentinstances to load-balance VLAN traffic. The basic configuration roadmap for MSTP is asfollows:

1. In a ring network, divide regions and create different instances for regions.



219

2. Select a switching device to function as the root bridge for each instance.3. In each instance, calculate the shortest paths from the other switching devices to the root

bridge, and select a root port for each non-root switching device.4. In each instance, select a designated port for each connection based on port IDs.

Enhanced Functions of MSTPSome networks may have master ports and backup ports. For details about master ports andbackup ports, see 9.1 MSTP Introduction.

MSTP also supports the following features to meet the requirements of special applications andextended functions:l Proposal/Agreement mechanism to implement rapid convergence.l Protection functions listed in Table 9-5.l MSTP interoperability between Huawei devices and non-Huawei devices. Certain

parameters must be set on Huawei devices to ensure uninterrupted communication.

Table 9-5 MSTP protection

MSTPProtection


BPDUprotection

An edge port changes into anon-edge port afterreceiving a BPDU, whichtriggers spanning treerecalculation. If an attackerkeeps sending pseudoBPDUs to a switchingdevice, network flappingoccurs.

After BPDU protection is enabled, aswitching device sets an edge port to errordown state if the edge port receives a BPDUand retains the port as an edge port. Inaddition, the switching device sends amessage to notify the NMS.The error-down edge port can only berestored by the administrator. To enable theerror-down edge port to restoreautomatically, set the recovery delay.

TC-BPDUattackdefense

Generally, after receivingTC BPDUs (packets foradvertising networktopology changes), aswitching device needs todelete MAC entries and ARPentries. Frequent deletionsexhaust CPU resources.

TC protection is used to suppress TC BPDUs.You can configure the number of times aswitching device processes TC BPDUswithin a given time period. If the number ofTC BPDUs that the switching device receiveswithin a given time exceeds the specifiedthreshold, the switching device processesonly the specified number of TC BPDUs.After the specified time period expires, thedevice processes the excess TC BPDUs foronce. This function prevents the switchingdevice from frequently deleting MAC entriesand ARP entries, saving CPU resources.



220

MSTPProtection


Rootprotection

Due to incorrectconfigurations or maliciousattacks on the network, aroot bridge may receiveBPDUs with a higherpriority than its own priority.Consequently, the legitimateroot bridge is no longer ableto serve as the root bridgeand the network topology ischanged, triggeringspanning tree recalculation.This may transfer trafficfrom high-speed links tolow-speed links, causingtraffic congestion.

To address this issue, the root protectionfunction can be configured to protect the rootbridge by preserving the role of thedesignated port. With this function, when thedesignated port receives RST BPDUs with ahigher priority, the port enters the Discardingstate and does not forward the BPDUs. If theport does not receive any RST BPDUs with ahigher priority for a certain period (double theForward Delay), the port transitions to theForwarding state.

Loopprotection

A root port or an alternateport will age if linkcongestion or a one-way linkfailure occurs. After the rootport ages, a switching devicemay re-select a root portincorrectly and after thealternate port ages, the portenters the Forwarding state.Loops may occur in such asituation.

The loop protection function can be used toprevent such network loops. If the root portor alternate port cannot receive RST BPDUsfrom the upstream switching device, the rootport is blocked and the switching devicenotifies the NMS that the port enters theDiscarding state. The blocked port remains inthe Blocked state and no longer forwardspackets. This function helps prevent loops onthe network. The root port or alternate porttransitions to the Forwarding state afterreceiving new BPDUs.

Share-linkprotection

When a switching device isdual-homed to a network andthe share link of multipleprocesses fails, loops mayoccur.

Share-link protection can address such aproblem. This function forcibly changes theworking mode of the local switching deviceto RSTP. Share-link protection needs to beused together with root protection to avoidnetwork loops.

9.3 Default ConfigurationThis section describes the default MSTP configuration. You can change the configuration basedon actual needs.


Working mode MSTP

MSTP status MSTP is enabled globally and on an interface.



221


Switching device priority 32768

Port priority 128

Algorithm used to calculate thedefault path cost

dot1t, IEEE 802.1t

Forward Delay Time 1500 centiseconds

Hello Time 200 centiseconds

Max Age Time 2000 centiseconds

9.4 Configuring Basic MSTP FunctionsMSTP based on the basic STP/RSTP function divides a switching network into multiple regions,each of which has multiple spanning trees that are independent of each other. MSTP isolatesdifferent VLANs' traffic, and load-balances VLAN traffic.

Context

MSTP is commonly configured on switching devices to trim a ring network to a loop-freenetwork. Devices start spanning tree calculation after the working mode is set and MSTP isenabled. Use any of the following methods if you need to intervene in the spanning treecalculation:

l Manually configure the root bridge and secondary root bridge.

l Set a priority for a switching device in an MSTI: The lower the numerical value, the higherthe priority of the switching device and the more likely the switching device becomes aroot bridge; the higher the numerical value, the lower the priority of the switching deviceand the less likely that the switching device becomes a root bridge.

l Set a path cost for a port in an MSTI: With the same calculation method, the lower thenumerical value, the smaller the cost of the path from the port to the root bridge and themore likely the port becomes a root port; the higher the numerical value, the larger the costof the path from the port to the root bridge and the less likely that the port becomes a rootport.

l Set a priority for a port in an MSTI: The lower the numerical value, the more likely the portbecomes a designated port; the higher the numerical value, the less likely that the portbecomes a designated port.

9.4.1 Configuring the MSTP Mode

Context

Before configuring basic MSTP functions, set the working mode of a switching device to MSTP.MSTP is compatible with STP and RSTP.



222

Procedure



Step 2 Run:stp mode mstp

The working mode of the switching device is set to MSTP. By default, the working mode isMSTP.

STP and MSTP cannot recognize packets of each other, but MSTP and RSTP can. If an MSTP-enabled switching device is connected to switching devices running STP, interfaces of theMSTP-enabled switching device connected to devices running STP automatically transition toSTP mode, and other interfaces still work in MSTP mode. This enables devices running differentspanning tree protocols to interwork with each other.

----End

9.4.2 Configuring and Activating an MST Region

ContextAn MST region contains multiple switching devices and network segments. These switchingdevices are directly connected and have the same region name, same VLAN-to-instancemapping, and the same configuration revision number after MSTP is enabled. One switchingnetwork can have multiple MST regions. You can use MSTP commands to group multipleswitching devices into one MST region.

NOTE

Two switching devices belong to the same MST region when they have the same:

l Name of the MST region

l Mapping between VLANs and MSTIs

l Revision level of the MST region

Perform the following steps on a switching device that needs to join an MST region.

Procedure



Step 2 Run:stp region-configuration

The MST region view is displayed.

Step 3 Run:region-name name

The name of an MST region is configured.



223

By default, the MST region name is the MAC address of the bridge MAC of the switching device.

Step 4 Perform either of the following steps to configure VLAN-to-instance mappings.

l Run the instance instance-id vlan { vlan-id1 [ to vlan-id2 ] }&<1-10>command to configure VLAN-to-instance mappings.

l Run the vlan-mapping modulo modulo command to enable VLAN-to-instancemapping assignment based on a default algorithm.

By default, all VLANs in an MST region are mapped to MSTI 0.

NOTE

l The VLAN-to-instance mappings generated using the vlan-mapping modulo modulocommands cannot meet network requirements. It is recommended that you run the instanceinstance-id vlan { vlan-id1 [ to vlan-id2 ] }&<1-10> command to configure VLAN-to-instance mappings.

l The vlan-mapping modulo specifies the formula (VLAN ID-1)%modulo+1. In the formula,(VLAN ID-1)%modulo means the remainder of (VLAN ID-1) divided by the value of modulo. Thisformula is used to map a VLAN to the corresponding MSTI. The calculation result of the formula isthe ID of the mapping MSTI.

l To configure the mapping between the spanning tree instance and MUX VLAN, you are advised toconfigure the principal VLAN, and subordinate group VLANs and subordinate separate VLANs of theMUX VLAN in the same protected instance. Otherwise, loops may occur.

Step 5 (Optional) Run:revision-level level

The MSTP revision number is set.

By default, the MSTP revision number is 0.

MSTP is a standard protocol; therefore, the MSTP revision level of a device is 0 by default. Ifthe revision level of some devices from a specified manufacturer is not 0, you must change thevalue to 0 to facilitate tree calculation in an MST region.

NOTICEChanging MST region configurations (especially change of the VLAN mapping table) triggersspanning tree recalculation and causes route flapping. Therefore:

l After configuring an MST region name, VLAN-to-instance mappings, and an MSTP revisionnumber, run the check region-configuration command in the MST region viewto verify the configuration. After confirming the region configurations, run the activeregion-configuration command to activate MST region configurations.

l You are advised not to modify MST region parameters after the MST region is activated.

Step 6 Run:active region-configuration

MST region configurations are activated so that the configured region name, VLAN-to-instancemappings, and revision number can take effect.

If this step is not done, the preceding configurations cannot take effect.



224

If you have changed MST region configurations on the switching device after MSTP starts, runthe active region-configuration command to activate the MST region so that thechanged configurations can take effect.

NOTE

Before using the active region-configuration command to activate the modified STP regionparameters, run the check region-configuration command to check whether parameters arecorrect. After the active region-configuration command is executed, check whether a messageindicating an activation failure is displayed. If such a message is displayed, reconfigure STP parameters.

----End

9.4.3 (Optional) Configuring the Root Bridge and Secondary RootBridge

Context

The root bridge can be calculated through calculation. You can also manually configure the rootbridge or secondary root bridge.

l A switching device plays different roles in different spanning trees. The switching devicecan function as the root switch or secondary root switch of a spanning tree and the rootswitch or secondary root switch of another spanning tree. The switching device can functionas only the root switch or secondary root switch of the same spanning tree.

l In a spanning tree, only one root bridge takes effect. When two or more than two devicesare specified as root bridges of a spanning tree, the device with the smallest MAC addressis used as the root bridge.

l You can specify multiple secondary root bridges for each spanning tree. When the rootbridge fails or is powered off, the secondary root bridge becomes the new root bridge. If anew root bridge is specified, the secondary root bridge will not become the root bridge. Ifmultiple secondary root bridges are configured, the secondary root bridge with smallestMAC address will become the root bridge of the spanning tree.

NOTE

It is recommended that the root bridge and secondary root bridge be configured manually.

Procedurel Perform the following operations on the device to be used as the root bridge.

1. Run:system-view


2. Run:stp [ instance instance-id ] root primary

The device is configured as the root bridge.

By default, a switching device does not function as the root bridge. After theconfiguration is complete, the BID of the device is 0 and cannot be changed.

If instance is not specified, the device in MSTI 0 is a root bridge.



225

l Perform the following operations on the device to be used as the secondary root bridge.

1. Run:system-view


2. Run:stp [ instance instance-id ] root secondary

The device is configured as the secondary root bridge.

By default, a switching device does not function as the secondary root bridge. Afterthe configuration is complete, the BID of the device is 4096 and cannot be changed.

If instance is not specified, the device in MSTI 0 is a backup root bridge.

----End

9.4.4 (Optional) Configuring a Priority for a Switching Device in anMSTI

Context

In an MSTI, there is only one root bridge, which is the logic center of the MSTI. During rootbridge selection, a high-performance switching device at a high network layer should be selectedas the root bridge; however, the priority of such a device may not be the highest on the network.It is therefore necessary to set a high priority for the switching device to ensure that the devicefunctions as a root bridge.

Low-performance devices at lower network layers are not fit to serve as a root bridge. Therefore,set low priorities for these devices.

A switching device with a high priority is more likely to be selected as the root bridge in anMSTI. A smaller priority value indicates a higher priority.

Procedure



Step 2 Run:stp [ instance instance-id ] priority priority

A priority is set for the switching device in an MSTI.

The default priority value of the switching device is 32768.

If the instance-id is not designated, a priority is set for the switching device in MSTI0.



226

NOTE

If the stp [ instance instance-id ] root primary or stp [ instance instance-id ]root secondary command has been executed to configure the device as the root bridge or secondaryroot bridge, to change the device priority, run the undo stp [ instance instance-id ] rootcommand to disable the root bridge or secondary root bridge function and run the stp [ instanceinstance-id ] priority priority command to set a priority.

----End

9.4.5 (Optional) Configuring a Path Cost of a Port in an MSTI

ContextA path cost is port-specific and is used by MSTP to select a link.

Path costs of ports are an important basis for calculating spanning trees. If you set different pathcosts for a port in different MSTIs, VLAN traffic can be transmitted along different physicallinks for load balancing.

The MSTP path cost determines root port selection in an MSTI. The port with the lowest pathcost to the root bridge is selected as the root port.

If a network has loops, it is recommended that you set a relatively large path cost for ports withlow link rates. MSTP then blocks these ports.

Procedure



Step 2 Run:stp pathcost-standard { dot1d-1998 | dot1t | legacy }

A path cost calculation method is configured.

By default, the IEEE 802.1t standard (dot1t) is used to calculate the default path cost.

All switching devices on a network must use the same path cost calculation method.


The Ethernet interface view is displayed.

Step 4 Run:stp instance instance-id cost cost

A path cost is set for the port in the current MSTI.

l When the Huawei calculation method is used, cost ranges from 1 to 200000.

l When the IEEE 802.1d standard method is used, cost ranges from 1 to 65535.

l When the IEEE 802.1t standard method is used, cost ranges from 1 to 200000000.

----End



227

9.4.6 (Optional) Configuring a Port Priority in an MSTI

Context

During spanning tree calculation, port priorities in MSTIs determine which ports are selected asdesignated ports.

To block a port in an MSTI to eliminate loops, set the port priority value to larger than the defaultvalue. This port will be blocked during designated port selection.

Procedure





Step 3 Run:stp instance instance-id port priority priority

A port priority is set in an MSTI.

By default, the port priority is 128.

The value range of the priority is from 0 to 240, in steps of 16.

----End

9.4.7 Enabling MSTP

Context

After configuring basic MSTP functions on a switching device, enable MSTP function.

After MSTP is enabled on a ring network, it immediately calculates spanning trees on thenetwork. Configurations on the switching device, such as, the switching device priority and portpriority, will affect spanning tree calculation. Any change to the configurations may causenetwork flapping. Therefore, to ensure rapid and stable spanning tree calculation, perform basicconfigurations on the switching device and its ports and enable MSTP.

Procedure





228

NOTE

STP/RSTP-enabled devices calculate spanning trees by exchanging BPDUs. Therefore, all the interfacesparticipating in spanning tree calculation must be enabled to send BPDUs to the CPU for processing. Bydefault, an interface participating in spanning tree calculation is enabled to send BPDUs to the CPU. Youcan run the bpdu enable command to enable an interface to send BPDUs to the CPU.

Step 2 Run:stp enable

MSTP is enabled on the switching device.

By default, the MSTP function is enabled on the device.

----End

Follow-up ProcedureWhen the topology of a spanning tree changes, the forwarding paths to associated VLANs arechanged. The ARP entries corresponding to those VLANs on the switching device need to beupdated. MSTP processes ARP entries in either fast or normal mode.

l In fast mode, ARP entries to be updated are directly deleted.l In normal mode, ARP entries to be updated are rapidly aged.

The remaining lifetime of ARP entries to be updated is set to 0. The switching device rapidlyprocesses these aged entries. If the number of ARP aging probe attempts is not set to 0,ARP implements aging probe for these ARP entries.

You can run the stp converge { fast | normal } command in the system view to configurethe STP/RSTP convergence mode.

By default, the normal MSTP convergence mode is used.

NOTE

The normal mode is recommended. If the fast mode is adopted, ARP entries will be frequently deleted,causing the CPU usage on device to reach 100%. As a result, network flapping will frequently occur.


Procedurel Run the display stp [ instance instance-id ] [ interface interface-

type interface-number | slot slot-id ] [ brief ] command to view spanning-tree status and statistics.

l Run the display stp region-configuration command to view configurationsof activated MST regions.

l Run the display stp region-configuration digest command to view thedigest configurations of activated MST regions.

----End

9.5 Configuring MSTP Parameters on an InterfaceProper MSTP parameter settings achieve rapid convergence.



229

Pre-configuration TasksBefore configuring MSTP parameters that affect route convergence, complete the followingtask:

l Configuring MSTP

9.5.1 Setting the MSTP Network Diameter

ContextOn a switched network, any two terminals on the switching network are connected through aspecific path along which multiple devices reside. The network diameter is the maximum numberof devices between any two terminals. A larger network diameter indicates a larger networkscale.



Procedure






NOTE



----End

9.5.2 Setting the MSTP Timeout Interval

ContextIf the device does not receive any BPDU from the upstream device in the set period, the deviceconsiders that the upstream device fails and then it re-calculates its spanning tree.

Sometimes, the device cannot receive the BPDU in a long time from the upstream device becausethe upstream device is very busy. In this case, the device should not re-calculate its spanning



230

tree. Therefore, you can set a long period for the device on a stable network to avoid waste ofnetwork resources.



Procedure






----End

9.5.3 Setting the Values of MSTP Timers

Context

The following parameters are used in spanning tree calculation:

l Forward Delay: determines the interval for port status transition. To prevent temporaryloops, an interface first enters the Learning state when transiting from Discarding toForwarding. The status transition lasts for the time specified by Forward Delay so that thelocal device can synchronize the status with the remote switch.







231

NOTICETo prevent frequent network flapping, make sure that Hello Time, Forward Delay, and Max Ageconform to the following formulas:

l 2 x (Forward Delay - 1.0 second) >= Max Age

l Max Age >= 2 x (Hello Time + 1.0 second)

Procedure









By default, the value of Hello Time of the switching device is 200 centiseconds.3. Run:

stp timer max-age max-age



----End


Context

The interface path cost affects spanning tree calculation. When the path cost changes, the systemperforms spanning tree recalculation. The interface path cost is affected by the bandwidth, soyou can change the interface bandwidth to affect spanning tree calculation.

As shown in Figure 9-6, deviceA and deviceB are connected through two Eth-Trunks. Eth-Trunk 1 has three member interfaces in Up state and Eth-Trunk 2 has two member interfaces inUp state. If each member link has the same bandwidth, deviceA is selected as the root bridge.

l Eth-Trunk 1 has larger bandwidth than Eth-Trunk 2. After STP calculation, Eth-Trunk 1on deviceB is selected as the root port and Eth-Trunk 2 is selected as the alternate port.



232

l If the maximum number of connections is 1 in Eth-Trunk 1, the path cost of Eth-Trunk 1is larger than the path cost of Eth-Trunk 2. The system performs spanning tree recalculation.Then Eth-Trunk 1 on deviceB becomes the alternate port and Eth-Trunk 2 becomes theroot port.


SwitchA SwitchB


Alternate port


After configuration

SwitchA SwitchB

Root Bridge

Root Bridge

Designated port

Root port


NOTE


Procedure








----End



233

9.5.5 Setting the Link Type of a Port

ContextIt is easy to implement rapid convergence on a P2P link. If the two ports connected to a P2P linkare root or designated ports, the ports can transit to the forwarding state quickly by sendingProposal and Agreement packets. This reduces the forwarding delay.

Procedure





Step 3 Run:stp point-to-point { auto | force-false | force-true }

The link type is configured for the interface.

By default, an interface automatically determines whether to connect to a P2P link. The P2P linksupports rapid network convergence.

l If the Ethernet port works in full-duplex mode, the port is connected to a P2P link. In thiscase, force-true can be configured to implement rapid network convergence.

l If the Ethernet port works in half-duplex mode, you can run stp point-to-pointforce-true to forcibly set the link type to P2P.

----End

9.5.6 Setting the Maximum Transmission Rate of an Interface

Context.A larger value of packet-number indicates more BPDUs sent in a hello interval and thereforemore system resources occupied. Setting the proper value of packet-number prevents excessbandwidth usage when route flapping occurs.

Procedure







234

Step 3 Run:stp transmit-limit packet-number

The maximum number of BPDUs sent by a port in a specified period is set.

By default, the maximum number of BPDUs that a port sends within each Hello time is 147.

----End

9.5.7 Switching to the MSTP Mode

Context

If an interface on an MSTP-enabled device is connected to an STP-enabled device, the interfaceswitches to the STP compatible mode.

If the STP-enabled device is powered off or disconnected from the MSTP-enabled device, theinterface cannot switch to the MSTP mode. In this case, you can switch the interface to the MSTPmode by using the stp mcheck command.

In the following cases, you need to manually switch the interface back to the MSTP modemanually:

l The STP-enabled device is shut down or disconnected.

l The STP-enabled device is switched to the MSTP mode.

Procedurel Switching to the MSTP mode in the interface view

1. Run:system-view




3. Run:stp mcheck

The device is switched to the MSTP mode.

l Switching to the MSTP mode in the system view

1. Run:system-view


2. Run:stp mcheck

The device is switched to the MSTP mode.

----End



235

9.5.8 Configuring a Port as an Edge Port and BPDU Filter Port

Context

If a designated port is located at the edge of a network and is directly connected to terminaldevices, this port is called edge port.

An edge port does not receive or process configuration BPDUs, or MSTP calculation. It cantransit from Disable to Forwarding without any delay.

After a designated port is configured as an edge port, the port can still send BPDUs. Then BPDUsare sent to other networks, causing flapping of other networks. You can configure a port as anedge port and BPDU filter port so that the port does not process or send BPDUs.

NOTICEAfter all ports are configured as edge ports and BPDU filter ports in the system view, none ofports on the device send BPDUs or negotiate the STP status with directly connected ports onthe peer device. All ports are in forwarding state. This may cause loops on the network, leadingto broadcast storms. Exercise caution when you configure a port as an edge port and BPDU filterport.

After a port is configured as an edge port and BPDU filter port in the interface view, the portdoes not process or send BPDUs. The port cannot negotiate the STP status with the directlyconnected port on the peer device. Exercise caution when you configure a port as an edge portand BPDU filter port.

Procedurel Configuring all ports as edge ports and BPDU filter ports in the system view

1. Run:system-view


2. Run:stp edged-port default

All ports are configured as edge ports.

By default, all ports are non-edge ports.

3. Run:stp bpdu-filter default

All ports are configured as BPDU filter ports.


l Configuring a port as an edge port and BPDU filter port in the interface view

1. Run:system-view



236




3. (Optional) Run:stp edged-port enable

The port is configured as an edge port.

By default, all ports are non-edge ports.

4. Run:stp bpdu-filter enable

The port is configured as a BPDU filter port.


----End

9.5.9 Setting the Maximum Number of Hops in an MST Region

Context

Switching devices on a Layer 2 network running MSTP communicate with each other byexchanging MST BPDUs. An MST BPDU has a field that indicates the number of remaininghops.

l The number of remaining hops in a BPDU sent by the root switching device equals themaximum number of hops.

l The number of remaining hops in a BPDU sent by a non-root switching device equals themaximum number of hops minus the number of hops from the non-root switching deviceto the root switching device.

l If a switching device receives a BPDU in which the number of remaining hops is 0, theswitching device will discard the BPDU.

Therefore, the maximum number of hops of a spanning tree in an MST region determines thenetwork scale. The stp max-hops command can be used to set the maximum number of hopsin an MST domain so that the network scale of a spanning tree can be controlled.

Procedure



Step 2 Run:stp max-hops hop

The maximum number of hops in an MST region is set.



237

By default, the maximum number of hops of the spanning tree in an MST region is 20.

----End




----End

9.6 Configuring MSTP Protection FunctionsHuawei datacom devices provide the following MSTP protection functions. You can configureone or more functions.


Before configuring MSTP protection functions, complete the following task:

l Configuring MSTP or MSTP multi-process

9.6.1 Configuring BPDU Protection on a Switching Device

Context

Edge ports are directly connected to user terminal and will not receive BPDUs. Attackers maysend pseudo BPDUs to attack the switching device. If the edge ports receive the BPDUs, theswitching device configures the edge ports as non-edge ports and triggers a new spanning treecalculation. Network flapping then occurs. BPDU protection can be used to protect switchingdevices against malicious attacks.

After BPDU protection is enabled on a switching device, the switching device shuts down anedge port if the edge port receives a BPDU, and notifies the NMS of the shutdown event.

Perform the following steps on a switching device that has an edge port.

Procedure



Step 2 Run:stp bpdu-protection

BPDU protection is enabled on the switching device.



238

By default, BPDU protection is not enabled on the switching device.

----End

Follow-up ProcedureTo allow an edge port to automatically start after being error-down, you can run the error-down auto-recovery cause bpdu-protection interval interval-valuecommand to configure the auto recovery function and set the delay on the port. After the delayexpires, the port automatically goes Up. Note the following when setting this parameter:l By default, the auto recovery function is disabled, so there is no delay. When you enable

the auto recovery function, you must specify the recovery delay.l The smaller the interval-value is, the shorter it takes for the edge port to go Up, and

the more frequently the edge port alternates between Up and Down.l The larger the interval-value is, the longer it takes for the edge port to go Up, and

the longer the service interruption lasts.l The auto recovery function takes effect only for the interface that transitions to the error

down state after the error-down auto-recovery command is executed.

9.6.2 Configuring TC Protection on a Switching Device

ContextIf attackers forge TC-BPDUs to attack the switching device, the switching device receives alarge number of TC BPDUs within a short time. If MAC address entries and ARP entries aredeleted frequently, the switching device is heavily burdened, causing potential risks to thenetwork.

TC protection is used to suppress TC BPDUs. The number of times that TC BPDUs are processedby a switching device within a given time period is configurable. If the number of TC BPDUsthat the switching device receives within a given time exceeds the specified threshold, theswitching device handles TC BPDUs only for the specified number of times. Excess TC BPDUsare processed by the switching device as a whole for once after the specified time period expires.This protects the switching device from frequently deleting MAC entries and ARP entries,therefore avoiding overburden.

Procedure



Step 2 Run:stp tc-protection

TC protection is enabled for the MSTP process.

By default, TC protection is not enabled on the switching device.

Step 3 Run:stp tc-protection threshold threshold



239

The number of times the MSTP process handles the received TC BPDUs and updates forwardingentries within a given time is set.

----End

9.6.3 Configuring Root Protection on an Interface

ContextDue to incorrect configurations or malicious attacks on the network, a root bridge may receiveBPDUs with a higher priority. Consequently, the legitimate root bridge is no longer able to serveas the root bridge and the network topology is changed, triggering spanning tree recalculation.This also may cause the traffic that should be transmitted over high-speed links to be transmittedover low-speed links, leading to network congestion. The root protection function on a switchingdevice is used to protect the root bridge by preserving the role of the designated port.

