ZXR102900ESeriesnova-minsk.com/ZTE/29E/SJ-20130731155059-002-ZXR10 2900E... · 2016-09-30 ·...

ZXR10 2900E SeriesEasy-Maintenance Secure Switch

Configuration Guide

Version: 2.05.11

ZTE CORPORATIONNo. 55, Hi-tech Road South, ShenZhen, P.R.ChinaPostcode: 518057Tel: +86-755-26771900Fax: +86-755-26770801URL: http://ensupport.zte.com.cnE-mail: [email protected]

LEGAL INFORMATIONCopyright © 2013 ZTE CORPORATION.

The contents of this document are protected by copyright laws and international treaties. Any reproduction or

distribution of this document or any portion of this document, in any form by any means, without the prior written

consent of ZTE CORPORATION is prohibited. Additionally, the contents of this document are protected by

contractual confidentiality obligations.

All company, brand and product names are trade or service marks, or registered trade or service marks, of ZTE

CORPORATION or of their respective owners.

This document is provided “as is”, and all express, implied, or statutory warranties, representations or conditions

are disclaimed, including without limitation any implied warranty of merchantability, fitness for a particular purpose,

title or non-infringement. ZTE CORPORATION and its licensors shall not be liable for damages resulting from the

use of or reliance on the information contained herein.

ZTE CORPORATION or its licensors may have current or pending intellectual property rights or applications

covering the subject matter of this document. Except as expressly provided in any written license between ZTE

CORPORATION and its licensee, the user of this document shall not acquire any license to the subject matter

herein.

ZTE CORPORATION reserves the right to upgrade or make technical change to this product without further notice.

Users may visit ZTE technical support website http://ensupport.zte.com.cn to inquire related information.

The ultimate right to interpret this product resides in ZTE CORPORATION.

Revision History

Revision No. Revision Date Revision Reason

R1.0 2013-11-27 First edition

Serial Number: SJ-20130731155059-002

Publishing Date: 2013-11-27 (R1.0)

SJ-20130731155059-002|2013-11-27 (R1.0) ZTE Proprietary and Confidential

ContentsAbout This Manual ......................................................................................... I

Chapter 1 Safety Instructions.................................................................... 1-11.1 Safety Instructions.............................................................................................. 1-1

1.2 Safety Signs ...................................................................................................... 1-1

Chapter 2 System Overview ...................................................................... 2-1

Chapter 3 Usage and Operation................................................................ 3-13.1 Configuration Modes .......................................................................................... 3-1

3.2 Command Modes............................................................................................... 3-6

3.3 Common Command Parameters ........................................................................3-11

3.4 Usage of Command Line .................................................................................. 3-12

Chapter 4 System Management ................................................................ 4-14.1 File System Management ................................................................................... 4-1

4.2 Configuring the TFTP Server............................................................................... 4-3

4.3 Configuring the FTP Server................................................................................. 4-4

4.4 Importing and Exporting the Configuration File ..................................................... 4-7

4.5 Backing Up and Recovering Files........................................................................ 4-7

4.6 Downloading the Software Version Automatically ................................................. 4-8

4.7 Configuring Automatic Saving of a Configuration File.......................................... 4-10

4.8 Upgrading the Software Version .........................................................................4-11

4.9 File System Configuration Commands ............................................................... 4-15

Chapter 5 Service Configuration............................................................... 5-15.1 Management Configuration ................................................................................. 5-2

5.2 Port Configuration .............................................................................................. 5-6

5.3 PoE Configuration .............................................................................................. 5-8

5.4 Port Mirroring ....................................................................................................5-11

5.5 MAC Address Table Operation .......................................................................... 5-13

5.6 LACP Configuration.......................................................................................... 5-17

5.7 IGMP Snooping Configuration........................................................................... 5-20

5.8 MLD Snooping Configuration ............................................................................ 5-24

5.9 IPTV Configuration ........................................................................................... 5-27

5.10 STP Configuration .......................................................................................... 5-34

5.11 ACL Configuration .......................................................................................... 5-43

5.12 QoS Configuration.......................................................................................... 5-53

I


5.13 PVLAN Configuration...................................................................................... 5-60

5.14 Layer 2 Protocol Transparent Transmission Configuration................................. 5-63

5.15 IPv4 Layer 3 Configuration.............................................................................. 5-65

5.16 IPv6 Layer 3 Configuration.............................................................................. 5-68

5.17 DAI Configuration ........................................................................................... 5-69

5.18 Access Service Configuration.......................................................................... 5-71

5.19 MAC Authentication Configuration ................................................................... 5-79

5.20 QinQ Configuration......................................................................................... 5-80

5.21 SQinQ Configuration....................................................................................... 5-82

5.22 VLAN Configuration........................................................................................ 5-84

5.23 VLAN Mapping Configuration .......................................................................... 5-87

5.24 Syslog Configuration....................................................................................... 5-89

5.25 NTP Configuration.......................................................................................... 5-91

5.26 GARP/GVRP Configuration............................................................................. 5-93

5.27 DHCP Configuration ....................................................................................... 5-95

5.28 DHCPv6 Configuration...................................................................................5-101

5.29 VBAS Configuration.......................................................................................5-104

5.30 PPPoE-PLUS Configuration ...........................................................................5-106

5.31 ZESR Configuration.......................................................................................5-108

5.32 ZESS Configuration.......................................................................................5-121

5.33 OAM Configuration ........................................................................................5-126

5.34 sFlow Configuration.......................................................................................5-132

5.35 PP Configuration ...........................................................................................5-133

5.36 LLDP Configuration .......................................................................................5-135

5.37 Single Port Loop Detection Configuration........................................................5-137

5.38 UDLD Configuration ......................................................................................5-140

5.39 TACACS+ Configuration ................................................................................5-143

5.40 Time Range Configuration .............................................................................5-145

5.41 Voice VLAN Configuration..............................................................................5-146

5.42 802.1ag Configuration ...................................................................................5-148

5.43 Y.1731 Configuration .....................................................................................5-154

5.44 MAC-based VLAN Command Configuration ....................................................5-159

5.45 DHCP Relay Configuration.............................................................................5-160

5.46 MFF Configuration.........................................................................................5-164

5.47 SSL Configuration .........................................................................................5-167

5.48 ERPS Configuration ......................................................................................5-171

5.49 Debug Module Configuration..........................................................................5-178

II


Chapter 6 Management .............................................................................. 6-16.1 Remote-Access.................................................................................................. 6-1

6.2 SSH .................................................................................................................. 6-3

6.3 Privilege ...........................................................................................................6-11

6.4 SNMP ............................................................................................................. 6-13

6.5 RMON............................................................................................................. 6-18

6.6 ZGMP ............................................................................................................. 6-21

6.7 sFlow .............................................................................................................. 6-28

6.8 Web ................................................................................................................ 6-29

6.9 M_Button......................................................................................................... 6-49

6.10 Telnet ............................................................................................................ 6-52

Chapter 7 Maintenance .............................................................................. 7-17.1 Routine Maintenance.......................................................................................... 7-1

7.2 Virtual Circuit Tester ........................................................................................... 7-2

7.3 Common Fault Handling ..................................................................................... 7-3

7.3.1 Overview ................................................................................................. 7-3

7.3.2 Configuration Through the Console Port Failed .......................................... 7-3

7.3.3 Telnet Connection Failed .......................................................................... 7-4

7.3.4 Web Management Failed .......................................................................... 7-4

7.3.5 Login Username or Password Lost ............................................................ 7-5

7.3.6 Enable Password Lost .............................................................................. 7-6

7.3.7 Two Devices in the Same VLAN Cannot Communicate............................... 7-7

7.3.8 Authentication Timed Out in Campus Network............................................ 7-7

7.3.9 Solution to ARP Attacks in Campus Network.............................................. 7-9

Figures............................................................................................................. I

Tables ...........................................................................................................VII

Glossary ........................................................................................................IX

III


IV


About This ManualPurposeThis manual is applicable to the ZXR10 2900E (V2.05.11) series easy-maintenance secureswitches, which include the following products:

l ZXR10 2910E-PS easy-maintenance secure switchl ZXR10 2918E-PS easy-maintenance secure switchl ZXR10 2918E easy-maintenance secure switchl ZXR10 2928E easy-maintenance secure switchl ZXR10 2928E-PS easy-maintenance secure switchl ZXR10 2952E easy-maintenance secure switch

Intended AudienceThis document is intended for:l Software debugging engineersl Date configure engineersl Maintenance engineers

What Is in This ManualThis manual contains the following chapters:

Chapter Summary

1, Safety Instructions Describes safety instructions and signs.

2, System Overview Provides an overview about the ZXR10 2900E series switches.

3, Usage and Operation Describes configuration modes, command modes and usage of

command line.

4, System Management Describes system management.

5, Service Configuration Describes service configuration.

6, Management Describes management configuration.

7, Maintenance Describes routine maintenance, virtual line detection and common

fault handling.

ConventionsThis manual uses the following typographical conventions:

Typeface Meaning

Italics Variables in commands. It may also refer to other related manuals and documents.

I


Typeface Meaning

Bold Menus, menu options, function names, input fields, option button names, check boxes,

drop-down lists, dialog box names, window names, parameters, and commands.

Constant

width

Text that you type, program codes, filenames, directory names, and function names.

[ ] Optional parameters.

{ } Mandatory parameters.

| Separates individual parameters in a series of parameters.

Caution: indicates a potentially hazardous situation. Failure to comply can result in

moderate injury, equipment damage, or interruption of minor services.

Note: provides additional information about a certain topic.

II


Chapter 1Safety InstructionsTable of Contents

Safety Instructions......................................................................................................1-1Safety Signs...............................................................................................................1-1

1.1 Safety InstructionsOnly duly trained and qualified personnel can install, operate and maintain the devices.

During the device installation, operation and maintenance, please abide the local safetyspecifications and related operation instructions, otherwise physical injury may occuror devices may be broken. The safety precautions mentioned in this manual are onlysupplement of local safety specifications.

ZTE Corporation will assume no responsibility for consequences resulting from violationof general specifications for safety operations or of safety rules for design, production anduse of the devices.

1.2 Safety SignsThe contents that users should pay attention to when they install, operate and maintaindevices are explained in the following formats:

Warning!

Indicates the matters needing close attention. If this is ignored, serious injury accidentsmay happen or devices may be damaged.

Caution!

Indicates the matters needing attention during configuration.

1-1


ZXR10 2900E Series Configuration Guide

Note:

Indicates the description, hint, tip and so on for configuration operations.

1-2


Chapter 2System OverviewThe ZXR10 2900E series switches are an important part of the ZXR10 series Ethernetswitches. The ZXR10 2900E series products are Gigabit L2+ (between layer 2 and layer 3)Ethernet switches used for Gigabit network access and convergence, and 1 Gb is availablefor uplinks. The ZXR10 2900E provides different types of Ethernet access ports, thusproviding a high-speed, effective, and cost-effective access and convergence scheme.The switches are used in the access layer of the carrier and enterprise networks.

For the ports that the ZXR10 2900E supports, refer to the following table.

Switch Type Fixed Port Description

ZXR10 2918E 16 10/100 BASE-TX Ethernet

ports

Two 10/100/1000BASE-T

Ethernet ports

Two 100/1000BASE-FX ports

Two 10/100/1000BASE-T Ethernet

ports and two 100/1000BASE-FX

ports are combo electro-optic

multiplex ports.

ZXR10 2928E 24 10/100 BASE-TX Ethernet

ports

Two 10/100/1000BASE-T

Ethernet ports


Two 1000BASE-FX interfaces



ports are combo optical-electrical

multiplexing ports.

ZXR10 2952E 48 10/100BASE-TX Ethernet

ports

Four 1000BASE-FX ports

-

ZXR10 2910E-PS Eight 10/100 BASE-TX Ethernet

ports

Two 10/100/1000BASE-T

Ethernet ports





multiplexing ports.

ZXR10 2918E-PS 16 10/100 BASE-TX Ethernet

ports

Two 10/100/1000BASE-T

Ethernet ports





multiplexing ports.

2-1



Switch Type Fixed Port Description

ZXR10 2928E-PS 24 10/100 BASE-TX Ethernet

ports

One subcard slot

RS-29EC-4GE-SFP subcards,

RS-29EC-4GE-RJ45 subcards, and

RS-29EC-4FE-SFP subcards are

supported.

Switching CapabilityThe ZXR10 2900E series switches support layer-2 wire-speed switching on all ports. Thedata packets can be forwarded at wire-speed after being filtered and classified. The portsprovide high throughput, low packet loss rate, and low time delay and jitter, which satisfyapplication requirements of key services.

Reliabilityl The ZXR10 2900E supports the Spanning Tree Protocol (STP), Rapid Spanning

Tree Protocol (RSTP), and Multiple Spanning Tree Protocol MSTP, and implementsredundancy backup and fast switching of links.

l The ZXR10 2900E supports the 802.3ad Link Aggregation Control Protocol (LACP)function, and provides load balancing and link backup.

l The ZXR10 2900E supports the ZTE Ethernet Switch Ring (ZESR) to provide fastprotection switching, which ensures that user services are not interrupted.

Service FeaturesThe ZXR10 2900E provides the following service features:

l Provides a flexible Virtual Local AreaNetwork (VLAN) classificationmode. The VLANscan be classified by port or protocol type.

l Provides a layer-2 Virtual Private Network (VPN) through QinQ to control outer-layerlabels flexibly.

l Supports user port locating technologies, such as Virtual Broadband Access Server(VBAS), Dynamic Host Configuration Protocol (DHCP) Option82, and Point to PointProtocol over Ethernet (PPPoE)+.

l Provides layer-2 multicast technologies, including Internet Group ManagementProtocol (IGMP)-snooping and its proxy function, the fast-leaving feature, and theMulticast VLAN Switching (MVS) function, which provide a support for enabling theInternet Protocol Television (IPTV) service.

Security ControlThe ZXR10 2900E provides the following security control functions:

l User-level security control

à It supports IEEE 802.1x, which implements dynamic and port-based security andprovides the user ID authentication function.

2-2


Chapter 2 System Overview

à It supports MAC/IP/VLAN/Port combination at random, which effectively preventsillegal users from accessing the network.

à Port isolation ensures that a user can neither monitor traffic of another user onthe same switch nor obtain the user's information.

à It supports the GuestVlan and anti-proxy function, which facilitates its applicationsin educational networks and other complex network environments.

à Dynamic Host Configuration Protocol (DHCP) monitoring prevents malicioususers from deceiving the DHCP server and sending spurious address information.It can also enable IP source protection and create a binding table for the IPaddress, MAC address, and port of the client and the VLAN to prevent a userfrom accessing or using the IP address of another user.

l Equipment-level security control

à The CPU security control technology prevents Denial of Service (DoS) attacks.

à The Secure Shell (SSH)/Simple Network Management Protocol (SNMP)v3ensures network management security.

à Multi-level access security of the console prevents unauthorized users fromchanging the switch configuration.

à The Remote Authentication Dial In User Service (RADIUS)/Terminal AccessController Access-Control System Plus (TACACS+) identification authenticationputs the switch under centralized control and prevents unauthorized users frommodifying the configuration.

l Network security control

à The Access Control List (ACL) based on ports and VLANs makes it possible forusers to apply security strategies to each port or trunk of the switch.

à MAC address binding and source- or destination-based filtering provide effectiveaddress-based traffic control.

à The port mirroring function provides an effective tool for network managementanalysis.

QoS GuaranteeThe ZXR10 2900E provides the following applications of Quality of Service (QoS):

l Provides Standard 802.1p Class of Service (CoS) and Differentiated Services CodePoint (DSCP) field sorting. Single group-based labeling and re-sorting can beperformed by using source and destination IP addresses, source and destinationMAC addresses, and Transfer Control Protocol (TCP)/User Datagram Protocol(UDP) port numbers.

l Provides queue scheduling algorithms including Strict Priority (SP) and WeightedRound Robin (WRR).

l Supports the Committed Access Rate (CAR) function. It manages asynchronousuplink and downlink data flows from uplinks by ingress strategy control and egress

2-3



shaping. The ingress strategy control provides bandwidth control with the minimumincrement of 8 kbps. It can satisfy QoS requirements of packet loss, time delay andjitter even if network congestion occurs, thus avoiding queue congestion effectively.

Management ModesThe ZXR10 2900E provides the following management modes:

l Supports the SNMPv1/v2c/v3 and Remote Monitoring (RMON).l Supports the ZXNM01 unified network management platform.l Supports accessing the switches through CLI command lines, including Console,

Telnet and SSH.l Supports network management through Web.l Supports the ZTE Group Manage Protocol (ZGMP).

FunctionsThe ZXR10 2900E uses the Store and Forward mode, and supports layer 2 wire-speedswitching. Full wire-speed switching is implemented on all ports.

The ZXR10 2900E provides the following functions:

1. The 100 M ports support 10/100 M auto-sensing and Media-DependentInterface/Media-Dependent Interface-crossover (MDI/MDIX) auto-sensing.

2. The Gigabit electrical ports support 10/100/1000 M auto-sensing and MDI/MDIXauto-sensing.

3. It supports port-based 802.3x traffic control (full duplex) and back-pressure trafficcontrol (half duplex).

4. It supports Virtual Circuit Tester (VCT) function.5. It supports 802.1q VLANs. The maximum number of VLANs is 4094.6. It supports the VLAN stack function (QinQ), and outer labels are optional (Selective

QinQ (SQinQ)).7. It supports GARP VLAN Registration Protocol (GVRP) dynamic VLANs. The full name

GARP of is Generic Attribute Registration Protocol.8. It has the capability of MAC address self-learning. The maximum size of the MAC

address table is 16 KB.9. It supports port MAC address binding and addresses filtering.10. It supports the automatic fixing function of MAC addresses. The MAC addresses can

be recovered if the device is powered off.11. It supports port security and port isolation.12. It supports the 802.1d STP, 802.1w RSTP, and 802.1s MSTP. The MSTP provides at

most four instances.13. It supports the ZESR technology and the linkhello/linkdown mechanism.14. It supports 802.3ad LACP port binding and static port binding. At most 15 port groups

can be bound and each group contains at most eight ports.15. It supports 1,024 multicast groups, cross-VLAN IGMP snooping and Multicast VLAN

Switching (MVS).16. It supports the single port loop test.

2-4


Chapter 2 System Overview

17. It supports 802.1x user authentication.18. It supports the VBAS, DHCP-OPTION82 and PPPOE+.19. It supports the DHCP-SNOOPING.20. It supports the DHCP client function to request amanagement interface from theDHCP

server automatically.21. It supports the DHCP relay function, which allows an access device to request the

DHCP server for a host address across different network segments.22. It supports the Dynamic ARP Inspection (DAI) technology, which prevents Address

Resolution Protocol (ARP) attacks.23. It supports broadcast storm suppression.24. It supports port ingress and egress mirroring, and flow-based ingress mirroring and

statistics.25. It supports the Remote Switched Port Analyzer (RSPAN).26. It supports the ACL function based on ports and VLANs. The ACL rules take effect in

specified time periods.27. It supports the IETF-DiffServ and IEEE-802.1p. Queues of eight priorities are provided

on all ports. The ingress supports the CAR function and the egress supports shapingand tail drop. The queue scheduling supports SP and WRR.

28. It supports port-based speed control, including ingress speed limit and egress speedlimit. The ingress speed limit supports flow rate limit of multiple buckets, and the speedlimit types of each bucket are configurable. The minimal granularity of speed limit is 8Kbps.

29. It provides detailed port flow statistics.30. It supports 802.3ah Ethernet Operation, Administration and Maintenance (OAM).31. It supports the sFlow.32. It supports layer-2 transparent protocol transmission.33. It supports the syslog function.34. It supports the Network Time Protocol (NTP) client function.35. It supports the network management static route configuration.36. It supports the ZGMP.37. It supports the SNMPv1/v2c/v3 and RMON.38. It supports configuration through the Console and remote login through Telnet.39. It supports the SSHv2.0.40. It supports the Web function.41. It supports the ZXNM01 unified network management.42. It supports version/configuration upload and download through the Trivial File Transfer

Protocol (TFTP).43. It supports version/configuration upload and download through the FTP .44. The ZXR10 2910E-PS/2918E-PS/2928E-PS supports the 802.3af Power over

Ethernet (PoE) function. The power supply of at most 30 W is supported.

2-5



This page intentionally left blank.

2-6


Chapter 3Usage and OperationTable of Contents

Configuration Modes ..................................................................................................3-1Command Modes.......................................................................................................3-6Common Command Parameters ..............................................................................3-11Usage of Command Line..........................................................................................3-12

3.1 Configuration ModesThe ZXR10 2900E supports various configuration modes, see Figure 3-1. A user shouldselect a proper configuration mode based on the network that the user accesses.

Figure 3-1 ZXR10 2900E's Configuration Modes

The configuration modes are as follows:1. Console port mode: This mode is used as a primary mode for configuring a switch.2. Telnet/SSH mode: This mode is used to configure the ZXR10 2900E at any place of

a network.3. Network management workstation mode: This mode requires the use of the

SNMP-capable network management software.4. FTP/TFTP/WEB mode: This mode is used to manage the file system of a switch.

Configuration Through the Console PortA serial configuration cable is delivered along with the ZXR10 2900E. One end of the cableis connected to the Console port of the ZXR10 2900E, and the other end is connected tothe serial port of a debugging PC. The VT100 terminal mode is applied in the Console portconnection configuration. The following use the Windows HyperTerminal configuration asan example to illustrate the connection configuration.

1. Start the HyperTerminal program on the PC.

3-1



Select Start > All programs > Accessories > Communications > HyperTerminalin the Windows operating system to start the HyperTerminal program.

2. Establish a connection.

Enter a name and select an icon for the connection, and then clickOK, see Figure 3-2.

Figure 3-2 Connection Description Dialog Box

3. Set the interconnection port.

In the Connect To dialog box, select desired options from the Connect using list andthen click OK, see Figure 3-3.

Figure 3-3 Connect To Dialog Box

4. Set communication parameters.

In theCOM1Properties dialog box, click theRestore Defaults button to set the COM1property, and then click OK, see Figure 3-4.

3-2


Chapter 3 Usage and Operation

Figure 3-4 COM1 Properties Dialog Box

5. Click the OK button. After the ZXR10 2900E is powered on, enter the configurationmode for further operations.

Configuration Through TelnetThe Telnet mode is often used for configuring a remote switch. A user can log in to aremote switch through an Ethernet port of the local computer. The login username andpassword for the switch must be configured and the IP address of the layer-3 port on theswitch can be pinged successfully from the local computer, refer to Table 3-1.

For configuration of the IP address of the layer-3 port, refer to 5.15 IPv4 Layer 3Configuration and 5.16 IPv6 Layer 3 Configuration.

Table 3-1 Configuration Command

Command Function

create user <name>{admin | guest}[<0-15>] Create a new user, The user <name> parameter

value consists of at most 15 characters.

set user local <name> login-password [<string>] Set the login password, The login-password

<string> parameter value consists of at most 16

characters.

set user {local | radius| tacacs-plus}<name>

admin-password <string>

Set the administrator password, The

admin-password <string> parameter value

consists of at most 16 characters.

3-3



Note:

The default username is admin and the password is zhongxing. The default administratorpassword is empty.

It is assumed that the IP address of the layer-3 port is 192.168.3.1 and this address can bepinged successfully from the local computer. Perform the following remote configurationoperations:

1. Select Start > Run on the local computer. Run the Telnet command in the displayedRun dialog box, see Figure 3-5.

Figure 3-5 Running Telnet

2. Click OK. A Telnet window is displayed, see Figure 3-6.

Figure 3-6 Telnet Window

3. Enter the username and password to enter user mode of the switch.

Configuration Through the SNMP ConnectionThe SNMP is the most popular network management protocol at present. With thisprotocol, all devices in the network can be managed by a network management server.

3-4



TheSNMPuses the server/client managementmode. The back-end networkmanagementserver serves as the SNMP server. The front-end network device serves as the SNMPclient. The front end and back end share one Management Information Base (MIB) andcommunicate with each other through SNMP.

The back-end network management server must be installed with the networkmanagement software supporting SNMP. The switch is configured and managed by thenetwork management software. For the detailed SNMP configuration on the ZXR102900E, refer to 6.4 SNMP.

Configuration Through the Web ConnectionWeb is another way to implement remote switches management and is similar to Telnet.A user can log in to a remote switch through an Ethernet port of the local computer. Thelogin username, login password and administrator password must be configured and theWeb function must be enabled. The IP address of the layer-3 port on the switch can alsobe pinged successfully from the local computer. For configuration of the IP address of thelayer-3 port, refer to 5.15 IPv4 Layer 3 Configuration and 5.16 IPv6 Layer 3 Configuration.

1. Create a new management user.

Command Function

create user <name>{admin | guest}[<0-15>] The user <name> parameter value consists of

at most 15 characters.

2. Set a login password.

Command Function

set user local <name> login-password <string> The login-password <string> parameter value


3. Set an administrator password.

Command Function

set user {local|radius}<name> admin-password<string>

The admin-password <string> parameter value


4. Enable the web network management function (by default, this function is disabled)and set a listening port.

Command Function

set web enable Enable the web network management function

(by default, this function is disabled).

set web listen-port < 80,1025-49151 > Set a listening port.

3-5



Note:

The default username is admin and the password is zhongxing. The administratorpassword is empty. If you log in as the administrator, the administrator password cannotbe empty. Set the administrator password in advance. The default HTTP listening portis 80.

For the detailed remote login and configuration through Web, refer to 6.8 Web.

3.2 Command ModesTo facilitate the configuration and management of the switch, the commands of theZXR10 2900E series switches are allocated to different modes according to functions andpermissions. A command can be executed only in the specified mode.

The command modes are listed as follows:

User ModeAfter logging in to the switch through HyperTerminal, Telnet or SSH, you can enter usermode after entering your login username and password. The prompt in user mode is thehost name followed by “>”, which is shown as follows:

zte>

The default host name is zte. You can modify the host name by running the hostname<name> command. The name length consists of at most 200 characters.

In user mode, you can run the exit command to exit the switch configuration or run theshow command to view the system configuration and operation information.

Note:

The show command can be executed in any mode.

Global Configuration ModeIn user mode, you can enter the enable command and the corresponding password to enterglobal configuration mode, which is shown as follows:

zte>enable

Password:***

zte(cfg)#

3-6



In global configuration mode, you can configure various functions of the switch. Thepassword for entering global configuration mode must be set by running the set user local<name> admin-password [<string>] command to prevent login of unauthorized users.

To return to user mode from global configuration mode, run the exit command.

SNMP Configuration ModeIn global configuration mode, you can run the config snmp command to enter SNMPconfiguration mode, which is shown as follows:

zte(cfg)#config snmp

zte(cfg-snmp)#

In SNMP configuration mode, you can set the SNMP and RMON parameters.

To return to global configuration mode from SNMP configuration mode, run the exitcommand or press Ctrl+Z.

Layer-3 Configuration ModeIn global configuration mode, you can run the config router command to enter layer-3configuration mode, which is shown as follows:

zte(cfg)#config router

zte(cfg-router)#

In layer-3 configuration mode, you can configure the layer-3 port, static router, and ARPentity.

To return to global configuration mode from layer-3 configuration mode, run the exitcommand or press Ctrl+Z.

File System Configuration ModeIn global configuration mode, you can run the config tffs command to enter file systemconfiguration mode, which is shown as follows:

zte(cfg)#config tffs

zte(cfg-tffs)#

In file system configuration mode, you can perform the following operations on the filesystem of the switch, including

l adding files or directoriesl deleting files or directoriesl modifying file namesl displaying files or directoriesl changing file directoriesl uploading/downloading files through TFTPl uploading/downloading files through FTPl copying filesl formatting the Flash memory

3-7



l upgrading firmware

To return to global configuration mode from file system configuration mode, run the exitcommand or press Ctrl+Z.

NAS Configuration ModeIn global configuration mode, you can run the config nas command to enter NASconfiguration mode, which is shown as follows:

zte(cfg)#config nas

zte(cfg-nas)#

In NAS configuration mode, you can configure the access service of the switch, includinguser access authentication and management.

To return to global configurationmode fromNAS configurationmode, run the exit commandor press Ctrl+Z.

Cluster Management Configuration ModeIn global configuration mode, you can run the config group command to enter clustermanagement configuration mode, which is shown as follows:

zte(cfg)#config group

zte(cfg-group)#

In cluster management configuration mode, you can configure the cluster managementservice of the switch.

To return to global configuration mode from cluster management configuration mode, runthe exit command or press Ctrl+Z.

Basic Ingress ACL Configuration ModeIn global configuration mode, you can run the config ingress-acl basic number <1-99>command to enter basic ingress ACL configuration mode, which is shown as follows:

zte(cfg)#config ingress-acl basic number 10

zte(ingress-basic-acl)#

In basic ingress ACL configuration mode, you can add, delete and move rules for aspecified basic ingress ACL.

To return to global configuration mode from basic ingress ACL configuration mode, run theexit command or press Ctrl+Z.

Extended Ingress ACL Configuration ModeIn global configuration mode, you can run the config ingress-acl extend number <100-199>command to enter extended ingress ACL configuration mode, which is shown as follows:

zte(cfg)#config ingress-acl extend number 100

zte(ingress-extend-acl)#

3-8



In extended ingress ACL configuration mode, you can add, delete and move rules for aspecified extended ingress ACL.

To return to global configuration mode from extended ingress ACL configuration mode, runthe exit command or press Ctrl+Z.

Layer-2 Ingress ACL Configuration ModeIn global configuration mode, you can run the config ingress-acl link number <200-299>command to enter layer-2 ingress ACL configuration mode, which is shown as follows:

zte(cfg)#config ingress-acl link number 200

zte(ingress-link-acl)#

In layer-2 ingress ACL configuration mode, you can add, delete and move rules for aspecified layer-2 ingress ACL.

To return to global configuration mode from layer-2 ingress ACL configuration mode, runthe exit command or press Ctrl+Z.

Hybrid Ingress ACL Configuration ModeIn global configuration mode, you can run the config ingress-acl hybrid number <300-399>command to enter hybrid ingress ACL configuration mode, which is shown as follows:

zte(cfg)#config ingress-acl hybrid number 333

zte(ingress-hybrid-acl)#

In hybrid ingress ACL configuration mode, you can add, delete and move rules for aspecified hybrid ingress ACL.

To return to global configuration mode from hybrid ingress ACL configuration mode, runthe exit command or press Ctrl+Z.

Global Ingress ACL Configuration ModeIn global configuration mode, you can run the config ingress-acl global command to enterglobal ingress ACL configuration mode, which is shown as follows:

zte(cfg)#config ingress-acl global

zte(ingress-global-acl)#

In global ingress ACL configuration mode, you can add, delete and move rules for aspecified global ingress ACL.

To return to global configuration mode from global ingress ACL configuration mode, runthe exit command or press Ctrl+Z.

Basic Egress ACL Configuration ModeIn global configuration mode, you can run the config egress-acl basic number <400-499>command to enter basic egress ACL configuration mode, which is shown as follows:

zte(cfg)#config egress-acl basic number 400

zte(egress-basic-acl)#

3-9



In basic egress ACL configuration mode, you can add, delete and move rules for a basicegress ACL.

To return to global configuration mode from basic egress ACL configuration mode, run theexit command or press Ctrl+Z.

Extended Egress ACL Configuration ModeIn global configuration mode, you can run the config egress-acl extend number <500-599>command to enter extended egress ACL configuration mode, which is shown as follows:

zte(cfg)#config egress-acl extend number 500

zte(egress-extend-acl)#

In extended egress ACL configuration mode, you can add, delete and move rules for aspecified extended egress ACL.

To return to global configuration mode from extended egress ACL configuration mode, runthe exit command or press Ctrl+Z.

Layer-2 Egress ACL Configuration ModeIn global configuration mode, you can run the config egress-acl link number <600-699>command to enter layer-2 egress ACL configuration mode, which is shown as follows:

zte(cfg)#config egress-acl link number 600

zte(egress-link-acl)#

In layer-2 egress ACL configuration mode, you can add, delete and move rules for aspecified layer-2 egress ACL.

To return to global configuration mode from layer-2 egress ACL configuration mode, runthe exit command or press Ctrl+Z.

Hybrid Egress ACL Configuration ModeIn global configuration mode, you can run the config egress-acl hybrid number <700-799>command to enter hybrid egress ACL configuration mode, which is shown as follows:

zte(cfg)#config egress-acl hybrid number 700

zte(egress-hybrid-acl)#

In hybrid egress ACL configuration mode, you can add, delete and move rules for aspecified hybrid egress ACL.

To return to global configuration mode from hybrid egress ACL configuration mode, runthe exit command or press Ctrl+Z.

Mac-Based-Vlan Configuration ModeIn global configuration mode, you can run the config mac-based-vlan session <1-64>command to enter Mac-Based-Vlan configuration mode, which is shown as follows:

zte(cfg)#config mac-based-vlan session 1

zte(mac-based-vlan)#

3-10



In Mac-Based-Vlan configurationmode, you can add or delete rules for a specified session.

To return to global configuration mode from Mac-Based-Vlan configuration mode, run theexit command or press Ctrl+Z.

User-Defined Ingress ACL Configuration ModeIn global configuration mode, you can run the config ingress-acl user-define number <801-828> command to enter user-defined ingress ACL configuration mode, which is shown asfollows:

zte(cfg)#config ingress-acl user-define number 811

zte(ingress-user-define-acl)#

In user-defined ingress ACL configuration mode, you can add, delete, or move the rulesof ACLs with the specified ACL numbers.

To return to global configuration mode from user-defined ingress ACL configuration mode,run the exit command or press Ctrl+Z.

3.3 Common Command ParametersFor common command parameters of the ZXR10 2900E, refer to Table 3-2.

Table 3-2 Common Command Parameters

Parameter Description

<portlist> Port number, port name or port number range separated by a

comma, for example:

l 1, 2, 4-8, 18

l p1, pp2, 4-8, port18

The p1, pp2, port18 are port names created by users.

Slot ID is added before the port ID of the devices supporting

subcards. For example, for the ZXR10 2928E-PS device, the

port list is as follows:

l 1/1, 1/2, 1/4-8, 1/18

l 2/1, 2/2

<vlanlist> VLAN ID, VLAN name or VLAN range separated by a comma,

for example:

l 1-19,77,88,100-900

l vlan1,v1,10,100-200

<trunklist> Trunk ID or trunk range separated by a comma, for example,

1-5, 7, 10.

<portname> One port number or port name can be entered once.

<vlanname> One VLAN ID or VLAN name can be entered once.

