8/17/2019 Series Switches Huawei s5700
http://slidepdf.com/reader/full/series-switches-huawei-s5700 1/111
S1720&S2700&S3700&S5700&S6700&S7700&S9700 Series Switches
Common Operation Guide
Issue 05
Date 2015-10-23
HUAWEI TECHNOLOGIES CO., LTD.
Copyright © Huawei Technologies Co., Ltd. 2015. All rights reserved.
No part of this document may be reproduced or transmitted in any form or by any means without prior written
consent of Huawei Technologies Co., Ltd.
Trademarks and Permissions
and other Huawei trademarks are trademarks of Huawei Technologies Co., Ltd.
All other trademarks and trade names mentioned in this document are the property of their respective
holders.
Notice
The purchased products, services and features are stipulated by the contract made between Huawei and the customer. All or part of the products, services and features described in this document may not be within the purchase scope or the usage scope. Unless otherwise specified in the contract, all statements, information, and recommendations in this document are provided "AS IS" without warranties, guarantees or representations of any kind, either express or implied.
The information in this document is subject to change without notice. Every effort has been made in the preparation of this document to ensure accuracy of the contents, but all statements, information, and recommendations in this document do not constitute a warranty of any kind, express or implied.
Huawei Technologies Co., Ltd.
Address: Huawei Industrial Base
Bantian, Longgang
Shenzhen 518129
People's Republic of China
Website: http://e.huawei.com
Issue 05 (2015-10-23) Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.
i
About This Document
Intended Audience
This document is intended for:
• Data configuration engineers
• Commissioning engineers
• Network monitoring engineers
• System maintenance engineers
Symbol Conventions
The symbols that may be found in this document are defined as follows.
Symbol Description
[symbol image] Indicates an imminently hazardous situation which, if not avoided, will result in death or serious injury.
[symbol image] Indicates a potentially hazardous situation which, if not avoided, could result in death or serious injury.
[symbol image] Indicates a potentially hazardous situation which, if not avoided, may result in minor or moderate injury.
[symbol image] Indicates a potentially hazardous situation which, if not avoided, could result in equipment damage, data loss, performance deterioration, or unanticipated results. NOTICE is used to address practices not related to personal injury.
NOTE Calls attention to important information, best practices and tips. NOTE is used to address information not related to personal injury, equipment damage, and environment deterioration.
Command Conventions
The command conventions that may be found in this document are defined as follows.
Convention Description
Boldface The keywords of a command line are in boldface.
Italic Command arguments are in italics.
[ ] Items (keywords or arguments) in brackets [ ] are optional.
{ x | y | ... } Optional items are grouped in braces and separated by vertical bars. One item is selected.
[ x | y | ... ] Optional items are grouped in brackets and separated by vertical bars. One item is selected or no item is selected.
{ x | y | ... }* Optional items are grouped in braces and separated by vertical bars. A minimum of one item or a maximum of all items can be selected.
[ x | y | ... ]* Optional items are grouped in brackets and separated by vertical bars. Several items or no item can be selected.
&<1-n> The parameter before the & sign can be repeated 1 to n times.
# A line starting with the # sign is a comment.
Interface Numbering Conventions
Interface numbers used in this manual are examples and may not exist on devices. In device configuration, use the existing interface numbers on devices.
Security Conventions
• Password setting
– When configuring a password, the cipher text is recommended. To ensure device security, change the password periodically.
– When you configure a password in plain text that starts and ends with %^%#, %#%#, %@%@ or @%@% (the password can be decrypted by the device), the password is displayed in the configuration file in the same form in which it was configured. Do not use this setting.
– When you configure a password in cipher text, different features cannot use the same cipher-text password. For example, the cipher-text password set for the AAA feature cannot be used for other features.
• Encryption algorithm
Currently, the device uses the following encryption algorithms: 3DES, AES, RSA, SHA1, SHA2, and MD5. 3DES, RSA and AES are reversible, while SHA1, SHA2, and MD5 are irreversible. The algorithms DES/3DES/RSA (RSA-1024 or lower)/MD5 (in digital signature scenarios and password encryption)/SHA1 (in digital signature scenarios) have low security and may bring security risks. If the protocol allows it, using more secure algorithms, such as AES/RSA (RSA-2048 or higher)/SHA2/HMAC-SHA2, is recommended. The choice of algorithm depends on the actual networking. An irreversible algorithm must be used for the administrator password; SHA2 is recommended.
• Personal data
Some personal data may be obtained or used during operation or fault location of your purchased products, services, and features, so you have an obligation to make privacy policies and take measures according to the applicable law of the country to protect personal data.
• The terms mirrored port, port mirroring, traffic mirroring, and mirroring in this manual are mentioned only to describe the product's function of communication error or failure detection, and do not involve collection or processing of any personal information or communication data of users.
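The plain-text password caveat above is easy to miss in a large configuration, so a small audit over the saved configuration text is a practical check. The following is an added example, not code from the Huawei guide: it flags any plain-text password whose value begins and ends with one of the four marker strings the guide lists (and, at lower severity, any plain-text password at all, since cipher text is recommended). The `password simple|cipher|irreversible-cipher` line syntax is an assumption made for the sample, and the sample configuration lines and their values are constructed placeholders.

```python
"""Audit check for the plain-text password caveat in the Security Conventions.

Added example, not part of the Huawei guide. The guide states that a plain-text
password which starts and ends with %^%#, %#%#, %@%@ or @%@% is written to the
configuration file exactly as typed, so it must not be used. The line syntax
"password <simple|cipher|irreversible-cipher> <value>" is an assumption for the
sample; the sample configuration below is constructed.
"""
import re

# The marker strings listed in the guide.
MARKERS = ("%^%#", "%#%#", "%@%@", "@%@%")

# Assumed line syntax: "... password <form> <value>".
PASSWORD_LINE = re.compile(
    r"\bpassword\s+(?P<form>simple|cipher|irreversible-cipher)\s+(?P<value>\S+)"
)


def wrapped_in_marker(value: str) -> bool:
    """True when the value begins and ends with the same marker string."""
    return any(value.startswith(m) and value.endswith(m) for m in MARKERS)


def audit_config(config_text: str) -> list[dict]:
    """Return one finding per problematic password line, in file order."""
    findings = []
    for lineno, line in enumerate(config_text.splitlines(), start=1):
        match = PASSWORD_LINE.search(line)
        if match is None:
            continue
        form, value = match.group("form"), match.group("value")
        if form != "simple":
            # Assumption: cipher-text forms are where the device itself uses
            # the markers as framing, so they are not the problem case.
            continue
        if wrapped_in_marker(value):
            findings.append({
                "line": lineno,
                "issue": "plain-text password uses cipher-text markers; stored as typed",
            })
        else:
            findings.append({
                "line": lineno,
                "issue": "plain-text password; cipher text is recommended",
            })
    return findings


# Constructed sample configuration; hash and cipher values are placeholders.
SAMPLE_CONFIG = """\
#
local-user admin password irreversible-cipher $PLACEHOLDER-HASH$
local-user ops password simple %^%#Weak-Pass%^%#
local-user guest password simple Gu3st-Only
local-user legacy password cipher %@%@PLACEHOLDER-CIPHER%@%@
#
"""

if __name__ == "__main__":
    for finding in audit_config(SAMPLE_CONFIG):
        print(f"line {finding['line']}: {finding['issue']}")
```

Run against an exported configuration file instead of `SAMPLE_CONFIG` to get findings with line numbers; a value that starts with one marker and ends with a different one is deliberately not treated as the marker case, because the guide's condition is that the password starts and ends with the same sequence.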
Declaration
This manual is only a reference for you to configure your devices. The contents in the manual, such as web pages, command line syntax, and command outputs, are based on the device conditions in the lab. The manual provides instructions for general scenarios, but does not cover all usage scenarios of all product models. The contents in the manual may differ from your actual device situation due to differences in software versions, models, and configuration files. The manual will not list every possible difference. You should configure your devices according to the actual situation.
The specifications provided in this manual are tested in a lab environment (for example, the tested device has been installed with a certain type of boards or only one protocol is run on the device). Results may differ from the listed specifications when you attempt to obtain the maximum values with multiple functions enabled on the device.
Change History
Updates between document issues are cumulative. Therefore, the latest document issue contains all updates made in previous issues.
Changes in Issue 05 (2015-10-23)
This version has the following updates:
Some contents are modified according to updates in the product.
Changes in Issue 04 (2015-07-31)
This version has the following updates:
Some contents are modified according to updates in the product.
Changes in Issue 03 (2015-02-12)
This version has the following updates:
The following information is modified:
• 2.9 Using Basic ACL Rules to Control User Login
• 2.10 Backing Up the Configuration File
• 2.11 Restoring the Configuration File
• 2.12 Logging In to a Device Through STelnet
Changes in Issue 02 (2015-01-15)
This version has the following updates:
The matching software version V200R007C10 is added to the document.
Changes in Issue 01 (2014-10-25)
Initial commercial release.
Contents
About This Document ..... ii
1 Use the Quick Search Tool ..... 1
2 Common System Operations ..... 2
2.1 Handling Loss of the Password for Console Port Login ..... 3
2.2 Handling Loss of the Password for Telnet Login ..... 4
2.3 Handling Loss of the Password for Web Login ..... 5
2.4 Handling BootROM Password Loss ..... 5
2.5 Deleting the Device Configuration ..... 6
2.6 Configuring a Local Telnet User ..... 6
2.7 Setting a User Level ..... 7
2.8 Setting Screen Display ..... 7
2.9 Using Basic ACL Rules to Control User Login ..... 7
2.10 Backing Up the Configuration File ..... 8
2.11 Restoring the Configuration File ..... 9
2.12 Logging In to a Device Through STelnet ..... 11
3 Common Hardware Management Operations ..... 13
3.1 Active/Standby Switchover ..... 14
3.2 Setting Temperature Alarm Thresholds ..... 14
3.3 Setting Temperature Thresholds for Adjusting the Fan Speed ..... 14
4 Common Mirroring Operations ..... 16
4.1 Configuring an Observing Port ..... 17
4.2 Configuring Port Mirroring ..... 17
4.3 Configuring Traffic Mirroring ..... 18
4.4 Deleting the Mirroring Configuration ..... 20
5 Common MAC Address Operations ..... 21
5.1 Displaying All MAC Address Entries ..... 22
5.2 Displaying MAC Address Entries Learned by an Interface ..... 22
5.3 Displaying MAC Address Entries Learned in a VLAN ..... 22
5.4 Displaying the System MAC Address ..... 22
5.5 Displaying the MAC Address of an Interface ..... 23
5.6 Displaying the MAC Address of a VLANIF Interface ..... 23
5.7 Configuring a Static MAC Address ..... 23
5.8 Configuring a Blackhole MAC Address ..... 24
5.9 Displaying and Setting the Aging Time of MAC Addresses ..... 24
5.10 Configuring Port Security ..... 24
6 Common Ethernet Interface Operations ..... 26
6.1 Configuring a Port Group ..... 27
6.2 Configuring Port Isolation ..... 27
6.3 Configuring the Working Mode of a Combo Interface ..... 28
6.4 Configuring the Interface Rate ..... 28
6.5 Configuring the Duplex Mode ..... 29
6.6 Switching an Interface to Layer 3 Mode ..... 29
6.7 One-Click Configuration Deletion on an Interface ..... 30
7 Common Link Aggregation Operations ..... 31
7.1 Adding Member Interfaces to an Eth-Trunk in a Batch ..... 32
7.2 Deleting a Specified Member Interface from an Eth-Trunk ..... 32
7.3 Deleting an Eth-Trunk ..... 32
7.4 Displaying the Eth-Trunk Configuration ..... 32
7.5 Displaying Information About Eth-Trunk Member Interfaces ..... 34
7.6 Displaying the Numbers of Eth-Trunks and Member Interfaces Supported by the Device ..... 34
8 Common VLAN Operations ..... 35
8.1 Creating VLANs in a Batch ..... 36
8.2 Adding Interfaces to a VLAN in a Batch ..... 36
8.3 Restoring the Default VLAN Configuration of an Interface ..... 37
8.4 Deleting a VLAN or VLANs in a Batch ..... 37
8.5 Changing the Link Type of an Interface ..... 37
9 Common QinQ Operations ..... 40
9.1 Configuring Basic QinQ ..... 41
9.2 Configuring Selective QinQ ..... 41
9.3 Configuring the Device to Add Double Tags to Untagged Packets ..... 42
9.4 Deleting the Selective QinQ Configuration ..... 43
10 Common STP/RSTP Operations ..... 44
10.1 Enabling STP/RSTP ..... 45
10.2 Disabling STP/RSTP ..... 45
10.3 Configuring Root Protection ..... 45
10.4 Configuring an Edge Port ..... 45
10.5 Changing the STP/RSTP Cost ..... 45
10.6 Displaying the STP/RSTP Status ..... 46
10.7 Displaying the Root Bridge ..... 46
11 Common DHCP Operations ..... 47
11.1 Configuring IP Addresses Not Dynamically Assigned ..... 49
11.2 Modifying the Lease ..... 49
11.3 Assigning Fixed IP Addresses to Clients ..... 50
11.4 Withdrawing the Fixed IP Addresses Assigned to Clients ..... 50
11.5 Checking IP Addresses Used ..... 51
11.6 Clearing Conflicting Addresses ..... 51
11.7 Increasing the Address Pool Range ..... 52
11.8 Decreasing the Address Pool Range ..... 53
11.9 Preventing a Device from Obtaining an IP Address from a Pseudo DHCP Server ..... 54
11.10 Disabling the DHCP Service ..... 54
12 Common ARP Operations ..... 55
12.1 Checking ARP Entries ..... 56
12.2 Updating ARP Entries ..... 57
12.3 Setting the Aging Time of ARP Entries ..... 58
12.4 Configuring Static ARP Entries ..... 58
12.5 Configuring ARP Proxy ..... 61
12.6 Shielding ARP Miss Alarms Based on Source IP Addresses ..... 62
12.7 Configuring Dynamic ARP Detection ..... 62
12.8 Configuring ARP Gateway Anti-Collision ..... 63
13 Common ACL Operations ..... 64
13.1 Deleting a Time Range ..... 65
13.2 Deleting ACL and ACL6 ..... 65
13.3 Configuring a Time-Based ACL Rule ..... 65
13.4 Configuring a Packet Filtering Rule Based on the Source IP Address (Host Address) ..... 66
13.5 Configuring a Packet Filtering Rule Based on the Source IP Address Segment ..... 66
13.6 Configuring a Packet Filtering Rule Based on the IP Fragment Information and Source IP Address Segment ..... 66
13.7 Configuring a Packet Filtering Rule for ICMP Protocol Packets Based on Source IP Address (Host Address) and Destination IP Address Segment ..... 67
13.8 Configuring a Packet Filtering Rule for TCP Protocol Packets Based on TCP Destination Port Number, Source IP Address (Host Address), and Destination IP Address Segment ..... 67
13.9 Configuring a Packet Filtering Rule for TCP Packets Based on the Source IP Address Segment and TCP Flags ..... 68
13.10 Configuring Packet Filtering Rules Based on the Source MAC Address, Destination MAC Address, and Layer 2 Protocol Types ..... 69
13.11 Configuring a Packet Filtering Rule Based on the Source MAC Address Segment and Inner VLAN IDs ..... 69
13.12 Configuring Packet Filtering Rules Based on Layer 2 Headers, Offsets, Character String Masks, and User-Defined Character Strings ..... 70
14 Common QoS Operations ..... 73
14.1 Configuring Interface-based Rate Limiting on the S7700/S9700 ..... 74
14.2 Configuring Interface-based Rate Limiting on the S2700/S5700/S6700 ..... 74
14.3 Deleting the Interface-based Rate Limiting Configuration on the S7700/S9700 ..... 75
14.4 Deleting the Interface-based Rate Limiting Configuration on the S2700/S5700/S6700 ..... 75
14.5 Using a Traffic Policy to Limit the Rate of Packets ..... 75
14.6 Using a Traffic Policy to Filter Packets ..... 76
14.7 Configuring Traffic Statistics in a Traffic Policy ..... 77
15 Common IPSG Operations ..... 80
15.1 Configuring IPSG Based on a Static Binding Table ..... 81
15.2 Configuring IPSG Based on DHCP Snooping Dynamic Binding Table ..... 82
15.3 Deleting Static Binding Entries ..... 83
16 Common AAA Operations ..... 85
16.1 Configuring Authentication for Telnet Login Users (AAA Local Authentication) ..... 86
16.2 Setting the User Level ..... 86
16.3 Configuring the Global Default Domain ..... 87
17 Common NAC Operations ..... 88
17.1 Configuring MAC Address Bypass Authentication ..... 89
17.2 Configuring the Guest VLAN Function ..... 89
17.3 Configuring Layer 2 Transparent Transmission of 802.1x Authentication Packets ..... 90
18 Common VRRP Operations ..... 91
18.1 Enabling the Master to Respond to Ping Packets Sent to a Virtual IP Address ..... 92
18.2 Configuring Association Between VRRP and the Interface Status ..... 92
18.3 Configuring Association Between VRRP and BFD ..... 92
18.4 Configuring Association Between VRRP and NQA ..... 92
18.5 Configuring Association Between VRRP and Routing ..... 93
18.6 Configuring the VRRP Version Number ..... 93
18.7 Configuring a Preemption Mode ..... 93
18.8 Configuring the Mode in Which the Master Sends VRRP Advertisement Packets in a Super-VLAN ..... 93
18.9 Enabling MAC Address Triggered ARP Entry Update ..... 94
19 Common SNMP Operations ..... 95
19.1 Configuring Access Control ..... 96
19.2 Setting the SNMP Version and Community Name ..... 96
19.3 Configuring User Group and User Name ..... 96
19.4 Configuring the Device to Send Traps ..... 97
19.5 Deleting Community Name ..... 98
20 Common OSPF Operations ..... 99
1 Use the Quick Search Tool
Switch Hardware Query Tool
This tool allows you to quickly query hardware information of switches. You do not need to
register a Huawei account before using this tool.
Command Query Tool
This tool shows details about commands used on switches. You do not need to register a
Huawei account before using this tool.
Alarm Query Tool
This tool shows details about alarms used on switches. You do not need to register a Huawei
account before using this tool.
2 Common System Operations
About This Chapter
This chapter describes common system login and file management operations, providing
instructions on how to handle password loss, configure a local user, and set screen display.
2.1 Handling Loss of the Password for Console Port Login
2.2 Handling Loss of the Password for Telnet Login
2.3 Handling Loss of the Password for Web Login
2.4 Handling BootROM Password Loss
2.5 Deleting the Device Configuration
2.6 Configuring a Local Telnet User
2.7 Setting a User Level
2.8 Setting Screen Display
2.9 Using Basic ACL Rules to Control User Login
2.10 Backing Up the Configuration File
2.11 Restoring the Configuration File
2.12 Logging In to a Device Through STelnet
2.1 Handling Loss of the Password for Console Port Login
If you forget the password for logging in through the console port, use either of the following
two methods to set a new password.
Logging In to the Switch Through STelnet or Telnet to Set a New Password
NOTICE
Telnet may bring security risks. You are advised to log in to the switch through STelnet V2.
Ensure that you have an STelnet/Telnet account and administrator rights. The following uses
the command lines and outputs of logging in to the device using STelnet as an example. After
logging in to the switch through STelnet, perform the following configuration.
# Take password authentication as an example. Set the password to Huawei@123.
<HUAWEI> system-view
[HUAWEI] user-interface console 0
[HUAWEI-ui-console0] authentication-mode password
[HUAWEI-ui-console0] set authentication password cipher Huawei@123
[HUAWEI-ui-console0] return
<HUAWEI> save
# Take AAA authentication as an example. Set the user name and password to admin123 and
Huawei@123 respectively.
<HUAWEI> system-view
[HUAWEI] user-interface console 0
[HUAWEI-ui-console0] authentication-mode aaa
[HUAWEI-ui-console0] quit
[HUAWEI] aaa
[HUAWEI-aaa] local-user admin123 password irreversible-cipher Huawei@123
[HUAWEI-aaa] local-user admin123 service-type terminal
[HUAWEI-aaa] return
<HUAWEI> save
Clearing the Lost Password Through the BootROM Menu
NOTE
If the switch has two MPUs, remove the standby MPU before performing the following operations.
After performing the following operations, install the standby MPU and run the save command to ensure
the consistent configuration on the active and standby MPUs.
You can use the BootROM menu of the switch to clear the lost password for console port
login. After starting the switch, set a new password and save your configuration. Perform the
following steps.
1. Connect the terminal to the console port of the switch and restart the switch. When the
following message is displayed, press Ctrl+B immediately and enter the BootROM
password to enter the BootROM menu.
Information displayed on modular switches:
Press Ctrl+B to enter boot menu ... 1
Password: //Enter the BootROM password.
Information displayed on fixed switches:
Press Ctrl+B or Ctrl+E to enter BootROM menu ... 2
password: //Enter the BootROM password.
NOTE
- Some models of fixed switches allow you to enter the BootROM menu by pressing Ctrl+E.
Perform operations as prompted on the screen.
- The default BootROM password of fixed switches is huawei in versions earlier than
V100R006C03 and [email protected] in V100R006C03 and later.
- The default BootROM password of modular switches is 9300 in V100R006 and earlier
versions, and [email protected] in versions after V100R006.
2. Select Clear password for console user on the BootROM menu to clear the password
for console port login.
3. Select Boot with default mode on the BootROM menu to start the switch as prompted.
NOTE
Do not select Reboot; otherwise, the password cannot be cleared.
4. After the switch is started, log in through the console port. Authentication is not required
when you log in. Set a password as prompted after login.
5. You can set an authentication mode and password for the console user interface
according to service requirements. The configuration is similar to that of Logging In to
the Switch Through STelnet or Telnet to Set a New Password, and is not provided
here.
2.2 Handling Loss of the Password for Telnet Login
If you forget the Telnet login password, log in to the switch through the console port and set a new password for Telnet login.
NOTE
The following uses the command lines of the S7700 in V200R006C00 as an example.
# Logging in to the device through the console port.
1. Connect the DB9 female connector of the console cable to the COM port on the PC, and
connect the RJ45 connector to the console port on the device.
2. Start the terminal emulation software on the PC. Create a connection, select the
connected port, and set communication parameters.
– Baud rate: 9600
– Data bits: 8
– Stop bits: 1
– Parity: None
– Flow control: None
3. Click Connect. Enter or configure the login password as prompted to log in to the switch.
# Take password authentication for VTY0 login as an example. Set the password to
Huawei@123.
<HUAWEI> system-view
[HUAWEI] user-interface vty 0
[HUAWEI-ui-vty0] protocol inbound telnet //By default, switches in V200R006 and earlier versions support Telnet, and switches in V200R007 and later versions support SSH.
[HUAWEI-ui-vty0] authentication-mode password
[HUAWEI-ui-vty0] set authentication password cipher Huawei@123
[HUAWEI-ui-vty0] user privilege level 15
[HUAWEI-ui-vty0] return
<HUAWEI> save
# Take AAA authentication for VTY0 login as an example. Set the user name and password to
admin123 and Huawei@123 respectively.
<HUAWEI> system-view
[HUAWEI] user-interface vty 0
[HUAWEI-ui-vty0] protocol inbound telnet //By default, switches in V200R006 and earlier versions support Telnet, and switches in V200R007 and later versions support SSH.
[HUAWEI-ui-vty0] authentication-mode aaa
[HUAWEI-ui-vty0] quit
[HUAWEI] aaa
[HUAWEI-aaa] local-user admin123 password irreversible-cipher Huawei@123
[HUAWEI-aaa] local-user admin123 service-type telnet
[HUAWEI-aaa] local-user admin123 privilege level 15
[HUAWEI-aaa] return
<HUAWEI> save
2.3 Handling Loss of the Password for Web Login
If you forget the web login password, log in to the switch through the console port, Telnet, or
STelnet, and set a new password for web login.
NOTICE
Telnet may bring security risks. You are advised to log in to the switch through the console
port or STelnet.
# Set the user name and password to admin123 and Huawei@123 respectively.
<HUAWEI> system-view
[HUAWEI] aaa
[HUAWEI-aaa] local-user admin123 password irreversible-cipher Huawei@123
[HUAWEI-aaa] local-user admin123 service-type http
[HUAWEI-aaa] local-user admin123 privilege level 15
[HUAWEI-aaa] return
<HUAWEI> save
2.4 Handling BootROM Password Loss
If you forget the BootROM password, log in to the switch and run the reset boot password
command in the user view to restore the default BootROM password.
- The default BootROM password of fixed switches is huawei in versions earlier than
V100R006C03 and [email protected] in V100R006C03 and later.
- The default BootROM password of modular switches is 9300 in V100R006 and earlier
versions, and [email protected] in versions after V100R006.
2.5 Deleting the Device Configuration
To clear the current configuration and restore factory settings of a device, run the reset saved-
configuration command to clear the configuration file for the next startup and then restart the
device. If you are prompted to save the configuration, select N indicating that the device will
not save the current configuration.
NOTICE
Exercise caution and follow the instructions of the technical support personnel when you run
this command.
<HUAWEI> reset saved-configuration
Warning: The action will delete the saved configuration in the device.
The configuration will be erased to reconfigure. Continue? [Y/N]:y
Warning: Now clearing the configuration in the device.
Info: Succeeded in clearing the configuration in the device.
<HUAWEI> reboot
Info: The system is now comparing the configuration, please wait.
Warning: The configuration has been modified, and it will be saved to the next startup saved-configuration file flash:/vrpcfg.zip. Continue? [Y/N]:n //Select "N" here.
Info: If want to reboot with saving diagnostic information, input 'N' and then
execute 'reboot save diagnostic-information'.
System will reboot! Continue?[Y/N]:y
The command outputs on your device may be different from that provided in this example.
2.6 Configuring a Local Telnet User
# Take AAA authentication as an example. Set the user name and password to admin123 and
Huawei@123 respectively.
Ensure that the Telnet function has been enabled before performing this operation.
NOTE
The following uses the command lines of the S7700 in V200R006C00 as an example.
<HUAWEI> system-view
[HUAWEI] user-interface vty 0
[HUAWEI-ui-vty0] protocol inbound telnet //By default, switches in V200R006 and earlier versions support Telnet, and switches in V200R007 and later versions support SSH.
[HUAWEI-ui-vty0] authentication-mode aaa
[HUAWEI-ui-vty0] quit
[HUAWEI] aaa
[HUAWEI-aaa] local-user admin123 password irreversible-cipher Huawei@123
[HUAWEI-aaa] local-user admin123 service-type telnet
[HUAWEI-aaa] local-user admin123 privilege level 15
[HUAWEI-aaa] return
<HUAWEI> save
2.7 Setting a User Level
When password authentication or none authentication is used, use the following method to set
a user level. Take the VTY user interface as an example.
<HUAWEI> system-view
[HUAWEI] user-interface vty 0
[HUAWEI-ui-vty0] user privilege level 15 //Set the user level to 15 for the VTY 0 user interface.
When AAA authentication is used, use the following methods (in descending order of
priorities) to set a user level. Take the VTY user interface as an example.
- Set a user level for a single user.
<HUAWEI> system-view
[HUAWEI] aaa
[HUAWEI-aaa] local-user user1 privilege level 15 //Set the user level of user1 to 15.
- Set a user level for all users in a domain.
<HUAWEI> system-view
[HUAWEI] aaa
[HUAWEI-aaa] service-scheme sch1
[HUAWEI-aaa-service-sch1] admin-user privilege level 15 //Set the user level to 15.
[HUAWEI-aaa-service-sch1] quit
[HUAWEI-aaa] domain domain1
[HUAWEI-aaa-domain-domain1] service-scheme sch1 //Bind the service scheme sch1 to domain1.
- Set a user level for all users that log in through a specified user interface.
<HUAWEI> system-view
[HUAWEI] user-interface maximum-vty 15 //Set the maximum number of VTY user interfaces to 15.
[HUAWEI] user-interface vty 0 14 //Enter the VTY user interfaces VTY 0 to VTY 14.
[HUAWEI-ui-vty0-14] user privilege level 15 //Set the user level to 15 for the VTY user interfaces VTY 0 to VTY 14.
2.8 Setting Screen Display
Run the screen-length screen-length [ temporary ] command in the user view or user
interface view to set the number of rows to be displayed on a screen. The parameter
temporary is mandatory when you run this command in the user view and specifies the
number of rows to be temporarily displayed on a terminal screen. The default number of rows
is 24.
In V200R005 and earlier versions, run the screen-width screen-length command in any view
to set the number of columns to be displayed on the screen. The default number of columns is
80. Each character is a column. In versions after V200R005, the number of columns displayed
on a terminal screen cannot be set using this command. The device automatically adjusts the
number of columns displayed on a terminal screen.
2.9 Using Basic ACL Rules to Control User Login
After logging in to a device using Telnet or STelnet, you can configure ACL rules that allow
only users with the specified IP addresses or on the specified network segments to log in to the device.
# Start the FTP server program.
Start the FTP server program on the PC. Specify the FTP working directory where the
configuration file is to be saved, and the IP address, port number, user name, and
password of the FTP server.
# Save the current configuration on the device.
<HUAWEI> save
# Log in to the FTP server.
<HUAWEI> ftp 10.110.24.254
Trying 10.110.24.254 ...
Press CTRL+K to abort
Connected to 10.110.24.254.
220 WFTPD 2.0 service (by Texas Imperial Software) ready for new user //WFTPD is the local FTP server program.
User(10.135.86.164:(none)):admin123 //Enter the user name.
331 Give me your password, please
Enter password: //Enter the password.
230 Logged in successfully
[ftp]
# Back up the configuration file of the device to the PC.
[ftp] put config.cfg
200 Port command successful.
150 Opening data connection for config.cfg.
226 File received ok
FTP: 1257 byte(s) sent in 0.03 second(s) 40.55Kbyte(s)/sec.
NOTE
- After the configuration file is transferred to the PC, check whether the size of the configuration
file on the PC is the same as that on the device. If not, an exception may have occurred during file
backup. Back up the configuration file again.
- To transfer the configuration file in a simpler way, configure the PC as the TFTP server and
the device as the TFTP client. The configuration procedure is similar to the procedure when
the PC serves as an FTP server and the device serves as an FTP client, except that a user
name and password are not required for configuring the TFTP server. You only need to run the
tftp 10.110.24.254 put config.cfg command on the device.
- TFTP has no authentication or authorization mechanism, whereas FTP has authentication and
authorization mechanisms. TFTP and FTP both transfer data in plaintext mode, which brings
security risks, and therefore apply only to good-performance networks. If you have a high
requirement for network security, SFTP V2, SCP, or FTPS is recommended.
2.11 Restoring the Configuration File
When misconfigurations cause exceptions on a device, transfer the backup configuration file
to the device and specify the downloaded configuration file for the next startup. Assume that
the IP address of the PC that saves the configuration file is 10.110.24.254/24 and the device's
IP address is 10.136.23.5/24.
1. Transfer the backup configuration file to the device using FTP.
– When the device serves as an FTP server and the PC serves as an FTP client:
# Configure the FTP function for the device and information about an FTP user.
<HUAWEI> system-view
[HUAWEI] ftp server enable
[HUAWEI] aaa
[HUAWEI-aaa] local-user admin1234 password irreversible-cipher Helloworld@6789
[HUAWEI-aaa] local-user admin1234 privilege level 15
[HUAWEI-aaa] local-user admin1234 service-type ftp
[HUAWEI-aaa] local-user admin1234 ftp-directory cfcard:/
[HUAWEI-aaa] quit
[HUAWEI] quit
# Connect the PC to the device using FTP. Enter the user name admin1234 and
password Helloworld@6789 and set the file transfer mode to binary.
The following example assumes that the PC runs the Windows XP operating
system.
C:\Documents and Settings\Administrator> ftp 10.136.23.5
Connected to 10.136.23.5.
220 FTP service ready.
User (10.136.23.5:(none)): admin1234
331 Password required for admin1234.
Password:
230 User logged in.
ftp> binary
200 Type set to I.
ftp>
# Upload the backup configuration file to the device.
ftp> put vrpcfg.zip
200 Port command okay.
150 Opening BINARY mode data connection for vrpcfg.zip.
226 Transfer complete.
ftp: 1257 bytes sent in 0.03 Seconds 40.55Kbytes/sec.
– When the PC serves as an FTP server and the device serves as an FTP client:
# Start the FTP server program.
Start the FTP server program on the PC. Specify the FTP working directory where
the configuration file is saved, and the IP address, port number, user name, and
password of the FTP server.
# Log in to the FTP server.
<HUAWEI> ftp 10.110.24.254
Trying 10.110.24.254 ...
Press CTRL+K to abort
Connected to 10.110.24.254.
220 WFTPD 2.0 service (by Texas Imperial Software) ready for new user //WFTPD is the local FTP server program.
User(10.135.86.164:(none)):admin123 //Enter the user name.
331 Give me your password, please
Enter password: //Enter the password.
230 Logged in successfully
[ftp]
# Download the backup configuration file to the device.
[ftp] get config.cfg
Warning: The file config.cfg already exists. Overwrite it? [Y/N]:Y //Overwrite the current configuration file on the device. To retain the current configuration file, enter N to stop the transfer, rename the configuration file on the FTP server so that its name differs from the one on the device, and then download the configuration file from the FTP server.
200 Port command successful.
150 Opening data connection for config.cfg.
226 File sent ok
FTP: 1257 byte(s) received in 0.03 second(s) 40.55byte(s)/sec.
[ftp] bye
NOTE
- After the configuration file is transferred to the device, check whether the size of the
configuration file on the PC is the same as that on the device. If not, an exception may have
occurred during file transfer. Transfer the file again.
- To transfer the configuration file in a simpler way, configure the PC as the TFTP server
and the device as the TFTP client. The configuration procedure is similar to the
procedure when the PC serves as an FTP server and the device serves as an FTP client.
The only difference is that a user name and password are not required for configuring
the TFTP server. You only need to run the tftp 10.110.24.254 get config.cfg command
on the device.
- TFTP has no authentication or authorization mechanism, whereas FTP has
authentication and authorization mechanisms. TFTP and FTP both transfer data in
plaintext mode, which brings security risks, and therefore apply only to good-performance
networks. If you have a high requirement for network security, SFTP V2, SCP, or FTPS
is recommended.
2. Specify the backup configuration file for the next startup.
<HUAWEI> startup saved-configuration config.cfg
<HUAWEI> display startup
MainBoard:
Configured startup system software: cfcard:/device_software.cc
Startup system software: cfcard:/device_software.cc
Next startup system software: cfcard:/device_software.cc
Startup saved-configuration file: cfcard:/config_old.cfg //Current configuration file name.
Next startup saved-configuration file: cfcard:/config.cfg //Name of the configuration file for the next startup.
Startup paf file: default
Next startup paf file: default
Startup license file: default
Next startup license file: default
Startup patch package: NULL
Next startup patch package: NULL
<HUAWEI> reboot //Restart the device.
Info: The system is now comparing the configuration, please wait.
Warning: The configuration has been modified, and it will be saved to the next startup saved-configuration file cfcard:/config.cfg. Continue? [Y/N]: N //Enter N to prevent the device configuration from being saved in the backup configuration file.
Now saving the current configuration to the slot 13.
Save the configuration successfully.
Info: If want to reboot with saving diagnostic information, input 'N' and
then execute 'reboot save diagnostic-information'.
System will reboot! Continue?[Y/N]:Y //Enter Y to restart the device.
2.12 Logging In to a Device Through STelnet
AAA authentication is used as an example. Set the user name to admin123 and password to
Huawei@123.
# Generate a local key pair on the server.
<HUAWEI> system-view
[HUAWEI] dsa local-key-pair create
Info: The key name will be: HUAWEI_Host_DSA.
Info: The key modulus can be any one of the following : 512, 1024, 2048.
Info: If the key modulus is greater than 512, it may take a few minutes.
Please input the modulus [default=2048]:
Info: Generating keys...
Info: Succeeded in creating the DSA host keys.
# Configure VTY user interfaces on the device.
[HUAWEI] user-interface vty 0 4
[HUAWEI-ui-vty0-4] authentication-mode aaa
[HUAWEI-ui-vty0-4] protocol inbound ssh
[HUAWEI-ui-vty0-4] quit
NOTICE
If the protocol supported by VTY user interfaces 0 to 4 is changed from Telnet to SSH, users
cannot log in to the device using Telnet after logout. In this case, configure VTY user
interfaces 0 to 4 to support all protocols first. Configure STelnet and then run the protocol
inbound ssh command to configure VTY user interfaces 0 to 4 to support SSH.
# Create an SSH user named admin123 and configure the password authentication mode
for the user.
[HUAWEI] aaa
[HUAWEI-aaa] local-user admin123 password irreversible-cipher Huawei@123
[HUAWEI-aaa] local-user admin123 service-type ssh
[HUAWEI-aaa] local-user admin123 privilege level 15
[HUAWEI-aaa] quit
[HUAWEI] ssh user admin123 authentication-type password
# Enable the STelnet service.
[HUAWEI] stelnet server enable
# Configure the STelnet service type for the user admin123.
[HUAWEI] ssh user admin123 service-type stelnet
# Log in to the device using third-party software (such as PuTTY). Enter the device IP
address, select SSH, and enter the user name and password to log in to the device through STelnet.
To verify the STelnet login, run the ssh client first-time enable and stelnet 127.0.0.1
commands in system view to log in to the device. If the login page is displayed, the
configuration succeeds. If the login page is not displayed, the configuration fails.
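Once the login and file-transfer settings in sections 2.1 to 2.12 are in place, it is worth reading them back from a saved configuration rather than trusting memory: a VTY that still permits Telnet, a user interface left at authentication-mode none, or an account whose password is stored in a reversible form undoes the STelnet/SFTP recommendations above. The following Python script is an added example, not Huawei's code or output; it parses a constructed VRP-style configuration dump (the cipher text is a placeholder) and flags exactly those settings.

```python
"""Audit a Huawei VRP configuration dump for the remote-access settings this
guide configures (VTY inbound protocol, authentication mode, local-user
password form and service types, FTP/STelnet servers). Added example, not
Huawei code; SAMPLE_CONFIG is constructed to mirror the guide's command lines."""
import re
from dataclasses import dataclass

# Constructed sample in "display current-configuration" layout: a context
# command is flush left, its sub-commands are indented one space, and '#'
# lines separate blocks. The %^%# cipher text is a placeholder, not a hash.
SAMPLE_CONFIG = """\
#
 sysname HUAWEI
#
ftp server enable
stelnet server enable
#
aaa
 local-user admin123 password irreversible-cipher %^%#PLACEHOLDER%^%#
 local-user admin123 privilege level 15
 local-user admin123 service-type telnet
 local-user backup1 password cipher %^%#PLACEHOLDER%^%#
 local-user backup1 service-type ftp
 local-user backup1 ftp-directory cfcard:/
#
user-interface con 0
 authentication-mode password
 set authentication password cipher %^%#PLACEHOLDER%^%#
user-interface vty 0 4
 authentication-mode aaa
 protocol inbound telnet
 user privilege level 15
user-interface vty 5 14
 authentication-mode none
#
return
"""


@dataclass
class Finding:
    severity: str   # "high", "medium" or "low"
    context: str    # the VRP view the offending line lives in
    message: str


def parse_blocks(text):
    """Return [(context, [sub-commands])] in file order. A '#' line closes
    the current block; a top-level command with no sub-commands still gets
    its own entry so the audit can test for its presence."""
    blocks, in_block = [], False
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line.strip():
            continue
        if line.strip() == "#":
            in_block = False
            continue
        if line.startswith(" ") and in_block:
            blocks[-1][1].append(line.strip())
        else:
            blocks.append((line.strip(), []))
            in_block = True
    return blocks


def check_user_interface(ctx, lines):
    out = []
    auth = next((c.split()[1] for c in lines if c.startswith("authentication-mode ")), None)
    proto = next((c.split()[2] for c in lines if c.startswith("protocol inbound ")), None)
    if auth == "none":
        out.append(Finding("high", ctx, "authentication-mode none: login without authentication"))
    # The guide's own hardening step is 'protocol inbound ssh'; 'all' also admits Telnet.
    if ctx.startswith("user-interface vty") and proto in ("telnet", "all"):
        out.append(Finding("medium", ctx, f"protocol inbound {proto} permits Telnet; restrict to ssh"))
    return out


def check_aaa(lines):
    out = []
    for cmd in lines:
        m = re.match(r"local-user (\S+) password (\S+)", cmd)
        if m and m.group(2) != "irreversible-cipher":
            out.append(Finding("medium", "aaa", f"user {m.group(1)}: password stored as "
                               f"'{m.group(2)}', a recoverable form; re-enter it with irreversible-cipher"))
        m = re.match(r"local-user (\S+) service-type (.+)", cmd)
        if m:
            for svc in m.group(2).split():
                if svc in ("telnet", "ftp"):
                    out.append(Finding("medium", "aaa", f"user {m.group(1)}: service-type {svc} "
                                       "is a plaintext protocol; use service-type ssh"))
    return out


def audit(text):
    """Apply the guide's recommendations to a config dump and return the findings."""
    blocks = parse_blocks(text)
    top_level = {ctx for ctx, _ in blocks}
    findings = []
    if "ftp server enable" in top_level:
        findings.append(Finding("medium", "system-view", "FTP server enabled; FTP carries "
                                "credentials and files in plaintext, prefer SFTP V2, SCP or FTPS"))
    if "stelnet server enable" not in top_level:
        findings.append(Finding("low", "system-view", "STelnet server not enabled"))
    for ctx, lines in blocks:
        if ctx.startswith("user-interface"):
            findings.extend(check_user_interface(ctx, lines))
        elif ctx == "aaa":
            findings.extend(check_aaa(lines))
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_CONFIG):
        print(f"[{f.severity:6}] {f.context}: {f.message}")
```

Run it against the output of display current-configuration saved to a file in place of SAMPLE_CONFIG; the console user interface is parsed too, so a con 0 block set to authentication-mode none is reported alongside the VTYs.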
3 Common Hardware Management
Operations
About This Chapter
This chapter describes common hardware management operations.
3.1 Active/Standby Switchover
3.2 Setting Temperature Alarm Thresholds
3.3 Setting Temperature Thresholds for Adjusting the Fan Speed
3.1 Active/Standby Switchover
In a stack containing multiple fixed switches, you can manually switch the master and
standby switches during software upgrade or system maintenance. After the active/standby
switchover is complete, the original master switch joins the stack after restarting, and the
original standby switch becomes the new master switch.
During software upgrade or system maintenance, you can manually perform an active/standby
switchover on MPUs. After the active/standby switchover is performed, the running active
MPU restarts. The standby MPU becomes the new active MPU.
# To perform an active/standby switchover in the system, run the following commands.
<HUAWEI> system-view
[HUAWEI] slave switchover enable
[HUAWEI] slave switchover
Warning: This operation will switch the slave board to the master board. Continue? [Y/N]:y
3.2 Setting Temperature Alarm Thresholds
The ambient temperature and device running time affect the device temperature. A higher
ambient temperature and a longer device running time indicate a higher temperature of the
device. When the device temperature exceeds the specified range, the device service life and
performance are reduced. To prevent the device from overheating, set temperature alarm
thresholds for the device. When the device temperature exceeds the specified range, the
device sends an alarm to the NMS to alert the administrator, who can then take
measures to lower the temperature.
NOTE
Only fixed switches support the configuration of temperature alarm thresholds.
# To set the lower temperature alarm threshold to 20°C and upper temperature alarm threshold
to 45°C on a device with slot ID 0, run the following commands:
<HUAWEI> system-view
[HUAWEI] temperature threshold slot 0 lower-limit 20 upper-limit 45
3.3 Setting Temperature Thresholds for Adjusting the Fan Speed
By default, the device uses fixed temperature thresholds to increase and decrease the fan
speed. The fan speed increases when the device temperature exceeds the upper threshold and
decreases when the device temperature falls below the lower threshold. If you want to keep
the device working at a lower temperature, set lower fixed temperature thresholds. When the
device temperature reaches the lowered threshold for increasing the fan speed, the fan speed
will increase. The fan speed will not decrease until the device temperature falls below the
lower threshold for lowering the fan speed.
To view the original temperature thresholds and the adjusted thresholds, run the display fan speed-adjust threshold minus command.
# To reduce temperature thresholds for adjusting the fan speed by 10°C, run the following
commands.
<HUAWEI> system-view
[HUAWEI] set fan speed-adjust threshold minus 10
Info: Succeeded in setting the fan speed-adjust threshold.
4 Common Mirroring Operations
About This Chapter
This chapter describes common mirroring operations.
4.1 Configuring an Observing Port
4.2 Configuring Port Mirroring
4.3 Configuring Traffic Mirroring
4.4 Deleting the Mirroring Configuration
4.1 Configuring an Observing Port
A physical port must be configured as an observing port before the mirroring function is
configured. You can configure a single observing port or multiple observing ports in a batch.
Observing ports configured in a batch are added to an observing port group. After a mirrored
port is configured, the mirrored port is bound to the observing port group. Therefore, such
batch configuration is usually performed in 1:N mirroring to simplify the configuration.
Configuring a Single Observing Port
- Configure a local observing port, which directly connects to a monitoring device.
<HUAWEI> system-view
[HUAWEI] observe-port 1 interface gigabitethernet 1/0/1
- Configure a Layer 2 remote observing port, which forwards mirroring packets to a
monitoring device across a Layer 2 network.
<HUAWEI> system-view
[HUAWEI] observe-port 1 interface gigabitethernet 1/0/1 vlan 10
- Configure a Layer 3 remote observing port, which forwards mirroring packets to a
monitoring device across a Layer 3 network. (Only S7700/S9700 support the
configuration of a Layer 3 remote observing port.)
<HUAWEI> system-view
[HUAWEI] observe-port 1 interface gigabitethernet 1/0/1 destination-ip 10.1.1.1 source-ip 10.2.2.2
Configuring Observing Ports in a Batch (only in V200R005 and Later Versions)
- Configure local observing ports in a batch, which directly connect to monitoring devices.
<HUAWEI> system-view
[HUAWEI] observe-port 1 interface-range gigabitethernet 1/0/1 to gigabitethernet 1/0/3
- Configure Layer 2 remote observing ports in a batch, which forward mirroring packets to
monitoring devices across a Layer 2 network.
<HUAWEI> system-view
[HUAWEI] observe-port 1 interface-range gigabitethernet 1/0/1 to gigabitethernet 1/0/3 vlan 10
- Layer 3 remote observing ports cannot be configured in a batch.
4.2 Configuring Port Mirroring
Configuring 1:1 Port Mirroring
You can copy packets on a mirrored port to an observing port. For example, copy incoming
packets (received packets) on mirrored port GE2/0/1 to observing port GE1/0/1. GE1/0/1 is
directly connected to a monitoring device.
<HUAWEI> system-view
[HUAWEI] observe-port 1 interface gigabitethernet 1/0/1
[HUAWEI] interface gigabitethernet 2/0/1
[HUAWEI-GigabitEthernet2/0/1] port-mirroring to observe-port 1 inbound
Configuring 1:N Port Mirroring
You can copy packets on one mirrored port to N observing ports. For example, copy incoming
packets (received packets) on mirrored port GE2/0/1 to observing ports GE1/0/1 through
GE1/0/3. These observing ports are directly connected to monitoring devices.
• Configure observing ports one by one.
<HUAWEI> system-view
[HUAWEI] observe-port 1 interface gigabitethernet 1/0/1
[HUAWEI] observe-port 2 interface gigabitethernet 1/0/2
[HUAWEI] observe-port 3 interface gigabitethernet 1/0/3
[HUAWEI] interface gigabitethernet 2/0/1
[HUAWEI-GigabitEthernet2/0/1] port-mirroring to observe-port 1 inbound
[HUAWEI-GigabitEthernet2/0/1] port-mirroring to observe-port 2 inbound
[HUAWEI-GigabitEthernet2/0/1] port-mirroring to observe-port 3 inbound
• Configure observing ports in a batch (only in V200R005 and later versions).
<HUAWEI> system-view
[HUAWEI] observe-port 1 interface-range gigabitethernet 1/0/1 to gigabitethernet 1/0/3
[HUAWEI] interface gigabitethernet 2/0/1
[HUAWEI-GigabitEthernet2/0/1] port-mirroring to observe-port 1 inbound
Configuring N:1 Port Mirroring
You can copy packets on N mirrored ports to one observing port. For example, copy incoming
packets (received packets) on mirrored ports GE2/0/1 through GE2/0/3 to observing port
GE1/0/1. GE1/0/1 is directly connected to a monitoring device.
<HUAWEI> system-view
[HUAWEI] observe-port 1 interface gigabitethernet 1/0/1
[HUAWEI] interface gigabitethernet 2/0/1
[HUAWEI-GigabitEthernet2/0/1] port-mirroring to observe-port 1 inbound
[HUAWEI-GigabitEthernet2/0/1] quit
[HUAWEI] interface gigabitethernet 2/0/2
[HUAWEI-GigabitEthernet2/0/2] port-mirroring to observe-port 1 inbound
[HUAWEI-GigabitEthernet2/0/2] quit
[HUAWEI] interface gigabitethernet 2/0/3
[HUAWEI-GigabitEthernet2/0/3] port-mirroring to observe-port 1 inbound
[HUAWEI-GigabitEthernet2/0/3] quit
4.3 Configuring Traffic Mirroring
Traffic mirroring is a feature that copies a specified type of packets received and sent by
devices, ports, or VLANs to observing ports connected to monitoring devices. Monitoring
devices monitor only the specified type of packets.
Traffic mirroring can be configured based on ACLs or on the Modular Quality of Service Command-Line Interface (MQC), also called complex traffic classification. ACL-based traffic mirroring is easy to configure but supports fewer packet types than MQC-based traffic mirroring and supports only inbound traffic mirroring. MQC-based traffic mirroring is more complex to configure but supports more packet types and both inbound and outbound traffic mirroring.
Implementing Traffic Mirroring Using ACLs
1. Configure an observing port (see 4.1 Configuring an Observing Port). For example, configure a local observing port GE1/0/1 that is directly connected to a monitoring device.
<HUAWEI> system-view
[HUAWEI] observe-port 1 interface gigabitethernet 1/0/1
2. Create an ACL. For example, create a Layer 2 ACL to match packets with 802.1p priority 6.
[HUAWEI] acl 4001
[HUAWEI-acl-L2-4001] rule permit 8021p 6
[HUAWEI-acl-L2-4001] quit
3. Configure traffic mirroring. For example:
– Copy packets with 802.1p priority 6 in the inbound direction of all the ports on the device to observing port GE1/0/1.
[HUAWEI] traffic-mirror inbound acl 4001 to observe-port 1
– Copy packets with 802.1p priority 6 in the inbound direction of all the ports in VLAN 10 to observing port GE1/0/1.
[HUAWEI] traffic-mirror vlan 10 inbound acl 4001 to observe-port 1
– Copy packets with 802.1p priority 6 in the inbound direction of GE2/0/1 to observing port GE1/0/1.
[HUAWEI] interface gigabitethernet 2/0/1
[HUAWEI-GigabitEthernet2/0/1] traffic-mirror inbound acl 4001 to observe-port 1
Implementing Traffic Mirroring Using Complex Traffic Classification
1. Configure an observing port (see 4.1 Configuring an Observing Port). For example, configure a local observing port GE1/0/1 that is directly connected to a monitoring device.
<HUAWEI> system-view
[HUAWEI] observe-port 1 interface gigabitethernet 1/0/1
2. Create a traffic classifier. For example, create a traffic classifier c1 to match packets with 802.1p priority 6.
[HUAWEI] traffic classifier c1
[HUAWEI-classifier-c1] if-match 8021p 6
[HUAWEI-classifier-c1] quit
3. Create a traffic behavior with the mirroring action. For example, create a traffic behavior b1 and set the action to traffic mirroring.
[HUAWEI] traffic behavior b1
[HUAWEI-behavior-b1] mirroring to observe-port 1
[HUAWEI-behavior-b1] quit
4. Create a traffic policy and bind the traffic classifier and traffic behavior to it. For example, create a traffic policy p1 and bind classifier c1 and behavior b1 to the traffic policy.
[HUAWEI] traffic policy p1
[HUAWEI-trafficpolicy-p1] classifier c1 behavior b1
[HUAWEI-trafficpolicy-p1] quit
5. Apply the traffic policy. For example:
– Copy packets with 802.1p priority 6 in the inbound direction of all the ports on the device to observing port GE1/0/1.
[HUAWEI] traffic-policy p1 global inbound
– Copy packets with 802.1p priority 6 in the inbound direction of all the ports in VLAN 10 to observing port GE1/0/1.
[HUAWEI] vlan 10
[HUAWEI-vlan10] traffic-policy p1 inbound
– Copy packets with 802.1p priority 6 in the inbound direction of GE2/0/1 to observing port GE1/0/1.
[HUAWEI] interface gigabitethernet 2/0/1
[HUAWEI-GigabitEthernet2/0/1] traffic-policy p1 inbound
4.4 Deleting the Mirroring Configuration
If you want to delete the mirroring configuration after using the mirroring function, you can
perform the following operations:
1. Run the display current-configuration command to check the current mirroring
configuration. For example, you can view the following mirroring configuration.
<HUAWEI> display current-configuration
#
vlan batch 10 20 30
#
observe-port 2 interface GigabitEthernet1/0/1
...
#
interface GigabitEthernet1/0/1
#
interface GigabitEthernet1/0/2
...
#
interface GigabitEthernet2/0/1
 port-mirroring to observe-port 2 inbound
#
...
2. Run the undo port-mirroring command on the mirrored port to delete the binding
between the observing port and mirrored port and restore the mirrored port as a common
port. For example, restore GE2/0/1 in step 1 to a common port.
<HUAWEI> system-view
[HUAWEI] interface gigabitethernet 2/0/1
[HUAWEI-GigabitEthernet2/0/1] undo port-mirroring to observe-port 2 inbound
[HUAWEI-GigabitEthernet2/0/1] quit
3. Run the undo observe-port command in the system view to delete the observing port.
For example, delete the observing port in step 1 and restore GE1/0/1 to a common port.
[HUAWEI] undo observe-port 2
You can delete the observing port only after deleting the binding between the observing
port and mirrored port.
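Mirroring copies traffic to whatever port is configured as the observing port, so an unexpected observe-port or a stale, unused one is worth catching in a configuration review. The following script is an added example, not part of the Huawei guide: it parses a constructed excerpt of display current-configuration output in the layout shown above, reports observe ports that are not on an approved interface, bindings that reference an undefined observe port, and observe ports nobody mirrors to, and builds the undo sequence in the order section 4.4 requires (unbind mirrored ports first, then delete the observe ports).

```python
import re

# Constructed excerpt in the layout of the "display current-configuration"
# output in section 4.4 (sample data, not captured from a real device).
SAMPLE_CONFIG = """\
#
vlan batch 10 20 30
#
observe-port 1 interface GigabitEthernet1/0/1
observe-port 2 interface GigabitEthernet1/0/2 vlan 10
observe-port 3 interface GigabitEthernet1/0/3
#
interface GigabitEthernet1/0/1
#
interface GigabitEthernet2/0/1
 port-mirroring to observe-port 1 inbound
#
interface GigabitEthernet2/0/2
 port-mirroring to observe-port 2 outbound
 port-mirroring to observe-port 1 inbound
#
"""

OBSERVE_RE = re.compile(r"^observe-port (\d+) interface (\S+)(.*)$")
IFACE_RE = re.compile(r"^interface (\S+)$")
MIRROR_RE = re.compile(r"^\s*port-mirroring to observe-port (\d+) (inbound|outbound|both)$")


def parse_mirroring(config):
    """Return (observe_ports, bindings).

    observe_ports: {index: interface name}
    bindings: list of (mirrored interface, observe-port index, direction)
    """
    observe_ports, bindings, current_iface = {}, [], None
    for line in config.splitlines():
        m = OBSERVE_RE.match(line)
        if m:
            observe_ports[int(m.group(1))] = m.group(2)
            continue
        m = IFACE_RE.match(line)
        if m:
            current_iface = m.group(1)
            continue
        if line.strip() == "#":          # section delimiter ends the interface view
            current_iface = None
            continue
        m = MIRROR_RE.match(line)
        if m and current_iface:
            bindings.append((current_iface, int(m.group(1)), m.group(2)))
    return observe_ports, bindings


def audit(config, approved_observe_ifaces):
    """Findings: observe ports on unapproved interfaces, bindings to undefined
    observe ports, and observe ports that are defined but never used."""
    observe_ports, bindings = parse_mirroring(config)
    findings = []
    for idx, iface in sorted(observe_ports.items()):
        if iface not in approved_observe_ifaces:
            findings.append(f"observe-port {idx} on unexpected interface {iface}")
    for iface, idx, direction in bindings:
        if idx not in observe_ports:
            findings.append(f"{iface}: {direction} mirroring to undefined observe-port {idx}")
    for idx in sorted(set(observe_ports) - {b[1] for b in bindings}):
        findings.append(f"observe-port {idx} is defined but unused")
    return findings


def removal_commands(config):
    """Undo sequence from section 4.4: every port-mirroring binding is removed
    first, because an observe port can only be deleted once nothing is bound
    to it; the undo observe-port commands come last."""
    observe_ports, bindings = parse_mirroring(config)
    cmds = ["system-view"]
    for iface, idx, direction in bindings:
        cmds += [f"interface {iface}",
                 f"undo port-mirroring to observe-port {idx} {direction}",
                 "quit"]
    for idx in sorted(observe_ports):
        cmds.append(f"undo observe-port {idx}")
    return cmds


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG, {"GigabitEthernet1/0/1"}):
        print("FINDING:", finding)
    print("\n".join(removal_commands(SAMPLE_CONFIG)))
```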
5 Common MAC Address Operations
About This Chapter
This chapter describes common MAC address operations.
5.1 Displaying All MAC Address Entries
5.2 Displaying MAC Address Entries Learned by an Interface
5.3 Displaying MAC Address Entries Learned in a VLAN
5.4 Displaying the System MAC Address
5.5 Displaying the MAC Address of an Interface
5.6 Displaying the MAC Address of a VLANIF Interface
5.7 Configuring a Static MAC Address
5.8 Configuring a Blackhole MAC Address
5.9 Displaying and Setting the Aging Time of MAC Addresses
5.10 Configuring Port Security
5.1 Displaying All MAC Address Entries
# Run the display mac-address command to check all MAC address entries.
<HUAWEI> display mac-address
-------------------------------------------------------------------------------
MAC Address    VLAN/VSI   Learned-From   Type
-------------------------------------------------------------------------------
0000-0000-0002 10/-       -              blackhole
0000-0000-0003 300/-      GE1/0/3        static
0026-6e5c-feac 3000/-     Eth-Trunk2     dynamic
0000-c116-0201 -/test     Eth-Trunk3     dynamic
-------------------------------------------------------------------------------
Total items displayed = 4
5.2 Displaying MAC Address Entries Learned by an Interface
# Run the display mac-address dynamic gigabitethernet1/0/1 command to check MAC address entries learned by GE1/0/1.
<HUAWEI> display mac-address dynamic gigabitethernet1/0/1
-------------------------------------------------------------------------------
MAC Address    VLAN/VSI   Learned-From   Type
-------------------------------------------------------------------------------
0000-0000-0003 300/-      GE1/0/1        dynamic
0026-6e5c-feac 3000/-     GE1/0/1        dynamic
-------------------------------------------------------------------------------
Total items displayed = 2
5.3 Displaying MAC Address Entries Learned in a VLAN
# Run the display mac-address dynamic vlan 10 command to check the MAC address entry
learned in VLAN 10.
<HUAWEI> display mac-address dynamic vlan 10
-------------------------------------------------------------------------------
MAC Address    VLAN/VSI   Learned-From   Type
-------------------------------------------------------------------------------
0000-0000-0003 10/-       GE1/0/1        dynamic
0026-6e5c-feac 10/-       GE1/0/2        dynamic
-------------------------------------------------------------------------------
Total items displayed = 2
5.4 Displaying the System MAC Address
The MAC address of a Layer 2 interface and the device's MAC address are the same. You can
run the following commands to check the device's MAC address.
• Run the display interface gigabitethernet1/0/1 command. In the command output, 00e0-f74b-6d00 refers to the device's MAC address.
<HUAWEI> display interface gigabitethernet1/0/1
GigabitEthernet1/0/1 current state : UP
Line protocol current state : UP
Description:
Switch Port, Link-type : access(configured),
PVID : 103, TPID : 8100(Hex), The Maximum Frame Length is 9216
IP Sending Frames' Format is PKTFMT_ETHNT_2, Hardware address is 00e0-f74b-6d00
......
• In V200R002 and later versions, run the display bridge mac-address command to check the device's MAC address.
<HUAWEI> display bridge mac-address
System bridge MAC address: 00e0-f74b-6d00
5.5 Displaying the MAC Address of an Interface
Run the display interface gigabitethernet1/0/1 command. In the command output, 00e0-f74b-6d00 refers to the interface's MAC address. The MAC address of a Layer 2 interface and the device's MAC address are the same.
<HUAWEI> display interface gigabitethernet1/0/1
GigabitEthernet1/0/1 current state : UP
Line protocol current state : UP
Description:
Switch Port, Link-type : access(configured),
PVID : 103, TPID : 8100(Hex), The Maximum Frame Length is 9216
IP Sending Frames' Format is PKTFMT_ETHNT_2, Hardware address is 00e0-f74b-6d00
......
5.6 Displaying the MAC Address of a VLANIF Interface
# Run the display interface vlanif10 command. In the command output, 00e0-0987-7891 refers to the VLANIF interface's MAC address.
<HUAWEI> display interface vlanif10
Vlanif10 current state : DOWN
Line protocol current state : DOWN
Description:
Route Port,The Maximum Transmit Unit is 1500
Internet Address is 172.10.1.2/24
IP Sending Frames' Format is PKTFMT_ETHNT_2, Hardware address is 00e0-0987-7891
Current system time: 2014-08-14 16:40:09+08:00
Input bandwidth utilization : --
Output bandwidth utilization : --
5.7 Configuring a Static MAC Address
Configure the MAC address of the fixed upstream device or trusted user host connected to the
switch as the static MAC address to ensure secure communication.
<HUAWEI> system-view
[HUAWEI] vlan 10 //Create VLAN 10.
[HUAWEI-vlan10] quit
[HUAWEI] interface GigabitEthernet1/0/1
[HUAWEI-GigabitEthernet1/0/1] port link-type access
[HUAWEI-GigabitEthernet1/0/1] port default vlan 10 //Add the interface to VLAN 10.
[HUAWEI-GigabitEthernet1/0/1] quit
[HUAWEI] mac-address static 0000-0012-0034 GigabitEthernet1/0/1 vlan 10 //Create a static MAC address entry that binds the MAC address 0000-0012-0034 to GigabitEthernet1/0/1.
NOTE
The interface bound to the MAC address must belong to the specified VLAN and the VLAN must have
been created.
5.8 Configuring a Blackhole MAC Address
To prevent a hacker from using a MAC address to attack a user device or network, configure
the MAC address of an untrusted user as the blackhole MAC address. The switch then
discards the received packets with the source or destination MAC address as the blackhole
MAC address.
The switch provides two blackhole MAC address modes: global and VLAN-based blackhole
MAC addresses.
• In the system view, configure the MAC address 0000-0012-0034 as a global blackhole MAC address.
<HUAWEI> system-view
[HUAWEI] mac-address blackhole 0000-0012-0034
• In the system view, configure the MAC address 0000-0012-0035 as a blackhole MAC address in VLAN 10.
<HUAWEI> system-view
[HUAWEI] mac-address blackhole 0000-0012-0035 vlan 10
5.9 Displaying and Setting the Aging Time of MAC Addresses
# In the system view, run the mac-address aging-time 600 command to set the aging time of dynamic MAC addresses to 600s. By default, the aging time is 300s.
<HUAWEI> system-view
[HUAWEI] mac-address aging-time 600
# In any view, run the display mac-address aging-time command to view the aging time of dynamic MAC addresses.
<HUAWEI> display mac-address aging-time
Aging time: 300 second(s)
5.10 Configuring Port Security
Port security implements dynamic binding. After the maximum number of MAC addresses that can be learned by an interface is set, other non-trusted hosts cannot use the local interface to communicate with the switch, thereby improving the device and network security.
# Configure port security on GigabitEthernet1/0/1.
<HUAWEI> system-view
[HUAWEI] interface gigabitethernet 1/0/1
[HUAWEI-GigabitEthernet1/0/1] port-security enable
# Set the maximum number of MAC addresses that can be learned by GigabitEthernet1/0/1 to 5.
<HUAWEI> system-view
[HUAWEI] interface gigabitethernet 1/0/1
[HUAWEI-GigabitEthernet1/0/1] port-security enable
[HUAWEI-GigabitEthernet1/0/1] port-security max-mac-num 5
NOTE
Before setting the maximum number of MAC addresses that can be learned by an interface, ensure that
the interface has been enabled with port security.
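Before enforcing a max-mac-num limit it is worth knowing how many hosts each access port currently serves, otherwise legitimate hosts beyond the limit are cut off the moment port security is enabled. The script below is an added example and not part of the Huawei guide: it parses a constructed display mac-address table in the layout of section 5.1, counts dynamic entries per interface, and for a given limit emits the port-security commands from section 5.10 for ports that fit, while holding back ports that would exceed it for review. The GE-to-GigabitEthernet expansion of interface names is an assumption made for readability of the generated commands.

```python
import re
from collections import Counter

# Constructed "display mac-address" output in the layout of section 5.1
# (sample data, not captured from a real device).
SAMPLE_MAC_TABLE = """\
-------------------------------------------------------------------------------
MAC Address    VLAN/VSI   Learned-From   Type
-------------------------------------------------------------------------------
0000-0000-0002 10/-       -              blackhole
0000-0012-0034 10/-       GE1/0/1        static
0026-6e5c-fea1 10/-       GE1/0/1        dynamic
0026-6e5c-fea2 10/-       GE1/0/1        dynamic
0026-6e5c-fea3 10/-       GE1/0/1        dynamic
0026-6e5c-feb1 10/-       GE1/0/2        dynamic
0026-6e5c-feb2 10/-       GE1/0/2        dynamic
0026-6e5c-feb3 10/-       GE1/0/2        dynamic
0026-6e5c-feb4 10/-       GE1/0/2        dynamic
0026-6e5c-feb5 10/-       GE1/0/2        dynamic
0026-6e5c-feb6 10/-       GE1/0/2        dynamic
0026-6e5c-feac 3000/-     Eth-Trunk2     dynamic
-------------------------------------------------------------------------------
Total items displayed = 12
"""

# One table row: MAC, VLAN/VSI, Learned-From, Type (the three types on this page).
ENTRY_RE = re.compile(
    r"^([0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4})\s+(\S+)\s+(\S+)\s+(blackhole|static|dynamic)$")


def parse_mac_table(text):
    """Parse the table into dicts; separator, header and total lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            vlan, vsi = m.group(2).split("/", 1)
            entries.append({"mac": m.group(1), "vlan": vlan, "vsi": vsi,
                            "port": m.group(3), "type": m.group(4)})
    return entries


def dynamic_macs_per_port(entries):
    """Count dynamic entries per interface. Static and blackhole entries are
    configured rather than learned, so they are not counted."""
    return Counter(e["port"] for e in entries if e["type"] == "dynamic")


def full_name(port):
    # Assumed expansion of the abbreviated name shown in the MAC table.
    return "GigabitEthernet" + port[2:] if port.startswith("GE") else port


def plan_port_security(entries, limit, access_ports):
    """Build the section 5.10 command sequence for every access port whose
    current dynamic MAC count fits within 'limit'. Ports that already exceed
    the limit are returned separately instead of being silently restricted."""
    counts = dynamic_macs_per_port(entries)
    commands, over_limit = ["system-view"], {}
    for port in access_ports:
        if counts.get(port, 0) > limit:
            over_limit[port] = counts[port]   # needs review before enforcement
            continue
        commands += [f"interface {full_name(port)}",
                     "port-security enable",          # must precede max-mac-num
                     f"port-security max-mac-num {limit}",
                     "quit"]
    return commands, over_limit


if __name__ == "__main__":
    table = parse_mac_table(SAMPLE_MAC_TABLE)
    cmds, over = plan_port_security(table, 5, ["GE1/0/1", "GE1/0/2"])
    print("\n".join(cmds))
    for port, n in over.items():
        print(f"review {port}: {n} dynamic MACs exceed the limit of 5")
```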
6 Common Ethernet Interface Operations
About This Chapter
This chapter describes common Ethernet interface operations.
6.1 Configuring a Port Group
6.2 Configuring Port Isolation
6.3 Configuring the Working Mode of a Combo Interface
6.4 Configuring the Interface Rate
6.5 Configuring the Duplex Mode
6.6 Switching an Interface to Layer 3 Mode
6.7 One-Click Configuration Deletion on an Interface
6.1 Configuring a Port Group
Configuring a Temporary Port Group
# Run the port-group group-member command to add GE1/0/9 to GE1/0/15 to a temporary port group.
<HUAWEI> system-view
[HUAWEI] port-group group-member gigabitethernet 1/0/9 to gigabitethernet 1/0/15
[HUAWEI-port-group]
# Run the interface range command to add GE1/0/16 to GE1/0/20 to a temporary port group. (The interface range command is supported only in V200R003C00 and later versions.)
<HUAWEI> system-view
[HUAWEI] interface range gigabitethernet 1/0/16 to gigabitethernet 1/0/20
[HUAWEI-port-group]
Configuring a Permanent Port Group
# Run the port-group command to add GE1/0/1 to GE1/0/8 to permanent port group portgroup1.
<HUAWEI> system-view
[HUAWEI] port-group portgroup1
[HUAWEI-port-group-portgroup1] group-member gigabitethernet 1/0/1 to gigabitethernet 1/0/8
6.2 Configuring Port Isolation
Configuring a Port Isolation Group
# Configure port isolation on GE1/0/1 and GE1/0/2 to implement Layer 2 isolation and Layer 3 interworking on the two interfaces.
<HUAWEI> system-view
[HUAWEI] port-isolate mode l2
[HUAWEI] interface gigabitethernet 1/0/1
[HUAWEI-GigabitEthernet1/0/1] port-isolate enable group 1
[HUAWEI-GigabitEthernet1/0/1] quit
[HUAWEI] interface gigabitethernet 1/0/2
[HUAWEI-GigabitEthernet1/0/2] port-isolate enable group 1
[HUAWEI-GigabitEthernet1/0/2] quit
# Configure port isolation on GE1/0/10 to GE1/0/20 to implement Layer 2 and Layer 3 isolation on these interfaces.
<HUAWEI> system-view
[HUAWEI] port-isolate mode all
[HUAWEI] port-group portgroup1
[HUAWEI-port-group-portgroup1] group-member gigabitethernet 1/0/10 to gigabitethernet 1/0/20
[HUAWEI-port-group-portgroup1] port-isolate enable group 2
NOTE
All S series chassis switches support Layer 2 and Layer 3 isolation. S series box switches support Layer
2 and Layer 3 isolation excluding the S2700SI and S2700EI in V100R006C05 and the S1720, S2720,
S2750EI, S5700LI, S5710-X-LI, S5710-C-LI and S5700S-LI in V200R001 and later versions.
Configuring Unidirectional Isolation
# Configure unidirectional isolation to isolate GE1/0/5 from GE1/0/6, GE1/0/7, and GE1/0/8 unidirectionally. This configuration ensures that Layer 2 data packets from GE1/0/5 cannot reach GE1/0/6, GE1/0/7, and GE1/0/8.
<HUAWEI> system-view
[HUAWEI] port-isolate mode l2
[HUAWEI] interface gigabitethernet 1/0/5
[HUAWEI-GigabitEthernet1/0/5] am isolate gigabitethernet 1/0/6 to 1/0/8
6.3 Configuring the Working Mode of a Combo Interface
# Configure GE1/0/1 to work in electrical mode.
<HUAWEI> system-view
[HUAWEI] interface gigabitethernet 1/0/1
[HUAWEI-GigabitEthernet1/0/1] combo-port copper
To configure the working mode of a combo interface, run the combo-port { auto | copper |
fiber } command in the combo interface view.
• When the auto mode is specified, the system checks whether the combo optical interface has an optical module installed, and selects the interface working mode as follows:
– When the electrical interface is not connected, the combo interface works as an optical interface if the combo optical interface has an optical module installed.
– When the electrical interface is connected using a network cable and the combo interface is Up, the combo interface works as an electrical interface even if the combo optical interface has an optical module installed. However, the combo interface works as an optical interface after the device restarts.
– When the electrical interface is connected using a network cable and the combo interface is Down, the combo interface works as an optical interface if the combo optical interface has an optical module installed.
In summary, when the auto mode is specified and the combo optical interface has an optical module installed, the combo interface works as an optical interface after the device restarts.
• You can forcibly specify the working mode of the combo interface based on the peer interface type. If the local combo electrical interface is connected to a peer electrical interface, configure the combo interface to work in copper mode. If the local combo optical interface is connected to a peer optical interface, configure the combo interface to work in fiber mode.
6.4 Configuring the Interface Rate
Manually Configuring the Interface Rate in Auto-Negotiation Mode
# Set the negotiation rate to 100 Mbit/s for Ethernet interface GE1/0/1 working in auto-negotiation mode.
<HUAWEI> system-view
[HUAWEI] interface gigabitethernet 1/0/1
[HUAWEI-GigabitEthernet1/0/1] negotiation auto
[HUAWEI-GigabitEthernet1/0/1] auto speed 100
NOTE
GE optical interfaces do not support manually configuring the interface rate in auto-negotiation mode, except a GE optical interface that has a GE copper module installed.
Configuring the Interface Rate in Non-Auto-Negotiation Mode
# Set the rate to 100 Mbit/s for Ethernet interface GE1/0/1 working in non-auto-negotiation mode.
<HUAWEI> system-view
[HUAWEI] interface gigabitethernet 1/0/1
[HUAWEI-GigabitEthernet1/0/1] undo negotiation auto
[HUAWEI-GigabitEthernet1/0/1] speed 100
6.5 Configuring the Duplex Mode
Configuring the Duplex Mode for an Interface in Auto-Negotiation Mode
# Set the duplex mode to full-duplex for Ethernet electrical interface GE1/0/1 working in auto-negotiation mode.
<HUAWEI> system-view
[HUAWEI] interface gigabitethernet 1/0/1
[HUAWEI-GigabitEthernet1/0/1] negotiation auto
[HUAWEI-GigabitEthernet1/0/1] auto duplex full
Configuring the Duplex Mode for an Interface in Non-Auto-Negotiation Mode
# Set the duplex mode to half-duplex for Ethernet electrical interface GE1/0/1 working in non-auto-negotiation mode.
<HUAWEI> system-view
[HUAWEI] interface gigabitethernet 1/0/1
[HUAWEI-GigabitEthernet1/0/1] undo negotiation auto
[HUAWEI-GigabitEthernet1/0/1] duplex half
NOTE
Physical service interfaces of the S5710HI, S6700EI, S5720HI, S5720EI and S6720EI do not support
the duplex mode configuration.
Physical service interfaces of the X1E series cards on a modular switch do not support the duplex mode
configuration.
6.6 Switching an Interface to Layer 3 Mode
# Change the working mode of GE1/0/1 from Layer 2 mode to Layer 3 mode.
<HUAWEI> system-view
[HUAWEI] interface gigabitethernet 1/0/1
[HUAWEI-GigabitEthernet1/0/1] undo portswitch
[HUAWEI-GigabitEthernet1/0/1] ip address 10.10.10.10 255.255.255.0
To switch an interface to Layer 3 mode, run the undo portswitch command in the interface
view.
By default, an Ethernet interface works in Layer 2 mode.
When you run this command on an interface, the mode switch takes effect only if the interface carries attribute configurations alone (such as shutdown and description). If service configurations (such as port link-type trunk) exist on the interface, you need to clear all service configurations before running this command.
Since V200R003, interfaces on the S5700EI, S5700HI, S5710EI, S5710HI, S5720EI,
S5720HI, S6700EI, S6720EI, S7700, and S9700 support switching between Layer 2 and
Layer 3 modes.
For switches in V200R005C00 and later versions, after running the undo portswitch
command to switch an Ethernet interface to Layer 3 mode, you can assign an IP address to the
interface.
6.7 One-Click Configuration Deletion on an Interface
# Run the clear configuration interface command in the system view to delete
configurations on GE1/0/1.
<HUAWEI> system-view
[HUAWEI] clear configuration interface gigabitethernet 1/0/1
Warning: All configurations of the interface will be cleared, and its state will be shutdown. Continue? [Y/N] :y
Info: Total 5 command(s) executed, 5 successful, 0 failed.
# Run the clear configuration this command in the interface view to delete configurations on
GE1/0/1.
<HUAWEI> system-view
[HUAWEI] interface gigabitethernet 1/0/1
[HUAWEI-GigabitEthernet1/0/1] clear configuration this
Warning: All configurations of the interface will be cleared, and its state will be shutdown. Continue? [Y/N] :y
Info: Total 3 command(s) executed, 3 successful, 0 failed.
7 Common Link Aggregation Operations
About This Chapter
This chapter describes common Ethernet link aggregation operations.
7.1 Adding Member Interfaces to an Eth-Trunk in a Batch
7.2 Deleting a Specified Member Interface from an Eth-Trunk
7.3 Deleting an Eth-Trunk
7.4 Displaying the Eth-Trunk Configuration
7.5 Displaying Information About Eth-Trunk Member Interfaces
7.6 Displaying the Numbers of Eth-Trunks and Member Interfaces Supported by the Device
7.1 Adding Member Interfaces to an Eth-Trunk in a Batch
# Add GigabitEthernet1/0/1 to GigabitEthernet1/0/5 to Eth-Trunk 1.
<HUAWEI> system-view
[HUAWEI] interface eth-trunk 1
[HUAWEI-Eth-Trunk1] trunkport gigabitethernet 1/0/1 to 1/0/5
7.2 Deleting a Specified Member Interface from an Eth-Trunk
You can use either of the following methods to delete a specified member interface from an
Eth-Trunk:
• Run the undo trunkport interface-type { interface-number1 [ to interface-number2 ] } &<1-8> command in the Eth-Trunk view to delete a specified member interface from an Eth-Trunk.
<HUAWEI> system-view
[HUAWEI] interface eth-trunk 1
[HUAWEI-Eth-Trunk1] undo trunkport gigabitethernet 1/0/1
• Run the undo eth-trunk command in the member interface view to delete a specified member interface from an Eth-Trunk.
<HUAWEI> system-view
[HUAWEI] interface gigabitethernet 1/0/1
[HUAWEI-GigabitEthernet1/0/1] undo eth-trunk
7.3 Deleting an Eth-Trunk
Prerequisites
All member interfaces have been deleted from the Eth-Trunk. See 7.2 Deleting a Specified Member Interface from an Eth-Trunk.
Procedure
Run the undo interface eth-trunk trunk-id command in the system view.
<HUAWEI> system-view
[HUAWEI] undo interface eth-trunk 10
7.4 Displaying the Eth-Trunk Configuration
# Display the configuration of all Eth-Trunks.
<HUAWEI> display eth-trunk
Eth-Trunk10's state information is:
Local:
LAG ID: 10                      WorkingMode: LACP
Preempt Delay Time: 10          Hash arithmetic: According to SIP-XOR-DIP
System Priority: 120            System ID: 0018-82d4-04c3
Least Active-linknumber: 1      Max Active-linknumber: 2
Operate status: up              Number Of Up Port In Trunk: 2
--------------------------------------------------------------------------------
ActorPortName          Status   PortType  PortPri  PortNo  PortKey  PortState  Weight
GigabitEthernet1/0/2   Selected 1GE       10       262     2609     10111100   1
GigabitEthernet1/0/3   Selected 1GE       10       263     2609     10111100   1
GigabitEthernet1/0/4   Unselect 1GE       32768    264     2609     10100000   1

Partner:
--------------------------------------------------------------------------------
ActorPortName          SysPri   SystemID        PortPri  PortNo  PortKey  PortState
GigabitEthernet1/0/2   32768    00e0-fc6e-bb11  32768    262     2609     10111100
GigabitEthernet1/0/3   32768    00e0-fc6e-bb11  32768    263     2609     10111100
GigabitEthernet1/0/4   32768    00e0-fc6e-bb11  32768    264     2609     10110000

Eth-Trunk11's state information is:
WorkingMode: NORMAL             Hash arithmetic: According to SIP-XOR-DIP
Least Active-linknumber: 1      Max Bandwidth-affected-linknumber: 8
Operate status: up              Number Of Up Port In Trunk: 1
--------------------------------------------------------------------------------
PortName               Status   Weight
GigabitEthernet1/0/1   Up       1
# Display the configuration of Eth-Trunk 10 in LACP mode.
<HUAWEI> display eth-trunk 10
Eth-Trunk10's state information is:
Local:
LAG ID: 10                      WorkingMode: LACP
Preempt Delay Time: 10          Hash arithmetic: According to SIP-XOR-DIP
System Priority: 120            System ID: 0018-82d4-04c3
Least Active-linknumber: 1      Max Active-linknumber: 2
Operate status: up              Number Of Up Port In Trunk: 2
--------------------------------------------------------------------------------
ActorPortName          Status   PortType  PortPri  PortNo  PortKey  PortState  Weight
GigabitEthernet1/0/2   Selected 1GE       10       262     2609     10111100   1
GigabitEthernet1/0/3   Selected 1GE       10       263     2609     10111100   1
GigabitEthernet1/0/4   Unselect 1GE       32768    264     2609     10100000   1

Partner:
--------------------------------------------------------------------------------
ActorPortName          SysPri   SystemID        PortPri  PortNo  PortKey  PortState
GigabitEthernet1/0/2   32768    00e0-fc6e-bb11  32768    262     2609     10111100
GigabitEthernet1/0/3   32768    00e0-fc6e-bb11  32768    263     2609     10111100
GigabitEthernet1/0/4   32768    00e0-fc6e-bb11  32768    264     2609     10110000
# Display the configuration of Eth-Trunk 11 in manual load balancing mode.
<HUAWEI> display eth-trunk 11
Eth-Trunk11's state information is:
WorkingMode: NORMAL             Hash arithmetic: According to SIP-XOR-DIP
Least Active-linknumber: 1      Max Bandwidth-affected-linknumber: 8
Operate status: up              Number Of Up Port In Trunk: 1
--------------------------------------------------------------------------------
PortName               Status   Weight
GigabitEthernet1/0/1   Up       1
7.5 Displaying Information About Eth-Trunk Member Interfaces
# Display information about member interfaces of Eth-Trunk 2.
<HUAWEI> display trunkmembership eth-trunk 2
Trunk ID: 2
Used status: VALID
TYPE: ethernet
Working Mode : Normal
Number Of Ports in Trunk = 2
Number Of Up Ports in Trunk = 2
Operate status: up
Interface GigabitEthernet1/0/1, valid, operate up, weight=1
Interface GigabitEthernet1/0/2, valid, operate up, weight=1
7.6 Displaying the Numbers of Eth-Trunks and Member Interfaces Supported by the Device
NOTE
V200R005 and later versions support the display trunk configuration command.
# Display the numbers of LAGs and member interfaces.
<HUAWEI> display trunk configuration
--------------------------------------------------
Item            Default    Current    Configured
--------------------------------------------------
trunk-group     128        2          4
trunk-member    8          16         16
--------------------------------------------------
Table 7-1 Description of the display trunk configuration command output
Item          Meaning
Default       Default Eth-Trunk specifications supported by the device.
Current       Current Eth-Trunk specifications supported by the device.
Configured    Configured Eth-Trunk specifications. If the configured Eth-Trunk specifications differ from the current Eth-Trunk specifications, the configured specifications take effect after the device restarts.
trunk-group   Maximum number of Eth-Trunks supported by the device.
trunk-member  Maximum number of member interfaces in each Eth-Trunk.
8 Common VLAN Operations
About This Chapter
This chapter describes common VLAN operations.
8.1 Creating VLANs in a Batch
8.2 Adding Interfaces to a VLAN in a Batch
8.3 Restoring the Default VLAN Configuration of an Interface
8.4 Deleting a VLAN or VLANs in a Batch
8.5 Changing the Link Type of an Interface
8.1 Creating VLANs in a Batch
Run the vlan batch command in the system view to create VLANs in a batch.
• Create 10 contiguous VLANs in a batch: VLAN 11 to VLAN 20.
<HUAWEI> system-view
[HUAWEI] vlan batch 11 to 20
• Create 10 noncontiguous VLANs in a batch: VLAN 10, VLANs 15 to 19, VLAN 25, VLANs 28 to 30.
<HUAWEI> system-view
[HUAWEI] vlan batch 10 15 to 19 25 28 to 30
NOTE
You can create a maximum of 10 noncontiguous VLANs or VLAN ranges at one time. If more than 10 noncontiguous VLANs need to be created, run this command multiple times. For example, vlan batch 10 15 to 19 25 28 to 30 specifies four noncontiguous VLAN ranges (10, 15 to 19, 25, and 28 to 30).
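The limit in the note as an automation script has to honour it: an added Python helper (not Huawei code) that expands a vlan batch argument into the VLAN IDs it creates and, in the other direction, compresses an arbitrary VLAN set into the fewest vlan batch or undo vlan batch commands of at most 10 noncontiguous items each. The limit of 10 comes from the note; the 1 to 4094 bound is the 802.1Q VLAN ID range and is assumed here.

```python
"""Expand and generate 'vlan batch' arguments within the guide's per-command limit.

Constructed helper for this guide, not Huawei code. It assumes the limit stated in
the 8.1 note (at most 10 noncontiguous VLANs or VLAN ranges per command) and the
802.1Q VLAN ID range 1 to 4094.
"""
from typing import Iterable, List, Set

MAX_ITEMS_PER_BATCH = 10       # from the 8.1 note
VLAN_MIN, VLAN_MAX = 1, 4094   # assumed valid 802.1Q VLAN IDs


def expand_batch(arg: str) -> Set[int]:
    """Turn '10 15 to 19 25 28 to 30' into the set of VLAN IDs it creates."""
    tokens = arg.split()
    vlans: Set[int] = set()
    i = 0
    while i < len(tokens):
        lo = int(tokens[i])
        hi = lo
        if i + 2 < len(tokens) and tokens[i + 1] == "to":
            hi = int(tokens[i + 2])
            i += 3
        else:
            i += 1
        if not (VLAN_MIN <= lo <= hi <= VLAN_MAX):
            raise ValueError(f"invalid VLAN range {lo} to {hi}")
        vlans.update(range(lo, hi + 1))
    return vlans


def to_ranges(vlans: Iterable[int]) -> List[str]:
    """Compress a VLAN set into the fewest 'N' / 'N to M' items, in ascending order."""
    items: List[str] = []
    ids = sorted(set(vlans))
    i = 0
    while i < len(ids):
        j = i
        while j + 1 < len(ids) and ids[j + 1] == ids[j] + 1:
            j += 1                      # extend the contiguous run
        items.append(str(ids[i]) if i == j else f"{ids[i]} to {ids[j]}")
        i = j + 1
    return items


def batch_commands(vlans: Iterable[int], undo: bool = False) -> List[str]:
    """Emit the 'vlan batch' (or 'undo vlan batch') commands needed, each carrying at
    most MAX_ITEMS_PER_BATCH noncontiguous items so a script never hits the limit."""
    items = to_ranges(vlans)
    prefix = "undo vlan batch" if undo else "vlan batch"
    return [f"{prefix} {' '.join(items[k:k + MAX_ITEMS_PER_BATCH])}"
            for k in range(0, len(items), MAX_ITEMS_PER_BATCH)]
```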
8.2 Adding Interfaces to a VLAN in a Batch
Configure a port group to add interfaces to a VLAN in a batch.
• Set the link type of interfaces to access.
<HUAWEI> system-view
[HUAWEI] port-group pg1 //Create a port group named pg1.
[HUAWEI-port-group-pg1] group-member gigabitethernet1/0/1 to gigabitethernet1/0/5 //Add gigabitethernet1/0/1 to gigabitethernet1/0/5 to the port group.
[HUAWEI-port-group-pg1] port link-type access //Set the link type of gigabitethernet1/0/1 to gigabitethernet1/0/5 to access.
[HUAWEI-port-group-pg1] port default vlan 10 //Add gigabitethernet1/0/1 to gigabitethernet1/0/5 to VLAN 10.
• Set the link type of interfaces to trunk.
<HUAWEI> system-view
[HUAWEI] port-group pg1 //Create a port group named pg1.
[HUAWEI-port-group-pg1] group-member gigabitethernet1/0/1 to gigabitethernet1/0/5 //Add gigabitethernet1/0/1 to gigabitethernet1/0/5 to the port group.
[HUAWEI-port-group-pg1] port link-type trunk //Set the link type of gigabitethernet1/0/1 to gigabitethernet1/0/5 to trunk.
[HUAWEI-port-group-pg1] port trunk allow-pass vlan 10 20 //Add gigabitethernet1/0/1 to gigabitethernet1/0/5 to VLAN 10 and VLAN 20.
• Set the link type of interfaces to hybrid.
<HUAWEI> system-view
[HUAWEI] port-group pg1 //Create a port group named pg1.
[HUAWEI-port-group-pg1] group-member gigabitethernet1/0/1 to gigabitethernet1/0/5 //Add gigabitethernet1/0/1 to gigabitethernet1/0/5 to the port group.
[HUAWEI-port-group-pg1] port link-type hybrid //Set the link type of gigabitethernet1/0/1 to gigabitethernet1/0/5 to hybrid.
[HUAWEI-port-group-pg1] port hybrid tagged vlan 10 //Add gigabitethernet1/0/1 to gigabitethernet1/0/5 to VLAN 10 in tagged mode.
[HUAWEI-port-group-pg1] port hybrid untagged vlan 20 //Add gigabitethernet1/0/1 to gigabitethernet1/0/5 to VLAN 20 in untagged mode.
8.3 Restoring the Default VLAN Configuration of an Interface
The default VLAN configuration of an interface involves the PVID and VLAN 1 that the
interface joins.
• Restore the default configuration of the access interface.
<HUAWEI> system-view
[HUAWEI] interface gigabitethernet 1/0/1
[HUAWEI-GigabitEthernet1/0/1] undo port default vlan
• Restore the default configuration of the trunk interface.
<HUAWEI> system-view
[HUAWEI] interface gigabitethernet 1/0/1
[HUAWEI-GigabitEthernet1/0/1] undo port trunk pvid vlan
[HUAWEI-GigabitEthernet1/0/1] undo port trunk allow-pass vlan all
[HUAWEI-GigabitEthernet1/0/1] port trunk pvid vlan 1
• Restore the default configuration of the hybrid interface.
<HUAWEI> system-view
[HUAWEI] interface gigabitethernet 1/0/1
[HUAWEI-GigabitEthernet1/0/1] undo port hybrid pvid vlan
[HUAWEI-GigabitEthernet1/0/1] undo port hybrid vlan all
[HUAWEI-GigabitEthernet1/0/1] port hybrid untagged vlan 1
8.4 Deleting a VLAN or VLANs in a Batch
The device supports deletion of a single VLAN or VLANs in a batch.
• Delete VLAN 10.
<HUAWEI> system-view
[HUAWEI] undo vlan 10
• Delete VLAN 10 to VLAN 20 in a batch.
<HUAWEI> system-view
[HUAWEI] undo vlan batch 10 to 20
NOTE
In versions earlier than V200R005, before deleting a VLAN on which a VLANIF interface has been configured, run the undo interface vlanif command to delete the VLANIF interface.
8.5 Changing the Link Type of an Interface
The link type of an interface can be access, trunk, hybrid, or Dot1q-tunnel. The method used to change the link type of an interface differs between versions.
• In V200R005 and later versions, run the port link-type { access | trunk | hybrid | dot1q-tunnel } command and enter y or n as prompted. When the interface uses the default VLAN configuration, the system does not display any message and the link type of the interface is changed directly.
– When you enter y and press Enter, the device automatically deletes the non-default VLAN configuration of the interface and sets the link type of the interface to the specified one.
– When you enter n and press Enter, the device retains the current link type and VLAN configuration of the interface.
Change the link type of the interface to hybrid.
<HUAWEI> system-view
[HUAWEI] interface gigabitethernet0/0/1
[HUAWEI-GigabitEthernet0/0/1] port link-type hybrid
Warning: This command will delete VLANs on this port. Continue?[Y/N]:y
Info: This operation may take a few seconds. Please wait for a moment...done.
• In versions earlier than V200R005, an interface joins VLAN 1 by default, and the PVID of an interface is VLAN 1. You can run the port link-type { access | trunk | hybrid | dot1q-tunnel } command to change the link type of the interface.
– Change the link type of the interface to access.
<HUAWEI> system-view
[HUAWEI] interface gigabitethernet0/0/1
[HUAWEI-GigabitEthernet0/0/1] port link-type access
[HUAWEI-GigabitEthernet0/0/1] port default vlan 10 //Set the PVID of the interface to VLAN 10.
– Change the link type of the interface to trunk.
<HUAWEI> system-view
[HUAWEI] interface gigabitethernet0/0/1
[HUAWEI-GigabitEthernet0/0/1] port link-type trunk
[HUAWEI-GigabitEthernet0/0/1] port trunk pvid vlan 10 //Set the PVID of the interface to VLAN 10.
[HUAWEI-GigabitEthernet0/0/1] port trunk allow-pass vlan 2 10 20 //Add the interface to VLAN 2, VLAN 10, and VLAN 20.
– Change the link type of the interface to hybrid.
<HUAWEI> system-view
[HUAWEI] interface gigabitethernet0/0/1
[HUAWEI-GigabitEthernet0/0/1] port link-type hybrid
[HUAWEI-GigabitEthernet0/0/1] port hybrid pvid vlan 10 //Set the PVID of the interface to VLAN 10.
[HUAWEI-GigabitEthernet0/0/1] port hybrid untagged vlan 2 10 //Add the interface to VLAN 2 and VLAN 10 in untagged mode.
[HUAWEI-GigabitEthernet0/0/1] port hybrid tagged vlan 20 //Add the interface to VLAN 20 in tagged mode.
– Change the link type of the interface to Dot1q-tunnel.
<HUAWEI> system-view
[HUAWEI] interface gigabitethernet0/0/1
[HUAWEI-GigabitEthernet0/0/1] port link-type dot1q-tunnel
[HUAWEI-GigabitEthernet0/0/1] port default vlan 10 //Set the PVID of the interface to VLAN 10. The interface adds VLAN 10 to all received data packets.
When you change the link type of an interface that does not use the default VLAN configuration, the system displays the message "Error: Please renew the default configurations." You need to restore the default configuration of the interface, and then change the link type of the interface.
– Restore the default VLAN configuration of an access or Dot1q-tunnel interface.
<HUAWEI> system-view
[HUAWEI] interface gigabitethernet0/0/1
[HUAWEI-GigabitEthernet0/0/1] undo port default vlan
– Restore the default VLAN configuration of a trunk interface.
<HUAWEI> system-view
[HUAWEI] interface gigabitethernet0/0/1
[HUAWEI-GigabitEthernet0/0/1] undo port trunk pvid vlan
[HUAWEI-GigabitEthernet0/0/1] undo port trunk allow-pass vlan all
[HUAWEI-GigabitEthernet0/0/1] port trunk allow-pass vlan 1
– Restore the default configuration of a hybrid interface.
<HUAWEI> system-view
[HUAWEI] interface gigabitethernet0/0/1
[HUAWEI-GigabitEthernet0/0/1] undo port hybrid pvid vlan
[HUAWEI-GigabitEthernet0/0/1] undo port hybrid vlan all
[HUAWEI-GigabitEthernet0/0/1] port hybrid untagged vlan 1
9 Common QinQ Operations
About This Chapter
This chapter describes common QinQ operations.
9.1 Configuring Basic QinQ
9.2 Configuring Selective QinQ
9.3 Configuring the Device to Add Double Tags to Untagged Packets
9.4 Deleting the Selective QinQ Configuration
9.1 Configuring Basic QinQ
Basic QinQ is also called common QinQ and is implemented based on interfaces. When an interface enabled with basic QinQ receives a packet, the device tags the packet with the default VLAN ID of the interface.
• If the received packet carries one VLAN tag, the packet then has double tags.
• If the received packet does not carry any VLAN tag, the packet then carries the default VLAN tag of the interface.
# Create VLAN 10 in the outer tag.
<HUAWEI> system-view
[HUAWEI] vlan 10
[HUAWEI-vlan10] quit
# Configure downlink interface GE1/0/1.
[HUAWEI] interface gigabitethernet1/0/1
[HUAWEI-GigabitEthernet1/0/1] port link-type dot1q-tunnel //Set the link type to Dot1q-tunnel.
[HUAWEI-GigabitEthernet1/0/1] port default vlan 10 //GE1/0/1 tags all received data packets with VLAN 10.
# Configure uplink interface GE1/0/2 to transparently transmit packets with VLAN 10 in the outer tag.
[HUAWEI] interface gigabitethernet1/0/2
[HUAWEI-GigabitEthernet1/0/2] port link-type trunk
[HUAWEI-GigabitEthernet1/0/2] port trunk allow-pass vlan 10
9.2 Configuring Selective QinQ
Selective QinQ, also called VLAN stacking or QinQ stacking, is implemented based on interfaces and VLANs.
Configure the device to tag VLAN 2 in the outer tag of packets with VLANs 100 to 200 in
inner tags, to tag VLAN 3 in the outer tag of packets with VLANs 300 to 400, and to
transparently transmit packets from VLAN 1000.
• Configure selective QinQ on a fixed switch.
# Create VLAN 2, VLAN 3, and VLAN 1000.
<HUAWEI> system-view
[HUAWEI] vlan batch 2 3 1000
# Configure downlink interface GE0/0/1.
[HUAWEI] interface gigabitethernet0/0/1
[HUAWEI-GigabitEthernet0/0/1] port link-type hybrid
[HUAWEI-GigabitEthernet0/0/1] qinq vlan-translation enable //VLAN translation must be enabled on the fixed device.
[HUAWEI-GigabitEthernet0/0/1] port hybrid untagged vlan 2 3 //The interface joins VLAN 2 and VLAN 3 in untagged mode.
[HUAWEI-GigabitEthernet0/0/1] port hybrid tagged vlan 1000 //The interface transparently transmits packets tagged with VLAN 1000.
[HUAWEI-GigabitEthernet0/0/1] port vlan-stacking vlan 100 to 200 stack-vlan 2 //The interface adds VLAN 2 in the outer tag of packets with VLANs 100 to 200 in inner tags.
[HUAWEI-GigabitEthernet0/0/1] port vlan-stacking vlan 300 to 400 stack-vlan 3 //The interface adds VLAN 3 in the outer tag of packets with VLANs 300 to 400 in inner tags.
[HUAWEI-GigabitEthernet0/0/1] port vlan-mapping vlan 1000 map-vlan 1000 //On the S5700EI, S3700EI, and S3700SI, the VLAN from which single-tagged packets need to be transparently transmitted must be mapped to itself.
[HUAWEI-GigabitEthernet0/0/1] quit
# Configure uplink interface GE0/0/5 to transparently transmit packets from VLAN 2, VLAN 3, and VLAN 1000.
[HUAWEI] interface gigabitethernet0/0/5
[HUAWEI-GigabitEthernet0/0/5] port link-type trunk
[HUAWEI-GigabitEthernet0/0/5] port trunk allow-pass vlan 2 3 1000
• Configure selective QinQ on a modular switch.
# Create VLAN 2, VLAN 3, and VLAN 1000.
<HUAWEI> system-view
[HUAWEI] vlan batch 2 3 1000
# Configure downlink interface GE1/0/1.
[HUAWEI] interface gigabitethernet1/0/1
[HUAWEI-GigabitEthernet1/0/1] port link-type hybrid
[HUAWEI-GigabitEthernet1/0/1] port hybrid untagged vlan 2 3 //The interface joins VLAN 2 and VLAN 3 in untagged mode.
[HUAWEI-GigabitEthernet1/0/1] port hybrid tagged vlan 1000 //The interface transparently transmits packets tagged with VLAN 1000.
[HUAWEI-GigabitEthernet1/0/1] port vlan-stacking vlan 100 to 200 stack-vlan 2 //The interface adds VLAN 2 in the outer tag of packets with VLANs 100 to 200 in inner tags.
[HUAWEI-GigabitEthernet1/0/1] port vlan-stacking vlan 300 to 400 stack-vlan 3 //The interface adds VLAN 3 in the outer tag of packets with VLANs 300 to 400 in inner tags.
[HUAWEI-GigabitEthernet1/0/1] port vlan-mapping vlan 1000 map-vlan 1000 //On the ES0D0G24SA00 and ES0D0G24CA00 cards of the S7700, and the EH1D2S24CSA0 and EH1D2G24SSA0 cards of the S9700, the VLAN from which single-tagged packets need to be transparently transmitted must be mapped to itself.
[HUAWEI-GigabitEthernet1/0/1] quit
# Configure uplink interface GE2/0/1 to transparently transmit packets from VLAN 2, VLAN 3, and VLAN 1000.
[HUAWEI] interface gigabitethernet2/0/1
[HUAWEI-GigabitEthernet2/0/1] port link-type trunk
[HUAWEI-GigabitEthernet2/0/1] port trunk allow-pass vlan 2 3 1000
9.3 Configuring the Device to Add Double Tags to Untagged Packets
# Configure GE0/0/1 to add double tags to received untagged packets.
<HUAWEI> system-view
[HUAWEI] vlan 10 //Create VLAN 10 in the outer tag.
[HUAWEI-vlan10] quit
[HUAWEI] interface gigabitethernet0/0/1
[HUAWEI-GigabitEthernet0/0/1] port link-type hybrid
[HUAWEI-GigabitEthernet0/0/1] qinq vlan-translation enable //VLAN translation must be enabled on the fixed device. This command does not need to be used on the modular device.
[HUAWEI-GigabitEthernet0/0/1] port hybrid untagged vlan 10 //The interface joins VLAN 10 in untagged mode.
[HUAWEI-GigabitEthernet0/0/1] port vlan-stacking untagged stack-vlan 10 stack-inner-vlan 5 //The interface tags untagged packets with inner VLAN 5 and outer VLAN 10.
NOTE
• The S5700SI, S5700EI, the ES0D0G24SA00 and ES0D0G24CA00 cards of the S7700, and the EH1D2G24SSA0 and EH1D2S24CSA0 cards of the S9700 do not support this configuration.
• When you configure the device to add double tags to untagged packets, run the port link-type hybrid command to change the link type of the interface to hybrid if the following message is displayed:
[HUAWEI-GigabitEthernet0/0/1] port vlan-stacking untagged stack-vlan 10 stack-inner-vlan 5
Error: The port is not a Trunk or Hybrid port.
• When you configure the fixed device to add double tags to untagged packets, run the qinq vlan-translation enable command to enable VLAN translation if the following message is displayed:
[HUAWEI-GigabitEthernet0/0/1] port vlan-stacking untagged stack-vlan 10 stack-inner-vlan 5
Error: Please configure qinq vlan-translation enable on this port first.
• When you configure the device to add double tags to untagged packets, run the undo port hybrid pvid vlan command to restore the PVID of the interface to 1 if the following message is displayed:
[HUAWEI-GigabitEthernet0/0/1] port vlan-stacking untagged stack-vlan 10 stack-inner-vlan 5
Error: This port has been configured with default VLAN or PVID, please undo it first.
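To make the tag handling of the link types in Chapter 8 and of the basic, selective and untagged QinQ configurations in 9.1 to 9.3 concrete, here is an added Python model that plays a frame's tag stack through ingress and egress of such ports. It is not Huawei code: membership in VLAN 1 by default, the drop of tagged frames for non-member VLANs and the treatment of untagged frames on trunk and hybrid ports are simplifying assumptions of this model, and the selective QinQ port below is constructed from the fixed-switch GE0/0/1 configuration in 9.2.

```python
"""Simplified model of 802.1Q and QinQ tag handling on a Huawei-style port.

Constructed illustration of the behaviour this guide describes for access, trunk,
hybrid and dot1q-tunnel interfaces; it is not VRP code and ignores MAC learning,
STP state and hardware limits.
"""
from dataclasses import dataclass, field
from typing import Optional, Tuple

Tags = Tuple[int, ...]   # outermost tag first; () means an untagged frame


@dataclass
class Port:
    link_type: str                              # access | trunk | hybrid | dot1q-tunnel
    pvid: int = 1                               # port default vlan / port ... pvid vlan
    tagged: set = field(default_factory=set)    # trunk allow-pass / hybrid tagged
    untagged: set = field(default_factory=set)  # hybrid untagged (VLAN 1 by default)
    # port vlan-stacking vlan A to B stack-vlan X   -> {inner: outer}
    stacking: dict = field(default_factory=dict)
    # port vlan-stacking untagged stack-vlan X stack-inner-vlan Y -> (X, Y)
    untagged_stack: Optional[Tags] = None
    # port vlan-mapping vlan A map-vlan B           -> {A: B}
    mapping: dict = field(default_factory=dict)

    def members(self) -> set:
        """VLANs the port belongs to, i.e. what it will forward on egress."""
        if self.link_type in ("access", "dot1q-tunnel"):
            return {self.pvid}
        if self.link_type == "trunk":
            return set(self.tagged)
        return set(self.tagged) | set(self.untagged)


def ingress(port: Port, tags: Tags) -> Optional[Tags]:
    """Tag stack a received frame carries inside the switch, or None if dropped."""
    lt = port.link_type
    if lt == "dot1q-tunnel":
        # Basic QinQ (9.1): every received frame, tagged or not, gets the PVID
        # pushed in front as a new outer tag.
        return (port.pvid,) + tags
    if not tags:
        if lt == "hybrid" and port.untagged_stack:
            # 9.3: untagged frames get inner 5 / outer 10 instead of the PVID.
            return port.untagged_stack
        # Untagged frames are assigned to the PVID; on trunk/hybrid only when the
        # PVID is itself a member VLAN (assumption of this model).
        return (port.pvid,) if lt == "access" or port.pvid in port.members() else None
    vid = tags[0]
    if lt == "access":
        return tags if vid == port.pvid else None
    if lt == "hybrid":
        if vid in port.stacking:
            # Selective QinQ (9.2): push the configured outer tag over the inner one.
            return (port.stacking[vid],) + tags
        if vid in port.mapping:
            # VLAN mapping (1000 -> 1000 on the listed cards): rewrite the outer tag.
            return (port.mapping[vid],) + tags[1:]
    # Trunk or hybrid member VLAN: forwarded as received; anything else is dropped.
    return tags if vid in port.members() else None


def egress(port: Port, tags: Tags) -> Optional[Tags]:
    """Tag stack sent out of the port, or None if this port is not in the VLAN."""
    vid = tags[0]
    if vid not in port.members():
        return None
    # Access, dot1q-tunnel and hybrid-untagged members strip the outer tag;
    # trunk and hybrid-tagged members keep it.
    if port.link_type in ("access", "dot1q-tunnel") or vid in port.untagged:
        return tags[1:]
    return tags


def qinq_round_trip(customer_tags: Tags) -> Optional[Tags]:
    """Basic QinQ path of 9.1: customer -> GE1/0/1 (dot1q-tunnel, PVID 10) ->
    GE1/0/2 (trunk, VLAN 10) -> peer trunk -> peer dot1q-tunnel -> customer."""
    downlink, uplink = Port("dot1q-tunnel", pvid=10), Port("trunk", tagged={10})
    inside = ingress(downlink, customer_tags)
    on_wire = egress(uplink, inside) if inside is not None else None
    if on_wire is None:
        return None
    peer_inside = ingress(Port("trunk", tagged={10}), on_wire)
    return egress(Port("dot1q-tunnel", pvid=10), peer_inside) if peer_inside else None


# Constructed port mirroring the fixed-switch selective QinQ downlink GE0/0/1 of 9.2.
SELECTIVE_PORT = Port(
    "hybrid", pvid=1, untagged={1, 2, 3}, tagged={1000},
    stacking={**{v: 2 for v in range(100, 201)}, **{v: 3 for v in range(300, 401)}},
    mapping={1000: 1000},
)
```

Running ingress(SELECTIVE_PORT, (150,)) yields (2, 150) and qinq_round_trip((5,)) returns the customer's own (5,), which is the transparency the uplink trunk is configured for.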
9.4 Deleting the Selective QinQ Configuration
# Delete all the selective QinQ configuration of an interface.
<HUAWEI> system-view
[HUAWEI] interface gigabitethernet 1/0/1
[HUAWEI-GigabitEthernet1/0/1] undo port vlan-stacking all
# Delete the configuration of an inner VLAN in selective QinQ.
<HUAWEI> system-view
[HUAWEI] interface gigabitethernet 1/0/1
[HUAWEI-GigabitEthernet1/0/1] undo port vlan-stacking vlan 3 stack-vlan 10 //Delete the selective QinQ configuration with VLAN 3 in the inner tag.
10 Common STP/RSTP Operations
About This Chapter
This chapter describes common STP/RSTP operations.
10.1 Enabling STP/RSTP
10.2 Disabling STP/RSTP
10.3 Configuring Root Protection
10.4 Configuring an Edge Port
10.5 Changing the STP/RSTP Cost
10.6 Displaying the STP/RSTP Status
10.7 Displaying the Root Bridge
10.1 Enabling STP/RSTP
Enabling STP/RSTP Globally
Run the stp enable command in the system view.
<HUAWEI> system-view
[HUAWEI] stp enable
Enabling STP/RSTP on an Interface
Run the stp enable command in the interface view.
<HUAWEI> system-view
[HUAWEI] interface gigabitethernet 1/0/1
[HUAWEI-GigabitEthernet1/0/1] stp enable
10.2 Disabling STP/RSTP
Disabling STP/RSTP Globally
Run the undo stp enable command in the system view.
<HUAWEI> system-view
[HUAWEI] undo stp enable
Disabling STP/RSTP on an Interface
Run the undo stp enable command in the interface view.
<HUAWEI> system-view
[HUAWEI] interface gigabitethernet 1/0/1
[HUAWEI-GigabitEthernet1/0/1] undo stp enable
10.3 Configuring Root Protection
Run the stp root-protection command in the interface view.
<HUAWEI> system-view
[HUAWEI] interface gigabitethernet 1/0/1
[HUAWEI-GigabitEthernet1/0/1] stp root-protection
10.4 Configuring an Edge Port
Run the stp edged-port enable command in the interface view.
<HUAWEI> system-view
[HUAWEI] interface gigabitethernet 1/0/1
[HUAWEI-GigabitEthernet1/0/1] stp edged-port enable
10.5 Changing the STP/RSTP Cost
Run the stp cost cost command in the interface view.
<HUAWEI> system-view
[HUAWEI] interface gigabitethernet 1/0/1
[HUAWEI-GigabitEthernet1/0/1] stp cost 20000
10.6 Displaying the STP/RSTP Status
# Display the spanning tree status and statistics.
<HUAWEI> display stp brief
 MSTID  Port                        Role  STP State     Protection
   0    GigabitEthernet1/0/22       DESI  FORWARDING      NONE
   0    GigabitEthernet1/0/27       DESI  FORWARDING      NONE
   0    GigabitEthernet1/0/28       DESI  FORWARDING      NONE
   0    GigabitEthernet1/0/35       DESI  FORWARDING      NONE
   0    GigabitEthernet1/0/40       DESI  FORWARDING      NONE
10.7 Displaying the Root Bridge
# Display the spanning tree status of the root bridge.
<HUAWEI> display stp bridge root
 MSTID  Root ID               Root Cost  Hello  Max  Forward  Root Port
                                         Time   Age  Delay
 -----  --------------------  ---------  -----  ---  -------  -----------------
   0    61440.781d-ba56-f06c          0      2   20       15
11 Common DHCP Operations
About This Chapter
This chapter describes common DHCP operations.
Table 11-1 lists the versions and products that support the DHCP server, relay, client, and
DHCP snooping functions.
Table 11-1 Applicable products and versions
Version                         Model
V100R006C05                     • Supporting the DHCP server and relay functions: S3700SI and S3700EI
                                • Supporting the DHCP client function: all products
                                • Supporting the DHCP snooping function: S2700EI, S3700SI and S3700EI
V200R001C00&C01                 • Supporting the DHCP server and relay functions: S9700, S7700, S6700, S5710EI, S5700HI, S5700EI, S5700SI, S3700HI
                                • Supporting the DHCP client function: all products
                                • Supporting the DHCP snooping function: all products
V200R002C00                     • Supporting the DHCP server and relay functions: S9700, S7700, S6700, S5710EI, S5700HI, S5700EI, S5700SI
                                • Supporting the DHCP client function: all products
                                • Supporting the DHCP snooping function: all products
V200R003C00&C02&C10             • Supporting the DHCP server and relay functions: S9700, S7700, S6700, S5710HI, S5710EI, S5700HI, S5700EI, S5700SI
                                • Supporting the DHCP client function: all products
                                • Supporting the DHCP snooping function: all products
V200R005C00&C01                 • Supporting the DHCP server and relay functions: S9700, S7700, S6700, S5710HI, S5710EI, S5700HI, S5700EI, S5700SI, S5700LI, S5700S-L, S2750EI
                                • Supporting the DHCP client function: all products
                                • Supporting the DHCP snooping function: all products
V200R006C00 and later versions  • Supporting the DHCP server and relay functions: all products
                                • Supporting the DHCP client function: all products
                                • Supporting the DHCP snooping function: all products
11.1 Configuring IP Addresses Not Dynamically Assigned
11.2 Modifying the Lease
11.3 Assigning Fixed IP Addresses to Clients
11.4 Withdrawing the Fixed IP Addresses Assigned to Clients
11.5 Checking IP Addresses Used
11.6 Clearing Conflicting Addresses
11.7 Increasing the Address Pool Range
11.8 Decreasing the Address Pool Range
11.9 Preventing a Device from Obtaining an IP Address from a Pseudo DHCP Server
11.10 Disabling the DHCP Service
11.1 Configuring IP Addresses Not Dynamically Assigned
You can configure some IP addresses that are not dynamically assigned in the following
scenarios:
• An enterprise requires that the IP addresses assigned to employees' computers be within the range 10.1.1.2-10.1.1.254 (gateway address 10.1.1.1). To ensure stability of the DNS server deployed in the enterprise, the server IP address should be manually configured as 10.1.1.10. Therefore, 10.1.1.10 can be configured as an IP address that is not dynamically assigned.
• Assume that an enterprise assigns the IP addresses 10.1.1.2-10.1.1.100 (gateway address 10.1.1.1) to the clients in department A and 10.1.1.101-10.1.1.254 to those in department B based on the global mode. When the device functions as the DHCP server, create two address pools: pool1 (assigns addresses to hosts in department A) and pool2 (assigns addresses to hosts in department B). The network masks of both address pools are 24 bits. Configure 10.1.1.101-10.1.1.254 in pool1 and 10.1.1.1-10.1.1.100 in pool2 as IP addresses that are not dynamically assigned.
Configure the IP addresses that are not dynamically assigned on the device functioning as the
DHCP server. For example, in an address pool with a mask length of 24 on the network
segment 10.1.1.0, configure 10.1.1.100-10.1.1.200 as IP addresses that are not dynamically
assigned.
• Configuration in the global address pool:
<HUAWEI> system-view
[HUAWEI] ip pool pool1
[HUAWEI-ip-pool-pool1] network 10.1.1.0 mask 24
[HUAWEI-ip-pool-pool1] gateway-list 10.1.1.1
[HUAWEI-ip-pool-pool1] excluded-ip-address 10.1.1.100 10.1.1.200
• Configuration in the interface address pool:
<HUAWEI> system-view
[HUAWEI] dhcp enable
[HUAWEI] interface vlanif 100
[HUAWEI-Vlanif100] ip address 10.1.1.1 24
[HUAWEI-Vlanif100] dhcp select interface
[HUAWEI-Vlanif100] dhcp server excluded-ip-address 10.1.1.100 10.1.1.200
11.2 Modifying the Lease
You can modify the lease for the device functioning as a DHCP server or client. When a DHCP server assigns leases, it compares the lease expected by a DHCP client with the lease configured in the DHCP server address pool and assigns the shorter of the two to the DHCP client.
By default, the lease is one day for the device functioning as a DHCP server and is not
configured for the device functioning as a DHCP client.
# On the device functioning as a DHCP server, modify the lease of the IP addresses in the
global address pool pool1 or interface address pool VLANIF100 to 10 days.
• Configuration in the global address pool:
<HUAWEI> system-view
[HUAWEI] ip pool pool1
[HUAWEI-ip-pool-pool1] lease day 10
• Configuration in the interface address pool:
<HUAWEI> system-view
[HUAWEI] interface vlanif 100
[HUAWEI-Vlanif100] dhcp server lease day 10
# Modify the lease to 10 days (864000 seconds) on the device functioning as a DHCP client.
<HUAWEI> system-view
[HUAWEI] interface vlanif 100
[HUAWEI-Vlanif100] dhcp client expected-lease 864000
11.3 Assigning Fixed IP Addresses to Clients
In network planning, some devices need to use fixed IP addresses to ensure stability. For
example, the devices can be DNS servers in an enterprise and printers in an office building. A
fixed IP address can be statically configured (using the ip address command) or obtained
through DHCP. The following is an example of assigning fixed IP addresses to clients through
DHCP.
Configure fixed IP addresses for clients on the device functioning as the DHCP server. For example, in an address pool with a mask length of 24 in the network segment 10.1.1.0, configure the IP address 10.1.1.100 to be assigned only to the client with the MAC address dcd2-fc96-e4c0.
• Configuration in the global address pool:
<HUAWEI> system-view
[HUAWEI] ip pool pool1
[HUAWEI-ip-pool-pool1] static-bind ip-address 10.1.1.100 mac-address dcd2-fc96-e4c0
• Configuration in the interface address pool:
<HUAWEI> system-view
[HUAWEI] interface vlanif 100
[HUAWEI-Vlanif100] dhcp server static-bind ip-address 10.1.1.100 mac-address dcd2-fc96-e4c0
11.4 Withdrawing the Fixed IP Addresses Assigned to Clients
Withdraw the IP addresses assigned to clients on the device functioning as the DHCP server.
For example, in an address pool with a mask length of 24 in the network segment 10.1.1.0,
withdraw the IP address 10.1.1.5 assigned to a client. You can run the display ip pool
{ interface interface-pool-name | name ip-pool-name } used command to check static
binding relationships between the clients and IP addresses. For the command output, see 11.5
Checking IP Addresses Used.
• Configuration in the global address pool:
a. Withdraw the IP address 10.1.1.5.
<HUAWEI> reset ip pool name pool1 10.1.1.5
b. Cancel the static binding relationship.
<HUAWEI> system-view
[HUAWEI] ip pool pool1
[HUAWEI-ip-pool-pool1] undo static-bind ip-address 10.1.1.5
• Configuration in the interface address pool:
a. Withdraw the IP address 10.1.1.5.
<HUAWEI> reset ip pool interface vlanif100 10.1.1.5
b. Cancel the static binding relationship.
<HUAWEI> system-view
[HUAWEI] interface vlanif 100
[HUAWEI-Vlanif100] undo dhcp server static-bind ip-address 10.1.1.5
11.5 Checking IP Addresses Used
On the device functioning as a DHCP server, run the display ip pool { interface interface-
pool-name | name ip-pool-name } used command to check the IP addresses used.
For example, the following output shows that the global address pool pool1 has 253
assignable addresses (10.1.1.1 to 10.1.1.254, excluding the gateway address 10.1.1.2). The IP
address 10.1.1.254 is leased to the DHCP client with the MAC address 0235-2036-adcc, and
10.1.1.5 is statically bound to the DHCP client with the MAC address 00e0-0987-7895.
<HUAWEI> display ip pool name pool1 used
  Pool-name      : pool1
  Pool-No        : 0
  Lease          : 1 Days 0 Hours 0 Minutes
  Domain-name    : -
  DNS-server0    : -
  NBNS-server0   : -
  Netbios-type   : -
  Position       : Local            Status  : Unlocked
  Gateway-0      : 10.1.1.2
  Network        : 10.1.1.0
  Mask           : 255.255.255.0
  VPN instance   : --
  -----------------------------------------------------------------------------
  Start           End             Total    Used   Idle(Expired)  Conflict  Disable
  -----------------------------------------------------------------------------
  10.1.1.1        10.1.1.254      253      2      252(0)         0         0
  -----------------------------------------------------------------------------
  Network section :
  -----------------------------------------------------------------------------
  Index         IP              MAC             Lease      Status
  -----------------------------------------------------------------------------
  253           10.1.1.254      0235-2036-adcc  178        Used
  4             10.1.1.5        00e0-0987-7895  60         Static-bind
  -----------------------------------------------------------------------------
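The following script is an added example and not part of the Huawei guide. It parses the text output of display ip pool ... used shown above into records, so that an address can be checked before it is withdrawn as in 11.4 (which MAC holds it, and whether it is a static binding) and so that leases held by MAC addresses outside an allow-list can be listed. The sample output is the pool1 example from this section re-typed with some header lines omitted; the allow-list used in the demo is an assumption for illustration.

```python
"""Parse `display ip pool ... used` output from a Huawei VRP switch.

Added example, not part of the Huawei guide. It turns the text output shown in
11.5 into records so that an address can be checked before it is withdrawn
(11.4): which MAC currently holds it, and whether it is a static binding. The
sample output is re-typed from the guide's pool1 example; the allow-list of
expected MAC addresses in the demo is an assumption for illustration.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: the pool1 output from section 11.5 (some header lines omitted).
SAMPLE_OUTPUT = """\
  Pool-name      : pool1
  Pool-No        : 0
  Lease          : 1 Days 0 Hours 0 Minutes
  Gateway-0      : 10.1.1.2
  Network        : 10.1.1.0
  Mask           : 255.255.255.0
  -----------------------------------------------------------------------------
  Start           End             Total    Used   Idle(Expired)  Conflict  Disable
  -----------------------------------------------------------------------------
  10.1.1.1        10.1.1.254      253      2      252(0)         0         0
  -----------------------------------------------------------------------------
  Network section :
  -----------------------------------------------------------------------------
  Index         IP              MAC             Lease      Status
  -----------------------------------------------------------------------------
  253           10.1.1.254      0235-2036-adcc  178        Used
  4             10.1.1.5        00e0-0987-7895  60         Static-bind
  -----------------------------------------------------------------------------
"""


@dataclass
class Lease:
    index: int
    ip: str
    mac: str        # Huawei xxxx-xxxx-xxxx notation, lower-cased
    lease: int      # Lease column as printed
    status: str     # "Used", "Static-bind", ...


# A lease row: index, IPv4 address, Huawei-format MAC, lease, status.
_LEASE_RE = re.compile(
    r"^\s*(\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+([0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4})"
    r"\s+(\d+)\s+(\S+)\s*$", re.IGNORECASE)
# The Start/End/Total/Used/Idle(Expired)/Conflict/Disable row.
_RANGE_RE = re.compile(
    r"^\s*(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+(\d+)\s+(\d+)"
    r"\s+(\d+)\((\d+)\)\s+(\d+)\s+(\d+)\s*$")


def parse_ip_pool_used(text: str) -> dict:
    """Return the 'Key : value' header fields, the range counters and the lease rows."""
    info: dict = {"fields": {}, "range": None, "leases": []}
    for line in text.splitlines():
        m = _LEASE_RE.match(line)
        if m:
            idx, ip, mac, lease, status = m.groups()
            info["leases"].append(Lease(int(idx), ip, mac.lower(), int(lease), status))
            continue
        m = _RANGE_RE.match(line)
        if m:
            keys = ("start", "end", "total", "used", "idle", "expired", "conflict", "disable")
            info["range"] = {k: (v if k in ("start", "end") else int(v))
                             for k, v in zip(keys, m.groups())}
            continue
        if ":" in line and not line.strip().startswith("-"):
            key, _, value = line.partition(":")
            info["fields"][key.strip()] = value.strip()
    return info


def lease_for(info: dict, ip: str) -> Optional[Lease]:
    """Row for one address, e.g. to inspect before `reset ip pool name pool1 <ip>`."""
    return next((l for l in info["leases"] if l.ip == ip), None)


def unexpected_clients(info: dict, allowed_macs) -> List[Lease]:
    """Leases held by MAC addresses that are not on the operator's allow-list."""
    allowed = {m.lower() for m in allowed_macs}
    return [l for l in info["leases"] if l.mac not in allowed]


if __name__ == "__main__":
    pool = parse_ip_pool_used(SAMPLE_OUTPUT)
    print(pool["fields"]["Pool-name"], pool["range"])
    print(lease_for(pool, "10.1.1.5"))
    # Assumed allow-list: only the statically bound client is expected on this pool.
    for l in unexpected_clients(pool, ["00E0-0987-7895"]):
        print("unexpected client:", l)
```

Feed the script the raw text captured from the CLI; the regular expressions key on the column shapes rather than on column positions, so small width differences between software versions do not matter.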
11.6 Clearing Conflicting Addresses
Clear conflicting addresses in the address pool on a device functioning as a DHCP server. The
conflicting addresses then can be used. For example, clear the conflicting IP addresses in the
global address pool pool1 or interface address pool VLANIF100.
NOTE
The clients with conflicting addresses need to be reconnected to obtain new IP addresses.
l Configuration in the global address pool:
<HUAWEI> reset ip pool name pool1 conflict
l Configuration in the interface address pool:
<HUAWEI> reset ip pool interface vlanif100 conflict
11.7 Increasing the Address Pool Range
You can reduce the mask length of an address pool to increase the address pool range. For
example, a DHCP server with an address pool of mask length 25 can assign IP addresses to 126
users. If 120 more users are added to the network and also obtain IP addresses through DHCP,
the pool is too small, so reduce the mask length of the address pool to 24.
Before increasing the address pool range, check whether IP addresses have been assigned to
clients. For details, see 11.5 Checking IP Addresses Used.
NOTE
l After the mask length is changed from 25 to 24, 128 new users can be assigned IP addresses.
l The increased address range cannot conflict with other address ranges on the network.
l Plan the ratio of the number of clients to the address pool size according to whether the clients are
online concurrently. If all clients (for example, enterprise employees' PCs) are online concurrently, ensure
that the number of assignable addresses in the address pool is equal to or greater than the number of
clients. If the clients (for example, PCs in public areas such as hotels and Internet cafes) are not online
concurrently, the number of assignable addresses in the address pool can be less than the number of clients.
l If the addresses have not been assigned:
Reduce the mask length of the address pool on the device functioning as the DHCP
server to increase the address pool range.
– Configuration in the global address pool:
<HUAWEI> system-view
[HUAWEI] ip pool pool1
[HUAWEI-ip-pool-pool1] undo network
[HUAWEI-ip-pool-pool1] network 10.1.1.0 mask 24 //Adjust the mask length.
– Configuration in the interface address pool:
<HUAWEI> system-view
[HUAWEI] interface vlanif 100
[HUAWEI-Vlanif100] ip address 10.1.1.1 24 //Adjust the mask length.
[HUAWEI-Vlanif100] dhcp select interface //Re-enable the interface address pool function.
l If the addresses have been assigned:
On the device functioning as the DHCP server, perform the following operations in
sequence to increase the address pool range: withdraw IP addresses (only in the global
address pool), enable the check that prevents an address still in use from being allocated
again (the server pings an address before assigning it), and adjust the mask length of the
address pool.
– Configuration in the global address pool:
<HUAWEI> reset ip pool name pool1 all //Withdraw all IP addresses.
<HUAWEI> system-view
[HUAWEI] dhcp server ping packet 3 //Prevent repetitive IP address allocation (number of ping probes).
[HUAWEI] dhcp server ping timeout 100 //Prevent repetitive IP address allocation (ping timeout).
[HUAWEI] ip pool pool1
[HUAWEI-ip-pool-pool1] undo network
[HUAWEI-ip-pool-pool1] network 10.1.1.0 mask 24 //Adjust the mask length.
– Configuration in the interface address pool:
<HUAWEI> system-view
[HUAWEI] dhcp server ping packet 3 //Prevent repetitive IP address allocation (number of ping probes).
[HUAWEI] dhcp server ping timeout 100 //Prevent repetitive IP address allocation (ping timeout).
[HUAWEI] interface vlanif 100
[HUAWEI-Vlanif100] ip address 10.1.1.1 24 //Adjust the mask length.
[HUAWEI-Vlanif100] dhcp select interface //Re-enable the interface address pool function.
11.8 Decreasing the Address Pool Range
You can increase the mask length of an address pool to decrease the address pool range. For
example, a DHCP server with an address pool of mask length 24 can assign IP addresses to 254
users. If 140 users are then removed from the network, you can increase the mask length of the
address pool to 25 to save address resources. Before decreasing the address pool range, check
whether IP addresses have been assigned to clients. For details, see 11.5 Checking IP Addresses Used.
NOTE
After the mask length is increased from 24 to 25, 128 IP addresses can be saved.
l If the addresses have not been assigned:
Increase the mask length of an address pool on a device functioning as the DHCP server
to decrease the address pool range.
– Configuration in the global address pool:
<HUAWEI> system-view
[HUAWEI] ip pool pool1
[HUAWEI-ip-pool-pool1] undo network
[HUAWEI-ip-pool-pool1] network 10.1.1.0 mask 25 //Adjust the mask length.
– Configuration in the interface address pool:
<HUAWEI> system-view
[HUAWEI] interface vlanif 100
[HUAWEI-Vlanif100] ip address 10.1.1.1 25 //Adjust the mask length.
[HUAWEI-Vlanif100] dhcp select interface //Re-enable the interface address pool function.
l If the addresses have been assigned:
On the device functioning as the DHCP server, perform the following operations in
sequence to decrease the address pool range: withdraw IP addresses (only in the global
address pool), enable the check that prevents an address still in use from being allocated
again (the server pings an address before assigning it), and adjust the mask length of the
address pool.
NOTE
After the address pool range is decreased, clients holding IP addresses outside the new range
re-apply for addresses when their leases expire.
– Configuration in the global address pool:
<HUAWEI> reset ip pool name pool1 all //Withdraw all IP addresses.
<HUAWEI> system-view
[HUAWEI] dhcp server ping packet 3 //Prevent repetitive IP address allocation (number of ping probes).
[HUAWEI] dhcp server ping timeout 100 //Prevent repetitive IP address allocation (ping timeout).
[HUAWEI] ip pool pool1
[HUAWEI-ip-pool-pool1] undo network
[HUAWEI-ip-pool-pool1] network 10.1.1.0 mask 25 //Adjust the mask length.
– Configuration in the interface address pool:
<HUAWEI> system-view
[HUAWEI] dhcp server ping packet 3 //Prevent repetitive IP address allocation (number of ping probes).
[HUAWEI] dhcp server ping timeout 100 //Prevent repetitive IP address allocation (ping timeout).
[HUAWEI] interface vlanif 100
[HUAWEI-Vlanif100] ip address 10.1.1.1 25 //Adjust the mask length.
[HUAWEI-Vlanif100] dhcp select interface //Re-enable the interface address pool function.
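The following script is an added example and not part of the Huawei guide. It does the arithmetic behind 11.7 and 11.8 and the two checks the notes in those sections call for before the mask length is changed on the switch: that the new range holds the number of clients expected online at once, and that the enlarged range does not overlap another address range already in use on the network. The client counts and the list of other networks are constructed sample values; as in the guide's 126 and 254 figures, only the network and broadcast addresses are excluded unless a reserved count (for example the gateway address) is given.

```python
"""Plan an address-pool resize before changing `network ... mask` on the switch.

Added example, not part of the Huawei guide. It does the arithmetic behind 11.7
and 11.8 and the two checks the guide's notes call for: that the new range fits
the expected number of concurrent clients, and that it does not overlap other
address ranges on the network. The client counts and the list of other
networks are constructed sample values; like the guide's 126/254 figures, the
count excludes only the network and broadcast addresses unless `reserved`
(for example a gateway address) is given.
"""
import ipaddress
import math
from typing import Iterable


def assignable(network: ipaddress.IPv4Network, reserved: int = 0) -> int:
    """Host addresses the pool can hand out."""
    return max(network.num_addresses - 2 - reserved, 0)


def prefix_for(clients: int, reserved: int = 0, concurrent_ratio: float = 1.0) -> int:
    """Longest prefix (smallest pool) whose assignable count covers the clients
    expected online at once; ratio < 1.0 models the hotel/Internet-cafe case."""
    needed = math.ceil(clients * concurrent_ratio)
    for prefix in range(30, 7, -1):
        if assignable(ipaddress.ip_network(f"0.0.0.0/{prefix}"), reserved) >= needed:
            return prefix
    raise ValueError("no prefix between /30 and /8 fits")


def plan_resize(base_ip: str, current_prefix: int, clients: int,
                other_networks: Iterable[str], reserved: int = 0,
                concurrent_ratio: float = 1.0) -> dict:
    """Describe the mask change needed for `clients` and list overlapping networks."""
    current = ipaddress.ip_network(f"{base_ip}/{current_prefix}", strict=False)
    new_prefix = prefix_for(clients, reserved, concurrent_ratio)
    new = ipaddress.ip_network(f"{base_ip}/{new_prefix}", strict=False)
    # A network that was already inside the current pool is not a new conflict.
    conflicts = [str(n) for n in map(ipaddress.ip_network, other_networks)
                 if new.overlaps(n) and not n.subnet_of(current)]
    return {"current": str(current), "new": str(new),
            "assignable_before": assignable(current, reserved),
            "assignable_after": assignable(new, reserved),
            "conflicts": conflicts}


if __name__ == "__main__":
    # 11.7: /25 pool for 126 users, 120 more join -> /24. 10.1.1.128/25 in use
    # elsewhere is an assumed network that the grown pool would collide with.
    print(plan_resize("10.1.1.0", 25, 126 + 120, ["10.1.1.128/25", "10.1.2.0/24"]))
    # 11.8: /24 pool, 140 of 254 users leave -> /25 frees 128 addresses.
    print(plan_resize("10.1.1.0", 24, 254 - 140, ["10.1.2.0/24"]))
```

When the conflicts list is not empty, the mask must not be changed as shown in 11.7 until the overlapping range has been renumbered or the pool is moved; the switch itself does not check other segments for you.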
11.9 Preventing a Device from Obtaining an IP Address from a Pseudo DHCP Server
On the Layer 2 access device or the first DHCP relay device, configure DHCP snooping so that
DHCP server replies are accepted only on the trusted interface connected to the legitimate
DHCP server. Replies from a pseudo (rogue) DHCP server attached to any other interface are
discarded, so clients cannot be handed a bogus address, gateway, or DNS server.
NOTE
l For a Layer 2 access device, steps 1-3 are mandatory. Configure this function in sequence.
l For a DHCP relay device, only steps 1 and 2 are mandatory.
1. Enable DHCP snooping globally.
<HUAWEI> system-view
[HUAWEI] dhcp enable
[HUAWEI] dhcp snooping enable
2. Enable DHCP snooping on the interfaces connected to DHCP clients (configure every such
interface; GE1/0/1 is used as an example).
[HUAWEI] interface gigabitethernet 1/0/1
[HUAWEI-GigabitEthernet1/0/1] dhcp snooping enable
[HUAWEI-GigabitEthernet1/0/1] quit
3. Configure the interface connected to the DHCP server as a trusted interface.
[HUAWEI] interface gigabitethernet 1/0/2
[HUAWEI-GigabitEthernet1/0/2] dhcp snooping trusted
[HUAWEI-GigabitEthernet1/0/2] quit
11.10 Disabling the DHCP Service
Disable the DHCP service on the device functioning as a DHCP server or DHCP relay, or
configured with DHCP snooping. By default, the DHCP service is disabled. Because DHCP
snooping, and the DAI check that relies on its binding table (see 12.7), also require dhcp
enable, disabling the DHCP service on such a device removes those protections as well.
<HUAWEI> system-view
[HUAWEI] undo dhcp enable
12 Common ARP Operations
About This Chapter
This chapter describes common ARP operations.
12.1 Checking ARP entries
12.2 Updating ARP Entries
12.3 Setting the Aging Time of ARP Entries
12.4 Configuring Static ARP Entries
12.5 Configuring ARP Proxy
12.6 Shielding ARP Miss Alarms Based on Source IP Addresses
12.7 Configuring Dynamic ARP Detection
12.8 Configuring ARP Gateway Anti-Collision
12.1 Checking ARP entries
In routine maintenance, you can run the display arp command in any view to check ARP
entry information on the device.
By checking ARP entries on a gateway device, the network administrator can view
information about the connected users, including IP addresses, MAC addresses, and
interfaces. For example, the network administrator can check ARP entry information to query
the MAC address based on the IP address of a user.
When the gateway has not learned the ARP entry of a connected user, the network
administrator can ping the broadcast address of the network segment from the gateway. For
example, if the gateway IP address is 10.10.10.1/24, run the ping 10.10.10.255 command on
the gateway. Hosts on the segment that answer the ping must resolve the gateway's MAC
address first, and the gateway learns each host's IP-to-MAC mapping from the resulting ARP
exchange. Many hosts ignore ICMP requests sent to the broadcast address by default, so this
method does not guarantee that every host is learned.
# Check ARP entries on the network segment 172.16.0.0/16.
<HUAWEI> display arp network 172.16.0.0 16
IP ADDRESS      MAC ADDRESS     EXPIRE(M) TYPE        INTERFACE   VPN-INSTANCE  VLAN/CEVLAN
------------------------------------------------------------------------------
172.16.10.3     0025-9efb-be55            S--         GE1/0/6                   100/-
172.16.20.3     0200-0000-00e8            S--         GE1/0/19
172.16.10.1     0025-9ef4-abcd            I -         Vlanif100
172.16.10.2     0025-9efb-be55  20        D-0         GE1/0/6                   100/-
172.16.20.1     0025-9ef4-abcd            I -         GE1/0/19
172.16.20.2     0200-0000-00e8  18        D-0         GE1/0/19
------------------------------------------------------------------------------
Total:6         Dynamic:2       Static:2     Interface:2
In the command output, the ARP entry in each row is described as follows:
l The IP address is 172.16.10.3, the MAC address is 0025-9efb-be55, and the type is S (indicating
a static ARP entry). For this static ARP entry, the outbound interface is GE1/0/6 and the
VLAN ID is 100.
l The IP address is 172.16.20.3, the MAC address is 0200-0000-00e8, and the type is S
(indicating a static ARP entry). For this static ARP entry, the outbound interface is
GE1/0/19.
l The IP address is 172.16.10.1, the MAC address is 0025-9ef4-abcd, and the type is I (indicating
an interface ARP entry). This ARP entry indicates that 172.16.10.1 is the IP address of
the interface VLANIF 100.
l The IP address is 172.16.10.2, the MAC address is 0025-9efb-be55, and the type is D
(indicating a dynamic ARP entry). This dynamic ARP entry was learned from the interface
GE1/0/6, the VLAN ID is 100, and the remaining lifetime is 20 minutes.
l The IP address is 172.16.20.1, the MAC address is 0025-9ef4-abcd, and the type is I (indicating
an interface ARP entry). This ARP entry indicates that 172.16.20.1 is the IP address of
the interface GE1/0/19.
l The IP address is 172.16.20.2, the MAC address is 0200-0000-00e8, and the type is D
(indicating a dynamic ARP entry). This dynamic ARP entry was learned from the interface
GE1/0/19, and the remaining lifetime is 18 minutes.
NOTE
If the value of MAC ADDRESS is Incomplete, the ARP entry is a temporary one. When IP
packets trigger ARP Miss messages, the device generates a temporary ARP entry and sends ARP
Request packets to the destination network segment.
l While the temporary ARP entry has not aged out:
– Before receiving an ARP Reply packet, the device discards the IP packets matching the
temporary ARP entry, and no further ARP Miss message is triggered.
– After receiving the ARP Reply packet, the device generates a correct ARP entry to replace
the temporary entry.
l After the temporary ARP entry ages out, the device deletes this entry.
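The following script is an added example and not part of the Huawei guide. It parses the display arp table format shown in 12.1 (IP ADDRESS, MAC ADDRESS, EXPIRE(M), TYPE, INTERFACE, VPN-INSTANCE, VLAN/CEVLAN), answers the IP-to-MAC lookup the section describes, treats a MAC of Incomplete as the temporary entry the note describes, and lists MAC addresses that appear under more than one IP address, which is the first thing to look at when ARP spoofing is suspected. The sample table is the 12.1 output re-typed plus one constructed Incomplete row for illustration.

```python
"""Parse `display arp` output from a Huawei VRP switch and flag entries worth a look.

Added example, not part of the Huawei guide. It reads the table format shown
in 12.1 (IP ADDRESS, MAC ADDRESS, EXPIRE(M), TYPE, INTERFACE, VPN-INSTANCE,
VLAN/CEVLAN), treats a MAC of "Incomplete" as the temporary entry the note
describes, and reports temporary entries and MAC addresses that appear under
more than one IP address. The sample is the 12.1 table re-typed, plus one
constructed Incomplete row for illustration.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample: the 12.1 table plus one temporary (Incomplete) entry.
SAMPLE_ARP = """\
IP ADDRESS      MAC ADDRESS     EXPIRE(M) TYPE        INTERFACE   VPN-INSTANCE  VLAN/CEVLAN
------------------------------------------------------------------------------
172.16.10.3     0025-9efb-be55            S--         GE1/0/6                   100/-
172.16.20.3     0200-0000-00e8            S--         GE1/0/19
172.16.10.1     0025-9ef4-abcd            I -         Vlanif100
172.16.10.2     0025-9efb-be55  20        D-0         GE1/0/6                   100/-
172.16.20.1     0025-9ef4-abcd            I -         GE1/0/19
172.16.20.2     0200-0000-00e8  18        D-0         GE1/0/19
172.16.10.9     Incomplete      1         D-0         GE1/0/6                   100/-
------------------------------------------------------------------------------
Total:7         Dynamic:3       Static:2     Interface:2
"""


@dataclass
class ArpEntry:
    ip: str
    mac: Optional[str]          # None for a temporary (Incomplete) entry
    expire_min: Optional[int]   # remaining lifetime; None for static/interface entries
    kind: str                   # "S" static, "D" dynamic, "I" interface
    interface: str
    vpn: Optional[str]
    vlan: Optional[str]         # "VLAN/CEVLAN" column, e.g. "100/-"


_ROW_RE = re.compile(
    r"^(?P<ip>\d+\.\d+\.\d+\.\d+)\s+"
    r"(?P<mac>[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}|Incomplete)\s+"
    r"(?:(?P<exp>\d+)\s+)?"
    r"(?P<type>[SDI])(?:-[0-9-]|\s-)\s+"          # "S--", "D-0" or "I -"
    r"(?P<iface>\S+)"
    r"(?:\s+(?P<vpn>(?!\d+/)\S+))?"                 # VPN instance, if printed
    r"(?:\s+(?P<vlan>\d+/\S+))?\s*$",
    re.IGNORECASE,
)


def parse_display_arp(text: str) -> List[ArpEntry]:
    """Return one ArpEntry per table row; header, separator and Total lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = _ROW_RE.match(line.strip())
        if not m:
            continue
        mac = None if m["mac"].lower() == "incomplete" else m["mac"].lower()
        exp = int(m["exp"]) if m["exp"] else None
        entries.append(ArpEntry(m["ip"], mac, exp, m["type"].upper(),
                                m["iface"], m["vpn"], m["vlan"]))
    return entries


def lookup_mac(entries: List[ArpEntry], ip: str) -> Optional[str]:
    """MAC learned for an IP address (the lookup 12.1 describes); None if absent or temporary."""
    return next((e.mac for e in entries if e.ip == ip), None)


def temporary_entries(entries: List[ArpEntry]) -> List[ArpEntry]:
    """Entries still waiting for an ARP Reply; many of them can mean a scan or an ARP Miss flood."""
    return [e for e in entries if e.mac is None]


def macs_with_multiple_ips(entries: List[ArpEntry]) -> Dict[str, List[str]]:
    """MACs that resolve more than one IP. A static entry mirroring a dynamic one is
    normal; a dynamic MAC claiming several other hosts' addresses may be spoofing."""
    by_mac = defaultdict(set)
    for e in entries:
        if e.mac and e.kind != "I":        # skip the device's own interface entries
            by_mac[e.mac].add(e.ip)
    return {mac: sorted(ips) for mac, ips in by_mac.items() if len(ips) > 1}


if __name__ == "__main__":
    table = parse_display_arp(SAMPLE_ARP)
    print("172.16.10.2 ->", lookup_mac(table, "172.16.10.2"))
    print("temporary:", [e.ip for e in temporary_entries(table)])
    print("shared MACs:", macs_with_multiple_ips(table))
```

In the sample both shared MACs are a static entry paired with a dynamic one for a neighbouring address, which the guide's own output shows; the check earns its keep when a dynamic MAC suddenly appears under the gateway's or a server's address.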
12.2 Updating ARP Entries
Before updating ARP entries, clear ARP entries on the device so that the device will relearn
the entries.
NOTICE
After ARP entries are cleared, the mappings between IP addresses and MAC addresses are
deleted. Until the entries are relearned, users may be unable to reach some nodes. Exercise
caution when you clear ARP entries.
# Clear all ARP entries on the device.
<HUAWEI> reset arp all
# Clear the dynamic ARP entries with the IP address 172.16.10.1 on the device.
<HUAWEI> reset arp dynamic ip 172.16.10.1 //If the IP address is not specified, all dynamic ARP entries are deleted from the device.
# Clear all static ARP entries on the device.
<HUAWEI> reset arp static
Warning: This operation will reset all static ARP entries, and clear the configurations of all static ARP, continue?[Y/N]:y
# Clear the static ARP entries with the IP address 172.16.20.1, MAC address
0023-0045-0067, and outbound interface GE1/0/1 on the device.
<HUAWEI> system-view
[HUAWEI] undo arp static 172.16.20.1 0023-0045-0067 interface gigabitethernet 1/0/1
# Clear the ARP entries learned from VLANIF 100 with the IP address 172.16.20.1 on the
device.
<HUAWEI> reset arp interface vlanif 100 ip 172.16.20.1 //If the IP address is not specified, all ARP entries learned by VLANIF 100 are deleted from the device.
12.3 Setting the Aging Time of ARP Entries
The ARP aging time takes effect only for dynamic ARP entries. The default ARP aging time
is 20 minutes. You can run the arp expire-time expire-time command in the system view or
interface view to configure the aging time of dynamic ARP entries. The value range of expire-
time is as follows: 60-62640 (chassis switches) and 30-62640 (box switches), in seconds.
If you run the command only in the system view, the aging time takes effect for dynamic ARP
entries learned by all interfaces on the device. If you run the command both in the view of an
interface and in the system view, the aging time configured in the interface view takes effect for
the dynamic ARP entries learned by that interface. A longer aging time reduces ARP traffic but
keeps a stale or spoofed mapping in the table longer; a shorter one makes the device re-verify
mappings sooner at the cost of more ARP requests.
# Set the aging time of dynamic ARP entries to 1800s.
<HUAWEI> system-view
[HUAWEI] vlan batch 100
[HUAWEI] interface vlanif 100
[HUAWEI-Vlanif100] arp expire-time 1800
# After the configuration is complete, you can run the display current-configuration |
include arp command in any view to check the configured aging time of dynamic ARP
entries.
<HUAWEI> display current-configuration | include arp
arp expire-time 1800
12.4 Configuring Static ARP Entries
Static ARP entries do not age out and cannot be overwritten by dynamic ARP entries, so they
protect the mappings of critical hosts (for example, gateways and servers) against ARP spoofing.
You can configure static ARP entries manually, or use automatic scanning and fixed ARP to batch
configure them.
Manually Configuring a Static ARP Entry
NOTE
If the outbound interface is an Ethernet interface in Layer 2 mode, you are advised to configure a long
static ARP entry. Specify the VLAN and outbound interface when configuring the entry.
# Configure a static ARP entry with the IP address 172.16.10.2, MAC address
0023-0045-0067, and outbound interface GE1/0/1 in Layer 2 mode. This static ARP entry
belongs to VLAN 100.
<HUAWEI> system-view
[HUAWEI] vlan batch 100
[HUAWEI] interface vlanif 100
[HUAWEI-Vlanif100] ip address 172.16.10.1 24 //The IP address of the VLANIF interface must be in the same network segment as the IP address (172.16.10.2) in the static ARP entry.
[HUAWEI-Vlanif100] quit
[HUAWEI] interface gigabitethernet 1/0/1
[HUAWEI-GigabitEthernet1/0/1] port link-type trunk
[HUAWEI-GigabitEthernet1/0/1] port trunk allow-pass vlan 100 //GigabitEthernet1/0/1 is in Layer 2 mode and must be added to VLAN 100.
[HUAWEI-GigabitEthernet1/0/1] quit
[HUAWEI] arp static 172.16.10.2 0023-0045-0067 vid 100 interface gigabitethernet 1/0/1
# Configure a static ARP entry with the IP address 172.16.20.2, MAC address
0023-0045-0068, and outbound interface GE1/0/2 in Layer 3 mode.
<HUAWEI> system-view
[HUAWEI] interface gigabitethernet 1/0/2
[HUAWEI-GigabitEthernet1/0/2] undo portswitch
[HUAWEI-GigabitEthernet1/0/2] ip address 172.16.20.1 24 //The IP address of GigabitEthernet1/0/2 must be in the same network segment as the IP address (172.16.20.2) in the static ARP entry.
[HUAWEI-GigabitEthernet1/0/2] quit
[HUAWEI] arp static 172.16.20.2 0023-0045-0068 interface gigabitethernet 1/0/2
# Configure a static ARP entry with the IP address 172.16.30.2 and MAC address
0023-0045-0069. This static ARP entry belongs to the VPN instance vpn1.
<HUAWEI> system-view
[HUAWEI] ip vpn-instance vpn1
[HUAWEI-vpn-instance-vpn1] ipv4-family
[HUAWEI-vpn-instance-vpn1-af-ipv4] quit
[HUAWEI-vpn-instance-vpn1] quit
[HUAWEI] arp static 172.16.30.2 0023-0045-0069 vpn-instance vpn1
# Configure a static ARP entry with the IP address 172.16.40.2 and MAC address
02bf-0045-0070. (For example, you can configure such a short static ARP entry when the
device is connected to an NLB server cluster in multi-port ARP mode.)
<HUAWEI> system-view
[HUAWEI] arp static 172.16.40.2 02bf-0045-0070
Using Automatic Scanning and Fixed ARP to Batch Configure Static ARP Entries
# The IP address of VLANIF 103 is 172.16.50.1/24. Perform automatic scanning on the ARP
entries with the IP addresses 172.16.50.2 to 172.16.50.4, and convert the learned ARP entries
into static ARP entries.
<HUAWEI> system-view
[HUAWEI] vlan batch 103
[HUAWEI] interface vlanif 103
[HUAWEI-Vlanif103] ip address 172.16.50.1 24
[HUAWEI-Vlanif103] quit
[HUAWEI] interface gigabitethernet 1/0/3
[HUAWEI-GigabitEthernet1/0/3] port link-type trunk
[HUAWEI-GigabitEthernet1/0/3] port trunk allow-pass vlan 103
[HUAWEI-GigabitEthernet1/0/3] quit
[HUAWEI] display arp network 172.16.50.0 24
IP ADDRESS      MAC ADDRESS     EXPIRE(M) TYPE        INTERFACE   VPN-INSTANCE  VLAN/CEVLAN
------------------------------------------------------------------------------
172.16.50.1     00e0-0987-7895            I -         Vlanif103
------------------------------------------------------------------------------
Total:1         Dynamic:0       Static:0     Interface:1
[HUAWEI] interface vlanif 103
[HUAWEI-Vlanif103] arp scan 172.16.50.2 to 172.16.50.4 //Automatic scanning is performed on VLANIF 103. The start and end IP addresses of the scanned range must be in the same network segment as the IP address (primary or secondary) of the VLANIF interface, here 172.16.50.1.
Warning: This operation may take a long time, press CTRL+C to break. Continue?[Y/N]:y
Processing...
Info: ARP scanning is completed.
[HUAWEI-Vlanif103] display arp network 172.16.50.0 24 //After automatic scanning, check the ARP entries. The device has newly learned three dynamic ARP entries.
IP ADDRESS      MAC ADDRESS     EXPIRE(M) TYPE        INTERFACE   VPN-INSTANCE  VLAN/CEVLAN
------------------------------------------------------------------------------
172.16.50.1     00e0-0987-7895            I -         Vlanif103
172.16.50.2     0200-0000-0212  20        D-0         GE1/0/3                   103/-
172.16.50.3     0200-0000-0212  20        D-0         GE1/0/3                   103/-
172.16.50.4     0200-0000-0212  20        D-0         GE1/0/3                   103/-
------------------------------------------------------------------------------
Total:4         Dynamic:3       Static:0     Interface:1
[HUAWEI-Vlanif103] arp fixup //Convert the dynamic ARP entries learned on VLANIF 103 into static ARP entries.
Warning: This operation may generate configuration of static ARP, and take a long time, press CTRL+C to break. Continue?[Y/N]:y
Processing...
Info: ARP fixup is completed.
[HUAWEI-Vlanif103] display arp network 172.16.50.0 24 //Check the fixed ARP entries. The three dynamic ARP entries that the device newly learned have been converted into static ARP entries.
IP ADDRESS      MAC ADDRESS     EXPIRE(M) TYPE        INTERFACE   VPN-INSTANCE  VLAN/CEVLAN
------------------------------------------------------------------------------
172.16.50.2     0200-0000-0212            S--         GE1/0/3                   103/-
172.16.50.3     0200-0000-0212            S--         GE1/0/3                   103/-
172.16.50.4     0200-0000-0212            S--         GE1/0/3                   103/-
172.16.50.1     00e0-0987-7895            I -         Vlanif103
------------------------------------------------------------------------------
Total:4         Dynamic:0       Static:3     Interface:1
NOTE
arp fixup freezes whatever the scan learned, so verify the learned MAC addresses before running it.
In the output above all three addresses resolve to the same MAC address; that can be legitimate
(one host with several addresses), but if it were unexpected, fixing the entries would lock a
spoofed mapping in place as a static entry.
12.5 Configuring ARP Proxy
Proxy ARP Classification
Proxy ARP is classified into the following types: routed proxy ARP, intra-VLAN proxy ARP,
and inter-VLAN proxy ARP. Table 12-1 describes the usage scenarios. Proxy ARP makes the
switch answer ARP requests on behalf of other hosts, so enable it only where that reachability
is intended: with intra-VLAN proxy ARP, for example, isolated ports can reach each other through
the gateway, which is the purpose of the feature but also removes the isolation at Layer 3.
Table 12-1 Proxy ARP types
Proxy ARP Type          Scenario
Routed proxy ARP        Hosts that need to communicate are not configured with default gateways
                        and belong to the same network segment but different physical networks
                        (different broadcast domains).
Intra-VLAN proxy ARP    Hosts that need to communicate belong to the same network segment and
                        VLAN, but port isolation is configured in the VLAN.
Inter-VLAN proxy ARP    Hosts that need to communicate belong to the same network segment but
                        different VLANs.
Routed Proxy ARP
# Configure IP address 172.16.1.1/24 on VLANIF 100 and enable routed proxy ARP.
<HUAWEI> system-view
[HUAWEI] vlan batch 100
[HUAWEI] interface vlanif 100
[HUAWEI-Vlanif100] ip address 172.16.1.1 24
[HUAWEI-Vlanif100] arp-proxy enable
Intra-VLAN Proxy ARP
# Configure IP address 172.16.1.1/24 on VLANIF 100 and enable intra-VLAN proxy ARP.
<HUAWEI> system-view
[HUAWEI] vlan batch 100
[HUAWEI] interface vlanif 100
[HUAWEI-Vlanif100] ip address 172.16.1.1 24
[HUAWEI-Vlanif100] arp-proxy inner-sub-vlan-proxy enable
Inter-VLAN Proxy ARP
# Configure IP address 172.16.1.1/24 on VLANIF 100 and enable inter-VLAN proxy ARP.
<HUAWEI> system-view
[HUAWEI] vlan batch 100
[HUAWEI] interface vlanif 100
[HUAWEI-Vlanif100] ip address 172.16.1.1 24
[HUAWEI-Vlanif100] arp-proxy inter-sub-vlan-proxy enable
12.6 Shielding ARP Miss Alarms Based on Source IP Addresses
When a source IP address triggers an ARP Miss alarm, you can cancel the rate limit on ARP
Miss messages from that IP address to shield the alarm. The rate limit is an anti-attack measure
against ARP Miss flooding, so cancel it only for a source you trust (for example, a server or
scanner that legitimately opens many flows to unresolved addresses), and restore the limit once
the alarm has been investigated.
# Cancel the rate limit on ARP Miss messages of IP address 10.0.0.1. (The S2750, S5710-C-
LI, S5710-X-LI, S5700LI, and S5700S-LI do not support this command.)
<HUAWEI> system-view
[HUAWEI] arp-miss speed-limit source-ip 10.0.0.1 maximum 0
# Cancel the rate limit on ARP Miss messages of all source IP addresses. (The S2750, S5710-
C-LI, S5710-X-LI, S5700LI, and S5700S-LI do not support this command.)
<HUAWEI> system-view
[HUAWEI] arp-miss speed-limit source-ip maximum 0
12.7 Configuring Dynamic ARP Detection
Dynamic ARP inspection (DAI) prevents man-in-the-middle (MITM) attacks. Without DAI, the
ARP entries of authorized users on the device can be overwritten by forged ARP packets sent
by attackers.
DAI checks ARP packets against binding tables (the dynamic DHCP snooping binding table and
static bindings).
When receiving an ARP packet, the device compares the source IP address, source MAC
address, interface, and VLAN in the ARP packet with the information in the binding table. You
can configure which parameters are compared, for example, only the source IP address and
VLAN. Comparing fewer fields weakens the check: if only the IP address and VLAN are
compared, an attacker can reuse a bound IP address from a different port.
l If the parameters match the table information, the user is authorized and the device
allows the ARP packet to pass.
l If the parameters do not match the table information, the device treats the packet as an
attack packet and discards it.
# Configure DHCP snooping on the device and enable DAI on the interface connecting the
device to the user side.
<HUAWEI> system-view
[HUAWEI] dhcp enable
[HUAWEI] dhcp snooping enable ipv4
[HUAWEI] interface gigabitethernet 1/0/1
[HUAWEI-GigabitEthernet1/0/1] dhcp snooping enable //Enable DHCP snooping on the interface connecting the device to the user side.
[HUAWEI-GigabitEthernet1/0/1] quit
[HUAWEI] interface gigabitethernet 1/0/2
[HUAWEI-GigabitEthernet1/0/2] dhcp snooping trusted //Configure the interface connecting the device to the DHCP server as a trusted interface. If DHCP snooping is deployed on the DHCP relay device, the trusted interface configuration is optional.
[HUAWEI-GigabitEthernet1/0/2] quit
[HUAWEI] user-bind static ip-address 10.10.10.1 vlan 100 //Configure a static binding entry for a user with a static IP address.
[HUAWEI] interface gigabitethernet 1/0/1
[HUAWEI-GigabitEthernet1/0/1] arp anti-attack check user-bind enable //Enable DAI on the interface connecting the device to the user side.
[HUAWEI-GigabitEthernet1/0/1] quit
# Configure DHCP snooping on the device and enable DAI in the user-side VLAN.
<HUAWEI> system-view
[HUAWEI] dhcp enable
[HUAWEI] dhcp snooping enable ipv4
[HUAWEI] vlan 100
[HUAWEI-vlan100] dhcp snooping enable //Enable DHCP snooping in the VLAN that the user device belongs to.
[HUAWEI-vlan100] quit
[HUAWEI] vlan 200
[HUAWEI-vlan200] dhcp snooping enable
[HUAWEI-vlan200] dhcp snooping trusted interface gigabitethernet 1/0/2 //Configure the interface connecting the device to the DHCP server as a trusted interface. If DHCP snooping is deployed on the DHCP relay device, the trusted interface configuration is optional.
[HUAWEI-vlan200] quit
[HUAWEI] user-bind static ip-address 10.10.10.1 vlan 100 //Configure a static binding entry for a user with a static IP address.
[HUAWEI] vlan 100
[HUAWEI-vlan100] arp anti-attack check user-bind enable //Enable DAI in the user-side VLAN.
[HUAWEI-vlan100] quit
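The following script is an added example and not part of the Huawei guide. It models in Python what the commands in 11.9 and in this section enable on the switch: DHCP server messages (OFFER, ACK, NAK) are forwarded only when they arrive on a trusted interface, the DHCP snooping binding table is filled from ACKs that answer a client seen on an untrusted interface, a static user-bind entry is added by hand, and an ARP packet on a DAI-enabled interface is permitted only when the selected fields match a binding. It also shows what happens when the comparison is reduced to IP address and VLAN. Interface names, VLAN IDs, MAC addresses and the packet sequence are constructed sample data, not a capture.

```python
"""Simulate DHCP snooping and dynamic ARP inspection (DAI) on an access switch.

Added example, not part of the Huawei guide. It models what the commands in
11.9 and 12.7 enable: DHCP server messages (OFFER/ACK/NAK) are forwarded only
from a trusted interface, the snooping binding table is built from ACKs that
answer a client seen on an untrusted port, static `user-bind` entries are
added by hand, and an ARP packet on a DAI-enabled interface is permitted only
when the selected fields match a binding. Interface names, VLAN IDs, MACs and
the packet sequence are constructed sample data.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Binding:
    ip: str
    vlan: int
    mac: Optional[str] = None        # None = not specified (wildcard), as in
    interface: Optional[str] = None  # `user-bind static ip-address ... vlan ...`


@dataclass
class DhcpMsg:
    kind: str            # DISCOVER, OFFER, REQUEST, ACK, NAK
    in_port: str
    vlan: int
    client_mac: str
    yiaddr: str = "0.0.0.0"


@dataclass
class ArpPkt:
    in_port: str
    vlan: int
    sender_ip: str
    sender_mac: str


SERVER_MSGS = {"OFFER", "ACK", "NAK"}


class SnoopingSwitch:
    def __init__(self, trusted_ports, dai_ports, static_bindings=()):
        self.trusted = set(trusted_ports)       # dhcp snooping trusted
        self.dai_ports = set(dai_ports)         # arp anti-attack check user-bind enable
        self.bindings = set(static_bindings)    # static + dynamic binding table
        self.pending = {}                       # (vlan, client_mac) -> client port

    def handle_dhcp(self, msg: DhcpMsg) -> str:
        """'drop' a server message from an untrusted port, otherwise 'forward'."""
        if msg.kind in SERVER_MSGS and msg.in_port not in self.trusted:
            return "drop"                       # pseudo DHCP server on an access port
        if msg.in_port not in self.trusted:
            self.pending[(msg.vlan, msg.client_mac)] = msg.in_port
        elif msg.kind == "ACK":
            port = self.pending.get((msg.vlan, msg.client_mac))
            if port:                            # lease granted to a known client
                self.bindings.add(Binding(msg.yiaddr, msg.vlan, msg.client_mac, port))
        return "forward"

    def check_arp(self, pkt: ArpPkt, check=("ip", "mac", "vlan", "interface")) -> str:
        """DAI: 'permit' only if the chosen fields match some binding, else 'discard'."""
        if pkt.in_port not in self.dai_ports:
            return "permit"                     # DAI not enabled on this interface
        for b in self.bindings:
            pairs = {"ip": (pkt.sender_ip, b.ip), "mac": (pkt.sender_mac, b.mac),
                     "vlan": (pkt.vlan, b.vlan), "interface": (pkt.in_port, b.interface)}
            if all(pairs[f][1] is None or pairs[f][0] == pairs[f][1] for f in check):
                return "permit"
        return "discard"


def demo():
    sw = SnoopingSwitch(trusted_ports={"GE1/0/2"}, dai_ports={"GE1/0/1", "GE1/0/3"},
                        static_bindings=[Binding("10.10.10.1", 100)])
    client, rogue = "00e0-0987-7895", "dead-beef-0001"        # constructed MACs
    dhcp = [
        DhcpMsg("OFFER", "GE1/0/3", 100, client, "10.10.10.66"),  # rogue server on an access port
        DhcpMsg("DISCOVER", "GE1/0/1", 100, client),
        DhcpMsg("OFFER", "GE1/0/2", 100, client, "10.10.10.50"),
        DhcpMsg("REQUEST", "GE1/0/1", 100, client),
        DhcpMsg("ACK", "GE1/0/2", 100, client, "10.10.10.50"),
    ]
    dhcp_results = [sw.handle_dhcp(m) for m in dhcp]
    arp = [
        ArpPkt("GE1/0/1", 100, "10.10.10.50", client),  # matches the dynamic binding
        ArpPkt("GE1/0/3", 100, "10.10.10.50", client),  # same claim from another port
        ArpPkt("GE1/0/3", 100, "10.10.10.50", rogue),   # bound IP with attacker's MAC
        ArpPkt("GE1/0/3", 100, "10.10.10.1", rogue),    # static binding: ip + vlan only
    ]
    arp_results = [sw.check_arp(p) for p in arp]
    relaxed = [sw.check_arp(p, check=("ip", "vlan")) for p in arp]   # weaker comparison
    return dhcp_results, arp_results, relaxed


if __name__ == "__main__":
    print(demo())
```

The last ARP packet is permitted even with the full comparison because the static binding, like the user-bind command in this section, names only an IP address and a VLAN; binding the MAC address and interface as well closes that gap for hosts with static addresses.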
12.8 Configuring ARP Gateway Anti-Collision
If an attacker sends ARP packets whose source IP address is the IP address of the gateway on
the LAN, the ARP entries on hosts in the LAN record the attacker's MAC address as the
gateway's. As a result, all traffic from those hosts to the gateway is sent to the attacker, who
can intercept user information, and communication is interrupted.
To prevent bogus gateway attacks, enable ARP gateway anti-collision on the gateway. The
gateway considers that a gateway collision occurs when a received ARP packet meets either
of the following conditions:
l The source IP address in the ARP packet is the same as the IP address of the VLANIF
interface matching the inbound interface of the packet.
l The source IP address in the ARP packet is the virtual IP address of the inbound
interface but the source MAC address in the ARP packet is not the virtual MAC address
of the Virtual Router Redundancy Protocol (VRRP) group.
The device then generates an ARP anti-collision entry and, for a specified period, discards
received ARP packets with the same source MAC address and VLAN ID. This prevents ARP
packets carrying the bogus gateway address from being broadcast in the VLAN.
# Enable the ARP gateway anti-collision function on the gateway device. By default, the ARP
gateway anti-collision function is disabled.
<HUAWEI> system-view
[HUAWEI] arp anti-attack gateway-duplicate enable
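The following script is an added example and not part of the Huawei guide. It models the two collision conditions described above and the suppression that follows: a received ARP packet whose sender IP is the VLANIF address of the inbound VLAN, or whose sender IP is the VRRP virtual IP while the sender MAC is not the VRRP virtual MAC, creates an anti-collision entry, and further ARP packets from that sender MAC in that VLAN are discarded until the entry expires. The 180 s window is an assumption (the guide only says "a specified period"); addresses and MAC addresses are constructed sample data.

```python
"""Model the ARP gateway anti-collision check described in 12.8.

Added example, not from the Huawei guide. A gateway inspects every ARP packet
received on a VLAN: if the sender IP equals the VLANIF address of the inbound
interface, or equals the VRRP virtual IP while the sender MAC is not the VRRP
virtual MAC, a collision entry is created and further ARP packets from that
sender MAC in that VLAN are discarded for a while. The 180 s window is an
assumption (the guide only says "a specified period"); addresses and MACs are
constructed sample data.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple


@dataclass
class Vlanif:
    vlan: int
    ip: str                           # VLANIF interface address
    vrrp_vip: Optional[str] = None    # VRRP virtual IP, if a group is configured
    vrrp_vmac: Optional[str] = None   # VRRP virtual MAC of that group


@dataclass
class ArpPkt:
    vlan: int
    sender_ip: str
    sender_mac: str


@dataclass
class GatewayAntiCollision:
    interfaces: Dict[int, Vlanif]                       # VLAN ID -> VLANIF
    block_seconds: int = 180                            # assumed suppression window
    blocked: Dict[Tuple[str, int], float] = field(default_factory=dict)  # (mac, vlan) -> expiry

    def is_collision(self, pkt: ArpPkt) -> bool:
        vif = self.interfaces.get(pkt.vlan)
        if vif is None:
            return False
        if pkt.sender_ip == vif.ip:
            return True                                 # condition 1: claims the VLANIF address
        if vif.vrrp_vip and pkt.sender_ip == vif.vrrp_vip:
            return pkt.sender_mac.lower() != (vif.vrrp_vmac or "").lower()  # condition 2
        return False

    def handle(self, pkt: ArpPkt, now: float) -> str:
        """'discard' while an anti-collision entry is active, 'collision' when one is
        created by this packet, otherwise 'accept'."""
        key = (pkt.sender_mac.lower(), pkt.vlan)
        expiry = self.blocked.get(key)
        if expiry is not None and now < expiry:
            return "discard"
        self.blocked.pop(key, None)                     # entry aged out
        if self.is_collision(pkt):
            self.blocked[key] = now + self.block_seconds
            return "collision"                          # entry created, packet not broadcast
        return "accept"


def demo():
    gw = GatewayAntiCollision({100: Vlanif(100, "10.1.1.1", "10.1.1.254", "0000-5e00-0101")})
    attacker, host, master = "dead-beef-0001", "00e0-0987-7895", "0000-5e00-0101"
    return [
        gw.handle(ArpPkt(100, "10.1.1.20", host), 0),          # normal host
        gw.handle(ArpPkt(100, "10.1.1.1", attacker), 1),       # bogus gateway: condition 1
        gw.handle(ArpPkt(100, "10.1.1.77", attacker), 2),      # same MAC inside the window
        gw.handle(ArpPkt(100, "10.1.1.254", master), 3),       # VRRP master with virtual MAC
        gw.handle(ArpPkt(100, "10.1.1.254", attacker), 200),   # window over; condition 2
        gw.handle(ArpPkt(200, "10.1.1.1", attacker), 201),     # no VLANIF for VLAN 200
    ]


if __name__ == "__main__":
    print(demo())
```

The suppression key is the sender MAC plus VLAN, not the IP address, so an attacker who has already collided is silenced even when their later packets carry a harmless sender IP; that is the behaviour to expect when reading the anti-collision entries on the switch.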
13 Common ACL Operations
About This Chapter
This chapter describes common ACL operations, including how to delete time ranges, how to
delete ACL and ACL6, and how to configure time-based ACL.
13.1 Deleting a Time Range
13.2 Deleting ACL and ACL6
13.3 Configuring a Time-Based ACL Rule
13.4 Configuring a Packet Filtering Rule Based on the Source IP Address (Host Address)
13.5 Configuring a Packet Filtering Rule Based on the Source IP Address Segment
13.6 Configuring a Packet Filtering Rule Based on the IP Fragment Information and Source
IP Address Segment
13.7 Configuring a Packet Filtering Rule for ICMP Protocol Packets Based on Source IP
Address (Host Address) and Destination IP Address Segment
13.8 Configuring a Packet Filtering Rule for TCP Protocol Packets Based on TCP Destination
Port Number, Source IP Address (Host Address), and Destination IP Address Segment
13.9 Configuring a Packet Filtering Rule for TCP Packets Based on the Source IP Address
Segment and TCP Flags
13.10 Configuring Packet Filtering Rules Based on the Source MAC Address, Destination
MAC Address, and Layer 2 Protocol Types
13.11 Configuring a Packet Filtering Rule Based on the Source MAC Address Segment and
Inner VLAN IDs
13.12 Configuring Packet Filtering Rules Based on Layer 2 Headers, Offsets, Character String
Masks, and User-Defined Character Strings
13.1 Deleting a Time Range
Before deleting a time range, you must delete the ACL rules associated with the time range or
delete the ACL to which the ACL rules belong.
For example, ACL 2001 contains rule 5 and is associated with time range time1.
#
time-range time1 from 00:00 2014/1/1 to 23:59 2014/12/31
#
acl number 2001
 rule 5 permit time-range time1
#
Before deleting time1, delete rule 5 or ACL 2001.
l Delete rule 5, and then time1.
<HUAWEI> system-view
[HUAWEI] acl 2001
[HUAWEI-acl-basic-2001] undo rule 5
[HUAWEI-acl-basic-2001] quit
[HUAWEI] undo time-range time1
l Delete ACL 2001, and then time1.
<HUAWEI> system-view
[HUAWEI] undo acl 2001
[HUAWEI] undo time-range time1
13.2 Deleting ACL and ACL6
You do not need to delete the service configurations before using these commands to delete an
ACL or ACL6. These commands delete an ACL or ACL6 regardless of whether it is applied to a
service module, so check which traffic policies or services reference the ACL before deleting
it: once the ACL is gone, the filtering or rate limiting that referenced it has no rules left to match.
l To delete an ACL, run the undo acl { [ number ] acl-number | all } or undo acl name
acl-name command in the system view.
l To delete an ACL6, run the undo acl ipv6 { all | [ number ] acl6-number } or undo acl
ipv6 name acl6-name command in the system view.
13.3 Configuring a Time-Based ACL Rule
Create a time range working-time (for example, 8:00-18:00 on Monday through Friday) and
configure a rule in ACL work-acl. The rule rejects the packets from network segment
192.168.1.0/24 within the set working-time. The time range is evaluated against the switch's
system clock, so keep the clock correct (for example, with NTP); otherwise the rule takes
effect at the wrong times.
<HUAWEI> system-view
[HUAWEI] time-range working-time 8:00 to 18:00 working-day
[HUAWEI] acl name work-acl basic
[HUAWEI-acl-basic-work-acl] rule deny source 192.168.1.0 0.0.0.255 time-range working-time
Related Information
Support Community
l Basic Knowledge About ACL
l ACL Matching
l ACL Application
13.4 Configuring a Packet Filtering Rule Based on the Source IP Address (Host Address)
To allow the packets from a host to pass, add a rule to an ACL. For example, to allow packets
from host 192.168.1.3 to pass, create the following rule in ACL 2001.
<HUAWEI> system-view
[HUAWEI] acl 2001
[HUAWEI-acl-basic-2001] rule permit source 192.168.1.3 0
Related Information
Support Community
l Basic Knowledge About ACL
l ACL Matching
l ACL Application
13.5 Configuring a Packet Filtering Rule Based on the Source IP Address Segment
To allow the packets from a host to pass and reject the packets from other hosts on the same
network segment, configure rules in an ACL. For example, to allow the packets from host
192.168.1.3 to pass and reject the packets from other hosts on network segment
192.168.1.0/24, configure the following rules in ACL 2001 and set the description of ACL
2001 to Permit only 192.168.1.3 through.
<HUAWEI> system-view
[HUAWEI] acl 2001
[HUAWEI-acl-basic-2001] rule permit source 192.168.1.3 0
[HUAWEI-acl-basic-2001] rule deny source 192.168.1.0 0.0.0.255
[HUAWEI-acl-basic-2001] description Permit only 192.168.1.3 through
Related Information
Support Community
l Basic Knowledge About ACL
l ACL Matching
l ACL Application
13.6 Configuring a Packet Filtering Rule Based on the IP Fragment Information and Source IP Address Segment
To reject the non-initial fragments from a network segment, configure a rule in an ACL. For
example, to reject the non-initial fragments from network segment 192.168.1.0/24, configure
the following rule in ACL 2001.
<HUAWEI> system-view
[HUAWEI] acl 2001
[HUAWEI-acl-basic-2001] rule deny source 192.168.1.0 0.0.0.255 fragment
Related Information
Support Community
l Basic Knowledge About ACL
l ACL Matching
l ACL Application
13.7 Configuring a Packet Filtering Rule for ICMP Protocol Packets Based on Source IP Address (Host Address) and Destination IP Address Segment
To allow the ICMP packets from a host that are destined for a network segment to pass,
configure a rule in an ACL. For example, to allow the ICMP packets from host 192.168.1.3
that are destined for network segment 192.168.2.0/24 to pass, configure the following rule in
ACL 3001.
<HUAWEI> system-view
[HUAWEI] acl 3001
[HUAWEI-acl-adv-3001] rule permit icmp source 192.168.1.3 0 destination 192.168.2.0 0.0.0.255
Related Information
Support Community
l Basic Knowledge About ACL
l ACL Matching
l ACL Application
13.8 Configuring a Packet Filtering Rule for TCP Protocol Packets Based on TCP Destination Port Number, Source IP Address (Host Address), and Destination IP Address Segment
l To prohibit Telnet connections between the specified host and the hosts on a network
segment, configure a rule in an advanced ACL. For example, to prohibit Telnet
connections between host 192.168.1.3 and hosts on network segment 192.168.2.0/24,
configure the following rule in the advanced ACL deny-telnet.
<HUAWEI> system-view
[HUAWEI] acl name deny-telnet
[HUAWEI-acl-adv-deny-telnet] rule deny tcp destination-port eq telnet source 192.168.1.3 0 destination 192.168.2.0 0.0.0.255
l To prohibit the specified hosts from accessing web pages (HTTP is used to access web
pages, and the TCP port number is 80), configure rules in an advanced ACL. For example,
to prohibit hosts 192.168.1.3 and 192.168.1.4 from accessing web pages, configure the
following rules in ACL no-web and set the description for the ACL to Web access
restrictions.
<HUAWEI> system-view
[HUAWEI] acl name no-web
[HUAWEI-acl-adv-no-web] description Web access restrictions
[HUAWEI-acl-adv-no-web] rule deny tcp destination-port eq 80 source 192.168.1.3 0
[HUAWEI-acl-adv-no-web] rule deny tcp destination-port eq 80 source 192.168.1.4 0
Related Information
Support Community
l Basic Knowledge About ACL
l ACL Matching
l ACL Application
13.9 Configuring a Packet Filtering Rule for TCP Packets Based on the Source IP Address Segment and TCP Flags
To implement unidirectional access control on a network segment, configure rules in an ACL.
For example, to implement unidirectional access control on network segment 192.168.2.0/24,
configure the following rules in ACL 3002. In the following rules, the hosts on
192.168.2.0/24 can only respond to TCP handshake packets, but cannot send TCP handshake
packets. Set the descriptions of the ACL rules to Allow the ACK TCP packets through, Allow
the RST TCP packets through, and Do not Allow the other TCP packet through.
To meet the preceding requirement, configure two permit rules to allow the packets with the
ACK or RST flag set from 192.168.2.0/24 to pass, and then configure a deny rule to reject
other TCP packets from this network segment.
<HUAWEI> system-view
[HUAWEI] acl 3002
[HUAWEI-acl-adv-3002] rule permit tcp source 192.168.2.0 0.0.0.255 tcp-flag ack
[HUAWEI-acl-adv-3002] display this // If you do not specify an ID for a created rule, you can view the rule ID allocated by the system, and configure a description for the rule by specifying the rule ID.
#
acl number 3002
 rule 5 permit tcp source 192.168.2.0 0.0.0.255 tcp-flag ack // The rule ID allocated by the system is 5.
#
return
[HUAWEI-acl-adv-3002] rule 5 description Allow the ACK TCP packets through
[HUAWEI-acl-adv-3002] rule permit tcp source 192.168.2.0 0.0.0.255 tcp-flag rst
[HUAWEI-acl-adv-3002] display this
#
acl number 3002
 rule 5 permit tcp source 192.168.2.0 0.0.0.255 tcp-flag ack
 rule 5 description Allow the ACK TCP packets through
 rule 10 permit tcp source 192.168.2.0 0.0.0.255 tcp-flag rst // The rule ID allocated by the system is 10.
#
return
[HUAWEI-acl-adv-3002] rule 10 description Allow the RST TCP packets through
[HUAWEI-acl-adv-3002] rule deny tcp source 192.168.2.0 0.0.0.255
[HUAWEI-acl-adv-3002] display this
#
acl number 3002
 rule 5 permit tcp source 192.168.2.0 0.0.0.255 tcp-flag ack
 rule 5 description Allow the ACK TCP packets through
 rule 10 permit tcp source 192.168.2.0 0.0.0.255 tcp-flag rst
 rule 10 description Allow the RST TCP packets through
 rule 15 deny tcp source 192.168.2.0 0.0.0.255 // The rule ID allocated by the system is 15.
#
return
[HUAWEI-acl-adv-3002] rule 15 description Do not Allow the other TCP packet through
Related Information
Support Community
l Basic Knowledge About ACL
l ACL Matching
l ACL Application
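The rule sets in 13.4 to 13.9 all rely on the same three mechanics: wildcard masks (a 0 bit must match, a 1 bit is ignored), rule IDs allocated in steps of 5 with the lowest ID tried first, and TCP flag matching. The following Python evaluator is an added example, not code from the guide or from Huawei; it re-implements those mechanics for the rule syntax used in this chapter so the ACLs above can be tested against constructed packets offline. It assumes config match order (ascending rule ID, first match wins), treats a packet that matches no rule as unmatched, and ignores time ranges.

```python
"""Offline evaluator for the basic/advanced ACL rules used in 13.4 to 13.9.
Added example, not code from the guide. Assumed semantics: rules are tried in
ascending rule-ID order (config match order), the first match decides, and a
packet matching no rule yields (None, None). Time ranges are ignored here."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

TCP_FLAG_BITS = {"fin": 0x01, "syn": 0x02, "rst": 0x04, "psh": 0x08, "ack": 0x10, "urg": 0x20}
PROTOCOLS = {"ip": None, "icmp": 1, "tcp": 6, "udp": 17}
PORT_NAMES = {"telnet": 23, "www": 80, "smtp": 25, "pop3": 110}   # names accepted after "eq"
ANY = ("0.0.0.0", "255.255.255.255")


def to_int(addr: str) -> int:
    # Dotted quad, or the bare "0" wildcard shorthand the guide uses for an exact host match.
    return int(addr) if addr.isdigit() else int(ipaddress.IPv4Address(addr))


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    # Wildcard mask: a 0 bit must match, a 1 bit is "don't care" (0.0.0.255 covers a /24).
    care = ~to_int(wildcard) & 0xFFFFFFFF
    return (to_int(addr) & care) == (to_int(base) & care)


@dataclass
class Packet:
    src: str
    dst: str = "0.0.0.0"
    proto: Optional[int] = None        # IP protocol number: 1 = ICMP, 6 = TCP
    dport: int = 0
    tcp_flags: int = 0                 # bitmask built from TCP_FLAG_BITS
    non_initial_fragment: bool = False


@dataclass
class Rule:
    rule_id: int
    action: str                        # "permit" or "deny"
    proto: Optional[int] = None        # None = any protocol (basic ACL or "ip")
    src: Tuple[str, str] = ANY
    dst: Tuple[str, str] = ANY
    dport: Optional[int] = None
    tcp_flags: int = 0                 # every listed flag must be set in the packet
    fragment: bool = False             # "fragment" keyword: non-initial fragments only

    def matches(self, p: Packet) -> bool:
        return ((self.proto is None or p.proto == self.proto)
                and wildcard_match(p.src, *self.src) and wildcard_match(p.dst, *self.dst)
                and (self.dport is None or p.dport == self.dport)
                and (p.tcp_flags & self.tcp_flags) == self.tcp_flags
                and (not self.fragment or p.non_initial_fragment))


def parse_rule(text: str, next_id: int) -> Rule:
    """Parse the subset of 'rule' syntax used in this chapter (ports: 'eq' only)."""
    tok = text.split()
    i, rule_id = 1, next_id
    if tok[i].isdigit():
        rule_id, i = int(tok[i]), i + 1
    rule, i = Rule(rule_id, tok[i]), i + 1
    if i < len(tok) and tok[i] in PROTOCOLS:
        rule.proto, i = PROTOCOLS[tok[i]], i + 1
    while i < len(tok):
        kw = tok[i]
        if kw in ("source", "destination"):
            setattr(rule, {"source": "src", "destination": "dst"}[kw], (tok[i + 1], tok[i + 2]))
            i += 3
        elif kw == "destination-port":
            rule.dport = PORT_NAMES.get(tok[i + 2]) or int(tok[i + 2])
            i += 3
        elif kw == "tcp-flag":
            i += 1
            while i < len(tok) and tok[i] in TCP_FLAG_BITS:
                rule.tcp_flags, i = rule.tcp_flags | TCP_FLAG_BITS[tok[i]], i + 1
        elif kw == "fragment":
            rule.fragment, i = True, i + 1
        elif kw == "time-range":
            i += 2
        else:
            raise ValueError("unsupported keyword: " + kw)
    return rule


class Acl:
    """Rules given without a number get IDs in steps of 5 (5, 10, 15, ...), as in the displays above."""

    def __init__(self, lines: List[str], step: int = 5):
        self.rules: List[Rule] = []
        for line in lines:
            next_id = (max((r.rule_id for r in self.rules), default=0) // step + 1) * step
            self.rules.append(parse_rule(line, next_id))

    def evaluate(self, p: Packet):
        for rule in sorted(self.rules, key=lambda r: r.rule_id):
            if rule.matches(p):
                return rule.action, rule.rule_id
        return None, None


# Constructed rule sets, copied from the commands in 13.5, 13.8 and 13.9.
ACL_2001 = Acl(["rule permit source 192.168.1.3 0",
                "rule deny source 192.168.1.0 0.0.0.255"])
ACL_DENY_TELNET = Acl(["rule deny tcp destination-port eq telnet source 192.168.1.3 0 "
                       "destination 192.168.2.0 0.0.0.255"])
ACL_3002 = Acl(["rule permit tcp source 192.168.2.0 0.0.0.255 tcp-flag ack",
                "rule permit tcp source 192.168.2.0 0.0.0.255 tcp-flag rst",
                "rule deny tcp source 192.168.2.0 0.0.0.255"])
```

Running ACL 3002 over constructed packets shows what "unidirectional access control" means here: a SYN (flags 0x02) from 192.168.2.7 hits rule 15 and is denied, a SYN-ACK (0x12) from the same host hits rule 5 and is permitted, and a SYN from 10.0.0.1 matches nothing. The filter is stateless: any packet from the segment with ACK set is permitted whether or not a connection exists, so this blocks the segment from initiating handshakes but does not replace a stateful firewall.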
13.10 Configuring Packet Filtering Rules Based on the Source MAC Address, Destination MAC Address, and Layer 2 Protocol Types
l To allow the ARP packets with the specified destination and source MAC addresses and
Layer 2 protocol type to pass, configure a rule in a Layer 2 ACL. For example, to allow
the ARP packets with destination MAC address 0000-0000-0001, source MAC address
0000-0000-0002, and Layer 2 protocol type 0x0806 to pass, configure the following rule
in ACL 4001.
<HUAWEI> system-view
[HUAWEI] acl 4001
[HUAWEI-acl-L2-4001] rule permit destination-mac 0000-0000-0001 source-mac 0000-0000-0002 l2-protocol 0x0806
l To reject the PPPoE packets with the specified Layer 2 protocol type, configure a rule in
a Layer 2 ACL. To reject the PPPoE packets with Layer 2 protocol type 0x8863,
configure the following rule in ACL 4001.
<HUAWEI> system-view
[HUAWEI] acl 4001
[HUAWEI-acl-L2-4001] rule deny l2-protocol 0x8863
Related Information
Support Community
l Basic Knowledge About ACL
l ACL Matching
l ACL Application
13.11 Configuring a Packet Filtering Rule Based on the Source MAC Address Segment and Inner VLAN IDs
To reject the packets from the specified MAC address segments in a VLAN, configure a rule
in a Layer 2 ACL. For example, to reject the packets from source MAC address segment
00e0-fc01-0000 to 00e0-fc01-ffff in VLAN 10, configure the following rule in Layer 2 ACL
deny-vlan10-mac.
<HUAWEI> system-view
[HUAWEI] acl name deny-vlan10-mac link
[HUAWEI-acl-L2-deny-vlan10-mac] rule deny vlan-id 10 source-mac 00e0-fc01-0000 ffff-ffff-0000
Related Information
Support Community
l Basic Knowledge About ACL
l ACL Matching
l ACL Application
13.12 Configuring Packet Filtering Rules Based on Layer 2 Headers, Offsets, Character String Masks, and User-Defined Character Strings
l To reject the ARP packets from the specified host, configure a rule in a user-defined
ACL. For example, to reject the ARP packets from host 192.168.0.2, configure the
following rule in ACL 5001.
In the following rule, each operand group is a value, a mask, and an offset. The switch reads
the 4 bytes at the offset, ANDs them with the mask, and compares the result with the value:
– 0x00000806 indicates the ARP protocol (frame type 0x0806).
– 0x0000ffff is the character string mask.
– 10 is the offset of the 4-byte window that contains the frame type field of an ARP packet
(without VLAN tag). The frame type occupies bytes 12 and 13 of the Layer 2 header, which
are the lower two bytes of the window starting at offset 10; hence the mask 0x0000ffff.
– c0a80002 is the hexadecimal format of 192.168.0.2.
– 26 and 30 are the offsets of the windows that match the higher and lower two bytes of the
source IP address in an ARP packet (without VLAN tag). The source IP address starts at
offset 28 from the beginning of the Layer 2 header (counting from 0) and occupies 4 bytes.
A Layer 2 header offset in a user-defined ACL must be 4n+2 (n is an integer), so the
address is matched in two halves: the lower two bytes of the window at offset 26 (4 x 6 +
2) hold the higher two bytes of the address, and the higher two bytes of the window at
offset 30 (4 x 7 + 2) hold the lower two bytes of the address.
To filter ARP packets that carry a VLAN tag, add 4 to each of the preceding offsets; a rule
written for untagged frames does not match tagged ones.
Figure 13-1 Source IP address field offset in Layer 2 header of an ARP packet
(Figure: the Ethernet header occupies bytes 0-13 (destination address, source address, frame type); the ARP header follows with hardware type, protocol type, hardware length, protocol length, OP, sender Ethernet address (bytes 22-27), sender IP address (bytes 28-31), target Ethernet address and target IP address. Byte marks at 4, 24, 28, 32 and 40; the 4n+2 windows shown are 4x0+2 = 2, 4x6+2 = 26 and 4x7+2 = 30.)
<HUAWEI> system-view
[HUAWEI] acl 5001
[HUAWEI-acl-user-5001] rule deny l2-head 0x00000806 0x0000ffff 10 0x0000c0a8 0x0000ffff 26 0x00020000 0xffff0000 30
l To reject all TCP packets, configure a rule in user-defined ACL deny-tcp.
In the following rule:
– 0x00060000 indicates the TCP protocol (protocol number 6).
– 8 is the offset of the 4-byte window in the IPv4 header that contains the protocol field.
The protocol field is the 10th byte of the IPv4 header (offset 9) and occupies one byte.
An IPv4 header offset in a user-defined ACL must be 4n (n is an integer), so the rule
matches the second byte of the window starting at offset 8, which is why the value is
placed in the second byte and the mask is 0x00ff0000.
<HUAWEI> system-view
[HUAWEI] acl name deny-tcp user
[HUAWEI-acl-user-deny-tcp] rule 5 deny ipv4-head 0x00060000 0x00ff0000 8
Figure 13-2 TCP protocol field offset in IPv4 header
(Figure: IPv4 header laid out in 4-byte words: version, header length, ToS, total length (bytes 0-3); identifier, flags, fragment offset (bytes 4-7); TTL, protocol, header checksum (bytes 8-11, protocol at byte 9); source IP address (bytes 12-15); destination IP address; options (variable length); data from byte 20.)
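The two user-defined rules above are easy to get wrong by one window, so the following Python helper is added here (it is not code from the guide or from Huawei) to derive the value/mask/offset triples from a source IP address and to check them against constructed frames. It assumes the matching semantics described in 13.12: each triple selects the 4 bytes at the given offset from the start of the Layer 2 header (l2-head) or IPv4 header (ipv4-head), read as a big-endian word, ANDed with the mask and compared with the value, with l2-head offsets restricted to 4n+2 and ipv4-head offsets to 4n. The frames and the IPv4 header it tests against are constructed inline, not captured traffic.

```python
"""Compute and check user-defined ACL operands (l2-head / ipv4-head) from 13.12.
Added example, not code from the guide. Assumed semantics: for each
(value, mask, offset) triple the switch reads the 4 bytes at `offset` from the
start of the Layer 2 header (l2-head) or the IPv4 header (ipv4-head) as a
big-endian word, ANDs it with `mask` and compares the result with `value`;
l2-head offsets must be 4n+2 and ipv4-head offsets 4n."""
import ipaddress
import struct
from typing import List, Tuple

Operand = Tuple[int, int, int]            # (value, mask, offset)
ETHERTYPE_ARP, ETHERTYPE_VLAN = 0x0806, 0x8100
ETH_HDR_LEN, VLAN_TAG_LEN = 14, 4


def window(buf: bytes, offset: int) -> int:
    """Big-endian 32-bit word at byte `offset`, zero-padded past the end of the buffer."""
    return struct.unpack("!I", buf[offset:offset + 4].ljust(4, b"\0"))[0]


def match_operands(buf: bytes, operands: List[Operand]) -> bool:
    return all((window(buf, off) & mask) == (value & mask) for value, mask, off in operands)


def arp_sender_ip_operands(ip: str, vlan_tagged: bool = False) -> List[Operand]:
    """Operands matching ARP frames whose sender IP is `ip` (the 26/30 split from the guide)."""
    shift = VLAN_TAG_LEN if vlan_tagged else 0
    ip_int = int(ipaddress.IPv4Address(ip))
    ethertype_off = 10 + shift                    # window 10..13: EtherType in its low 2 bytes
    sender_ip_off = ETH_HDR_LEN + shift + 8 + 6   # hw/proto type, lengths, op (8) + sender MAC (6)
    ops = [(ETHERTYPE_ARP, 0x0000FFFF, ethertype_off),
           (ip_int >> 16, 0x0000FFFF, sender_ip_off - 2),            # high half, low bytes at 26
           ((ip_int & 0xFFFF) << 16, 0xFFFF0000, sender_ip_off + 2)]  # low half, high bytes at 30
    assert all(off % 4 == 2 for _, _, off in ops), "l2-head offsets must be 4n+2"
    return ops


def ipv4_protocol_operands(proto: int) -> List[Operand]:
    """Protocol is byte 9 of the IPv4 header: the second byte of the 4n-aligned window at 8."""
    return [(proto << 16, 0x00FF0000, 8)]


def user_defined_rule(action: str, header: str, operands: List[Operand], rule_id=None) -> str:
    """Render the CLI form, e.g. 'rule deny l2-head 0x00000806 0x0000ffff 10 ...'."""
    body = " ".join("0x%08x 0x%08x %d" % op for op in operands)
    num = "" if rule_id is None else "%d " % rule_id
    return "rule %s%s %s %s" % (num, action, header, body)


# Constructed test data (not captured traffic).
def arp_frame(sender_mac: bytes, sender_ip: str, target_ip: str, vlan=None) -> bytes:
    eth = b"\xff" * 6 + sender_mac
    if vlan is not None:
        eth += struct.pack("!HH", ETHERTYPE_VLAN, vlan)
    eth += struct.pack("!H", ETHERTYPE_ARP)
    arp = (struct.pack("!HHBBH", 1, 0x0800, 6, 4, 1) + sender_mac
           + ipaddress.IPv4Address(sender_ip).packed + b"\0" * 6
           + ipaddress.IPv4Address(target_ip).packed)
    return eth + arp


def ipv4_header(proto: int, src: str = "10.0.0.1", dst: str = "10.0.0.2") -> bytes:
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0x4000, 64, proto, 0,
                       ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)


MAC = bytes.fromhex("00e0fc010002")   # constructed sender MAC
```

`user_defined_rule("deny", "l2-head", arp_sender_ip_operands("192.168.0.2"))` reproduces the ACL 5001 rule exactly, and `arp_sender_ip_operands("192.168.0.2", vlan_tagged=True)` moves the windows to 14, 30 and 34. The check against a VLAN-tagged frame with the untagged operands fails on the first window (it sees 0x8100 instead of 0x0806), which is the case the guide's closing sentence about adding 4 to each offset is warning about.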
Related Information
Support Community
l Basic Knowledge About ACL
l ACL Matching
l ACL Application
14 Common QoS Operations
About This Chapter
This chapter describes common QoS and MQC operations, including interface-based rate
limiting.
14.1 Configuring Interface-based Rate Limiting on the S7700/S9700
14.2 Configuring Interface-based Rate Limiting on the S2700/S5700/S6700
14.3 Deleting the Interface-based Rate Limiting Configuration on the S7700/S9700
14.4 Deleting the Interface-based Rate Limiting Configuration on the S2700/S5700/S6700
14.5 Using a Traffic Policy to Limit the Rate of Packets
14.6 Using a Traffic Policy to Filter Packets
14.7 Configuring Traffic Statistics in a Traffic Policy
14.1 Configuring Interface-based Rate Limiting on the S7700/S9700
Configuring Interface-based Rate Limiting in the Inbound Direction
Configure a QoS CAR profile named qoscar1, specify the rate limit in the QoS profile, and
apply the profile to GE1/0/1.
<HUAWEI> system-view
[HUAWEI] qos car qoscar1 cir 10000 cbs 10240
[HUAWEI] interface gigabitethernet 1/0/1
[HUAWEI-GigabitEthernet1/0/1] qos car inbound qoscar1
Configuring Interface-based Rate Limiting in the Outbound Direction
Run the qos lr cir cir-value [ cbs cbs-value ] [ outbound ] command in the interface view to
limit the rate of traffic passing through the interface.
(Optional) Configuring the Inter-frame Gap and Preamble
In V200R005C00 and later versions, you can configure whether the switch counts the inter-frame
gap and preamble of packets when calculating the rate limit on an interface. By default, the
switch counts the inter-frame gap and preamble. Run either of the following commands in the
system view to exclude them from the rate limit calculation and improve rate limit accuracy.
l Inbound: qos-car exclude-interframe
l Outbound: qos-shaping exclude-interframe
14.2 Configuring Interface-based Rate Limiting on the S2700/S5700/S6700
Configuring Interface-based Rate Limiting in the Inbound Direction
Run the qos lr inbound cir cir-value [ cbs cbs-value ] command in the interface view to limit
the rate of traffic passing through the interface.
Configuring Interface-based Rate Limiting in the Outbound Direction
Run the qos lr outbound cir cir-value [ cbs cbs-value ] command in the interface view to
limit the rate of traffic passing through the interface.
(Optional) Configuring the Inter-frame Gap and Preamble
In V200R005C00 and later versions, you can configure whether the switch counts the inter-frame
gap and preamble of packets when calculating the rate limit on an interface. By default, the
switch counts the inter-frame gap and preamble. Run either of the following commands in the
system view to exclude them from the rate limit calculation and improve rate limit accuracy.
l Inbound: qos-car exclude-interframe
l Outbound: qos-shaping exclude-interframe
14.3 Deleting the Interface-based Rate Limiting Configuration on the S7700/S9700
Deleting the Interface-based Rate Limiting Configuration in the Inbound Direction
Unbind the QoS CAR profile qoscar1 from GE1/0/1 and delete the profile.
[HUAWEI] interface gigabitethernet 1/0/1
[HUAWEI-GigabitEthernet1/0/1] undo qos car inbound
[HUAWEI-GigabitEthernet1/0/1] quit
[HUAWEI] undo qos car qoscar1
Deleting the Interface-based Rate Limiting Configuration in the Outbound Direction
Run the undo qos lr [ outbound ] command in the interface view to delete the interface-
based rate limiting configuration.
14.4 Deleting the Interface-based Rate Limiting
Configuration on the S2700/S5700/S6700
Deleting the Interface-based Rate Limiting Configuration in the Inbound Direction
Run the undo qos lr inbound command in the interface view to delete the interface-based
rate limiting configuration.
Deleting the Interface-based Rate Limiting Configuration in the Outbound Direction
Run the undo qos lr outbound command in the interface view to delete the interface-based
rate limiting configuration.
14.5 Using a Traffic Policy to Limit the Rate of Packets
Limiting the Traffic Rate Based on IP Addresses
Set the rate limit of packets from the PC at 192.168.1.10 to 4 Mbit/s.
<HUAWEI> system-view
[HUAWEI] acl 2000
[HUAWEI-acl-basic-2000] rule permit source 192.168.1.10 0.0.0.0
[HUAWEI-acl-basic-2000] quit
[HUAWEI] traffic classifier c1
[HUAWEI-classifier-c1] if-match acl 2000
[HUAWEI-classifier-c1] quit
[HUAWEI] traffic behavior b1
[HUAWEI-behavior-b1] car cir 4096
[HUAWEI-behavior-b1] quit
[HUAWEI] traffic policy p1
[HUAWEI-trafficpolicy-p1] classifier c1 behavior b1
[HUAWEI-trafficpolicy-p1] quit
[HUAWEI] interface gigabitethernet 1/0/1
[HUAWEI-GigabitEthernet1/0/1] traffic-policy p1 inbound
Limiting the Rate of Packets from Devices on a Network Segment
Set the rate limit of packets from devices on the network segment of 192.168.1.0 to 50 Mbit/s.
<HUAWEI> system-view
[HUAWEI] acl 2000
[HUAWEI-acl-basic-2000] rule permit source 192.168.1.0 0.0.0.255
[HUAWEI-acl-basic-2000] quit
[HUAWEI] traffic classifier c1
[HUAWEI-classifier-c1] if-match acl 2000
[HUAWEI-classifier-c1] quit
[HUAWEI] traffic behavior b1
[HUAWEI-behavior-b1] car cir 51200
[HUAWEI-behavior-b1] quit
[HUAWEI] traffic policy p1
[HUAWEI-trafficpolicy-p1] classifier c1 behavior b1
[HUAWEI-trafficpolicy-p1] quit
[HUAWEI] interface gigabitethernet 1/0/1
[HUAWEI-GigabitEthernet1/0/1] traffic-policy p1 inbound
Limiting the Traffic Rate Based on IP Addresses and Protocols
Set the rate limit of HTTP traffic (port 80) from devices on the network segment of
192.168.1.0 to 10 Mbit/s.
<HUAWEI> system-view
[HUAWEI] acl 3000
[HUAWEI-acl-adv-3000] rule permit tcp destination-port eq 80 source 192.168.1.0 0.0.0.255
[HUAWEI-acl-adv-3000] quit
[HUAWEI] traffic classifier c1
[HUAWEI-classifier-c1] if-match acl 3000
[HUAWEI-classifier-c1] quit
[HUAWEI] traffic behavior b1
[HUAWEI-behavior-b1] car cir 10240
[HUAWEI-behavior-b1] quit
[HUAWEI] traffic policy p1
[HUAWEI-trafficpolicy-p1] classifier c1 behavior b1
[HUAWEI-trafficpolicy-p1] quit
[HUAWEI] interface gigabitethernet 1/0/1
[HUAWEI-GigabitEthernet1/0/1] traffic-policy p1 inbound
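What `car cir 4096` actually does to a flow is easier to see with a token-bucket model than from the command alone. The following Python policer is an added example, not code from the guide or from Huawei. It assumes the single-rate token-bucket semantics that CAR is documented with elsewhere: cir in kbit/s (1 kbit = 1000 bit), cbs in bytes as in `qos car qoscar1 cir 10000 cbs 10240` (the traffic-behavior examples above do not set cbs, so 10240 bytes is assumed here), a bucket that starts full, and a packet that conforms only if the bucket holds its whole length, otherwise it is dropped. The optional overhead parameter models the default accounting of the 8-byte preamble and 12-byte inter-frame gap that `qos-car exclude-interframe` switches off; the packet traces are constructed, not captured.

```python
"""Single-rate token bucket modelling the `car cir ... cbs ...` policer used in 14.5.
Added example, not code from the guide. Assumptions: cir is in kbit/s (1 kbit =
1000 bit) and cbs in bytes, as in `qos car qoscar1 cir 10000 cbs 10240`; the
bucket starts full; a packet conforms only if the bucket holds its whole length
(plus any accounted preamble/inter-frame gap), otherwise it is dropped, the
default CAR action. Timestamps are integer microseconds so token arithmetic is exact."""
from typing import Iterable, List, Tuple

PREAMBLE_AND_IFG = 8 + 12   # bytes counted per frame by default; qos-car exclude-interframe turns this off


class Car:
    def __init__(self, cir_kbps: int, cbs_bytes: int, overhead_bytes: int = 0):
        self.rate_bytes_per_s = cir_kbps * 1000 // 8
        self.cbs_bytes = cbs_bytes
        self.overhead_bytes = overhead_bytes
        self.tokens = cbs_bytes            # bucket starts full: one burst of up to cbs bytes is free
        self.last_us = 0
        self.passed = self.dropped = 0

    def offer(self, t_us: int, length: int) -> bool:
        """Police one packet of `length` bytes arriving at `t_us`; True if it conforms."""
        # Refill at cir for the time elapsed since the previous packet (integer bytes), capped at cbs.
        refill = (t_us - self.last_us) * self.rate_bytes_per_s // 1_000_000
        self.tokens = min(self.cbs_bytes, self.tokens + refill)
        self.last_us = t_us
        need = length + self.overhead_bytes
        if self.tokens >= need:
            self.tokens -= need
            self.passed += 1
            return True
        self.dropped += 1                  # non-conforming: dropped, bucket untouched
        return False


def police(cir_kbps: int, cbs_bytes: int, packets: Iterable[Tuple[int, int]],
           overhead_bytes: int = 0) -> Tuple[int, int]:
    """Run an (arrival_us, length) trace through one policer; returns (passed, dropped)."""
    car = Car(cir_kbps, cbs_bytes, overhead_bytes)
    for t_us, length in packets:
        car.offer(t_us, length)
    return car.passed, car.dropped


def constant_stream(length: int, interval_us: int, count: int) -> List[Tuple[int, int]]:
    """Constructed trace: `count` packets of `length` bytes, one every `interval_us`."""
    return [(i * interval_us, length) for i in range(count)]


if __name__ == "__main__":
    # car cir 4096 = 512 000 byte/s, so 512-byte packets every 1 ms sit exactly at cir.
    print(police(4096, 10240, constant_stream(512, 1000, 1000)))    # (1000, 0)
    print(police(4096, 10240, constant_stream(1024, 1000, 1000)))   # (509, 491)
    print(police(4096, 10240, [(0, 512)] * 21))                     # (20, 1)
```

At exactly cir every packet passes; at twice cir the first 19 packets of 1024 bytes ride on the initial cbs credit and then roughly every second packet is dropped, which is the "burst then half rate" shape you see when a host exceeds its limit. A burst of 21 packets arriving at once passes only the 20 that fit in cbs. With the default preamble and inter-frame gap accounting the same at-cir stream no longer fits, which is the accuracy issue the `exclude-interframe` commands address.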
14.6 Using a Traffic Policy to Filter Packets
Preventing a Specified Device from Accessing a Network
Prevent the PC at 192.168.1.10 from accessing the network.
<HUAWEI> system-view
[HUAWEI] acl 2000
[HUAWEI-acl-basic-2000] rule deny source 192.168.1.10 0.0.0.0
[HUAWEI-acl-basic-2000] quit
[HUAWEI] traffic classifier c1
[HUAWEI-classifier-c1] if-match acl 2000
[HUAWEI-classifier-c1] quit
[HUAWEI] traffic behavior b1
[HUAWEI-behavior-b1] deny
[HUAWEI-behavior-b1] quit
[HUAWEI] traffic policy p1
[HUAWEI-trafficpolicy-p1] classifier c1 behavior b1
[HUAWEI-trafficpolicy-p1] quit
[HUAWEI] interface gigabitethernet 1/0/1
[HUAWEI-GigabitEthernet1/0/1] traffic-policy p1 inbound
Preventing All Devices on a Network Segment from Accessing a Network
Prevent all devices on the network segment of 192.168.1.0 from accessing a network.
<HUAWEI> system-view
[HUAWEI] acl 2000
[HUAWEI-acl-basic-2000] rule deny source 192.168.1.0 0.0.0.255
[HUAWEI-acl-basic-2000] quit
[HUAWEI] traffic classifier c1
[HUAWEI-classifier-c1] if-match acl 2000
[HUAWEI-classifier-c1] quit
[HUAWEI] traffic behavior b1
[HUAWEI-behavior-b1] deny
[HUAWEI-behavior-b1] quit
[HUAWEI] traffic policy p1
[HUAWEI-trafficpolicy-p1] classifier c1 behavior b1
[HUAWEI-trafficpolicy-p1] quit
[HUAWEI] interface gigabitethernet 1/0/1
[HUAWEI-GigabitEthernet1/0/1] traffic-policy p1 inbound
Filtering Packets of Specified Protocols
l Prevent SMTP packets with TCP destination port 25.
l Prevent POP3 packets with TCP destination port 110.
l Prevent HTTP packets with TCP destination port 80.
<HUAWEI> system-view
[HUAWEI] acl 3000
[HUAWEI-acl-adv-3000] rule deny tcp destination-port eq 25
[HUAWEI-acl-adv-3000] rule deny tcp destination-port eq 110
[HUAWEI-acl-adv-3000] rule deny tcp destination-port eq 80
[HUAWEI-acl-adv-3000] quit
[HUAWEI] traffic classifier c1
[HUAWEI-classifier-c1] if-match acl 3000
[HUAWEI-classifier-c1] quit
[HUAWEI] traffic behavior b1
[HUAWEI-behavior-b1] deny
[HUAWEI-behavior-b1] quit
[HUAWEI] traffic policy p1
[HUAWEI-trafficpolicy-p1] classifier c1 behavior b1
[HUAWEI-trafficpolicy-p1] quit
[HUAWEI] interface gigabitethernet 1/0/1
[HUAWEI-GigabitEthernet1/0/1] traffic-policy p1 inbound
14.7 Configuring Traffic Statistics in a Traffic Policy
Configuring the Switch to Collect Traffic Statistics About a Specified Host
Configure the switch to collect statistics on packets with the source MAC address of 0000-0000-0003.
<HUAWEI> system-view
[HUAWEI] acl 4000
[HUAWEI-acl-L2-4000] rule permit source-mac 0000-0000-0003 ffff-ffff-ffff
[HUAWEI-acl-L2-4000] quit
[HUAWEI] traffic classifier c1
[HUAWEI-classifier-c1] if-match acl 4000
[HUAWEI-classifier-c1] quit
[HUAWEI] traffic behavior b1
[HUAWEI-behavior-b1] statistic enable
[HUAWEI-behavior-b1] quit
[HUAWEI] traffic policy p1
[HUAWEI-trafficpolicy-p1] classifier c1 behavior b1
[HUAWEI-trafficpolicy-p1] quit
[HUAWEI] interface gigabitethernet 1/0/1
[HUAWEI-GigabitEthernet1/0/1] traffic-policy p1 inbound
[HUAWEI-GigabitEthernet1/0/1] traffic-policy p1 outbound
Configuring the Switch to Collect Statistics on ICMP Packets
Configure the switch to collect statistics on ICMP packets exchanged between 192.168.1.1 and 192.168.2.1 in both directions.
<HUAWEI> system-view
[HUAWEI] acl 3000
[HUAWEI-acl-adv-3000] rule 0 permit icmp source 192.168.1.1 0 destination 192.168.2.1 0
[HUAWEI-acl-adv-3000] rule 5 permit icmp source 192.168.2.1 0 destination 192.168.1.1 0
[HUAWEI-acl-adv-3000] quit
[HUAWEI] traffic classifier c1
[HUAWEI-classifier-c1] if-match acl 3000
[HUAWEI-classifier-c1] quit
[HUAWEI] traffic behavior b1
[HUAWEI-behavior-b1] statistic enable
[HUAWEI-behavior-b1] quit
[HUAWEI] traffic policy p1
[HUAWEI-trafficpolicy-p1] classifier c1 behavior b1
[HUAWEI-trafficpolicy-p1] quit
[HUAWEI] interface gigabitethernet 1/0/1
[HUAWEI-GigabitEthernet1/0/1] traffic-policy p1 inbound
[HUAWEI-GigabitEthernet1/0/1] traffic-policy p1 outbound
Configuring the Switch to Collect Statistics on ARP Packets
Configure the switch to collect statistics on ARP Request and Reply packets.
<HUAWEI> system-view
[HUAWEI] traffic classifier arp-request
[HUAWEI-classifier-arp-request] if-match l2-protocol arp
[HUAWEI-classifier-arp-request] if-match source-mac 1111-1111-1111
[HUAWEI-classifier-arp-request] if-match destination-mac ffff-ffff-ffff
[HUAWEI-classifier-arp-request] quit
[HUAWEI] traffic classifier arp-reply
[HUAWEI-classifier-arp-reply] if-match l2-protocol arp
[HUAWEI-classifier-arp-reply] if-match source-mac 2222-2222-2222
[HUAWEI-classifier-arp-reply] if-match destination-mac 1111-1111-1111
[HUAWEI-classifier-arp-reply] quit
[HUAWEI] traffic behavior b1
[HUAWEI-behavior-b1] statistic enable
[HUAWEI-behavior-b1] quit
[HUAWEI] traffic policy arp-request
[HUAWEI-trafficpolicy-arp-request] classifier arp-request behavior b1
[HUAWEI-trafficpolicy-arp-request] quit
[HUAWEI] traffic policy arp-reply
[HUAWEI-trafficpolicy-arp-reply] classifier arp-reply behavior b1
[HUAWEI-trafficpolicy-arp-reply] quit
[HUAWEI] interface gigabitethernet 1/0/1
[HUAWEI-GigabitEthernet1/0/1] traffic-policy arp-request inbound
[HUAWEI-GigabitEthernet1/0/1] traffic-policy arp-reply outbound
Checking Packet Statistics
After traffic statistics are enabled in a traffic policy, run the following command to view packet
statistics.
# Display statistics on incoming packets matching the traffic policy that has been applied to the interface.
<HUAWEI> display traffic policy statistics interface gigabitethernet 1/0/1 inbound verbose rule-base
Interface: GigabitEthernet1/0/1
Traffic policy inbound: arp-request
Rule number: 1
Current status: success
Statistics interval: 300
---------------------------------------------------------------------
Classifier: arp-request operator and
Behavior: b1
 if-match l2-protocol arp
 if-match source-mac 1111-1111-1111
 if-match destination-mac ffff-ffff-ffff
Board : 0
---------------------------------------------------------------------
 Passed  | Packets:   0
         | Bytes:     0
         | Rate(pps): 0
         | Rate(bps): 0
---------------------------------------------------------------------
 Dropped | Packets:   0
         | Bytes:     0
         | Rate(pps): 0
         | Rate(bps): 0
---------------------------------------------------------------------
NOTE
SA cards of S series do not support byte-based traffic statistics. The information is displayed as -.
15 Common IPSG Operations
About This Chapter
This chapter describes the common IPSG operations.
15.1 Configuring IPSG Based on a Static Binding Table
15.2 Configuring IPSG Based on DHCP Snooping Dynamic Binding Table
15.3 Deleting Static Binding Entries
15.1 Configuring IPSG Based on a Static Binding Table
IPSG based on a static binding table filters IP packets received by untrusted interfaces, to
prevent malicious hosts from stealing authorized hosts' IP addresses to access the network
without permission. IPSG based on a static binding table is applicable to a LAN where a
small number of hosts reside and the hosts use static IP addresses. The configuration
procedure is as follows:
1. Run the user-bind static { { { ip-address | ipv6-address } { start-ip [ to end-ip ] }
&<1-10> | ipv6-prefix prefix/prefix-length } | mac-address mac-address } * [ interface
interface-type interface-number ] [ vlan vlan-id [ ce-vlan ce-vlan-id ] ] command in the
system view to configure a static binding entry.
NOTE
IPSG matches packets against all options in the static binding entry. Ensure that the created
binding entry is correct and contains all the options to check. The device forwards the packets
from hosts only when the packets match all options in the binding entry, and discards the packets
not matching the binding entry.
The device can bind multiple IP addresses or IP address segments to the same interface or MAC
address.
• If you need to bind discontinuous IP addresses, enter 1-10 IP addresses in start-ip. For
example, you can run user-bind static ip-address 192.168.1.2 192.168.1.5 192.168.1.12
interface gigabitethernet 1/0/1 to bind multiple IP addresses to the same interface.
• If you need to bind continuous IP addresses, enter 1-10 IP address segments in start-ip to
end-ip. When the keyword to is used, the IP address segments cannot overlap. For example,
you can run user-bind static ip-address 172.16.1.1 to 172.16.1.4 mac-address
0001-0001-0001 to bind multiple IP addresses to the same MAC address.
2. Run the ip source check user-bind enable command in the interface or VLAN view to
enable IPSG.
– Enabling IPSG on an interface: IPSG checks all packets received by the interface
against the binding entry. Choose this method if you need to check IP packets on
the specified interfaces and trust other interfaces. In addition, this method is
convenient if an interface belongs to multiple VLANs because you do not need to
enable IPSG in each VLAN.
– Enabling IPSG in a VLAN: IPSG checks the packets received by all interfaces in
the VLAN against the binding entry. Choose this method if you need to check IP
packets in the specified VLANs and trust other VLANs. In addition, this method is
convenient if multiple interfaces belong to the same VLAN because you do not
need to enable IPSG on each interface.
The following example shows how to configure IPSG based on the static binding table:
# Create a static binding entry (source IP address 192.168.1.1 and source MAC address
0003-0003-0003) and enable IPSG on GE1/0/1.
<HUAWEI> system-view
[HUAWEI] user-bind static ip-address 192.168.1.1 mac-address 0003-0003-0003
[HUAWEI] interface gigabitethernet 1/0/1
[HUAWEI-GigabitEthernet1/0/1] ip source check user-bind enable
# Create a static binding entry (source IP address 192.168.2.1, source MAC address
0002-0002-0002, interface GE1/0/1, and VLAN 10) and enable IPSG in VLAN 10.
<HUAWEI> system-view
[HUAWEI] user-bind static ip-address 192.168.2.1 mac-address 0002-0002-0002 interface gigabitethernet 1/0/1 vlan 10
[HUAWEI] vlan 10
[HUAWEI-vlan10] ip source check user-bind enable
15.2 Configuring IPSG Based on DHCP Snooping Dynamic Binding Table
IPSG based on a DHCP snooping dynamic binding table filters IP packets received by
untrusted interfaces, to prevent malicious hosts from stealing authorized hosts' IP addresses to
access the network without permission. IPSG based on a dynamic binding table is applicable
to the LAN where a large number of hosts reside and the hosts obtain IP addresses through
DHCP. The configuration procedure is as follows:
1. Configure DHCP snooping so that a DHCP snooping dynamic binding table is
generated.
a. Run the dhcp enable command in the system view to enable DHCP globally.
b. Run the dhcp snooping enable command in the system view to enable DHCP
snooping globally.
c. Run the dhcp snooping enable command in the interface or VLAN view to enable
DHCP snooping on the interface or in the VLAN.
d. Run the dhcp snooping trusted command in the interface view or the dhcp
snooping trusted interface interface-type interface-number command in the
VLAN view to configure a trusted interface.
The device directly forwards the IP packets received by the trusted interface
without checking them against the binding entry.
2. Run the ip source check user-bind enable command in the interface or VLAN view to
enable IPSG.
The following example shows how to configure IPSG based on DHCP snooping dynamic
binding table:
# Configure DHCP snooping, specify GE1/0/1 as a trusted interface, and enable IPSG on
GE1/0/2.
<HUAWEI> system-view
[HUAWEI] dhcp enable
[HUAWEI] dhcp snooping enable
[HUAWEI] interface gigabitethernet 1/0/1
[HUAWEI-GigabitEthernet1/0/1] dhcp snooping trusted
[HUAWEI-GigabitEthernet1/0/1] quit
[HUAWEI] interface gigabitethernet 1/0/2
[HUAWEI-GigabitEthernet1/0/2] dhcp snooping enable
[HUAWEI-GigabitEthernet1/0/2] ip source check user-bind enable
# Configure DHCP snooping, specify GE1/0/1 as a trusted interface, and enable IPSG in
VLAN 10.
<HUAWEI> system-view
[HUAWEI] vlan batch 10
[HUAWEI] interface gigabitethernet 1/0/1
[HUAWEI-GigabitEthernet1/0/1] port link-type trunk
[HUAWEI-GigabitEthernet1/0/1] port trunk allow-pass vlan 10
[HUAWEI-GigabitEthernet1/0/1] quit
[HUAWEI] dhcp enable
[HUAWEI] dhcp snooping enable
[HUAWEI] vlan 10
[HUAWEI-vlan10] dhcp snooping enable
[HUAWEI-vlan10] dhcp snooping trusted interface gigabitethernet 1/0/1
[HUAWEI-vlan10] ip source check user-bind enable
15.3 Deleting Static Binding Entries
If a binding entry is incorrect or the network rights of a bound host have been changed, you
can run the undo user-bind static [ { { ip-address | ipv6-address } { start-ip [ to end-ip ] }
&<1-10> | ipv6-prefix prefix/prefix-length } | mac-address mac-address | interface
interface-type interface-number | vlan vlan-id [ ce-vlan ce-vlan-id ] ] * command to delete the
entry.
• When you delete a binding entry, the parameters specified in the undo command must be
the same as the corresponding parameters in the binding entry; otherwise, the entry
cannot be deleted.
• Binding entries can be deleted in a batch, for example:
– Run the undo user-bind static command to delete all binding entries.
– Run the undo user-bind static interface gigabitethernet 1/0/1 command to delete
all entries on the specified interface GE1/0/1.
– Run the undo user-bind static vlan 10 command to delete all entries in VLAN 10.
The following example shows how to delete a static binding entry:
Run the display dhcp static user-bind all command to view all static binding entries on the
device.
<HUAWEI> display dhcp static user-bind all
DHCP static Bind-table:
Flags:O - outer vlan ,I - inner vlan ,P - Vlan-mapping
IP Address       MAC Address     VSI/VLAN(O/I/P)  Interface
--------------------------------------------------------------------------------
192.168.1.1      0001-0001-0001  -- /-- /--       --
192.168.1.2      0002-0002-0002  -- /-- /--       GE1/0/2
192.168.2.1      --              -- /-- /--       GE1/0/1
192.168.2.2      --              -- /-- /--       GE1/0/1
192.168.2.3      --              -- /-- /--       GE1/0/1
192.168.3.1      0004-0004-0004  10 /-- /--       --
192.168.3.2      0005-0005-0005  10 /-- /--       --
--------------------------------------------------------------------------------
Print count:           7          Total count:           7
# Delete the static binding entry of IP address 192.168.1.1.
<HUAWEI> system-view
[HUAWEI] undo user-bind static ip-address 192.168.1.1 mac-address 0001-0001-0001
# Delete the static binding entry of IP address 192.168.1.2.
<HUAWEI> system-view
[HUAWEI] undo user-bind static ip-address 192.168.1.2 mac-address 0002-0002-0002 interface gigabitethernet 1/0/2
# Delete all static binding entries on GE1/0/1.
<HUAWEI> system-view
[HUAWEI] undo user-bind static interface gigabitethernet 1/0/1
# Delete all static binding entries in VLAN 10.
<HUAWEI> system-view
[HUAWEI] undo user-bind static vlan 10
After the preceding steps are performed in sequence, all binding entries are deleted.
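The binding-table rules of sections 15.1 to 15.3 (an entry is matched on every option it carries, packets on DHCP snooping trusted interfaces are not checked, and an undo must name the entry's own parameter values) as an added Python model. This is example code written for this edition, not code from the guide or from Huawei; the uplink name GE1/0/24, the DHCP client data and all packets are constructed, and treating parameters omitted from an undo as wildcards is this model's assumption, not a statement from the guide.

```python
"""IPSG binding-table model for sections 15.1 to 15.3 (added example, not Huawei code).

Rules modelled from the guide: a static entry carries 1-10 addresses or
non-overlapping segments plus an optional MAC, interface and VLAN; a packet
on a checked port is forwarded only if every option an entry carries
matches; entries learned by DHCP snooping are checked the same way, while
packets arriving on DHCP snooping trusted interfaces are not checked; an
undo must name the entry's own parameter values. Assumptions of this model:
parameters omitted from an undo act as wildcards, and a dynamic entry is
taken straight from the DHCP ACK fields. All names, addresses and packets
are constructed samples.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import Optional, Tuple


@dataclass(frozen=True)
class Binding:
    ips: Tuple[Tuple[IPv4Address, IPv4Address], ...]   # (start-ip, end-ip) segments
    mac: Optional[str] = None                           # xxxx-xxxx-xxxx, or None if not bound
    interface: Optional[str] = None                     # e.g. "GE1/0/1", or None
    vlan: Optional[int] = None

    def matches(self, src_ip: str, src_mac: str, interface: str, vlan: int) -> bool:
        """Options absent from the entry are not checked; every present option must match."""
        ip = IPv4Address(src_ip)
        return (any(lo <= ip <= hi for lo, hi in self.ips)
                and (self.mac is None or self.mac == src_mac)
                and (self.interface is None or self.interface == interface)
                and (self.vlan is None or self.vlan == vlan))


def parse_ip_spec(spec: str) -> Tuple[Tuple[IPv4Address, IPv4Address], ...]:
    """'192.168.1.2 192.168.1.5' -> two addresses; '172.16.1.1 to 172.16.1.4' -> one segment."""
    tokens, segments, i = spec.split(), [], 0
    while i < len(tokens):
        lo = IPv4Address(tokens[i])
        if i + 2 < len(tokens) and tokens[i + 1] == "to":
            hi, i = IPv4Address(tokens[i + 2]), i + 3
        else:
            hi, i = lo, i + 1
        if hi < lo:
            raise ValueError(f"end-ip {hi} is below start-ip {lo}")
        segments.append((lo, hi))
    if not 1 <= len(segments) <= 10:
        raise ValueError("specify 1-10 IP addresses or segments")
    segments.sort()
    if any(nxt[0] <= cur[1] for cur, nxt in zip(segments, segments[1:])):
        raise ValueError("IP address segments must not overlap")
    return tuple(segments)


class IPSGTable:
    def __init__(self):
        self.static, self.dynamic, self.trusted = [], [], set()

    def user_bind_static(self, ip_spec, mac=None, interface=None, vlan=None):
        self.static.append(Binding(parse_ip_spec(ip_spec), mac, interface, vlan))

    def learn_from_dhcp_ack(self, yiaddr, chaddr, interface, vlan):
        """DHCP snooping records the leased address, client MAC, port and VLAN of an ACK."""
        ip = IPv4Address(yiaddr)
        self.dynamic.append(Binding(((ip, ip),), chaddr, interface, vlan))

    def undo_user_bind_static(self, ip_spec=None, mac=None, interface=None, vlan=None) -> int:
        """Delete static entries equal to every parameter given; returns the number deleted."""
        want = parse_ip_spec(ip_spec) if ip_spec else None
        hit = lambda b: ((want is None or b.ips == want) and (mac is None or b.mac == mac)
                         and (interface is None or b.interface == interface)
                         and (vlan is None or b.vlan == vlan))
        keep = [b for b in self.static if not hit(b)]
        deleted, self.static = len(self.static) - len(keep), keep
        return deleted

    def check(self, src_ip, src_mac, interface, vlan) -> str:
        """Decision for one IP packet on an interface or VLAN where IPSG is enabled."""
        if interface in self.trusted:          # dhcp snooping trusted: forwarded without a check
            return "forward-unchecked"
        entries = self.static + self.dynamic
        return "forward" if any(b.matches(src_ip, src_mac, interface, vlan) for b in entries) else "drop"


def demo() -> dict:
    t = IPSGTable()
    t.user_bind_static("192.168.1.1", mac="0003-0003-0003")                     # as in 15.1
    t.user_bind_static("192.168.2.1", mac="0002-0002-0002", interface="GE1/0/1", vlan=10)
    t.user_bind_static("172.16.1.1 to 172.16.1.4", mac="0001-0001-0001")
    t.trusted.add("GE1/0/24")                                                    # constructed uplink
    t.learn_from_dhcp_ack("10.0.0.5", "000a-000a-000a", "GE1/0/2", 10)           # constructed client
    try:
        parse_ip_spec("10.1.1.1 to 10.1.1.9 10.1.1.5 to 10.1.1.6")
        overlap_rejected = False
    except ValueError:
        overlap_rejected = True
    return {
        "legit": t.check("192.168.1.1", "0003-0003-0003", "GE1/0/5", 1),        # forward
        "spoofed_ip": t.check("192.168.1.1", "0003-0003-0004", "GE1/0/5", 1),   # drop: MAC differs
        "in_segment": t.check("172.16.1.3", "0001-0001-0001", "GE1/0/7", 1),    # forward
        "past_segment": t.check("172.16.1.5", "0001-0001-0001", "GE1/0/7", 1),  # drop
        "wrong_vlan": t.check("192.168.2.1", "0002-0002-0002", "GE1/0/1", 20),  # drop
        "dhcp_client": t.check("10.0.0.5", "000a-000a-000a", "GE1/0/2", 10),    # forward
        "trusted": t.check("10.9.9.9", "ffff-ffff-ffff", "GE1/0/24", 10),       # forward-unchecked
        "undo_wrong_mac": t.undo_user_bind_static("192.168.1.1", mac="0000-0000-0000"),  # 0
        "undo_exact": t.undo_user_bind_static("192.168.1.1", mac="0003-0003-0003"),      # 1
        "undo_by_interface": t.undo_user_bind_static(interface="GE1/0/1"),               # 1
        "overlap_rejected": overlap_rejected,                                            # True
    }
```

Call demo() to see the decisions. The spoofed_ip case is the one IPSG exists for: the frame carries an authorized host's IP address but a different source MAC, so no entry matches on every option and the packet is dropped; the undo_wrong_mac case shows why a deletion with a mistyped parameter silently removes nothing.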
16 Common AAA Operations
About This Chapter
This chapter describes common AAA operations.
16.1 Configuring Authentication for Telnet Login Users (AAA Local Authentication)
16.2 Setting the User Level
16.3 Configuring the Global Default Domain
16.1 Configuring Authentication for Telnet Login Users (AAA Local Authentication)
The authentication mode must be specified on the device; otherwise, users cannot log in to the
device through Telnet. The device supports non-authentication, password authentication, and
AAA authentication, of which AAA authentication is the most secure.
To authenticate the Telnet users through AAA, enable the Telnet service on the device, set the
authentication mode of the user interface (for example, VTY) to aaa, create a local account in
the AAA view, and set the user access type and user level.
<HUAWEI> system-view
[HUAWEI] telnet server enable //Enable the Telnet service.
[HUAWEI] user-interface maximum-vty 15 //Set the maximum number of VTY login users to 15.
[HUAWEI] user-interface vty 0 14 //Enter the user interface view of VTY 0 to VTY 14.
[HUAWEI-ui-vty0-14] authentication-mode aaa //Set the VTY authentication mode to AAA.
[HUAWEI-ui-vty0-14] protocol inbound telnet //By default, switches running V200R006 and earlier versions support Telnet, and switches running V200R007 and later versions support SSH.
[HUAWEI-ui-vty0-14] quit
[HUAWEI] aaa
[HUAWEI-aaa] local-user user1 password irreversible-cipher Huawei@1234 //Create the local user user1 and set the password. The password is displayed in cipher text in the configuration file, so remember the password. If you forget the password, run this command again to overwrite the old configuration.
[HUAWEI-aaa] local-user user1 service-type telnet //Set the access type of user1 to Telnet. This user can only log in to the device through Telnet.
[HUAWEI-aaa] local-user user1 privilege level 15 //Set the user level of user1 to 15. After login, the user can run the commands at level 0-15.
[HUAWEI-aaa] quit
16.2 Setting the User Level
A user level matches a certain command level. After logging in to the device, a user can run
only the commands whose levels are the same as or lower than the user level. For
example, a user at level 2 can run only the commands at levels 0, 1, and 2.
When AAA local authentication is used, set the user level on the device. If the user level is
not set, the login users are at level 0 (visit level), and can use only the commands at level 0,
such as network diagnostic commands ping and tracert.
To allow the users to use commands of higher levels, such as monitoring, configuration, or
management level, the users must have higher user levels.
If AAA local authentication is used, you have the following methods to set the user level. The
user level set in the first method has the highest priority and the user level set in the last
method has the lowest priority.
• Set the user level for a specified user.
<HUAWEI> system-view
[HUAWEI] aaa
[HUAWEI-aaa] local-user user1 privilege level 15 //Set the user level of user1 to 15.
• Set the user level for all users in a domain.
<HUAWEI> system-view
[HUAWEI] aaa
[HUAWEI-aaa] service-scheme sch1
[HUAWEI-aaa-service-sch1] admin-user privilege level 15 //Set the user levels of all users in a domain to 15.
• Set the user level for all users logging in through the same user interface (such as VTY
user interface).
<HUAWEI> system-view
[HUAWEI] user-interface maximum-vty 15
[HUAWEI] user-interface vty 0 14
[HUAWEI-ui-vty0-14] user privilege level 15 //Set the user level in VTY 0-VTY 14 to 15.
16.3 Configuring the Global Default Domain
The administrator plans to authenticate the users of a department in the domain huawei. The
user name supplied for authentication never contains a domain name (for example, the user
name is zhangsan). In this case, the access device cannot send the user name to the AAA
server configured in the domain huawei, and the user therefore fails authentication.
To solve the problem, configure huawei as the global default domain.
<HUAWEI> system-view
[HUAWEI] aaa
[HUAWEI-aaa] domain huawei
[HUAWEI-aaa-domain-huawei] quit
[HUAWEI-aaa] quit
[HUAWEI] domain huawei
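The level precedence of section 16.2 (per-user level, then the domain's service scheme, then the user interface) and the default-domain rule of section 16.3, as an added Python model. This is example code written for this edition, not code from the guide or from Huawei; the accounts, the domain names, the command-level table and the default domain name "default" are constructed assumptions.

```python
"""AAA local user level and default-domain resolution, sections 16.2 and 16.3.

Added example, not code from the guide or from Huawei. It models the rules
stated there for local authentication: a login name without '@domain' is
placed in the global default domain; the user level comes, in priority
order, from the local user's own 'privilege level', then the 'admin-user
privilege level' of the domain's service scheme, then the user-interface
(VTY) level, and is 0 (visit level) when none is set; a command runs only
when its level is not higher than the user level. Account data, the domain
names and the command-level table are constructed samples (the guide names
the visit, monitoring, configuration and management tiers but not these
assignments); the default domain name 'default' is an assumption.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple


@dataclass
class AaaConfig:
    default_domain: str = "default"                                        # set by '[HUAWEI] domain huawei'
    local_users: Dict[str, Optional[int]] = field(default_factory=dict)    # user -> own level or None
    scheme_level: Dict[str, Optional[int]] = field(default_factory=dict)   # domain -> scheme level or None
    vty_level: Optional[int] = None                                        # 'user privilege level' on the VTY


# Constructed sample command levels: 0 visit, 1 monitoring, 2 configuration, 3 management.
COMMAND_LEVELS = {
    "ping": 0, "tracert": 0,
    "display interface": 1, "display version": 1,
    "interface": 2, "vlan": 2,
    "save": 3, "local-user": 3,
}


def split_domain(login_name: str, cfg: AaaConfig) -> Tuple[str, str]:
    """'zhangsan@huawei' -> ('zhangsan', 'huawei'); a bare name gets the default domain."""
    if "@" in login_name:
        user, domain = login_name.rsplit("@", 1)
        return user, domain
    return login_name, cfg.default_domain


def effective_level(login_name: str, cfg: AaaConfig) -> Optional[int]:
    """User level after precedence; None when the local account does not exist."""
    user, domain = split_domain(login_name, cfg)
    if user not in cfg.local_users:
        return None
    for level in (cfg.local_users[user], cfg.scheme_level.get(domain), cfg.vty_level):
        if level is not None:
            return level
    return 0


def can_run(command: str, user_level: int) -> bool:
    """Longest matching command prefix decides the command level; unknown commands are refused."""
    best: Optional[Tuple[str, int]] = None
    for prefix, level in COMMAND_LEVELS.items():
        if (command == prefix or command.startswith(prefix + " ")) and (best is None or len(prefix) > len(best[0])):
            best = (prefix, level)
    return best is not None and best[1] <= user_level


def demo() -> dict:
    cfg = AaaConfig(default_domain="huawei",
                    local_users={"user1": 15, "zhangsan": None, "ops": None},
                    scheme_level={"huawei": 3},
                    vty_level=1)
    bare = AaaConfig(local_users={"guest": None})          # nothing configured anywhere
    return {
        "user1": effective_level("user1", cfg),            # 15: the user's own level wins
        "zhangsan": effective_level("zhangsan", cfg),      # 3: default domain huawei, scheme level
        "ops_other": effective_level("ops@other", cfg),    # 1: domain other has no scheme, VTY level
        "unknown": effective_level("nobody", cfg),         # None: no such local user
        "guest_default": effective_level("guest", bare),   # 0: visit level
        "zhangsan_domain": split_domain("zhangsan", cfg)[1],  # "huawei"
    }
```

The ops@other case is the practical point of the precedence rule: an account whose level is not set inherits whatever the VTY line grants, so a broad user privilege level on the VTY quietly raises every such account.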
17 Common NAC Operations
About This Chapter
This chapter describes common NAC operations.
17.1 Configuring MAC Address Bypass Authentication
17.2 Configuring the Guest VLAN Function
17.3 Configuring Layer 2 Transparent Transmission of 802.1x Authentication Packets
17.1 Configuring MAC Address Bypass Authentication
When there are PCs and a few dumb terminals (such as printers) on a network, you can
configure 802.1x authentication and MAC address bypass authentication so that the dumb
terminals can also connect to the 802.1x authentication network. For example, when many
PCs and some dumb terminals are connected to the interfaces GE1/0/1 and GE1/0/5, you can
enable 802.1x authentication and MAC address bypass authentication on the interfaces so that
the PCs and dumb terminals can connect to the network.
NOTE
In the V200R005C00 and later versions, only the common NAC mode supports MAC address bypass
authentication.
• Batch configure multiple interfaces in the system view:
<HUAWEI> system-view
[HUAWEI] dot1x enable
[HUAWEI] dot1x enable interface gigabitethernet 1/0/1 gigabitethernet 1/0/5
[HUAWEI] dot1x mac-bypass interface gigabitethernet 1/0/1 gigabitethernet 1/0/5
• Configure each interface in the interface view:
<HUAWEI> system-view
[HUAWEI] dot1x enable
[HUAWEI] interface gigabitethernet 1/0/1
[HUAWEI-GigabitEthernet1/0/1] dot1x enable
[HUAWEI-GigabitEthernet1/0/1] dot1x mac-bypass
[HUAWEI-GigabitEthernet1/0/1] quit
[HUAWEI] interface gigabitethernet 1/0/5
[HUAWEI-GigabitEthernet1/0/5] dot1x enable
[HUAWEI-GigabitEthernet1/0/5] dot1x mac-bypass
17.2 Configuring the Guest VLAN Function
You can configure the guest VLAN function to let users access some network resources
without authentication, for example to download client software, upgrade clients, and
update the virus library. In the following example, the guest VLAN function is configured on
GE1/0/1 and GE1/0/5 so that the users on the two interfaces can update the virus library in
real time. Assume that the virus library server is located in VLAN 10.
NOTE
In the V200R005C00 and later versions, only the common NAC mode supports the guest VLAN function.
• Batch configure multiple interfaces in the system view:
<HUAWEI> system-view
[HUAWEI] dot1x enable
[HUAWEI] dot1x enable interface gigabitethernet 1/0/1 gigabitethernet 1/0/5
[HUAWEI] authentication guest-vlan 10 interface gigabitethernet 1/0/1 gigabitethernet 1/0/5
• Configure each interface in the interface view:
<HUAWEI> system-view
[HUAWEI] dot1x enable
[HUAWEI] interface gigabitethernet 1/0/1
[HUAWEI-GigabitEthernet1/0/1] dot1x enable
[HUAWEI-GigabitEthernet1/0/1] authentication guest-vlan 10
[HUAWEI-GigabitEthernet1/0/1] quit
[HUAWEI] interface gigabitethernet 1/0/5
[HUAWEI-GigabitEthernet1/0/5] dot1x enable
[HUAWEI-GigabitEthernet1/0/5] authentication guest-vlan 10
17.3 Configuring Layer 2 Transparent Transmission of 802.1x Authentication Packets
The EAP packet in 802.1x authentication is a bridge protocol data unit (BPDU). By default,
Huawei switches do not perform Layer 2 forwarding for BPDUs. If a Layer 2 switch exists
between the 802.1x-enabled device and a user, Layer 2 transparent transmission must be
configured on that switch. Otherwise, the EAP packets sent by the user cannot reach the
authentication device and the user cannot pass authentication.
Figure 17-1 Configuring Layer 2 transparent transmission of 802.1x authentication packets (figure not reproduced; its labels are: Switch (802.1x authentication), two Users, LAN Switch with interfaces GE0/0/1, GE0/0/2 and GE0/0/3, RADIUS Server, Intranet)
As shown in Figure 17-1, a Layer 2 LAN Switch sits between the user and the Switch on
which 802.1x authentication is enabled. To ensure that the user's 802.1x authentication
packets can reach the Switch through the LAN Switch, perform the following configuration
on the LAN Switch (using the S5700HI as an example of the Layer 2 switch).
<HUAWEI> system-view
[HUAWEI] sysname LAN Switch
[LAN Switch] l2protocol-tunnel user-defined-protocol dot1x protocol-mac 0180-c200-0003 group-mac 0100-0000-0002 //group-mac cannot be set to the reserved multicast MAC addresses (from 0180-C200-0000 to 0180-C200-002F) or some other special MAC addresses.
[LAN Switch] interface gigabitethernet 0/0/1 //Connect the Layer 2 switch to the uplink network and configure all interfaces of the users.
[LAN Switch-GigabitEthernet0/0/1] l2protocol-tunnel user-defined-protocol dot1x enable
[LAN Switch-GigabitEthernet0/0/1] bpdu enable
[LAN Switch-GigabitEthernet0/0/1] quit
[LAN Switch] interface gigabitethernet 0/0/2
[LAN Switch-GigabitEthernet0/0/2] l2protocol-tunnel user-defined-protocol dot1x enable
[LAN Switch-GigabitEthernet0/0/2] bpdu enable
[LAN Switch-GigabitEthernet0/0/2] quit
[LAN Switch] interface gigabitethernet 0/0/3
[LAN Switch-GigabitEthernet0/0/3] l2protocol-tunnel user-defined-protocol dot1x enable
[LAN Switch-GigabitEthernet0/0/3] bpdu enable
[LAN Switch-GigabitEthernet0/0/3] quit
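What the protocol-mac/group-mac rewrite above does to an EAPOL frame, as an added Python model. This is example code written for this edition, not code from the guide or from Huawei; the port names, the client MAC, the EAPOL-Start frame and the restore-on-egress behaviour are this model's constructed assumptions, and the only rule taken from the guide is that group-mac must stay outside 0180-C200-0000 to 0180-C200-002F.

```python
"""Layer 2 transparent transmission of 802.1x (EAPOL) frames, section 17.3.

Added example, not code from the guide or from Huawei. It models the effect
of 'l2protocol-tunnel user-defined-protocol dot1x protocol-mac 0180-c200-0003
group-mac 0100-0000-0002' on the LAN Switch: frames sent to the reserved
EAPOL address are not forwarded by a Layer 2 switch, so on a tunnel-enabled
ingress port the destination MAC is rewritten to the group MAC, the frame is
switched like ordinary multicast, and on a tunnel-enabled egress port the
protocol MAC is restored. It also applies the guide's rule that the group MAC
must not lie in the reserved range 0180-c200-0000 to 0180-c200-002f. Port
names, the client MAC and the EAPOL-Start frame are constructed samples; the
egress-restore behaviour on enabled ports is the model's assumption.
"""
from dataclasses import dataclass
from typing import FrozenSet, Optional

RESERVED_LO, RESERVED_HI = 0x0180C2000000, 0x0180C200002F
EAPOL_ETHERTYPE = 0x888E


def mac_to_int(mac: str) -> int:
    """Accepts Huawei 'xxxx-xxxx-xxxx' or 'xx:xx:xx:xx:xx:xx' notation."""
    digits = mac.replace("-", "").replace(":", "").lower()
    if len(digits) != 12 or any(c not in "0123456789abcdef" for c in digits):
        raise ValueError(f"bad MAC address {mac!r}")
    return int(digits, 16)


def int_to_mac(value: int) -> str:
    hexstr = f"{value:012x}"
    return "-".join(hexstr[i:i + 4] for i in (0, 4, 8))


def validate_group_mac(mac: str) -> bool:
    """Must be a multicast address (I/G bit set) outside the reserved BPDU range."""
    value = mac_to_int(mac)
    is_multicast = bool((value >> 40) & 1)
    return is_multicast and not RESERVED_LO <= value <= RESERVED_HI


@dataclass(frozen=True)
class TunnelConfig:
    protocol_mac: str
    group_mac: str
    enabled_ports: FrozenSet[str]   # ports with 'l2protocol-tunnel user-defined-protocol dot1x enable'

    def __post_init__(self):
        if not validate_group_mac(self.group_mac):
            raise ValueError("group-mac must be a non-reserved multicast MAC address")


def ingress(frame: bytes, port: str, cfg: TunnelConfig) -> Optional[bytes]:
    """Frame as it enters the switching fabric, or None if the switch will not forward it."""
    dst = int.from_bytes(frame[:6], "big")
    if dst != mac_to_int(cfg.protocol_mac):
        return frame                                     # not an EAPOL frame: switched normally
    if port not in cfg.enabled_ports:
        return None                                      # BPDU-range frame on a plain port: consumed
    return mac_to_int(cfg.group_mac).to_bytes(6, "big") + frame[6:]


def egress(frame: bytes, port: str, cfg: TunnelConfig) -> bytes:
    """Restore the protocol MAC when a tunnelled frame leaves through an enabled port."""
    dst = int.from_bytes(frame[:6], "big")
    if dst == mac_to_int(cfg.group_mac) and port in cfg.enabled_ports:
        return mac_to_int(cfg.protocol_mac).to_bytes(6, "big") + frame[6:]
    return frame


def build_eapol_start(src_mac: str) -> bytes:
    """Constructed EAPOL-Start: dst 0180-c200-0003, EtherType 0x888E, version 1, type 1, length 0."""
    return (bytes.fromhex("0180c2000003") + mac_to_int(src_mac).to_bytes(6, "big")
            + EAPOL_ETHERTYPE.to_bytes(2, "big") + bytes([0x01, 0x01, 0x00, 0x00]))


def demo() -> dict:
    cfg = TunnelConfig("0180-c200-0003", "0100-0000-0002", frozenset({"GE0/0/1", "GE0/0/2", "GE0/0/3"}))
    start = build_eapol_start("00e0-fc12-3456")          # constructed client MAC
    inside = ingress(start, "GE0/0/2", cfg)              # user-facing port: destination rewritten
    try:
        TunnelConfig("0180-c200-0003", "0180-c200-0010", frozenset())
        reserved_rejected = False
    except ValueError:
        reserved_rejected = True
    return {
        "tunneled_dst": int_to_mac(int.from_bytes(inside[:6], "big")),      # "0100-0000-0002"
        "payload_intact": inside[6:] == start[6:],                           # True
        "restored_on_uplink": egress(inside, "GE0/0/1", cfg) == start,       # True
        "consumed_on_plain_port": ingress(start, "GE0/0/9", cfg) is None,    # True: GE0/0/9 not enabled
        "reserved_rejected": reserved_rejected,                              # True
    }
```

The consumed_on_plain_port case is the failure the section describes: without the tunnel (and bpdu enable) on the user-facing port, the EAPOL frame never leaves the LAN Switch and the user cannot authenticate.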
18 Common VRRP Operations
About This Chapter
This chapter describes common VRRP operations.
18.1 Enabling the Master to Respond to Ping Packets Sent to a Virtual IP Address
18.2 Configuring Association Between VRRP and the Interface Status
18.3 Configuring Association Between VRRP and BFD
18.4 Configuring Association Between VRRP and NQA
18.5 Configuring Association Between VRRP and Routing
18.6 Configuring the VRRP Version Number
18.7 Configuring a Preemption Mode
18.8 Configuring the Mode in Which the Master Sends VRRP Advertisement Packets in a
Super-VLAN
18.9 Enabling MAC Address Triggered ARP Entry Update
18.1 Enabling the Master to Respond to Ping Packets Sent to a Virtual IP Address
# Enable the master to respond to ping packets sent to a virtual IP address.
<HUAWEI> system-view
[HUAWEI] vrrp virtual-ip ping enable
18.2 Configuring Association Between VRRP and the Interface Status
# Configure association between VRRP and the interface status to implement an active/
standby switchover.
<HUAWEI> system-view
[HUAWEI] interface vlanif 10
[HUAWEI-Vlanif10] ip address 10.1.1.1 24
[HUAWEI-Vlanif10] vrrp vrid 1 virtual-ip 10.1.1.3
[HUAWEI-Vlanif10] vrrp vrid 1 track interface gigabitethernet 1/0/1 reduced 40
[HUAWEI-Vlanif10] quit
18.3 Configuring Association Between VRRP and BFD
# Configure association between VRRP and BFD to implement a rapid active/standby
switchover.
<HUAWEI> system-view
[HUAWEI] interface vlanif 10
[HUAWEI-Vlanif10] ip address 10.1.1.1 24
[HUAWEI-Vlanif10] vrrp vrid 1 virtual-ip 10.1.1.3
[HUAWEI-Vlanif10] quit
[HUAWEI] bfd
[HUAWEI-bfd] quit
[HUAWEI] bfd atob bind peer-ip 10.1.1.2 interface vlanif 10
[HUAWEI-bfd-session-atob] discriminator local 1
[HUAWEI-bfd-session-atob] discriminator remote 2
[HUAWEI-bfd-session-atob] min-rx-interval 100
[HUAWEI-bfd-session-atob] min-tx-interval 100
[HUAWEI-bfd-session-atob] commit
[HUAWEI-bfd-session-atob] quit
[HUAWEI] interface vlanif 10
[HUAWEI-Vlanif10] vrrp vrid 1 track bfd-session 1 increased 40
[HUAWEI-Vlanif10] quit
18.4 Configuring Association Between VRRP and NQA
# Configure association between VRRP and NQA to implement an active/standby switchover.
<HUAWEI> system-view
[HUAWEI] interface vlanif 10
[HUAWEI-Vlanif10] ip address 10.1.1.1 24
[HUAWEI-Vlanif10] vrrp vrid 1 virtual-ip 10.1.1.3
[HUAWEI-Vlanif10] quit
[HUAWEI] nqa test-instance user test
[HUAWEI-nqa-user-test] test-type icmp
[HUAWEI-nqa-user-test] destination-address ipv4 10.20.1.2
[HUAWEI-nqa-user-test] frequency 15
[HUAWEI-nqa-user-test] start now
[HUAWEI-nqa-user-test] quit
[HUAWEI] interface vlanif 10
[HUAWEI-Vlanif10] vrrp vrid 1 track nqa user test reduced 40
[HUAWEI-Vlanif10] quit
18.5 Configuring Association Between VRRP and Routing
# Configure association between VRRP and routing to implement an active/standby
switchover.
<HUAWEI> system-view
[HUAWEI] interface vlanif 10
[HUAWEI-Vlanif10] ip address 10.1.1.1 24
[HUAWEI-Vlanif10] vrrp vrid 1 virtual-ip 10.1.1.3
[HUAWEI-Vlanif10] vrrp vrid 1 track ip route 10.20.1.0 24 reduced 40
[HUAWEI-Vlanif10] quit
18.6 Configuring the VRRP Version Number
# Configure the VRRP version number.
<HUAWEI> system-view
[HUAWEI] vrrp version v3
18.7 Configuring a Preemption Mode
Configuring a Non-preemption Mode
<HUAWEI> system-view
[HUAWEI] interface vlanif 10
[HUAWEI-Vlanif10] vrrp vrid 1 preempt-mode disable
Configuring a Preemption Mode
<HUAWEI> system-view
[HUAWEI] interface vlanif 10
[HUAWEI-Vlanif10] vrrp vrid 1 preempt-mode timer delay 20
18.8 Configuring the Mode in Which the Master Sends VRRP Advertisement Packets in a Super-VLAN
# Configure the mode in which the master sends VRRP Advertisement packets in a super-
VLAN.
<HUAWEI> system-view
[HUAWEI] interface vlanif 100
[HUAWEI-Vlanif100] vrrp advertise send-mode 10
18.9 Enabling MAC Address Triggered ARP Entry Update
# Enable the MAC address triggered ARP entry update function.
<HUAWEI> system-view
[HUAWEI] mac-address update arp
19 Common SNMP Operations
About This Chapter
This chapter describes common SNMP operations.
19.1 Configuring Access Control
19.2 Setting the SNMP Version and Community Name
19.3 Configuring User Group and User Name
19.4 Configuring the Device to Send Traps
19.5 Deleting Community Name
19.1 Configuring Access Control
To ensure device security, you can configure the access control list (ACL) and MIB views to
restrict the access of NMS to the device.
• Configure an ACL.
ACL 2001 allows only the NMS on network segment 192.168.1.0 to access the device.
<HUAWEI> system-view
[HUAWEI] acl 2001
[HUAWEI-acl-basic-2001] rule permit source 192.168.1.0 0.0.0.255
[HUAWEI-acl-basic-2001] rule deny source any
• Create a MIB view.
The MIB view is named alliso and includes the iso subtree.
<HUAWEI> system-view
[HUAWEI] snmp-agent mib-view included alliso iso
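How the basic ACL above is evaluated for an NMS source address, as an added Python model of wildcard-mask matching. This is example code written for this edition, not code from the guide or from Huawei; the rule lines other than ACL 2001's, the test addresses and the None result for an address no rule covers are constructed assumptions (the default action for an unmatched address depends on the feature that applies the ACL, which is why the guide's ACL ends with an explicit deny).

```python
"""Basic ACL evaluation with wildcard masks, for section 19.1.

Added example, not code from the guide or from Huawei. It models how the
basic ACL that restricts NMS access is evaluated: rules are tried in the
order given, the first rule whose source matches decides, and a wildcard
mask bit of 1 means "ignore this bit" (so 0.0.0.255 covers a /24). An
address no rule covers yields None here, because the default action for an
unmatched address depends on the feature that applies the ACL; the trailing
'rule deny source any' in the guide makes the policy explicit. ACL lines
other than ACL 2001 and all test addresses are constructed samples.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import List, Optional

ALL_ONES = 0xFFFFFFFF


@dataclass(frozen=True)
class Rule:
    action: str      # "permit" or "deny"
    network: int     # source address as an integer
    wildcard: int    # bits set to 1 are ignored in the comparison

    def matches(self, addr: int) -> bool:
        care = self.wildcard ^ ALL_ONES
        return addr & care == self.network & care


def parse_rule(line: str) -> Rule:
    """'rule [id] {permit|deny} source {addr wildcard | any}'; a wildcard of '0' means 0.0.0.0."""
    t = line.split()
    if not t or t[0] != "rule":
        raise ValueError(f"not a rule: {line!r}")
    i = 2 if t[1].isdigit() else 1              # optional rule ID
    action, key = t[i], t[i + 1]
    if action not in ("permit", "deny") or key != "source":
        raise ValueError(f"unsupported rule: {line!r}")
    if t[i + 2] == "any":
        return Rule(action, 0, ALL_ONES)
    wildcard = 0 if t[i + 3] == "0" else int(IPv4Address(t[i + 3]))
    return Rule(action, int(IPv4Address(t[i + 2])), wildcard)


def evaluate(acl: List[str], source: str) -> Optional[str]:
    """First matching rule wins; None when no rule covers the address."""
    addr = int(IPv4Address(source))
    for line in acl:
        rule = parse_rule(line)
        if rule.matches(addr):
            return rule.action
    return None


# ACL 2001 from the guide: only the NMS on 192.168.1.0/24 is allowed.
ACL_2001 = [
    "rule permit source 192.168.1.0 0.0.0.255",
    "rule deny source any",
]

# Constructed mistake: a subnet mask written where a wildcard belongs.
# 255.255.255.255 ignores every bit, so this rule matches any source.
ACL_MISTAKE = ["rule permit source 192.168.1.0 255.255.255.255"]


def demo() -> dict:
    return {
        "nms_in_segment": evaluate(ACL_2001, "192.168.1.37"),                      # permit
        "nms_outside": evaluate(ACL_2001, "192.168.2.1"),                          # deny
        "single_host": evaluate(["rule permit source 192.168.1.10 0"], "192.168.1.10"),  # permit
        "mistake_permits_anyone": evaluate(ACL_MISTAKE, "203.0.113.9"),            # permit
        "no_rule_covers": evaluate(["rule permit source 192.168.1.0 0.0.0.255"], "10.0.0.1"),  # None
    }
```

The mistake_permits_anyone case is worth checking on any device where an ACL guards SNMP: an inverted mask silently opens the community to every source, and the no_rule_covers case shows why the explicit final deny belongs in the ACL.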
19.2 Setting the SNMP Version and Community Name
SNMP has three versions: v1, v2c, and v3. v1 and v2c use community names, whereas v3
does not. Because v1 and v2c lack authentication, they are vulnerable to security
threats, so v3 is recommended. When a community name is configured, an ACL can be used
to restrict the access of the NMS to the device.
• SNMPv1
SNMP version is v1, read/write community name is community001, and access control
is configured.
<HUAWEI> system-view
[HUAWEI] snmp-agent sys-info version v1
[HUAWEI] snmp-agent community write community001 mib-view alliso acl 2001
• SNMPv2c
SNMP version is v2c, read/write community name is community001, and access control
is configured.
<HUAWEI> system-view
[HUAWEI] snmp-agent sys-info version v2c
[HUAWEI] snmp-agent community write community001 mib-view alliso acl 2001
19.3 Configuring User Group and User Name
Only v3 supports the configuration of user group and user name. By default, SNMPv3 is
enabled on a device.
The security level of a user cannot be lower than the security level of the user group to which
the user belongs. Security levels in the descending order are as follows:
• privacy: authentication and encryption
• authentication: authentication and no encryption
• none: no authentication and no encryption
If a user group is at the privacy level, the users and trap hosts of the user group must be at the
privacy level. If a user group is at the authentication level, the users and trap hosts of the user group must be at the privacy or authentication level.
• In versions earlier than V200R003C00:
# Set the user group name to group001 and security level to privacy, and configure
access control to restrict the access of the NMS to the device.
<HUAWEI> system-view
[HUAWEI] snmp-agent group v3 group001 privacy write-view alliso acl 2001
# Set the user name to user001, authentication password to Authe1234 and encryption
password to Priva1234.
<HUAWEI> system-view
[HUAWEI] snmp-agent usm-user v3 user001 group001 authentication-mode sha Authe1234 privacy-mode des56 Priva1234
• V200R003C00 and later versions:
# Set the user group name to group001 and security level to privacy, and configure
access control to restrict the access of the NMS to the device.
<HUAWEI> system-view
[HUAWEI] snmp-agent group v3 group001 privacy write-view alliso acl 2001
# Set the user name to user001, authentication password to Authe@1234 and encryption
password to Priva@1234.
<HUAWEI> system-view
[HUAWEI] snmp-agent usm-user v3 user001 group group001
[HUAWEI] snmp-agent usm-user v3 user001 authentication-mode sha
Please configure the authentication password (8-64)
Enter Password: // Enter authentication password Authe@1234.
Confirm Password: // Enter authentication password Authe@1234.
[HUAWEI] snmp-agent usm-user v3 user001 privacy-mode aes256
Please configure the privacy password (8-64)
Enter Password: // Enter encryption password Priva@1234.
Confirm Password: // Enter encryption password Priva@1234.
19.4 Configuring the Device to Send Traps
After the trap function is enabled and the trap host is configured, the device automatically
sends traps to the trap host.
1. Enable the trap function.
Enable the trap function for the SNMP module.
<HUAWEI> system-view
[HUAWEI] snmp-agent trap enable feature-name snmp
NOTE
If the trap function is not enabled for modules, each module uses the default trap configuration. To view
the default trap configuration of each module, run the display snmp-agent trap all command. The trap
function of the SNMP module is used as an example here.
2. Configure the interface to send traps.
Configure LoopBack0 with IP address 10.1.1.1 as the interface to send traps.
<HUAWEI> system-view
[HUAWEI] interface loopback 0
[HUAWEI-LoopBack0] ip address 10.1.1.1 32
[HUAWEI-LoopBack0] quit
[HUAWEI] snmp-agent trap source loopback 0
NOTE
After the interface is configured, the IP address of the interface is used to send traps. To ensure device
security, it is recommended that you configure a loopback interface to send traps. The trap sending
interface configured on the switch must be the same as that configured on the NMS; otherwise, the
NMS cannot receive traps. In addition, a reachable route must exist between the IP addresses of trap
sending interface and trap host.
3. Configure the trap host.
Set the trap host address to 10.1.2.10, UDP port number to 50000, security name to
user001, trap version to v3, and security level to privacy.
<HUAWEI> system-view
[HUAWEI] snmp-agent target-host trap address udp-domain 10.1.2.10 udp-port 50000 params securityname user001 v3 privacy
NOTE
The trap version must be the same as the SNMP version configured on the device; otherwise, traps
cannot be sent to the NMS. When the version is set to v3, the security name must be the same as the
created user name; otherwise, traps cannot be sent to the NMS. v1 and v2c impose no restriction on
the security name.
The default UDP port number is 162. After the UDP port number is changed, you must reconfigure the
UDP port of the NMS that receives traps. If the UDP ports of the device and NMS are different, traps
cannot be sent to the NMS.
The security level of the trap host cannot be lower than the security level of the user.
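The constraints of sections 19.2 to 19.4 (user level not below group level, trap host level not below user level, trap security name equal to an existing v3 user, trap version enabled on the device, communities guarded by an ACL) as an added Python configuration audit. This is example code written for this edition, not code from the guide or from Huawei; the configuration lines are constructed from the guide's examples, the findings are this script's, and two parsing defaults are assumptions (a trap host with no version keyword is treated as v1, and a v3 trap host with no level keyword as none).

```python
"""SNMP agent configuration audit for sections 19.2 to 19.4.

Added example, not code from the guide or from Huawei. It parses the
snmp-agent commands shown in those sections and checks the constraints the
guide states: a v3 user's security level may not be lower than its group's,
a v3 trap host's level may not be lower than its user's, the trap host's
security name must be an existing v3 user, the trap version must be one
the device has enabled, and v1/v2c communities should at least carry an
ACL. Treating a trap host with no version keyword as v1, and a v3 trap host
with no level keyword as 'none', are assumptions of this model. The
configuration lines are constructed from the guide's examples; the
findings are produced by this script, not by a device.
"""
from typing import Dict, List, Optional

LEVELS = {"none": 0, "authentication": 1, "privacy": 2}


def _after(tokens: List[str], key: str) -> Optional[str]:
    """Value following a keyword, e.g. 'acl 2001' -> '2001'."""
    return tokens[tokens.index(key) + 1] if key in tokens else None


def user_level(u: Dict) -> str:
    return "privacy" if u["priv"] else "authentication" if u["auth"] else "none"


def parse(lines: List[str]) -> Dict:
    cfg = {"versions": {"v3"}, "communities": [], "groups": {}, "users": {}, "traphosts": []}
    for line in lines:
        t = line.split()
        if len(t) < 3 or t[0] != "snmp-agent":
            continue
        if t[1] == "sys-info" and t[2] == "version":
            cfg["versions"] = set(t[3:])                         # replaces the default v3
        elif t[1] == "community":
            cfg["communities"].append({"name": t[3], "acl": _after(t, "acl")})
        elif t[1] == "group" and t[2] == "v3":
            cfg["groups"][t[3]] = {"level": "none" if t[4] == "noauthentication" else t[4]}
        elif t[1] == "usm-user" and t[2] == "v3":
            u = cfg["users"].setdefault(t[3], {"group": None, "auth": None, "priv": None})
            rest = t[4:]
            if rest and rest[0] == "group":                     # V200R003C00 and later form
                u["group"] = rest[1]
            elif rest and rest[0] not in ("authentication-mode", "privacy-mode"):
                u["group"] = rest[0]                            # earlier form: group name first
            u["auth"] = _after(rest, "authentication-mode") or u["auth"]
            u["priv"] = _after(rest, "privacy-mode") or u["priv"]
        elif t[1] == "target-host" and "params" in t:
            p = t.index("params")                               # params securityname NAME [ver [level]]
            ver = t[p + 3] if len(t) > p + 3 else "v1"
            lvl = t[p + 4] if ver == "v3" and len(t) > p + 4 else ("none" if ver == "v3" else None)
            cfg["traphosts"].append({"name": t[p + 2], "version": ver, "level": lvl})
    return cfg


def audit(lines: List[str]) -> List[str]:
    cfg, findings = parse(lines), []
    for c in cfg["communities"]:
        if c["acl"] is None:
            findings.append(f"community {c['name']}: no ACL restricts which NMS may use it")
    if cfg["versions"] & {"v1", "v2c"}:
        findings.append("v1/v2c enabled: community access has no authentication; prefer v3")
    for name, u in cfg["users"].items():
        g = cfg["groups"].get(u["group"])
        if g is None:
            findings.append(f"user {name}: group {u['group']} is not defined")
        elif LEVELS[user_level(u)] < LEVELS[g["level"]]:
            findings.append(f"user {name}: level {user_level(u)} is below group level {g['level']}")
        if u["auth"] == "md5" or u["priv"] == "des56":
            findings.append(f"user {name}: md5/des56 are weak; use sha with aes")
    for h in cfg["traphosts"]:
        if h["version"] not in cfg["versions"]:
            findings.append(f"trap host {h['name']}: version {h['version']} is not enabled on the device")
        if h["version"] != "v3":
            continue
        u = cfg["users"].get(h["name"])
        if u is None:
            findings.append(f"trap host: security name {h['name']} is not a v3 user; traps will not be sent")
        elif LEVELS[h["level"]] < LEVELS[user_level(u)]:
            findings.append(f"trap host {h['name']}: level {h['level']} is below the user's {user_level(u)}")
    return findings


# Constructed from the V200R003C00-and-later example in the guide: passes every check.
GUIDE_CONFIG = [
    "snmp-agent sys-info version v3",
    "snmp-agent group v3 group001 privacy write-view alliso acl 2001",
    "snmp-agent usm-user v3 user001 group group001",
    "snmp-agent usm-user v3 user001 authentication-mode sha",
    "snmp-agent usm-user v3 user001 privacy-mode aes256",
    "snmp-agent target-host trap address udp-domain 10.1.2.10 udp-port 50000 params securityname user001 v3 privacy",
]

# Constructed weak configuration: five findings expected.
WEAK_CONFIG = [
    "snmp-agent sys-info version v2c v3",
    "snmp-agent community write community001 mib-view alliso",
    "snmp-agent group v3 group001 privacy write-view alliso acl 2001",
    "snmp-agent usm-user v3 user002 group001 authentication-mode md5 Authe1234",
    "snmp-agent target-host trap address udp-domain 10.1.2.10 params securityname user002 v3 authentication",
    "snmp-agent target-host trap address udp-domain 10.1.2.11 params securityname nobody v3 privacy",
]
```

Running audit(WEAK_CONFIG) reports the unguarded community, the enabled v2c, user002 sitting below its privacy group with only an md5 authentication key, and the trap host whose security name is not a user; audit(GUIDE_CONFIG) returns an empty list.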
19.5 Deleting Community Name
When you delete a community name, the configuration related to the community name is also
deleted. The community names are stored in cipher text on the device; therefore, you can
delete the community name in either of the following ways:
- In plain text:
You must enter the correct community name; otherwise, the community name cannot be
deleted.
<HUAWEI> system-view
[HUAWEI] undo snmp-agent community community001
- In cipher text:
Before deleting a community name in cipher text, you must query the encrypted
community name.
<HUAWEI> system-view
[HUAWEI] display snmp-agent community
   Community name:%^%#v_@eE"TW3Yw"7"Q2Vd!"/$XsX|}+GOBz8V.pEh>=x9)J,Tuy}3Mp#+X4QV5CAI^:Z;NlA3*&ta4}a53-%^%#
       Group name:%^%#v_@eE"TW3Yw"7"Q2Vd!"/$XsX|}+GOBz8V.pEh>=x9)J,Tuy}3Mp#+X4QV5CAI^:Z;NlA3*&ta4}a53-%^%#
       Acl: 2001
       Storage-type: nonVolatile
[HUAWEI] undo snmp-agent community %#%#v_@eE"TW3Yw"7"Q2Vd!"/$XsX|}+GOBz8V.pEh>=x9)J,Tuy}3Mp#+X4QV5CAI^:Z;NlA3*&ta4}a53-%#%#
20 Common OSPF Operations
This chapter uses the Open Shortest Path First (OSPF) network shown in Figure 20-1 as an
example to describe common OSPF operations.
Figure 20-1 Basic OSPF network (topology diagram not reproduced in this transcript). It shows SwitchA, SwitchB, SwitchC, SwitchD, SwitchE and SwitchF interconnected through 10GE1/0/1 and 10GE1/0/2 interfaces bound to VLANIF10 (192.168.0.1/24, 192.168.0.2/24), VLANIF20 (192.168.1.1/24, 192.168.1.2/24), VLANIF30 (192.168.2.1/24, 192.168.2.2/24), VLANIF40 (172.16.1.1/24, 172.16.1.2/24), VLANIF50 (172.17.1.1/24, 172.17.1.2/24) and VLANIF60 (172.18.1.1/24), with the links grouped into Area0, Area1 and Area2.
Configuring Basic OSPF Functions
The following uses the configuration of SwitchA as an example. The configurations of other
switches are similar to the configuration of SwitchA.
<SwitchA> system-view
[SwitchA] ospf 1
[SwitchA-ospf-1] area 0
[SwitchA-ospf-1-area-0.0.0.0] network 192.168.0.0 0.0.0.255 //Enable OSPF on VLANIF10.
[SwitchA-ospf-1-area-0.0.0.0] quit
[SwitchA-ospf-1] area 1
[SwitchA-ospf-1-area-0.0.0.1] network 192.168.1.0 0.0.0.255 //Enable OSPF on VLANIF20.
[SwitchA-ospf-1-area-0.0.0.1] quit
[SwitchA-ospf-1] quit
Configuring a Stub Area
A stub area is a special area into which an area border router (ABR) does not flood received
autonomous system (AS) external routes, which significantly reduces the routing table size
and the amount of routing information that routers transmit. A border area on an OSPF network is often
configured as a stub area. For example, configure Area1 as a stub area.
The following uses the configuration of SwitchA as an example. The configurations of other
switches in Area1 are similar to the configuration of SwitchA.
[SwitchA] ospf 1
[SwitchA-ospf-1] area 1
[SwitchA-ospf-1-area-0.0.0.1] stub
[SwitchA-ospf-1-area-0.0.0.1] quit
[SwitchA-ospf-1] quit
Configuring an NSSA
In a not-so-stubby area (NSSA), an ABR does not flood AS external routes received from
other areas, as in a stub area. The difference is that AS external routes can be imported into
an NSSA and flooded by its ABR to the entire OSPF domain. A border area connected to another
AS on an OSPF network is often configured as an NSSA. For example, configure Area2 as an
NSSA.
The following uses the configuration of SwitchB as an example. The configurations of other
switches in Area2 are similar to the configuration of SwitchB.
[SwitchB] ospf 1
[SwitchB-ospf-1] area 2
[SwitchB-ospf-1-area-0.0.0.2] nssa
[SwitchB-ospf-1-area-0.0.0.2] quit
[SwitchB-ospf-1] quit
Configuring OSPF to Import Routes
To access a device running a non-OSPF protocol, an OSPF-capable device needs to import
routes of the non-OSPF protocol into the OSPF network. For example, configure OSPF to
import direct routes of SwitchF into the OSPF network.
[SwitchF] ospf 1
[SwitchF-ospf-1] import-route direct
[SwitchF-ospf-1] quit
Setting the OSPF Interface Cost
OSPF automatically calculates the cost of an interface according to the interface bandwidth by
default. You can also manually set the OSPF interface cost. For example, set the cost of
VLANIF 20 on SwitchA to 5.
[SwitchA] interface vlanif 20
[SwitchA-Vlanif20] ospf cost 5
[SwitchA-Vlanif20] quit
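To see why a manual cost matters on the 10GE links of Figure 20-1, the following Python script is an added example (not Huawei's code) that reproduces the automatic cost calculation and the effect of the ospf cost override. It assumes the default bandwidth-reference of 100 Mbit/s and that the integer part of reference/bandwidth is used, with a minimum of 1; the two candidate paths are constructed.

```python
REFERENCE_MBPS = 100   # default OSPF bandwidth-reference in Mbit/s (assumed default)
MAX_COST = 65535       # largest interface cost OSPF can carry


def auto_cost(bandwidth_mbps, reference_mbps=REFERENCE_MBPS):
    """Automatic cost: integer part of reference / bandwidth, clamped to 1..65535.
    With the default reference, every interface of 100 Mbit/s or faster costs 1."""
    return max(1, min(MAX_COST, int(reference_mbps / bandwidth_mbps)))


def interface_cost(bandwidth_mbps, manual_cost=None, reference_mbps=REFERENCE_MBPS):
    """'ospf cost' configured on the interface overrides the automatic value."""
    if manual_cost is not None:
        return manual_cost
    return auto_cost(bandwidth_mbps, reference_mbps)


def path_cost(links, reference_mbps=REFERENCE_MBPS):
    """Sum of outgoing-interface costs along a path.
    links is a list of (bandwidth_mbps, manual_cost_or_None) per hop."""
    return sum(interface_cost(bw, manual, reference_mbps) for bw, manual in links)


# Constructed example: two two-hop paths leaving SwitchA, all over 10GE
# interfaces as in Figure 20-1. VLANIF20 carries the 'ospf cost 5' from the text.
VIA_VLANIF10 = [(10000, None), (10000, None)]
VIA_VLANIF20 = [(10000, 5), (10000, None)]


def saturation_demo():
    """Show that the default reference cannot tell GE from 10GE, while a
    10 Gbit/s reference (bandwidth-reference 10000) can."""
    return {
        "ge_default": auto_cost(1000),
        "10ge_default": auto_cost(10000),
        "ge_ref10000": auto_cost(1000, 10000),
        "10ge_ref10000": auto_cost(10000, 10000),
    }


if __name__ == "__main__":
    print(saturation_demo())
    print("via VLANIF10:", path_cost(VIA_VLANIF10), "via VLANIF20:", path_cost(VIA_VLANIF20))
```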
Configuring Association Between OSPF and BFD
To accelerate OSPF convergence when the status of a link changes, you can configure
bidirectional forwarding detection (BFD) on OSPF links. After detecting a link failure, BFD
notifies OSPF of the failure, which triggers fast OSPF convergence. When the OSPF neighbor
relationship is Down, the BFD session is deleted dynamically.
For example, set up a BFD session on the OSPF link between SwitchA and SwitchB.
# Configure SwitchA.
[SwitchA] bfd
[SwitchA-bfd] quit
[SwitchA] ospf 1
[SwitchA-ospf-1] bfd all-interfaces enable
[SwitchA-ospf-1] quit
# Configure SwitchB.
[SwitchB] bfd
[SwitchB-bfd] quit
[SwitchB] ospf 1
[SwitchB-ospf-1] bfd all-interfaces enable
[SwitchB-ospf-1] quit
Configuring OSPF to Advertise Default Routes
Multiple switches for next-hop backup or traffic load balancing often reside on the area
border and AS border of an OSPF network. A default route can be configured to reduce
routing entries and improve resource usage on the OSPF network.
The advertising mode of the default route is determined by the type of the area to which the
default route is imported, as shown in Table 20-1.
Table 20-1 Default route advertising mode

Area Type   | Generated By                        | Advertised By | LSA Type  | Flooding Area
------------|-------------------------------------|---------------|-----------|--------------
Common area | The default-route-advertise command | ASBR          | Type5 LSA | Common area