NOTE

Root protection takes effect only on designated ports.

Perform the following steps on the root bridge in an MST region.

Procedure





Step 3 Run:stp root-protection

Root protection is configured on the switching device.

By default, root protection is disabled.

----End

9.6.4 Configuring Loop Protection on an Interface

ContextOn a network running MSTP, a switching device maintains the root port status and status ofblocked ports by receiving BPDUs from an upstream switching device. If the switching devicecannot receive BPDUs from the upstream device because of link congestion or unidirectional-link failure, the switching device re-selects a root port. The original root port becomes adesignated port and the original blocked ports change to the Forwarding state. This switchingmay cause network loops, which can be mitigated by configuring loop protection.

After loop protection is configured, if the root port or alternate port does not receive BPDUsfrom the upstream switching device, the root port is blocked and the switching device notifies



240

the NMS that the port enters the Discarding state. The blocked port remains in the Blocked stateand no longer forwards packets. This function helps prevent loops on the network. The root portor alternate port transitions to the Forwarding state after receiving new BPDUs.

NOTE

An alternate port is a backup port for a root port. If a switching device has an alternate port, you need toconfigure loop protection on both the root port and the alternate port.

Perform the following steps on the root port and alternate port on a switching device in an MSTregion.

Procedure





Step 3 Run:stp loop-protection

Loop protection for the root port is configured on the switching device.

By default, loop protection is disabled.

Root protection and loop protection cannot be configured simultaneously.

----End

9.6.5 Configuring Share-Link Protection on a Switching Device

Context

Share-link protection is used in the scenario where a switching device is dual homed to a network.

When a share link fails, share-link protection forcibly changes the working mode of a localswitching device to RSTP. This function can also be used together with root protection to avoidnetwork loops.

Procedure



Step 2 Run:stp process process-id

The MSTP process view is displayed.



241

NOTE

This step is needed only when you perform configurations in an MSTP process with a non-zero ID. If youperform configurations in the MSTP process 0, skip this step.

Step 3 Run:stp link-share-protection

Share-link protection is enabled.

----End




----End

9.7 Configuring MSTP Interoperability Between HuaweiDevices and Non-Huawei Devices

To communicate with a non-Huawei device, set proper parameters on the MSTP-enabledHuawei device.

9.7.1 Configuring a Proposal/Agreement Mechanism

Context

The rapid transition mechanism is also called the Proposal/Agreement mechanism. All switchingdevices support the following modes:

l Enhanced mode: The current interface counts the root port calculation when it computesthe synchronization flag bit.

– An upstream device sends a Proposal message to a downstream device, requesting rapidstatus transition. After receiving the message, the downstream device sets the portconnected to the upstream device as a root port and blocks all non-edge ports.

– The upstream device then sends an Agreement message to the downstream device. Afterthe downstream device receives the message, the root port transitions to the Forwardingstate.

– The downstream device responds to the Proposal message with an Agreement message.After receiving the message, the upstream device sets the port connected to thedownstream device as a designated port, and the designated port transitions to theForwarding state.

l Common mode: The current interface ignores the root port when it computes thesynchronization flag bit.



242

– An upstream device sends a Proposal message to a downstream device, requesting rapidstatus transition. After receiving the message, the downstream device sets the portconnected to the upstream device as a root port and blocks all non-edge ports. The rootport then transitions to the Forwarding state.

– The downstream device responds to the Proposal message with an Agreement message.After receiving the message, the upstream device sets the port connected to thedownstream device as a designated port. The designated port then transitions to theForwarding state.

When Huawei devices are connected to non-Huawei devices, select the same mode as that usedon non-Huawei devices.

Procedure





Step 3 Run:stp no-agreement-check

The common rapid transition mechanism is configured.

By default, the interface uses the enhanced rapid transition mechanism.

----End

9.7.2 Configuring the MSTP Protocol Packet Format on an Interface

ContextMSTP protocol packets have two formats: dot1s (IEEE 802.1s standard packets) and legacy(proprietary protocol packets).

You can specify the packet format and use the auto mode. In auto mode, the switching deviceswitches the MSTP protocol packet format based on the received MSTP protocol packet formatso that the switching device can communicate with the peer device.

Procedure







243

Step 3 Run:stp compliance { auto | dot1s | legacy }

The MSTP protocol packet format is configured on the interface.

The auto mode is used by default.

NOTE

The negotiation will fail if the format of MSTP packets is set to dot1s at one end and legacy at theother end.

----End

9.7.3 Enabling the Digest Snooping Function

Context

Interconnected Huawei and non-Huawei devices cannot communicate with each other if theyhave the same region name, revision number, and VLAN-to-instance mappings but differentBPDU keys. To address this problem, enable the digest snooping function on the Huawei device.

Perform the following steps on a switching device in an MST region to enable the digest snoopingfunction.

Procedure





Step 3 Run:stp config-digest-snoop

The digest snooping function is enabled.

----End




----End



244

9.8 Maintaining MSTPThis section describes how to maintain MSTP.

9.8.1 Clearing MSTP Statistics

Context

NOTICEMSTP statistics cannot be restored after being cleared.

Procedurel Run the reset stp [ interface interface-type interface-number ]

statistics command to clear spanning-tree statistics.

----End

9.8.2 Monitoring the Statistics on MSTP Topology Changes

Procedurel Run the display stp [ instance instance-id ] topology-change command

to view the statistics about MSTP topology changes.l Run the display stp [ process process-id ] [ instance instance-id ]

[ interface interface-type interface-number | slot slot-id ] tc-bpdu statistics command to view the statistics about TC/TCN packets.

In the case of a non-zero process, the stp process process-id command must beused to create a process before the display stp [ process process-id ][ instance instance-id ] [ interface interface-type interface-number | slot slot-id ] tc-bpdu statistics command is used.

----End

9.9 Configuration ExamplesThis section provides several configuration examples of MSTP.

9.9.1 Example for Configuring MSTP

Networking RequirementsOn a complex network, to implement redundancy, network designers tend to deploy multiplephysical links between two devices, one of which is the master and the others are the backup.



245

Loops occur, causing broadcast storms or damaging MAC addresses. After the network designerplans a network, you can deploy MSTP on the network to prevent loops. MSTP blocks redundantlinks and prunes a network into a tree topology free from loops.

As shown in Figure 9-7,SwitchA, SwitchB, SwitchC, and SwitchD run MSTP. to load balancetraffic from VLANs 2 to 10 and VLANs 11 to 20, use MSTP multi-instance. You can configurea VLAN mapping table to associate VLANs with MSTIs.

Figure 9-7 Networking diagram of MSTP configuration

Eth0/0/1

Eth0/0/3

Eth0/0/1

SwitchA

SwitchC

Eth0/0/1

Eth0/0/3

Eth0/0/1

SwitchB

SwitchDEth0/0/2

Eth0/0/2Eth0/0/2

Eth0/0/2

Root Switch:SwitchA

Root Switch:SwitchB

MSTI1:

MSTI2:

Blocked port

Blocked port

RG1

Network

VLAN2~10VLAN11~20

MSTI1MSTI2



246



1. Configure basic MSTP functions on the switching device on the ring network.

2. Configure protection functions to protect devices or links. You can configure rootprotection on the designated port of the root bridge.

3. Configure Layer 2 forwarding.

Procedure

Step 1 Configure basic MSTP functions.

1. Configure SwitchA, SwitchB, SwitchC, and SwitchD in the same MST region namedRG1 and create MSTI 1 and MSTI 2.

NOTE

Two switching devices belong to the same MST region when they have the same:

l Name of the MST region

l Mapping between VLANs and MSTIs

l Revision level of the MST region

# Configure an MST region on SwitchA.<Quidway> system-view[Quidway] sysname SwitchA[SwitchA] stp region-configuration[SwitchA-mst-region] region-name RG1[SwitchA-mst-region] instance 1 vlan 2 to 10[SwitchA-mst-region] instance 2 vlan 11 to 20[SwitchA-mst-region] active region-configuration[SwitchA-mst-region] quit

# Configure an MST region on SwitchB.<Quidway> system-view[Quidway] sysname SwitchB[SwitchB] stp region-configuration[SwitchB-mst-region] region-name RG1[SwitchB-mst-region] instance 1 vlan 2 to 10[SwitchB-mst-region] instance 2 vlan 11 to 20[SwitchB-mst-region] active region-configuration[SwitchB-mst-region] quit

# Configure an MST region on SwitchC.<Quidway> system-view[Quidway] sysname SwitchC[SwitchC] stp region-configuration[SwitchC-mst-region] region-name RG1[SwitchC-mst-region] instance 1 vlan 2 to 10[SwitchC-mst-region] instance 2 vlan 11 to 20[SwitchC-mst-region] active region-configuration[SwitchC-mst-region] quit

# Configure an MST region on SwitchD.<Quidway> system-view[Quidway] sysname SwitchD[SwitchD] stp region-configuration[SwitchD-mst-region] region-name RG1[SwitchD-mst-region] instance 1 vlan 2 to 10[SwitchD-mst-region] instance 2 vlan 11 to 20[SwitchD-mst-region] active region-configuration



247

[SwitchD-mst-region] quit

2. In the MST region RG1, configure the root bridge and secondary root bridge in MSTI 1and MSTI 2.

l Configure the root bridge and secondary root bridge in MSTI 1.

# Configure SwitchA as the root bridge in MSTI 1.[SwitchA] stp instance 1 root primary

# Configure SwitchB as the secondary root bridge in MSTI 1.[SwitchB] stp instance 1 root secondary

l Configure the root bridge and secondary root bridge in MSTI 2.

# Configure SwitchB as the root bridge in MSTI 2.[SwitchB] stp instance 2 root primary

# Configure SwitchA as the secondary root bridge in MSTI 2.[SwitchA] stp instance 2 root secondary

3. Set the path costs of the ports to be blocked in MSTI 1 and MSTI 2 to be greater than thedefault value.

NOTE

l The values of path costs depend on path cost calculation methods. This example uses the Huaweicalculation method as an example to set the path costs of the ports to be blocked to 20000.


# Configure SwitchA to use Huawei calculation method to calculate the path cost.[SwitchA] stp pathcost-standard legacy

# Configure SwitchB to use Huawei calculation method to calculate the path cost.[SwitchB] stp pathcost-standard legacy

# Configure SwitchC to use Huawei calculation method to calculate the path cost, and setthe path cost of Eth0/0/2 in MSTI 2 to 20000.[SwitchC] stp pathcost-standard legacy[SwitchC] interface ethernet 0/0/2[SwitchC-Ethernet0/0/2] stp instance 2 cost 20000[SwitchC-Ethernet0/0/2] quit

# Configure SwitchD to use Huawei calculation method to calculate the path cost, and setthe path cost of Eth0/0/2 in MSTI 1 to 20000.[SwitchD] stp pathcost-standard legacy[SwitchD] interface ethernet 0/0/2[SwitchD-Ethernet0/0/2] stp instance 1 cost 20000[SwitchD-Ethernet0/0/2] quit

4. Enable MSTP to eliminate loops.

l Enable MSTP globally.

# Enable MSTP on SwitchA.[SwitchA] stp enable

# Enable MSTP on SwitchB.[SwitchB] stp enable

# Enable MSTP on SwitchC.[SwitchC] stp enable

# Enable MSTP on SwitchD.[SwitchD] stp enable



248

l Disable MSTP on the interface connected to the terminal.# Disable STP on Eth0/0/1 of SwitchC.[SwitchC] interface ethernet 0/0/1[SwitchC-Ethernet0/0/1] stp disable[SwitchC-Ethernet0/0/1] quit

# Disable STP on Eth0/0/1 of SwitchD.[SwitchD] interface ethernet 0/0/1[SwitchD-Ethernet0/0/1] stp disable[SwitchD-Ethernet0/0/1] quit

Step 2 Configure root protection on the designated port of the root bridge.

# Enable root protection on Eth0/0/1 of SwitchA.


# Enable root protection on Eth0/0/1 of SwitchB.

[SwitchB] interface ethernet 0/0/1[SwitchB-Ethernet0/0/1] stp root-protection[SwitchB-Ethernet0/0/1] quit

Step 3 Configure Layer 2 forwarding on devices on the ring network.l Create VLANs 2 to 20 on SwitchA, SwitchB, SwitchC, and SwitchD.

# Create VLANs 2 to 20 on SwitchA.[SwitchA] vlan batch 2 to 20

# Create VLANs 2 to 20 on SwitchB.[SwitchB] vlan batch 2 to 20

# Create VLANs 2 to 20 on SwitchC.[SwitchC] vlan batch 2 to 20

# Create VLANs 2 to 20 on SwitchD.[SwitchD] vlan batch 2 to 20

l Add ports on switching devices to VLANs.# Add Eth0/0/1 on SwitchA to a VLAN.[SwitchA] interface ethernet 0/0/1[SwitchA-Ethernet0/0/1] port link-type trunk[SwitchA-Ethernet0/0/1] port trunk allow-pass vlan 2 to 20[SwitchA-Ethernet0/0/1] quit

# Add Eth0/0/2 on SwitchA to a VLAN.[SwitchA] interface ethernet 0/0/2[SwitchA-Ethernet0/0/2] port link-type trunk[SwitchA-Ethernet0/0/2] port trunk allow-pass vlan 2 to 20[SwitchA-Ethernet0/0/2] quit

# Add Eth0/0/1 on SwitchB to a VLAN.[SwitchB] interface ethernet 0/0/1[SwitchB-Ethernet0/0/1] port link-type trunk[SwitchB-Ethernet0/0/1] port trunk allow-pass vlan 2 to 20[SwitchB-Ethernet0/0/1] quit

# Add Eth0/0/2 on SwitchB to a VLAN.[SwitchB] interface ethernet 0/0/2[SwitchB-Ethernet0/0/2] port link-type trunk[SwitchB-Ethernet0/0/2] port trunk allow-pass vlan 2 to 20[SwitchB-Ethernet0/0/2] quit



249

# Add Eth0/0/1 on SwitchC to a VLAN.[SwitchC] interface ethernet 0/0/1[SwitchC-Ethernet0/0/1] port link-type access[SwitchC-Ethernet0/0/1] port default vlan 2[SwitchC-Ethernet0/0/1] quit

# Add Eth0/0/2 on SwitchC to a VLAN.[SwitchC] interface ethernet 0/0/2[SwitchC-Ethernet0/0/2] port link-type trunk[SwitchC-Ethernet0/0/2] port trunk allow-pass vlan 2 to 20[SwitchC-Ethernet0/0/2] quit

# Add Eth0/0/3 on SwitchC to a VLAN.[SwitchC] interface ethernet 0/0/3[SwitchC-Ethernet0/0/3] port link-type trunk[SwitchC-Ethernet0/0/3] port trunk allow-pass vlan 2 to 20[SwitchC-Ethernet0/0/3] quit

# Add Eth0/0/1 on SwitchD to a VLAN.[SwitchD] interface ethernet 0/0/1[SwitchD-Ethernet0/0/1] port link-type access[SwitchD-Ethernet0/0/1] port default vlan 11[SwitchD-Ethernet0/0/1] quit

# Add Eth0/0/2 on SwitchD to a VLAN.[SwitchD] interface ethernet 0/0/2[SwitchD-Ethernet0/0/2] port link-type trunk[SwitchD-Ethernet0/0/2] port trunk allow-pass vlan 2 to 20[SwitchD-Ethernet0/0/2] quit

# Add Eth0/0/3 on SwitchD to a VLAN.[SwitchD] interface ethernet 0/0/3[SwitchD-Ethernet0/0/3] port link-type trunk[SwitchD-Ethernet0/0/3] port trunk allow-pass vlan 2 to 20[SwitchD-Ethernet0/0/3] quit


After the preceding configurations are complete and the network topology becomes stable,perform the following operations to verify the configuration.

NOTE

MSTI 1 and MSTI 2 are used as examples. You do not need to focus on the interface status in MSTI 0.

# Run the display stp brief command on SwitchA to view the status and protection typeon the ports. The displayed information is as follows:

[SwitchA] display stp brief MSTID Port Role STP State Protection

0 Ethernet0/0/1 DESI FORWARDING ROOT 0 Ethernet0/0/2 DESI FORWARDING NONE 1 Ethernet0/0/1 DESI FORWARDING ROOT 1 Ethernet0/0/2 DESI FORWARDING NONE 2 Ethernet0/0/1 DESI FORWARDING ROOT 2 Ethernet0/0/2 ROOT FORWARDING NONE

In MSTI 1, Eth0/0/1 and Eth0/0/2 are designated ports because SwitchA is the root bridge. InMSTI 2, Eth0/0/1 on SwitchA is the designated port and Eth0/0/2 is the root port.

# Run the display stp brief command on SwitchB. The displayed information is asfollows:

[SwitchB] display stp brief



250

MSTID Port Role STP State Protection 0 Ethernet0/0/1 DESI FORWARDING ROOT 0 Ethernet0/0/2 ROOT FORWARDING NONE 1 Ethernet0/0/1 DESI FORWARDING ROOT 1 Ethernet0/0/2 ROOT FORWARDING NONE 2 Ethernet0/0/1 DESI FORWARDING ROOT 2 Ethernet0/0/2 DESI FORWARDING NONE

In MSTI 2, Eth0/0/1 and Eth0/0/2 are designated ports because SwitchB is the root bridge. InMSTI 1, Eth0/0/1 on SwitchB is the designated port and Eth0/0/2 is the root port.

# Run the display stp interface brief commands on SwitchC. The displayedinformation is as follows:

[SwitchC] display stp interface ethernet 0/0/3 brief MSTID Port Role STP State Protection 0 Ethernet0/0/3 ROOT FORWARDING NONE 1 Ethernet0/0/3 ROOT FORWARDING NONE 2 Ethernet0/0/3 ROOT FORWARDING NONE[SwitchC] display stp interface ethernet 0/0/2 brief MSTID Port Role STP State Protection 0 Ethernet0/0/2 DESI FORWARDING NONE 1 Ethernet0/0/2 DESI FORWARDING NONE 2 Ethernet0/0/2 ALTE DISCARDING NONE

Eth0/0/3 on SwitchC is the root port in MSTI 1 and MSTI 2. Eth0/0/2 on SwitchC is thedesignated port in MSTI 1 but is blocked in MSTI 2.

# Run the display stp interface brief commands on SwitchD. The displayedinformation is as follows:

[SwitchD] display stp interface ethernet 0/0/3 brief MSTID Port Role STP State Protection 0 Ethernet0/0/3 ALTE DISCARDING NONE 1 Ethernet0/0/3 ROOT FORWARDING NONE 2 Ethernet0/0/3 ROOT FORWARDING NONE[SwitchD] display stp interface ethernet 0/0/2 brief MSTID Port Role STP State Protection 0 Ethernet0/0/2 ROOT FORWARDING NONE 1 Ethernet0/0/2 ALTE DISCARDING NONE 2 Ethernet0/0/2 DESI FORWARDING NONE

Eth0/0/3 on SwitchD is the root port in MSTI 1 and MSTI 2. Eth0/0/2 on SwitchD is the blockedport in MSTI 1 and is the designated port in MSTI 2.

----End


#sysname SwitchA#vlan batch 2 to 20#stp instance 1 root primarystp instance 2 root secondarystp pathcost-standard legacy#stp region-configuration region-name RG1 instance 1 vlan 2 to 10 instance 2 vlan 11 to 20 active region-configuration



251

#interface Ethernet0/0/1 port link-type trunk port trunk allow-pass vlan 2 to 20 stp root-protection#interface Ethernet0/0/2 port link-type trunk port trunk allow-pass vlan 2 to 20#return

l Configuration file of SwitchB#sysname SwitchB#vlan batch 2 to 20#stp instance 1 root secondarystp instance 2 root primarystp pathcost-standard legacy#stp region-configuration region-name RG1 instance 1 vlan 2 to 10 instance 2 vlan 11 to 20 active region-configuration#interface Ethernet0/0/1 port link-type trunk port trunk allow-pass vlan 2 to 20 stp root-protection#interface Ethernet0/0/2 port link-type trunk port trunk allow-pass vlan 2 to 20#return

l Configuration file of SwitchC#sysname SwitchC#vlan batch 2 to 20#stp pathcost-standard legacy#stp region-configuration region-name RG1 instance 1 vlan 2 to 10 instance 2 vlan 11 to 20 active region-configuration#interface Ethernet0/0/1 port link-type access port default vlan 2 stp disable#interface Ethernet0/0/2 port link-type trunk port trunk allow-pass vlan 2 to 20 stp instance 2 cost 20000#interface Ethernet0/0/3 port link-type trunk port trunk allow-pass vlan 2 to 20



252

#return

l Configuration file of SwitchD#sysname SwitchD#vlan batch 2 to 20#stp pathcost-standard legacy#stp region-configuration region-name RG1 instance 1 vlan 2 to 10 instance 2 vlan 11 to 20 active region-configuration#interface Ethernet0/0/1 port link-type access port default vlan 11 stp disable#interface Ethernet0/0/2 port link-type trunk port trunk allow-pass vlan 2 to 20 stp instance 1 cost 20000#interface Ethernet0/0/3 port link-type trunk port trunk allow-pass vlan 2 to 20#return



253

10 SEP Configuration

About This Chapter

Smart Ethernet Protection (SEP) is a ring network protocol specially used for the Ethernet linklayer. It blocks redundant links to prevent logical loops on a ring network.

NOTE

Only the S3700 supports SEP.

10.1 SEP OverviewSEP supports the open ring topology, closed ring topology, single ring topology, and multi-ringtopology, and implements link redundancy in these topologies.

10.2 SEP Features Supported by the DeviceThis section describes the SEP features supported by the S2700&S3700 in terms of the SEPconfiguration. The information will help you complete configuration tasks quickly andaccurately.

10.3 Configuring Basic SEP FunctionsWhen there is no faulty link on a ring network running SEP, SEP can eliminate loops on theEthernet. When a link fault occurs on the ring network, SEP can immediately restore thecommunication between the nodes on the network.

10.4 Specifying an Interface to BlockBy default, the blocked interface is one of the two interfaces that complete neighbor negotiationslast. Sometimes, the negotiated blocked interface, however, may not be the expected one. Youcan configure a blocked interface to suit your needs.

10.5 Configuring the Topology Change Notification FunctionThe topology change notification function is configured on the device that connects a lower-layer network to an upper-layer network. This function enables the device to notify the peerdevice of topology changes in the lower-layer and upper-layer networks. All the devices on thenetwork where the peer device resides then delete original MAC addresses and ARP entries andlearn new MAC addresses to ensure uninterrupted traffic forwarding.

10.6 Maintaining SEPThis section describes how to maintain SEP, including clearing SEP statistics.


S2700&S3700 Series Ethernet SwitchesConfiguration Guide - Ethernet 10 SEP Configuration


254

This section describes the typical application scenarios of SEP, networking requirements, andconfiguration roadmap.



255

10.1 SEP OverviewSEP supports the open ring topology, closed ring topology, single ring topology, and multi-ringtopology, and implements link redundancy in these topologies.

IntroductionGenerally, redundant links are used on an Ethernet switching network to provide link backupand enhance network reliability. The use of redundant links, however, may produce loops,causing broadcast storms and rendering the MAC address table unstable. As a result,communication quality deteriorates, and services may even be interrupted.

To solve the loop problem, Huawei datacom devices support the ring network protocols shownin Table 10-1.

Table 10-1 Ring Network Protocol

RingNetworkProtocol

Advantage Disadvantage

DeploymentScenario

STP/RSTP/MSTP

The Spanning Tree Protocol(STP), Rapid Spanning TreeProtocol (RSTP), and Multi-Spanning Tree Protocol(MSTP) are standard protocolsfor breaking loops on Ethernetnetworks. They are mature andwidely used. Huawei devicesrunning one of these protocolscan communicate with non-Huawei devices.

The networkconvergencetime is at thesecond level,failing to meettransmissionrequirementsof some real-time services.Theconvergencetime isaffected by thenetworktopology.

They apply to Layer 2networks that do notrequire fastconvergence.



256

RingNetworkProtocol


DeploymentScenario

RRPP The Rapid Ring ProtectionProtocol (RRPP) is a Huawei-proprietary protocol thatprovides fast convergence(less than 50 ms) and supportsload balancing for differenttypes of traffic.

l A HuaweidevicerunningRRPPcannotcommunicate withnon-Huaweidevices.

l RRPPrequires aphysicaltopology tobe dividedinto logicaltopologiesso thatmajor ringsand sub-rings canbedifferentiated.Therefore,RRPP doesnot applyto complexnetworks.

RRPP applies to singlerings, tangent rings, andintersecting rings thatrequire fastconvergence.



257

RingNetworkProtocol


DeploymentScenario

SEP l SEP is a Huawei-proprietary protocol thatboasts fast convergence(less than 50 ms).

l SEP supports various typesof networking modes. Forexample, a networkrunning SEP can connect toa network running STP,RSTP, MSTP, or RRPP.SEP supports all topologiesand network topologyquery.The blocked interface,therefore, can be quicklylocated. When a faultoccurs, SEP can quicklylocate the fault, improvingnetwork maintainability.

l SEP supports variouspolicies for specifying aninterface to block, whichimplements traffic loadbalancing.

l Devices ona SEPnetworkmust beHuaweidatacomdevices.

l Afternetworkconvergence on aSEPnetwork, aspecifiedinterface isblocked topreventdata trafficfrompassingthrough,even if thelink wheretheinterfaceresides is adirect link.

SEP applies to Layer 2networks that requirefast convergence.

DefinitionsThe SEP protocol is a ring network protocol dedicated to the Ethernet link layer. A SEP segmentis the basic unit for SEP. A SEP segment is composed of multiple interconnected Layer 2switching devices that are configured with the same SEP segment ID and control VLAN ID.

Only two interfaces on a Layer 2 switching device can be added to the same SEP segment. Toprevent loops in a SEP segment, a ring protection mechanism is used to selectively blockinterfaces to eliminate Ethernet redundant links. When a fault occurs on a ring network, thedevice running SEP immediately unblocks the interface and performs link switching to restorecommunication between nodes.