<trunkid> One trunk ID can be entered once.

3-11




<HH.HH.HH.HH.HH.HH> MAC address, for example, 00.22.33.44.55.66.

<A.B.C.D> IP address, for example, 10.40.47.254.

<A.B.C.D/M> IP address and mask bits. M must be an integer from 1 to 32,

for example, 10.40.47.254/24.

<string> String without spaces.

<mib-oid> Dotted decimal numeral with a variable length, for example,

1.3.6.2.19.2.

<name> String without spaces.

<sessionlist> Session list.

3.4 Usage of Command LineOnline HelpIn any command mode, enter a question mark (?) at the system prompt. A list of availablecommands in the command mode will be displayed. You can also use the online help toget keywords and parameters of any command.

1. In any command mode, enter a question mark "?" at the system prompt. A list of allcommands in the mode and a brief description of the commands are displayed. Forexample,zte>?

enable enable configure mode

exit exit from user mode

help description of the interactive help system

show show config information

list print command list

zte>

2. Enter a question mark (?) after a character or string. A list of commands or keywordsstarting with the character or string is displayed. It is noted that there is no spacebetween the character (string) and the question mark. For example,zte(cfg)#c?

cfm clear config cpu-threshold createconfig clear create

zte(cfg)#c

3. Enter a question mark (?) after a command, keyword or parameter. The next keywordor parameter to be entered is listed, and its brief description is also displayed. Forexample,zte(cfg)#config ?

egress-acl enter egress acl config mode

group enter group management config mode

ingress-acl enter ingress acl config mode

3-12



mac-based-vlan enter mac-based vlan config mode

nas enter nas config mode

router enter router config mode

snmp enter SNMP config mode

tffs enter file system config mode

Note:

A space must be entered before the question mark (?).

4. If a wrong command, keyword, or parameter is entered, and the Enter key is pressed,a message “Command not found” is displayed. For example,zte(cfg)#conf ter

% Command not found (0x40000034)

In the following example, the online help is used to create a username.

zte(cfg)#cre?

zte(cfg)#create ?

acl create descriptive name for acl

cfm create CFM information

port create descriptive name for port

protocol-protect create a rule for protocol protect

user create a user

vlan create descriptive name for vlan

zte(cfg)#create user

% Parameter not enough (0x4000003f)

zte(cfg)#create user ?

<string>

user name(maxsize:15)

zte(cfg)#create user houyx ?

admin create an administrator

guest create a guest

zte(cfg)#create user houyx guest ?

<cr>

<0-15> specify user's priviledge

zte(cfg)#create user houyx guest

zte(cfg)#

<cr>

Command AbbreviationsIn the ZXR10 2900E, a command or keyword can be abbreviated as a character or stringthat uniquely identifies this command or keyword. For example, the command exit can beabbreviated as ex, and the command show port abbreviated as sh por.

3-13



Command HistoryThe user interface supports the function of recording entered commands. A maximum of20 historical commands can be recorded. The function is very useful for recalling a longor complicated command.

To recall commands from the history buffer, perform one of the following actions.

Keystroke Function

Ctrl+P or the up arrow key Recall commands in the history buffer, beginning with the most

recent command. Repeat the key sequence to recall successive

older commands.

Ctrl+N or the down arrow key Return to more recent commands in the history buffer after

recalling commands with Ctrl+P or the up arrow key. Repeat the

key sequence to recall successively more recent commands.

Editing Commands Through KeystrokesFor the keystrokes that you need to edit command lines, refer to Table 3-3.

Table 3-3 Editing Commands Through Keystrokes

Keystroke Purpose

Ctrl+P or the up arrow key Recall commands in the history buffer, beginning with the

most recent command. Repeat the key sequence to recall

successive older commands.

Ctrl+N or the down arrow key Return to more recent commands in the history buffer

after recalling commands with Ctrl+P or the up arrow key.

Repeat the key sequence to recall successively more recent

commands.

Ctrl+B or the left arrow key Move the cursor back one character.

Ctrl+F or the right arrow key Move the cursor forward one character.

Tab After entering a character or string, if there is only one

command starting with the character or string, pressing this

key will show the complete command.

Ctrl+A Move the cursor to the beginning of the command line.

Ctrl+E Move the cursor to the end of the command line.

Ctrl+K Delete all characters from the cursor to the end of the

command line.

Backspace or Ctrl+H Delete the character on the left of the cursor.

Ctrl+C Cancel the command and display the prompt.

Ctrl+L Redisplay the current command line.

Ctrl+Y Recall the most recent entry in the buffer.

3-14



Keystroke Purpose

Ctrl+H Return to global configuration mode.

If the command output has more lines than can be displayed on the terminal screen, theoutput is split into several pages automatically and the prompt “—– more —– Press Q or<Ctrl+C> to break —–” is displayed at the bottom of the current page. You can pressReturn to scroll down one line, or Space to scroll down one screen. To stop the output,press Q or Ctrl+C.

3-15




3-16


Chapter 4System ManagementTable of Contents

File System Management...........................................................................................4-1Configuring the TFTP Server......................................................................................4-3Configuring the FTP Server ........................................................................................4-4Importing and Exporting the Configuration File ...........................................................4-7Backing Up and Recovering Files...............................................................................4-7Downloading the Software Version Automatically .......................................................4-8Configuring Automatic Saving of a Configuration File ...............................................4-10Upgrading the Software Version ...............................................................................4-11File System Configuration Commands......................................................................4-15

4.1 File System ManagementIn the ZXR10 2900E, the Flash memory is the major storage device. Both the version fileand configuration file of the switch are saved in the Flash memory. Operations, such asversion upgrade and configuration saving, should be conducted in the Flash memory.

l The name of the version file is zImage. By default, it is saved in the /img directory.l The name of the configuration file is startrun.dat. By default, it is saved in the

/cfg directory.

The ZXR10 2900E supports backing up and restoring versions and configuration filesthrough TFTP, FTP and SFTP. For SFTP configuration and operation, refer to 6.2 SSH.

When the zImage file is downloaded or uploaded), or when the zImage_bak file isrestored to the ZXR10 2900E, CRC is performed after file transmission is completed. If afile does not pass the check, the file is deleted.

Directory ManagementThe file system can be used to create and delete directories, display the current workingdirectory, and display the information about subdirectories or files under a specifieddirectory.

For the procedure to manage file system directories, refer to the table below:

Step Command Function

1 zte(cfg)#config tffs Enters file system

configuration mode.

2 zte(cfg-tffs)#md <directory name> Creates a directory.

4-1




3 zte(cfg-tffs)#rename <file-name> <file-name> Modifies the directory name.

4 zte(cfg-tffs)#cd <directory name> Changes the current directory,

and opens this directory.

5 zte(cfg-tffs)#ls Lists the current directories.

You can run the remove <file-name> command to delete a specified directory. The img, cfg, and data directories created by default and all non-empty directories cannot be deleted.

File ManagementThe file system can be used to delete a specified file, rename a file name, copy a file anddisplay the file information.

For the procedure to manage file system files, refer to the table below:



configuration mode.

2 zte(cfg-tffs)#rename <file-name> <file-name> Changes a file name.

3 zte(cfg-tffs)#copy <source-pathname> <dest-pathname> Copies a file.

4 zte(cfg-tffs)#ls Lists current files.

You can run the remove <file-name> command to delete a specified file.

Version Download/Upload Through TFTPStart the TFTP server, enter file system configuration mode, and back up or recover theversion file and configuration file of the switch through TFTP.

For the procedure to download or upload a version file through TFTP, refer to the tablebelow:



configuration mode.

2 zte(cfg-tffs)#cd <directory name> Enters the directory.

zte(cfg-tffs)#tftp <A.B.C.D> download<remote-file-name>[<local-file-name>]

3

zte(cfg-tffs)#tftp <A.B.C.D> upload <local-file-name

>[<remote-file-name>]

Downloads or uploads the

version file through TFTP.

4-2


Chapter 4 System Management

Version Download/Upload Through FTPStart the FTP server, enter file system configuration mode, and back up or recover theversion file and configuration file of the switch through FTP.

For the procedure to download or upload a version file through FTP, refer to the tablebelow:



configuration mode.

2 zte(cfg-tffs)#cd <directory name> Enters the directory.

3 zte(cfg-tffs)#ftp <A.B.C.D><remote-file-name>{do

wnload|upload}<local-file-name> username <string>

password <string>

Downloads or uploads the

version file through FTP.

Flash Formatting

Caution!

After the Flashmemory is formatted, all system software and configurations will be cleared.

For the procedure to format the Flash memory, refer to the table below:


1 zte(cfg)#config tffs Enters file system configuration mode.

2 zte(cfg-tffs)#format Formats the Flash.

4.2 Configuring the TFTP Server

The switch version file and configuration file can be backed up or recovered through TFTP.The TFTP server application software is started at the back end to communicate with theswitch (TFTP client) to implement file backup and recovery. This procedure describeshow to configure the back-end TFTP server using TFTP server software (TFTPD) as anexample.

Steps1. Run the Tftpd software at the back-end computer. The TFTP server window is

displayed, see Figure 4-1.

4-3



Figure 4-1 TFTP Server

2. Select Tftpd > Configure. The Tftpd Settings dialog box is displayed, see Figure4-2.

Figure 4-2 Tftpd Settings Dialog Box

3. Click the Browse button on the upper side of the dialog box and select a directory tosave the version file or configuration file.

4. Click the Browse button on the lower side of the dialog box to select a log file, andthen click OK to complete the configuration.

– End of Steps –

4.3 Configuring the FTP Server

4-4



The switch version file and configuration file can be backed up or recovered through FTP.The FTP server application software is started at the back end to communicate with theswitch (FTP client) to implement file backup and recovery. This procedure describes howto configure the back-end FTP server using FileZilla Server (FTP server software) as anexample.

Steps1. Run the FileZilla Server software on the back-end computer. The Connect to Server

dialog box is displayed, see Figure 4-3.

Figure 4-3 Connect to Server Dialog Box

2. SetServer Address, Port andAdministration password, and clickOK. The FileZillaServer window is displayed, see Figure 4-4.

Figure 4-4 FileZilla Server Window

3. Select Edit > Users. The Users dialog box is displayed, see Figure 4-5. Create auser name and password.

4-5



Figure 4-5 Users Dialog Box

4. Select Shared folders in the left area and set a primary directory for the new user,see Figure 4-6.

Figure 4-6 Directory Setting

4-6



Note:

The application scenarios for FTP and TFTP are the same, including configuration fileimport and export, and automatic software version download.

– End of Steps –

4.4 Importing and Exporting the Configuration FileThe ZXR10 2900E switch provides the configuration import/export function, whichfacilitates the switch configuration and management.

Exporting the ConfigurationIn global configuration mode, use the write command to export the current systemconfiguration to startrun.dat and save it in the Flash memory. This file can also beuploaded to the TFTP server for view, modification and bulk configuration.

zte(cfg-tffs)#cd cfg

zte(cfg-tffs)#tftp 192.168.1.102 upload startrun.dat

zte(cfg-tffs)#cd ..

Importing the Configurationstartrun.dat is a configuration file. It can be edited manually as needed anddownloaded to the /cfg directory of the ZXR10 2900E switch by using the tftp command.After the configuration file is downloaded to the Flash memory of the switch, reboot theswitch to import the configuration.


zte(cfg-tffs)#tftp 192.168.1.102 download startrun.dat

zte(cfg-tffs)#cd ..

4.5 Backing Up and Recovering FilesThe files mentioned in this topic refer to the configuration file and version file in the Flashmemory.

Backing Up the Configuration FileIf the switch configuration is modified, the data is running in the memory in real-time. If theswitch is restarted, all the new configuration data will be lost. To avoid this, use the writecommand to save the current configuration in the Flash memory. The following shows thewrite command:

zte(cfg)#write

4-7



To prevent damage to the configuration data, back up the configuration data by using thetftp command.

Run the following commands to upload the configuration file in the Flash memory to theback-end TFTP server:


zte(cfg-tffs)#tftp 192.168.1.102 upload startrun.dat

zte(cfg-tffs)#cd ..

Recovering the Configuration FileRun the following commands to download the configuration file in the back-end TFTPserver to the Flash memory:


zte(cfg-tffs)#tftp 192.168.1.102 download startrun.dat

zte(cfg-tffs)#cd ..

Backing Up the Version FileSimilar to the configuration file, you can use the tftp command to upload the front-endversion file to the back-end TFTP server. For example:

zte(cfg-tffs)#cd img

zte(cfg-tffs)#tftp 192.168.1.102 upload zImage

zte(cfg-tffs)#cd ..

Recovering the Version FileVersion file recovery is used to retransmit the back-end backup version file to the frontend through TFTP. Recovery is very important in the case of upgrade failure. The versionrecovery operation is basically the same as the version upgrade procedure.

4.6 Downloading the Software Version AutomaticallyThe automatic software version download function is used for an un-deployed device.

When the switch is powered on for the first time, it identifies that the automatic downloadflag is set (factory default setting) in the NVRAM and no configuration file exists, soautomatic download is triggered.

The switch obtains the version file name and/or the configuration file name by interactingwith a DHCP server, and downloads the files by interacting with a TFTP server. If thedownload succeeds (even if one file is downloaded successfully), the automatic downloadflag in the NVRAM is cleared and the switch is restarted.

For the relation between the file names transferred by the DHCP server and the triggereddownload operations, refer to the table below:

4-8



Name of the File to beDownloaded

Whether to Download theVersion File

Whether to Download theConfiguration File

zImage Yes No

config.dat No Yes

startrun.dat No Yes

*.dat No Yes

config.dat@zImage Yes Yes

startrun.dat@zImage Yes Yes

*.dat@zImage Yes Yes

In the above table, “*” is a wildcard indicating a device type. This means the configurationfile automatically adapts according to the device type.

The name of the file to be downloaded is a character string configured on the DHCP server,and it cannot be modified on the local computer.

By executing the show dhcp command, you can see the configuration file to be downloadedto the current device. For example, the ZXR10 2928E downloads the ZXR10_2928E.datfile from the TFTP server.

zte(cfg)#show dhcp

DHCP download flag is disabled, config file is found.

DHCP download will not startup, when system reboot.

DHCP config file(option-67) *.dat will be translated to ZXR10_2928E.dat.

DHCP snooping-and-option82 is disabled.

DHCP client is enabled.

DHCP client broadcast-flag is enabled.

The following table lists the complete adaptation relation:

ID Device Configuration File Name

1 ZXR10 2910E-PS ZXR10_2910E-PS.dat


3 ZXR10 2918E ZXR10_2918E.dat


5 ZXR10 2928E ZXR10_2928E.dat

6 ZXR10 2952E ZXR10_2952E.dat

4-9



Figure 4-7 Network Architecture for Automatic Configuration File Download

The network architecture is shown in Figure 4-7. Set the TFTP server address and versionfile name on the DHCP server. For example, set the TFTP server address to 10.40.89.78,and the file name to *.dat@zImage. After being powered on, the switch downloads ZXR102918E.dat (assuming that the device type is ZXR10 2918E) and zImage from the TFTPserver. After downloading the files successfully, the switch is restarted automatically.

4.7 Configuring Automatic Saving of a ConfigurationFile

The function of automatic saving of a configuration file helps you to upload the switchconfiguration to the back-end server.

The uploaded configuration files include startrun.dat and toPmac.dat. When thetime set by period is counted down to 0, the switch uploads the startrun.dat file to theTFTP server at a local time between 00:00 and 00:01, and uploads the toPmac.dat fileafter one minute. The automatically uploaded files are stored in the flash sub-folder inthe theupload/download directory configured by the TFTP server. The names of thefiles respectively are startrun mm_dd_yy.dat and toPmac mm_dd_yy.dat, where“mm”, “dd”, and “yy” indicate the date on which the upload occurs.

Figure 4-8 Network Structure for Automatic Configuration File Upload

4-10



The network is shown in Figure 4-8. Before configuring the following commands, makesure that the switch can ping the server successfully. Assume that the IP address of theTFTP server is 10.40.89.78, and the configuration is saved to the server every 10 days.The configuration commands are as follows:

zte(cfg)#set auto-saveconfig serverip 10.40.89.78

zte(cfg)#set auto-saveconfig period 10

zte(cfg)#set auto-saveconfig enable

Caution!

The enable command should be configured after serverip is configured. If serverip is notconfigured, the system displays a message, prompting that the automatic upload functioncannot be enabled. If a communication exception occurred between the switch and theserver when the upload function was triggered last time, the configuration file cannot beuploaded successfully this time. The system uploads the configuration files when the nexttriggering time comes.

4.8 Upgrading the Software Version

Note:

Normally, version upgrade is needed only when the original version does not support somefunctions or the switch operates abnormally due to some special causes. Improper versionupgrade operations may result in upgrade failure and startup failure of the system. So,before version upgrade, get familiar with the principles and operations of the ZXR10 2900Eand master the upgrade procedure.

Version upgrade operations performed in proper and improper switch systems aredifferent.

Displaying the Version InformationIf the system status allows, check the version information before and after the upgrade.

In global configuration mode, use the show version command to display the systemhardware and software version information.

The displayed contents are as follows:

zte(cfg)#show version

ZXR10 Router Operating System Software, ZTE Corporation:

ZXR10 2928E Version Number : 2928E Series V2.05.11B04

4-11



Copyright (c) 2001-2013 By ZTE Corporation

Compiled: 11:14:25 Aug 27 2013

System uptime is 0 years 1 days 13 hours 20 minutes 46 seconds

Main processor : arm926ejs

Bootrom Version : v2.03 Creation Date : Aug 27 2013

System Memory : 128 M bytes System Flash : 256 M bytes

EPLD Version (Dno.) : V1.0

PCB Version (Dno.) : V1.0

Product Version(Dno.): V1.0

Image Down From : Flash

Image Down Username : N/A

Image Down Time : N/A

Image Down Size : 10262580 bytes

Onboard temperature : 38.0 degree centigrade(100.0 degree fahrenheit)

Startup From : /img/zImage

Switch's Mac Address : 00.d0.d0.ff.00.86

Module 0: ZXR10 2928E; fasteth: 0; gbit: 48;

Upgrading the Version When the System is NormalIf the switch operates properly, upgrade the version as follows:

1. Connect the console port of the switch to the serial port of the back-end computer byusing a provided configuration cable. Connect an Ethernet port of the switch to thenetwork port of the back-end computer by using a network cable. Ensure that theconnections are correct.

2. Set the IP address of the Ethernet port on the switch. Set the IP address of theback-end computer used for upgrade. The two IP addresses must be in the samenetwork segment so that the computer can ping the switch successfully.

3. Start the TFTP server software on the back-end computer and configure it by referringto 4.2 Configuring the TFTP Server.

4. On the switch, use the show version command to check the information of currentoperating version.

5. Enter file system configuration mode and use the remove command to delete the oldversion file in the Flash memory. If the Flash memory has sufficient space, change thename of the old version file and keep it in the Flash memory.zte(cfg)#config tffs

zte(cfg-tffs)#cd img

zte(cfg-tffs)#remove zImage

zte(cfg-tffs)#cd ..

6. Use the tftp command to upgrade the version. The following shows how to downloadthe version file from the TFTP server to the Flash memory:zte(cfg-tffs)#cd img

zte(cfg-tffs)#tftp 10.40.89.78 download zImage

.................................................

4-12



.................................................

.................................................

7,384,016 bytes downloaded

zte(cfg-tffs)#ls

zte(cfg-tffs)#ls

/img/

. <DIR>

.. <DIR>

zImage 7,536,884 bytes

240,568,768 bytes free

7. Restart the switch. After successful startup, check the operating version and confirmwhether the upgrade is successful.

Upgrading the Version When the System is AbnormalIf the switch cannot be started normally or runs abnormally, upgrade the version as follows:

1. Connect the console port of the switch to the serial port of the back-end computer byusing a provided configuration cable. Connect an Ethernet port of the switch to thenetwork port of the back-end computer by using a network cable. Ensure that theconnections are correct.

2. Restart the switch. On the HyperTerminal, press any key as prompted to enter ZXR10Boot status.ZXR10 2928E BootRom Version v1.08

Compiled Feb 27 2012 10:32:29

Copyright (c) 2010 by ZTE Corporation.

boot location [0:Net,1:Flash] : 0

actport : 1

serverip : 10.40.89.78

netmask : 255.255.255.0

ipaddr : 10.40.89.100

bootfile : /img/zImage

username : ZXR10

password : 123456

MAC : 00:d0:d0:3c:3b:00

[ZXR10 Boot]

3. Enter c in ZX10 Boot status and pressEnter to enter the parameter modification status.Set the IP addresses of the Ethernet port and the TFTP server. The two addressesare set to be in the same network segment.[ZXR10 Boot]: c


/*start by tftp or Flash */

actport : 1

/*select the port enabled by tftp*/

serverip : 10.40.89.78

/*ftp/tftp server address*/

4-13



netmask : 255.255.255.0

/*subnet mask*/

ipaddr : 10.40.89.79

/*local interface address*/


/*version file location*/

username : ZXR10

/*username used when the file is downloaded through ftp*/

password : ZXR10

/*password used when the file is downloaded through ftp*/

MAC : 00:d0:d0:30:20:10

/*MAC address of the switch*/

4. Set the IP address of the back-end computer to be the same as that of the TFTP server.5. Start the TFTP server software on the back-end computer and configure the TFTP by

referring to 4.2 Configuring the TFTP Server.6. In ZX10 Boot status, enter zte to enter BootManager status of the switch. Enter ? to

display the command list for this status.[ZXR10 Boot]:zte

[bootManager]: ?

? - alias for 'help'

cd - change current path

exit - exit from bootManager mode

format - format flash

ftp - get/put file from/to FTP server

help - print online help

l - load zImage

ls - list files in current directory

mv - change [source] name to [destination] name

reboot - perform REBOOT of the CPU

rm - remove file

setBOOTpassword - set password for BOOT mode

setPtype- set packaged type

show - show board information

update - update boot or firmware

[bootManager]:

7. In BootManager status, run the reboot command to restart the switch and load thenew version file. The following shows how to download the version file from the TFTPserver to the Flash memory:

FTP directory format: ftp get<filename>. The file will be downloaded to the currentdirectory. If you want to check the current directory, use the ls command. The portaddress used by FTP and port information can be modified in the c directory in ZX10Boot. Take port 1 as an example.


actport : 1

4-14



serverip : 10.40.89.78

netmask : 255.255.255.0

ipaddr : 10.40.89.79


username : ZXR10

password : ZXR10

MAC : 00:d0:d0:30:20:10

Hit any key to stop autoboot: 0

[ZXR10 Boot]:

[ZXR10 Boot]:zte

[bootManager]: cd img

[bootManager]: ftp get zImage

............................................

............................................

............................................

Ftp get zImage successfully, 7397428 bytes received.

[bootManager]:

8. In BootManager status, use the reboot command to restart the switch by using the newversion. If the switch is started normally, use the show version command to verify thatthe new version is operating in the memory. If the switch cannot be started normally, itindicates that the version upgrade has failed. In this case, repeat the above upgradeprocedure from step 1.

4.9 File System Configuration CommandsFile system configuration includes the following commands:

Command Function

zte(cfg-tffs)#md <directory name> Creates a directory.

zte(cfg-tffs)#remove <file-name> Deletes a file or directory.

zte(cfg-tffs)#rename <file-name><file-name> Modifies a file or directory name.

zte(cfg-tffs)#ls Displays a sub-directory and file.

zte(cfg-tffs)#cd <directory name> Changes the current directory.

zte(cfg-tffs)#tftp <A.B.C.D>{download | upload}<remote-file-n

ame>[<local-file-name>]

Uploads or downloads files to/from

the TFTP server.

zte(cfg-tffs)#tftp commander {download | upload}<remote

-file-name>[<local-file-name>]

Uploads or downloads files to/from

the cluster commander.

zte(cfg-tffs)#copy <source-pathname><dest-pathname> Copies files.

zte(cfg-tffs)#format Formats the Flash memory.

zte(cfg-tffs)#update bootrom Updates the bootrom.

4-15



Command Function

zte(cfg)#set dhcp download{enable | disable} Enables or disables the automatic

download function of a DHCP

client.

zte(cfg)#set auto-saveconfig {enable | disable} Enables or disables the system

to automatically upload the

configuration file to a TFTP server.

zte(cfg)#set auto-saveconfig serverip <A.B.C.D> Sets the IP address of the

TFTP server to which the

system automatically uploads the

configuration file.

zte(cfg)#set auto-saveconfig period <1-30> Sets the interval for automatically

uploading the configuration file

(unit: day).

show auto-saveconfig (all configuration modes) Displays the status of the

automatic upload function.

4-16


Chapter 5Service ConfigurationTable of Contents

Management Configuration ........................................................................................5-2Port Configuration ......................................................................................................5-6PoE Configuration ......................................................................................................5-8Port Mirroring ...........................................................................................................5-11MAC Address Table Operation .................................................................................5-13LACP Configuration..................................................................................................5-17IGMP Snooping Configuration ..................................................................................5-20MLD Snooping Configuration....................................................................................5-24IPTV Configuration ...................................................................................................5-27STP Configuration....................................................................................................5-34ACL Configuration....................................................................................................5-43QoS Configuration....................................................................................................5-53PVLAN Configuration ...............................................................................................5-60Layer 2 Protocol Transparent Transmission Configuration........................................5-63IPv4 Layer 3 Configuration .......................................................................................5-65IPv6 Layer 3 Configuration .......................................................................................5-68DAI Configuration.....................................................................................................5-69Access Service Configuration...................................................................................5-71MAC Authentication Configuration............................................................................5-79QinQ Configuration...................................................................................................5-80SQinQ Configuration ................................................................................................5-82VLAN Configuration..................................................................................................5-84VLAN Mapping Configuration ...................................................................................5-87Syslog Configuration ................................................................................................5-89NTP Configuration....................................................................................................5-91GARP/GVRP Configuration......................................................................................5-93DHCP Configuration.................................................................................................5-95DHCPv6 Configuration ...........................................................................................5-101VBAS Configuration ...............................................................................................5-104PPPoE-PLUS Configuration ...................................................................................5-106ZESR Configuration ...............................................................................................5-108ZESS Configuration................................................................................................5-121OAM Configuration.................................................................................................5-126sFlow Configuration................................................................................................5-132PP Configuration ....................................................................................................5-133LLDP Configuration ................................................................................................5-135Single Port Loop Detection Configuration ...............................................................5-137

5-1



UDLD Configuration ...............................................................................................5-140TACACS+ Configuration.........................................................................................5-143Time Range Configuration......................................................................................5-145Voice VLAN Configuration ......................................................................................5-146802.1ag Configuration ............................................................................................5-148Y.1731 Configuration ..............................................................................................5-154MAC-based VLAN Command Configuration ...........................................................5-159DHCP Relay Configuration.....................................................................................5-160MFF Configuration..................................................................................................5-164SSL Configuration ..................................................................................................5-167ERPS Configuration ...............................................................................................5-171Debug Module Configuration ..................................................................................5-178

5.1 Management ConfigurationManagement Configuration OverviewManagement configuration includes the following configurations:

1. Mode switching configuration2. Console attribute configuration3. Global information configuration4. Switch user access configuration

Configuring the Management ServiceThe configuration of management service includes the following commands:

Command Function

zte(cfg)#config group Enters cluster management configuration mode

zte(cfg)#config router Enters layer-3 interface configuration mode.

zte(cfg)#config snmp Enters SNMP configuration mode.

zte(cfg)#config tffs Enters file system configuration mode.

zte(cfg)#config nas Enters service configuration mode.

zte(cfg)#config mac-based-vlan Enters MAC-based VLAN configuration mode.

exit (All configuration mode) Returns to the original command line mode.

zte>enable Enters global configuration mode from user

configuration mode.

list (all configuration modes) Lists all valid configuration commands in the current

mode.

zte(cfg)#set auto-reset <2-120> Sets automatic logout time of the switch console.

zte(cfg)#line-vty timeout <1-12> Sets login timeout time of the Telnet user.

5-2


Chapter 5 Service Configuration

Command Function

zte(cfg)#set date <yyyy-mm-dd> time<hh:mm:ss>

Sets date and time of the switch.

zte(cfg)#set date summer-time {one-year |

repeating}{date <yyyy-mm-dd><hh:mm:ss><yyyy-mm-dd><hh:mm:ss>| week <week><day><month><year><hh:mm:ss><week><day><mo

nth><year><hh:mm:ss>}[<60-1440>]

Sets the period when the daylight saving time is used.

zte(cfg)#clear summer-time Deletes the configuration of the daylight saving time.

zte(cfg)#hostname <name> Sets or changes the host name.

zte(cfg)#promptlen <0-48> Sets the length of the host name.

zte(cfg)#sysLocation <string> Sets the location information of the switch.

zte(cfg)#reboot Reboots the switch immediately.

zte(cfg)#reboot-time <hh:mm> Sets the time when the switch is rebooted.

zte(cfg)#telnet <A.B.C.D>[<A.B.C.D>] Logs in to the Telnet server. You can select the source

address.

zte(cfg)#create user <name>{admin |

guest}[<0-15>]

Creates a new local user.

zte(cfg)#set loginauth {local |

radius|local+radius|radius+local|tacacs-plus|

local+tacacs-plus | tacacs-plus+local}

Sets the login authentication mode.

zte(cfg)#set user local <name>

login-password [<string>]

Sets the login password for the local user.

zte(cfg)#set adminauth {local|radius|lo

cal+radius|radius+local|none|tacacs-plus|

local+tacacs-plus|tacacs-plus+local}

Sets the management authentication mode.

zte(cfg)#set user local <name>

admin-password [<string>]

Sets the management password for the local user.

zte(cfg)#set user radius purview {admin |

guest}

Sets the RADIUS authentication user login authority.

zte(cfg)#set user radius admin-password

[<string>]

Sets the management password for the RADIUS user.

zte(cfg)#set user tacacs-plus purview

{admin | guest}

Sets login permissions for the TACACS+

authentication user.

zte(cfg)#set user tacacs-plus

admin-password [<string>]

Sets the management password for the TACACS+

user.

zte(cfg)#set user multi-user {enable |

disable}

Sets the multi-user login function.

5-3



Command Function

zte(cfg)#cpu-threshold <30-90> Sets the CPU usage threshold.

zte(cfg)#mem-threshold <60-90> Sets the memory usage threshold.

zte(cfg)#write Saves the current configuration information to the

Flash memory and recovers the information when the

switch is rebooted.

zte(cfg)#clear user <name> Deletes a user.

zte(cfg)#clear reboot-time Clears automatic reboot configuration.

zte(cfg)#terminal monitor {on | off} Allows or forbids printing the real-time alarm log

information to the terminal.

zte(cfg)#terminal log {on | off} Allows or forbids writing logs.

zte(cfg)#terminal log toFile Saves logs in the RAM to the Flash memory.

zte(cfg)#terminal log timer {enable | disable

| interval <1-720>}Sets automatic saving of log information.

zte(cfg)#set bootpassword to <string> Sets the password for logging in to boot mode.

zte(cfg)#set bootpassword clear Deletes the password for logging in to boot mode.

zte(cfg)#set fan mode {auto | manual} Sets the fan operating mode.

zte(cfg)#set fan speed Sets the fan operating speed.

zte(cfg)#readconfig <filename> Reads the local file on the device as the configuration.

zte(cfg)#set temperature-alarm <0-100> Sets the threshold for over-temperature alarms on

the switch.

zte(cfg)#clear terminal-log Clears log information.

zte(cfg)#terminal log module

{all|arp-inspection|dhcp|radius|AAA }{

off | on }

Allows/forbids writing logs of a module.

zte(cfg)#terminal monitor module {all|

arp-inspection|dhcp|radius|AAA }{ off | on }

Allows/forbids printing real-time alarm logs of a

module for the terminal.

show reset-time (all configuration modes) Displays automatic logout time setting of the switch

console.

show line-vty (all configuration modes) Displays Telnet user login timeout time setting.

show loginauth (all configuration mode) Displays login authentication mode.

show adminauth (all configuration modes) Displays management authentication state and

authentication mode.

show terminal (all configuration modes) Displays terminal log configuration information.

show terminal log (all configuration modes) Displays the terminal log information in RAM.

5-4



Command Function

show user (all configuration modes) Displays the user configured on the switch and current

login user information.

show version (all configuration modes) Displays the system information.

show running-config [{include | begin}<string>]

(all configuration modes)

Displays all non-default configuration of the current

system.

show start-config (all configuration modes) Displays all non-default configuration when the

system is written at last.

show date-time (all configuration modes) Displays the current date and time.

show reboot-time (all configuration modes) Displays automatic reboot configuration.

show cpu (all configuration modes) Displays CPU usage at the duration of 5 s, 30 s and 2

m.

show memory (all configuration modes) Displays the current RAM usage.

show fan (all configuration modes) Displays the fan status.

show summer-time (all configuration modes) Displays DST configuration.

show bootpassword (all configuration modes) Displays the password for logging in to boot mode.

show Etag (all configuration modes) Displays the electronic labels of devices.

show temperature (all configuration modes) Displays the device temperature.

list include <string> (all configuration modes) Displays the commands including a specific string.

show terminal log include <string> (all

configuration modes)

Displays alarm log information including a specific

string.

zte(cfg)#clear login session <sessionlist> Deletes sessions based on a session list.

zte(cfg)#clear running-config Deletes configuration except the device management

IP address configuration (configuration of all

layer-3 interfaces), log configuration, user account

configuration and banner configuration, saves the

modification, and restarts the system.

zte(cfg)#set banner filename Sets the banner displayed on the welcome screen.

The banner is stored in the system file, and spaces

are supported.

zte(cfg)#set banner endwith Sets the end identifier of the banner.

zte(cfg)#clear banner Clears the banner displayed on the welcome screen.