Figure 10-1 shows a typical SEP application. CE1 is connected to Network Provider Edges(NPEs) through a closed-ring formed by switches. A VRRP group is deployed on the NPEs.Initially, NPE1 serves as the master and NPE2 as backup to NPE1. When the link between NPE1and LSW5 or a node on the link becomes faulty, the following situations occur depending onwhether SEP is deployed. The following assumes that the link between LSW1 and LSW5becomes faulty.



258

l If SEP is not deployed on the closed-ring, CE1 traffic is still transmitted along the originalpath, causing traffic interruption.

l If SEP is deployed on the closed-ring, the blocked interface on LSW5 is unblocked, entersthe Forwarding state, and sends Link Status Advertisements (LSAs) to instruct other nodeson the SEP segment to refresh their LSA databases. Then CE1 traffic is transmitted alongbackup link LSW5->LSW2->LSW4->LSW3->NPE1, ensuring uninterrupted traffictransmission.



259

Figure 10-1 Schematic diagram for SEP

Block Port

Primary Edge PortSecondary Edge Port

a,SEP is not deployed on the closed-ring

b,SEP is deployed on the closed-ring

CE1

LSW1

LSW2

LSW3

LSW4

LSW5NPE2

VRRP+peer BFDNPE1

Master

Backup

IP/MPLS Core

CoreAggregationAccess

CE1

LSW1

LSW2

LSW3

LSW4

LSW5NPE2

VRRP+peer BFDNPE1

Master

Backup

IP/MPLS Core


SEP Segment

CE1

LSW1

LSW2

LSW3

LSW4

LSW5NPE2

VRRP+peer BFDNPE1

Master

Backup

IP/MPLS Core


SEP Segment

Basic Concepts

Figure 10-1 and Figure 10-2 describe basic SEP concepts.



260

Figure 10-2 Networking diagram for an open ring running SEP

VLAN/VPLS

LSW1

LSW2

LSW3

LSW4

LSW5

CE

No-Neighbor Primary Edge Port

Block Port

SEP Segment

VLAN/VPLS

LSW1

LSW2

LSW3

LSW4

LSW5

CE

SEP Segment

No-Neighbor Secondary Edge PortPrimary Edge PortSecondary Edge Port

l SEP segment

A SEP segment is the basic unit for SEP. A SEP segment consists of interconnected Layer2 switching devices configured with the same SEP segment ID and control VLAN ID.

A SEP segment is a ring or linear Ethernet topology. Each SEP segment has a controlVLAN, edge interfaces, and common interfaces.

l Control VLAN

In a SEP segment, the control VLAN is used to transmit only SEP packets.

Each SEP segment must have a control VLAN. After an interface is added to a SEP segmentthat has a control VLAN configured, the interface is automatically added to the controlVLAN.

Different SEP segments can use the same control VLAN.

Different from a control VLAN, a data VLAN is used to transmit data packets.

l Node

Each Layer 2 switching device in a SEP segment is a node. Each node can have at mosttwo interfaces added to the same SEP segment.

l Interface role

As defined in SEP, there are two interface roles: common interfaces and edge interfaces.



261

As shown in Table 10-2, edge interfaces are further classified into primary edge interfaces,secondary edge interfaces, no-neighbor primary edge interfaces, and no-neighborsecondary edge interfaces.

NOTE

Normally, edge interfaces and no-neighbor edge interfaces belong to different SEP segments.

Table 10-2 Interface roles

InterfaceRole

Sub-role Description Deployment Scenario

Commoninterface

- In a SEP segment, allinterfaces except edgeinterfaces and blockedinterfaces are commoninterfaces.A common interfacemonitors the status of thedirectly-connected SEPlink. When the link statuschanges, the interface sendsa topology changenotification message tonotify its neighbors. Thenthe topology changenotification message isflooded on the link until itfinally reaches the primaryedge interface. The primaryedge interface determineshow to process the linkchange.

-

Edgeinterface

Primaryedgeinterface

A SEP segment has onlyone primary edge interface,which is determined by theconfiguration and election.The primary edge interfaceinitiates blocked interfacepreemption, terminatespackets, and sends topologychange notificationmessages to othernetworks.

Open-ring networkingClosed-ring networkMulti-ring networkingHybrid SEP+RRPP ringnetworking



262

InterfaceRole


Secondaryedgeinterface

A SEP segment has onlyone secondary edgeinterface, which isdetermined by theconfiguration and election.The secondary edgeinterface terminatespackets and sends topologychange notificationmessages to othernetworks.

No-neighborprimaryedgeinterface

An interface at the edge ofa SEP segment is a no-neighbor edge interface,which is determined by theconfiguration and election.The no-neighbor primaryedge interface terminatespackets and sends topologychange notificationmessages to othernetworks.No-neighbor primary edgeinterfaces are used tointerconnect Huaweidevices and non-Huaweidevices or interconnectHuawei devices anddevices that do not supportSEP.

Hybrid SEP+MSTP ringnetworking

No-neighborsecondaryedgeinterface

The no-neighbor secondaryedge interface terminatespackets and sends topologychange notificationmessages to othernetworks.No-neighbor secondaryedge interfaces are used tointerconnect Huaweidevices and non-Huaweidevices or interconnectHuawei devices anddevices that do not supportSEP.



263

l Blocked interfaceIn a SEP segment, some interfaces are blocked to prevent loops.Any interface in a SEP segment may be blocked if no interface is specified for blocking.A complete SEP segment has only one blocked interface.

l Status of a SEP interfaceIn a SEP segment, a SEP interface has two working states: Forwarding and Discarding, asshown in Table 10-3.

Table 10-3 Interface status

InterfaceStatus

Description

Forwarding The interface can forward user traffic, receive and send SEP packets.

Discarding The interface can receive and send SEP packets but cannot forward usertraffic.

An interface may be in Forwarding or Discarding state regardless of its role.

Process of Breaking a Loop Using SEP1. After a SEP segment is created, the interfaces on each node of the ring network are added

to the SEP segment, and a role is configured for each interface.2. The neighbor negotiation mechanism is started after the interfaces are added to the SEP

segment. One of the two interfaces that complete neighbor negotiations last becomes ablocked interface.

3. The blocked interface sends LSAs to instruct other nodes in the SEP segment to updatetheir LSA databases.The blocked interface does not allow data packets but SEP packets to pass through.

4. After receiving the LSAs, the nodes update their LSA databases and determine forwardingpaths. The loop is successfully broken.

Typical SEP Topologiesl Open-ring networking



264

Figure 10-3 Networking diagram for an open ring running SEP

VLAN/VPLS

LSW1

LSW2

LSW3

LSW4

LSW5

CE

PE-AGG1PE-AGG2

NPE1 NPE2

IP/MPLS Core

SEP Segment

Acc

ess

Agg

rega

tion

Cor

e

Block Port


VRRP+peer BFD

As shown in Figure 10-3, the network consists of the access layer, aggregation layer, andcore layer. The CE is dual-homed to the upstream Layer 2 network through LSW1 toLSW5. LSW1 to LSW5 form an open ring network. The open ring network is at the accesslayer and is used to transparently transmit Layer 2 unicast and multicast services. SEP runsat the access layer to implement link redundancy.On an open ring network, edge interfaces are located on the two edge devices in the SEPsegment.

l Closed-ring network



265

Figure 10-4 Networking diagram for a closed ring running SEP

LSW1

LSW2

LSW3

LSW4

LSW5

CE1

NPE1 NPE2

IP/MPLS Core

CE2 CE3

SEP Segment

Acc

ess

Agg

rega

tion

Cor

e

Block Port


VRRP+peer BFD

As shown in Figure 10-4, the CEs are dual-homed to the upstream Layer 2 network throughLSW1 to LSW5. LSW1 and LSW5 at the edge of the Layer 2 network are directlyconnected. This networking is called a closed ring network. The closed ring network is atthe aggregation layer and is used to aggregate unicast and multicast services. SEP runs atthe aggregation layer to implement link redundancy.On a closed ring network, two edge interfaces are located on the same edge device.

l Multi-ring networking



266

Figure 10-5 Networking diagram for multiple rings running SEP

LSW1

LSW2LSW3

LSW4

LSW5

Block Port

NPE1 NPE2

IP/MPLS Core

SEP Segment 1

LSW6

LSW7

LSW8

LSW10 LSW11

LSW12

LSW13

LSW14

LSW9

Acc

ess

Agg

rega

tion

Cor

e

SEP

Segmen

t 2

SEP

Segment 3

SEP Segment 4

SEP Segment 5

VRRP+peer BFD

As shown in Figure 10-5, LSW1 to LSW14 form multiple rings. LSW1 to LSW5 are atthe aggregation layer, and LSW6 to LSW14 are at the access layer. Layer 2 services aretransparently transmitted at the access layer and the aggregation layer. SEP runs at theaggregation layer and access layer to implement link redundancy. If the topology of theSEP segment at the access layer changes, a node in the SEP segment sends a Flush-FDBpacket to instruct other nodes in the SEP segment to refresh their MAC forwarding tablesand ARP tables. The edge devices in the SEP segment send TC packets to notify devicesat the upper layer of the topology change in the SEP segment.In multi-ring networking, the topology change notification function needs to be configuredamong ring networks.

l Hybrid networking

– Hybrid SEP+MSTP ring networking



267

Figure 10-6 Networking diagram for hybrid rings running SEP and MSTP

LSW1 LSW2

LSW3

Block Port

NPE1 NPE2

IP/MPLS Core

Acc

ess

SEPSegment

MSTP

Agg

rega

tion

Cor

e

PE1 PE2

PE4PE3

No-neighbor Primary Edge Port

No-neighbor Secondary Edge Port

Do not Support SEP

VRRP+peer BFD

As shown in Figure 10-6, LSW1 to LSW3 form a SEP segment to access an MSTPring. The networking is called hybrid SEP+MSTP ring networking. LSW1 to LSW3are at the access layer and transparently transmit Layer 2 unicast and multicast packets.SEP runs at the access layer to implement link redundancy. If the topology of the SEPsegment at the access layer changes, a node in the SEP segment sends a Flush-FDBpacket to instruct other nodes in the SEP segment to refresh their MAC forwardingtables and ARP tables. LSW1 and LSW2 in the SEP segment send TC packets to notifydevices at the upper-layer of the topology change in the SEP segment.In hybrid SEP+MSTP ring networking, no-neighbor edge interfaces need to be deployedon the edge devices of SEP networks, and the SEP networks need to report topologychanges to MSTP networks.

– Hybrid SEP+RRPP ring networking



268

Figure 10-7 Networking diagram for hybrid rings running SEP and RRPP

LSW1 LSW2

LSW3

Block Port

NPE1 NPE2

IP/MPLS Core

Acc

ess SEP

Segment

RRPP

Agg

rega

tion

Cor

e

PE1 PE2

PE4PE3

Primary Edge Port

Secondary Edge Port

VRRP+peer BFD

As shown in Figure 10-7, PE1, PE2 and LSW1 to LSW3 form a SEP segment to accessan RRPP ring. The networking is called hybrid SEP+RRPP ring networking. PE1, PE2and LSW1 to LSW3 are at the access layer and transparently transmit Layer 2 unicastand multicast packets. SEP runs at the access layer to implement link redundancy. Ifthe topology of the SEP segment at the access layer changes, a node in the SEP segmentsends a Flush-FDB packet to instruct other nodes in the SEP segment to refresh theirMAC forwarding tables and ARP tables. PE1 and PE2 at the edge of the SEP segmentsend a TC packet to notify the aggregation layer of the topology change in the SEPsegment.In hybrid SEP+RRPP ring networking, SEP networks need to report topology changesto RRPP networks on the edge devices of SEP networks.

NOTE

The SEP configurations in the preceding topologies are similar, except for the locations and configurationsof the primary edge interface, no-neighbor primary edge interface, secondary edge interface, and no-neighbor secondary edge interface. For details about these interfaces, see Table 10-2.



269

10.2 SEP Features Supported by the DeviceThis section describes the SEP features supported by the S2700&S3700 in terms of the SEPconfiguration. The information will help you complete configuration tasks quickly andaccurately.

SEP configuration roadmap is as follows:

1. After basic SEP functions are configured on devices, the devices start SEP negotiation.One of the two interfaces that complete neighbor negotiations last is blocked to eliminateredundant links.

NOTE

When logging in to nodes on a SEP semi-ring through Stelnet to configure the nodes, note thefollowing points:

l VLANIF interfaces and their IP addresses need to be configured, because these nodes are Layer2 devices. The VLANs to which these VLANIF interfaces correspond must be mapped to SEPprotected instances.

l Basic SEP functions need to be configured from the node at one end of the semi-ring to the nodeat the other end of the semi-ring.

2. In some cases, however, the negotiated blocked interface may not be the required one. Youcan specify an interface to block according to network requirements.

3. To implement load balancing and make efficient use of bandwidth, protected instancesneed to be deployed on a SEP network and mapped to VLANs.

4. A SEP network usually needs to work together with another network running other features.To ensure network reliability, if the topology of one network changes, the other networkmust be able to detect the topology change and take measures to ensure reliable datatransmission. Therefore, the topology change notification function needs to be enabled onthe SEP network.

Specifying an Interface to BlockGenerally, a blocked interface is one of the two interfaces that complete neighbor negotiationslast. In some cases, however, the negotiated blocked interface may not be the required one. Youcan flexibly configure a blocked interface to suit your needs, but this configuration does not takeeffect immediately. The blocked interface will be moved from the current blocked point to thespecified point only after the preemption mechanism works.

l Interface blocking modeYou can configure the interface blocking mode to specify a blocked interface. Table10-4 lists interface blocking modes.



270

Table 10-4 Interface blocking mode

Interface BlockingMode

Description

Specify the interfacewith the highest priorityas the blocked interface.

This mode applies to a large-scale network.After fault recovery, the interface with the highest priority ina SEP segment becomes the blocked interface. In this mode,the priorities of the interfaces in the SEP segment need to beset in advanced.

Specify the interface inthe middle of a SEPsegment as the blockedinterface.

This mode applies to a network where traffic is symmetricallydistributed.After fault recovery, the interface in the middle of a SEPsegment becomes the blocked interface.

Specify a blockedinterface based on theconfigured hop count.

This mode applies to a small-scale network.After fault recovery, a specified interface is blocked based onthe hop count. A network planner needs to be familiar withthe topology of the entire SEP segment and the number ofhops from the blocked interface to the primary edge interface.

Specify a blockedinterface based on thedevice and interfacenames.

This mode applies to a small-scale network.After fault recovery, a specified interface is blocked based onthe device and interface names. A network planner needs tobe familiar with the names of devices and interfaces in theentire SEP segment and ensures that each device name isunique.

l Preemption

After the interface blocking mode is specified, whether a specified interface will be blockedis determined by the preemption mode. Table 10-5 lists the preemption modes.

Table 10-5 Preemption mode

PreemptionMode


Non-preemptionmode

SEP is in non-preemption mode bydefault.In this mode, blockingan interface does notdisconnect any link in aSEP segment.

The blocked interface is one of the twointerfaces that complete neighbornegotiations last.



271

PreemptionMode


Preemptionmode

Delayedpreemption

Each time a fault isrectified, the systemautomaticallycompletes preemptionand ensures that thespecified interface isblocked.

l The delayed preemption mode needsto be specified in advance. There isno default delay in preemption, andthe delay time needs to be configuredusing a command.

l After delayed preemption isconfigured successfully, a fault needsto be simulated to ensure that thespecified interface is blocked.

Manualpreemption

Whether the specifiedinterface will beblocked can becontrolled manually.

l The manual preemption mode needsto be specified in advance.

l After a network fault is rectified andthe preemption action is taken,manual preemption no longer takeseffect.Manual preemption needs to beconfigured again to ensure that theblocked point can be moved to thespecified point after the next fault isrectified. This increases themaintenance workload.

NOTE

In preemption mode, blocking an interface temporarily disconnects a link in a SEP segment.

SEP Topology Change NotificationSEP considers that the topology of a SEP-enabled network changes in either of the followingsituations described in Table 10-6.

Table 10-6 SEP topology changes

SEP TopologyChange

Description

An interfacefault occurs.

If an interface on a device in a complete SEP segment becomes faulty, thetopology of the SEP segment changes.An interface fault may be a link fault or neighboring interface fault.

The fault isrectified and thepreemptionfunction takeseffect.

After faults occur in the SEP segment and the last fault is rectified, theblocked interface is preempted and the topology is considered changed.



272

Table 10-7 lists the scenarios in which topology changes are reported.

Table 10-7 SEP topology change notification

SEPTopologyChangeNotification

Scenario Description Solution

Topologychangenotificationfrom a lower-layer networkto an upper-layer network

A SEP network isconnected to anupper-layer networkrunning otherfeatures such asSEP, STP, RRPPand SmartLink.

l If the blocked interface on alower-layer SEP network ismanually changed, the topologyof the SEP segment changes.Because the upper-layernetwork is unable to detect thetopology change, traffic isinterrupted.

l If an interface on a lower-layerSEP network becomes faulty,the topology of the SEP segmentchanges but the upper-layernetwork is unable to detect thechange. As a result, traffic isinterrupted.

Configurethe SEPtopologychangenotificationfunction.

A host is connectedto a SEP networkusing a SmartLinkgroup.

During an active/standbyswitchover of member interfaces inthe SmartLink group, the host sendsa SmartLink Flush packet to notifyconnected devices in the SEPsegment of the switchover.If connected devices in the SEPsegment cannot identify theSmartLink Flush packet (that is, ifthese connected devices in the SEPsegment is unable to detect anytopology change of the lower-layernetwork), traffic is interrupted.

Enable theedge devicesin the SEPsegment toprocessSmartLinkFlushpackets.

Topologychangenotificationfrom an upper-layer networkto a lower-layernetwork

A SEP network isconnected to anupper-layer networkwhere CFM isdeployed.

If a fault occurs on the upper-layernetwork, the topology of thatnetwork changes but the lower-layer network is unable to detect thechange. As a result, traffic isinterrupted.

Configureassociationbetween SEPand CFM.



273

NOTE

The topology change notification function is configured on the devices that connect both upper-layer andlower-layer networks. When the topology of either of the networks changes, these devices can inform theother network of the change.

10.3 Configuring Basic SEP FunctionsWhen there is no faulty link on a ring network running SEP, SEP can eliminate loops on theEthernet. When a link fault occurs on the ring network, SEP can immediately restore thecommunication between the nodes on the network.


Before configuring basic SEP functions, complete the following tasks:

l Establishing the ring networking

l Ensuring that the devices are powered on correctly and operate properly

10.3.1 Configuring a SEP Segment

Context

A SEP segment is the basic unit for SEP. A SEP segment consists of interconnected Layer 2switching devices configured with the same SEP segment ID and control VLAN ID.

Procedure



Step 2 Run:sep segment segment-id

A SEP segment is created and the view of the SEP segment is displayed.

----End

10.3.2 Configuring a Control VLAN

Context

In a SEP segment, a control VLAN is used to transmit SEP packets but not service packets,enhancing SEP security. Each SEP segment must be configured with a control VLAN. Afterbeing added to a SEP segment configured with a control VLAN, an interface is added to thecontrol VLAN automatically.

NOTE

On a SEP network that has no-neighbor edge interfaces, a device that is not in a SEP segment cannot beadded to the control VLAN of the SEP segment. Otherwise, a loop will occur on the network.



274

Procedure





Step 3 Run:control-vlan vlan-id

A control VLAN is configured for the SEP segment to transmit SEP packets.

The control VLAN must be not created, and is not used by RRPP, VLAN mapping, and VLANstacking. Additionally, no interface is added to the control VLAN in trunk, access, hybrid, orqinq mode.

l Different SEP segments can use the same control VLAN.l If an interface has been added to the SEP segment, the control VLAN of the SEP segment

cannot be deleted directly. To delete the control VLAN, run the undo sep segmentsegment-id command in the interface view to delete the interface from the SEP segment,and then run the undo control-vlan command in the SEP segment view to delete thecontrol VLAN.

l If no interface is added to the SEP segment, you can run the control-vlan vlan-idcommand multiple times. Only the latest configuration takes effect.

l After the control VLAN is created successfully, the command used to create a commonVLAN will be displayed in the configuration file.Each SEP segment must be configured with a control VLAN. After an interface is added toa SEP segment configured with a control VLAN, the interface is automatically added to thecontrol VLAN.– If the interface type is trunk, in the configuration file, the port trunk allow-pass

vlan command is displayed in the view of the interface added to the SEP segment.

– If the interface type is hybrid, in the configuration file, the port hybrid taggedvlan command is displayed in the view of the interface added to the SEP segment.

----End

10.3.3 Creating a Protected Instance

ContextInterfaces can be added to a SEP segment only after the SEP segment is configured with protectedinstances.

Procedure




275




Step 3 Run:protected-instance { all | { instance-id1 [ to instance-id2 ] } &<1-10> }

A protected instance is created in a SEP segment.

By default, no protected instance is configured in a SEP segment.

----End

10.3.4 Adding a Layer 2 Interface to a SEP Segment and Configuringa Role for the Interface

ContextTo ensure that SEP packets are forwarded correctly in a SEP segment, add Layer 2 interfaces tothe SEP segment and configure different roles for the interfaces.

After an interface is added to a SEP segment, the interface sets its interface role to the primaryedge interface if the interface has the right to participate in primary edge interface election. Then,the interface periodically sends a primary edge interface election packet without waiting for thesuccess of neighbor negotiations.

A primary edge interface election packet contains the interface role (primary edge interface,secondary edge interface, or common interface), bridge MAC address of the interface, interfaceID, and integrity of the topology database.

Table 10-8 lists interface roles.



276

Table 10-8 Interface roles

InterfaceRole


Commoninterface

- In a SEP segment, allinterfaces except edgeinterfaces and blockedinterfaces are commoninterfaces.A common interfacemonitors the status of thedirectly-connected SEP link.When the link status changes,the interface sends a topologychange notification messageto notify its neighbors. Thenthe topology changenotification message isflooded on the link until itfinally reaches the primaryedge interface. The primaryedge interface determineshow to process the linkchange.

-

Edge interface Primaryedgeinterface

A SEP segment has only oneprimary edge interface,which is determined by theconfiguration and election.The primary edge interfaceinitiates blocked interfacepreemption, terminatespackets, and sends topologychange notification messagesto other networks.

Open-ring networkingClosed-ring networkingMulti-ring networkingHybrid SEP+RRPP ringnetworking

Secondaryedgeinterface

A SEP segment has only onesecondary edge interface,which is determined by theconfiguration and election.The secondary edge interfaceterminates packets and sendstopology change notificationmessages to other networks.



277

InterfaceRole


No-neighborprimaryedgeinterface

An interface at the edge of aSEP segment is a no-neighbor edge interface,which is determined by theconfiguration and election.The no-neighbor primaryedge interface terminatespackets and sends topologychange notification messagesto other networks.No-neighbor primary edgeinterfaces are used tointerconnect Huawei devicesand non-Huawei devices orinterconnect Huawei devicesand devices that do notsupport SEP.

Hybrid SEP+MSTP ringnetworking

No-neighborsecondaryedgeinterface

The no-neighbor secondaryedge interface terminatespackets and sends topologychange notification messagesto other networks.No-neighbor secondary edgeinterfaces are used tointerconnect Huawei devicesand non-Huawei devices orinterconnect Huawei devicesand devices that do notsupport SEP.

NOTE

Normally, edge interfaces and no-neighbor edge interfaces belong to different SEP segments.

Before adding a Layer 2 interface to a SEP segment, ensure that STP has been disabled on the interface(except that the interface is a no-neighbor edge interface).

Before adding an interface to a SEP segment, disable Smart Link on the interface.

Before adding an interface to a SEP segment, configure protected instances for the SEP segment.

Procedure





278


The view of an Ethernet interface added to the SEP segment is displayed.

Step 3 (Optional) Run:stp disable

STP is disabled on the interface.

Step 4 Run:sep segment segment-id [ edge [ no-neighbor ] { primary | secondary } ]

The Ethernet interface is added to a specified SEP segment and a role is configured for theinterface.

NOTE

An interface can be added to a maximum of two SEP segments.

----End


Procedurel Run the display sep segment { segment-id | all } command to check the

configurations of SEP segments.

l Run the display sep interface [ interface-type interface-number |segment segment-id ] [ verbose ] command to check information about interfacesthat are added to a specified SEP segment.

l Run the display sep topology [ segment segment-id ] [ verbose ]command to check the topology status of a specified SEP segment.

----End

10.4 Specifying an Interface to BlockBy default, the blocked interface is one of the two interfaces that complete neighbor negotiationslast. Sometimes, the negotiated blocked interface, however, may not be the expected one. Youcan configure a blocked interface to suit your needs.

10.4.1 Setting an Interface Blocking Mode

Context

In a SEP segment, some interfaces are blocked to prevent loops.

You can configure the interface blocking mode to specify a blocked interface. Table 10-9 listsinterface blocking modes.



279

Table 10-9 Interface blocking mode

Interface BlockingMode

Description

Specify the interface withthe highest priority as theblocked interface.

This mode applies to a large-scale network.After fault recovery, the interface with the highest priority in aSEP segment becomes the blocked interface. In this mode, thepriorities of the interfaces in the SEP segment need to be set inadvanced.

Specify the interface inthe middle of a SEPsegment as the blockedinterface.

This mode applies to a network where traffic is symmetricallydistributed.After fault recovery, the interface in the middle of a SEP segmentbecomes the blocked interface.

Specify a blockedinterface based on theconfigured hop count.

This mode applies to a small-scale network.After fault recovery, a specified interface is blocked based on thehop count. A network planner needs to be familiar with thetopology of the entire SEP segment and the number of hops fromthe blocked interface to the primary edge interface.

Specify a blockedinterface based on thedevice and interfacenames.

This mode applies to a small-scale network.After fault recovery, a specified interface is blocked based on thedevice and interface names. A network planner needs to befamiliar with the names of devices and interfaces in the entireSEP segment and ensures that each device name is unique.

Perform the following operations on the device where the primary edge interface or no-neighborprimary edge interface is located:

Procedure





Step 3 Run:block port { optimal | middle | hop hop-id | sysname sysname interface { interface-type interface-number | interface-name } }

An interface blocking mode is set.

By default, one of the interfaces at two ends of the link that is set up last or recovers from a faultlast is blocked.

----End



280

Follow-up ProcedureIf the interface with the highest priority is specified to block, run the sep segment segment-id priority priority command in the view of the interface to be blocked to increase itspriority. When a fault is rectified, the specified interface is blocked.