5-5



5.2 Port ConfigurationPort Configuration OverviewThe port parameters can be configured on the ZXR10 2900E. They includeauto-negotiation, duplex mode, rate and line detection. The commands include thefollowing types:

1. Port basic parameters configuration2. Port diagnosis3. Port information view

Configuring a PortThe port configuration includes the following commands:

Command Function

zte(cfg)#set port <portlist>{enable | disable} Enables or disables the port.

zte(cfg)#set port <portlist> work-mode {fiber |

copper | auto [ prefer {first-up | fiber | copper}]}

Sets the combo port to switch between the

electrical mode and the optical mode.

zte(cfg)#set port <portlist> phy-mode

{1000base-x | sgmii}]}

Controls switchover between 1000 Mbps optical

ports and electrical internal ports.

zte(cfg)#set port <portlist> speedadvertise

maxspeed

Sets the advertisement of the maximum port speed

duplex information.

zte(cfg)#set port <portlist> speedadvertise

{speed10 | speed100 | speed1000}{fullduplex |

halfduplex}

Sets the advertisement of the port speed duplex

information.

zte(cfg)#set port <portlist> duplex {full | half |

auto}

Sets the working mode of the port to full duplex

or half duplex.

zte(cfg)#set port <portlist> speed {10 | 100 |

1000 | auto}

Sets the speed of the port to 10 Mbps, 100 Mbps,

or 1000 Mbps, or auto.

zte(cfg)#set port <portlist>mdix {auto | normal

| crossover}

Sets the line sequence identification function.

zte(cfg)#set port <portlist> flowcontrol {enable

| disable}

Enables or disables the port flow control function.

zte(cfg)#set port <portlist> description<string>

Sets port description information.

zte(cfg)#set port <portlist> accept-frame {tag |

untag | all}

Sets the packet type that the port allows to accept.

zte(cfg)#set jumbo port <portlist>{enable |

disable }

Enables or disables the port jumbo function.

zte(cfg)#set port <portlist> pvid <1-4094> Sets a default port PVID.

5-6



Command Function

zte(cfg)#set port statistics mode {ingress |

egress | both}

Sets packet statistics mode.

zte(cfg)#set sleep-mode {enable | disable} Enables or disables the port sleep mode.

zte(cfg)#create port <portid> name <string> Creates a port name.

zte(cfg)#clear port <portlist>{name | statistics |

description| multicast-filter}

Clears the port name, port statistics data, port

description, and the multicast filter flag.

show port (all configuration modes) Displays the configuration and status information

of all ports.

show port [<portlist>] (all configuration modes) Displays port configuration and status information.

show port <portlist> statistics (all configuration

modes)

Displays the statistics of the current port.

show port <portlist> statistics [1min_unit |

5min_unit] (all configuration modes)

Displays port statistics data.

show port <portlist> utilization (all configuration

modes)

Displays port bandwidth utilization.

show port <portlist> brief (all configuration

modes)

Displays port brief information.

show port <portlist> vlan (all configuration

modes)

Displays the location of VLAN.

show jumbo (all configuration modes) Displays the jumbo configuration of all ports.

show jumbo [<portlist>] (all configuration modes) Displays port jumbo configuration information.

show vct port <portid> (all configuration modes) Displays port virtual line detection result.

show cable-diag (all configuration modes) Displays the up/down status of each port and VCT

detection result.

zte(cfg)#set port <portlist> protect {enable |

disable }

Enables or disables the port protection function.

zte(cfg)#set port <portlist> protect time<1-10>

Sets the port protection period in port protection

status.

zte(cfg)#set cable-diag {enable | disable } Enables or disables the function of virtual cables

detecting logs.

zte(cfg)#set mac protect port <portlist>{enable

| disable}

Enables or disables the port protection function.

zte(cfg)#set mac protect port <portlist> action

{shutdown | restrict | protect}

Sets the port protection action.

zte(cfg)#show mac protect port <portlist> Displays the port protection state.

5-7



5.3 PoE ConfigurationPoE Configuration OverviewPower over Ethernet (PoE) is an extended feature that supports network devices withEthernet electrical ports. The network devices (switches or routers) supporting the PoEfunction can provide power supply through Twisted Pair for remote Powered Devices(PDs) such as IP phones, WLAN Access Points (APs), or network cameras, whichrealizes remote power supply.

Ethernet remote power supply sometimes is named as network power supply. It is a typeof technology that delivers a little electricity and provides power supply through 10 BASE-Tand 100 BASE-TX.When the current Ethernet Cat.5 cabling basic structure is not changed,PoE can provide DC power supply for IP-based devices (such as IP phones, WLAN APs,or network cameras) when its data signals are transmitted. PoE technology can reducethe cost mostly when the current structural cabling security is ensured. Figure 5-1 showsa typical PoE application.

Figure 5-1 PoE Application

The ZXR10 2900E-PS series switch supports the following PoE features:

5-8



l The ZXR10 2900E-PS series switch includes ZXR10 2910E-PS, ZXR10 2918E-PSand ZXR10 2928E-PS. The device can provide power supply for the PD complyingwith 802.3af/802.3at standard, and the single port can provide up to 30 watts of power.

l The ZXR10 2900E-PS series switch supports both DC and AC power input. Whenthe ZXR10 2900E-PS series switch acts as the power supply, the maximum outputpower depends on the Redundant Power System (RPS) if the switch uses DC powerinput, or the maximum output power is 250 W if the switch uses AC power input. Apower module provides 400 W output power. To replace a power module, read theinstructions or name plate of the power module.

l The ZXR10 2900E-PS series switch provides the following configuration andmanagement functions for convenient use.1. Sets integrated device maximum output power.2. Sets port maximum output power.3. Sets port power supply priority. The system provides three types of priorities for

each port. When the total power of all ports exceeds themaximum output power ofthe ZXR10 2900E switch, the switch will decide which devices are to be poweredon according to port power supply priority. The port with a high power supplypriority will provide power in advance. The port with the lowest priority will stoppower supply. If the two ports have the same power supply priority, the priority ofport will be decided by its port number. The less the port number is, the higherthe priority is and the port is powered in advance.

4. Provides the monitoring function for fans.5. Provides various alarm information and exception monitoring and alarm report

mechanisms such as Terminal log, SNMP Trap and Syslog.

Configuring PoEThe PoE configuration includes the following commands:

Command Function

zte(cfg)#set poe port <portlist>{enable | disable} Enables or disables the port

function.

zte(cfg)#set poe port <portlist> pd-max-power {15.4 | 4.0 | 7.0

| ext.18 | ext.27 | ext.30}

Sets the maximum power supply

of the port.

zte(cfg)#set poe port <portlist> priority {critical | high | low} Sets the port power supply priority.

zte(cfg)#set poe port <portlist> forcepower {enable |disable} Enables or disables the port

force-power function.

zte(cfg)#set poe port <portlist> extend-detection {enable |disable} Enables or disables the port

extended detection function.

zte(cfg)#set poe power maxvalue <1–500>[threshold <0-30>] Sets device maximum output

power and protection threshold.

zte(cfg)#set poe port <port list> enable time-range <word> Enables the port PoE.

5-9



Command Function

show poe device (all configuration modes) Displays the PoE status of the

device.

show poe status [port <portlist>] (all configuration modes) Displays the PoE status of the

port.

show poe config [port <portlist>] (all configuration modes) Displays PoE configuration

information.

PoE Configuration Instancel Configuration Description

A DUT device is directly connected to a PD.

Configure a power supply device of PS type. The ZXR10 2910E-PS, ZXR102918E-PS and ZXR10 2928E-PS can be used as a power supply. Take ZXR102918E-PS as an example. It provides 15.4 watts of power supply complying with AFstandard for 16 ports, and provides about 13 watts of power to each PD.

l Configuration Procedurezte(cfg)#set poe port 1-16 pd-max-power 15.4

zte(cfg)#set poe port 1-16 priority low

zte(cfg)#set poe port 1-16 enable

l Configuration Verificationzte(cfg)#show poe status port 12

port: 12

power up : on

power device : delivering power

power device type : standard power device

802.3af classification : class 0

current-power : 12.9 watt

avgerage-power : 12.9 watt

peak-power : 13.0 watt

zte(cfg)#show poe status port 13

port: 13

power up : on

power device : delivering power

power device type : standard power device

802.3af classification : class 0

current-power : 13.2 watt

avgerage-power : 13.2 watt

peak-power : 13.2 watt

zte(cfg)#show poe device

PSE firmware version : ZTE 3.3

PSE max power : 250 watt

5-10



PSE power threshold : 10 watt

PSE current power : 207.1 watt

PSE average-power : 207.1 watt

PSE peak-power : 207.2 watt

PSE critical-power : 0 watt

From the results, we can see that the DUT device provides a power supply for the PDstably.

5.4 Port MirroringPort Mirroring OverviewPort mirroring is used to mirror data packets of the switch port (ingress mirroring port) to aningress destination port (ingress monitoring port), or mirror the data packets of the switchport (egress mirroring port) to an egress destination port (egress monitoring port).

By using mirroring, data packets flowing in or out of a certain port can be monitored. Portmirroring provides an effective tool for the maintenance and monitoring of the switch.

The ZXR10 2900E switch provides the Remote Switched Port Analyzer (RSPAN) function,that is, when the packet is sent from the destination port, the specified tag such as priorityor VID can be added, which provides support for remote mirroring.

Note:

By default, switches do not have mirroring ports or monitoring ports. The correct datapackets received by the ingress mirroring port are mirrored onto the monitoring ports, butdata packets directly discarded on the ingress port (for example, because of CRC errors)are not mirrored.

Configuring Port MirroringThe port mirroring configuration includes the following commands:

Command Function

zte(cfg)#set mirror session <1-3> add source-port<portlist>{ingress | egress}

Adds an egress or ingress

mirroring source port according to

the session.

zte(cfg)#set mirror session <1-3> add dest-port <1-28>{ingress| egress| rspan}

Adds an egress or ingress

mirroring destination port

according to the session.

5-11



Command Function

zte(cfg)#set mirror session <1-3> delete source-port<portlist>{ingress | egress}

Deletes an egress or ingress

monitoring port according to the

session.

zte(cfg)#set mirror session <1-3> delete dest-port<1-28>{ingress | egress| rspan}

Deletes an egress or ingress

monitoring (destination) port

according to the session.

zte(cfg)#set mirror rspan-tag vlan-id <1-4094> priority<0-7>{ingress | egress}

Sets RSPAN tag format including

VLAN-ID and priority.

zte(cfg)#set mirror statistic sample-interval <1-2047>{ingress |

egress}

Sets ingress or egress port

mirroring sample frequency.

zte(cfg)#clear mirror session <1-3> Clears the configuration of mirror

in the session .

show mirror [session <1-3>] (all configuration modes) Displays the configuration

information of mirror session.

show mirror rspan (all configuration modes) Displays the ingress or egress

RSPAN configuration information.

show mirror statistical (all configuration modes) Displays ingress or egress

sample frequency configuration

information.

Port Mirroring Configuration Instancel Configuration Description

This instance describes how to configure port mirroring on a switch, and port 2 canmonitor the packets on port 1, see Figure 5-2.

Figure 5-2 Port Mirroring Configuration Instance

l Configuration Procedure1. The following example describes how to set port mirroring in ingress direction.

zte(cfg)#set mirror session 1 add source-port 1 ingress

zte(cfg)#set mirror session 1 add dest-port 2 ingress

zte(cfg)#set mirror statistical sample-interval 100 ingress

/*set the port sample-interval of mirror statistic*/

zte(cfg)#set mirror rspan-tag vlan-id 100 priority 7 ingress

/*set VLAN tag added after port mirroring*/

5-12



2. The following example describes how to set port mirroring in egress direction.zte(cfg)#set mirror add source-port 1 egress

zte(cfg)#set mirror add dest-port 2 egress

zte(cfg)#set mirror statistical sample-interval 100 egress

/*set the port sample-interval of mirror statistic*/

zte(cfg)#set mirror rspan-tag vlan-id 100 priority 7 engress

/*set VLAN tag added after port mirroring*/

l Configuration Verification

Check port mirroring configuration.

zte(cfg)#show mirror session 1

Session 1:

Ingress mirror information:

---------------------------

Source port : 1

Destination port: 2

Egress mirror information:

---------------------------

Source port : 1

Destination port: 2

zte(cfg)#show mirror rspan

Ingress Rspan VLAN tag: priority 7, vlan 100

Egress Rspan VLAN tag: priority 7, vlan 100

zte(cfg)#show mirror statistical

Ingress statistical mirror: sample-interval 100

Egress statistical mirror: sample-interval 100

5.5 MAC Address Table OperationMAC Address Table OverviewMAC address table operations mainly include MAC addition/deletion, MAC aging timeconfiguration, MAC filtering function, MAC learning control, MAC learning number limit,MAC alarm control, MAC fixed function and MAC related information display.

MAC address tableoperation

Function

MAC addition/deletion Users can manually add static and fixed MAC addresses and delete

dynamic, static and fixed MAC address table entry through a command

line.

MAC table aging time MAC table aging time refers to the period from the latest update of

dynamic MAC address in the FDB table to the deletion of this address.

5-13



MAC address tableoperation

Function

MAC filtering function When the switch receives the packets with specified source address

or destination address, it drops them according to the source MAC

address and the destination MAC address.

MAC address learning

control

MAC address learning control means MAC learning can provide

three types of learning modes including hardware wire-speed

learning, CPU controlled learning and non learning to satisfy various

user requirements. In addition, MAC learning can provide global,

port-based, Trunk-based and VLAN-based independent switches.

MAC learning number limit MAC learning number limit can configure the maximum learning MAC

address number based on global, port, TRUNK and VLAN. When the

value is reached, the new MAC address cannot be learnt.

MAC alarm control MAC alarm control can configure the output of the common alarm

information of MAC function, for example, the number of learnt MAC

addresses is exceeded or the address is drifted.

MAC address fixed function MAC address fixed function can transform a dynamic MAC address

entry to a static or fixed MAC entry in batches. After transformation,

the static entry cannot drift. When the device is rebooted, a fixed MAC

address entry can recover and cannot disappear.

MAC information display MAC information display means the current MAC function configuration

and state information can be checked.

MAC protection function The MAC protection function limits port access. When the number

of MAC addresses learned on a port exceeds the limit, packets with

unknown source MAC addresses are dropped. The protection action

can be set to shutdown, restrict (stopping MAC address learning,

dropping packets with unknown MAC addresses, and sending an

alarm), or protect (stopping MAC address learning, and dropping

packets with unknown MAC addresses).

The MAC address of Ethernet NIC is 48 bits. The 48 bits include two parts. The first24 bits are used to represent the manufacturer indicating Ethernet NIC. The remaining24 bits are a group of sequence numbers designated by the manufacturer and named asOrganizationally Unique Identifier (OUI). The lowest bit (the most left bit in the structure)is named as a private or group bit. If this bit is set to 0, the remaining address is a privateaddress.

If this bit is set to 1, the remaining address domain identifies the group address requiringmore resolution. If the whole OUI is set to 1, each site of the whole network is a destination.That is the special engagement supported by OUI.

Configuring a MAC Address TableThe MAC table configuration includes the following commands:

5-14



Command Function

zte(cfg)#set port <portlist> security {enable | disable} Enables or disables the security function

of a port.

zte(cfg)#set port <portlist> multicast-filter {enable |

disable}

Enables or disables the unregistered

multicast filter function of a port.

zte(cfg)#set port <trunklist> multicast-filter {enable |

disable}

Enables or disables the unregistered

multicast filtering function of a trunk.

zte(cfg)#set mac add static <HH.HH.HH.HH.HH.HH>

port <1-28> vlan <1-4094>

Adds a static MAC address entry based

on the port and the VLAN.

zte(cfg)#set mac add static <HH.HH.HH.HH.HH.HH>

trunk <1-15> vlan <1-4094>

Adds a static MAC address entry based

on the trunk and the VLAN.

zte(cfg)#set mac add permanent <HH.HH.HH.HH.HH.

HH> port <1-28> vlan <1-4094>

Adds a permanent MAC address entry

based on the port and the VLAN.

zte(cfg)#set mac add permanent <HH.HH.HH.HH.HH.

HH> trunk <1-15> vlan <1-4094>

Adds a permanent MAC address entry

based on the trunk and the VLAN.

zte(cfg)#set mac delete Deletes all MAC address entries.

zte(cfg)#set mac delete mac-address <HH.HH.HH.HH.H

H.HH> vlan <1-4094>

Deletes a MAC address entry.

zte(cfg)#set mac delete {port <1-28>| trunk <1-15>|vlan <1-4094>}[dynamic | static | permanent]

Deletes all dynamic/static/permanent MAC

address entries based on port/trunk/VLAN.

zte(cfg)#set mac delete dynamic Deletes all dynamic MAC address entries.

zte(cfg)#set mac delete permanent Deletes all permanent MAC address

entries.

zte(cfg)#set mac delete static Deletes all static MAC address entries.

zte(cfg)#set mac aging-time <60-600> Sets device MAC address aging time.

zte(cfg)#set mac filter {source | destination |

both}<HH.HH.HH.HH.HH.HH> vlan <1-4094>

Sets the source MAC address or

destination MAC address filter function.

zte(cfg)#set mac learning {global | port <1-28>| trunk<1-15>| vlan <1-4094>}{enable | disable |mode {automatic

| cpu-controlled}}

Sets MAC address learning mode based

on global/port/trunk/VLAN.

zte(cfg)#set mac limit {global | port <1-28>| trunk<1-15>| vlan <1-4094>} limit-num <0-16384>

Sets the MAC address number limit

function based on global/port/trunk/VLAN.

zte(cfg)#set mac unknown-filter {global | port <1-28>|trunk <1-15>} limit-num <0-16384>

Sets the function of filtering unknown

source packets based on global/port/trunk.

zte(cfg)#set mac to permanent {port <1-28>| trunk<1-15>}{enable | disable | max-number <1-128>}

Sets the function of converting MAC

addresses as permanent in batches.

5-15



Command Function

zte(cfg)#set mac to permanent auto-save-time

<300-7200>

Sets the time when MAC addresses

converted to permanent ones are

automatically saved.

zte(cfg)#set mac to static {port <1-28>| trunk <1-15>|vlan <1-4094>}{enable | disable}

Sets the function of converting MAC

address to static ones in batches.

zte(cfg)#set mac logging-alarm {station-move |

threshold-state}{enable | disable}

Enables or disables the MAC event alarm

function.

zte(cfg)#set mac logging-alarm interval <1-256> Sets the MAC event alarm output interval.

zte(cfg)#set mac protect port <1-28> action {shutdown |

restrict | protect}

Sets the MAC protection action.

zte(cfg)#set mac protect port <1-28>{enable | disable} Enables or disables the MAC protection

function.

show mac (all configuration modes) Displays MAC address entry content.

show mac running-config (all configuration modes) Displays MAC configuration information.

show mac all-type {port <1-28>| trunk <1-15>| vlan<1-4094>} (all configuration modes)

Displays MAC address entry content

based on port/trunk/VLAN.

show mac {dynamic | learning | limit | permanent |

static}[port <1-28>| trunk <1-15>| vlan <1-4094>] (all


Displays various MAC function

configurations and MAC address

entries based on global/port/trunk/VLAN.

show mac mac-address <HH.HH.HH.HH.HH.HH> (all


Displays the MAC address entry content

of a specified MAC address.

show mac unknown-filter [port <1-28>| trunk <1-15>](all configuration modes)

Displays the filter function of the packet

with an unknown source based on

global/port/trunk.

show mac aging-time (all configuration modes) Displays device MAC address aging time.

show mac filter (all configuration modes) Displays source MAC address or

destination MAC address filtering function.

show mac logging-alarm (all configuration modes) Displays MAC event alarm configuration.

zte(cfg)#set mac learning except session <1-100>{clear

|mac-address <HH.HH.HH.HH.HH.HH.HH> mac-mask<HH.HH.HH.HH.HH.HH.HH>[vlan <1-4094>]}

Sets the function of not learning specified

MAC addresses

zte(cfg)#set mac learning except {port <portlist>| trunk<trunklist>}session unbind

Unbinds ports/trunks and all sessions.

zte(cfg)#set mac learning except {port <portlist>| trunk<trunklist>}session <1-100>{bind|unbind}

Sets the binding relation between

ports/trunks and all sessions.

5-16



Command Function

show mac learning except session [<1-100>] Displays the configuration of sessions for

which specified source MAC learning is

not needed.

show mac learning except {port <portlist>|trunk<trunklist>}

Displays the binding relation between

ports/trunks and sessions.

show mac protect [portlist] Displays the MAC protection state to check

whether MAC protection is triggered.

5.6 LACP ConfigurationLACP OverviewThe Link Aggregation Control Protocol (LACP) is a standard protocol defined in IEEE802.3ad.

Link aggregation means that physical links with the same transmission media andtransmission rate are “bound” together, making them look like one link logically. Thisconcept is also known as Trunk. It allows simultaneous multiplied increase of thebandwidths of parallel physical links between the switches or between the switch and theserver. As a result, it becomes an important technology in increasing the link bandwidthand creating link transmission flexibility and redundancy.

An aggregated link is also called trunk. If a port of the trunk is blocked or faulty, the datapackets will be distributed to other ports of this trunk for transmission. If this port recovers,the data packets will be redistributed to all the normal ports of this trunk for transmission.

The ZXR10 2900E supports up to 15 aggregation groups. In each aggregation group, thenumber of aggregated links does not exceed eight.

Configuring LACPThe LACP configuration includes the following commands:

Command Function

zte(cfg)#set trunk <trunklist> pvid <1-4094> Sets the default trunk VID.

zte(cfg)#set lacp {enable | disable} Enables or disables the LACP

function.

zte(cfg)#set lacp aggregator <1-15>{add | delete} port <portlist> Adds or deletes a specified port

to/from an LACP aggregation

group.

zte(cfg)#set lacp aggregator <1-15> mode {dynamic | static |

mixed }

Sets aggregation mode of an

LACP aggregation group.

5-17



Command Function

zte(cfg)#set lacp port <portlist> mode {active | passive} Sets the mode used by the port to

participate in the aggregation.

zte(cfg)#set lacp port <portlist> timeout {long | short} Sets the timeout information

of the port participating in the

aggregation.

zte(cfg)#set lacp priority <1-65535> Sets the priority of LACP.

zte(cfg)#set lacp load-balance {port | packet {L2 | L3 | L4}} Sets LACP load balancing mode.

show trunk (all configuration modes) Displays the Port VLAN IDs

(PVIDs) of all trunks and

unregistered multicast filtering

configuration.

show trunk [<trunklist>] (all configuration modes) Displays the trunk PVID and

unregistered multicast filtering

configuration.

show trunk <trunklist> vlan (all configuration modes) Displays the VLAN configuration

of trunk.

show lacp (all configuration modes) Displays the LACP global

configuration information.

show lacp aggregator (all configuration modes) Displays brief information of all

LACP aggregation groups.

show lacp aggregator <1-15> (all configuration modes) Displays detailed information of an

LACP aggregation group.

show lacp port (all configuration modes) Displays aggregation status

information of all the LACP

member ports.

show lacp port [<portlist >] (all configuration modes) Displays aggregation status

information of LACP member

ports.

zte(cfg)#clear trunk <trunklist>{ multicast-filter} Clears the flag of the port multicast

filter.

LACP Configuration Instancel Configuration Description

Switch A and switch B are connected through the aggregation port (binding the port15 and port 16). Port 1 of switch A and port 2 of switch B belong to VLAN2. Port 3 ofswitch A and port 4 of switch B belong to VLAN3. Members of the same VLAN cancommunicate with each other. See Figure 5-3.

5-18



Figure 5-3 LACP Configuration Instance

l Configuration Procedure1. The detailed configuration of switch A is as follows:

zte(cfg)#set lacp enable

zte(cfg)#set lacp aggregator 3 add port 15-16

zte(cfg)#set lacp aggregator 3 mode dynamic

zte(cfg)#set lacp load-balance packet L2

zte(cfg)#set vlan 2 add trunk 3 tag

zte(cfg)#set vlan 2 add port 1 untag



zte(cfg)#set port 1 pvid 2


zte(cfg)#set vlan 2-3 enable

2. The detailed configuration of switch B is as follows:zte(cfg)#set lacp enable



zte(cfg)#set lacp load-balance packet L2









The results of implementing the following command on the two switches are similar.

zte(cfg)#show lacp

Lacp is enabled.

Lacp priority is 32768.

Load-balance is based on L2 hash mode.

5-19



PortNum GroupNum GroupMode LacpTime LacpActive

----------- ----------- ----------- ----------- -----------

15 3 Dynamic Long True

16 3 Dynamic Long True

zte(cfg)#show lacp aggregator 3

Group 3

Actor Partner

---------------------------- ----------------------------

Priority : 32768 32768

Mac : 00.d0.d0.fa.29.20 00.d0.d0.fc.88.63

Key : 258 258

Ports : 16, 15 16, 15

The above displayed result proves that the link aggregation is successful. If it is notsuccessful, the result is shown as follows after executing the show lacp aggregator 3command.


% Group 3 is not active!

The above result is due to physical link failure. It is recommended to check the physicallink status.

5.7 IGMP Snooping ConfigurationIGMP Snooping OverviewBecause the multicast address is not in the source address of the packet, the switch cannotlearn the multicast address. When the switch receives a multicast message, it sends themessage to all the ports in the same VLAN. If no measure is taken, unwanted multicastmessages may be spread to each node of the network, causing a great waste of networkbandwidth resource.

With the IGMP Snooping function, the IGMP communication between the host and routeris snooped, so that the multicast packets are sent to the ports in the multicast forwardingtable, instead of all ports. This restricts the flooding of multicast messages in the LANswitch, reduces the waste of network bandwidth, and improves the utilization rate of theswitch.

Configuring IGMP SnoopingThe IGMP Snooping configuration includes the following commands:

Command Function

zte(cfg)#set igmp snooping {enable | disable} Enables or disables the IGMP

Snooping function.

5-20



Command Function

zte(cfg)#set igmp snooping {add | delete} vlan <vlanlist> Adds or deletes the IGMP

Snooping function to/from the

specified VLAN.

zte(cfg)#set igmp snooping {add | delete} maxnum<1-1024>{vlan <vlanlist>| port <portlist>[replace]

Sets or clears the maximum

multicast group number on the

specified VLAN/port. The replace

keyword means to replace the

query group which does not

respond for the longest period.

zte(cfg)#set igmp snooping delete host Deletes all dynamic multicast

users.

zte(cfg)#set igmp snooping monitor-ring {enable | disable} Enables or disables the IGMP ring

monitoring function.

zte(cfg)#set igmp snooping vlan <1-4094>{add | delete} group<A.B.C.D>[port <portlist>| trunk <trunklist>]

Adds or deletes static multicast

group based on the VLAN.

zte(cfg)#set igmp snooping vlan <1-4094>{add | delete} smr

{port <portlist>| trunk <trunklist>}Adds or deletes routing port or

trunk on the specified VLAN.

zte(cfg)#set igmp snooping private-group {<A.B.C.D>| enable |

disable}

Adds private multicast group

and enables or disables private

multicast group function.

zte(cfg)#set igmp snooping timeout {host | router}<time> Sets multicast member or route

time-out.

The value of the <time> parameter

is 0 means no aging. A value

between 100 and 2147483647

(unit: 100 milliseconds).

zte(cfg)#set igmp snooping query-interval <10-2147483647> Sets the snooping interval, unit:

100 milliseconds.

zte(cfg)#set igmp snooping response-interval <10-250> Sets the snooping response

interval, unit: 100 milliseconds.

zte(cfg)#set igmp snooping last-member-query <10-250> Sets the snooping interval for

the last member, unit: 100

milliseconds.

zte(cfg)#set igmp snooping query vlan <vlanlist>{enable |

disable}

Enables or disables the query

function on the specified VLAN.

zte(cfg)#set igmp snooping query version {v2 | v3} Sets the IGMP version of the query

packet sent by the switch.

zte(cfg)#set igmp snooping fastleave {enable | disable} Enables or disables the fast leave

function.

5-21



Command Function

zte(cfg)#set igmp snooping v3 {enable | disable} Enables or disables the IGMP V3

function.

zte(cfg)#set igmp snooping proxy version {v2 | auto} Sets the IGMP version of the

query message that the switch

responses to the router.

zte(cfg)#set igmp snooping crossvlan {enable | disable} Enables or disables the switch

cross-VLAN function.

zte(cfg)#set igmp filter {enable | disable} Enables or disables the filtering

function.

zte(cfg)#set igmp filter {add | delete} groupip <A.B.C.D.> vlan<vlanlist>

Adds or deletes the filtering of

group in the specified VLAN.

zte(cfg)#set igmp filter {add | delete} sourceip <A.B.C.D.> vlan<vlanlist>

Adds or deletes the filter of source

in the specified VLAN.

zte(cfg)#set igmp filter {add | delete} query port < portlist>vlan <vlanlist>

Adds or deletes the query packet

filter for the specified port.

zte(cfg)#set igmp filter {add | delete} query trunk < trunklist>vlan <vlanlist>

Adds or deletes the query packet

filter for the specified trunk port.

show igmp snooping (global configuration modes) Displays IGMP Snooping global


show igmp snooping vlan [<1-4094>[host | route]] (global


Displays the configuration of the

IGMP snooping result.

show igmp snooping port [<portlist>] (global configuration modes) Displays the maximum and current

multicast group numbers for the

port.

show igmp snooping v3 {port <1-28>| trunk <1-15>} (global


Displays the v3 multicast snooping

results of the port or the trunk.

show igmp filter report (global configuration modes) Displays the configuration of the

IGMP filter.

show igmp filter vlan <vlanlist> (global configuration modes) Displays the specified VLAN

multicast group filtering

configuration.

show igmp filter query (global configuration modes)Displays the configuration of the

query packet filter.

show igmp filter query vlan <vlanlist> (global configuration

modes)

Displays the configuration of the

query packet filter for the specified

VLAN.

zte(cfg)#set igmp filter {add | delete} grouplist <A.B.C.D.>mask <A.B.C.D.> vlan <vlanlist>

Adds/removes the group list filter

to/from the specified VLAN.

5-22



Command Function

zte(cfg)#set igmp snooping multicast-ring {enable | disable} Enables or disables the IGMP

multicast ring network function.

zte(cfg)#set igmp snooping multicast-ring {add | delete}

cascade port <portlist>Adds or deletes cascaded ports in

a multicast ring network.

IGMP Snooping Configuration Instancel Configuration Description

Ports 1, 3, and 5 are connected to the host, port 10 is connected to the router, addports 10, 1, 3, and 5 to VLAN200, and users on ports 1, 3, and 5 send multicastjoin request packets with multicast addresses 230.44.45.167 and 230.44.45.157respectively. Add multicast filter group address 230.44.45.167 on VLAN200. TheIGMP Snooping function and IGMP Filter function are enabled and the snoopingresults are displayed. See Figure 5-4.

Figure 5-4 Network Topology of IGMP Snooping Configuration Instance

l Configuration Procedurezte(cfg)#set vlan 200 add port 1, 3, 5, 10 untag

zte(cfg)#set port 1, 3, 5, 10 pvid 200

zte(cfg)#set vlan 200 enable

zte(cfg)#set igmp snooping enable

zte(cfg)#set igmp snooping add vlan 200

zte(cfg)#set igmp snooping vlan 200 add smr port 10

zte(cfg)#set igmp filter enable

zte(cfg)#set igmp filter add groupip 230.44.45.167 vlan 200


Display multicast listening and filtering result.

5-23



zte(cfg)#show igmp snooping vlan

Maximal group number: 1024

Current group number: 1

Num VlanId Group Last_Report PortMember

---- ------- --------------- --------------- ----------------

1 200 230.44.45.157 194.85.1.3 1,3,5,10

zte(cfg)#show igmp filter report

IGMP Filter: enabled

Index Type IpAddress IpMask VlanList

----- -------- ---------------- ---------------- ---------------------

1 Groupip 230.44.45.167 255.255.255.255 200

zte(cfg)#show igmp filter report vlan 200

Index FilterIpAddress FilterIpMask Vlan Type

----- ---------------- ---------------- ----- --------

1 230.44.45.167 255.255.255.255 200 Groupip

5.8 MLD Snooping ConfigurationMLD Snooping OverviewCorresponding to the IGMP protocol, MLD is a multicast management protocol in IPv6environment. MLD v1/v2 is supported.

It is impossible to use a multicast address as a source address in a packet, so a switchcannot learn the multicast address. When receiving a multicast message, a switchbroadcasts the message on all ports in the same VLAN. If no measure is taken, unwantedmulticast messages may be spread to each node of the network, causing a great wasteof network bandwidth resource.

Multicast Listener Discovery (MLD) snooping monitors MLD protocol communicationbetween a host and a router. In this way, a multicast message is sent to the ports in themulticast forwarding table instead of all ports. This limits multicast message spread onLAN switches, reduces network bandwidth waste, and enhances switch usage.

Configuring MLD SnoopingThe MLD snooping configuration includes the following commands:

Command Function

zte(cfg)#set mld snooping {enable | disable} Enables or disables the MLD snooping function

globally.

zte(cfg)#set mld snooping {add | delete} vlan<vlanlist>

Adds or deletes an MLD snooping VLAN.

5-24



Command Function

zte(cfg)#set mld snooping add maxnum <1-256>

vlan <vlanlist>

Sets the maximum number of multicast groups

of a specific VLAN.

zte(cfg)#set mld snooping vlan <1-4094> addgroup <ipv6-address> port <portlist>

Adds a static group to a specific VLAN and adds

a port to the static group.

zte(cfg)#set mld snooping vlan <1-4094> deletegroup <ipv6-address>[port <portlist>]

Clears static groups in a specific VLAN and

clears the ports in the static groups.

zte(cfg)#set mld snooping vlan <1-4094>{add |

delete} mrouter port <port-id>Adds or clears a routing portsin a specific VLAN.

zte(cfg)#set mld snooping { host-time-out |

mrouter-time-out }<30-65535>

Sets the time-out period between the router port

and the host port.

zte(cfg)#set mld snooping query-interval

<30-65535>

Sets the interval for sending query packets.

zte(cfg)#set mld snooping query-response-inter

val <1000-25000>

Sets the interval for sending report packets.

zte(cfg)#set mld snooping last-member-query

<1-25>

Sets the time of waiting for a query response

when the last member leaves.

zte(cfg)#set mld snooping query vlan

<vlanlist>{enable | disable}

Enables or disables the query function in a

specific VLAN.

zte(cfg)#set mld snooping query vlan <vlanlist>

version <1-2>

Sets the MLD version of query packets.

zte(cfg)#set mld snooping query {enable |

disable}

Enables or disables the query function.

zte(cfg)#set mld snooping fastleave {enable |

disable}

Enables or disables the fast leave function.

zte(cfg)#set mld snooping robustness <1-7> Sets the MLD robustness value.

zte(cfg)#set mld filter {enable | disable} Enables or disables the filter function globally.

zte(cfg)#set mld filter {add | delete} query port< portlist> vlan <vlanlist>

Adds or deletes the query packet filter for the

specified port.

zte(cfg)#set mld filter {add | delete} query trunk< trunklist> vlan <vlanlist>

Adds or deletes the query packet filter for the

specified trunk port.

show mld snooping (all configuration modes) Displays global MLD snooping configuration

information.

show mld snooping vlan <1-4094>[group<ipv6-address>| port-info | group-source-filter |

host-source-filter ] (all configuration modes)

Displays the MLD snooping result.

show mld snooping mr-port-info (all configuration

modes)

Displays MLD router port information.