The default priority of an interface added to a SEP segment is 64. The priority value of aninterface is an integer that ranges from 1 to 128. A larger priority value indicates a higher priority.

10.4.2 Configuring the Preemption Mode

ContextAfter the interface blocking mode is specified, whether a specified interface will be blocked isdetermined by the preemption mode. Table 10-10 lists the preemption modes.

Table 10-10 Preemption mode

PreemptionMode


Non-preemptionmode

SEP is in non-preemption mode bydefault.In this mode, blocking aninterface does notdisconnect any link in aSEP segment.

The blocked interface is one of the twointerfaces that complete neighbornegotiations last.

Preemptionmode

Delayedpreemption

Each time a fault isrectified, the systemautomatically completespreemption and ensuresthat the specifiedinterface is blocked.

l The delayed preemption mode needs tobe specified in advance. There is nodefault delay in preemption, and thedelay time needs to be configured usinga command.

l After delayed preemption is configuredsuccessfully, a fault needs to besimulated to ensure that the specifiedinterface is blocked.

Manualpreemption

Whether the specifiedinterface will be blockedcan be controlledmanually.

l The manual preemption mode needs tobe specified in advance.

l After a network fault is rectified and thepreemption action is taken, manualpreemption no longer takes effect.Manual preemption needs to beconfigured again to ensure that theblocked point can be moved to thespecified point after the next fault isrectified. This increases themaintenance workload.



281

The following conditions must be met to trigger preemption:

l The SEP segment topology is complete.

l The primary edge interface or no-neighbor primary edge interface has been elected in theSEP segment.

l The function of flexibly specifying a blocked interface is enabled on the device where theprimary edge interface or no-neighbor primary edge interface resides.

Perform the following operations on the Layer 2 switching device where the primary edgeinterface or no-neighbor primary edge interface resides.

Procedure





Step 3 Run:preempt { manual | delay seconds }

The preemption mode is configured on the primary edge interface.

By default, no preemption mode is configured on the primary edge interface, that is, the non-preemption mode is used.

----End


Procedurel Run the display sep topology [ segment segment-id ] [ verbose ]

command to check the topology status of a specified SEP segment.

----End

10.5 Configuring the Topology Change NotificationFunction

The topology change notification function is configured on the device that connects a lower-layer network to an upper-layer network. This function enables the device to notify the peerdevice of topology changes in the lower-layer and upper-layer networks. All the devices on thenetwork where the peer device resides then delete original MAC addresses and ARP entries andlearn new MAC addresses to ensure uninterrupted traffic forwarding.



282

10.5.1 Reporting Topology Changes in a Lower-Layer Network -SEP Topology Change Notification

ContextSEP runs on devices at the access layer. The topology change notification function enablesdevices to detect topology changes on the upper and lower-layer networks.

If the upper-layer network fails to be notified of the topology change in a SEP segment, the MACaddress entries remain unchanged on the upper layer network and user traffic may be interrupted.To ensure uninterrupted traffic forwarding, configure devices on the lower-layer network toreport topology changes to the upper-layer network and specify the devices on the upper-layernetwork that will be notified of topology changes.

NOTE

Currently, topology changes in a SEP segment can be reported to other SEP segments, STP networks,RRPP networks, and SmartLink networks.

After receiving a topology change notification from a lower-layer network, a device on the upper-layer network sends TC packets to instruct other devices on the upper-layer network to clearoriginal MAC addresses and learn new MAC addresses after the topology of the lower-layernetwork changes. This ensures uninterrupted traffic forwarding.

Procedure





Step 3 Run:tc-notify { segment { segment-id1 [ to segment-id2 ] } &<1-10> | stp | rrpp | smart-link send-packet vlan vlan-id }

The topology change of the specified SEP segment is reported to another SEP segment or anetwork running other ring protocols such as STP or RRPP.

By default, the topology change of a SEP segment is not reported.

----End

Follow-up ProcedureIn the networking scenario where three or more SEP ring networks exist, when a topology changenotification is sent through multiple links, the upper-layer network will receive it multiple times.This reduces packet processing efficiency on the upper-layer network. Therefore, topologychange notifications need to be suppressed. Suppressing topology change notifications frees theupper-layer network from processing multiple duplicate packets and protects the devices in theSEP segment against topology change notification attacks.



283

Run the tc-protection interval interval-value command in the SEP segmentview to set the interval for suppressing topology change notifications.

By default, the interval for suppressing topology change notifications is 2s, and three topologychange notifications with different source addresses are processed within 2s.

NOTE

l In the networking scenario where three or more SEP ring networks exist, the tc-protectioninterval interval-value command must be run. If this command is not run, the default intervalfor suppressing topology change notifications is used.

l A longer interval ensures stable SEP operation but reduces convergence performance.

10.5.2 Reporting Topology Changes in a Lower-Layer Network -Enabling the Devices in a SEP Segment to Process SmartLink FlushPackets

ContextWhen a host is connected to a SEP network using a SmartLink group, the host sends SmartLinkFlush packets to inform the remote device in the SEP segment if devices in the SmartLink groupexperience an active/standby switchover. Therefore, devices in a SEP segment must be able toprocess SmartLink Flush packets.

Procedure





Step 3 Run:deal smart-link-flush

The device in a SEP segment is configured to process SmartLink Flush packets.

By default, no device in a SEP segment is configured to process SmartLink Flush packets.

Step 4 Run:quit




Step 6 Run:smart-link flush receive control-vlan vlan-id [ password { simple | sha } password ]



284

The interface is configured to receive Flush packets.

By default, an interface is prohibited form receiving Flush packets.

The password parameter is optional. If no password is specified, no password is used forauthentication.

The control VLAN ID and password contained in Flush packets on both devices must be thesame.

----End

10.5.3 Reporting Topology Changes in an Upper-Layer Network -Configuring Association Between SEP and CFM

ContextSEP runs on devices at the access layer or aggregation layer. To enable devices running SEP todetect the topology changes in an upper-layer network, you must configure on SEP and CFMassociation the device connecting the lower-layer network to the upper-layer network.

When CFM detects a fault on the upper-layer network, the edge device sends a CFM packet tonotify the OAM module of the fault. Then the SEP status of the interface associated with CFMon the edge device changes to Down.

The peer device (on the SEP segment) of the edge device notifies other nodes in the same SEPsegment of topology changes by sending Flush-FDB packets. After a device in the SEP segmentreceives the Flush-FDB packet, the blocked interface on the device is unblocked, enters theForwarding state, and sends a Flush-FDB packet to instruct other nodes in the SEP segment torefresh their MAC forwarding tables and ARP tables. Therefore, the lower-layer network canthen detect the faults on the upper-layer network, ensuring reliable service transmission.

NOTE

IEEE 802.1ag, also known as Connectivity Fault Management (CFM), defines OAM functions, such ascontinuity check (CC), link trace (LT) and loopback (LB), for Ethernet networks. CFM is network-levelOAM and applies to large-scale end-to-end networking.

Procedure



Step 2 Run:oam-mgr

The OAM management view is displayed.

Step 3 Run:oam-bind ingress cfm md md-name ma ma-name egress sep segment segment-id interface interface-type interface-number

Association between SEP and CFM is configured.

----End



285


Procedurel Run the display sep interface verbose command to check information about

the interfaces added to a SEP segment.l Run the display this command in the OAM management view to check the

configuration of topology change notification on the upper-layer network topology.

----End

10.6 Maintaining SEPThis section describes how to maintain SEP, including clearing SEP statistics.

10.6.1 Clearing SEP StatisticsYou can run the reset command to clear existing SEP statistics before re-collecting SEP statistics.

Context

NOTICESEP statistics cannot be restored after being cleared. Therefore, exercise caution when you runreset commands.

Procedure

Step 1 Run the reset sep interface interface-type interface-numberstatistics command in the user view to clear SEP packet statistics on a specified interfacein a SEP segment.

----End

10.7 Configuration ExamplesThis section describes the typical application scenarios of SEP, networking requirements, andconfiguration roadmap.

10.7.1 Example for Configuring SEP on a Closed Ring Network

Networking RequirementsGenerally, redundant links are used to connect an Ethernet switching network to an upper-layernetwork to provide link backup and enhance network reliability. The use of redundant links,



286

however, may produce loops, causing broadcast storms and rendering the MAC address tableunstable. As a result, communication quality deteriorates, and services may even be interrupted.SEP can be deployed on the ring network to eliminate loops and restore communication if a linkfault occurs.

In the closed ring networking, CE1 is dual-homed to a Layer 2 network through multiple Layer2 switching devices. The two edge devices connected to the upper-layer Layer 2 network aredirectly connected to each other. The closed ring network is deployed at the aggregation layerto transparently transmit Layer 2 unicast and multicast packets. SEP runs at the aggregation layerto implement link redundancy.

As shown in Figure 10-8, Layer 2 switching devices LSW1 to LSW5 form a ring network.

SEP runs at the aggregation layer.

l When there is no faulty link on a ring network, SEP can eliminate loops on the network.

l When a link fails on the ring network, SEP can rapidly restore communication betweennodes on the network.

Figure 10-8 Networking diagram of a closed ring SEP network

Block Port

Primary Edge Port

LSW1

LSW2LSW3

LSW4

LSW5

SEP Segment1

Eth0/0/1

Eth0/0/1

Eth0/0/1 Eth0/0/1

Eth0/0/2

Eth0/0/1

Eth0/0/2

Eth0/0/2

Secondary Edge Port

IP/MPLS Core

Eth0/0/2 Eth0/0/2

Eth0/0/3

Eth0/0/3

Eth0/0/3Eth0/0/1

CE1

VLAN 100

Acc

ess

Agg

rega

tion

Cor

e



287


1. Configure basic SEP functions.

a. Configure SEP segment 1 on LSW1 to LSW5 and configure VLAN 10 as the controlVLAN of SEP segment 1.

b. Add all devices on the ring to SEP segment 1, and configure the roles of Eth0/0/1 andEth0/0/3 of LSW1 in SEP segment 1.

c. On the device where the primary edge interface is located, specify the interface withthe highest priority to block.

d. Set priorities of the interfaces in the SEP segment.Set the highest priority for Eth0/0/2 of LSW3 and retain the default priority of theother interfaces so that Eth0/0/2 of LSW3 will be blocked.

e. Configure delayed preemption on the device where the primary edge interface islocated.

2. Configure the Layer 2 forwarding function on CE1 and LSW1 to LSW5.

Procedure

Step 1 Configure basic SEP functions.

1. Configure SEP segment 1 on LSW1 to LSW5 and configure VLAN 10 as the control VLANof SEP segment 1.# Configure LSW1.<Quidway> system-view[Quidway] sysname LSW1[LSW1] sep segment 1[LSW1-sep-segment1] control-vlan 10[LSW1-sep-segment1] protected-instance all[LSW1-sep-segment1] quit

# Configure LSW2.<Quidway> system-view[Quidway] sysname LSW2[LSW2] sep segment 1[LSW2-sep-segment1] control-vlan 10[LSW2-sep-segment1] protected-instance all[LSW2-sep-segment1] quit



# Configure LSW5.<Quidway> system-view[Quidway] sysname LSW5



288

[LSW5] sep segment 1[LSW5-sep-segment1] control-vlan 10[LSW5-sep-segment1] protected-instance all[LSW5-sep-segment1] quit

NOTE

l The control VLAN must be a VLAN that has not been created or used, but the configuration fileautomatically displays the command for creating the VLAN.

l Each SEP segment must be configured with a control VLAN. After an interface is added to theSEP segment configured with a control VLAN, the interface is automatically added to the controlVLAN.

2. Add all devices on the ring to SEP segment 1 and configure interface roles on the devices.

NOTE

By default, STP is enabled on a Layer 2 interface. Before adding an interface to a SEP segment,disable STP on the interface.

# On LSW1, configure Eth0/0/1 as the primary edge interface and Eth0/0/3 as the secondaryedge interface.[LSW1] interface ethernet 0/0/1

[LSW1-Ethernet0/0/1] stp disable[LSW1-Ethernet0/0/1] sep segment 1 edge primary[LSW1-Ethernet0/0/1] quit[LSW1] interface ethernet 0/0/3

[LSW1-Ethernet0/0/3] stp disable[LSW1-Ethernet0/0/3] sep segment 1 edge secondary[LSW1-Ethernet0/0/3] quit

# Configure LSW2.[LSW2] interface ethernet 0/0/1

[LSW2-Ethernet0/0/1] stp disable[LSW2-Ethernet0/0/1] sep segment 1[LSW2-Ethernet0/0/1] quit[LSW2] interface ethernet 0/0/2

[LSW2-Ethernet0/0/2] stp disable[LSW2-Ethernet0/0/2] sep segment 1[LSW2-Ethernet0/0/2] quit









289




3. Specify an interface to block.

# On LSW1 where the primary edge interface is located, specify the interface with thehighest priority to block.[LSW1] sep segment 1[LSW1-sep-segment1] block port optimal

4. Set the priority of Eth0/0/2 on LSW3.[LSW3] interface ethernet 0/0/2[LSW3-Ethernet0/0/2] sep segment 1 priority 128[LSW3-Ethernet0/0/2] quit

5. Configure the preemption mode.

# Configure delayed preemption on LSW1.[LSW1-sep-segment1] preempt delay 30[LSW1-sep-segment1] quit

NOTE

l You must set the preemption delay when delayed preemption is used because there is no defaultdelay time.

l When the last faulty interface recovers, edge interfaces do not receive any fault notificationpacket. If the primary edge interface does not receive any fault notification packet, it starts thedelay timer. When the delay timer expires, nodes in the SEP segment start blocked interfacepreemption.

To implement delayed preemption in this example, simulate a port fault and then rectify the fault.For example:

Run the shutdown command on Eth0/0/1 of LSW2 to simulate an interface fault, and then runthe undo shutdown command on Eth0/0/2 to rectify the fault.

Step 2 Configure the Layer 2 forwarding function on CE1 and LSW1 to LSW5.

For details about the configuration, see the configuration files.


l Run the shutdown command on Eth0/0/1 of LSW3 to simulate an interface fault, and thenrun the display sep interface command on LSW3 to check whether Eth0/0/2 ofLSW3 has switched from the Discarding state to the Forwarding state.<LSW3> display sep interface ethernet 0/0/2SEP segment 1----------------------------------------------------------------Interface Port Role Neighbor Status Port Status----------------------------------------------------------------Eth0/0/2 common up forwarding

----End



290

Configuration Filesl Configuration file of LSW1

# sysname LSW1# vlan batch 10 100 200#sep segment 1 control-vlan 10 block port optimal preempt delay 30 protected-instance 0 to 48#interface Ethernet0/0/1

port hybrid tagged vlan 10 100 stp disable sep segment 1 edge primary#interface Ethernet0/0/2

port hybrid pvid vlan 200 port hybrid tagged vlan 100 port hybrid untagged vlan 200#interface Ethernet0/0/3

port hybrid tagged vlan 10 100 200 stp disable sep segment 1 edge secondary#return

l Configuration file of LSW2# sysname LSW2# vlan batch 10 100#sep segment 1 control-vlan 10 protected-instance 0 to 48#interface Ethernet0/0/1

port hybrid tagged vlan 10 100 stp disable sep segment 1#interface Ethernet0/0/2

port hybrid tagged vlan 10 100 stp disable sep segment 1#return

l Configuration file of LSW3# sysname LSW3# vlan batch 10 100#sep segment 1 control-vlan 10 protected-instance 0 to 48



291

#interface Ethernet0/0/1


port hybrid tagged vlan 10 100 stp disable sep segment 1 sep segment 1 priority 128#interface Ethernet0/0/3

port hybrid tagged vlan 100#return




l Configuration file of LSW5# sysname LSW5# vlan batch 10 100 200#sep segment 1 control-vlan 10 protected-instance 0 to 48#interface Ethernet0/0/1


port hybrid pvid vlan 200 port hybrid tagged vlan 100 port hybrid untagged vlan 200#interface Ethernet0/0/3



292

port hybrid tagged vlan 10 100 200 stp disable sep segment 1#return

l Configuration file of CE1# sysname CE1# vlan batch 100#interface Ethernet0/0/1


10.7.2 Example for Configuring SEP on a Multi-Ring Network

Networking RequirementsGenerally, redundant links are used to connect an Ethernet switching network to an upper-layernetwork to provide link backup and enhance network reliability. The use of redundant links,however, may produce loops, causing broadcast storms and rendering the MAC address tableunstable. As a result, communication quality deteriorates, and services may even be interrupted.SEP can be deployed on the ring network to eliminate loops and restore communication if a linkfault occurs.

In multi-ring networking, multiple rings consisting of Layer 2 switching devices are deployedat the access layer and aggregation layer. SEP runs at the access layer and aggregation layer toimplement link redundancy.

As shown in Figure 10-9, multiple Layer 2 switching devices form ring networks at the accesslayer and aggregation layer.

SEP runs at the access layer and aggregation layer. When there is no faulty link on a ring network,SEP can eliminate loops on the network. When a link fails on the ring network, SEP can rapidlyrestore communication between nodes on the network.



293

Figure 10-9 Networking diagram of a multi-ring SEP network

Block Port

Primary Edge Port

Secondary Edge Port

IP/MPLS Core

Eth0/0/2

Cor

e

LSW1

LSW2LSW3

LSW4

LSW5

SEP Segment 1

LSW6

LSW7

LSW8

LSW10

LSW11

LSW9

Acc

ess

Agg

rega

tion

SEP

Segmen

t 2 SEP Segment 3

CE2

VLAN 200

Eth0/0/2

Eth0/0/1

CE1

VLAN 100

Eth0/0/1

Eth0/0/3

Eth0/0/2

Eth0/0/3

Eth0/0/1Eth0/0/1

Eth0/0/2Eth0/0/3

Eth0/0/1

Eth0/0/2

Eth0/0/1 Eth0/0/2Eth0/0/1

Eth0/0/2

Eth0/0/1Eth0/0/1

Eth0/0/3

Eth0/0/1

Eth0/0/3

Eth0/0/1

Eth0/0/2Eth0/0/1Eth0/0/2Eth0/0/4

Eth0/0/1Eth0/0/2

Eth0/0/3

Control VLAN 10

Control VLAN 20

Control VLAN 30



a. Configure SEP segments 1 to 3 and configure VLAN 10, VLAN 20, and VLAN 30as their respective control VLANs.



294

l Configure SEP segment 1 on LSW1 to LSW5 and configure VLAN 10 as thecontrol VLAN of SEP segment 1.

l Configure SEP segment 2 on LSW2, LSW3, and LSW6 to LSW8, and configureVLAN 20 as the control VLAN of SEP segment 2.

l Configure SEP segment 3 on LSW3, LSW4, and LSW9 to LSW11, and configureVLAN 30 as the control VLAN of SEP segment 3.

b. Add devices on the rings to the SEP segments and configure interface roles on theedge devices of the SEP segments.

l On LSW1 to LSW5, add the interfaces on the ring at the access layer to SEPsegment 1. Configure the roles of Eth0/0/1 and Eth0/0/3 of LSW1 in SEP segment1.

l Add Eth0/0/2 of LSW2, Eth0/0/1 and Eth0/0/2 of LSW6 to LSW8, and Eth0/0/2of LSW3 to SEP segment 2. Configure the roles of Eth0/0/2 of LSW2 andEth0/0/2 of LSW3 in SEP segment 2.

l Add Eth0/0/1 of LSW3, Eth0/0/1 and Eth0/0/2 of LSW9 to LSW11, andEth0/0/1 of LSW4 to SEP segment 3. Configure the roles of Eth0/0/1 of LSW3and Eth0/0/1 of LSW4 in SEP segment 3.

c. Specify an interface to block on the device where the primary edge interface is located.

l In SEP segment 1, specify the interface with the highest priority to block.

l In SEP segment 2, specify the device and interface names to block the specifiedinterface.

l In SEP segment 3, specify the blocked interface based on the configured hop count.d. Configure the preemption mode on the device where the primary edge interface is

located.Configure delayed preemption in SEP segment 1 and manual preemption in SEPsegment 2 and SEP segment 3.

e. Configure the topology change notification function on the edge devices between SEPsegments, namely, LSW2, LSW3, and LSW4.

2. Configure the Layer 2 forwarding function on CE1, CE2, and LSW1 to LSW11.

Procedure


1. Configure SEP segments 1 to 3 and configure VLAN 10, VLAN 20, and VLAN 30 as theirrespective control VLANs, as shown in Figure 10-9.# Configure LSW1.<Quidway> system-view[Quidway] sysname LSW1[LSW1] sep segment 1[LSW1-sep-segment1] control-vlan 10[LSW1-sep-segment1] protected-instance all[LSW1-sep-segment1] quit

# Configure LSW2.<Quidway> system-view[Quidway] sysname LSW2[LSW2] sep segment 1[LSW2-sep-segment1] control-vlan 10[LSW2-sep-segment1] protected-instance all



295

[LSW2-sep-segment1] quit[LSW2] sep segment 2[LSW2-sep-segment2] control-vlan 20[LSW2-sep-segment2] protected-instance all[LSW2-sep-segment2] quit

# Configure LSW3.<Quidway> system-view[Quidway] sysname LSW3[LSW3] sep segment 1[LSW3-sep-segment1] control-vlan 10[LSW3-sep-segment1] protected-instance all[LSW3-sep-segment1] quit[LSW3] sep segment 2[LSW3-sep-segment2] control-vlan 20[LSW3-sep-segment2] protected-instance all[LSW3-sep-segment2] quit[LSW3] sep segment 3[LSW3-sep-segment3] control-vlan 30[LSW3-sep-segment3] protected-instance all[LSW3-sep-segment3] quit

# Configure LSW4.<Quidway> system-view[Quidway] sysname LSW4[LSW4] sep segment 1[LSW4-sep-segment1] control-vlan 10[LSW4-sep-segment1] protected-instance all[LSW4-sep-segment1] quit[LSW4] sep segment 3[LSW4-sep-segment3] control-vlan 30[LSW4-sep-segment3] protected-instance all[LSW4-sep-segment3] quit


# Configure LSW6 to LSW11.

The configurations of LSW6 to LSW11 are similar to the configurations of LSW1 toLSW5 except for the control VLANs of different SEP segments.


NOTE



2. Add devices on the rings to the SEP segments and configure interface roles according toFigure 10-9.

NOTE

By default, STP is enabled on a Layer 2 interface. Before adding an interface to a SEP segment,disable STP on the interface.

# On LSW1, configure Eth0/0/1 as the primary edge interface and Eth0/0/3 as the secondaryedge interface.



296

[LSW1] interface ethernet 0/0/1

[LSW1-Ethernet0/0/1] stp disable[LSW1-Ethernet0/0/1] sep segment 1 edge primary[LSW1-Ethernet0/0/1] quit[LSW1] interface ethernet 0/0/3

[LSW1-Ethernet0/0/3] stp disable[LSW1-Ethernet0/0/3] sep segment 1 edge secondary[LSW1-Ethernet0/0/3] quit# Configure LSW2.[LSW2] interface ethernet 0/0/1



[LSW2-Ethernet0/0/2] stp disable[LSW2-sEthernet0/0/2] sep segment 2 edge primary[LSW2-Ethernet0/0/2] quit# Configure LSW3.[LSW3] interface ethernet 0/0/3



[LSW3-Ethernet0/0/2] stp disable[LSW3-Ethernet0/0/2] sep segment 2 edge secondary[LSW3-Ethernet0/0/2] quit[LSW3] interface ethernet 0/0/1

[LSW3-Ethernet0/0/1] stp disable[LSW3-Ethernet0/0/1] sep segment 3 edge secondary[LSW3-Ethernet0/0/1] quit# Configure LSW4.[LSW4] interface ethernet 0/0/2



[LSW4-Ethernet0/0/1] stp disable[LSW4-Ethernet0/0/1] sep segment 3 edge primary[LSW4-Ethernet0/0/1] quit# Configure LSW5.



297

[LSW5] interface ethernet 0/0/1



# Configure LSW6 to LSW11.The configurations of LSW6 to LSW11 are similar to the configurations of LSW1 toLSW5 except for the interface roles.For details about the configuration, see the configuration files.

3. Specify an interface to block.# On LSW1 where the primary edge interface of SEP segment 1 is located, specify theinterface with the highest priority to block.[LSW1] sep segment 1[LSW1-sep-segment1] block port optimal[LSW1-sep-segment1] quit

# On LSW3, set the priority of Eth0/0/4 to 128, which is the highest priority among theinterfaces so that Eth0/0/4 will be blocked.[LSW3] interface ethernet 0/0/4[LSW3-Ethernet0/0/4] sep segment 1 priority 128[LSW3-Ethernet0/0/4] quit

Retain the default priority of the other interfaces in SEP segment 1.# On LSW2 where the primary edge interface of SPE segment 2 is located, specify thedevice and interface names so that the specified interface will be blocked.Before specifying the interface to block, use the display sep topology commandto view the current topology information and obtain information about all the interfaces inthe topology. Then specify the device and interface names.[LSW2] sep segment 2[LSW2-sep-segment2] block port sysname LSW7 interface ethernet 0/0/1[LSW2-sep-segment2] quit

# On LSW4 where the primary edge interface of SEP segment 3 is located, specify theblocked interface based on the configured hop count.[LSW4] sep segment 3[LSW4-sep-segment3] block port hop 5[LSW4-sep-segment3] quit

NOTE

SEP sets the hop count of the primary edge interface to 1 and the hop count of the secondary edgeinterface to 2. Hop counts of other interfaces increase by steps of 1 in the downstream direction ofthe primary interface.

4. Configure the preemption mode.# Configure delayed preemption on LSW1.[LSW1] sep segment 1[LSW1-sep-segment1] preempt delay 30



298

NOTE

l You must set the preemption delay when delayed preemption is used because there is no defaultdelay time.

l When the last faulty interface recovers, edge interfaces do not receive any fault notificationpacket. If the primary edge interface does not receive any fault notification packet, it starts thedelay timer. When the delay timer expires, nodes in the SEP segment start blocked interfacepreemption.

To implement delayed preemption in this example, simulate a port fault and then rectify the fault.For example:

Run the shutdown command on Eth0/0/1 of LSW2 to simulate an interface fault, and then runthe undo shutdown command on Eth0/0/2 to rectify the fault.