5-25



Command Function

show mld filter query (all configuration modes) Displays the configuration of the query packet

filter.

show mld filter query vlan <vlanlist> (all


Displays the configuration of the query packet

filter for the specified VLAN.

MLD Snooping Configuration Instancel Configuration Description

See Figure 5-5. Port 1, Port 3 and Port 5 are connected to hosts, Port 10 is connectedto a router, ports 10, 1, 3 and 5 are in VLAN 200, users connected to Ports 1, 3 and 5send multicast join requests to join the groups ff1e::22 and ff1e::11. Enable the MLDsnooping function on the switch and display the snooping result.

Figure 5-5 MLD Snooping Configuration Instance

l Configuration Procedurezte(cfg)#set vlan 200 add port 1, 3, 5, 10 untag

zte(cfg)#set port 1, 3, 5, 10 pvid 200


zte(cfg)#set mld snooping enable

zte(cfg)#set mld snooping add vlan 200

zte(cfg)#set mld snooping vlan 200 add mr port 10


Display the snooping result:

zte(cfg)#show mld snooping vlan 200

MLD Snooping : enable

Querier : disable

Working Mode : proxy

5-26



Max Group Number : 256

Total Group Number : 2

Exist Host Group Number : 2

Index Vlan Group ID Prejoin LiveTime Ports

----- ---- -------------- ------- ---------- --------

1 200 ff1e::11 0 0:00:00:14 D:1,3, 5

2 200 ff1e::22 0 0:00:00:09 D:1,3,

5.9 IPTV ConfigurationIPTV OverviewInternet Protocol television (IPTV) is also called Interactive Network TV. IPTV is a methodof distributing television content over IP that enables a more customized and interactiveuser experience. IPTV can allow people who are separated geographically to watch amovie together, while chatting and exchanging files simultaneously. IPTV uses a two-waybroadcast signal sent through the provider's backbone network and servers, allowingviewers to select content on demand, and take advantage of other interactive TV options.IPTV can be used through PC or “IP Set-top Box (SBT) + TV”.

Configuring IPTVThe IPTV configuration mainly includes the following contents:

l Configure channel attributesl Configure package attributesl Configure preview-related attributesl Configure CDR-related attributesl Configure port-related attributes

The IPTV configuration includes the following commands:

Command Function

zte(cfg-nas)#iptv control {enable | disable} Enables or disables the IPTV

function.

zte(cfg-nas)#iptv channel mvlan <1-4094> groupip<A.B.C.D>[name <channel-name>[id <0-1031>]]

Adds one channel (multicast

group) to the specified VLAN and

names the channel and allocates

ID.

zte(cfg-nas)#iptv channel mvlan <1-4094> groupip <A.B.C.D>

count <1-1032>[prename <prename>]Adds channel (multicast group) to

the specified VLAN in batch and

names channels in batch.

zte(cfg-nas)#iptv channel name <channel-name> rename<new-name>

Modifies channel name.

5-27



Command Function

zte(cfg-nas)#iptv channel {name <channel-name>| id-list <channel-list>} cdr {enable | disable}

Enables or disables channel log

function.

zte(cfg-nas)#iptv channel {name <channel-name>| id-list<channel-list>}{viewfile-name <viewfile-name>| viewfile-id<0-1023>}

Specifies the preview configuration

file of the channel.

zte(cfg-nas)#iptv sms-server <A.B.C.D> Sets the IP address of the Service

Management System (SMS)

server.

zte(cfg-nas)#iptv sms-server-port <1025-65535> Sets SMS server TCP port.

zte(cfg-nas)#iptv cdr {enable | disable} Enables or disables CDR log

function globally.

zte(cfg-nas)#iptv cdr report Manually triggers CDR log report

at one time.

zte(cfg-nas)#iptv cdr create-period <1-65535> Sets the interval for creating CDRs

when users watch programs for a

long time.

zte(cfg-nas)#iptv cdr deny-right {enable | disable} Enables or disables CDR function

when the access authorization is

deny.

zte(cfg-nas)#iptv cdr prv-right {enable | disable} Enables or disables CDR function

when the access authorization is

preview.

zte(cfg-nas)#iptv cdr report-threshold <1-32> Sets the number of CDRs in each

reported packet.

zte(cfg-nas)#iptv cdr report-interval <1-65535> Sets the time interval for CDR

report.

zte(cfg-nas)#iptv cdr max-records <100-5000> Sets CDR maximum record items.

zte(cfg-nas)#iptv cdr warning-threshold <1-100> Sets CDR buffer alarm threshold.

zte(cfg-nas)#iptv package name <package-name>[id<package-id>]

Creates multicast package.

zte(cfg-nas)#iptv package name <package-name> channel

{id-list <channel-list>| name <channel-name>}{deny | order |

preview}

Adds channels to the package

and configures the authority of the

channels in the package.

zte(cfg-nas)#iptv prv {enable | disable} Enables or disables the preview

function.

zte(cfg-nas)#iptv prv reset Resets the preview function.

5-28



Command Function

zte(cfg-nas)#iptv prv autoreset-time <HH:MM:SS> Automatically resets the preview

function.

zte(cfg-nas)#iptv prv recognition-time <1-65534> Sets recognition time. A short time

preview is not counted.

zte(cfg-nas)#iptv prv overcount-cdr {enable | disable} Enables or disables the IPTV

preview overcount-cdr function.

zte(cfg-nas)#iptv view-profile name < viewfile-name>[id<1-1023>]

Creates IPTV preview

configuration files.

zte(cfg-nas)#iptv view-profile name <viewfile-name>{count

<1-65535>| duration <2-65535>| blackout<2-65535>}

Creates IPTV preview

configuration files.

zte(cfg-nas)#iptv cac-rule {enable | disable} Enables or disables the CAC

control.

zte(cfg-nas)#iptv port <portlist>[vlan <1-4094>] service {start |

remove | pause | resume}

Sets user service state.

zte(cfg-nas)#iptv port <portlist>[vlan <1-4094>] control-mode

{package | channel}

Sets user multicast control mode.

zte(cfg-nas)#iptv port <portlist>[vlan <1-4094>] package

{name <package-name>| id-list <package-list>}Allocates packages for the user.

zte(cfg-nas)#iptv port <portlist>[vlan <1-4094>] channel

{name <channel-name>| id-list <channel-list>}{deny | order |preview | query}

Allocates the access permission of

the channel for the user.

zte(cfg-nas)#iptv port <portlist>[vlan <1-4094>] cdr {enable |

disable}

Enables or disables the user CDR

log record function.

zte(cfg-nas)#iptv port <portlist>[vlan <1-4094>] mac-base

{enable | disable}

Enables or disables the

management mode based on

the MAC address.

zte(cfg-nas)#iptv port <portlist>{add|delete} mvlan <1-4094>

uvlan <1-4094>

Adds or deletes a duplicate rule.

zte(cfg-nas)#clear iptv channel {name <channel-name>| id-list<channel-list>| all}

Deletes a channel.

zte(cfg-nas)#clear iptv package {name <package-name>| id-list< package-idlist >| all}

Deletes a package.

zte(cfg-nas)#clear iptv view-profile{name <viewfile-name>|id-list <viewfile-lis>| all}

Deletes a preview configuration

file.

zte(cfg-nas)#clear iptv port <portlist>[vlan <1-4094>] package

{name <package-name>| id-llist <package-idlist>}Deletes the package allocated for

users.

5-29



Command Function

zte(cfg-nas)#clear iptv client [index <0-255>| mac<HH.HH.HH.HH.HH.HH>| port <portlist>[vlan <1-4094>]]

Deletes an IPTV user.

show iptv control (all configuration modes) Displays IPTV global configuration.

show iptv channel [name <channel-name>| id <channel-id>] (all


Displays channel information (all

channels or some channel detailed

information).

show iptv package [name<package-name>| id <0-127>] (all


Without parameters, displays the

package names. With parameters,

this displays all channel lists in the

package.

show iptv prv (all configuration modes) Displays IPTV preview global


show iptv view-profile [name <viewfile-name>| id <0-1023>] (all


Displays preview configuration file

information.

show iptv cdr (all configuration modes) Displays global CDR configuration

information.

show iptv client [{channel <0-1031>| index <0-255>| mac<HH.HH.HH.HH.HH.HH>| port <portid>| vlan <1-4094>}] (all


Displays IPTV user information.

show iptv rule [ port <portid>][vlan <1-4094>][channel | package]

(all configuration modes)

Displays IPTV rule information.

show iptv duplicate (all configuration modes) Displays duplicate configuration

information.

zte(cfg-nas)#clear iptv channel-group {name<channel-group-name>| id-list <channel-group-list>|all}

Deletes a channel group.

zte(cfg-nas)#iptv channel-group mvlan <1-4094>

groupiplist <A.B.C.D>{<A.B.C.D>| mask <A.B.C.D>}}[name<channel-group-name>[id <0-255>]]

Adds a channel group to a

specified VLAN, names the

channel group, and allocates an

ID to each channel.

zte(cfg-nas)#iptv channel-group name <channel-group-name>

rename <new-name>Modifies the channel group name.

zte(cfg-nas)#iptv channel-group {name <channel-group-name>|id-list < channel-group-list>} cdr {enable | disable}

Enables/disables the channel

group log function.

zte(cfg-nas)#iptv channel-group {name <channel-group-name>|id-list <channel-group-list>}{viewfile-name <viewfile-name>|

viewfile-id <0-1023>}

Specifies the preview configuration

file for the channel group.

5-30



Command Function

zte(cfg-nas)#iptv port <portlist>[vlan <1-4094>] channel-group

{name <channel-group-name>| id-list <channel-group-list>}{deny |order | preview | query}

Allocates an access permission to

the channel group for users.

show iptv channel-group [name <channe-groupl-name>| id<channel-group-id>] (all configuration modes)

Displays channel group

information (details of one or

all channel groups).

IPTV Configuration Example Onel Configuration Description

Port 1 connects to the user and it subscribes to channel 225.1.1.1. The user vlanis 100. The multicast vlan is 4000. Router sends data stream of multicast group225.1.1.1. PC sends request for entering into channel 225.1.1.1. See Figure 5-6.

Figure 5-6 IPTV Configuration Instance 1

l Configuration Procedure1. Configure VLAN

zte(cfg)#set vlan 100 add port 1

zte(cfg)#set vlan 4000 add port 1, 4

zte(cfg)#set vlan 100, 4000 enable



/*IGMP Snooping*/


zte(cfg)#set igmp snooping add vlan 100, 4000

zte(cfg)#set igmp snooping fastleave enable

2. Configure IPTVzte(cfg)#config nas

zte(cfg-nas)#iptv control enable

zte(cfg-nas)#iptv cac-rule enable

3. Configure a rule on the portzte(cfg-nas)#iptv channel mvlan 4000 group 225.1.1.1

name CCTV1 id 1

zte(cfg-nas)#iptv port 1 service start

zte(cfg-nas)#iptv port 1 control-mode channel

zte(cfg-nas)#iptv port 1 channel id-list 1 order

zte(cfg-nas)#iptv port 1 add mvlan 4000 uvlan 100


5-31



Check configuration

zte(cfg-nas)#show iptv rule

MaxRuleNum:64

CurRuleNum:1

HisRuleNum:1

Id Port Vlan Mbase Mode Service Cdr Order Preview Query PkgNum

-- ---- ---- ----- ------- ------- -------- ----- ------- ----- ------

1 1 false channel in disabled 1 0 0 0

/*view the user online state when the user is online*/

zte(cfg-nas)#show igmp snooping vlan




---- ------- --------------- --------------- ----------------

1 4000 225.1.1.1 192.85.1.3 1

zte(cfg-nas)#show iptv client index 0

Index :0

Rule :1 Vlan :100

Port :1 ChNum :1

Mac :00.10.94.00.00.01 Ip :192.85.1.3

Channel UserType MultiAddress ElapsedTime

------- ---------- ---------------- --------------

1 order 225.1.1.1 0:0:1:7

IPTV Configuration Example Twol Configuration Description

Port 1 connects with the user and it is the preview user of channel 225.1.1.1. Themaximum preview time is 20 seconds, the interval is at least 10 seconds and themaximum preview time is 2. The user vlan is 100. The multicast vlan is 4000. Routersends data stream of multicast group 225.1.1.1. PC sends request for entering intochannel 225.1.1.1. See Figure 5-7.

Figure 5-7 IPTV Configuration Instance 2

l Configuration Procedure

5-32



1. Configure VLANzte(cfg)#set vlan 100 add port 1


zte(cfg)#set vlan 100, 4000 enable



/*IGMP Snooping*/


zte(cfg)#set igmp snooping add vlan 100, 4000

zte(cfg)#set igmp snooping fastleave enable

2. Configure IPTVzte(cfg)#config nas

zte(cfg-nas)#iptv control enable

zte(cfg-nas)#iptv cac-rule enable

zte(cfg-nas)#iptv prv enable

3. Configure a rule on the portzte(cfg-nas)#iptv channel mvlan 4000 group 225.1.1.1

name CCTV1 id 1

zte(cfg-nas)#iptv port 1 service start

zte(cfg-nas)#iptv port 1 control-mode channel

zte(cfg-nas)#iptv port 1 channel id 1 preview

4. Configure the preview templatezte(cfg-nas)#iptv view-profile name VPF1.PRF

zte(cfg-nas)#iptv view-profile name VPF1.PRF count 2

zte(cfg-nas)#iptv view-profile name VPF1.PRF blackout 10

zte(cfg-nas)#iptv view-profile name VPF1.PRF duration 20

zte(cfg-nas)#iptv channel id 1 viewfile-name VPF1.PRF


Check configuration

/*check the configuration of preview template*/

zte(cfg-nas)#show iptv view-profile name VPF1

ViewProfile Id :1

MaxPrvCount :2

MaxPrvDuration :20

BlackoutInterval :10

/*view the user online state when the user is online*/

zte(cfg-nas)#show iptv client index 0

Index :0

Rule :1 Vlan :100

Port :1 ChNum :1

Mac :00.10.94.00.00.01 Ip :192.85.1.3

Channel UserType MultiAddress ElapsedTime

------- ---------- ---------------- --------------

5-33



1 preview 225.1.1.1 0:0:0:16

5.10 STP ConfigurationSTP OverviewThe Spanning Tree Protocol (STP) is applicable to the network with data loops. It usescertain algorithms to block some redundant links, thus preventing possible network loops.

The Rapid Spanning Tree Protocol (RSTP) is developed on the basis of common STP,and provides a faster spanning tree convergence by using a mechanism in which the portstate can be rapidly changed from Blocking to Forwarding.

TheMultiple Spanning Tree Protocol (MSTP) is developed on the basis of RSTP and STP. Itintroduces domains and instances, and recognizes VLAN ID. The whole network topologystructure can be planned into a Common and Internal Spanning Tree (CIST), which isdivided into Common Spanning Tree (CST) and Internal Spanning Tree (IST).

Many devices enabling MSTP construct Multiple Spanning Tree (MST) areas in theswitching network. When the devices satisfy the following conditions, they can beconsidered to exist in an MST area. A switching network can cover many MST areas.Users can divide the switches into an MST area by using MSTP commands.

l Same area name.l Same reversion level.l Same mapping relationship between a VLAN and an instance.l Switches should be connected directly.

Multiple spanning trees can be configured in each MSTP area, and they are independentfrom each other. Each spanning tree is an Internal Spanning Tree (IST), and it can becalled as Multiple Spanning Tree Instance (MSTI). Common Spanning Tree connects allMST areas in the switching network. An MST area can be considered as a switch, a CSTis a spanning tree which is generated by STP and RSTP protocol calculation. All ISTsand CSTs are called as Common and Internal Spanning Tree (CIST). A CIST is a singlespanning tree used to connect all switches.

In this MSTP topology structure, an IST can serve as a single bridge (switch). In thisway, a CTS can serve as an RSTP for the interaction of configuration information (BPDU).Multiple instances can be created in an IST area and these instances are valid only in thisarea. An instance is equivalent to an RSTP, except that the instance needs to performBPDU interaction with bridges outside this area.

For the MSTP topological structure, see Figure 5-8.

5-34



Figure 5-8 MSTP Topological Structure

The ports have different roles:

l Master: The port type is introduced in the MSTP protocol. When multiple differentareas exist, the master port is the port with the minimal cost to the root.

l Root: The port that has the minimal cost to the root bridge and takes charge inforwarding data to the root node. When multiple ports have the same cost to the rootbridge, the port with the lowest port priority becomes to the root port.

l Designated: The port transmits data to the switch downward, and sends the STPprotocol message to maintain the state of STP.

l Backup: The port receives the STP message, which proves that there exists a loopto the port itself.

l Alternate: The port receives excess STP protocol messages from other equipment.However, when the original link fails, the port becomes transmitting and maintains thenetwork taking the place of the faulty port.

l Edged: The port is used to connect the terminal equipment, for example, PC. Theport does not participate in the calculation before the STP is stable, and the state canbe switched fast.

According to the port role, the port state is different after the calculation becomes steady.For the relationships between the port role and the port state, refer to Table 5-1.

Table 5-1 Port Role and Port State

Port Role Port State

Master Forward

Root Forward

Designated Forward

Backup Discard

5-35



Port Role Port State

Alternate Discard

Edged Forward

Protection Feature OverviewBPDU Protection on a Port

A boundary port is not expected to receive any BPDUs. Receipt of any BPDUs indicatesa failure in the network. To avoid this situation, BPDU protection can be configured on aboundary port.

After being configured with BPDU protection, if a port receives a BPDU, the port will beshut down and a warning message will be displayed. The system waits for some secondsof user configured and then tries to re-open the port. If it still receives BPDUs, the port willbe shut down again. By doing so, the network can be protected from being attacked byabnormal BPDUs to maintain the stability of the topology.

Loopback Protection on a Port

When a non-designated ports other than port breaks down and cannot receive any BPDUs,STP will transit the port to a designated port and its state to Forwarding state, which leadsto loops. To avoid this situation, port loopback protection can be configured on a blockedport.

After being configured with port loopback protection, if a blocked port no longer receivesany BPDUs, it will enter Loop_Inconsistent state, under which no data will be forwardedfrom this port. When it receives BPDUs again, the port will automatically recover to ablocked port.

Root Protection on a Port

After the network has completed the spanning tree calculation, if a new switch is involvedand the numerical value for its bridge ID is lower than that for the root bridge, the newswitch will become the new root bridge to replace the old root bridge, which causes theentire network to recalculate the spanning tree. To avoid this situation, port root protectioncan be configured on the port where a new switch accesses the network.

The port root protection feature is used to protect the root bridge. After being configuredwith root protection, if a port receives a BPDU in which the numerical value for the bridgeID is lower, the port will enter RootGuard state to avoid spanning tree recalculation. Inthis state, no data will be forwarded from this port. Once the port no longer receives anyBPDU in which the numerical value for the bridge ID is lower, it will go through the transitorystates, that is, Listening state and Learning state, and finally transit to Forwarding state.The recovery is automatic, without any human intervention.

Configuring STPIn the default configuration, the MSTP only has the instance with ins_id being 0. Thisinstance always exists and users cannot manually delete it. This instance is mapped withVLANs 1 to 4094.

5-36



The STP configuration includes the following commands:

Command Function

zte(cfg)#set stp {enable | disable} Enables or disables the STP.

zte(cfg)#set stp forceversion {mstp | rstp | stp} Sets the forced STP type to

MSTP/RSTP/STP.

zte(cfg)#set stp port <portlist>{enable | disable} Enables or disables the port STP

function.

zte(cfg)#set stp port <portlist> linktype {point-point | shared} Sets port connection type.

zte(cfg)#set stp port <portlist> packettype {IEEE | CISCO |

HUAWEI | HAMMER | extend }

Sets instance port packet type.

zte(cfg)#set stp port <portlist> pcheck Checks the current STP protocol

type and selects the best protocol.

zte(cfg)#set stp port <portlist> bpdu-guard {enable | disable} Enables or disables the BPDU

packet protection function on the

port.

zte(cfg)#set stp bpdu-interval <10-65535> Sets an interval for BPDU

protection recovery.

zte(cfg)#set stp trunk <trunklist>{enable | disable} Enables trunk/disables the STP

function.

zte(cfg)#set stp trunk <trunklist> linktype {point-point | shared} Sets trunk connection type.

zte(cfg)#set stp trunk <trunklist> packettype {IEEE | CISCO |

HUAWEI | HAMMER | extend }

Sets packet types sent and

received by the trunk.

zte(cfg)#set stp edge-port {add | delete} port <portlist> Adds/deletes STP edge port.

zte(cfg)#set stp {hmd5-digest | hmd5-key}{CISCO |

HUAWEI}<0x00..0-0xff..f>

Sets hmd5 parameter when the

device is connected with CISCO

or HUAWEI.

zte(cfg)#set stp hellotime <1-10> Sets STP notification interval.

zte(cfg)#set stp forwarddelay <4-30> Sets STP forwarding delay time.

zte(cfg)#set stp agemax <6-40> Sets STP aging time

zte(cfg)#set stp hopmax <1-40> Sets the maximum number of hops

between edge equipment and root

switch of MSTP.

zte(cfg)#set stp name <name> Sets the name of the MSTP

domain.

zte(cfg)#set stp revision <0-65535> Sets the revision level of the

MSTP.

5-37



Command Function

zte(cfg)#set stp instance <0-63>{add | delete} vlan <vlanlist> Adds or deletes the VLAN to/from

the MSTP instance.

zte(cfg)#set stp instance <0-63>{port <1-28>| trunk < trunklist>} priority <0-240>

Sets the priority of the port/trunk

in the instance.

zte(cfg)#set stp instance <0-63>{port <1-28>| trunk <trunklist>}cost <1-200000000>

Sets the path cost of the port/trunk

in the instance.

zte(cfg)#set stp instance <0-63>{port <1-28>| trunk <trunklist>}root-guard {enable | disable}

Enables or disables the root

protection of port/trunk in the

instance.

zte(cfg)#set stp instance <0-63>{port <1-28>| trunk <trunklist>}loop-guard {enable | disable}

Enables or disables the loop

protection of port/trunk in the

instance.

zte(cfg)#set stp instance <0-63> priority <0-61440> Sets the priority of the bridge in

the instance, which is used for root

bridge selection.

zte(cfg)#clear stp instance <0-63> Deletes the instance.

zte(cfg)#clear stp instance <0-63>{port <1-28>| trunk <1-15>}cost

Sets the path cost of the port/trunk

in the instance as the default

value.

zte(cfg)#clear stp name Deletes the MSTP domain name.

show stp (all configuration modes) Displays STP global configuration

information.

show stp instance [<0-63>] (all configuration modes) Displays the state information of

the instance.

show stp port [<portlist>] (all configuration modes) Displays the STP port


show stp trunk <trunklist> (all configuration modes) Displays STP trunk configuration

information.

STP Configuration Instancel Configuration Description

Configure the STP function of switch 1 and switch 2, take switch 1 as the root bridgeand block a redundant port in the loop. This realizes loop protection and link backupbetween switches. See Figure 5-9.

5-38



Figure 5-9 STP Configuration Instance

l Configuration Procedurezte(cfg)#set stp enable

/*enable the stp protocol of switch1 and switch2*/

zte(cfg)#set stp forceversion stp

/*set STP forceversion as stp*/

l Configuration Verification1. Check the STP state of switch 1 in the system view.

zte(cfg)#show stp instance

Spanning tree enabled protocol stp

RootID:

Priority : 32768 Address : 00.d0.d0.02.00.54

HelloTime(s) : 2 MaxAge(s): 20

ForwardDelay(s): 15

Reg RootID:


RemainHops : 20

BridgeID:



ForwardDelay(s): 15 MaxHops : 20

Interface PortId Cost Status Role Bound GuardStatus

--------- ------ ------- ------- ---------- ----- -----------

1 128.1 200000 Forward Designated SSTP None

2 128.2 200000 Forward Designated SSTP None

2. Check the STP state of switch 2 in the system view.zte(cfg)#show stp instance

Spanning tree enabled protocol stp

RootID:



ForwardDelay(s):15

Reg RootID:


RemainHops : 20

BridgeID:





--------- ------ ------- ------- ---------- ----- -----------

5-39



1 128.1 200000 Forward Root SSTP None

2 128.2 200000 Discard Alternate SSTP None

RSTP Configuration Instancel Configuration Description

Configure the RSTP function of switch 1 and switch 2, take switch 1 as the root bridgeand block a redundant port in the loop. This realizes loop protection and link backupbetween switches. See Figure 5-10.

Figure 5-10 RSTP Configuration Instance


/*enable STP protocol of switch1 and switch2*/

zte(cfg)#set stp forceversion rstp

/*set forceversion of stp as rstp*/

l Configuration Verification1. Check the STP state of switch 1 in the system view.

zte(cfg)#show stp instance

Spanning tree enabled protocol rstp

RootID:



ForwardDelay(s): 15

Reg RootID:


RemainHops : 20

BridgeID:





--------- ------ -------- ------- ---------- ----- -----------

1 128.1 200000 Forward Designated RSTP None

2 128.2 200000 Forward Designated RSTP None


Spanning tree enabled protocol rstp

RootID:



5-40



ForwardDelay(s):15

Reg RootID:


RemainHops : 20

BridgeID:





--------- ------ --------- ------- ---------- ----- -----------

1 128.1 200000 Forward Root RSTP None

2 128.2 200000 Discard Alternate RSTP None

MSTP Configuration Instancel Configuration Description

Configure the MSTP of switch1 and switch2 (they are in the same MST area) torealize link backup and block the loop in the network. The configuration is as follows:establish mapping between instance 1 and service VLAN10-20; set Name to zte andRevision to 10. Take switch 1 as the root bridge in instance 1. See Figure 5-11.

Figure 5-11 MSTP Configuration Instance


/*enable the stp protocol of switch1 and switch2*/

zte(cfg)#set stp forceversion mstp

/*set the STP forceversion as mstp*/

zte (cfg)#set stp name zte

/*set switch1 and switch2 in the same area*/

zte(cfg)#set stp revision 10

zte(cfg)#set stp instance 1 add vlan 10-20

l Configuration Verification1. Check the STP state of switch 1 and switch 2 in the system view.

zte(cfg)#show stp

The spanning_tree protocol is enabled!

The STP ForceVersion is MSTP !

Revision: 10

Name: zte

Bpdu interval: 100

Cisco key: 0x13ac06a62e47fd51f95d2ba243cd0346

5-41



Cisco digest: 0x00000000000000000000000000000000

Huawei key: 0x13ac06a62e47fd51f95d2ba243cd0346

Huawei digest: 0x00000000000000000000000000000000

Instance VlanMap

-------- -------------------

0 1-9,21-199,211-4094

1 10-20,200-210


MST00

Spanning tree enabled protocol mstp

RootID:



ForwardDelay(s): 15

Reg RootID:


RemainHops : 20

BridgeID:





--------- ------ ------- ------- ---------- ----- -----------

1 128.1 200000 Forward Designated MSTP None

2 128.2 200000 Forward Designated MSTP None

MST01


RootID:


HelloTime(s) : 2 MaxAge(s) : 20

ForwardDelay(s): 15 RemainHops : 20

BridgeID:




Interface PortId Cost Status Role GuardStatus

--------- ------ ------- ------- ---------- -----------

1 128.1 200000 Forward Designated None

2 128.2 200000 Forward Designated None


MST00


RootID:

5-42





ForwardDelay(s):15

Reg RootID:


RemainHops : 19

BridgeID:





--------- ------ ------- ------- ---------- ----- ---------

1 128.1 200000 Forward Root MSTP None

2 128.2 200000 Discard Alternate MSTP None

ST01


RootID:



ForwardDelay(s):15 RemainHops : 19

BridgeID:




Interface PortId Cost Status Role GuardStatus

--------- ------ ------- ------- ---------- ------------

1 128.1 200000 Forward Root None

2 128.2 200000 Discard Alternate None

5.11 ACL ConfigurationACL OverviewAn Access Control List (ACL) is a sequential collection of permissions that apply topackets. When a packet is received on an interface, the switch compares the fields inthe packet against applied ACLs to verify that the packet has the required permissions tobe forwarded, based on the criteria specified in the access lists. It tests packets againstthe conditions in an access list one by one. The first match determines whether theswitch accepts or rejects the packets because the switch stops testing conditions afterthe first match. The order of conditions in the list is critical. If no conditions match, theswitch rejects the packets. If there are no restrictions, the switch forwards the packet.Otherwise, the switch drops the packet.

The ZXR10 2900E supports the following functions.

l The ZXR10 2900E provides two binding types, including physical port and VLAN port.

5-43



l ACL rules can be added, deleted, and sorted.1. Rules can be added to a configured ACL. Regular ID number range is 1-500.2. Configured ACL can be deleted regularly. If the specified ACL instance number

or rule number is not configured, a false message will return.3. Many rules of an ACL can be sorted. It is necessary to specify the position where

a rule number should be moved.l An ACL can become valid according to the configured time range. After configuring

absolute or relative time range on the switch, the time range can be applied to the ruleof the ACL. This causes the rule to be valid according to the time range specification.

l The ZXR10 2900E provides the following ten types of ACLs:1. Basic ACL: Only matches the source IP address.2. Extended ACL: Matches the source IP address, destination IP address, IP

protocol type, TCP source port number, TCP destination port number, UDPsource port number, UDP destination port number, ICMP type, ICMP Code andDiffServ Code Point (DSCP).

3. L2 ingress ACL: Matches the source MAC address, destination MAC address,source VLAN ID and 802. 1p priority value, Ethernet network type andDSAP/SSAP.

4. Hybrid ingress ACL: Matches source IPv4/IPv6 address, destination IPv4/IPv6address, IP protocol type, TCP source port number, TCP destination port number,UDP source port number, UDP destination port number, DiffServ Code Point(DSCP), source MAC address, destination MAC address, source VLAN ID and802. 1p priority value.

5. Global ACL: Matches the source IP address, destination IP address, IP protocoltype, TCP source port number, TCP destination port number, UDP source portnumber, UDP destination port number, DiffServ Code Point (DSCP), source MACaddress, destination MAC address, source VLAN ID and 802. 1p priority value.

6. Basic egress ACL: Only matches source IP address.7. Extended egress ACL: Matches the source IP address, destination IP address,

IP protocol type, TCP source port number, TCP destination port number, UDPsource port number, UDP destination port number, ICMP type, ICMP Code andDiffServ Code Point (DSCP).

8. L2 egress ACL: Matches the destination MAC address, source VLAN ID and 802.1p priority value, Ethernet network type and DSAP/SSAP.

9. Hybrid egress ACL: Matches the Source IPv4/IPv6 address, destinationIPv4/IPv6 address, IP protocol type, TCP source port number, TCP destinationport number, UDP source port number, UDP destination port number, DiffServCode Point (DSCP), source MAC address, destination MAC address, sourceVLAN ID and 802. 1p priority value.

10. User-defined ingress ACL: Only matches the bytes defined by users.l Each ACL has an access list number to identify, which is a digit. The access list

number ranges of different types of ACL are shown below:1. Basic ingress ACL: 1–992. Extended ingress ACL: 100–1993. L2 ingress ACL: 200–299

5-44



4. Hybrid ingress ACL: 300–399, support IPv65. Basic egress ACL: 400–4996. Extended egress ACL: 500–5997. L2 egress ACL: 600-6998. Hybrid egress ACL:700–799, supports IPv69. Global ACL: 80010. User-defined ingress ACL: 801–828

l Each ACL has at most 500 rules and the range is 1–500.

Configuring ACLThe ACL configuration includes the following commands:

Command Function

zte(cfg)#set port <portlist> acl mode {port | vlan} Sets port ACL binding mode.

zte(cfg)#set port <portlist> acl <1-799, 801–828>{enable |

disable}

Binds ACL instance to the port.

zte(cfg)#set vlan <vlanlist> acl <1-399, 801–828>{enable |

disable}

Binds ACL instance to the VLAN.

zte(cfg)#set acl <1-799,801-828> rule <1-500> time-range<word>{enable|disable}

Executes an ACL action in a

specific time range.

zte(cfg)#create acl <1-828> name <name> Creates an ACL name.

zte(cfg)#clear acl<1-828> name Clears an ACL name.

zte(cfg)#show port <portlist> acl-mode Displays port ACL binding mode.

zte(cfg)#config ingress-acl basic number <1-99> Creates and configures a basic

ingress ACL instance.

zte(basic-acl-group)#rule <1-500>{permit | deny}{<source-ipa

ddr><sip-mask>| any}[fragment]

Sets a basic ingress ACL rule.

zte(cfg)#clear ingress-acl basic number <1-99> Clears a basic ingress ACL

instance.

zte(cfg)#config ingress-acl extend number <100-199> Creates and configures an

extended port ACL instance.

zte(extend-acl-group)#rule <1-500>{permit |

deny}<ip-protocol>{<source-ipaddr><sip-mask>| any}{<des

tination-ipaddr><dip-mask>| any}[dscp <0-63>][fragment]

Sets the rule that an extended

ingress ACL is used to match

specified fields of IPv4 packets.

zte(extend-acl-group)#rule <1-500>{permit | deny} icmp

{<source-ipaddr><sip-mask>| any}{<destination-ipaddr><dip-mask>|

any}[icmp-type <0-254><icmp-code>][dscp <0-63>][fragment]


ingress ACL is used to match

ICMP packets.

zte(extend-acl-group)#rule <1-500>{permit | deny} ip


any}[dscp <0-63>][fragment]


ingress ACL is used to match IP

packets.