# Configure manual preemption on LSW2.[LSW2] sep segment 2[LSW2-sep-segment2] preempt manual

# Configure the manual preemption mode on LSW4.[LSW4] sep segment 3[LSW4-sep-segment3] preempt manual

5. Configure the topology change notification function.# Configure devices in SEP segment 2 to notify SEP segment 1 of topology changes.# Configure LSW2.[LSW2] sep segment 2[LSW2-sep-segment2] tc-notify segment 1[LSW2-sep-segment2] quit

# Configure LSW3.[LSW3] sep segment 2[LSW3-sep-segment2] tc-notify segment 1[LSW3-sep-segment2] quit

# Configure SEP segment 3 to notify SEP segment 1 of topology changes.# Configure LSW3.[LSW3] sep segment 3[LSW3-sep-segment3] tc-notify segment 1[LSW3-sep-segment3] quit

# Configure LSW4.[LSW4] sep segment 3[LSW4-sep-segment3] tc-notify segment 1[LSW4-sep-segment3] quit

NOTE

The topology change notification function is configured on edge devices between SEP segments sothat the upper-layer network can be notified of topology changes on the lower-layer network.

Step 2 Configure the Layer 2 forwarding function on the CEs and LSW1 to LSW11.



After completing the preceding configurations, verify the configuration. LSW1 is used as anexample.

l Run the shutdown command on Eth0/0/1 of LSW2 to simulate an interface fault, and thenrun the display sep interface command on LSW3 to check whether Eth0/0/4 ofLSW3 has switched from the Discarding state to the Forwarding state.



299

<LSW3> display sep interface ethernet 0/0/4SEP segment 1----------------------------------------------------------------Interface Port Role Neighbor Status Port Status----------------------------------------------------------------Eth0/0/4 common up forwarding

----End


# sysname LSW1# vlan batch 10 100 200 300#sep segment 1 control-vlan 10 block port optimal preempt delay 30 protected-instance 0 to 48#interface Ethernet0/0/1

port hybrid tagged vlan 10 100 200 stp disable sep segment 1 edge primary#interface Ethernet0/0/2

port hybrid pvid vlan 300 port hybrid tagged vlan 100 200 port hybrid untagged vlan 300#interface Ethernet0/0/3

port hybrid tagged vlan 10 100 200 300 stp disable sep segment 1 edge secondary#return

l Configuration file of LSW2# sysname LSW2# vlan batch 10 20 100 200#sep segment 1 control-vlan 10 protected-instance 0 to 48sep segment 2 control-vlan 20 block port sysname LSW7 interface Ethernet0/0/1 tc-notify segment 1 protected-instance 0 to 48#interface Ethernet0/0/1

port hybrid tagged vlan 10 100 200 stp disable sep segment 1#interface Ethernet0/0/2



300



l Configuration file of LSW3# sysname LSW3# vlan batch 10 20 30 100 200#sep segment 1 control-vlan 10 protected-instance 0 to 48sep segment 2 control-vlan 20 tc-notify segment 1 protected-instance 0 to 48sep segment 3 control-vlan 30 tc-notify segment 1 protected-instance 0 to 48#interface Ethernet0/0/1

port hybrid tagged vlan 30 100 stp disable sep segment 3 edge secondary#interface Ethernet0/0/2

port hybrid tagged vlan 20 200 stp disable sep segment 2 edge secondary#interface Ethernet0/0/3


port hybrid tagged vlan 10 100 200 stp disable sep segment 1 sep segment 1 priority 128#return

l Configuration file of LSW4# sysname LSW4# vlan batch 10 30 100 200#sep segment 1 control-vlan 10 protected-instance 0 to 48sep segment 3



301

control-vlan 30 block port hop 5 tc-notify segment 1 protected-instance 0 to 48#interface Ethernet0/0/1




l Configuration file of LSW5# sysname LSW5# vlan batch 10 100 200 300#sep segment 1 control-vlan 10 protected-instance 0 to 48#interface Ethernet0/0/1


port hybrid pvid vlan 300 port hybrid tagged vlan 100 200 port hybrid untagged vlan 300#interface Ethernet0/0/3

port hybrid tagged vlan 10 100 200 300 stp disable sep segment 1#return




302










l Configuration file of LSW9# sysname LSW9



303

# vlan batch 30 100#sep segment 3 control-vlan 30 protected-instance 0 to 48#interface Ethernet0/0/1











304






10.7.3 Example for Configuring a Hybrid SEP+MSTP Ring Network


Generally, redundant links are used to connect an Ethernet switching network to an upper-layernetwork to provide link backup and enhance network reliability. The use of redundant links,however, may produce loops, causing broadcast storms and rendering the MAC address tableunstable. As a result, communication quality deteriorates, and services may even be interrupted.SEP can be deployed on the ring network to eliminate loops and restore communication if a linkfault occurs.

NOTE

In this example, devices at the aggregation layer run the MSTP protocol.

As shown in Figure 10-10, multiple Layer 2 switching devices form a ring at the access layer,and multiple Layer 3 devices form a ring at the aggregation layer. The two devices where theaccess layer and the aggregation layer are intersected do not support SEP. You can configureSEP at the access layer to implement redundancy protection switching and configure thetopology change notification function on an edge device in a SEP segment. This function enablesan upper-layer network to detect topology changes in a lower-layer network in time.

l When there is no faulty link on the ring network, SEP can eliminate loops.

l When a link fails on the ring network, SEP can rapidly restore communication betweennodes.

l The topology change notification function must be configured on an edge device in a SEPsegment. This enables an upper-layer network to detect topology changes in a lower-layernetwork in time.



305

After receiving a message indicating the topology change in a lower-layer network, a device onan upper-layer network sends TC packets to instruct other devices to delete original MACaddresses and learn new MAC addresses after the topology of the lower-layer network changes.This ensures uninterrupted traffic forwarding.

Figure 10-10 Networking diagram of a hybrid-ring SEP network

LSW1 LSW2

LSW3

Block Port(SEP)

IP/MPLS Core

Acc

ess

SEPSegment1

Agg

rega

tion

Cor

e

PE1 PE2

PE4PE3

No-neighbor Primary Edge Port

No-neighbor Secondary Edge Port

Do not Support SEPEth0/0/1 Eth0/0/1Eth0/0/1Eth0/0/1

Eth0/0/1

Eth0/0/1Eth0/0/1

Eth0/0/2Eth0/0/2

Eth0/0/2

Eth0/0/2

Eth0/0/2

Eth0/0/2

Eth0/0/3

Eth0/0/3 Eth0/0/3Eth0/0/2

VLAN100

Eth0/0/3

Eth0/0/1

Block Port(MSTP)

CE

MSTP





306

a. Configure SEP segment 1 on LSW1 to LSW3 and configure VLAN 10 as the controlVLAN of SEP segment 1.

b. Add LSW1 to LSW3 to SEP segment 1 and configure interface roles on the edgedevices (LSW1 and LSW2) of the SEP segment.

NOTE

PE1 and PE2 do not support the SEP protocol; therefore, the interfaces of LSW1 and LSW2connected to the PEs must be no-neighbor edge interfaces.

c. On the device where the no-neighbor primary edge interface is located, specify theinterface in the middle of the SEP segment as the interface to block.

d. Configure manual preemption.e. Configure the topology change notification function so that the upper-layer network

running MSTP can be notified of topology changes in the SEP segment.2. Configure basic MSTP functions.

a. Add LSW1, LSW2, PE1 to PE4 to an MST region RG1.b. Create VLANs on LSW1, LSW2, PE1 to PE4 and add interfaces on the STP ring to

the VLANs.c. Configure PE3 as the root bridge and PE4 as the backup root bridge.

3. Configure the Layer 2 forwarding function on CE and LSW1 to LSW3.

Procedure


1. Configure SEP segment 1 on LSW1 to LSW3 and configure VLAN 10 as the control VLANof SEP segment 1.# Configure LSW1.<Quidway> system-view[Quidway] sysname LSW1[LSW1] sep segment 1[LSW1-sep-segment1] control-vlan 10[LSW1-sep-segment1] protected-instance all[LSW1-sep-segment1] quit





307

NOTE



2. Add LSW1 to LSW3 to SEP segment 1 and configure interface roles.


[LSW1-Ethernet0/0/1] sep segment 1 edge no-neighbor primary[LSW1-Ethernet0/0/1] quit[LSW1] interface ethernet 0/0/2



[LSW2-Ethernet0/0/1] sep segment 1 edge no-neighbor secondary[LSW2-Ethernet0/0/1] quit[LSW2] interface ethernet 0/0/2





3. Specify an interface to block.

# On LSW1 where the no-neighbor primary edge interface of SEP segment 1 is located,specify the interface in the middle of the SEP segment as the interface to block.[LSW1] sep segment 1[LSW1-sep-segment1] block port middle

4. Configure the preemption mode.

# Configure the manual preemption mode on LSW1.[LSW1-sep-segment1] preempt manual

5. Configure the topology change notification function.

# Configure devices in SEP segment 1 to notify the MSTP network of topology changes.

# Configure LSW1.[LSW1-sep-segment1] tc-notify stp[LSW1-sep-segment1] quit

# Configure LSW2.



308

[LSW2] sep segment 1[LSW2-sep-segment1] tc-notify stp[LSW2-sep-segment1] quit

Step 2 Configure basic MSTP functions.

1. Configure an MST region.# Configure PE1.<Quidway> system-view[Quidway] sysname PE1[PE1] stp region-configuration[PE1-mst-region] region-name RG1[PE1-mst-region] active region-configuration[PE1-mst-region] quit

# Configure PE2.<Quidway> system-view[Quidway] sysname PE2[PE2] stp region-configuration[PE2-mst-region] region-name RG1[PE2-mst-region] active region-configuration[PE2-mst-region] quit



# Configure LSW1.[LSW1] stp region-configuration[LSW1-mst-region] region-name RG1[LSW1-mst-region] active region-configuration[LSW1-mst-region] quit

# Configure LSW2.[LSW2] stp region-configuration[LSW2-mst-region] region-name RG1[LSW2-mst-region] active region-configuration[LSW2-mst-region] quit

2. Create VLANs and add interfaces to VLANs.# On PE1, create VLAN 100 and add Eth0/0/1, Eth0/0/2, and Eth0/0/3 to VLAN 100.[PE1] vlan 100[PE1-vlan100] quit[PE1] interface ethernet 0/0/1

[PE1-Ethernet0/0/1] port hybrid tagged vlan 100[PE1-Ethernet0/0/1] quit[PE1] interface ethernet 0/0/2

[PE1-Ethernet0/0/2] port hybrid tagged vlan 100[PE1-Ethernet0/0/2] quit[PE1] interface ethernet 0/0/3



309

[PE1-Ethernet0/0/3] port hybrid tagged vlan 100[PE1-Ethernet0/0/3] quit

# On PE2, PE3, and PE4, create VLAN 100 and add Eth0/0/1, Eth0/0/2, and Eth0/0/3 toVLAN 100.

The configurations of PE2, PE3, and PE4 are similar to the configuration of PE1. For detailsabout the configuration, see the configuration files.

# On LSW1 and LSW2, create VLAN 100 and add Eth0/0/1 to VLAN 100. Theconfigurations of LSW1 and LSW2 are similar to the configuration of PE1. For detailsabout the configuration, see the configuration files.

3. Enable MSTP.

# Configure PE1.[PE1] stp enable




# Configure LSW1.[LSW1] stp enable

# Configure LSW2.[LSW2] stp enable

4. Configure PE3 as the root bridge and PE4 as the backup root bridge.

# Set the priority of PE3 to 0 in MSTI0 to ensure that PE3 functions as the root bridge.[PE3] stp root primary

# Set the priority of PE4 to 4096 in MSTI0 to ensure that PE4 functions as the backup rootbridge.[PE4] stp root secondary

Step 3 Configure the Layer 2 forwarding function on the CE and LSW1 to LSW3.



After the configurations are complete and network becomes stable, run the following commandsto verify the configuration. LSW1 is used as an example.

l Run the shutdown command on Eth0/0/1 of LSW2 to simulate an interface fault, and thenrun the display sep interface command on LSW3 to check whether Eth0/0/2 ofLSW3 has switched from the Discarding state to the Forwarding state.<LSW3> display sep interface ethernet 0/0/2SEP segment 1----------------------------------------------------------------Interface Port Role Neighbor Status Port Status----------------------------------------------------------------Eth0/0/2 common up forwarding

----End



310


#sysname LSW1#vlan batch 10 100#stp region-configuration region-name RG1 active region-configuration#sep segment 1 control-vlan 10 block port middle tc-notify stp protected-instance 0 to 48#interface Ethernet0/0/1

port hybrid tagged vlan 10 100 sep segment 1 edge no-neighbor primary #interface Ethernet0/0/2


l Configuration file of LSW2# sysname LSW2# vlan batch 10 100#stp region-configuration region-name RG1 active region-configuration#sep segment 1 control-vlan 10 tc-notify stp protected-instance 0 to 48#interface Ethernet0/0/1

port hybrid tagged vlan 10 100 sep segment 1 edge no-neighbor secondary#interface Ethernet0/0/2


l Configuration file of LSW3# sysname LSW3# vlan batch 10 100#sep segment 1 control-vlan 10



311

protected-instance 0 to 48#interface Ethernet0/0/1



port hybrid tagged vlan vlan 100#return

l Configuration file of PE1# sysname PE1# vlan batch 100# stp region-configuration region-name RG1 active region-configuration#interface Ethernet0/0/1

port hybrid tagged vlan 100#interface Ethernet0/0/2



l Configuration file of PE2# sysname PE2# vlan batch 100# stp region-configuration region-name RG1 active region-configuration#interface Ethernet0/0/1






312

l Configuration file of PE3# sysname PE3# vlan batch 100 200# stp instance 0 root primary# stp region-configuration region-name RG1 active region-configuration#interface Ethernet0/0/1


port hybrid tagged vlan 100 200#interface Ethernet0/0/3

port hybrid pvid vlan 200 port hybrid tagged vlan 100 port hybrid untagged vlan 200#return

l Configuration file of PE4# sysname PE4# vlan batch 100 200# stp instance 0 root secondary# stp region-configuration region-name RG1 active region-configuration#interface Ethernet0/0/1


port hybrid tagged vlan 100 200#interface Ethernet0/0/3

port hybrid pvid vlan 200 port hybrid tagged vlan 100 port hybrid untagged vlan 200#return

l Configuration file of CE# sysname CE# vlan batch 100#interface Ethernet0/0/1




313

10.7.4 Example for Configuring a Hybrid SEP+RRPP Ring NetworkIn the networking of this example, you can configure SEP at the access layer to implementredundancy protection switching and configure the topology change notification function on anedge device in a SEP segment. This enables an upper-layer network to detect topology changesin a lower-layer network in time.

Networking RequirementsGenerally, redundant links are used to connect an Ethernet switching network to an upper-layernetwork to provide link backup and enhance network reliability. The use of redundant links,however, may produce loops, causing broadcast storms and rendering the MAC address tableunstable. As a result, communication quality deteriorates, and services may even be interrupted.SEP can be deployed on the ring network to eliminate loops and restore communication if a linkfault occurs.



314

Figure 10-11 Hybrid rings running SEP and RRPP

LSW1 LSW2

LSW3

Block Port(SEP)

NPE1 NPE2

NetworkA

cces

s

SEPSegment1

RRPP

Agg

rega

tion

PE1 PE2

PE4PE3

Primary Edge Port

Secondary Edge Port

Eth0/0/1 Eth0/0/1Eth0/0/1Eth0/0/1

Eth0/0/1

Eth0/0/1Eth0/0/1

Eth0/0/2Eth0/0/2

Eth0/0/2

Eth0/0/2

Eth0/0/2

Eth0/0/2

Eth0/0/3

Eth0/0/3 Eth0/0/3Eth0/0/2

VLAN100

Eth0/0/3

Eth0/0/1

Block Port(RRPP)

CE

As shown in Figure 10-11, multiple Layer 2 switching devices at the access layer andaggregation layer form a ring network to access the core layer. RRPP has been configured at theaggregation layer to eliminate loops. In this case, SEP needs to run at the access layer toimplement the following functions:

l Eliminates loops when there is no faulty link on the ring network.l Rapidly restores communication between nodes when a link fault occurs on the ring

network.l Provides the topology change notification function on an edge device in a SEP segment.

This function enables an upper-layer network to detect topology changes in a lower-layernetwork in time.



315

After receiving a message indicating the topology change in a lower-layer network, a deviceon an upper-layer network sends TC packets to instruct other devices to delete originalMAC addresses and learn new MAC addresses after the topology of the lower-layernetwork changes. This ensures uninterrupted traffic forwarding.




a. Configure SEP segment 1 on PE1, PE2, and LSW1 to LSW3 and configure VLAN10 as the control VLAN of SEP segment 1.

b. Add PE1, PE2, and LSW1 to LSW3 to SEP segment 1, and configure interface roleson edge devices (PE1 and PE2) of the SEP segment.

c. Set an interface blocking mode on the device where a primary edge interface is locatedto specify an interface to block.

d. Configure the preemption mode to ensure that the specified interface is blocked whena fault is rectified.

e. Configure the topology change notification function so that the topology change inthe local SEP segment can be notified to the upper-layer network where RRPP isenabled.

2. Configure basic RRPP functions.

a. Add PE1 to PE4 to RRPP domain 1, create control VLAN 5 on PE1 to PE4, andconfigure a protected VLAN.

b. Configure PE1 as the master node and PE2 to PE4 as transit nodes on the major ring,and configure the primary and secondary interfaces of the major ring.

c. Create a VLAN on PE1 to PE4, and add the interfaces on the RRPP ring network tothe VLAN.

3. Configure the Layer 2 forwarding function on the CE, LSW1 to LSW3, and PE1 to PE4.

Procedure


1. Configure SEP segment 1 on PE1, PE2, and LSW1 to LSW3 and configure VLAN 10 asthe control VLAN of SEP segment 1.

# Configure PE1.<Quidway> system-view[Quidway] sysname PE1[PE1] sep segment 1[PE1-sep-segment1] control-vlan 10[PE1-sep-segment1] protected-instance all[PE1-sep-segment1] quit

# Configure PE2.<Quidway> system-view[Quidway] sysname PE2[PE2] sep segment 1[PE2-sep-segment1] control-vlan 10[PE2-sep-segment1] protected-instance all[PE2-sep-segment1] quit



316




2. Add PE1, PE2, and LSW1 to LSW3 to SEP segment 1 and configure interface roles.

NOTE

By default, STP is enabled on an interface. Before adding an interface to a SEP segment, disable STPon the interface.

# Configure PE1.[PE1] interface ethernet 0/0/1[PE1-Ethernet0/0/1] stp disable[PE1-Ethernet0/0/1] sep segment 1 edge primary[PE1-Ethernet0/0/1] quit

# Configure LSW1.[LSW1] interface ethernet 0/0/1[LSW1-Ethernet0/0/1] stp disable[LSW1-Ethernet0/0/1] sep segment 1[LSW1-Ethernet0/0/1] quit[LSW1] interface ethernet 0/0/2[LSW1-Ethernet0/0/2] stp disable[LSW1-Ethernet0/0/2] sep segment 1[LSW1-Ethernet0/0/2] quit



# Configure PE2.



317

[PE2] interface ethernet 0/0/1[PE2-Ethernet0/0/1] stp disable[PE2-Ethernet0/0/1] sep segment 1 edge secondary[PE2-Ethernet0/0/1] quit

After completing the preceding configurations, run the display sep topology command onPE1 to view the topology of the SEP segment. The command output shows that the blockedinterface is one of the two interfaces that complete neighbor negotiations last.[PE1] display sep topologySEP segment 1-----------------------------------------------------------------System Name Port Name Port Role Port Status-----------------------------------------------------------------PE1 Eth0/0/1 primary forwardingLSW1 Eth0/0/1 common forwardingLSW1 Eth0/0/2 common forwardingLSW3 Eth0/0/2 common forwardingLSW3 Eth0/0/1 common forwardingLSW2 Eth0/0/2 common forwardingLSW2 Eth0/0/1 common forwardingPE2 Eth0/0/1 secondary discarding

3. Set an interface blocking mode.# In SEP segment 1, block the interface in the middle of the SEP segment on PE1 wherethe primary edge interface resides.[PE1] sep segment 1[PE1-sep-segment1] block port middle

4. Set the preemption mode.# In SEP segment 1, set manual preemption on PE1 where the primary edge interfaceresides.[PE1-sep-segment1] preempt manual

5. Configure the topology change notification function.# Configure devices in SEP segment 1 to notify topology changes to the RRPP ring network.# Configure PE1.[PE1-sep-segment1] tc-notify rrpp[PE1-sep-segment1] quit

# Configure PE2.[PE2] sep segment 1[PE2-sep-segment1] tc-notify rrpp[PE2-sep-segment1] quit

After the preceding configurations are successful, perform the following operations to verify theconfigurations. PE1 is used as an example.

l Run the display sep topology command on PE1 to view the topology of the SEPsegment.The command output shows that the status of Eth 0/0/2 on LSW3 is discarding and the statusof the other interfaces is forwarding.[PE1] display sep topologySEP segment 1-----------------------------------------------------------------System Name Port Name Port Role Port Status-----------------------------------------------------------------PE1 Eth0/0/1 primary forwardingLSW1 Eth0/0/1 common forwardingLSW1 Eth0/0/2 common forwardingLSW3 Eth0/0/2 common discardingLSW3 Eth0/0/1 common forwarding



318

LSW2 Eth0/0/2 common forwardingLSW2 Eth0/0/1 common forwardingPE2 Eth0/0/1 secondary forwarding

l Run the display sep interface verbose command on PE1 to view detailedinformation about the interfaces added to the SEP segment.[PE1] display sep interface verboseSEP segment 1Control-vlan :10Preempt Delay Timer :0TC-Notify Propagate to :rrpp----------------------------------------------------------------Interface :Eth0/0/1Port Role :Config = primary / Active = primaryPort Priority :64Port Status :forwardingNeighbor Status :upNeighbor Port :LSW1 - Eth0/0/1 (00e0-0829-7c00.0000)NBR TLV rx :2124 tx :2126LSP INFO TLV rx :2939 tx :135LSP ACK TLV rx :113 tx :768PREEMPT REQ TLV rx :0 tx :3PREEMPT ACK TLV rx :3 tx :0TC Notify rx :5 tx :3EPA rx :363 tx :397

Step 2 Configure basic RRPP functions.

1. Add PE1 to PE4 to RRPP domain 1, create control VLAN 5 on PE1 to PE4, and configurea protected VLAN.# Configure PE1.[PE1] stp region-configuration[PE1-mst-region] instance 1 vlan 5 6 100[PE1-mst-region] active region-configuration[PE1-mst-region] quit[PE1] rrpp domain 1[PE1-rrpp-domain-region1] control-vlan 5[PE1-rrpp-domain-region1] protected-vlan reference-instance 1

# Configure PE2.[PE2] stp region-configuration[PE2-mst-region] instance 1 vlan 5 6 100[PE2-mst-region] active region-configuration[PE2-mst-region] quit[PE2] rrpp domain 1[PE2-rrpp-domain-region1] control-vlan 5[PE2-rrpp-domain-region1] protected-vlan reference-instance 1





319

2. Create a VLAN and add interfaces on the ring network to the VLAN.

# Create VLAN 100 on PE1, and add Eth 0/0/1, Eth 0/0/2, and Eth 0/0/3 to VLAN 100.[PE1] vlan 100[PE1-vlan100] quit[PE1] interface ethernet 0/0/1[PE1-Ethernet0/0/1] stp disable[PE1-Ethernet0/0/1] port link-type trunk[PE1-Ethernet0/0/1] port trunk allow-pass vlan 100[PE1-Ethernet0/0/1] quit[PE1] interface ethernet 0/0/2[PE1-Ethernet0/0/2] stp disable[PE1-Ethernet0/0/2] port link-type trunk[PE1-Ethernet0/0/2] port trunk allow-pass vlan 100[PE1-Ethernet0/0/2] quit[PE1] interface ethernet 0/0/3[PE1-Ethernet0/0/3] stp disable[PE1-Ethernet0/0/3] port link-type trunk[PE1-Ethernet0/0/3] port trunk allow-pass vlan 100[PE1-Ethernet0/0/3] quit

# Create VLAN 100 on PE2, and add Eth 0/0/1, Eth 0/0/2, and Eth 0/0/3 to VLAN 100.[PE2] vlan 100[PE2-vlan100] quit[PE2] interface ethernet 0/0/1[PE2-Ethernet0/0/1] stp disable[PE2-Ethernet0/0/1] port link-type trunk[PE2-Ethernet0/0/1] port trunk allow-pass vlan 100[PE2-Ethernet0/0/1] quit[PE2] interface ethernet 0/0/2[PE2-Ethernet0/0/2] stp disable[PE2-Ethernet0/0/2] port link-type trunk[PE2-Ethernet0/0/2] port trunk allow-pass vlan 100[PE2-Ethernet0/0/2] quit[PE2] interface ethernet 0/0/3[PE2-Ethernet0/0/3] stp disable[PE2-Ethernet0/0/3] port link-type trunk[PE2-Ethernet0/0/3] port trunk allow-pass vlan 100[PE2-Ethernet0/0/3] quit

# Create VLAN 100 on PE3, and add Eth 0/0/1 and Eth 0/0/2 to VLAN 100.[PE3] vlan 100[PE3-vlan100] quit[PE3] interface ethernet 0/0/1[PE3-Ethernet0/0/1] stp disable[PE3-Ethernet0/0/1] port link-type trunk[PE3-Ethernet0/0/1] port trunk allow-pass vlan 100[PE3-Ethernet0/0/1] quit[PE3] interface ethernet 0/0/2[PE3-Ethernet0/0/2] stp disable[PE3-Ethernet0/0/2] port link-type trunk[PE3-Ethernet0/0/2] port trunk allow-pass vlan 100[PE3-Ethernet0/0/2] quit

# Create VLAN 100 on PE4, and add Eth 0/0/1 and Eth 0/0/2 to VLAN 100.[PE4] vlan 100[PE4-vlan100] quit[PE4] interface ethernet 0/0/1[PE4-Ethernet0/0/1] stp disable[PE4-Ethernet0/0/1] port link-type trunk[PE4-Ethernet0/0/1] port trunk allow-pass vlan 100[PE4-Ethernet0/0/1] quit[PE4] interface ethernet 0/0/2[PE4-Ethernet0/0/2] stp disable[PE4-Ethernet0/0/2] port link-type trunk[PE4-Ethernet0/0/2] port trunk allow-pass vlan 100



320

[PE4-Ethernet0/0/2] quit

3. Configure PE1 as the master node and PE2 to PE4 as transit nodes of the major ring, andconfigure the primary and secondary interfaces of the major ring.

# Configure PE1.[PE1] rrpp domain 1[PE1-rrpp-domain-region1] ring 1 node-mode master primary-port ethernet0/0/2 secondary-port ethernet0/0/3 level 0[PE1-rrpp-domain-region1] ring 1 enable

# Configure PE2.[PE2] rrpp domain 1[PE2-rrpp-domain-region1] ring 1 node-mode transit primary-port ethernet0/0/2 secondary-port ethernet0/0/3 level 0[PE2-rrpp-domain-region1] ring 1 enable



4. Enable RRPP.

# Configure PE1.[PE1] rrpp enable




After completing the preceding configurations, run the display rrpp brief or displayrrpp verbose domain command on PE1 to check the RRPP configuration.[PE1] display rrpp briefAbbreviations for Switch Node Mode :M - Master , T - Transit , E - Edge , A - Assistant-Edge

RRPP Protocol Status: EnableRRPP Working Mode: HWRRPP Linkup Delay Timer: 0 sec (0 sec default)Number of RRPP Domains: 1

Domain Index : 1Control VLAN : major 5 sub 6Protected VLAN : Reference Instance 1Hello Timer : 1 sec(default is 1 sec) Fail Timer : 6 sec(default is 6 sec) Ring Ring Node Primary/Common Secondary/Edge Is ID Level Mode Port Port Enabled ---------------------------------------------------------------------------- 1 0 M Ethernet0/0/2 Ethernet0/0/3 Yes

The command output shows that RRPP is enabled on PE1. In domain 1, VLAN 5 is the majorcontrol VLAN, VLAN 6 is the sub-control VLAN, Instance 1 is the protected VLAN, and PE1



321

is the master node in major ring 1 with the primary and secondary interfaces as Ethernet0/0/2and Ethernet0/0/3 respectively.

[PE1] display rrpp verbose domain 1Domain Index : 1Control VLAN : major 5 sub 6Protected VLAN : Reference Instance 1Hello Timer : 1 sec(default is 1 sec) Fail Timer : 6 sec(default is 6 sec)

RRPP Ring : 1Ring Level : 0Node Mode : MasterRing State : CompleteIs Enabled : Enable Is Active: YesPrimary port : Ethernet0/0/2 Port status: UPSecondary port : Ethernet0/0/3 Port status: BLOCKED

The command output shows that in domain 1, VLAN 5 is the major control VLAN, VLAN 6 isthe sub-control VLAN, Instance 1 is the protected VLAN, PE1 is the master node in major ring1 with the primary and secondary interfaces as Ethernet0/0/2 and Ethernet0/0/3 respectively,and the node status is Complete.

Step 3 Configure the Layer 2 forwarding function on the CE, LSW1 to LSW3, and PE1 to PE4.

For the configuration details, see the configuration files.


After the previous configurations, run the following commands to verify the configuration whenthe network is stable. LSW1 is used as an example.

l Run the shutdown command on Eth0/0/1 of LSW2 to simulate an interface fault, and thenrun the display sep interface command on LSW3 to check whether the status ofEth0/0/2 changes from blocked to forwarding.[LSW3] display sep interface ethernet 0/0/2SEP segment 1----------------------------------------------------------------Interface Port Role Neighbor Status Port Status----------------------------------------------------------------Eth0/0/2 common up forwarding

----End


# sysname LSW1# vlan batch 10 100#sep segment 1 control-vlan 10 protected-instance 0 to 48#interface Ethernet0/0/1 port link-type trunk port trunk allow-pass vlan 10 100 stp disable sep segment 1#interface Ethernet0/0/2 port link-type trunk



322

port trunk allow-pass vlan 10 100 stp disable sep segment 1#return

l Configuration file of LSW2# sysname LSW2# vlan batch 10 100#sep segment 1 control-vlan 10 protected-instance 0 to 48#interface Ethernet0/0/2 port link-type trunk port trunk allow-pass vlan 10 100 stp disable sep segment 1#interface Ethernet0/0/1 port link-type trunk port trunk allow-pass vlan 10 100 stp disable sep segment 1#return

l Configuration file of LSW3# sysname LSW3# vlan batch 10 100#sep segment 1 control-vlan 10 protected-instance 0 to 48#interface Ethernet0/0/1 port link-type trunk port trunk allow-pass vlan 10 100 stp disable sep segment 1#interface Ethernet0/0/2 port link-type trunk port trunk allow-pass vlan 10 100 stp disable sep segment 1#interface Ethernet0/0/3 port link-type trunk port trunk allow-pass vlan 100#return

l Configuration file of PE1# sysname PE1# vlan batch 5 to 6 10 100# rrpp enable# stp region-configuration



323

instance 1 vlan 5 to 6 100 active region-configuration#rrpp domain 1 control-vlan 5 protected-vlan reference-instance 1 ring 1 node-mode master primary-port Ethernet 0/0/2 secondary-port Ethernet 0/0/3 level 0 ring 1 enable#sep segment 1 control-vlan 10 block port middle tc-notify rrpp protected-instance 0 to 48#interface Ethernet0/0/1 port link-type trunk port trunk allow-pass vlan 10 100 stp disable sep segment 1 edge primary#interface Ethernet0/0/2 port link-type trunk port trunk allow-pass vlan 5 to 6 100 stp disable#interface Ethernet0/0/3 port link-type trunk port trunk allow-pass vlan 5 to 6 100 stp disable#return

l Configuration file of PE2# sysname PE2# vlan batch 5 to 6 10 100# rrpp enable# stp region-configuration instance 1 vlan 5 to 6 100 active region-configuration#rrpp domain 1 control-vlan 5 protected-vlan reference-instance 1 ring 1 node-mode transit primary-port Ethernet 0/0/2 secondary-port Ethernet 0/0/3 level 0 ring 1 enable#sep segment 1 control-vlan 10 tc-notify rrpp protected-instance 0 to 48#interface Ethernet0/0/1 port link-type trunk port trunk allow-pass vlan 10 100 stp disable sep segment 1 edge secondary#interface Ethernet0/0/2 port link-type trunk port trunk allow-pass vlan 5 to 6 100



324

stp disable#interface Ethernet0/0/3 port link-type trunk port trunk allow-pass vlan 5 to 6 100 stp disable#return

l Configuration file of PE3# sysname PE3# vlan batch 5 to 6 100 200# rrpp enable# stp region-configuration instance 1 vlan 5 to 6 100 active region-configuration#rrpp domain 1 control-vlan 5 protected-vlan reference-instance 1 ring 1 node-mode transit primary-port Ethernet 0/0/1 secondary-port Ethernet 0/0/2 level 0 ring 1 enable#interface Ethernet0/0/1 port link-type trunk port trunk allow-pass vlan 100 stp disable#interface Ethernet0/0/2 port link-type trunk port trunk allow-pass vlan 5 to 6 100 200 stp disable#interface Ethernet0/0/3

port default vlan 200 port trunk allow-pass vlan 5 to 6 100#return

l Configuration file of PE4# sysname PE4# vlan batch 5 to 6 100 200# rrpp enable# stp region-configuration instance 1 vlan 5 to 6 100 active region-configuration#rrpp domain 1 control-vlan 5 protected-vlan reference-instance 1 ring 1 node-mode transit primary-port Ethernet 0/0/1 secondary-port Ethernet 0/0/2 level 0 ring 1 enable#interface Ethernet0/0/1 port link-type trunk port trunk allow-pass vlan 100



325

stp disable#interface Ethernet0/0/2 port link-type trunk port trunk allow-pass vlan 5 to 6 100 200 stp disable#interface Ethernet0/0/3

port default vlan 200 port trunk allow-pass vlan 5 to 6 100#return

l Configuration file of CE1# sysname CE1# vlan batch 100#interface Ethernet0/0/1 port link-type trunk port trunk allow-pass vlan 100#return



326

11 Layer 2 Protocol TransparentTransmission Configuration

About This Chapter

This chapter describes the concept, configuration procedure, and configuration examples ofLayer 2 protocol transparent transmission.

NOTE

The S2700SI and S2710SI do not support Layer 2 Protocol Transparent Transmission.

11.1 Layer 2 Protocol Transparent Transmission OverviewLayer 2 Protocol Transparent Transmission is a Layer 2 tunneling technology that transparentlytransmits Layer 2 protocol packets between private networks at different locations through apublic ISP network.

11.2 Layer 2 Protocol Transparent Transmission Features Supported by the DeviceThe device supports interface-based, VLAN-based, and QinQ-based Layer 2 protocoltransparent transmission.

11.3 Configuring Interface-based Layer 2 Protocol Transparent TransmissionWhen each interface of a backbone device is connected to only one user network and Layer 2protocol packets sent from the user network do not need VLAN tags, configure interface-basedLayer 2 protocol transparent transmission on the interface connected to the user network. Thisconfiguration allows Layer 2 protocol packets to be transparently transmitted on the backbonenetwork.

11.4 Configuring VLAN-based Layer 2 Protocol Transparent TransmissionWhen each interface of a backbone device is connected to multiple user networks and Layer 2protocol packets sent from user networks contain VLAN tags, configure VLAN-based Layer 2protocol transparent transmission. This configuration allows Layer 2 protocol packets to betransparently transmitted on the backbone network.

11.5 Configuring QinQ-based Layer 2 Protocol Transparent TransmissionWhen each interface of a backbone device is connected to multiple user networks and Layer 2protocol packets sent from user networks contain VLAN tags, you can configure QinQ-basedLayer 2 protocol transparent transmission. This configuration allows Layer 2 protocol packets

S2700&S3700 Series Ethernet SwitchesConfiguration Guide - Ethernet 11 Layer 2 Protocol Transparent Transmission Configuration


327

to be transparently transmitted on the backbone network and reduces VLAN IDs that the carrieruses.

11.6 Configuration ExamplesThis section provides examples for configuring interface, VLAN, and QinQ based Layer 2protocol transparent transmission.



328

11.1 Layer 2 Protocol Transparent Transmission OverviewLayer 2 Protocol Transparent Transmission is a Layer 2 tunneling technology that transparentlytransmits Layer 2 protocol packets between private networks at different locations through apublic ISP network.

Leased lines of ISPs are often used to establish Layer 2 networks. As a result, private networksof a user can be located at two sides of the ISP network. As shown in Figure 11-1, User A hastwo networks: network1 and network2. The two networks are connected through the ISPnetwork. When network1 and network2 run the same Layer 2 protocol (such as MSTP), Layer2 protocol packets from network1 and network2 must be transmitted through the ISP networkto perform Layer 2 protocol calculation (for example, calculating a spanning tree). Generally,the destination MAC addresses in Layer 2 protocol packets of the same Layer 2 protocol are thesame. For example, the MSTP PDUs are BPDUs with the destination MAC address 0180-C200-0000. Therefore, when a Layer 2 protocol packet from network1 reaches an edge deviceon the ISP network, the edge device cannot identify whether the Layer 2 protocol packet comesfrom a user network or the ISP network and sends the Layer 2 protocol packets to the CPU.Layer 2 protocol packets are terminated. As a result, the Layer 2 protocol packets on usernetwork1 cannot traverse the ISP network to reach user network2.

Figure 11-1 Transparent transmission of Layer 2 protocol packets on the ISP network

ISP network

User Anetwork1

CE1 CE2

PE1 PE2

User Anetwork2

To address the preceding issue, the ISP network is required to transparently transmit Layer 2protocol packets from the user network. Layer 2 protocol transparent transmission can bedeployed on the edge device of the carrier network to address this issue. The procedure is asfollows:

1. After receiving Layer 2 protocol packets sent from CE1, PE1 replaces the destination MACaddress with a specified multicast MAC address. Then PE1 forwards the packets on theISP network.

2. The Layer 2 protocol packets are forwarded to PE2. PE2 restores the original destinationMAC address of the packets, and sends the packets to CE2.



329

11.2 Layer 2 Protocol Transparent Transmission FeaturesSupported by the Device

The device supports interface-based, VLAN-based, and QinQ-based Layer 2 protocoltransparent transmission.

Based on application scenarios, the device supports the following Layer 2 protocol transparenttransmission features:

l Interface-based Layer 2 protocol transparent transmissionl VLAN-based Layer 2 protocol transparent transmissionl QinQ-based Layer 2 protocol transparent transmission

The device can transparently transmit packets of the following Layer 2 protocols:

l Spanning Tree Protocol (STP)l Link Aggregation Control Protocol (LACP)l Ethernet Operation, Administration, and Maintenance 802.3ah (EOAM3ah)l Link Layer Discovery Protocol (LLDP)l Generic VLAN Registration Protocol (GVRP)l Generic Multicast Registration Protocol (GMRP)l HUAWEI Group Management Protocol (HGMP)l VLAN Trunking Protocol (VTP)l Unidirectional Link Detection (UDLD)l Port Aggregation Protocol (PAGP)l Cisco Discovery Protocol (CDP)l Per VLAN Spanning Tree Plus (PVST+)l Shared Spanning Tree Protocol (SSTP)l Dynamic Trunking Protocol (DTP)l User-defined protocols

NOTE

When the default CPCAR is used, The device transparently transmits a maximum of 10 Layer 2 protocolpackets per second. Excess packets are discarded.



330

Interface-based Layer 2 Protocol Transparent Transmission

Figure 11-2 Interface-based Layer 2 protocol transparent transmission

ISP Network

PE1 PE2

Port basedVLAN 300

Port basedVLAN 300

LAN-AMSTP

LAN-AMSTP

BPDU Tunnel

As shown in Figure 11-2, each interface on a PE connects to one user network. The user networksconnected to the same PE do not belong to the same LAN. BPDUs sent from user networks arenot tagged, but the PE needs to identify the LAN that each BPDU belongs to. BPDUs of a usernetwork on LAN-A must be forwarded to other user networks on LAN-A but not on other LANs.In addition, BPDUs cannot be processed by devices on the ISP network.

l Replace the default multicast MAC address of Layer 2 protocol packets that can beidentified by PEs on the ISP network with another multicast MAC address.

l Replace the original multicast MAC address of Layer 2 protocol packets from user networkswith a specified multicast MAC address.



331

VLAN-based Layer 2 Protocol Transparent Transmission

Figure 11-3 VLAN-based Layer 2 protocol transparent transmission

CE-VLAN 200

CE-VLAN 100

ISP NetworkPE 1 PE 2

LAN-AMSTP

LAN-BMSTP

LAN-BMSTP

LAN-AMSTP

BPDU Tunnel

CE-VLAN 200

CE-VLAN 100

Trunk Link100-200

Trunk Link100-200

A PE generally functions as an aggregation device. As shown in Figure 11-3, the aggregationinterface on PE1 can receive BPDUs from LAN-A and LAN-B. To differentiate BPDUs fromthe two LANs, BPDUs sent from the CE to the PE must have VLAN tags. The VLAN ID of aBPDU from LAN-A is 200 and the VLAN ID of a BPDU from LAN-B is 100. BPDUs of a usernetwork on LAN-A must be sent to other user networks on LAN-A but not on other LANs. Inaddition, BPDUs cannot be processed by devices on the ISP network. In this case, you canconfigure VLAN-based Layer 2 protocol transparent transmission on PEs so that BPDUs cantraverse the ISP network through Layer 2 tunnels.

Similar to interface-based Layer 2 protocol transparent transmission, you can use either of thefollowing methods to implement VLAN-based Layer 2 protocol transparent transmission:

l Replace the default multicast MAC address of Layer 2 protocols that can be identified byPEs with another multicast MAC address.


QinQ-based Layer 2 protocol transparent transmissionNOTE

Only the S3700 supports QinQ-based Layer 2 Protocol Transparent Transmission.

When a large number of user networks are connected to the backbone network, considerablenumber of VLAN IDs are required on the ISP network if packets are transparently transmitted



332

based on VLANs. To reduce the number of VLANs required, BPDUs can be forwarded in QinQmode on the backbone network.

Figure 11-4 QinQ-based Layer 2 protocol transparent transmission

CE-VLAN 200

ISP NetworkPE 1 PE 2

LAN-AMSTP

LAN-BMSTP

LAN-BMSTP

LAN-AMSTP

CE-VLAN 100

PE-VLAN20:CE-VLAN 100~199

PE-VLAN30:CE-VLAN 200~299

CE-VLAN 200

CE-VLAN 100BPDU Tunnel

BPDU Tunnel

As shown in Figure 11-4, QinQ-based Layer 2 protocol transparent transmission is configuredon aggregation interfaces of PEs. Packets from different user networks are encapsulated indifferent outer VLAN tags. QinQ-based Layer 2 protocol transparent transmission isimplemented as follows:

PEs add outer VLAN 20 to Layer 2 protocol packets of VLANs 100 to 199, and add outer VLAN30 to Layer 2 protocol packets of VLANs 200 to 299. The PEs then forward the packets to otherdevices on the backbone network. In this way, Layer 2 protocol packets of different user networksare transparently transmitted on the backbone network, and carrier uses fewer VLAN IDs.

11.3 Configuring Interface-based Layer 2 ProtocolTransparent Transmission

When each interface of a backbone device is connected to only one user network and Layer 2protocol packets sent from the user network do not need VLAN tags, configure interface-basedLayer 2 protocol transparent transmission on the interface connected to the user network. Thisconfiguration allows Layer 2 protocol packets to be transparently transmitted on the backbonenetwork.

Pre-configuration TasksBefore configuring interface-based Layer 2 protocol transparent transmission, complete thefollowing task:



333

l Setting link layer protocol parameters and IP addresses for interfaces to ensure that the linklayer protocol on the interfaces is Up

l Using the bpdu enable command to enable the interfaces to send BPDUs to the CPU

11.3.1 (Optional) Defining Characteristic Information About aLayer 2 Protocol

ContextWhen non-standard Layer 2 protocol packets with a specified multicast destination MAC addressneed to be transparently transmitted on the backbone network, define characteristic informationabout the Layer 2 protocol on the PE. The characteristics of the Layer 2 protocol include theprotocol name, Ethernet encapsulation format, destination MAC address, and MAC address thatreplaces the destination MAC address of Layer 2 protocol packets.

When defining characteristic information about a Layer 2 protocol, do not use the followingmulticast MAC addresses to replace the destination MAC address of Layer 2 protocol packets:

l Destination MAC addresses of BPDUs: 0180-C200-0000 to 0180-C200-002Fl Destination MAC address of Smart Link packets: 010F-E200-0004l Special multicast MAC addresses: 0100-0CCC-CCCC and 0100-0CCC-CCCDl Common multicast MAC addresses that have been used on the device

Perform the following operations on PEs.

Procedure



Step 2 Run:l2protocol-tunnel user-defined-protocol protocol-name protocol-mac protocol-mac [ encap-type { { ethernetii | snap } protocol-type protocol-type | llc dsap dsap-value ssap ssap-value } ] group-mac { group-mac | default-group-mac }

Characteristic information about a Layer 2 protocol is defined.

----End

11.3.2 Configuring Layer 2 Protocol Transparent TransmissionMode

ContextYou can configure the following Layer 2 protocol transparent transmission modes:l Configure the device to replace the default multicast MAC address of Layer 2 protocol

packets that can be identified by PEs with another multicast MAC address. This mode canbe used to transparently transmit Layer 2 protocol packets of STP, RSTP, and MSTP.



334

l Configure the device to replace the original multicast MAC address of Layer 2 protocolpackets with a specified multicast MAC address. This mode can be used to transparentlytransmit all types of Layer 2 protocol packets.

Use either of the following methods on PEs based on the Layer 2 protocol type and the requiredtransparent transmission mode.

Procedurel Replace the default multicast MAC address of Layer 2 protocols that can be identified by

PEs with another multicast MAC address.1. Run:

system-view


bpdu-tunnel stp bridge role provider

The PE is configured as a provider.

l Replace the original multicast MAC address of Layer 2 protocol packets from user networkswith a specified multicast MAC address.1. Run:

system-view


l2protocol-tunnel protocol-type group-mac group-mac

The original multicast destination MAC address of Layer 2 protocol packets isreplaced with a specified multicast MAC address.

NOTE

Do not replace the destination MAC addresses of SSTP, STP, GVRP, and GMRP packets withthe same multicast MAC address.

When configuring Layer 2 protocol transparent transmission, do not use the following multicastMAC addresses to replace the destination MAC address of Layer 2 protocol packets:

l Destination MAC addresses of BPDUs: 0180-C200-0000 to 0180-C200-002F

l Destination MAC address of Smart Link packets: 010F-E200-0004

l Special multicast MAC addresses: 0100-0CCC-CCCC and 0100-0CCC-CCCD

l Common multicast MAC addresses that have been used on the device

----End

11.3.3 Enabling Layer 2 Protocol Transparent Transmission on anInterface

ContextPerform the following operations on PEs based on the required Layer 2 protocol transparenttransmission mode.



335

NOTE

The l2protocol-tunnel and l2protocol-tunnel vlan commands cannot specify the sameprotocol type on the same interface. Otherwise, the configurations conflict.

Procedure




The user-side interface view is displayed.

Step 3 Run:port hybrid pvid vlan vlan-id

The default VLAN of the interface is configured.

Step 4 Run:port hybrid untagged vlan vlan-id

The interface is added to the default VLAN in untagged mode.

Step 5 Run:l2protocol-tunnel { all | protocol-type | user-defined-protocol protocol-name } enable

Layer 2 protocol transparent transmission is enabled on the interface.

----End


Procedurel Run the display l2protocol-tunnel group-mac { all | protocol-type

| user-defined-protocol protocol-name } command to check informationabout transparent transmission of specified or all Layer 2 protocol packets.

----End

11.4 Configuring VLAN-based Layer 2 Protocol TransparentTransmission

When each interface of a backbone device is connected to multiple user networks and Layer 2protocol packets sent from user networks contain VLAN tags, configure VLAN-based Layer 2protocol transparent transmission. This configuration allows Layer 2 protocol packets to betransparently transmitted on the backbone network.



336

Pre-configuration TasksBefore configuring interface-based Layer 2 protocol transparent transmission, complete thefollowing task:l Setting link layer protocol parameters and IP addresses for interfaces to ensure that the link

layer protocol on the interfaces is Upl Using the bpdu enable command to enable the interfaces to send BPDUs to the CPU


ContextWhen non-standard Layer 2 protocol packets with a specified multicast destination MAC addressneed to be transparently transmitted on the backbone network, define characteristic informationabout the Layer 2 protocol on the PE. The characteristics of the Layer 2 protocol include theprotocol name, Ethernet encapsulation format, destination MAC address, and MAC address thatreplaces the destination MAC address of Layer 2 protocol packets.


l Destination MAC addresses of BPDUs: 0180-C200-0000 to 0180-C200-002Fl Destination MAC address of Smart Link packets: 010F-E200-0004l Special multicast MAC addresses: 0100-0CCC-CCCC and 0100-0CCC-CCCDl Common multicast MAC addresses that have been used on the device


Procedure





----End


ContextYou can configure the following Layer 2 protocol transparent transmission modes:



337

l Configure the device to replace the default multicast MAC address of Layer 2 protocolpackets that can be identified by PEs with another multicast MAC address. This mode canbe used to transparently transmit Layer 2 protocol packets of STP, RSTP, and MSTP.




PEs with another multicast MAC address.

1. Run:system-view


2. Run:bpdu-tunnel stp bridge role provider



1. Run:system-view


2. Run:l2protocol-tunnel protocol-type group-mac group-mac


NOTE

Do not replace the destination MAC addresses of SSTP, STP, GVRP, and GMRP packets withthe same multicast MAC address.






----End

11.4.3 Enabling VLAN-based Layer 2 Protocol TransparentTransmission on an Interface



338

ContextPerform the following operations on PEs according to the type of Layer 2 protocol packets tobe transparently transmitted.

NOTE

The l2protocol-tunnel vlan and l2protocol-tunnel commands cannot specify the sameprotocol type on the same interface. Otherwise, the configurations conflict.

Procedure





Step 3 Run:port hybrid tagged vlan { { vlan-id1 [ to vlan-id2 ] } &<1-10> | all }

The interface is added to the specified VLANs in tagged mode.

NOTE

l The range of VLAN IDs specified in this step must include VLAN IDs of Layer 2 protocol packetsfrom user networks.

l The VLAN for VLAN-based Layer 2 protocol transparent transmission must be the static VLAN, andcannot be the VLAN dynamically created by GVRP.

Step 4 Run:l2protocol-tunnel { all | protocol-type | user-defined-protocol protocol-name } vlan { low-id [ to high-id ] } &<1-10>

VLAN-based Layer 2 protocol transparent transmission is enabled on the interface.

----End




----End

11.5 Configuring QinQ-based Layer 2 Protocol TransparentTransmission

When each interface of a backbone device is connected to multiple user networks and Layer 2protocol packets sent from user networks contain VLAN tags, you can configure QinQ-based



339

Layer 2 protocol transparent transmission. This configuration allows Layer 2 protocol packetsto be transparently transmitted on the backbone network and reduces VLAN IDs that the carrieruses.


Before configuring interface-based Layer 2 protocol transparent transmission, complete thefollowing task:

l Setting link layer protocol parameters and IP addresses for interfaces to ensure that the linklayer protocol on the interfaces is Up

l Using the bpdu enable command to enable the interfaces to send BPDUs to the CPU

NOTE



Context

When non-standard Layer 2 protocol packets with a specified multicast destination MAC addressneed to be transparently transmitted on the backbone network, define characteristic informationabout the Layer 2 protocol on the PE. The characteristics of the Layer 2 protocol include theprotocol name, Ethernet encapsulation format, destination MAC address, and MAC address thatreplaces the destination MAC address of Layer 2 protocol packets.







Procedure





----End



340


Context

You can configure the following Layer 2 protocol transparent transmission modes:

l Configure the device to replace the default multicast MAC address of Layer 2 protocolpackets that can be identified by PEs with another multicast MAC address. This mode canbe used to transparently transmit Layer 2 protocol packets of STP, RSTP, and MSTP.




PEs with another multicast MAC address.