5-45



Command Function

zte(extend-acl-group)#rule <1-500>{permit | deny}

tcp {<source-ipaddr><sip-mask>| any}[source-port<0-65535><sport-mask>]{<destination-ipaddr><dip-mask>|

any}[dest-port <0-65535><dport-mask>][establishing |established][dscp <0-63>][fragment]


ingress ACL is used to match TCP

packets.

zte(extend-acl-group)#rule <1-500>{permit | deny}

udp {<source-ipaddr><sip-mask>| any}[source-port<0-65535><sport-mask>]{<destination-ipaddr><dip-mask>|

any}[dest-port <0-65535><dport-mask>][dscp <0-63>][fragment]


ingress ACL is used to match UDP

packets.

zte(extend-acl-group)#rule <1-500>{permit | deny} arp

{<sender-ipaddr><sip-mask>| any}{<target-ipaddr><tip-mask>| any}


ingress ACL is used to match ARP

packets.

zte(cfg)#clear ingress-acl extend number <100-199> Clears an extended port ACL

instance.

zte(cfg)#config ingress-acl link number <200-299> Creates and configures a layer-2


zte(link-acl-group)#rule <1-500>{permit | deny} ip {[cos<0-7>][<vlan-id>[<vlan-mask>]][<source-mac><smac-mask>|

any][<dest-mac><dmac-mask>| any]}

Sets the rule that a layer-2 ingress

ACL is used to match IP packets.

zte(link-acl-group)#rule <1-500>{permit | deny} arp {[cos<0-7>][<vlan-id>[<vlan-mask>]][<source-mac><smac-mask>|



ACL is used to match ARP

packets.

zte(link-acl-group)#rule <1-500>{permit | deny} other

{[ether-type <1501-65535>| dsap-ssap <0-65535>][cos<0-7>][<vlan-id>[<vlan-mask>]][<source-mac><smac-mask>|



ACL is used to match packets

except IP/ARP packets.

zte(link-acl-group)#rule <1-500>{permit | deny} any [cos<0-7>][<vlan-id>[<vlan-mask>]][<source-mac><smac-mask>|

any][<dest-mac><dmac-mask>| any]


ACL is used to match packets with

specified cos, VLAN id, smac, and

dmac flags.

zte(cfg)#clear ingress-acl link number <200-299> Clears a layer-2 ingress ACL

instance.

zte(cfg)#config ingress-acl hybrid number <300-399> Creates and configures a hybrid


zte(hybrid-acl-group)#rule <1-500>{permit |

deny}<ip-protocol>{<source-ipaddr><sip-mask>| any}{<des

tination-ipaddr><dip-mask>| any}[dscp <0-63>][fragment][cos<0-7>][<vlan-id>[<vlan-mask>]][<source-mac><smac-mask>|


Sets the rule that a hybrid ingress

ACL is used to match specified

fields of IPv4 packets.

5-46



Command Function

zte(hybrid-acl-group)#rule <1-500>{permit | deny} ip


any}[dscp <0-63>][fragment][cos <0-7>][<vlan-id>[<vlan-mask>]][<source-mac><smac-mask>| any][<dest-mac><dmac-mask>| any]


ACL is used to match IPv4

packets.

zte(hybrid-acl-group)#rule <1-500>{permit | deny} tcp

{<source-ipaddr><sip-mask>| any}[source-port <0-65535><sport-mask>]{<destination-ipaddr><dip-mask>| any}[dest-port<0-65535><dport-mask>][dscp <0-63>][fragment][cos<0-7>][<vlan-id>[<vlan-mask>]][<source-mac><smac-mask>|



ACL is used to match IPv4-TCP

packets.

zte(hybrid-acl-group)#rule <1-500>{permit | deny} udp

{<source-ipaddr><sip-mask>| any}[source-port <0-65535><sport-mask>]{<destination-ipaddr><dip-mask>| any}[dest-port<0-65535><dport-mask>][dscp <0-63>][fragment][cos<0-7>][<vlan-id>[<vlan-mask>]][<source-mac><smac-mask>|



ACL is used to match IPv4-UDP

packets.

zte(hybrid-acl-group)#rule <1-500>{permit | deny} arp

{<sender-ipaddr><sip-mask>| any}{<target-ipaddr><tip-mask>|

any}[cos <0-7>][<vlan-id>[<vlan-mask>]][<source-mac><smac-mask>| any][<dest-mac><dmac-mask>| any]



packets.

zte(hybrid-acl-group)#rule <1-500>{permit | deny} any

{[ether-type <1501-65535>][cos <0-7>][<vlan-id>[<vlan-mask>]][<source-mac><smac-mask>| any][<dest-mac><dmac-mask>|

any]}


ACL is used to match non-IPv6

packets.

zte(hybrid-acl-group)#rule <1-500>{permit | deny}

ipv6 <ip-protocol>{<source-ipv6addr><sipv6-mask>|

any}[<destination-ipv6addr><dipv6-mask>| any][<vlan-id>]


ACL is used to match specified

fields of IPv6 packets.

zte(hybrid-acl-group)#rule <1-500>{permit | deny}

ipv6 tcp {<source-ipv6addr><sipv6-mask>| any}[source-port<0-65535><sport-mask>][<destination-ipv6addr><dipv6-mask>|

any][dest-port <0-65535><dport-mask>][<vlan-id>]


ACL is used to match IPv6-TCP

packets.

zte(hybrid-acl-group)#rule <1-500>{permit | deny} ipv6

udp {<source-ipv6addr><sipv6-mask>| any}[source-port<0-65535><sport-mask>][<destination-ipv6addr><dipv6-mask>|

any][dest-port <0-65535><dport-mask>][<vlan-id>]


ACL is used to match IPv6-UDP

packets.


deny} ipv6 any {<source-ipv6addr><sipv6-mask>|



ACL is used to match IPv6

packets.

5-47



Command Function


deny} ipv6 icmp {<source-ipv6addr><sipv6-mask>|



ACL is used to match IPv6 ICMP

packets.

zte(hybrid-acl-group)#rule <1-500>{permit | deny} all Sets the rule that a hybrid ingress

ACL is used to match any packet.

zte(cfg)#clear ingress-acl hybrid number <300-399> Clears a hybrid ingress ACL

instance.

zte(cfg)#config ingress-acl user-define number <801-828>

Creates and configures a

user-defined ingress ACL

instance.

zte(ingress-user-define-acl)#rule <1-500>{permit |

deny}[ udb1 <udb-value>< udb-mask>][ udb2 <udb-value><

udb-mask>][ udb3 <udb-value>< udb-mask>][ udb4 <udb-value><udb-mask>][ udb5 <udb-value>< udb-mask>][ udb6 <udb-value><udb-mask>][ udb7 <udb-value>< udb-mask>][ udb8<udb-value><udb-mask>][ udb9 <udb-value>< udb-mask>][ udb10 <udb-value><udb-mask>][ udb11 <udb-value>< udb-mask>][ udb12<udb-value>< udb-mask>][ udb13 <udb-value>< udb-mask>][

udb14 <udb-value>< udb-mask>][ udb15 <udb-value>< udb-mask>]

Defines a rule in a user-defined

ingress ACL.

zte(cfg)#clear ingress-acl user-define number <801-828>Deletes a user-defined ingress

ACL instance.

zte(cfg)#config ingress-acl global Enters and configures a global


zte(global-acl-group)#rule <1-16>{permit | deny} port

{<1-28>| any}<ip-protocol>{<source-ipaddr><sip-mask>| any}{<d

estination-ipaddr><dip-mask>| any}[dscp <0-63>][fragment][cos<0-7>][<vlan-id>[<vlan-mask>]][<source-mac><smac-mask>|


Sets the rule that a global ingress

ACL matches specified fields of

IPv4 packets.


{<1-28>| any} ip {<source-ipaddr><sip-mask>| any}{<destina

tion-ipaddr><dip-mask>| any}[dscp <0-63>][fragment][cos<0-7>][<vlan-id>[<vlan-mask>]][<source-mac><smac-mask>|



ACL matches IPv4 packets.


{<1-28>| any} tcp {<source-ipaddr><sip-mask>| any}[source-port<0-65535><sport-mask>]{<destination-ipaddr><dip-mask>| any}[dest-port <0-65535><dport-mask>][dscp <0-63>][fragment][cos<0-7>][<vlan-id>[<vlan-mask>]][<source-mac><smac-mask>|



ACL matches IPv4–TCP packets.

5-48



Command Function


{<1-28>| any} udp {<source-ipaddr><sip-mask>| any}[source-port<0-65535><sport-mask>]{<destination-ipaddr><dip-mask>| any}[dest-port <0-65535><dport-mask>][dscp <0-63>][fragment][cos<0-7>][<vlan-id>[<vlan-mask>]][<source-mac><smac-mask>|



ACL matches IPv4–UDP packets.

zte(global-acl-group)#rule <1-500>{permit | deny}

port {<1-28>| any} arp {<sender-ipaddr><sip-mask>|

any}{<target-ipaddr><tip-mask>| any}[cos <0-7>][<vlan-id>[<vlan-mask>]][<source-mac><smac-mask>| any][<dest-mac><dmac-mask>|

any]



packets.

zte(global-acl-group)#rule <1-500>{permit | deny}

port {<1-28>| any} any {[ether-type <1501-65535>][cos<0-7>][<vlan-id>[<vlan-mask>]][<source-mac><smac-mask>|



ACL is used to match non IPv6

packets.

zte(cfg)#config egress-acl basic number < 400-499> Creates a basic egress ACL

instance and configures it.

zte(egress-basic-acl)#rule < 1-500>{ permit | deny}{<

source-ipaddr>< sip-mask>| any}[ fragment]

Sets a basic egress ACL.

zte(cfg)#clear egress-acl basic number < 400-499> Clears a basic egress ACL

instance.

zte(cfg)#config egress-acl extend number < 500-599> Creates an extended egress ACL


zte(egress-extend-acl)#rule < 1-500>{ permit |

deny}< ip-protocol>{< source-ipaddr>< sip-mask>| any}{<

destination-ipaddr>< dip-mask>| any}[ dsscp < 0-63>][ fragment]

Sets an extended egress ACL that

matches specified fields of IPv4

packets.

zte(egress-extend-acl)#rule < 1-500>{ permit | deny} icmp {<

source-ipaddr>< sip-mask>| any}{< destination-ipaddr>< dip-mask>|

any}[ iicmp-ttype < 0-254>< icmp-code>][ dsscp < 0-63>][

fragment]


matches ICMP packets.

zte(egress-extend-acl)#rule < 1-500>{ permit | deny} ip {<


any}[ dsscp < 0-63>][ fragment]


matches IP packets.

zte(egress-extend-acl)#rule < 1-500>{ permit | deny} tcp {<

source-ipaddr>< sip-mask>| any}[ ssourrce-porrtt < 0-65535><sport-mask>]{< destination-ipaddr>< dip-mask>| any}[ desstt-porrtt< 0-65535>< dport-mask>][ establishing | established][ dsscp <

0-63>][ fragment]


matches TCP packets.

5-49



Command Function

zte(egress-extend-acl)#rule < 1-500>{ permit | deny} udp {<

source-ipaddr>< sip-mask>| any}[ ssourrce-porrtt < 0-65535><sport-mask>]{< destination-ipaddr>< dip-mask>| any}[ desstt-porrtt< 0-65535>< dport-mask>][ dsscp < 0-63>][ fragment]


matches UDP packets.

zte(egress-extend-acl)#rule < 1-500>{ permit | deny} arp {<

sender-ipaddr>< sip-mask>| any}{< target-ipaddr>< tip-mask>| any}


matches ARP packets.

zte(cfg)#clear egress-acl extend number < 500-599> Clears an extended egress ACL

instance.

zte(cfg)#config egress-acl link number < 600-699> Creates a layer-2 egress ACL


zte(egress-link-acl)#rule < 1-500>{ permit | deny} ip {[ coss< 0-7>][< vlan-id>[< vlan-mask>]][< dest-mac>< dmac-mask>| any]}

Sets a layer-2 egress ACL that

matches IP packets.

zte(egress-link-acl)#rule < 1-500>{ permit | deny} arp {[ coss< 0-7>][< vlan-id>[< vlan-mask>]][< dest-mac>< dmac-mask>| any]}



zte(egress-link-acl)#rule < 1-500>{ permit | deny} other

{[ ether-type < 1501-65535>| dsap-ssap < 0-65535>][ coss< 0-7>][< vlan-id>[< vlan-mask>]][< source-mac>< smac-mask>|

any][< dest-mac>< dmac-mask>| any]}


matches packets except IP/ARP

packets.

zte(egress-link-acl)#rule <1-500>{permit | deny} any

[<vlan-id>[<vlan-mask>]][cos <0-7>][<dest-mac><dmac-mask>|any]

Sets the rule that a layer-2 egress

ACL is used to match packets with

specified cos, VLAN id, and dmac

flags.

zte(cfg)#clear egress-acl link number < 600-699> Clears a layer-2 egress ACL

instance.

zte(cfg)#config egress-acl hybrid number < 700-799> Creates a hybrid egress ACL


zte(egress-hybrid-acl)#rule < 1-500>{ permit |

deny}< ip-protocol>{< source-ipaddr>< sip-mask>| any}{<

destination-ipaddr>< dip-mask>| any}[ dsscp < 0-63>][ fragment][

coss < 0-7>][< vlan-id>[< vlan-mask>]][< source-mac><

smac-mask>| any][< dest-mac>< dmac-mask>| any]

Sets a hybrid egress ACL that


packets.

zte(egress-hybrid-acl)#rule < 1-500>{ permit | deny} ip {<


any}[ dsscp < 0-63>][ fragment][ coss < 0-7>][< vlan-id>[<

vlan-mask>]][< source-mac>< smac-mask>| any][< dest-mac><

dmac-mask>| any]


matches IPv4 packets.

5-50



Command Function

zte(egress-hybrid-acl)#rule < 1-500>{ permit | deny} tcp {<

source-ipaddr>< sip-mask>| any}[ ssourrce-porrtt < 0-65535><sport-mask>]{< destination-ipaddr>< dip-mask>| any}[ desstt-porrtt< 0-65535>< dport-mask>][ dsscp < 0-63>][ fragment][ coss< 0-7>][< vlan-id>[< vlan-mask>]][< source-mac>< smac-mask>|

any][< dest-mac>< dmac-mask>| any]


matches IPv4-TCP packets.

zte(egress-hybrid-acl)#rule < 1-500>{ permit | deny} udp {<

source-ipaddr>< sip-mask>| any}[ ssourrce-porrtt < 0-65535><sport-mask>]{< destination-ipaddr>< dip-mask>| any}[ desstt-porrtt< 0-65535>< dport-mask>][ dsscp < 0-63>][ fragment][ coss< 0-7>][< vlan-id>[< vlan-mask>]][< source-mac>< smac-mask>|

any][< dest-mac>< dmac-mask>| any]


matches IPv4-UDP packet.

zte(egress-hybrid-acl)#rule < 1-500>{ permit | deny} arp

{< sender-ipaddr>< sip-mask>| any}{< target-ipaddr>< tip-mask>|

any}[ coss < 0-7>][< vlan-id>[< vlan-mask>]][< source-mac><

smac-mask>| any][< dest-mac>< dmac-mask>| any]



zte(egress-hybrid-acl)#rule < 1-500>{ permit | deny} any

{[ ettherr-ttype < 1501-65535>][ coss < 0-7>][< vlan-id>[<

vlan-mask>]][< source-mac>< smac-mask>| any][< dest-mac><

dmac-mask>| any]}


matches non-IPv6 packet

zte(egress-hybrid-acl)#rule < 1-500>{ permit | deny}

iipv6 < ip-protocol>{< source-ipv6addr>< sipv6-mask>| any}[<

destination-ipv6addr>< dipv6-mask>| any][< vlan-id>]



packets.

zte(egress-hybrid-acl)#rule < 1-500>{ permit | deny} ipv6

tcp {< source-ipv6addr>< sipv6-mask>| any}[ ssourrce-porrtt <0-65535>< sport-mask>][< destination-ipv6addr>< dipv6-mask>|

any][ desstt-porrtt < 0-65535>< dport-mask>][< vlan-id>]


matches IPv6-TCP packets.

zte(egress-hybrid-acl)#rule < 1-500>{ permit | deny} ipv6

udp {< source-ipv6addr>< sipv6-mask>| any}[ ssourrce-porrtt <0-65535>< sport-mask>][< destination-ipv6addr>< dipv6-mask>|

any][ desstt-porrtt < 0-65535>< dport-mask>][< vlan-id>]


matches IPv6-UDP packets.

zte(egress-hybrid-acl)#rule < 1-500>{ permit | deny} ipv6 any

{< source-ipv6addr>< sipv6-mask>| any}[< destination-ipv6addr><

dipv6-mask>| any][< vlan-id>]


matches IPv6 packets.

zte(egress-hybrid-acl)#rule < 1-500>{ permit | deny} all Sets a hybrid egress ACL that

matches any packet.

zte(cfg)#clear egress-acl hybrid number < 700-799> Clears a hybrid egress ACL

instance.

zte(cfg)#config ingress-acl user-define udb <1-15> anchor<0-3>[offset <0-31>][data-length<1-6>]

Sets a user-defined anchor and

offset.

5-51



Command Function

zte(cfg)#config ingress-acl user-define udb <1-15> description<string>

Sets a description for a

user-defined byte.

zte(cfg)#clear acl udb <1-15> descriptionClears the description of a

user-defined byte.

move <1-500>{after | before}<1-500> (all ACL configuration

modes)

Sorts rules in ACL instance.

clear rule <1-500> (all ACL configuration modes) Clears one rule in ACL instance.

zte(cfg)#show vlan-range <vlan-range> Displays the best mask

configuration when VLAN ID

is matched in batch.

zte(cfg)#show acl binding {all | port [<portlist>]| vlan [<vlanlist>]} Displays the configuration

information that ACL is bound to

the interface.

zte(cfg)#show acl config Displays ACL summary

configuration.

zte(cfg)#show acl config [<1-828>| name <word>][ active |

command | deny | passive | permit | policy | rule <1-500>| snmp| time-range ]

Displays the detailed configuration

of ACL instance.

zte(cfg)#show acl udb Displays detailed configurations of

user-defined bytes.

zte(cfg)#create acl <1-828> description <description> Sets ACL descriptions.

zte(cfg)#clear acl <1-828> description Deletes ACL descriptions.

ACL Configuration Instancel Configuration Description

Configure ACL in the switch to realize the following functions. Forbid the users toaccess the external network through the gateway from 9:00 to 18:00. The gatewayconnects with the switch on port 26. The client PC connects the switch on ports 1-24.All the users access the external network through the gateway 192.168.0.1. SeeFigure 5-12.

5-52



Figure 5-12 ACL Configuration Instance

l Configuration Procedurezte(cfg)#config ingress-acl hybrid number 300

zte(ingress-hybrid-acl)#rule 1 deny ip any 192.168.0.1 255.255.255.255

zte(ingress-hybrid-acl)#rule 2 deny arp any 192.168.0.1 255.255.255.255

zte(ingress-hybrid-acl)#exit

zte(cfg)#set port 1-24 acl 300 enable

zte(cfg)#set time-range worktime range period 09:00 to 18:00 daily

zte(cfg)#set time-range worktime acl 300 rule 1 enable

zte(cfg)#set time-range worktime acl 300 rule 2 enable

5.12 QoS ConfigurationQoS OverviewQoS can provide end-to-end data exchange with a high quality. The content includes thefollowing parts:

l Port ingress rate limitl Port egress shapingl Port queue schedule algorithml Port priority mappingl QoS profile configurationl Traffic Classification (TC)l Flow rate limitl Flow statistics, count the packet with the special color based on the flow rate limit.l Flow mapping, flow redirection.l Specified field modification for specified packets.

QoS includes port QoS, global QoS and flow-based QoS.

5-53



For the data packet QoS handling method on the network edge device on the access side,there are the following conditions:

l The switch can select whether to trust the packet and which fields of the packet, suchas UP or DSCP, can be trusted when receiving the packet. It allocates the QoS serviceaccording to trusted fields.

l When the data packet received by the switch is not trusted, the QoS service isallocated according to the related QoS configuration on the receiving port.

l QoS service defines the internal processing method and external processing methodof the packet. The internal processing method includes TC, and the externalprocessing method includes modifying the 802.1p user priority of a data packet orthe DSCP domain of an IP header.

For the following network core device, implement the service similar to the previous serviceaccording to 802.1p of the packet or DSCP mark. This way, a set of end-to-end QoSservice is provided. When the flow exceeds the configuration, the network device canmodify the QoS service level such as dropping packets or allocating the lower-level QoSservice.

When a data packet enters the port, the switch will perform the QoS initialization markwhich mainly includes the initialization of TC QoS parameters.

In the direction of switch egress, the QoS is used to put the packet into the suitable queueaccording to marked TC and perform the corresponding queue scheduling algorithm andcongestion control algorithm according to the current queue configuration and modify itaccording to 802.1p user priority or IP DSCP field of the data packet.

Configuring QoSThe QoS configurations on the ZXR10 2900E includes global-based QoS configurationand port-based QoS configuration. Part of QoS configuration is related to ACL. The QoSconfiguration includes the following commands:

Command Function

zte(cfg)#set qos priority-mapping port <1-28> default-up <0-7> Sets the default port UP priority.

zte(cfg)#set qos priority-mapping port <1-28> trust-mode

{dscp-priority | port-profile | user-priority}

Sets the port trusted mode.

zte(cfg)#set qos priority-mapping port <1-28>{remapping-dscp

| remark {dscp-priority | user-priority}}{enable | disable}

Sets packet UP/DSCP

remark/remapping based on

the port.

zte(cfg)#set qos priority-mapping qos-profile dscp-to-dscp

<0-63> to <0-63>

Sets the mapping relation between

DSCPs .

zte(cfg)#set qos priority-mapping port <1-28> port-to-profileqos-profile <0-127>


the port and the QoS profile.

zte(cfg)#set qos priority-mapping qos-profile {up-to-profile<0-7>| dscp-to-profile <0-63>} qos-profile <0-127>


the DSCP/UP and the QoS profile.

5-54



Command Function

zte(cfg)#set qos priority-mapping qos-profile <0-127>{drop-pri

ority {red | yellow | green}| dscp-priority <0-63>| user-priority<0-7>| traffic-class <0-7>}

Sets the QoS profile template.

zte(cfg)#set qos priority-mapping qos-profile default Sets 128 QoS profiles to recover

default values.

zte(cfg)#set qos queue-schedule enhance {disable| enable} Sets the optimized queue

scheduling mode.

zte(cfg)#set qos queue-schedule mode {byte | packet} Sets the QoS queue scheduling

unit.

zte(cfg)#set qos queue-schedule port <1-28>{session <1-7>|

default}

Sets the scheduling policy of each

queue of the port.

zte(cfg)#set qos queue-schedule session <1-7><0-255><0-255><0

-255><0-255><0-255><0-255><0-255><0-255>[single-wrrgroup]

Sets scheduling policy template.

zte(cfg)#set qos traffic-limit mode {byte|packet} Sets the speed limit mode of the

global Ingress port.

zte(cfg)#set qos traffic-limit fe-port <1-24>{data-rate<0-100000>| disable}

Sets 100 M port ingress rate

limit, in which <0-100000> is the

maximum of data transmission

rate.

zte(cfg)#set qos traffic-limit fe-port <1-24>{packet-rate<0-148810>[packet-lenth <64-10240>]| disable}


limit, in which <0-148810> is the

maximum of packet transmission

rate.

zte(cfg)#set qos traffic-limit port <1-28> packet-type {broadcast

| known-uc | multicast | tcp-syn | unknown-uc}{enable | disable}

Sets the packet type that the rate

limit function limits.

zte(cfg)#set qos traffic-limit port <1-28> percent <1-100> Sets the ingress rate limit based

on the port bandwidth percentage.

zte(cfg)#set qos traffic-limit port <1-28> protect {enable|disable} Sets the port rate limiting function.

zte(cfg)#set qos traffic-limit port <1-28> protect time <1-10> Sets the port shutdown time

when the port rate limit function is

enabled.

zte(cfg)#set qos traffic-limit port <1-28> trap {enable | disable} Enables or disables the trap

function for a port.

zte(cfg)#set qos traffic-limit ge-port <25-28>{data-rate<32-1000000>| disable}


limit, in which, <32-100000> is the

maximum of data transmission

rate.

5-55



Command Function

zte(cfg)#set qos traffic-limit ge-port <25-28>{packet-rate<0-14881000>[packet-lenth <64-10240>]| disable}

Sets 1000 M port ingress rate limit.

zte(cfg)#set qos traffic-limit xge-port <2/1-2/4>{data-rate<0-10000000>| disable}

Sets the ingress rate limit for

the 10000 M port, in which,

<0-100000> is the maximum of

data transmission rate

zte(cfg)#set qos traffic-limit ge-port <2/1-2/4>{packet-rate<0-14881000>[packet-lenth <64-10240>]| disable}

Sets the ingress rate limit for

the 10000 M port, in which,

<0-148810> is the maximum of

packet transmission rate.

zte(cfg)#set qos traffic-shaping fe-port <1-24>{data-rate<32-100000> burst-size <8-4094>| disable}

Sets 100M egress shaping rate.

zte(cfg)#set qos traffic-shaping fe-port <1-24> queue<0-7>{data-rate <32-100000> burst-size <8-4094>| disable}

Sets 100M egress shaping rate

based on the queue.

zte(cfg)#set qos traffic-shaping ge-port <25-28>{data-rate<2-1000> burst-size <8-4094>| disable}

Sets 1000M egress shaping rate.

zte(cfg)#set qos traffic-shaping ge-port <25-28> queue<0-7>{data-rate <2-1000> burst-size <8-4094>| disable}

Sets 1000M egress shaping rate

based on the queue.

zte(cfg)#set qos traffic-shaping xge-port <2/1-2/4>{data-rate<2-10000> burst-size <8-4094>| disable}

Sets the Egress shaping rate for

the 10000 M port.

zte(cfg)#set qos traffic-shaping xge-port <2/1-2/4> queue<0-7>{data-rate <2-10000> burst-size <8-4094>| disable}

Sets the queue-based Egress

shaping rate for the 10000 M port.

zte(cfg)#set anti-DoS {enable | disable} Enables or disables the DOS

anti-attack function.

show qos priority-mapping port [<1-28>] (all configuration modes) Displays priority mapping

configuration based on the

port.

show qos priority-mapping qos-profile [<0-127>| dscp-to-dscp |

dscp-to-profile | up-to-profile] (all configuration modes)

Displays various priority-mapping

configuration related to the QoS

profile.

show qos queue-schedule mode (all configuration modes) Displays QoS queue scheduling

unit.

show qos queue-schedule port <1-28> (all configuration modes) Displays the queue scheduling

policy of each queue of the port.

show qos queue-schedule session [<1-7>] (all configuration modes) Displays the configuration of

scheduling policy template.

show qos traffic-limit [port <1-28>] protect (all configurationmodes)

Displays the egress rate limiting

configuration of the port.

5-56



Command Function

show qos traffic-limit [port <1-28>] trap (all configuration modes) Displays trap function

configuration.

show qos traffic-limit [port <1-28>] (all configuration modes) Displays ingress rate limit

configuration.

show qos traffic-shaping [port <1-28>] (all configuration modes) Displays egress shaping

configuration.

show anti-dos (all configuration modes) Displays the DOS anti-attack

configuration.

show qos traffic-limit [protect | port <1-28> protect] Displays the port protection

configuration.

zte(cfg)#set qos policer <0-383> mode {aware | blind} cir<32-10485760> cbs <20000-268435456>{ebs <20000-268435456>|pir <32-10485760> pbs <20000-268435456>}

Sets the flow policer.

zte(cfg)#set qos policer <0-383> exceed-action red {no-operation

| drop | remark} yellow {no-operation | drop | remark}

Sets flow policing action.

zte(cfg)#set qos policer <0-383> exceed-action remark profile<0-127> up {no-change | enable-modify | disable-modify} dscp {

no-change | enable-modify | disable-modify }

Sets the binding and action

implementation mode between the

flow policer and the QoS profile.

zte(cfg)#set qos policer counter-mode {L1 | L2 | L3} Sets the flow policer statistics

mode.

zte(cfg)#set qos policer <0-383> counter <0-255>{enable |disable}

Enables or disables the flow

policer statistics function and

configures the binding between

the flow policer and the counter.

zte(cfg)#set policy policing in acl <1-828> rule <1-500> policer<0-383>

Enables the flow policer and

handles the special flow by the

flow policer.

zte(cfg)#set policy remark in ingress-acl <1-399,800-828>

rule <1-500> profile <0-127> up {no-change | enable-modify |

disable-modify} dscp {no-change | enable-modify | disable-modify}

Uses the QoS profile to modify the

specified flow UP/DSCP field that

the ingress ACL matches.

zte(cfg)#set policy remark in egress-acl < 400-799> rrulle <1-500> up { no-change |< 0-7>} dscp { no-change |< 0-63>}

Uses the QoS profile to modify the

specified flow UP/DSCP field that

the egress ACL matches.

zte(cfg)#set mirror analyze-port session <1-3>{enable | disable} Sets the session between flow

mapping port and port mapping .

zte(cfg)#set policy mirror in acl <1-399,800-828> rule<1-500>{cpu | analyze-port}

Copies the specified data flow to

the monitor port.

5-57



Command Function

zte(cfg)#set policy redirect in acl <1-399,800-828> rule<1-500>{cpu | port <1-28>}

Redirects the specified data flow

to the user-specified egress port.

zte(cfg)#set policy statistics in acl <1-828> rule <1-500>

counter <0-1023>Implements flow statistic for the

data flow matching ACL rule.

zte(cfg)#set policy vlan-remark in acl <1-828> rule<1-500><1-4094>{nested | replace {untagged | tagged | all}}

Modifies the VLAN remark of the

specified flow.

zte(cfg)#set policy harddrop in acl <1-828> rule <1-500> Sets harddrop.

zte(cfg)#clear policy remark in acl <1-828> rule <1-500> Clears the configuration of the

specified flow UP/DSCP field

modified by QoS profile.

zte(cfg)#clear policy policing in acl <1-828> rule <1-500> Clears the configuration that

the flow policer processes the

specified flow.

zte(cfg)#clear policy mirror in acl <1-399,800-828> rule <1-500> Clears the configuration that

the specified flow mirrors to the

specified port.

zte(cfg)#clear policy statistics in acl <1-828> rule <1-500> Clears the configuration of

collecting statistics of packets of

the specified flow.

zte(cfg)#clear policy redirect in acl <1-399,800-828> rule<1-500>

Clears the configuration that the

specified flow is redirected to the

specified port.

zte(cfg)#clear policy vlan-remark in acl <1-828> rule <1-500> Clears the configuration of

modifying the specified flow VLAN

tag.

zte(cfg)#clear policy harddrop in acl <1-828> rule <1-500> Clears the configuration that

the specified flow implements

harddrop operation.

zte(cfg)#clear qos policy-counter <counterlist> Clears the counter that counts the

specified flow.

zte(cfg)#clear qos policer-counter <counterlist> Clears the flow policer statistics

value.

zte(cfg)#clear qos policer <0-383> Clears the flow policer

configuration.

show qos policer [<0-383>] (all configuration modes) Displays the flow policer

configuration.

show qos policy-counter [<0-1023>] (all configuration modes) Displays the counter value of the

specified flow.

5-58



Command Function

show qos policer-counter [<0-383>] (all configuration modes) Displays the flow policer statistics

value.

show policy [mirror | redirect | statistics | policing [<0-383>]|

vlan-remark | remark | harddrop] (all configuration modes)

Displays various binding

configuration of the specified

flow.

zte(cfg)#set icmp protect {enable|disable} Sets the ICMP protection function.

QoS Configuration Instancel Configuration Description

Use the 2928E as an example, set the uplink bandwidth of all the user-interface to 2Mbps. The uplink bandwidth of the switch is 20 Mbps. The uplink port is port 26 andthe client PC accesses the network through port 24. See Figure 5-13.

Figure 5-13 QoS Configuration Instance

l Configuration Procedurezte(cfg)#set qos traffic-limit fe-port 1 data-rate 2000

zte(cfg)#set qos traffic-limit fe-port 2 data-rate 2000

/*Omitted*/

zte(cfg)#set qos traffic-limit fe-port 24 data-rate 2000

zte(cfg)#set qos traffic-shaping ge-port 26 data-rate 20 burst-size 10

l Configuration Verificationzte(cfg)#show qos traffic-shaping port 26

Port Egress Traffic Shaping Table:

Port ID : 26

Port Shaping Rate (Kbps) : 20000 The Burst Size : 10

Queue 0 Shaping Rate (Kbps) : No-Limit The Burst Size : N/A


5-59









zte(cfg)#sho qos traffic-limit port 1

Port Ingress Traffic Limit Table:

Flags: DataRate - traffic limit rate (Kbps), BcEn - Enable Broadcast Limit

KucEn - Enable Known unicast Limit, McEn - Enable Multicast Limit

TcpSynEn - Enable TCP SYN Limit, UucEn - Enable Unknown unicast Limit

PORT DataRate(Kbps) BcEn KucEn McEn TcpSynEn UucEn

------- -------------- ----- ------ ----- --------- ------

port-1 2000 1 1 1 1 1

5.13 PVLAN ConfigurationPVLAN OverviewTo enhance network security, it is necessary to isolate users’ packets. A traditional solutionis to allocate a VLAN for a user. This solution has obvious limits, as described below.

1. IEEE 802.1Q standard supports 4094 VLANs at most. The number of users is limited,which is not good for network extension.

2. Each VLAN corresponds to an IP subnet. Too many subnets bring IP address waste.3. Too many VLANs and IP subnets make it difficult to manage networks.

The Private VLAN (PVLAN) technology solves these problems.

A PVLAN divides ports in a VLAN into hybrid ports, isolated ports, and community ports.l A hybrid port can communicate with any port.l An isolated port can communicate only with a hybrid port, and it cannot communicate

with other isolated ports.l A community port can communicate with a hybrid port or another community port in

the same session.

The ports within a VLAN are separated. Users can only communicate with their defaultgateways, and the network security is guaranteed.

The ZXR10 2900E series switches support four PVLAN sessions. Each PVLAN sessionsupports an unlimited number of hybrid ports. Each PVLAN supports an unlimited numberof isolated or community ports.

Configuring PVLANThe PVLAN configuration includes the following commands:

5-60



Command Function

zte(cfg)#set vlan pvlan session <1-4>{promise-port<portlist>|promise-trunk<trunklist>}{isolate-port<portlist>|isolate-trunk<trunklist>}{communi-port<portlist>|communi-trunk<trunklist>}

Sets the PVLAN function.

clear vlan pvlan [session<1-4>] Clears the PVLAN configuration.

show vlan pvlan [session<1-4>] (all configuration modes) Displays the PVLAN configuration.

zte(cfg)#set vlan pvlan session <1-4>{promise-port<portlist>|promise-trunk<trunklist>|isolate-port<portlist>|isolate-trunk<trunklist>|communi-port <portlist>| communi-trunk<trunklist>}

Configures a type of PVLAN port.

PVLAN Configuration Example Onel Configuration Description

Add a hybrid port 26 and isolated ports 1, 2, and 3 to session 1. See Figure 5-14.