1. Run:system-view


2. Run:bpdu-tunnel stp bridge role provider



1. Run:system-view


2. Run:l2protocol-tunnel protocol-type group-mac group-mac


NOTE






----End



341

11.5.3 Enabling QinQ-based Layer 2 Transparent Transmission onan Interface

Context

Perform the following operations on PEs based on the required Layer 2 protocol transparenttransmission mode.

NOTE

The l2protocol-tunnel vlan and l2protocol-tunnel commands cannot specify the sameprotocol type on the same interface. Otherwise, the configurations conflict.

Procedure





Step 3 Run:port hybrid untagged vlan { { vlan-id1 [ to vlan-id2 ] } &<1-10> | all }

The interface is added to the specified VLANs in untagged mode.



Step 5 Run:port vlan-stacking vlan vlan-id1 [ to vlan-id2 ] stack-vlan vlan-id3

The interface is configured to add an outer VLAN tag to the Layer 2 protocol packets.

Step 6 Run:l2protocol-tunnel { all | protocol-type | user-defined-protocol protocol-name } vlan { low-id [ to high-id ] } &<1-10>

QinQ-based Layer 2 protocol transparent transmission is enabled on the interface.

NOTE

l The outer VLAN tag (vlan-id3) specified in step 5 must be included in the VLAN range specifiedin step 6.

----End



342




----End

11.6 Configuration ExamplesThis section provides examples for configuring interface, VLAN, and QinQ based Layer 2protocol transparent transmission.

11.6.1 Example for Configuring Interface-based Layer 2 ProtocolTransparent Transmission


As shown in Figure 11-5, CEs are edge devices on two private networks of an enterprise locatedin different areas, and PE1 and PE2 are edge devices on the ISP network. The two privatenetworks of the enterprise are Layer 2 networks and they are connected through the ISP network.STP is run on the Layer 2 networks to prevent loops. Enterprise users require that STP run onlyon the private networks so that spanning trees can be generated correctly.

Figure 11-5 Networking diagram for configuring interface-based Layer 2 protocol transparenttransmission

ISP network

User Anetwork1

CE1 CE2PE1

PE2

User Anetwork2

Eth0/0/1

Eth0/0/1

Eth0/0/1Eth0/0/1



1. Configure STP on CEs to prevent loops on Layer 2 networks.



343

2. Add PE interfaces connected to CEs to specified VLANs so that PEs forward packets fromthe VLANs.

3. Configure interface-based Layer 2 protocol transparent transmission on PEs so that STPpackets are not sent to the CPUs of PEs for processing.

Procedure

Step 1 Enable STP on CEs.

# Configure CE1.

<Quidway> system-view[Quidway] sysname CE1[CE1] vlan 100[CE1-vlan100] quit[CE1] stp enable[CE1] interface ethernet 0/0/1[CE1-Ethernet0/0/1] port hybrid pvid vlan 100[CE1-Ethernet0/0/1] port hybrid untagged vlan 100[CE1-Ethernet0/0/1] quit

# Configure CE2.

<Quidway> system-view[Quidway] sysname CE2[CE2] vlan 100[CE2-vlan100] quit[CE2] stp enable[CE2] interface ethernet 0/0/1[CE2-Ethernet0/0/1] port hybrid pvid vlan 100[CE2-Ethernet0/0/1] port hybrid untagged vlan 100[CE2-Ethernet0/0/1] quit

Step 2 Add Eth0/0/1 on PE1 and PE2 to VLAN 100 and enable Layer 2 protocol transparenttransmission on PEs.

# Configure PE1.

<Quidway> system-view[Quidway] sysname PE1[PE1] vlan 100[PE1-vlan100] quit[PE1] interface ethernet 0/0/1[PE1-Ethernet0/0/1] port hybrid pvid vlan 100[PE1-Ethernet0/0/1] port hybrid untagged vlan 100[PE1-Ethernet0/0/1] l2protocol-tunnel stp enable[PE1-Ethernet0/0/1] quit

# Configure PE2.

<Quidway> system-view[Quidway] sysname PE2[PE2] vlan 100[PE2-vlan100] quit[PE2] interface ethernet 0/0/1[PE2-Ethernet0/0/1] port hybrid pvid vlan 100[PE2-Ethernet0/0/1] port hybrid untagged vlan 100[PE2-Ethernet0/0/1] l2protocol-tunnel stp enable[PE2-Ethernet0/0/1] quit

Step 3 Configure PEs to replace the destination MAC address of STP packets received from CEs.

# Configure PE1.

[PE1] l2protocol-tunnel stp group-mac 0100-0100-0100



344

# Configure PE2.



After the configuration is complete, run the display l2protocol-tunnel group-mac command on PEs. You can view the protocol type or name, multicast destination MACaddress, group MAC address, and priority of Layer 2 protocol packets to be transparentlytransmitted.

The display on PE1 is used as an example.

[PE1] display l2protocol-tunnel group-mac stpProtocol EncapeType ProtocolType Protocol-MAC Group-MAC Pri ----------------------------------------------------------------------------- stp llc dsap 0x42 0180-c200-0000 0100-0100-0100 0 ssap 0x42

Run the display stp command on CE1 and CE2 to view the root in the MSTP region. Youcan find that a spanning tree is calculated between CE1 and CE2. Eth0/0/1 on CE1 is the rootport and Eth0/0/1 on CE2 is the designated port.

[CE1] display stp-------[CIST Global Info] [Mode MSTP] -------CIST Bridge :32768.00e0-fc9f-3257Bridge Times :Hello 2s MaxAge 20s FwDly 15s MaxHop 20CIST Root/ERPC :32768.00e0-fc9a-4315 / 199999CIST RegRoot/IRPC :32768.00e0-fc9f-3257 / 0CIST RootPortId :128.82BPDU-Protection :DisabledTC or TCN received :6TC count per hello :6STP Converge Mode :Time since last TC :0 days 2h:24m:36s----[Port1(Ethernet0/0/1)] [FORWARDING] ---- Port Protocol :Enabled Port Role :Root Port Port Priority :128 Port Cost(Dot1T ) :Config=auto / Active=200000000 Designated Bridge/Port :32768.00e0-fc9a-4315 / 128.82 Port Edged :Config=disabled / Active=disabled Point-to-point :Config=auto / Active=true Transit Limit :147 packets/hello-time Protection Type :None Port STP Mode :MSTP Port Protocol Type :Config=auto / Active= dot1s PortTimes :Hello 2s MaxAge 20s FwDly 15s RemHop 20 TC or TCN send :0 TC or TCN received :0 BPDU Sent :6 TCN: 0, Config: 0, RST: 0, MST: 6 BPDU Received :4351 TCN: 0, Config: 0, RST: 0, MST: 4351[CE2] display stp-------[CIST Global Info] [Mode MSTP] -------CIST Bridge :32768.00e0-fc9a-4315Bridge Times :Hello 2s MaxAge 20s FwDly 15s MaxHop 20CIST Root/ERPC :32768.00e0-fc9a-4315 / 0CIST RegRoot/IRPC :32768.00e0-fc9a-4315 / 0CIST RootPortId :0.0BPDU-Protection :DisabledTC or TCN received :3TC count per hello :3STP Converge Mode :Time since last TC :0 days 2h:26m:42s



345

----[Port1(Ethernet0/0/1)] [FORWARDING] ---- Port Protocol :Enabled Port Role :Designated Port Port Priority :128 Port Cost(Dot1T ) :Config=auto / Active=200000000 Designated Bridge/Port :32768.00e0-fc9a-4315 / 128.82 Port Edged :Config=disabled / Active=disabled Point-to-point :Config=auto / Active=true Transit Limit :147 packets/hello-time Protection Type :None Port STP Mode :MSTP Port Protocol Type :Config=auto / Active= dot1s PortTimes :Hello 2s MaxAge 20s FwDly 15s RemHop 20 TC or TCN send :0 TC or TCN received :0 BPDU Sent :4534 TCN: 0, Config: 0, RST: 0, MST: 4534 BPDU Received :6 TCN: 0, Config: 0, RST: 0, MST: 6

----End

Configuration Filesl Configuration file of CE1

#sysname CE1#vlan batch 100#interface Ethernet0/0/1 port hybrid pvid vlan 100 port hybrid untagged vlan 100#return

l Configuration file of CE2#sysname CE2#vlan batch 100 #interface Ethernet0/0/1 port hybrid pvid vlan 100 port hybrid untagged vlan 100#return

l Configuration file of PE1#sysname PE1#vlan batch 100#l2protocol-tunnel stp group-mac 0100-0100-0100#interface Ethernet0/0/1 port hybrid pvid vlan 100 port hybrid untagged vlan 100 l2protocol-tunnel stp enable#return

l Configuration file of PE2#sysname PE2



346

#vlan batch 100#l2protocol-tunnel stp group-mac 0100-0100-0100#interface Ethernet0/0/1 port hybrid pvid vlan 100 port hybrid untagged vlan 100 l2protocol-tunnel stp enable#return

11.6.2 Example for Configuring VLAN-based Layer 2 ProtocolTransparent Transmission


As shown in Figure 11-6, CEs are edge devices on two private networks of an enterprise locatedin different areas, and PE1 and PE2 are edge devices on the ISP network. VLAN 100 and VLAN200 are Layer 2 networks for different users and are connected through the ISP network. STPis run on the Layer 2 networks to prevent loops. Enterprise users require that STP run only onthe private networks so that spanning trees can be generated correctly.

l All the devices in VLAN 100 participate in calculation of a spanning tree.

l All the devices in VLAN 200 participate in calculation of a spanning tree.

Figure 11-6 Networking diagram for configuring VLAN-based Layer 2 protocol transparenttransmission

VLAN 100User A

VLAN 200User B

Eth0/0/1

CE1 CE2Eth0/0/1

VLAN 100User A

VLAN 200User B

CE3 CE4

PE1 PE2

Eth0/0/1Eth0/0/1

Eth0/0/2 Eth0/0/2Eth0/0/3 Eth0/0/3

ISP network



1. Configure STP on CEs to prevent loops on Layer 2 networks.

2. Configure CEs to send STP packets with specified VLAN tags to PEs so that calculationof a spanning tree is complete independently in VLAN 100 and VLAN 200.

3. Configure VLAN-based Layer 2 protocol transparent transmission on PEs so that STPpackets are not sent to the CPUs of PEs for processing.



347

Procedure


# Configure CE1.

<Quidway> system-view[Quidway] sysname CE1[CE1] stp enable

# Configure CE2.


# Configure CE3.


# Configure CE4.


Step 2 Configure CE1 and CE2 to send STP packets with VLAN tag 100 to PEs, and configure CE3and CE4 to send STP packets with VLAN tag 200 to PEs.

# Configure CE1.

[CE1] vlan 100[CE1-vlan100] quit[CE1] interface ethernet 0/0/1[CE1-Ethernet0/0/1] port hybrid tagged vlan 100[CE1-Ethernet0/0/1] stp bpdu vlan 100[CE1-Ethernet0/0/1] quit

# Configure CE2.


# Configure CE3.


# Configure CE4.




348

Step 3 Configure PE interfaces to transparently transmit STP packets of CEs to the peer ends.

# Configure PE1.

<Quidway> system-view[Quidway] sysname PE1[PE1] vlan 100[PE1-vlan100] quit[PE1] vlan 200[PE1-vlan200] quit[PE1] interface ethernet 0/0/2[PE1-Ethernet0/0/2] port hybrid tagged vlan 100[PE1-Ethernet0/0/2] l2protocol-tunnel stp vlan 100[PE1-Ethernet0/0/2] quit[PE1] interface ethernet 0/0/3[PE1-Ethernet0/0/3] port hybrid tagged vlan 200[PE1-Ethernet0/0/3] l2protocol-tunnel stp vlan 200[PE1-Ethernet0/0/3] quit

# Configure PE2.

<Quidway> system-view[Quidway] sysname PE2[PE2] vlan 100[PE2-vlan100] quit[PE2] vlan 200[PE2-vlan200] quit[PE2] interface ethernet 0/0/2[PE2-Ethernet0/0/2] port hybrid tagged vlan 100[PE2-Ethernet0/0/2] l2protocol-tunnel stp vlan 100[PE2-Ethernet0/0/2] quit[PE2] interface ethernet 0/0/3[PE2-Ethernet0/0/3] port hybrid tagged vlan 200[PE2-Ethernet0/0/3] l2protocol-tunnel stp vlan 200[PE2-Ethernet0/0/3] quit


# Configure PE1.


# Configure PE2.





[PE1] display l2protocol-tunnel group-mac stpProtocol EncapeType ProtocolType Protocol-MAC Group-MAC Pri ----------------------------------------------------------------------------- stp llc dsap 0x42 0180-c200-0000 0100-0100-0100 0 ssap 0x42


[CE1] display stp



349

-------[CIST Global Info][Mode MSTP]-------CIST Bridge :32768.000b-09f0-1b91Bridge Times :Hello 2s MaxAge 20s FwDly 15s MaxHop 20CIST Root/ERPC :32768.000b-09d4-b66c / 199999CIST RegRoot/IRPC :32768.000b-09f0-1b91 / 0CIST RootPortId :128.82BPDU-Protection :disabledTC or TCN received :2TC count per hello :2STP Converge Mode :Time since last TC :0 days 3h:53m:43s----[Port1(Ethernet0/0/1)] [FORWARDING] ---- Port Protocol :Enabled Port Role :Root Port Port Priority :128 Port Cost(Dot1T ) :Config=auto / Active=200000000 Designated Bridge/Port :32768.000b-09d4-b66c / 128.82 Port Edged :Config=disabled / Active=disabled Point-to-point :Config=auto / Active=true Transit Limit :147 packets/hello-time Protection Type :None Port STP Mode :MSTP Port Protocol Type :Config=auto / Active= dot1s PortTimes :Hello 2s MaxAge 20s FwDly 15s RemHop 20 TC or TCN send :0 TC or TCN received :0 BPDU Sent :237 TCN: 0, Config: 0, RST: 0, MST: 237 BPDU Received :9607 TCN: 0, Config: 0, RST: 0, MST: 9607 <CE2> display stp-------[CIST Global Info][Mode MSTP]-------CIST Bridge :32768.000b-09d4-b66cBridge Times :Hello 2s MaxAge 20s FwDly 15s MaxHop 20CIST Root/ERPC :32768.000b-09d4-b66c / 0CIST RegRoot/IRPC :32768.000b-09d4-b66c / 0CIST RootPortId :0.0BPDU-Protection :disabledTC or TCN received :1TC count per hello :1STP Converge Mode :Time since last TC :0 days 5h:29m:6s ----[Port1(Ethernet0/0/1)] [FORWARDING] ---- Port Protocol :Enabled Port Role :Designated Port Port Priority :128 Port Cost(Dot1T ) :Config=auto / Active=200000000 Designated Bridge/Port :32768.000b-09d4-b66c / 128.82 Port Edged :Config=disabled / Active=disabled Point-to-point :Config=auto / Active=true Transit Limit :147 packets/hello-time Protection Type :None Port STP Mode :MSTP Port Protocol Type :Config=auto / Active= dot1s PortTimes :Hello 2s MaxAge 20s FwDly 15s RemHop 20 TC or TCN send :0 TC or TCN received :0 BPDU Sent :7095 TCN: 0, Config: 0, RST: 0, MST: 7095 BPDU Received :2 TCN: 0, Config: 0, RST: 0, MST: 2


<CE3> display stp



350

-------[CIST Global Info][Mode MSTP]-------CIST Bridge :32768.00e0-fc9f-3257Bridge Times :Hello 2s MaxAge 20s FwDly 15s MaxHop 20CIST Root/ERPC :32768.00e0-fc9a-4315 / 199999CIST RegRoot/IRPC :32768.00e0-fc9f-3257 / 0CIST RootPortId :128.82BPDU-Protection :disabledTC or TCN received :4TC count per hello :4STP Converge Mode :Time since last TC :0 days 3h:57m:0s ----[Port1(Ethernet0/0/1)] [FORWARDING] ---- Port Protocol :Enabled Port Role :Root Port Port Priority :128 Port Cost(Dot1T ) :Config=auto / Active=200000000 Designated Bridge/Port :32768.00e0-fc9a-4315 / 128.82 Port Edged :Config=disabled / Active=disabled Point-to-point :Config=auto / Active=true Transit Limit :147 packets/hello-time Protection Type :None Port STP Mode :MSTP Port Protocol Type :Config=auto / Active= dot1s PortTimes :Hello 2s MaxAge 20s FwDly 15s RemHop 20 TC or TCN send :0 TC or TCN received :0 BPDU Sent :238 TCN: 0, Config: 0, RST: 0, MST: 238 BPDU Received :9745 TCN: 0, Config: 0, RST: 0, MST: 9745 <CE4> display stp-------[CIST Global Info][Mode MSTP]-------CIST Bridge :32768.00e0-fc9a-4315Bridge Times :Hello 2s MaxAge 20s FwDly 15s MaxHop 20CIST Root/ERPC :32768.00e0-fc9a-4315 / 0CIST RegRoot/IRPC :32768.00e0-fc9a-4315 / 0CIST RootPortId :0.0BPDU-Protection :disabledTC or TCN received :2TC count per hello :2STP Converge Mode :Time since last TC :0 days 5h:33m:17s----[Port1(Ethernet0/0/1)] [FORWARDING] ---- Port Protocol :enabled Port Role :Designated Port Port Priority :128 Port Cost(Dot1T ) :Config=auto / Active=200000000 Designated Bridge/Port :32768.00e0-fc9a-4315 / 128.82 Port Edged :Config=disabled / Active=disabled Point-to-point :Config=auto / Active=true Transit Limit :147 packets/hello-time Protection Type :None Port STP Mode :MSTP Port Protocol Type :Config=auto / Active= dot1s PortTimes :Hello 2s MaxAge 20s FwDly 15s RemHop 20 TC or TCN send :0 TC or TCN received :0 BPDU Sent :7171 TCN: 0, Config: 0, RST: 0, MST: 7171 BPDU Received :2 TCN: 0, Config: 0, RST: 0, MST: 2

----End



351


#sysname CE1#vlan batch 100#interface Ethernet0/0/1 port hybrid tagged vlan 100 stp bpdu vlan 100#return

l Configuration file of CE2#sysname CE2#vlan batch 100#interface Ethernet0/0/1 port hybrid tagged vlan 100 stp bpdu vlan 100#return



l Configuration file of PE1#sysname PE1#vlan batch 100 200#l2protocol-tunnel stp group-mac 0100-0100-0100#interface Ethernet0/0/2 port hybrid tagged vlan 100 l2protocol-tunnel stp vlan 100#interface Ethernet0/0/3 port hybrid tagged vlan 200 l2protocol-tunnel stp vlan 200#



352

returnl Configuration file of PE2

#sysname PE2#vlan batch 100 200#l2protocol-tunnel stp group-mac 0100-0100-0100#interface Ethernet0/0/2 port hybrid tagged vlan 100 l2protocol-tunnel stp vlan 100#interface Ethernet0/0/3 port hybrid tagged vlan 200 l2protocol-tunnel stp vlan 200#return

11.6.3 Example for Configuring QinQ-based Layer 2 ProtocolTransparent Transmission

Networking RequirementsAs shown in Figure 11-7, CEs are edge devices on two private networks of an enterprise locatedin different areas, and PE1 and PE2 are edge devices on the ISP network. VLAN 100 and VLAN200 are Layer 2 networks for different users and are connected through the ISP network. STPis run on the Layer 2 networks to prevent loops. Enterprise users require that STP run only onthe private networks so that spanning trees can be generated correctly.

l All the devices in VLAN 100 participate in calculation of a spanning tree.l All the devices in VLAN 200 participate in calculation of a spanning tree.

Because of shortage of public VLAN resources, VLAN IDs on carrier networks must be saved.

NOTE


Figure 11-7 Networking diagram for configuring QinQ-based Layer 2 protocol transparenttransmission

User AVLAN100

User BVLAN200

CE2

CE4

PE2

Eth0/0/2

Eth0/0/3

Eth0/0/1

Eth0/0/1

User AVLAN100

User BVLAN200

CE1

CE3

PE1

Eth0/0/1

Eth0/0/1

Eth0/0/2

Eth0/0/3

ISPNetwork



353


1. Configure STP on CEs to prevent loops on Layer 2 networks.2. Configure CEs to send STP packets with specified VLAN tags to PEs so that calculation

of a spanning tree is complete independently in VLAN 100 and VLAN 200.3. Configure VLAN-based Layer 2 protocol transparent transmission on PEs so that STP

packets are not sent to the CPUs of PEs for processing.4. Configure QinQ (VLAN stacking) on PEs so that PEs add outer VLAN tag 10 to STP

packets sent from CEs, saving public network VLAN IDs.

Procedure


# Configure CE1.


# Configure CE2.


# Configure CE3.


# Configure CE4.


Step 2 Configure CE1 and CE2 to send STP packets with VLAN tag 100 to PEs, and configure CE3and CE4 to send STP packets with VLAN tag 200 to PEs.

# Configure CE1.


# Configure CE2.


# Configure CE3.



354


# Configure CE4.


Step 3 Configure QinQ-based Layer 2 protocol transparent transmission on PEs so that STP packetswith VLAN tags 100 and 200 are tagged with outer VLAN 10 by PEs and can be transmittedon the ISP network.

# Configure PE1.

<Quidway> system-view[Quidway] sysname PE1[PE1] vlan 10[PE1-Vlan10] quit[PE1] interface ethernet 0/0/2[PE1-Ethernet0/0/2] qinq vlan-translation enable[PE1-Ethernet0/0/2] port hybrid untagged vlan 10[PE1-Ethernet0/0/2] port vlan-stacking vlan 100 stack-vlan 10[PE1-Ethernet0/0/2] l2protocol-tunnel stp vlan 10[PE1-Ethernet0/0/2] quit[PE1] interface ethernet 0/0/3[PE1-Ethernet0/0/3] qinq vlan-translation enable[PE1-Ethernet0/0/3] port hybrid untagged vlan 10[PE1-Ethernet0/0/3] port vlan-stacking vlan 200 stack-vlan 10[PE1-Ethernet0/0/3] l2protocol-tunnel stp vlan 10[PE1-Ethernet0/0/3] quit

# Configure PE2.

<Quidway> system-view[Quidway] sysname PE2[PE2] vlan 10[PE2-Vlan10] quit[PE2] interface ethernet 0/0/2[PE2-Ethernet0/0/2] qinq vlan-translation enable[PE2-Ethernet0/0/2] port hybrid untagged vlan 10[PE2-Ethernet0/0/2] port vlan-stacking vlan 100 stack-vlan 10[PE2-Ethernet0/0/2] l2protocol-tunnel stp vlan 10[PE2-Ethernet0/0/2] quit[PE2] interface ethernet 0/0/3[PE2-Ethernet0/0/3] qinq vlan-translation enable[PE2-Ethernet0/0/3] port hybrid untagged vlan 10[PE2-Ethernet0/0/3] port vlan-stacking vlan 200 stack-vlan 10[PE2-Ethernet0/0/3] l2protocol-tunnel stp vlan 10[PE2-Ethernet0/0/3] quit


# Configure PE1.


# Configure PE2.




355



The display on PE1 is used as an example.[PE1] display l2protocol-tunnel group-mac stpProtocol EncapeType ProtocolType Protocol-MAC Group-MAC Pri ----------------------------------------------------------------------------- stp llc dsap 0x42 0180-c200-0000 0100-0100-0100 0 ssap 0x42

Run the display stp command on CE1 and CE2 to view the root in the MSTP region. Youcan find that a spanning tree is calculated between CE1 and CE2. Eth0/0/1 on CE1 is the rootport and Eth0/0/1 on CE2 is the designated port.[CE1] display stp-------[CIST Global Info][Mode MSTP]-------CIST Bridge :32768.000b-09f0-1b91Bridge Times :Hello 2s MaxAge 20s FwDly 15s MaxHop 20CIST Root/ERPC :32768.000b-09d4-b66c / 199999CIST RegRoot/IRPC :32768.000b-09f0-1b91 / 0CIST RootPortId :128.82BPDU-Protection :disabledTC or TCN received :2TC count per hello :2STP Converge Mode :Time since last TC :0 days 2h:24m:36s----[Port17(Ethernet0/0/1)][FORWARDING]---- Port Protocol :Enabled Port Role :Root Port Port Priority :128 Port Cost(Dot1T ) :Config=auto / Active=200000000 Designated Bridge/Port :32768.000b-09d4-b66c / 128.82 Port Edged :Config=disabled / Active=disabled Point-to-point :Config=auto / Active=true Transit Limit :147 packets/hello-time Protection Type :None Port STP Mode :MSTP Port Protocol Type :Config=auto / Active= dot1s PortTimes :Hello 2s MaxAge 20s FwDly 15s RemHop 20 TC or TCN send :0 TC or TCN received :0 BPDU Sent :237 TCN: 0, Config: 0, RST: 0, MST: 237 BPDU Received :9607 TCN: 0, Config: 0, RST: 0, MST: 9607 [CE2] display stp-------[CIST Global Info][Mode MSTP]-------CIST Bridge :32768.000b-09d4-b66cBridge Times :Hello 2s MaxAge 20s FwDly 15s MaxHop 20CIST Root/ERPC :32768.000b-09d4-b66c / 0CIST RegRoot/IRPC :32768.000b-09d4-b66c / 0CIST RootPortId :0.0BPDU-Protection :disabledTC or TCN received :1TC count per hello :1STP Converge Mode :Time since last TC :0 days 2h:24m:36s----[Port17(Ethernet0/0/1)][FORWARDING]---- Port Protocol :Enabled Port Role :Designated Port Port Priority :128



356

Port Cost(Dot1T ) :Config=auto / Active=200000000 Designated Bridge/Port :32768.000b-09d4-b66c / 128.82 Port Edged :Config=disabled / Active=disabled Point-to-point :Config=auto / Active=true Transit Limit :147 packets/hello-time Protection Type :None Port STP Mode :MSTP Port Protocol Type :Config=auto / Active= dot1s PortTimes :Hello 2s MaxAge 20s FwDly 15s RemHop 20 TC or TCN send :0 TC or TCN received :0 BPDU Sent :7095 TCN: 0, Config: 0, RST: 0, MST: 7095 BPDU Received :2 TCN: 0, Config: 0, RST: 0, MST: 2


[CE3] display stp-------[CIST Global Info][Mode MSTP]-------CIST Bridge :32768.00e0-fc9f-3257Bridge Times :Hello 2s MaxAge 20s FwDly 15s MaxHop 20CIST Root/ERPC :32768.00e0-fc9a-4315 / 199999CIST RegRoot/IRPC :32768.00e0-fc9f-3257 / 0CIST RootPortId :128.82BPDU-Protection :disabledTC or TCN received :4TC count per hello :4STP Converge Mode :Time since last TC :0 days 2h:24m:36s----[Port17(Ethernet0/0/1)][FORWARDING]---- Port Protocol :Enabled Port Role :Root Port Port Priority :128 Port Cost(Dot1T ) :Config=auto / Active=200000000 Designated Bridge/Port :32768.00e0-fc9a-4315 / 128.82 Port Edged :Config=disabled / Active=disabled Point-to-point :Config=auto / Active=true Transit Limit :147 packets/hello-time Protection Type :None Port STP Mode :MSTP Port Protocol Type :Config=auto / Active= dot1s PortTimes :Hello 2s MaxAge 20s FwDly 15s RemHop 20 TC or TCN send :0 TC or TCN received :0 BPDU Sent :238 TCN: 0, Config: 0, RST: 0, MST: 238 BPDU Received :9745 TCN: 0, Config: 0, RST: 0, MST: 9745 [CE4] display stp-------[CIST Global Info][Mode MSTP]-------CIST Bridge :32768.00e0-fc9a-4315Bridge Times :Hello 2s MaxAge 20s FwDly 15s MaxHop 20CIST Root/ERPC :32768.00e0-fc9a-4315 / 0CIST RegRoot/IRPC :32768.00e0-fc9a-4315 / 0CIST RootPortId :0.0BPDU-Protection :disabledTC or TCN received :2TC count per hello :2STP Converge Mode :Time since last TC :0 days 2h:24m:36s----[Port17(Ethernet0/0/1)][FORWARDING]---- Port Protocol :Enabled Port Role :Designated Port Port Priority :128



357

Port Cost(Dot1T ) :Config=auto / Active=200000000 Designated Bridge/Port :32768.00e0-fc9a-4315 / 128.82 Port Edged :Config=disabled / Active=disabled Point-to-point :Config=auto / Active=true Transit Limit :147 packets/hello-time Protection Type :None Port STP Mode :MSTP Port Protocol Type :Config=auto / Active= dot1s PortTimes :Hello 2s MaxAge 20s FwDly 15s RemHop 20 TC or TCN send :0 TC or TCN received :0 BPDU Sent :7171 TCN: 0, Config: 0, RST: 0, MST: 7171 BPDU Received :2 TCN: 0, Config: 0, RST: 0, MST: 2

Run the display vlan command on PEs to view the QinQ configuration.