Figure 5-14 PVLAN Configuration Example 1

l Configuration Procedurezte(cfg)#set vlan pvlan session 1 promis-port 26 isolate-port 1-3

l Configuration Verificationzte(cfg)#show vlan pvlan

pvlan session : 1

promis-ports : 26

promis-trunks :

isolate-ports : 1-3

5-61



isolate-trunks :

community-ports :

community-trunks :

PVLAN Configuration Example Twol Configuration Description

Add a trunk 1 and isolated ports 4, 5 and 6 into session 2. See Figure 5-15.

Figure 5-15 PVLAN Configuration Example 2

l Configuration Procedure1. Configuration of switch A:

zte(cfg)#set lacp enable


zte(cfg)#set lacp sggregator 1 mode dynamic

2. Configuration of switch B:zte(cfg)#set lacp enable



zte(cfg)#set vlan pvlan session 2 promis-trunk 1 isolate-port 4-6

l Configuration Verificationzte(cfg)#show vlan pvlan

pvlan session : 1

promis-ports : 16

promis-trunks :

isolate-ports : 1-3

isolate-trunks :

5-62



community-ports :

community-trunks :

pvlan session : 2

promis-ports :

promis-trunks : 1

isolate-ports : 4-6

isolate-trunks :

community-ports :

community-trunks :

5.14 Layer 2 Protocol Transparent TransmissionConfiguration

Layer 2 Protocol Transparent Transmission OverviewIEEE 802.1x is a Port-Based Network Access Control protocol. Port-based networkaccess control is a way to authenticate and authorize the users to be connected tothe LAN equipment. This type of authentication provides a point-to-pint subscriberidentification method in the LAN.

The ZXR10 2900E provides 802.1x transparent transmission function which transparentlytransmits 802.1x protocol packets from the client to the authentication server forauthentication.

The ZXR10 2900E provides 802.1x transparent transmission function. It also provideslayer-2 transparent transmission function such as STP, LACP/OAM, ZGMP,LLDP andGVRP. The protocol range is 0x00, 0x02-0x2f.

The common layer-2 protocols are shown below.

Protocol Number Protocol

0x00 STP

0x02 LACP/OAM

0x03 802.1x

0x09 ZGMP

0x0E LLDP

0x21 GVRP

Configuring Layer 2 Protocol Transparent TransmissionThe configuration of layer-2 protocol transparent transmission includes the followingcommands:

5-63



Command Function

zte(cfg)#set l2pt <protocol-list>{enable | disable | invalid} Enables or disables L2pt

transparent transmission function.

show l2pt (all configuration modes) Displays the configuration of L2pt

transparent transmission.

Layer 2 Protocol Transparent Transmission Configuration Instancel Configuration Description

Set the LACP transparent transmission function of L2pt of Switch 1 to implement thelink aggregation between Switch 2 and Switch 3. The configuration increases the linkbandwidth and realizes a redundant backup. See Figure 5-16.

Figure 5-16 Layer 2 Protocol Transparent Transmission Configuration Topology

l Configuration Procedurezte(cfg)#set l2pt 0x02 enable



zte(cfg)#set port 1,3 pvid 100



zte(cfg)#set port 2,4 pvid 200


Display the aggregation state of Switch 2 and Switch 3:


Group 1

Actor Partner

------------------------------- ----------------------------

Priority : 32768 32768

5-64



Mac : 00.d0.d0.02.00.54 00.d0.d0.29.52.06

Key : 258 258

Ports : 2, 1 2, 1

5.15 IPv4 Layer 3 ConfigurationIPv4 Layer 3 OverviewThe ZXR10 2900E provides a few IPv4 layer-3 functions for the remote configuration andmanagement. To realize the remote access, an IP port must be configured on the switch.If the IP port of the remote configuration host and that of the switch are not in the samenetwork segment, it is also necessary to configure the static route.

Static route is a simple unicast route protocol. The next-hop address to a destinationnetwork segment is specified by a user, where next hop is also called gateway. Static routeinvolves destination address, destination address mask, next-hop address, and egressinterface. Destination address and destination address mask describe the destinationnetwork information. The next-hop address and egress interface describe the way thatswitch forwards destination packets.

The ZXR10 2900E allows adding and deleting the static ARP table. The ARP table recordsmapping relationship between the IP address and the MAC address of each node in thesame network. When sending IP packets, the switch first checks whether the destinationIP address is in the same network segment. If yes, the switch checks whether there is apeer end IP address and MAC address mapping entry in the ARP table.

1. If yes, the switch directly sends the IP packets to this MAC address.2. If the MAC address corresponding to peer end IP address cannot be found in the ARP

table, an ARP Request broadcast packet will be sent to the network to query peer endMAC address.

Entries of the ARP table on the switch are dynamic. Static ARP table entry needs to beconfigured only when the connected host cannot respond the ARP Request.

Switch layer-3 configuration includes the following commands:

l Connectivity testl Layer 3 interface related configurationl ARP related configurationl Static route related configuration

The ZXR10 2900E series system supports the hardware routing function to increase IPpackets forwarding speed.

To configure the IPv4 layer-3 function, use the config router command to enter the layer-3configuration mode first.

Configuring IPv4 Layer 3 FunctionsThe configuration of the IPv4 L3 functions includes the following contents:

5-65



Command Function

zte(cfg)#ping <A.B.C.D>[<0-65535>[<28-65535>[<1-255>[<0-65

535>[<A.B.C.D>]]]]]

Detects the network connectivity.

zte(cfg)#trace <A.B.C.D>[max-ttl <1-255>[min-ttl<1-255>[repeat <1-65535>[source <A.B.C.D>[timeout<1-60>[udp-port <1-65535>]]]]]]

Router trace, which is used

to determine the path of IP

data messages to access the

destination.

zte(cfg-router)#set ipport <0-63>{enable | disable} Enables or disables a layer-3

interface.

zte(cfg-router)#set ipport <0-63> ipaddress {<A.B.C.D/M>|<A.

B.C.D>< A.B.C.D>}

Sets the IP address and submask

of a layer-3 port.

zte(cfg-router)#set ipport <0-63> mac <HH.HH.HH.HH.HH.HH>

Sets the MAC address of layer-3

port.

zte(cfg-router)#set ipport <0-63> vlan <1-4094> Sets the VLAN binding with layer-3

port.

zte(cfg-router)#iproute {<A.B.C.D/M>|<A.B.C.D>< A.B.C.D>}<

A.B.C.D>[<1-15>][description <string>]

Adds a static route.

zte(cfg-router)#arp add <A.B.C.D><HH.HH.HH.HH.HH.HH

><0-63>

Adds a static ARP.

zte(cfg-router)#arp delete <A.B.C.D> Deletes a static ARP.

zte(cfg-router)#arp ipport <0-63> timeout <1-1000> Sets ARP entry aging time based

on layer-3 interface.

zte(cfg-router)#arp gratuitous-send <5-4294967295> Enables the free ARP function and

sets the period for sending free

ARP messages.

zte(cfg-router)#clear arp Clears dynamic ARP entry in

batches.

zte(cfg-router)#clear iproute [{<A.B.C.D/M>|<A.B.C.D><A.B.

C.D>}<A.B.C.D>]

Clears static routing entry.

zte(cfg-router)#clear ipport <0-63>[mac | ipaddress | vlan |

dhcp ]

Deletes ipport configuration.

zte(cfg-router)#clear gratuitous-send Disable the free ARP function.

zte(cfg-router)#hardware-iproute {enable | disable} Enables or disables the hardware

routing function.

zte(cfg-router)#show arp [static | dynamic | invalid | ipport<0-63>[static | dynamic | invalid]| ipaddress <A.B.C.D>]

Displays the ARP table item

information and free ARP function

status according to various rules.

5-66



Command Function

show ipport [<0-63>](all configuration modes) Displays ipport layer-3 interface

configuration.

show iproute (all configuration modes) Displays all routing information.

show hardware-iproute (all configuration modes) Displays hardware routing

configuration.

IPv4 Layer 3 Configuration Instancel Configuration Description

Set the layer-3 IP address to 192.168.1.2 on the switch. The IP address 192.168.1.2can ping the IP address 192.168.1.1 successfully. Bind vlan100 with 192.168.1.2.Port 1 on switch connects with PC. See Figure 5-17.

Figure 5-17 Layer-3 Configuration Instance

l Configuration Procedurezte(cfg)#set vlan 100 enable



zte(cfg)#config route

zte(cfg-router)#set ipport 0 ipaddress 192.168.1.2 255.255.255.0

zte(cfg-router)#set ipport 0 vlan 100

zte(cfg-router)#set ipport 0 enable

l Configuration Verificationzte(cfg-router)#show ipport

IpPort En/Disable IpAddress Mask MacAddress VlanId

------ ---------- ------------ -------------- ----------------- ------

0 enabled 192.168.1.2 255.255.255.0 00.d0.d0.fa.29.20 100

zte(cfg-router)#exit

Use the ping command to check whether the layer-3 port is available.

zte(cfg)#ping 192.168.1.1

zte(cfg)#ping 192.168.1.1

Reply from 192.168.1.1 : bytes=28 time<1ms TTL=64





5-67



5.16 IPv6 Layer 3 ConfigurationIPv6 Layer 3 Function OverviewThe ZXR10 2900E supports IPv6 layer-3 functions for remote configuration andmanagement. The Layer 3 functions are as follows:

1. IPv6 interface configuration2. Ping v6 for checking network connectivity3. Telnet v6 server for remote login and configuration

Configuring IPv6 Layer 3 FunctionsThe configuration of IPv6 Layer 3 functions includes the following commands:

Command Function

zte(cfg-router)#set ipv6port <0> vlan <1-4094> Sets a VLAN associated with an

IPv6 Layer 3 interface.

zte(cfg-router)#set ipv6port <0> ipv6address

{<ipv6Addr/M>|<ipv6Addr><wildcard>}

Sets an IPv6 address and address

prefix length of an IPv6 Layer 3

interface.

zte(cfg-router)#set ipv6port <0>{enable | disable} Enables or disables an IPv6 Layer

3 interface.

zte(cfg-router)#ipv6route default <ipv6Addr> Adds an IPv6 static route.

zte(cfg-router)#clear ipv6port <0>[ipv6address<ipv6Addr/M>]

Clears IPv6 Layer 3 interface

configuration.

zte(cfg-router)#clear ipv6route default Clears the IPv6 default route.

show ipv6port (all configuration modes) Displays IPv6 Layer 3 interface

configuration.

show ipv6route(all configuration modes) Displays IPv6 route configuration.

show ipv6port <0> nd (all configuration modes) Displays IPv6 device neighbor

information, similar to the function

of the show arp command in IPv4.

zte(cfg)#ping6 <ipv6Addr>[<0-65535>[<48-1280>[<1-255>[<0-

65535>]]]]

Checks network connectivity,

similar to the function of the ping

command in IPv4.

Layer-3 IPv6 Configuration Instancel Configuration Description

On a switch, configure IPv6 address 12:12::c055:40, bind VLAN 300, configure thegateway, and set the port connected to the PC to port 10. On a PC, configure an IPv6address and interface route. See Figure 5-18.

5-68



Figure 5-18 Layer-3 IPv6 Configuration Instance

l Configuration Procedurezte(cfg)#set vlan 300 enable



zte(cfg)#config route

zte(cfg-router)#set ipv6port 0 ipv6address 12:12::c055:40/128

zte(cfg-router)#set ipv6port 0 vlan 300

zte(cfg-router)#set ipv6port 0 enable

zte(cfg-router)#set ipv6port 0 enable

zte(cfg-router)#ipv6route default 12:12::c055:12

l Configuration Verificatiozte(cfg-router)#show ipv6port

IpPort Status Ipv6AddrNum MacAddress VlanId IpMode

------ ------ --------------- ----------------- ------ ------

0 up 1 00.22.93.63.4f.70 300 static

Use the ping command to check whether the layer-3 port is available.

zte(cfg)#ping6 12:12::c055:40

Reply from 12:12::c055:40 : bytes=48 time<1ms TTL=64





5.17 DAI ConfigurationDAI OverviewBecause so many ARP middle-man-attacks happen, Dynamic ARP Inspection (DAI) isintroduced in the ZXR10 2900E. DAI checks the ARP packet received by the switch. If thepacket meets the condition, it will be forwarded. Otherwise it will be dropped.

DAI is related to the trusted state of the port of the switch. If an ARP packet is receivedon a trusted port, shield all DAI detections. If an ARP packet is received on a non-trustedport, it must pass the DAI validity test.

Configuring DAIThe DAI configuration includes the following commands:

5-69



Command Function

zte(cfg)#set arp-inspection validate {ip | dst-mac |

src-mac}{enable | disable}

Enables or disables the inspection

of each field of an ARP packet.

zte(cfg)#set arp-inspection vlan <vlanlist>{enable | disable} Enables or disables DAI function

based on the VLAN.

zte(cfg)#set arp-inspection port <portlist>{trust | untrust} Sets a port to a trusted or untrusted

port.

zte(cfg)#set arp-inspection port <portlist> limit {<1-100>|

infinite}

Sets the maximum number of ARP

packets in the unit time.

show arp-inspection (all configuration modes) Displays DAI function configuration

information.

DAI Configuration Instancel Configuration Description

When DHCP snooping is enabled, check ARP packet validity and the correspondingrelation between MAC, IP and VLAN. An illegal packet is dropped, and the speed ofsending ARP packets on a non-trusted port to the CPU is limited. See Figure 5-19.

Figure 5-19 DAI Configuration InstanceTopology

l Configuration Procedurezte(cfg)#set dhcp snooping-and-option82 enable

zte(cfg)#set dhcp snooping add port 49,50

zte(cfg)#set dhcp port 49 client

zte(cfg)#set dhcp port 50 server

zte(cfg)#show dhcp snooping

DHCP snooping is enabled on the following port(s):

PortId PortType

------ --------

49 Client

50 Server

zte(cfg)#set arp-inspection vlan 1 enable

zte(cfg)#set arp-inspection port 49 untrust

5-70



zte(cfg)#set arp-inspection port 49 limit 15

zte(cfg)#set arp-inspection validate ip enable

zte(cfg)#set arp-inspection validate dst-mac enable

zte(cfg)#set arp-inspection validate src-mac enable

Note:

DAI detection condition: the port sending packets is a non-trusted port, and the DAIfunction is enabled on the VLAN. When DHCP Snooping is enabled and a non-trustedport is added into DHCP Snooping, DAI detection is valid.

l Configuration Verificationzte(cfg)#show arp-inspection

Enabled validation: ip,dst-mac,src-mac

Enabled vlanlist : 1

PortId TrustType Limit(pps)

------ --------- ----------

49 Untrust 15

50 Trust -

51 Trust -

52 Trust -

5.18 Access Service ConfigurationAccess Service OverviewWith the rapid expansion of Ethernet, to meet the fast increase of subscribers andrequirement of diversified broadband services, a Network Access Service (NAS) isembedded on the switch to improve the authentication and management of accesssubscribers and better support the billing, security, operation, and management of thebroadband network.

NAS uses the 802.1x protocol and RADIUS protocol to realize the authentication andmanagement of access subscribers. It is highly efficient, safe, and easy to operate.

IEEE 802.1x is called port-based network access control protocol. Its protocol systemincludes three key parts: client system, authentication system, and authentication server.

l The client system is a user terminal system installed with the client software. Asubscriber originates the IEEE802.1x protocol authentication process through thisclient software. To support the port-based network access control, the client systemmust support the Extensible Authentication Protocol Over LAN (EAPOL).

l The authentication system is network equipment that supports the IEEE802.1xprotocol. Corresponding to the ports of different subscribers (the ports can be

5-71



physical ports or MAC address, VLAN, or IP address of the user equipment), theauthentication system has two logical ports: controlled port and uncontrolled port.1. The uncontrolled port is always in the state that the bidirectional connections are

available. It is used to transfer the EAPOL frames and can ensure that the clientcan always send or receive the authentication.

2. The control port is enabled only when the authentication is passed. It is used totransfer the network resource and services. The controlled port can be configuredas bidirectional controlled or input controlled to meet the requirement of differentapplications. If the subscriber authentication is not passed, this subscriber cannotvisit the services provided by the authentication system.

3. The controlled port and uncontrolled port in the IEEE 802.1x protocol are logicalports. There are no such physical ports on the equipment. The IEEE 802.1xprotocol sets up a local authentication channel for each subscriber and othersubscribers cannot use it. Thus, preventing the port from being used by othersubscribers after the port is enabled.

l The authentication server is a RADIUS server. This server can store a lot ofsubscriber information, such as the VLAN that the subscriber belongs to, CARparameters, priority, and subscriber access control list. After the authenticationof a subscriber is passed, the authentication server will pass the information ofthis subscriber to the authentication system, which will create a dynamic accesscontrol list. The subsequent flow of the subscriber will be monitored by the aboveparameters. The authentication system communicates with the RADIUS serverthrough the RADIUS protocol.

RADIUS is a protocol standard used for the authentication, authorization, and exchangeof configuration data between the Radius server and Radius client.

RADIUS uses the Client/Server mode. The Client runs on the NAS. It is responsiblefor sending the subscriber information to the specified Radius server and carrying outoperations according to the result returned by the server.

The Radius Authentication Server is responsible for receiving the subscriber connectionrequest, verifying the subscriber identity, and returning the configuration informationrequired by the customer. A Radius Authentication Server can serve as a RADIUScustomer proxy to connect to another Radius Authentication Server.

The Radius Accounting Server is responsible for receiving the subscriber billing startrequest and subscriber billing stop request, and completing the billing function.

The NAS communicates with the Radius Server through RADIUS packets. Attributes inthe RADIUS packets are used to transfer the detailed authentication, authorization, andbilling information.

The EAP protocol is used between the switch and the subscriber. Three types of identityauthentication methods are provided between the RADIUS servers: PAP, CHAP, andEAP-MD5. Any of the methods can be used according to different service operationrequirements.

l Password Authentication Protocol (PAP)

5-72



PAP is a simple plain text authentication mode. NAS requires the subscriber toprovide the username and password and the subscriber returns the subscriberinformation in the form of plain text. The server checks whether this subscriberis available and whether the password is correct according to the subscriberconfiguration and returns different responses. This authentication mode featurespoor security and the username and password transferred may be easily stolen.

For the process of using the PAP mode for identity authentication, see Figure 5-20.

Figure 5-20 Using PAP Mode for Identity Authentication

l Challenge Handshake Authentication Protocol (CHAP)

CHAP is an encrypted authentication mode and avoids the transmission of the user’sreal password upon connection setup. NAS sends a randomly generated Challengestring to the user. The user encrypts the Challenge string by using the user’spassword and MD5 algorithm and returns the username and encrypted Challengestring (encrypted password).

The server uses the user password it stores and the MD5 algorithm to encrypt theChallenge string. Then it compares this Challenge string with the encrypted passwordof the server and returns a response accordingly.

For the process of using the CHAP mode for identity authentication, see Figure 5-21.

5-73



Figure 5-21 Using Chap Mode for Identity Authentication

l Extensible Authentication Protocol - Message Digest 5 (EAP-MD5)

EAP is a type of authentication mode of transmitting EAP message transparentlyincluding EAP-MD5 and PEAP. The following example is about EAP-MD5 description.

EAP-MD5 is a CHAP identity authentication mechanism used in the EAP frameworkstructure. For the process of using the EAP-MD5 mode for identity authentication,see Figure 5-22.

Figure 5-22 Using EAP Mode for Identity Authentication

Configuring Access ServiceThe access service configuration includes the following commands:

Command Function

zte(cfg)#set port <portlist> vlanjump {enable [defaultauthvlan<1-4094>]| disable]}

Enables or disables the vlan jump

after user 802.1x authentication.

5-74



Command Function

zte(cfg-nas)#dot1x re-authenticate {enable | disable} Enables or disables

re-authentication function.

zte(cfg-nas)#dot1x re-authenticate period <1-4294967295> Sets the time interval for

re-authentication.

zte(cfg-nas)#dot1x quiet-period <0-65535> Sets quiet period of authentication.

zte(cfg-nas)#dot1x tx-period <1-65535> Sets the time that the

authentication system needs

to wait before it can retransmit

the EAPOL data packet because

it does not receive the response

from the client.

zte(cfg-nas)#dot1x supplicant-timeout <1-65535> Sets the time-out time for the

authentication system to receive

the data packets from the

authentication client system.

zte(cfg-nas)#dot1x server-timeout <1-65535> Sets the time-out time for the

authentication system to receive

the data packets from the

authentication server.

zte(cfg-nas)#dot1x max-request <1-10> Sets the maximum times of

request retransmission when

the timer expires before the

authentication system receives

the Challenge response from the

client.

zte(cfg-nas)#dot1x add vlan <1-4094>[mac <HH.HH.HH.HH.HH.HH>]

Sets the private MAC address that

DOT1X protocol can use.

zte(cfg-nas)#dot1x delete vlan <1-4094> Deletes the private MAC address

that DOT1X protocol can use.

zte(cfg-nas)#clear client Deletes all clients.

zte(cfg-nas)#clear client index <0-255> Clears the specified client.

zte(cfg-nas)#clear client {port <portlist>| vlan <vlanlist>} Deletes the client end user of

specified port/VLAN.

show dot1x (all configuration modes) Displays 802.1x configuration

information.

show client (all configuration modes) Displays the information of all

access users.

5-75



Command Function

show client index <0-255> (all configuration modes) Displays the information of an

access user.

show client mac <HH.HH.HH.HH.HH.HH> (all configuration

modes)

Displays access user information

on the specified MAC address.

show client port <portlist> (all configuration modes) Displays access user information

on the specified port.

zte(cfg-nas)#aaa-control port <portlist> dot1x {enable | disable} Enables or disables port 802.1x

access authentication function.

zte(cfg-nas)#aaa-control port <portlist> port-mode {auto |

force-unauthorized | force-authorized}

Sets the authentication control

mode of the port.

zte(cfg-nas)#aaa-control port <portlist> protocol {pap | chap

| eap }

Sets the authentication mode of

the port.

zte(cfg-nas)#aaa-control port <portlist> accounting {enable |

disable}

Enables or disables port

accounting function.

zte(cfg-nas)#aaa-control port <portlist>multiple-hosts {enable |

disable}

This allows or prohibits

multi-subscriber access of

the port.

zte(cfg-nas)#aaa-control port <portlist> max-hosts <0-256> Sets the maximum number of

subscribers connected through the

port.

zte(cfg-nas)#aaa-control port <portlist> keepalive {enable |

disable}

Enables or disables the abnormal

off-line detection mechanism of

the port.

zte(cfg-nas)#aaa-control port <portlist> keepalive period<1-3600>

Sets the abnormal off-line

detection period of the port.

zte(cfg-nas)#aaa-control port <portlist> keepalive antiproxy

{add | delete}{character-detect | ip-modified | multi-card |

multi-ipaddress | packet-analyse | port-detect | service-detect |

tcp-session <1-65535>| udp-session <1-65535>}

Enables or disables the port

anti-deception rule.

zte(cfg-nas)#aaa-control port <portlist> keepalive antidhcp

{enable | disable}

Enables or disables the port

anti-DHCP-deception rule.

zte(cfg-nas)#aaa-control port <portlist> keepalive client-ip

{enable | disable}

Enables or disables the function of

acquiring the user’s IP address.

show aaa-control port [<portlist>] (all configuration modes) Displays port AAA configuration

information.

zte(cfg-nas)#radius isp <ispname>{enable | disable} Adds or deletes one ISP domain.

zte(cfg-nas)#radius isp <ispname>{add | delete}accounting<A.B.C.D>[<0-65535>]

Adds or deletes accounting server

in the ISP.

5-76



Command Function

zte(cfg-nas)#radius isp <ispname>{add | delete} authenticate<A.B.C.D>[<0-65535>]

Adds or deletes authentication

server in the ISP.

zte(cfg-nas)#radius isp <ispname> client <A.B.C.D> Sets RADIUS client end address.

zte(cfg-nas)#radius isp <ispname> sharedsecret <string> Sets the shared password of the

ISP domain (public key).

zte(cfg-nas)#radius isp <ispname> sharedsecret-encrypt<string>

Sets the shared password encrypt

of the ISP domain (public key).

zte(cfg-nas)#radius isp <ispname> fullaccount {enable | disable} Sets or deletes the full account of

the domain.

zte(cfg-nas)#radius isp <ispname> defaultisp {enable | disable} This specifies a default domain.

zte(cfg-nas)#radius isp <ispname> description <string> Sets the domain description.

zte(cfg-nas)#radius nasname <nasname> Sets the NAS server name.

zte(cfg-nas)#radius delimiter <ispdelimiter> Sets Radius authentication domain

name delimiter.

zte(cfg-nas)#radius keep-time <0-4294967295> Sets keep time of radius

accounting packets failed to

be sent.

zte(cfg-nas)#radius timeout <1-255> Sets the server response time-out

time.

zte(cfg-nas)#radius retransmit <1-255> Sets the number of

retransmissions upon server

response time-out.

zte(cfg-nas)#radius vendor-id <3902,10008> Sets the vendor ID of the NAS

device.

zte(cfg-nas)#clear accounting-stop {session-id <session-id>|

user-name <user-name>| isp-name <isp-name>| server-ip<A.B.C.D>}

Deletes radius accounting packets

failed to be sent.

show radius [ispname <ispname>] (all configuration modes) Displays radius configuration

information.

show radius accounting-stop [{ session-id <session-id>|

user-name <user-name>| isp-name <isp-name>| server-ip<A.B.C.D>}] (all configuration modes)

Displays RADIUS accounting

packets failed to be sent.

Access Service Configuration Instancel Configuration Description

The user installs a radius client on a PC. The switch connects the radius server andthe user’s PC through a network cable. The user can log in to the switch through the

5-77



console port and configure the access server, and then enable client software on theuser PC to originate authentication request. See Figure 5-23.

Figure 5-23 Access Authentication Configuration Instance

l Configuration Procedure1. Configure layer-3 interface commands

zte(cfg-router)#set ipport 0 ip 10.40.89.106/24



2. Configure 802.1X commandszte(cfg)#set port 2 security enable

zte(cfg)#config nas

zte(cfg-nas)#aaa-control port 2 dot1x enable

zte(cfg-nas)#aaa-control port 2 keepalive enable

zte(cfg-nas)#aaa-control port 2 accounting enable

3. Configure radius commandszte(zte)#config nas

zte(cfg-nas)#radius isp zte enable

zte(cfg-nas)#radius isp zte defaultisp enable

zte(cfg-nas)#radius isp zte sharedsecret 1234

zte(cfg-nas)#radius isp zte client 10.40.89.106

zte(cfg-nas)#radius isp zte add accounting 10.40.89.78

zte(cfg-nas)#radius isp zte add authentication 10.40.89.78

4. Enable radius client software on the PC and input a correct username andpassword. Then the authentication request is sent.

Note:

Disable the security proxy such as Sygate before the user PC sending theauthentication request.


5-78



When the authentication request succeeds, view the user information by using theshow client command.

zte(cfg)#show client

MaxClients : 256 HistoryAccessClientsTotal : 1

OnlineClients: 1 HistoryFailureClientsTotal: 0

Flags:I-Index,Au-Authorized,P-PortId,US-UpSpeed,DS-DownSpeed,Y-yes,N-no

I UserName Au P Vlan MacAddress US DS ElapsedTime

--- ------------- -- ---- ---- ----------------- ------ ------ ------------

0 liushujie Y 2 1 00.19.e0.1a.97.dd 0 0 0:0:0:22

5.19 MAC Authentication ConfigurationMAC Authentication OverviewOn current networks, many devices (such as IP phones and printers) do not support theauthentication client. When connected to networks, the devices cannot initiate D0T1Xauthentication.

MAC authentication means that, with a MAC address segment configured on a device,when the device detects that a MAC address belongs to the address segment, a switchagent initiates authentication. The user's MAC address is used as a username andpassword. If a RADIUS server returns a message indicating that the authenticationsucceeded, the device can access the network.

Configuring MAC AuthenticationThe MAC authentication configuration includes the following commands:

Command Function

zte(cfg-nas)#aaa-control mac-authentication {enable | disable } Enables or disables the MAC

authentication function.

zte(cfg-nas)#aaa-control mac-authentication session <1-3>

range <HH.HH.HH.HH.HH.HH><HH.HH.HH.HH.HH.HH>Adds the range of MAC addresses

that need authentication in unit of

session.

zte(cfg-nas)#clear mac-authentication session <1-3> Clears the range of MAC

addresses in unit of session.

zte(cfg-nas)#clear mac-authentication client Clears all clients with authenticated

MAC addresses.

zte(cfg-nas)#clear mac-authentication client mac

<HH.HH.HH.HH.HH.HH>

Clears a specific MAC

authentication client.

zte(cfg-nas)#clear mac-authentication client {port <portlist>|vlan <vlanlist>}

Clears clients on a specific port or

in a specific VLAN.

5-79



Command Function

show aaa mac-authentication (all configuration modes) Displays MAC authentication


show aaa mac-authentication client (all configuration modes) Displays information of all MAC

authentication clients.

5.20 QinQ ConfigurationQinQ OverviewA QinQ is the IEEE 802.1Q tunneling protocol and is also called VLAN stacking. The QinQtechnology is the addition of one more VLAN tag (outer tag) to the original VLAN tag (innertag). The outer tag can shield the inner tag.

A QinQ does not need any protocol support. The simple Layer 2 Virtual Private Network(L2VPN) can be realized through QinQ. The QinQ is especially suitable for the small-sizedLAN that takes the layer-3 switch as its backbone.

For the typical network of the QinQ technology, see Figure 5-24. The port connected tothe user network is called Customer port. The port connected to the ISP network is calledUplink port. The edge access equipment of the ISP network is called Provider Edge (PE).

Figure 5-24 Typical QinQ Network

The user network is connected to the PE through the Trunk VLAN mode. The internalUplink ports of the ISP network are symmetrically connected through the Trunk VLANmode.

1. When a packet is sent form user network 1 to the customer port of switch A, becausethe PORTBASE VLAN-based customer port does not identify the tag when receivingthe packet, the customer port processes the packet as an untagged packet no matterwhether this data packet is attached with the VLAN tag or not. The packet is forwardedby the VLAN 10, which is determined by the PVID.

2. The uplink port of switch A inserts the outer tag (VLAN ID: 10) when forwarding thedata packet received from the customer port. The tpid of this tag can be configured

5-80



on the switch. Inside the ISP network, the packet is broadcast along the port of VLAN10 until it reaches the switch B.

3. Switch B finds out that the port connected to user network 2 is a customer port. Thus, itremoves the outer tag in compliance with the conventional 802.1Q protocol to recoverthe original packet and sends the packet to user network 2.

4. In this way, data between user network 1 and user network 2 can be transmittedtransparently. The VLAN ID of the user network can be planned regardless of theconflict with the VLAN ID in the ISP network.

Configuring QinQThe QinQ configuration includes the following commands:

Command Function

zte(cfg)#set vlan qinq customer port <portlist>{enable | disable} Adds or deletes a customer port.

zte(cfg)#set vlan qinq uplink port <portlist>{enable | disable} Adds or deletes an uplink port.

zte(cfg)#set vlan egress-tpid session <1-7> tpid-value<0xHHHH>

Sets an egress TPID template.

zte(cfg)#set port <portlist> egress-tpid {default | session <1-7>} Sets the binding between the port

and the template.

show vlan egress-tpid (all configuration modes) Displays the egress-tpid value of

each template.

zte(cfg)#set vlan ingress-tpid session <1-7> tpid-value<0xHHHH>

Configures an ingress-tpid

template.

zte(cfg)#set port <portlist> ingress-tpid session <sessionlist> Sets the binding between the port

and the template.

show vlan ingress-tpid (all configuration modes) Displays ingress-tpid values

configured in templates.

show vlan qinq (all configuration modes) Displays customer/uplink port of

QinQ.

QinQ Configuration Instancel Configuration Description

Encapsulate an exterior label in Switch1 (ZXR10 2952E) for the packet from Switch2.The VLAN number is 100. The port connecting upstream BRAS in Switch1 is port 24.The port connecting the downstream Switch2 is port 1. The NM vlan of Switch1 is 999and the management IP address is 192.168.0.1/24. See Figure 5-25.

5-81



Figure 5-25 QinQ Configuration Instance

l Configuration Procedure/*set qinq, the outer label is 100*/



zte(cfg)#set vlan 100 add port 24 tag


zte(cfg)#set vlan qinq customer port 1 enable

zte(cfg)#set vlan qinq uplink port 24 enable



zte(cfg-router)#set ipport 1 ipaddress 192.168.0.1/24




5.21 SQinQ ConfigurationSQinQ OverviewThe SQinQ is a type of VLAN tunnel technology. It provides multi-point to multi-point VLANtransparent transportation service and simple Layer 2 VPN tunnel by means of adding aVLAN tag outside original 802.1Q tag and getting rid of outside VLAN tag when the packetis transported to edge switch.

The SQinQ provides the function of providing SPVLAN tag according to traffic, whichis different from that ordinary QinQ adds SPVLAN tag based on ports. That is, in thesame Customer port, according to difference between traffic carried CVLAN tags, providecorresponding SPVLAN tag based on user demands.

5-82



Configuring SQinQThe SQinQ configuration includes the following commands:

Command Function

zte(cfg)#set vlan sqinq session <1-400> customer-port<port-id> customer-vlan <vlan-list> uplink-vlan <vlan-id>

Enables SVLAN function.

When the SQinQ function is

enabled, the uplink traffic is

normally forwarded in SPVLAN.

The downlink traffic is normally

forwarded in SPVLAN. Because

the UNI port belongs to SPVLAN

in untagged mode, the SPVLAN

tag of downlink packets will be

removed.

zte(cfg)#clear vlan sqinq Deletes all SQinQ sessions.

zte(cfg)#clear vlan sqinq session <1-400> Deletes the specified SQinQ

session.

show vlan sqinq (all configuration modes) Displays all SQinQ sessions.

show vlan sqinq session <1-400> (all configuration modes) Displays the specified SQinQ

session.

SQinQ Configuration Instancel Configuration Description

Port 1 is a customer port, and port 2 is an uplink port. When CVLAN is 10 and 12, thepacket from port 1 SPVLAN is 997 and 998 respectively. See Figure 5-26.

Figure 5-26 SQinQ Configuration Instance


Configure the SVLAN instance.

zte(cfg)#set vlan 10,12 add port 1 tag

zte(cfg)#set vlan 997,998 add port 1 untag


zte(cfg)#set vlan 10,12,997,998 enable

zte(cfg)#set vlan sqinq session 1 customer-port 1 customer-vlan 10 uplink-vlan 997

zte(cfg)#set vlan sqinq session 2 customer-port 1 customer-vlan 12 uplink-vlan 998


The following example shows how to show the SVLAN instance.

5-83



zte(cfg)#show vlan sqinq

Session number : 1

Customer Port : 1

Customer Vlan List : 10

Uplink Vlan : 997

Session number : 2

Customer Port : 1

Customer Vlan List : 12

Uplink Vlan : 998

5.22 VLAN ConfigurationVLAN OverviewThe Virtual Local Area Network (VLAN) protocol is a basic protocol of layer-2 switchingequipment, which enables the administrator to divide a physical LAN into multiple VLANs.Each VLAN has a VLAN ID to identify it uniquely in the entire LAN. Multiple VLANs sharethe switching equipment and links of the physical LAN.

Logically, a VLAN is like an independent LAN. All frame flows in the same VLAN arerestricted in this VLAN. Cross-VLAN visit can only be implemented through forwardingon layer 3. In this way, the network performance is improved, and the overall flow in thephysical LAN is effectively lowered.

The VLAN has the following functions:

l Reduces the broadcast storms of network.l Enhances the network security.l Provides centralized management and control.

The ZXR10 2900E also supports the tagged-based VLAN. This is a mode defined in IEEE802.1Q and is a universal working mode. In this mode, the division of VLAN is basedon the VLAN information about the port (PVID: port VLAN ID) or the information in theVLAN tag. Also, the ZXR10 2900E supports the division of VLAN according to the packetprotocol type, that is, protocol VLAN.

Configuring a VLANThe VLAN configuration includes the following commands:

Command Function

zte(cfg)#set vlan <vlanlist>{enable | disable} Enables or disables a VLAN.

zte(cfg)#set vlan <vlanlist> add port <portlist>[untag | tag] Adds a port to a VLAN and

configures the location in the

VLAN.

zte(cfg)#set vlan <vlanlist> delete port <portlist> Deletes the port from a VLAN.

5-84



Command Function

zte(cfg)#set vlan <vlanlist> add trunk <trunklist>[tag | untag] Adds a trunk to a VLAN and

configures the trunk location in the

VLAN.

zte(cfg)#set vlan <vlanlist> delete trunk <trunklist> Deletes a trunk from a VLAN.

zte(cfg)#set port <portlist> protocol-vlan {enable | disable} Enables or disables the protocol

VLAN function.

zte(cfg)#set vlan protocol-mapping session-no <1-8>{ethernet2 |

llc | snap}<0xHHHH> vlan <1-4094>

Sets a protocol VLAN template.

zte(cfg)#create vlan <1-4094> name <name> Creates a VLAN name.

zte(cfg)#clear vlan <vlanlist> name Clears a VLAN name.

zte(cfg)#clear vlan protocol-mapping session-no <1-8> Clears the VLAN template

configuration of the protocol.

show vlan [<vlanlist>] (all configuration modes) Displays the basic VLAN

information.

show vlan protocol-mapping (all configuration modes) Displays the VLAN configuration

of the protocol.

VLAN Configuration Example Onel Configuration Description

Configure VLAN 100. Add untagged ports 1 and 2 and tagged ports 7 and 8. Thedetailed configuration is as follows:

Note:

By default, VLAN1 is enabled, all ports are in VLAN1 and in untag mode.

l Configuration Procedurezte(cfg)#set vlan 100 add port 1, 2 untag

zte(cfg)#set vlan 100 add port 7, 8 tag

zte(cfg)#set port 1, 2 pvid 100


l Configuration Verificationzte(cfg)#show vlan 100

VlanId : 100 VlanStatus: enabled

VlanName:

VlanMode: Static

Tagged ports : 7-8

5-85



Untagged ports: 1-2

Forbidden ports:

VLAN Configuration Example Twol Configuration Description

Switch A is connected to switch B through port 16. Port 1 of switch A and port 2of switch B are members of VLAN 2. Port 3 of switch A and port 4 of switch B aremembers of VLAN 3. The members in the same VLAN can communicate with eachother. See Figure 5-27.

Figure 5-27 VLAN Transparent Transmission Configuration Instance

l Configuration Procedure1. Configuration of switch A








2. Configuration of switch Bzte(cfg)#set vlan 2 add port 16 tag







5-86



5.23 VLAN Mapping ConfigurationVLAN Mapping OverviewThe VLANMapping, namely N to One VLANmapping, implements the VLAN convergencefunction by establishing mapping between customer VLAN and service provider VLAN byreplacing the outer VLAN tags in the data frames. This way, customer services can betransmitted according to operator’s network planning.

Due to the limited VLAN resource, the VLANs of service provider network and customernetwork are planned separately. The “customer VLAN” mentioned in this chapter refers toCVLAN used in customer network, while the “service provider VLAN” is the SVLAN usedin service provider’s network.

Different services of home users (Internet, IPTV, VoIP) are transferred through differentVLANs in the access networks of MAN, see Figure 5-28. As there are limited VLANs inoperator’s network, the VLAN convergence function needs to be fulfilled in the switchesin access layer to transmit the same service, which is transferred by different users indifferent VLANs, through one VLAN.

Figure 5-28 VLAN Mapping Network Diagram

5-87



Mapping Modes:Uplink: replace the CVLAN with SVLAN based on “Interface+customer VLAN”.

Downlink: replace the SVLAN in the outermost layer with CVLAN based on “SVLAN +Destination MAC address”.

The whole system supports 400 sessions, and up to 400 CVLANs can be supported.

Configuring VLAN MappingThe VLAN mapping configuration includes the following commands:

Command Function

zte(cfg)#set vlan mapping session <session_id> customer-port<port-id> customer-vlan <vlan-list> uplink-vlan <vlan-id>

Sets the VLAN Mapping function.

When the VLAN Mapping is

enabled, the uplink traffic is

normally forwarded in SPVLAN.

The downlink traffic is normally

forwarded in SPVLAN. When

reaching the user port, it is

transformed to the corresponding

CVLAN tag.

zte(cfg)#clear vlan mapping Deletes all VLAN Mapping

sessions.

zte(cfg)#clear vlan mapping session <1-400> Deletes the specified VLAN

Mapping session.

zte(cfg)#clear vlan mapping user Deletes the user information of all

VLAN Mapping sessions.

zte(cfg)#clear vlan mapping user session <1-400> Deletes the user information of the

specified VLAN Mapping session.

show vlan mapping (all configuration modes) Displays all VLAN Mapping

sessions.

show vlan mapping session <1-400> (all configuration modes) Displays the specified VLAN

Mapping session.

show vlan mapping user-table (all configuration modes) Displays the user information of all

VLAN Mapping sessions.

show vlan mapping user-table session <1-400> (all configuration

modes)

Displays the user information

of the specified VLAN Mapping

session.

VLAN Mapping Configuration Instancel Configuration Description

5-88



The port 1 is on customer network, and the port 24 is on service provider network, seeFigure 5-29. Map the packets received from port 1, and whose CVLANs are between1-100, to SPVLAN 1000.

Figure 5-29 VLAN Mapping Configuration Instance

Switch1 and Switch2 are configured in the same way. Use Switch1 as an example.


The following example shows how to configure the VLAN Mapping instance.

zte(cfg)#set vlan 1-100,1000 add port 1,24 tag

zte(cfg)#set vlan 1-100,1000 enable

zte(cfg)#set vlan mapping session 1 customer-port 1 customer-vlan 1-100

uplink-vlan 1000


The following example shows how to show the SVLAN instance.

zte(cfg)#show vlan mapping

Session number : 1

Customer Port : 1

Customer Vlan List : 1-100

Uplink Vlan : 1000

5.24 Syslog ConfigurationSyslog OverviewThe Syslog protocol is an important part of Ethernet switch and is the information junctioncenter of system software module. Syslog manages most of important information outputand classifies them in detail, which filters the information effectively and provides a strongsupport for network administrators and development engineers in monitoring networkoperation status and diagnosing network faults.

5-89



The Syslog protocol is classified by information source and the information is filtered byfunction module, which satisfies customized user demands.

The Syslog protocol can classify the log information into eight levels from the highest tothe lowest level of importance. For a description of the levels, refer to Table 5-2.

Table 5-2 Syslog Log Information

Severity Level Description

Emergencies Crucial fault.

Alerts Fault that must be corrected quickly.

Critical Key fault.

Errors Fault that needs to be noticed but not important

Warnings Warning, indicating a potential fault.

Notifications Information that needs to be noticed.

Informational General prompt information.

Debugging Debug information.

Configuring SyslogThe Syslog configuration includes the following commands:

Command Function

zte(cfg)#set syslog module {all | arp-inspection | commandlog |

dhcp| radius | AAA}{enable | disable}

Enables or disables the syslog

module.

zte(cfg)#set syslog level {emergencies | alerts | critical | errors |

warnings | notifications | informational | debugging }

Defines the syslog information

level.

zte(cfg)#set syslog add server <1-5 > ipaddress<A.B.C.D>[name <name>][<0-65535>]

Sets the syslog server.

zte(cfg)#set syslog delete server <1-5> Deletes the syslog server.

zte(cfg)#set syslog {enable | disable} Enables or disables the syslog

function globally.

show syslog status (all configuration modes) Displays the syslog configuration.

Syslog Configuration Instancel Configuration Description

Suppose that the syslog function of the switch is enabled, information level isinformational, all function modules are enabled, the server IP address is 192.168.1.1,and the name is Srv1.

l Configuration Procedurezte(cfg)#set syslog enable

zte(cfg)#set syslog level informational

5-90



zte(cfg)#set syslog module all disable

zte(cfg)#set syslog module radius enable

zte(cfg)#set syslog module aaa enable

zte(cfg)#set syslog module commandlog enable

zte(cfg)#set syslog add server 1 ipaddress 192.168.1.1 name server1

l Configuration Verificationzte(cfg)#show syslog status

Syslog status: enable

Syslog level: informational

Syslog enabled modules:

commandlog AAA radius

Syslog disabled modules:

all-others

Syslog server IP UDP port Name

1 192.168.1.1 514 server1

5.25 NTP ConfigurationNTP OverviewNetwork Time Protocol (NTP) is the protocol used to synchronize the clocks betweennetwork devices. The ZXR10 2900E provides NTP client function and synchronizes theclock with other NTP servers, the ZXR10 2900E also supports second-server function, sothat the two servers get the time at the same time.

Configuring NTPThe NTP configuration includes the following commands:

Command Function

zte(cfg)#set ntp add authentication-key <1-255> md5 <string> Sets the NTP authentication key.

zte(cfg)#set ntp delete authentication-key <1-255> Deletes the NTP authentication

key.

zte(cfg)#set ntp {add | delete} trusted-key <1-255> Adds or deletes the NTP trusted

key.

zte(cfg)#set ntp authenticate {enable | disable} Enables or disables the NTP

authentication function.

zte(cfg)#set ntp server <A.B.C.D>[version <1,2,3>| key<1-255>]

Sets the NTP server.

zte(cfg)#set ntp second-server <A.B.C.D>[version <1,2,3>| key<1-255>]

Sets the NTP second server.

5-91



Command Function

zte(cfg)#set ntp source <A.B.C.D> Sets the source IP address that is

used for the switch to send NTP

packets.

zte(cfg)#set ntp clock-period <5-2147483647> Sets the period of NTP

synchronization.

zte(cfg)#set ntp timezone <(-12)-(+13)> Sets NTP time-zone.

zte(cfg)#set ntp {enable | disable} Enables or disables NTP.

zte(cfg)#set ntp src-udp-port {123 | 1000} Sets the ID of the udp port through

which NTP messages are sent.

show ntp (all configuration modes) Displays NTP configuration.

NTP Configuration Instancel Configuration Description

Suppose that the switch and NTP server 1 (IP address is 202.10.10.10) and NTPserver 2 (IP address is 201.10.10.10) implement time synchronization. Make surethat the switch and NTP server can ping each other successfully. The NTP module isconfigured as follows:

l Configuration Procedurezte(cfg)#set ntp server 202.10.10.10

zte(cfg)#set ntp second-server 201.10.10.10

zte(cfg)#set ntp enable

l Configuration Verificationzte(cfg)#show ntp

ntp protocol is enable

ntp server address : 202.10.10.10

ntp source address : None

ntp source udp port : 1000

ntp is_synchronized for second server : Yes

ntp rcv stratum : 16

no reference clock.

ntp time zone : 0

In the displayed information, “ntp is_synchronized for second server” means thecurrent switch time is synchronized with that of the server 2.

5-92



5.26 GARP/GVRP ConfigurationGARP/GVRP OverviewThe Generic Attribute Registration Protocol (GARP) is a type of generic attributeregistration protocol, which distributes VLAN and multicast MAC address dynamically tothe member in the same switching network by applying the different application protocols.

GARP VLAN Registration Protocol (GVRP) is a type of application protocol definedby the GARP, which maintains VLAN information in the switch dynamically basedon the GARP protocol mechanism. All switches supporting GVRP can receive theVLAN registration information from other switches and update local VLAN registrationinformation dynamically including the current VLAN on this switch and the ports inthis VLAN. All switches supporting GVRP can broadcast the local VLAN registrationinformation to other switches, so that, the VLAN configurations of all devices with theGVRP in the same switching network have a consistent interworking according to thedemand.

Configuring GARP/GVRPThe GARP/GVRP configuration includes the following commands:

Command Function

zte(cfg)#set vlan <vlanlist>{permit | forbid}{port <portlist>|trunk <trunklist>}

Permits or forbids adding/deleting

port/trunk in the specified VLAN.

zte(cfg)#set garp {enable | disable} Enables or disables the GARP

function.

zte(cfg)#set garp timer {hold | join | leave | learvall}<timer_value> Sets various GARP timers.

show garp (all configuration modes) Displays GARP configuration.

zte(cfg)#set gvrp {enable | disable} Enables or disables GVRP.

zte(cfg)#set gvrp {port <portlist>| trunk <trunklist>}{enable |disable}

Enables or disables GVRP on the

port/trunk.

zte(cfg)#set gvrp {port <portlist>| trunk <trunklist>} registration{normal | fixed | forbidden}

Sets GVRP registration type on

Trunk port.

show gvrp (all configuration modes) Displays GVRP configuration and

state.

GARP/GVRP Configuration Instancel Configuration Description

Switch A connects with switch B through port 1. By configuring GVRP, the twoswitches can register each other and refresh their VLAN table. See Figure 5-30.

5-93



Figure 5-30 GVRP Configuration Instance


zte(cfg)#set garp enable

zte(cfg)#set gvrp enable

zte(cfg)#set gvrp port 1 enable


zte(cfg)#set vlan 10-20 add port 1

2. Configuration of switch B:zte(cfg)#set garp enable

zte(cfg)#set gvrp enable

zte(cfg)#set gvrp port 1 enable


zte(cfg)#set vlan 30-40 add port 1

Note:1. The GARP function must be enabled first before the GVRP function is enabled.2. Enabling GVRP can enable up to 512 vlans.3. Timer of Garp uses the default value. If it is modified, the value must be the same

as the one configured in the network.4. Gvrp port registration type uses default Normal value. If it is modified to other

types, vlan learning cannot be implemented.

l Configuration VerificationSwitchA(cfg)#show garp /*View GARP configuration*/

GARP is enabled!

GARP Timers:

Hold Timeout :100 milliseconds

Join Timeout :200 milliseconds

Leave Timeout :600 milliseconds

LeaveAll Timeout :10000 milliseconds

SwitchA(cfg)#show gvrp /*View GV RP configuration*/

GVRP is enabled!

PortId Status Registration LastPduOrigin

------ -------- ------------ -----------------

1 Enabled Normal 00.d0.d0.f2.51.24

SwitchA(cfg)#show port 1 vlan

PortId : 1

5-94



Tagged in vlan : 30-40

Untagged in vlan : 1, 10-20

SwitchB(cfg)#show port 1 vlan

PortId : 1

Tagged in vlan : 10-20

Untagged in vlan : 1, 30-40

SwitchA(cfg)#show vlan 30


VlanName:

VlanMode: Dynamic

Tagged ports : 1

Untagged ports :

Forbidden ports :

SwitchB(cfg)#show vlan 10


VlanName:

VlanMode: Dynamic

Tagged ports :1

Untagged ports :

Forbidden ports :

5.27 DHCP ConfigurationDHCP OverviewThe Dynamic Host Configuration Protocol (DHCP) enables the host to request dynamicaddresses from the server.

The ZXR10 2900E DHCP function includes the following contents:

The DHCP snooping function prevents bogus DHCP servers from being deployed in thenetwork, and in this case, the port connecting to DHCP server must be set to a trustedport. Besides, the dynamic ARP inspection technology can be used together to preventillegal IP and MAC address binding, thus ensuring normal assignment of IP addressesby the DHCP server. DHCP Snooping and Option82 are designed to solve these safetyproblems. DHCP Snooping, namely DHCP packet filtering, is to detect legality of DHCPpackets based on some special rules and filter illegal packets. Use Option82 technique toprovide more additional information, and then strengthen the network safety ability.

In the DHCP service system, the ZXR10 2900E series switches are provided with a lotof automatically deployed functions. For details, see Downloading the Software VersionAutomatically.

Configuring DHCPThe DHCP configuration includes the following commands:

5-95



Command Function

zte(cfg)#set dhcp snooping-and-option82 {enable | disable} Enables or disables DHCP

snooping and Option82 globally.

zte(cfg)#set dhcp snooping {add | delete}{port <portlist>| trunk<trunklist>}

Enables or disables the DHCP

Snooping function based on the

port/trunk.

zte(cfg)#set dhcp port <portlist>{server | cascade | client} Sets DHCP attribute of the port.

zte(cfg)#set dhcp trunk <trunklist>{server | default} Sets trunk attribute in DHCP

snooping.

zte(cfg)#set dhcp ip-source-guard {{add | delete} port <portlist>|quota <0-400>}

Enables or disables port

ip-source-guard function.

zte(cfg)#set dhcp snooping bind-entry mac <HH.HH.HH.HH.HH

.HH> ip <A.B.C.D> vlan <1-4094> port <1-28>Adds static user information

binding entry.

zte(cfg)#set dhcp snooping bind-entry mode port <portlist>{hold

| drop}

Sets the binding mode of the

dynamic user information binding

entry on the port.

zte(cfg)#set dhcp option82 {add | delete}{port <portlist>| trunk<trunklist>}

Enables or disables DHCP

Option82 function based on the

port/trunk.

zte(cfg)#set dhcp option82 sub-option device { ani< string >|remote-ID {cisco | key < string >| manual < string >}}

Configures the device information

of Switch.

zte(cfg)#set dhcp option82 sub-option port < portlist >{circuit-ID

{on {cisco | china-tel | dsl-forum| henan-rtf | key <string>| manual<string>}| off}| subscriber-ID {on <string>| off}| reserve {on tag<1-255> value <string>| off}}

Sets option82 sub-option.

zte(cfg)#set dhcp option82 mode port <portlist>{default | drop |

modify | append}

Sets the binding mode of the

dynamic user binding entry on the

port.

zte(cfg)#clear dhcp snp-bind-entry {mac <HH.HH.HH.HH.HH.HH>| port <1-28>| all}

Clears DHCP binding entry.

zte(cfg)#clear dhcp option82 sub-option device ani Deletes device identifier

information.

show dhcp (all configuration modes) Displays the configuration of

DHCP snooping-and-option82 and

DHCP client.

show dhcp snooping (all configuration modes) Displays DHCP snooping global


show dhcp snooping binding[port <1-28>] (all configurationmodes)

Displays DHCP snooping entry

information.

5-96



Command Function

show dhcp ip-source-guard (all configuration modes) Displays port ip-source-guard

configuration.

show dhcp option82 (all configuration modes) Displays DHCP option82


show dhcp option82 port (all configuration modes) Displays the configuration

information of DHCP option82.

show dhcp option82 device (all configuration modes) Displays the configuration

information of the device.

zte(cfg)#set dhcp client {enable | disable} Enables or disables the DHCP

client function.

zte(cfg)#set dhcp client broadcast-flag {enable | disable} Sets whether the packet that

DHCP server returns is a

broadcast packet.

show dhcp client (all configuration modes) Displays DHCP client configuration

information.

zte(cfg-router)#set ipport <0-63> ipaddress dhcp Sets the IP address of layer-3

interface acquired by DHCP

protocol.

zte(cfg-router)#set ipport <0-63> ipaddress dhcp {release |

renew}

Releases or renews layer-3

interface IP address.

zte(cfg-router)#set ipport <0-63> dhcp client {class-id

{characters <string>| hex-numbers <hex-string>}| client-id mac |hostname <string>| lease {<0-365><0-23><0-59>| infinite}}

Sets available messages when

the DHCP client interacts with the

server.

zte(cfg-router)#set ipport <0-63> dhcp client request

{dns-server | domain-name | route | static-route | tftp-server-name}

Sets message type sent by the

server when the DHCP client

interacts with the server.

zte(cfg-router)#set ipport <0-63> dhcp relay agent Sets a layer-3 IP port as a DHCP

relay agent. If the port is an inside

port, the address of the port is

used as the source addresses of

DHCP packets sent to the server.

zte(cfg-router)#set ipport <0-63> dhcp relay server<A.B.C.D>

Sets the address of the DHCP

relay server onthe IP port. When

DHCP packets are forwarded to a

server, this server is preferred.

5-97



Command Function

zte(cfg)#set dhcp relay global-ipport <0-63>{enable | disable} Enables the DHCP relay function

on an IP port globally. When

the DHCP relay selects a source

IP address, if no IP address is

configured for the VLAN, the IP

address of the IP port is used as

the source address.

zte(cfg-router)#clear ipport < 0-63> dhcp client { class-id |

client-id | hostname | lease }

Clears DHCP client optional

sending information configuration.

zte(cfg-router)#clear ipport <0-63> dhcp client request

{dns-server | domain-name | route | static-route | tftp-server-name}

Clears the configuration requesting

DHCP server to return various

information.

zte(cfg)#set dhcp snooping bind-entry database read Reads DHCP binding entry from

the Flash memory.

zte(cfg)#set dhcp snooping bind-entry database recovery{

disable | enable }

Recovers binding entry from the

Flash memory after restarted.

zte(cfg)#set dhcp snooping bind-entry database time-write

{disable | enable | time <30-65535>}Writes DHCP binding entry into

the Flash memory at regular time.

zte(cfg)#set dhcp snooping bind-entry database write Writes DHCP binding entry into

the Flash memory.

show dhcp snooping database (all configuration modes) Displays configuration related to

DHCP database.

zte(cfg)#set dhcp special udp-light-check {enable | disable} Enables/Disables DHCP

udp-check function globally.

zte(cfg)#set dhcp snooping vlan <vlanlist>{ disable | enable } Enables/Disables snooping

function of a VLAN globally.

zte(cfg)#set dhcp snooping quota <0-8191>

Sets the quota of a DHCP binding

table globally. The value 0 means

that the quota is not limited.

zte(cfg)#set dhcp snooping vlan <vlanlist> quota <0-8191>


table based on a VLAN. The value

0 means that the quota is not

limited.

zte(cfg)#set dhcp snooping port <portlist> quota <0-8191>Sets the quota of a DHCP binding

table based on a port. The value 0

means that the quota is not limited.

5-98



zte(cfg)#set dhcp snooping vlan <vlanlist> port <1-28> quota<0-8191>


table based on a VLAN and port.

The value 0 means that the quota

is not limited.

show dhcp snooping quota [<1-8191>] (all configuration modes)Displays configuration related to

a DHCP quota.

zte(cfg)#set dhcp relay vlan <vlanlist>{enable | disable}Enables the DHCP relay function

for a VLAN.

zte(cfg)#set dhcp relay server ip <A.B.C.D>Sets the address of the global

DHCP relay server.

zte(cfg)#set dhcp relay server mode {ipport | vc-class id}

Sets the mode of selecting a

server for the DHCP relay. If a

vc-class ID is configured, vc-class

mode is preferred.

zte(cfg)#set dhcp relay server retry <5-1000>

Sets the number of times that

the DHCP relay retries to send a

packet. Default: 10.

zte(cfg)#set dhcp hop <1-16>Sets the hop limit of the DHCP

relay.

Configuring DHCP snooping/Option82l Configuration Description

The PC can get its IP address from the specified DHCP server and prevent otherillegal DHCP servers from affecting hosts in the network. See Figure 5-31.

Figure 5-31 DHCP Snooping/Option82 Configuration Instance Topology

l Configuration Procedurezte(cfg)#set dhcp snooping-and-option82 enable

zte(cfg)#set dhcp snooping add port 49,50

zte(cfg)#set dhcp port 49 client

zte(cfg)#set dhcp port 50 server

5-99



zte(cfg)#set dhcp ip-source-guard add port 49

zte(cfg)#set dhcp option82 add port 49,50

l Configuration Verificationzte(cfg)#show dhcp snooping

DHCP snooping is enabled on the following port(s):

PortId PortType

------ --------

49 Client

50 Server

DHCP snooping disabled vlan: none

zte(cfg)#show dhcp option82

DHCP option82 is enabled on the following port(s):

PortId PortType

------ --------

49 Client

50 Server

zte(cfg)#show dhcp

DHCP download flag is disabled, config file is found.

DHCP download will not startup, when system reboot.

DHCP config file(option-67) *.dat will be translated to ZXR10_2952E.dat.

DHCP snooping-and-option82 is enabled.

PortId PortType Snooping Option82

------ -------- -------- --------

49 Client Enabled Enabled

50 Server Enabled Enabled

51 Client Disabled Disabled

52 Client Disabled Disabled

DHCP client is disabled.

zte(cfg)#show dhcp ip-source-guard

Ip source guard is configured on the following port(s): 49

Configuring DHCP Clientl Configuration Description

The PC can get an IP address from the specified DHCP server. See Figure 5-32.

5-100



Figure 5-32 DHCP Client Configuration Instance Topology

l Configuration Procedurezte(cfg)#set dhcp client enable






zte(cfg-router)#set ipport 0 ipaddress dhcp


l Configuration Verificationzte(cfg-router)#show ipport

IpPort Status IpAddress Mask MacAddress VlanId IpMode

------ ------ ---------- ------------ ----------------- ------ ------

0 up 100.1.1.5 255.255.0.0 00.00.00.00.00.02 10 dhcp

5.28 DHCPv6 ConfigurationDHCPv6 OverviewThe Dynamic Host Configuration Protocol of IPv6 (DHCPv6) is used by a network host todynamically request host configuration from a server.

The ZXR10 2900E series system supports the following DHCPv6 functions:

l DHCPv6 snooping function: DHCPv6 servers and clients do not supportauthentication mechanism. Illegally and privately created DHCPv6 servers bringconfusion to address allocation, gateway and DNS parameters of some hosts. As aresult, these hosts cannot connect to external networks properly. In addition, thereare problems such as IP spoofing, MAC address spoofing and user ID spoofing fromillegal clients, and DHCPv6 server address exhaustion. On the basis of DHCPv6snooping, the Option82 technology can solve these security problems effectively.

l IP source guard function: By listening to the DHCPv6 interaction procedure betweena client and a server, the system records the IP address allocated to the client by the

5-101



server. The system filters out packets with other source IP addresses on ports, thuspreventing spoofing.

Configuring DHCPv6The DHCPv6 configuration includes the following commands:

Command Function

zte(cfg)#set dhcpv6 snooping {enable | disable} Enables or disables the DHCPv6

snooping function globally.

zte(cfg)#set dhcpv6 snooping {add | delete} port <portlist> Enables or disables the DHCPv6

snooping function on a port.

zte(cfg)#set dhcpv6 port <portlist>{server | cascade | client} Sets the attribute of a port in the

DHCPv6 snooping function.

zte(cfg)#set dhcpv6 ip-source-guard {add | delete} port<portlist>

Enables or disables the

ip-source-guard function on a

port.

zte(cfg)#set dhcpv6 option18 {enable | disable} Enables or disables the DHCPv6

Option18 function globally.

zte(cfg)#set dhcpv6 option18 {add | delete} port <portlist> Enables or disables the DHCPv6

Option18 function on a port.


snooping function globally.

zte(cfg)#set dhcpv6 option37{add | delete} port <portlist> Enables or disables the DHCPv6



Option82 function globally.

zte(cfg)#set dhcpv6 option82 {add | delete} port <portlist> Enables or disables the DHCPv6


zte(cfg)#set dhcpv6 option82 ani <string> Sets the device identifier of a

switch node.

zte(cfg)#set dhcpv6 option82 sub-option port < portlist

>{circuit-ID {on {cisco | china-tel | dsl-forum|key <string>}| off}|subscriber-ID {on <string>| off}| reserve {on tag <1-255> value<string>| off}}

Sets the sub-option port for

Option82 function.

zte(cfg)#clear dhcpv6 snp-bind-entry {mac <HH.HH.HH.HH.HH.HH>| port <1-28>| all}

Clears ip-source-guard entities.

zte(cfg)#clear dhcpv6 ani Clears device identifiers.

show dhcpv6 (all configuration modes) Displays DHCPv6 snooping and

option configuration.

5-102



Command Function

show dhcpv6 snooping (all configuration modes) Displays global DHCPv6 snooping


show dhcpv6 snooping binding (all configuration modes) Displays information about

DHCPv6 snooping entries.

show dhcpv6 snooping [port <1-28>] (all configuration modes) Displays DHCPv6 snooping

entities.

show dhcpv6 ip-source-guard (all configuration modes) Displays port ip-source-guard

configuration.

show dhcpv6 option82 (all configuration modes) Displays DHCPv6 Option82


show dhcpv6 option82 port (all configuration modes) Displays DHCPv6 Option82

configuration information on ports.

show dhcpv6 option82 ani (all configuration modes) Displays device identifiers.





DHCPv6 Configuration Instancel Configuration Description

This configuration example describes how to configure DHCPv6 snooping/Option82.See Figure 5-33, the PCs can obtain IP addresses from the DHCP server. Option82is used to improve the security performance. It is required to prevent illegal DHCPserver from affecting the PCs on the network.

Figure 5-33 DHCPv6 Snooping/Option82 Configuration Instance

l Configuration Procedurezte(cfg)#set dhcpv6 snooping enable

zte(cfg)#set dhcpv6 snooping add port 49,50

5-103



zte(cfg)#set dhcpv6 port 49 client

zte(cfg)#set dhcpv6 port 50 server

zte(cfg)#set dhcpv6 ip-source-guard add port 49

zte(cfg)#set dhcpv6 option82 enable

zte(cfg)#set dhcpv6 option82 add port 49,50

l Configuration Verificationzte(cfg)#show dhcpv6 snooping

DHCP v6 snooping is enabled on the following port(s):

PortId PortType

------ --------

49 Client

50 Server

zte(cfg)#show dhcpv6 option82

DHCP v6 option82 is enabled on the following port(s):

PortId PortType

------ --------

49 Client

50 Server

zte(cfg)#show dhcpv6 ip-source-guard

Ip source guard is configured on the following port(s): 49

5.29 VBAS ConfigurationVBAS OverviewThe Virtual Broadband Access Server (VBAS) is not physical equipment but a protocolstandard, which is developed by China Telecom. The VBAS is used to solve the problemof wide-band user identifier. When the Broadband Access Server (BAS) gets useridentifier by inquiring corresponding relationship between MAC of users dialing to theswitch and port, then sends user name, password and identifier information to RADIUS, itcan determine the position of the user.

Layer 2 communication mode is implemented between BAS and switches, that is,information query and response data packets of VBAS are encapsulated into Ethernetdata frames of layer-2 directly, and use protocol number 0x8200 for identification.

Note:

Only trust ports can receive VBAS packets and VBAS response packets only can be sentfrom trust ports.

5-104



Port connecting to user network is called cascade port and port connecting to BAS serveris called trust port. For the typical network of VBAS, see Figure 5-34.

Figure 5-34 VBAS Typical Network

Configuring VBASThe VBAS configuration includes the following commands:

Command Function

zte(cfg)#set vbas trust-port <portlist>{enable | disable} Enables or disables the global

VBAS trust-port.

zte(cfg)#set vbas cascade-port <portlist>{enable | disable} Enables or disables the cascade

port VBAS function.

zte(cfg)#set vbas {enable | disable} Enables or disables the global

VBAS function.

show vbas (all configuration modes) Displays the VBAS configuration.

VBAS Configuration Instancel Configuration Description

See Figure 5-35, this example describes how to set trust port of switch A as port 1,cascade port as port 2, trust port of switch B as port 1.

5-105



Figure 5-35 VBAS Configuration Instance Topology


zte(cfg)#set vbas enable

zte(cfg)#set vbas trust-port 1 enable

zte(cfg)#set vbas cascade-port 2 enable

2. Configuration of switch B:zte(cfg)#set vbas enable

zte(cfg)#set vbas trust-port 1 enable

3. Configuration Verification

Check switch A

zte(cfg)#show vbas

vbas: enabled

trust port : 1

cascade port : 2

Check switch B

zte(cfg)#show vbas

vbas: enabled

trust port : 1

cascade port : none

5.30 PPPoE-PLUS ConfigurationPPPoE-PLUS OverviewThe typical user location technology has PPPoE-PLUS (PPPoE+) besides VBAS andDHCP OPTION82. PPPOE+ technology inserts user location information in PADI/PADRmessage by monitoring the PAD packet interacting procedure between PC and BASserver. PPPoE+ is divided into three types based on the format of the inserted userinformation, China Telecom format, DSL BBS format, and CISCO format. The ZXR102900E also supports user-defined formats.

5-106



Configuring PPPoE-PLUSThe configuration of PPPoE-PLUS (PPPoE+) includes the following contents:

Command Function

zte(cfg)#set pppoe-plus {enable | disable} Enables or disables the PPPoE+

function.

zte(cfg)#set pppoe-plus tag-format port <portlist>{dsl-forum |

cisco | china-tel | manual <string>| key <string>}Sets the PPPoE+ location

message format.

zte(cfg)#set pppoe-plus rid <portlist>[<string>] Adds or deletes port rid

information.

show pppoe-plus (all configuration modes) Displays PPPoE+ global

configuration.

show pppoe-plus port <1-28> (all configuration modes) Displays port rid configuration.

zte(cfg)#set pppoe-plus mode port <portlist>{default | drop |

modify }

Sets the mode for dynamic user

information processing at the port.

PPPoE-PLUS Configuration Instancel Configuration Description

Configure the user information format of switch A as DSL forum format. See Figure5-36.