[PE1] display vlan 10 verbose* : Management-VLAN --------------------- VLAN ID : 10 VLAN Type : Common Description : VLAN 0010 Status : Enable Broadcast : Enable MAC learning : Enable Statistics : Disable Property : Default VLAN State : Up ---------------- Untagged Port: Ethernet0/0/2 Ethernet0/0/3 ---------------- Active Untag Port: Ethernet0/0/2 Ethernet0/0/3 ---------------- QinQ-stack Port: Ethernet0/0/2 Ethernet0/0/3 ---------------- Interface PhysicalEthernet0/0/2 UP Ethernet0/0/3 UP

----End


# sysname CE1# vlan batch 100#interface Ethernet0/0/1 port hybrid tagged vlan 100 stp bpdu vlan 100#return




358

port hybrid tagged vlan 100 stp bpdu vlan 100#return

l Configuration file of CE3# sysname CE3# vlan batch 200#interface Ethernet0/0/1 port hybrid tagged vlan 200 stp bpdu vlan 200#return

l Configuration file of CE4# sysname CE4# vlan batch 200#interface Ethernet0/0/1 port hybrid tagged vlan 200 stp bpdu vlan 200#return

l Configuration file of PE1# sysname PE1# vlan batch 10# l2protocol-tunnel stp group-mac 0100-0100-0100#interface Ethernet0/0/2 qinq vlan-translation enable port hybrid untagged vlan 10 port vlan-stacking vlan 100 stack-vlan 10 l2protocol-tunnel stp vlan 10#interface Ethernet0/0/3 qinq vlan-translation enable port hybrid untagged vlan 10 port vlan-stacking vlan 200 stack-vlan 10 l2protocol-tunnel stp vlan 10#return

l Configuration file of PE2# sysname PE2# vlan batch 10# l2protocol-tunnel stp group-mac 0100-0100-0100#interface Ethernet0/0/2 qinq vlan-translation enable port hybrid untagged vlan 10 port vlan-stacking vlan 100 stack-vlan 10 l2protocol-tunnel stp vlan 10#interface Ethernet0/0/3 qinq vlan-translation enable



359

port hybrid untagged vlan 10 port vlan-stacking vlan 200 stack-vlan 10 l2protocol-tunnel stp vlan 10#return



360

12 Loopback Detection Configuration

About This Chapter

Loopback detection can detect loops on the network connected to the device and reduce impactson the network.

12.1 Loopback Detection OverviewLoopback detection sends loopback detection packets periodically to detect loops on the networkconnected to the device.

12.2 Default ConfigurationThis section describes default settings of loopback detection parameters.

12.3 Configuring Loopback DetectionLoopback detection can detect loops on the network connected to the device.

12.4 Configuration ExamplesThis section describes configuration examples of loopback detection including networkingrequirements, configuration roadmap, and configuration procedure.

S2700&S3700 Series Ethernet SwitchesConfiguration Guide - Ethernet 12 Loopback Detection Configuration


361

12.1 Loopback Detection OverviewLoopback detection sends loopback detection packets periodically to detect loops on the networkconnected to the device.

When a loop occurs on a network, broadcast, multicast, and unknown unicast packets arerepeatedly transmitted on the network. This wastes network resources or even causes serviceinterruption on the entire network. To protect the network, certain actions should be taken onthe interface where the loop occurs, and the administrator needs to check the network connectionand configuration to solve the problem soon. Therefore, a mechanism is required on network todetect loops and notify the administrator.

Loopback detection is such a mechanism. It sends detection packets from an interface at intervalsafter loopback is enabled and checks whether the packets are sent back to the interface. If thepackets are sent back, a loopback occurs on the interface.

Figure 12-1 and Figure 12-2 show the application of loopback detection.

l TX-RX (RX indicates the receiving end, and TX indicates the sending end) self-loops occuron an interface usually because optical fibers are connected incorrectly or the interface isdamaged by high voltage. As shown in Figure 12-1, self-loops may occur on the networkconnected to a Switch interface. When a self-loop occurs, packets sent from the interfaceare sent back to this interface. This causes traffic forwarding errors or MAC addressflapping on the interface.

Figure 12-1 Loopback detection application 1

Switch

Tx Rx

l As shown in Figure 12-2, loops may occur on the network connected to a Switch interface.

When a loop occurs, packets sent from the interface are sent back to this interface.



362

Figure 12-2 Loopback detection application 2

Switch

Interface1

You can configure loopback detection on the interface of the Switch in the preceding scenarios.When a loopback is detected on the interface, the interface is blocked. Only users connected tothe interface on which a loopback is detected are affected, and other users connected to theSwitch can still communicate.After the system detects that the loopback has been removed, itrecovers communication on the interface. After the system detects that the loopback has beenremoved, it recovers communication on the interface.

NOTE

l Loopback detection cannot prevent loops on the entire network. It only detects loops on a single node.

l A large number of packets are sent during loopback detection, occupying CPU resources; therefore,disable loopback detection if it is not required.

l Loopback detection cannot be configured on an Eth-Trunk or its member interfaces.

l You cannot enable loopback detection and STP fuction simultaneously.

12.2 Default ConfigurationThis section describes default settings of loopback detection parameters.

Table 12-1 Default settings of loopback detection parameters


Loopback Detection Disabled

Action to perform on the interface after aloopback is detected

Block

Interval between sending loopback detectionpackets

5 seconds

Interface recovery time 3 times of the interval between sendingloopback detection packets



363

12.3 Configuring Loopback DetectionLoopback detection can detect loops on the network connected to the device.

12.3.1 Enabling Loopback Detection

Context

An interface sends loopback detection packets to detect loopbacks only after loopback detectionis enabled on the interface.

l If an interface has been added to VLANs in untagged mode, the interface sends one copyof untagged detection packet regardless of how many VLANs the interface has been addedto. In the scenario of Using a Loopback Detection to Detect a Loop on the DownstreamNetwork, untagged loopback detection packets are discarded and loops cannot be detected.Therefore, configure the device to detect loops in a specified VLAN.

l If an interface has been added to VLANs in tagged mode, loopback detection must beenabled in specified VLANs, and the interface sends the loopback detection packets of theVLAN that contains the interface and has loopback detection enabled.

NOTE

l If any interface on a ring uses the specified VLAN ID as its PVID or has been added to this VLAN inuntagged mode, VLAN tags of probe packets are removed on this interface, and therefore priority ofthe packets is changed. As a result, loops in this VLAN may not be detected.

l The S2700SI and S2710SI do not support loopback detection in specified VLANs.

l In the scenario of Using a Loopback Detection to Detect a Loop on the Downstream Network, you canconfigure the device not to perform loopback detection in a specified VLAN. In this case, you mustrun the loopback-detect untagged mac-address command to set the destination MAC address ofuntagged loopback detection packets.

After VLAN IDs are specified, the interface sends one copy of untagged loopback detectionpackets and multiple copies of tagged loopback detection packets with the specified VLAN tags.

You can enable loopback detection on all interfaces in the system view or enable loopback onan interface in the interface view.

Procedure



Step 2 Enable loopback detection on the interface. Run the following commands as required.

l Enable loopback detection on all interfaces in the system view.

Run:loopback-detect enable

Loopback detection is enabled on all interfaces.



364

NOTE

You can use this method to simplify configuration when most interfaces need to perform loopbackdetection.

l Enable loopback detection on a single interface.


The interface view is displayed.2. Run:

loopback-detect enable

Loopback detection is enabled on the interface.

By default, loopback detection is disabled on an interface.

Step 3 (Optional) Run:loopback-detect packet vlan { vlan-id1 [ to vlan-id2 ] } &<1-8>

A VLAN ID is specified for loopback detection packets.

By default, no VLAN ID is specified for loopback detection packets.

NOTE

Before running the loopback-detect packet vlan { vlan-id1 [ to vlan-id2 ] } &<1-8> command,ensure that:

l The specified VLAN exists.

l The interface has been added to the specified VLAN in tagged mode.

----End

12.3.2 (Optional) Configuring an Action to Be Taken After aLoopback Is Detected

ContextAfter loopback detection is enabled on an interface, the interface periodically sends detectionpackets and checks whether loopback packets are received. When a loopback is detected on aninterface, the system sets the interface status to loopback, minimizing the impact on the systemand the entire network.

Procedure





Step 3 Run:loopback-detect action { block | nolearn | shutdown | trap }



365

The action to be taken after a loopback is detected on the interface is configured.

The default action is block.

When a loopback is detected on an interface, the system performs any of the following actions:

l block: blocks the interface. After the interface is blocked, packets excluding BPDU packetscannot be sent.

l nolearn: disables MAC address learning on the interface. When a loopback is detected onthe interface, the interface stops learning MAC addresses.

l shutdown: shuts down the interface. After a loopback is eliminated, the shutdown interfacecannot be restored automatically. You must run the shutdown and undo shutdowncommands or run the restart command to restore the interface.

l trap: only sends a trap.

NOTE

l When the Quitvlan action is used, the configuration file remains unchanged.

----End

12.3.3 (Optional) Setting the Interface Recovery Time

Context

After loopback detection is enabled on an interface, the device sends loopback detection packetsat intervals through the interface, performs the preconfigured action configured by theloopback-detect action command on the interface after detecting a loopback, and startstiming. You can configure the interface recovery time. After the configured interface recoverytime, the system will attempt to recover the interface. If the loopback is removed on the interface,the system recovers the interface from the error-down state.

Procedure





Step 3 Run:loopback-detect recovery-time recovery-time

The interface recovery time is set.

By default, an interface recovers automatically three times the loopback detection interval laterafter a loop is removed.



366

NOTE

l It is recommended that the recovery time be at least three times the interval between sending loopbackdetection packets. If the interval between sending loopback detection packets is very short, set therecovery time to be at least 10 seconds longer than the interval.

l Automatic recovery is valid only for nolearn, block, trap, and quitvlan actions. The shutdowninterface cannot be restored automatically. You must run the shutdown and undo shutdowncommands or run the restart command to restore the interface.

----End

12.3.4 (Optional) Setting the Interval Between Sending LoopbackDetection Packets on an Interface

ContextAn interface sends loopback detection packets at intervals.

Procedure



Step 2 Run:loopback-detect packet-interval packet-interval-time

The interval between sending loopback detection packets is set.

By default, the interval between sending loopback detection packets is 5 seconds.

----End


Procedurel Run the display loopback-detect command to check the loopback detection

configuration and status of loopback detection enabled interfaces.

----End

12.4 Configuration ExamplesThis section describes configuration examples of loopback detection including networkingrequirements, configuration roadmap, and configuration procedure.

12.4.1 Example for Configuring Loopback Detection to DetectLoops on the Downstream Network



367

Networking RequirementsAs shown in Figure 12-3, if there is a loop on the network connected to the Eth0/0/1 interface,broadcast storms will occur on the Switch or even the entire network.

To detect loops on the network connected to the switch and disabled downlink interfaces toreduce impacts on the switch and other networks, enable loopback detection on the Switch.

Figure 12-3 Loopback detection network diagram

Switch

Eth0/0/1


1. Enable loopback detection on the interface to detect loops on downlink networks.2. Specify the VLAN ID for loopback detection packets.3. Set loopback detection parameters to enable the interface automatic recovery.

Procedure

Step 1 Enable loopback detection on the interface.<Quidway> system-view[Quidway] sysname Switch[Switch] interface ethernet 0/0/1[Switch-Ethernet0/0/1] loopback-detect enable[Switch-Ethernet0/0/1] quit

Step 2 Specify the VLAN ID for loopback detection packets.[Switch] vlan 100[Switch-vlan100] quit[Switch] interface ethernet 0/0/1[Switch-Ethernet0/0/1] port hybrid tagged vlan 100[Switch-Ethernet0/0/1] loopback-detect packet vlan 100

Step 3 Set loopback detection parameters.

# Configure the action the interface when a loopback is detected.

[Switch-Ethernet0/0/1] loopback-detect action block

# Set the interface recovery time after a loop is removed.



368

[Switch-Ethernet0/0/1] loopback-detect recovery-time 30[Switch-Ethernet0/0/1] quit

# Set the interval between sending loopback detection packets.

[Switch] loopback-detect packet-interval 10

Step 4 Check the configuration.

Run the display loopback-detect command to check the configuration.

[Switch] display loopback-detect Loopback-detect sending-packet interval: 10 --------------------------------------------------------------------------------Interface RecoverTime Action Status--------------------------------------------------------------------------------Ethernet0/0/1 30 block NORMAL

When loops occur on the Eth0/0/1 interface, the interface is blocked. The interface will recover30s after no loopback packets are detected.

----End


# sysname Switch# vlan batch 100# loopback-detect packet-interval 10#interface Ethernet0/0/1

port hybrid tagged vlan 100 loopback-detect recovery-time 30 loopback-detect packet vlan 100 loopback-detect enable#return



369

13 VoIP Access Configuration

About This Chapter

13.1 VoIP Access Overview


S2700&S3700 Series Ethernet SwitchesConfiguration Guide - Ethernet 13 VoIP Access Configuration


370

13.1 VoIP Access Overview

As the voice over IP (VoIP) service becomes more popular, voice data and non-voice data areusually transmitted on the same network. Voice data must have a higher priority than otherservice data to minimize the delay and packet loss during transmission. A commonly usedmethod to ensure preferred transmission of voice data is to configure an access control list (ACL)to identify voice data flow, and use quality of service (QoS) mechanisms to ensure high qualityof voice services.

The following methods can be used to implement VoIP access:l Link Layer Discovery Protocol (LLDP): If a voice device supports LLDP and has a high

802.1p priority (for example, 5), you can configure LLDP and Voice VLAN on the switch.Then the switch uses the LLDP protocol to deliver the Voice VLAN ID to the voice deviceand does not change the packet priority.

l Dynamic Host Configuration Protocol (DHCP): If a voice device supports DHCP and hasa high 802.1p priority (for example, 5), you can configure LLDP and Voice VLAN on theswitch. Then the switch uses the DHCP protocol to deliver the Voice VLAN ID to the voicedevice and does not change the packet priority.

l ACL: If a voice device does not support LLDP or DHCP, you can configure an ACL onthe switch so that the switch can assign the VLAN ID and priority for the VoIP service.


13.2.1 Example for Configuring LLDP on a Switch to Provide VoIPAccess

Networking RequirementsFlows of the HSI, VoIP, and IPTV services are transmitted on the network. Users require highquality of the VoIP service. Therefore, voice data flows must be transmitted with a high priority.If a voice device supports LLDP and has a high 802.1p priority (for example, 5), you canconfigure LLDP and Voice VLAN on the switch. Then the switch uses the LLDP protocol todeliver the Voice VLAN ID to the voice device and does not change the packet priority.

As shown in Figure 13-1, after a Voice VLAN is configured on the Switch, the voice devicelearns the Voice VLAN ID using LLDP.

NOTE

The S2700SI and S2710SI do not support this example.



371

Figure 13-1 Configuring LLDP to provide VoIP access

Switch

Internet

DHCP Server

HSI VoIP IPTV

Eth0/0/1

HG


1. Create VLANs.2. Configure the link type and default VLAN of the interface connected to the IP phone.3. Enable the Voice VLAN function on the interface.4. Configure the interface to join the Voice VLAN in manual mode.5. Set the working mode of the Voice VLAN.6. Configure the interface to trust the 802.1p priority of packets.7. Enable LLDP globally and on the interface.

Procedure

Step 1 Configure VLANs and interface on the Switch.



# Configure the link type and default VLAN of Ethernet0/0/1.

[Quidway] interface ethernet 0/0/1[Quidway-Ethernet0/0/1] port hybrid pvid vlan 6[Quidway-Ethernet0/0/1] port hybrid untagged vlan 6

Step 2 Configure the Voice VLAN on the Switch.

# Enable the Voice VLAN on Ethernet0/0/1.



372

[Quidway-Ethernet0/0/1] voice-vlan 2 enable

# Configure the mode in which Ethernet0/0/1 is added to the Voice VLAN.

[Quidway-Ethernet0/0/1] voice-vlan mode manual[Quidway-Ethernet0/0/1] port hybrid tagged vlan 2

# Configure the working mode of the Voice VLAN.

[Quidway-Ethernet0/0/1] undo voice-vlan security enable

Step 3 Configure the interface to trust the 802.1p priority of packets.[Quidway-Ethernet0/0/1] trust 8021p[Quidway-Ethernet0/0/1] quit

Step 4 Enable LLDP.[Quidway] lldp enable[Quidway] interface ethernet 0/0/1[Quidway-Ethernet0/0/1] lldp enable[Quidway-Ethernet0/0/1] return


Run the display voice-vlan 2 status command to check the Voice VLAN configuration,including the mode in which the interface is added to the Voice VLAN, working mode, andaging time of the Voice VLAN.

<Quidway> display voice-vlan 2 statusVoice VLAN Configurations:---------------------------------------------------Voice VLAN ID : 2Voice VLAN status : EnableVoice VLAN aging time : 1440(minutes) Voice VLAN 8021p remark : 6Voice VLAN dscp remark : 46----------------------------------------------------------Port Information:-----------------------------------------------------------Port Add-Mode Security-Mode Legacy-----------------------------------------------------------Ethernet0/0/1 Normal Disable

----End


#sysname Quidway#vlan batch 2 6# lldp enable # interface Ethernet0/0/1 voice-vlan 2 enable voice-vlan mode manual undo voice-vlan security enable port hybrid pvid vlan 6 port hybrid tagged vlan 2 port hybrid untagged vlan 6 trust 8021p#return



373

13.2.2 Example for Configuring a DHCP Server on a Switch toProvide VoIP Access


Flows of the HSI, VoIP, and IPTV services are transmitted on the network. Users require highquality of the VoIP service. Therefore, voice data flows must be transmitted with a high priority.If a voice device supports DHCP and has a high 802.1p priority (for example, 5), you canconfigure DHCP and Voice VLAN on the switch. Then the switch uses the DHCP protocol todeliver the Voice VLAN ID to the voice device and does not change the packet priority.

As shown in Figure 13-2, the voice device does not support VLAN configuration. In this case,you can configure the DHCP option so that the DHCP server can deliver the voice VLAN ID tothe voice device. The packets sent from the voice device will be tagged with VLAN6, the otherservices use VLAN2.

NOTE

Only the S3700 supports this example.

Figure 13-2 Configuring a DHCP server to provide VoIP access

Switch

Internet

DHCP Server

HSI VoIP IPTV

Eth0/0/1

HG



1. Create VLANs.

2. Configure the link type and default VLAN of the interface connected to the IP phone.

3. Configure the interface to trust the 802.1p priority of packets.

4. Configure an IP address pool.

5. Configure Option in the address pool.



374

6. Enable DHCP globally and configure the DHCP server on the VLANIF interface to allocateIP addresses using the global IP address pool.

Procedure

Step 1 Configure VLANs and interface on the Switch.



# Configure the link type and default VLAN of Ethernet0/0/1.

[Quidway] interface ethernet 0/0/1[Quidway-Ethernet0/0/1] port hybrid pvid vlan 2[Quidway-Ethernet0/0/1] port hybrid tagged vlan 6[Quidway-Ethernet0/0/1] port hybrid untagged vlan 2[Quidway-Ethernet0/0/1] quit

Step 2 Configure an IP address pool on the Switch.

# Create an IP address pool.

[Quidway] ip pool ip_access

# Configure the address range in the IP address pool.

[Quidway-ip-pool-ip_access] network 192.168.10.0 mask 24[Quidway-ip-pool-ip_access] gateway-list 192.168.10.254[Quidway-ip-pool-ip_access] option184 voice-vlan 6[Quidway-ip-pool-ip_access] quit

NOTE

The DHCP option is configured to enable the DHCP server to deliver the voice VLAN ID to the voicedevice. Option184 is used as an example here. IP phones from different vendors may use different options.For the specific option used by an IP phone, see the user manual of the IP phone. For details on how toconfigure the option, see the option command in S2700&S3700 Series Ethernet Switches IP ServiceCommands - DHCP Configuration Commands.

Step 3 Configure the interface to trust the 802.1p priority of packets.[Quidway] interface ethernet 0/0/1[Quidway-Ethernet0/0/1] trust 8021p[Quidway-Ethernet0/0/1] quit

Step 4 Enable DHCP globally,[Quidway] dhcp enable

Step 5 Create the VLANIF interface corresponding to the default VLAN of Ethernet0/0/1. Configurethe DHCP server on the VLANIF interface to allocate IP addresses using the global addresspool.[Quidway] interface Vlanif2[Quidway-Vlanif2] ip address 192.168.10.1 255.255.255.0[Quidway-Vlanif2] dhcp select global

----End


#vlan batch 2 6



375

# dhcp enable #ip pool ip_access gateway-list 192.168.10.254 network 192.168.10.0 mask 255.255.255.0 option184 voice-vlan 6# interface Vlanif2 ip address 192.168.10.1 255.255.255.0 dhcp select global # interface Ethernet0/0/1 port hybrid pvid vlan 2 port hybrid tagged vlan 6 port hybrid untagged vlan 2 trust 8021p (inner)# return

13.2.3 Example for Configuring an Simplified ACL on a Switch toProvide VoIP Access

Networking RequirementsFlows of the HSI, VoIP, and IPTV services are transmitted on the network. Users require highquality of the VoIP service. Therefore, voice data flows must be transmitted with a high priority.If a voice device connected to a switch does not support LLDP or DHCP, you can configure anACL on the switch to implement VoIP access.

As shown in Figure 13-3, the voice device sends untagged packets. To ensure high-quality VoIPservice, the Switch identifies voice data packets based on the source MAC address, tags thevoice data packets with VLAN 200, and sets the priority of the voice data packets to 7.

NOTE

The S2700SI and S2710SI do not support this example.



376

Figure 13-3 Configuring an ACL to provide VoIP access

Switch

Internet

DHCP Server

HSI VoIP IPTV

Eth0/0/1

HG


1. Create a VLAN.2. Configure the link type and default VLAN of the interface connected to the voice device.3. Configure an ACL rule to match the MAC address of the voice device.4. Configure the Switch to change the priority of the packets matching the ACL rule.

Procedure

Step 1 Configure VLAN and interface on the Switch.

# Create VLAN 200.

<Quidway> system-view[Quidway] vlan 200[Quidway-vlan200] quit

# Configure the link type and default VLAN of the interface connected to the voice device.

[Quidway] interface ethernet 0/0/1[Quidway-Ethernet0/0/1] port link-type access[Quidway-Ethernet0/0/1] port default vlan 200[Quidway-Ethernet0/0/1] quit

Step 2 Configure an ACL.[Quidway] acl 4000[Quidway-acl-L2-4000] rule permit source-mac 1234-1234-1234 ffff-ffff-ff00[Quidway-acl-L2-4000] quit

Step 3 Apply the ACL to Eth0/0/1 and re-mark the priority of the packets matching the ACL.



377

[Quidway] interface ethernet 0/0/1[Quidway-Ethernet0/0/1] traffic-remark inbound acl 4000 8021p 7[Quidway-Ethernet0/0/1] traffic-remark inbound acl 4000 dscp ef[Quidway-Ethernet0/0/1] return


Run the display acl 4000 command to check the ACL configuration.

<Quidway> display acl 4000 L2 ACL 4000, 1 rule Acl's step is 5 rule 5 permit source-mac 1234-1234-1200 ffff-ffff-ff00

----End


#sysname Quidway#vlan batch 200# acl number 4000 rule 5 permit source-mac 1234-1234-1200 ffff-ffff-ff00 #interface Ethernet0/0/1 port link-type access port default vlan 200 traffic-remark inbound acl 4000 8021p 7 traffic-remark inbound acl 4000 dscp ef # return



378

Configuration Guide - Ethernet -...

Documents

Transcript of Configuration Guide - Ethernet -...