Figure 5-36 PPPOE-PLUS Configuration Instance Topology


Configure switch A

zte(cfg)#set pppoe-plus enable

zte(cfg)#set pppoe-plus tag-format port 1 dsl-forum

l Configuration Verificationzte(cfg)#show pppoe-plus

PPPoE plus is enabled.

zte(cfg)#show pppoe-plus port 1

PPPoE Vendor-Specific Tag format on port 1:DSL-Forum

PPPoE-PLUS option mode information on port 1: Default

PPPoE VST remote ID on port 1 has not been set.

5-107



5.31 ZESR ConfigurationZESR OverviewZESR is a private ring network protection technology developed by ZTE Corporation.Evolved from EAPS, ZESR ensures that there is only one logically connected pathbetween any two nodes in the ring network.

Basic ZESR ConceptsFor a description of the basic ZESR concepts, see Table 5-3.

Table 5-3 Basic ZESR Concepts

Name Description

ZESR Domain and

ZESR Node

A ZESR domain consists of a control VLAN and a protection instance.

The device that is configured with ZESR is called a ZESR node. All ZESR

nodes in the same ZESR domain must be configured with the same control

VLAN and protection instance.

Control VLAN The control VLAN of a ZESR domain forwards ZESR protocol packets. A

control VLAN is required for a ZESR domain.

Protection Instance

and Service VLAN

An instance in MSTP is used as the protection instance of a ZESR domain.

The VLAN in a protection instance (that is, service VLAN) is used for service

data transmission.

Major ZESR Ring

and Secondary

ZESR Ring

A ZESR domain supports ring-based hierarchy with three levels, including

level 0, level 1, and level 2. Among them, level 0 is the highest level and level

2 is the lowest level.

A ring with level 0 is called a primary ring, while a ring with level 1 or level

2 is called a secondary ring.

ZESR Ring State There are two states for a ZESR ring: UP and DOWN.

l UP indicates that each link in a ring operates properly.

l DOWN indicates that there is one or more disconnected links in a ring.

ZESR Node Role A ZESR node can act as a master node, a transit node, an edge control node,

or an edge assistant node.

l A master node implements the control function and transmits data in a ring.

l A transit node transmits data in a ring.

l An edge control node implements the control function and transmits data

in a secondary ring.

l An edge assistant node transmits data in a secondary ring.

5-108



Name Description

Primary Port and

Secondary Port

When a device is configured as a master node or a transit node, two ports need

to be designated for it, that is, a primary port and a secondary port. The primary

port and secondary port of a transit node have the same functions, while the

primary port and secondary port of a master node have the following differences:

l When a ring is in UP state, the primary port of a master node is in

Forwarding state, and the secondary port is in Blocking state to block

logical loops.

l When a ring is in DOWN state, ZESR rapidly transits the secondary port

of a master node from Blocking state to Forwarding state to switch the

logical path quickly.

Boundary Port When a device is configured as an edge control node or an edge assistant

node, one port needs to be designated for it, that is, a boundary port.

ZESR Link Switching IntroductionZESR eliminates logical loops by blocking some particular ports in a ring; and when thestates of some links in a ring change (from on to off, or from off to on), ZESR can rapidlyswitch the logical paths.

Figure 5-37 shows the diagram of the master node blocking its secondary port when thering is in UP state.Figure 5-38 shows the diagram of themaster node opening its secondaryport when the ring is in DOWN state. In both diagrams, switches A, B, C and D areconfigured with a ZESR domain, in which switch A is the master node with port 1/1 asits primary port and port 1/2 as its secondary port, and switches B, C and D are the transitnodes.

PC 1 interchanges service data traffic with PC 2. The arrows in the diagrams indicate theflow of the service data.

Figure 5-37 Diagram of the Master Node Blocking its Secondary Port When the Ringis in UP State

5-109



Figure 5-38 Diagram of the Master Node Opening its Secondary Port When the Ringis in DOWN State

As shown in Figure 5-37, all links operate properly, the ring is in UP state, the secondaryport of the master node is blocked, and traffic needs to go through switch C and switch D.

As shown in Figure 5-38, the link between switch B and switch C is disconnected, the ringstate is changed to DOWN, ZESR rapidly transits the secondary port of the master nodeto Forwarding state, and traffic is switched quickly to switch A without going through switchC and switch D.

When the link between switch B and switch C recovers from disconnection, the secondaryport of the master node is blocked again, the ring is switched to UP state, and the entireZESR region returns to the state shown in Figure 5-37.

link-hello Link Connectivity Detection OverviewFigure 5-39 shows the transmission link fault diagram. Switch C does not have a directconnection with switch D. They are interconnected with each other through transmissionlinks.

When the transmission link marked in red in the middle of the transmission linksencounters a bidirectional connectivity failure, switch C and switch D are still in UP state.If the bidirectional connectivity detection function is not enabled for the transmission link,switch C and switch D will not be able to perceive this failure and for this reason ZESRlink switching will not be triggered.

If the link-hello link connectivity detection function is enabled on the ports through whichswitch C and switch D are interconnected with each other, these ports will periodically sendlink-hello detection packets to each other. If a port does not receive the link-hello detectionpacket from the peer port within a specified time period, the switch will consider this as alink failure. The device will immediately block the ports on the link and inform the masternode to implement link switching.

5-110



Figure 5-39 Transmission Link Fault Diagram

Configuring ZESR

The ZESR configuration includes the following commands:


1 ZXR10(config)#set zesr ctrl-vlan <1-4094>

protect-instance <1-16>Create a ZESR domain.

The control VLAN of a ZESR domain

cannot be a service VLAN. It cannot

have any conflict with a service VLAN

or a Network Management VLAN. The

PVID of a port cannot be used as the

control VLAN.

ZXR10(config)#set zesr ctrl-vlan <cvlan

id> major-level role {master | transit |

zess-master | zess-transit}{primary-port <port1>|primary-trunk <trunkId>}{secondary-port<port2>| secondary-trunk <trunkId>}

Configures a node as the node on the

primary ring.

ZXR10(config)#set zesr ctrl-vlan <1-4094>

level <1-2> seg <1-10> role {master |

transit}{primary-port <port1>| primary-trunk<trunkId>}{secondary-port <port2>|secondary-trunk <trunkId>}

Configures a node as the master node

or a transit node on a secondary ring.

2

5-111





level <1-2> seg <1-10> role {edge-assistant |

edge-control}{edge-port <port>| edge-trunk<trunkId>}

Configures a node as an edge assistant

node or an edge control node on a

secondary ring.


major-level preforward <10-600>[preup <

0-500>]

Configures the preforward time and the

preup time for a node on the primary

ring.

The default value for the preforward time

is 10 seconds, and the default value for

the preup time is 0 second.

The configuration of the preforward time

and the preup time is required to satisfy

the following condition: preforward >

preup + link recovery time (10 seconds).

3

ZXR10(config)#set zesr ctrl-vlan <1-4094> level<1-2> seg <1-10> preforward <10-600>[ preup<0-500>]

Configures the preforward time and the

preup time for a node on a secondary

ring.

l The preforward time: takes effect

during link failure recovery. During

the failure recovery, the faulty port

still remains blocked for some

time for the master node to block

the secondary port first to avoid

temporary loops.

After the master node blocks

the secondary port, it will inform

the node where the faulty port is

located to unblock the faulty port

immediately. If the node where

the faulty port is located does not

receive any notification from the

master node, the faulty port will

unblock itself when the preforward

time expires.

l The preup time: takes effect during

link failure recovery. During the

failure recovery, the master node

waits for the preup time before it

blocks the secondary port again,

to prevent the ring state from

repeatedly switching due to the

5-112




instability of the link state during the

failure recovery.

ZXR10(config)#set zesr link-hello <port-id>{

normal | special}

Configures whether to enable the

link-hello function on a port. specialindicates enabling the hello-link function,

while normal indicates disabling the

hello-link function. The default value is

normal.Link-hello, the bidirectional link

connectivity detection function of the

ZXR10 2900E applies to the scenario

where two nodes are interconnected

with each other not through a direct

connection but through transmission

links.

4

ZXR10(config)#set zesr link-hello hello-interval

<10-10000> fail-times <3-10>Configures the interval to send link-hello

packets and the number of timeout

packets. The default values are 1000

ms and 5 timeout packets.

When the link-hello function is enabled

on a link, the devices at both ends of the

link must be enabled to send link-hello

packets, and the transmission intervals

of both ends should be set to the same.

The ZXR10 2900E supports enabling

the link-hello function on the Smartgroup

port.

5 ZXR10(config)#set zesr protocol-mac { normal |

special}

Configures the destination MAC mode

used in a ZESR protocol packet. The

default value is special mode.

The ZXR10 2900E supports configuring

the MAC address used in a ZESR

protocol packet. The modes of all nodes

in a ZESR region must have the same

configuration, that is, all nodes must be

configured to Normal mode or Special

mode.

l Normal mode: the destination

MAC address of a ZESR

protocol packet uses the address

00-E0-2B-00-00-04.

5-113




l Special mode: the destination MAC

address of a ZESR protocol packet

uses a ZTE-defined address.

6 ZXR10(config)#set zesr restart-time <30-600> Configures the ZESR restart time (s).

Default: 120.

Restart-time: the ZESR initialization

time during the device startup. During

this period, all ports in the ZESR ring are

in Blocking state.


tcn-sending {enable | disable }

Configures not to send a TCN packet in

a designated ZESR domain. By default,

a ZESR domain is configured to send

TCN packets.

A TCN packet is a packet sent when the

topology changes in the STP network.

Currently it is ZESR that triggers STP

to send TCN packets. In the ZESR and

STP hybrid networking environment, in

order for the STP network to perceive

the topology change of the ZESR

network, ZESR is required to send TCN

packets to the STP network when it

detects the topology change.

7

ZXR10(config)#set zesr tcn-sending {port<portlist>| trunk <trunklist>}{enable | disable }

Configures to enable or disable the TCN

packet sending function on a port. By

default, a port is configured not to send

TCN packets.

Only in the condition that the TCN packet

sending function is enabled both in a

ZESR region and on the corresponding

port in that region, the corresponding

port will send out TCN packets when the

ZESR ring state changes.

ZESR Single-Domain Multi-Ring Configuration ExampleFigure 5-40 shows the ZESR single-domain multi-ring configuration example. Switches Ato F are configured with a ZESR domain, which contains a primary ring and a secondaryring. This is called single-domain multi-ring configuration.

Purposel The control VLAN of the ZESR domain is VLAN 4000, and the protection instance is

instance 1 (including VLANs 100 to 110).

5-114



l Switch A is the master node of the primary ring with Trunk1 as its primary port andport 1/2 as its secondary port.

l Switches B to D are the transit nodes of the primary ring.l Switch E is the master node of the secondary ring with port 1/1 as its primary port and

port 1/2 as its secondary port.l Switch F is the transit node of the secondary ring. Switches A and B are the edge

assistant nodes of the secondary ring.

Figure 5-40 ZESR Single-Domain Multi-Ring Configuration Example

Configurations on switch A:/*Run the following commands to configure the spanning tree instance.*/

Switch_A(config)#set stp enable

Switch_A(config)#set stp forceversion mstp

Switch_A(config)#set stp instance 1 add vlan 100-110

/*Run the following command to configure the ZESR domain with VLAN 4000 as

the control VLAN and protection instance 1 as the protection instance.*/

Switch_A(config)#set zesr ctrl-vlan 4000 protect-instance 1

/*Run the following command to configure switch A as the master node of the

primary ring with Smartgroup1 as its primary port and port 1/2 as its

secondary port.*/

Switch_A(config)#set zesr ctrl-vlan 4000 major-level role master

primary-trunk 1 secondary-port 1/2

/*Run the following command to configure switch A as the edge assistant

node of the secondary ring Level1Seg1 with port 1/4 as its boundary port.*/

Switch_A(config)#set zesr ctrl-vlan 4000 level 1 seg 1 role edge-assistant port 1/4

5-115



Configurations on switch B:/*Run the following commands to configure the spanning tree instance.*/

Switch_B(config)#set stp enable

Switch_B(config)#set stp forceversion mstp

Switch_B(config)#set stp instance 1 add vlan 100-110



Switch_B(config)#set zesr ctrl-vlan 4000 protect-instance 1

/*Run the following command to configure switch B as the transit node of the

primary ring with port 1/1 as its primary port and port 1/2 as its

secondary port.*/

Switch_B(config)#set zesr ctrl-vlan 4000 major-level role transit

primary-port 1/1 secondary-port 1/2

/*Run the following command to configure switch B as the edge assistant

node of the secondary ring Level1Seg1 with port 1/3 as its boundary port.*/

Switch_A(config)#set zesr ctrl-vlan 4000 level 1 seg 1 role edge-assistant port 1/3

Configurations on switch C:/*Run the following commands to configure the spanning tree instance.*/

Switch_C(config)#set stp enable

Switch_C(config)#set stp forceversion mstp

Switch_C(config)#set stp instance 1 add vlan 100-110



Switch_C(config)#set zesr ctrl-vlan 4000 protect-instance 1

/*Run the following command to configure switch C as the transit node of the


secondary port.*/

Switch_C(config)#set zesr ctrl-vlan 4000 major-level role transit


Configurations on switch D:/*Run the following commands to configure the spanning tree instance.*/

Switch_D(config)#set stp enable

Switch_D(config)#set stp forceversion mstp

Switch_D(config)#set stp instance 1 add vlan 100-110t



Switch_D(config)#set zesr ctrl-vlan 4000 protect-instance

5-116



/*Run the following command to configure switch D as the transit node of the

primary ring with Trunk1 as its primary port and port 1/2 as its secondary port.*/

Switch_D(config)#set zesr ctrl-vlan 4000 major-level role transit

primary-trunk 1 secondary-port 1/2

Configurations on switch E:/*Run the following commands to configure the spanning tree instance.*/

Switch_E(config)#set stp enable

Switch_E(config)#set stp forceversion mstp

Switch_E(config)#set stp instance 1 add vlan 100-110



Switch_E(config)#set zesr ctrl-vlan 4000 protect-instance 1

/*Run the following command to configure switch E as the master node of the

secondary ring Level1Seg1 with port 1/1 as its primary port and port 1/2

as its secondary port.*/

Switch_E(config)#set zesr ctrl-vlan 4000 level 1 seg 1 role master


Configurations on switch F:/*Run the following commands to configure the spanning tree instance.*/

Switch_F(config)#set stp enable

Switch_F(config)#set stp forceversion mstp

Switch_F(config)#set stp instance 1 add vlan 100-11



Switch_F(config)#set zesr ctrl-vlan 4000 protect-instance 1

/*Run the following command to configure switch F as the transit node of the

secondary ring Level1Seg1 with port 1/1 as its primary port and port 1/2

as its secondary port.*/

Switch_F(config)#set zesr ctrl-vlan 4000 level 1 seg 1 role transit


ZESR Single-Ring Multi-Domain Configuration ExampleFigure 5-41 shows the ZESR single-ring multi-domain configuration example. SwitchesA to D are configured with two ZESR domains. This is called single-ring multi-domainconfiguration.

Purposel The control VLAN of ZESR domain 1 is VLAN 4000, and the protection instance is

instance 1 (including VLANs 100 to 110). The control VLAN of ZESR domain 2 isVLAN 4001, and the protection instance is instance 2 (including VLANs 200 to 210).

5-117



l Switch A is the master node in ZESR domain 1 with port 1/1 as its primary port andport 1/2 as its secondary port. Switch A is also the master node in ZESR domain 2with port 1/2 as its primary port and port 1/1 as its secondary port.

l Switches B to D are the transit nodes in both ZESR domains.

Note:

When multiple ZESR domains are configured on a physical ring, service data traffic indifferent ZESR domains can be planned to go through different paths by proper settingsto achieve load balancing.

Figure 5-41 ZESR Single-Ring Multi-Domain Configuration Example






/*Run the following commands to configure the ZESR domains with

protection instance 1 as the protection instance of ZESR domain 1

and protection instance 2 as the protection instance of ZESR domain 2.*/



/*Run the following command to configure node roles, that is, switch A

is the master node in ZESR domain 1 with port 1/1 as its primary port

and port 1/2 as its secondary port.*/



5-118



/*Run the following command to configure node roles, that is, switch A

is the master node in ZESR domain 2 with port 1/2 as its primary port









/*Run the following commands to configure the ZESR domains with

protection instance 1 as the protection instance of ZESR domain 1

and protection instance 2 as the protection instance of ZESR domain 2.*/



/*Run the following command to configure node roles, that is, switch B

is the transit node in ZESR domain 1 with port 1/1 as its primary port


Switch_B(config)#zesr ctrl-vlan 4000 major-level role transit


/*Run the following command to configure node roles, that is, switch B

is the transit node in ZESR domain 2 with port 1/1 as its primary port


Switch_B(config)#zesr ctrl-vlan 4001 major-level role transit


Configurations on switch C and switch D are the same as those on switch B.

ZESR Dual-Node Dual-Uplink Configuration ExampleFigure 5-42 shows the ZESR dual-node dual-uplink configuration example. The third partdevice switch C that does not support ZESR acts as an uplink node and connects with thetop network through STP. Switches A and B are configured with a ZESR domain. This iscalled a dual-node dual-uplink topology.

Purposel The control VLAN of the ZESR domain is VLAN 4000, and the service VLANs are

VLANs 100 to 110.l Switch A is the master node with port 1/2 as its primary port and port 1/1 as its

secondary port. Switch B is the transit node.

5-119



l In order for switch C and the top network to perceive the topology change of theunderlying network, port 1/1 of switch A and port 1/1 of switch B are enabled with theTCN packet sending function to notify the network topology change upwards.

Figure 5-42 ZESR Dual-Node Dual-Uplink Configuration Example





/*Run the following command to configure the ZESR domain with VLAN 4000

as the control VLAN and protection instance 1 as the protection instance.*/


/*Run the following command to configure switch A as the master node of the


secondary port.*/

Switch_A(config)#set zesr ctrl-vlan 4000 major-level role zess-master


/*Run the following commands to enable the TCN packet sending function

on port 1/1.*/

Switch_A(config)#set zesr tcn-sending port 1/1 enable





5-120



/*Run the following command to configure the ZESR domain with VLAN 4000

as the control VLAN and protection instance 1 as the protection instance.*/


/*Run the following command to configure switch B as the transit node of the


secondary port.*/

Switch_B(config)#set zesr ctrl-vlan 4000 major-level role zess-transit


/*Run the following commands to enable the TCN packet sending function

on port 1/1.*/

Switch_B(config)#set zesr tcn-sending port 1/1 enable

Configurations on switch C:/*Run the following commands to configure the spanning tree

instance: the configuration commands from vendors differ.

Refer to the user guides published by respective vendors.*/


Switch_C(config)#set stp forceversion mstp


5.32 ZESS ConfigurationZESS is an efficient link switching mechanism, which allows two links on a device to backup each other and always elect one of them for data transmission. If the link in currentuse fails, ZESS can switch to the backup link rapidly and automatically to guarantee thenormal service data transmission.

Basic ZESS ConceptsFor a description of the basic ZESS concepts, refer to Table 5-4:

Table 5-4 Basic ZESS Concepts

Name Description

ZESS Domain A ZESS domain consists of a control VLAN and a protection instance.

There are two states for a ZESS domain:

l UP indicates that each link in a ZESS domain operates properly.

l DOWN indicates that at least one link in a ZESS domain is disconnected.

ZESS Node A device that is configured with a ZESS domain is called a ZESS node.

5-121



Name Description

Control VLAN The control VLAN of a ZESS domain forwards ZESS protocol packets (Flush

packets).

A Flush packet is sent from a ZESS node during ZESS link switching to inform

the relevant devices to refresh the MAC address table. The control VLAN is not

required for a ZESS domain. If the control VLAN is not configured, no Flush

packets will be sent during ZESS link switching.

Receive-VLAN A Receive-VLAN can be configured on the device that is connected with a

ZESS node and should have the same VLAN ID as that of the control VLAN

of a ZESS node.

Only after a node is configured with a Receive-VLAN will it refresh the MAC

address table when it receives a Flush packet from this VLAN to accelerate

link convergence.

Protection

Instance and

Service VLAN

An instance in MSTP is used as the protection instance of a ZESS domain.

The VLAN in a protection instance (that is, service VLAN) is used for service

data transmission.

Primary/Sec-

ondary Port and

Primary/Sec-

ondary Link

When a device is configured with a ZESS domain, the primary port and the

secondary port are designated to it. The link where the primary port is located is

called the primary link and the link where the secondary port is located is called

the secondary link. Both links can back up each other.

Reversal Mode

and Non-Reversal

Mode

In the condition that the primary link is disconnected and the secondary link is in

use for data transmission, if the primary link recovers from disconnection, there

are two modes of processing: reversal mode and non-reversal mode.

l In reversal mode, ZESS switches data traffic to the primary link and blocks

the secondary link.

l In non-reversal mode, ZESS continues to use the secondary link for data

transmission and blocks the primary link.

ZESS Operating FlowFigure 5-43 shows the ZESS network topology. Switch A is configured with a ZESS domainwith port_1/1 as the primary port and port_1/2 as the secondary port.

5-122



Figure 5-43 ZESS Network Topology

Here is a description of the ZESS operating flow:1. In the initial state, both the primary link and the secondary link operate properly. Then

ZESS blocks the secondary link and uses the primary link for data forwarding.2. When the primary link is disconnected, ZESS rapidly switches the secondary link to

Forwarding state and blocks the primary link.3. When the primary link recovers from disconnection, if reversal mode is enabled,

ZESS will set the primary link to Forwarding state and blocks the secondary link; ifnon-reversal mode is enabled, ZESS will block the primary link and continues to usethe secondary link for data transmission.

Note:

In reversal mode, when the primary link recovers from disconnection, the link is notswitched immediately but after a period of the preup time.

Configuring ZESSThe ZESS configuration includes the following commands:


1 ZXR10(config)#set zess domain <1-4>

protect-instance <1-16> primary {port<port-name>| trunk <trunk-name>} secondary{port <port-name>| trunk <trunk-name>}

Creates a ZESS domain.

The control VLAN must be elected from

idle VLANs. It cannot have any conflict with

service VLANs or Network Management

VLANs.

5-123




2 ZXR10(config)#set zess domain <1-4>mode

{revertive | non_revertive}

Configures the ZESS switching mode. The

default value is reversal mode.

Here are two ZESS switching modes:

l Revertive: reversal mode.

l Non_revertive: non-reversal mode.

3 ZXR10(config)#set zess domain <1-4>

ctrl-vlan <1-4094>

Configures the control VLAN.

4 ZXR10(config)#set zess domain < 1-4>

preup <1-600>

Configures the preup time (s). Default: 5.

The preup time is used in reversal mode.

In the condition that the primary link is

disconnected and the secondary link is in

use for data forwarding, if the primary link

recovers from disconnection, ZESS does

not switch the data traffic to the primary

link immediately. It waits for the preup

time before it implements the switching, to

prevent the switching from occurring when

the primary link recovery is still unstable.

5 ZXR10(config)#set zess receive-vlan

<1-4094>{port <port-name>| trunk<trunk-name>}

Configures a port to enable the capability of

receiving Flush packets from a designated

control VLAN.

6 ZXR10(config)#clear zess receive-vlan

{<1-4094>| all}

Clears the Flush packet receiving capability

of a port.

ZESS Configuration ExampleFigure 5-44 shows the ZESS networking configuration. Switch B and switch C are in thetop network. Switch A is configured as a ZESS node. Here, ZESS is used for single-devicedual-uplink backup to achieve the Ethernet smart switch function.

Switch A is configured with two ZESS domains. To achieve load balancing, the primaryand secondary ports of one domain operate as the secondary and primary ports of theother domain, respectively.l In ZESS domain 1, the control VLAN is VLAN4000, the protection instance is instance

1, the primary port is port_1/1 and the secondary port is port_1/2.l In ZESS domain 2, the control VLAN is VLAN4001, the protection instance is instance

2, the primary port is port_1/2 and the secondary port is port_1/1.

The capability of receiving Flush packets from the control VLANs VLAN4000 andVLAN4001 is enabled on relevant ports of switch B and switch C.

5-124



Figure 5-44 ZESS Networking Configuration

Configurations on switch A:/*Run the following commands to configure a protection instance.*/



/*Run the following commands to configure a ZESS domain.*/

Switch_A(config)#set zess domain 1 protect-instance 1 primary port_1/1 secondary port_1/2

Switch_A(config)#set zess domain 2 protect-instance 2 primary port_1/2 secondary port_1/1

/*Run the following commands to configure the control VLAN.*/

Switch_A(config)#set zess domain 1 ctrl-vlan 4000

Switch_A(config)#set zess domain 2 ctrl-vlan 4001

Configurations on switch B:/*Run the following commands to configure a protection instance.*/



/*Run the following commands to configure receive-vlans.*/

Switch_B(config)#set zess receive-vlan 4000 port 1/2

Switch_B(config)#set zess receive-vlan 4001 port 1/2

Switch_B(config)#exit

Configurations on switch C:/*Run the following commands to configure a protection instance.*/



5-125



/*Run the following commands to configure receive-vlans.*/

Switch_C(config)#set zess receive-vlan 4000 port 1/1

Switch_C(config)#set zess receive-vlan 4001 port 1/1

Switch_C(config)#exit

5.33 OAM ConfigurationOAM OverviewWith the rapid development of Ethernet technology, Ethernet network proportion graduallyincreases in network structure. Ethernet devices replacing ATM network devices and otherdevices are widely used in access, convergence layer and backbone network. Due to thegreat application, Operation, Administration and Maintenance (OAM) function of Ethernetdevices receive much concern. The main Ethernet OAM protocols are shown below.

l IEEE 802.3ah (Operations, Administration, and Maintenance-OAM)l IEEE 802.1ag (Connectivity Fault Management) (Draft)l ITU-Y 1731 (OAM functions and mechanisms for Ethernet based networks ) (Draft)

IEEE 802.3ah operations, administration andmaintenance standard is the formal standard,which aims at the management of link level. It monitors and troubleshoots the point topoint (virtual point to point) Ethernet link. It has the important meaning for connectionmanagement of Last One Mile. The faults take place constantly on Last One Mile.

The ZXR10 2900E series switch supports IEEE 802.3ah.

Ethernet OAM Main Function

l OAM Discovery Function: After enabling Ethernet OAM function, the ZXR10 2900Eseries switch can detect the remote DTE device which has OAM function. Aftercoordinating with the peer OAM, enter normal Ethernet OAM interaction process .

l Remote Link Event Alarm: OAM function inspects the events of remote link, andadopts the corresponding responding methods. When the fault takes place on remotelink, OAM defines the event and announces it to remote OAM client. The detailedevents announcement packet is also provided.

OAM defines the following link events.

1. Link Failure: The physical layer locates the failure that take place on receivingdirection of local DTE.

2. Emergency Failure: The local failure event has happened, and this failure cannotbe recovered.

3. Emergency Events: The un-defined emergency event happens.l OAM Remote Loopback: The ZXR10 2900E series switch provides optional data link

layer frame level loopback mode by OAM function. OAM remote loopback is used tolocate failure and examine the link performance. When remote DTE is on the OAMremote loopback mode, the statistic data of local and remote DTE can be inquired andcompared at any time. OAM loopback frame can be analyzed to obtain the additionalinformation of link health (frame discard due to the link failure).

5-126



l Link Monitoring: The ZXR10 2900E series switch monitors and examines the linkstate, and announces the specified frame events by OAM function. The specifiedframe events can be classified into four types: error symbol period event, errorframe event and error frame period event, error frame-second statistic event. Afterinspecting the error, OAM will respond and alarm the peer device by announcementmechanism.

The link monitoring events are classified into four types: error symbol monitor event, errorframe monitor event, error frame-period monitor event and error frame-second statisticmonitor event. When the link monitoring information is viewed, the related error symbol,the statistic of error frame and the statistic of local and peer link events will be shown oneach event.

Configuring OAMThe OAM configuration includes the following commands:

Command Function

zte(cfg)#set ethernet-oam {enable | disable} Enables or disables the global

OAM function.

zte(cfg)#set ethernet-oam port <portlist>{enable | disable} Enables or disables the OAM

function on the port.

zte(cfg)#set ethernet-oam port <portlist> period <1-10>

timeout <2-20> mode {active | passive}Sets the OAM period, timeout time

and mode of the port.

zte(cfg)#set ethernet-oam remote-loopback timeout <1-10> Sets remote-loopback timeout

value on port.

zte(cfg)#set ethernet-oam remote-loopback port <portlist>{start

| stop}

Starts or stops OAM

remote-loopback function on

port.

zte(cfg)#set ethernet-oam org-specific {oui <XX-XX-XX>|time-stamp <1-10>}

Sets the specified content in

OAMPDU packet.

zte(cfg)#set ethernet-oam port <portlist> link-monitor {enable |

disable}

Enables or disables link monitor

function.

zte(cfg)#set ethernet-oam port <portlist> link-monitorsymbol-period threshold <1-65535> window <1-65535>

Sets the symbol period event

which is used for link monitor.

zte(cfg)#set ethernet-oam port <portlist> link-monitor framethreshold <1-65535> window <1-60>

Sets the error frame.

zte(cfg)#set ethernet-oam port <portlist> link-monitorframe-period threshold <1-65535> window <1-600000>

Sets the period of error frame.

zte(cfg)#set ethernet-oam port <portlist> link-monitorframe-seconds threshold <1-900> window <10-900>

Sets error frame summary.

5-127



Command Function

show ethernet-oam (all configuration modes) Displays OAM global configuration

information.

show ethernet-oam port (all configuration modes) Displays OAM port summary

information.

show ethernet-oam port <portlist> discovery (all configuration

modes)

Displays port OAM discovery

state.

show ethernet-oam port <portlist> statistics (all configuration

modes)

Displays port OAM statistics

information.

show ethernet-oam port <portlist> link-monitor (all configuration

modes)

Displays port OAM link event

configuration and state.

OAM Remote Loopback Configuration Instancel Configuration Description

OAM remote loopback is used to locate failure and examine the link performance.The function is based on OAM discovery. See Figure 5-45, the user logs in to theswitch A through console port and configures OAM, Enable OAM and the port remoteloopback of the other end. When remote switch B is on the OAM remote loopbackmode, the statistic data of local and remote switch can be inquired and compared atany time. OAM loopback frame can be analyzed to obtain the additional informationof link health (frame discard due to the link failure).

Figure 5-45 Remote Loop Network


zte(cfg)#set ethernet-oam en

zte(cfg)#set ethernet-oam port 1 en

2. Configuration of switch B:zte(cfg)#set ethernet-oam enable

zte(cfg)#set ethernet-oam port 2 enable

zte(cfg)#show Ethernet-oam port 2 discovery

PortId 2: ethernet oam enabled

Local DTE /*the local device information*/

-----------

Config:

Mode : active

/*the port mode must be active, or the discovery is failure*/

5-128



Period : 10*100(ms)

Link TimeOut : 5(s)

Unidirection : nonsupport

PDU max size : 1518

Status:

Parser : forward

Multiplexer : forward

Stable : yes

/*yes represents that discovery succeeds. no represents discovery fails.*/

Discovery : done

/*discovery succeeds. “undone”represents that discovery fails*/

Loopback : off

PDU Revision : 92

Remote DTE /*the remote device information*/

-----------

Config:

Mode : active

Link Monitor : support


Remote Loopback : support

Mib Retrieval : nonsupport

PDU max size : 1518

Status:

Parser : forward


Stable : yes

Mac Address : 00.d0.d0.29.28.02

/*the system MAC of the remote device.

The MAC address is 00.00.00.00.00.00 when discovery fails.*/

PDU Revision : 967

zte(cfg)#set ethernet-oam remote-loopback port 2 start

zte(cfg)#show ethernet-oam port 2 discovery

PortId 2: ethernet oam enabled

Local DTE

-----------

Config:

Mode : active

Period : 10*100(ms)

Link TimeOut : 5(s)


PDU max size : 1518

Status:

Parser : discard /*the parser state is discard*/


5-129



Stable : yes

Discovery : done

Loopback : on(Master)

/*the local is the active originator (Master).

The other end displays as slave.*/

PDU Revision : 1431

Remote DTE

-----------

Config:

Mode : active

Link Monitor : support


Remote Loopback : support

Mib Retrieval : nonsupport

PDU max size : 1518

Status:

Parser : loopback /*the parser state is loopback*/

Multiplexer : discard /*the multiplexer state is discard*/

Stable : yes

Mac Address : 00.d0.d0.29.28.02

PDU Revision : 28

zte(cfg)#set ethernet-oam remote-loopback port 2 stop

/*disable OAM remote-loopback on port2.

The switch replies OAM discovery success.*/

Key points of configuration:

The switch gives the following prompts when OAM discovery failure occurs, or startingand stopping remote loopback.

OAM discovery is completed successfully on port 2, the following information appears.

SAT JUL 03 23:30:00 2004 ETH-OAM port 2's discovery process is successful.

Disconnect the network cable between switches, the following information appears.

SAT JUL 03 23:33:00 2004 ETH-OAM port 2 deteced

a fault in the local receive direction.

OAM Link Control Event Configuration Instancel Configuration Description

OAM monitor function can notify the abnormal frame of the link receiver to the local.The function is based on OAM discovery. See Figure 5-46, the user logs in to theswitch A through console port and configures OAM. Enable OAM and the port linkmonitor of the switch B. Then the error frame and the error symbol can be detectedand announced to local switch A.

5-130



Figure 5-46 Link Control Network


zte(cfg)#set ethernet-oam enable


2. Configuration of switch B:zte(cfg)#set ethernet-oam enable


zte(cfg)#set ethernet-oam port 1 link-monitor enable

zte(cfg)#set ethernet-oam port 1 lin symbol-period threshold 10 window 10

zte(cfg)#set ethernet-oam port 1 lin frame threshold 10 window 20

zte(cfg)#set ethernet-oam port 1 link-monitor frame-period threshold 5

window 1000

zte(cfg)#set ethernet-oam port 1 link-monitor frame-seconds threshold 10

window 30

zte(cfg)#show eth port 1 link-monitor

Link Monitoring of Port: 1 enabled

Errored Symbol Period Event:

Symbol Window : 10(million symbols)

Errored Symbol Threshold : 10

Total Errored Symbols : 0

Local Total Errored Events : 0

Remote Total Errored Events : 0

Errored Frame Event:

Period Window : 20(s)

Errored Frame Threshold : 10

Total Errored Frames : 0



Errored Frame Period Event:

Frame Window : 1000(ten thousand frames)

Errored Frame Threshold : 5

Total Errored Frames : 0



Errored Frame Seconds Event:

Errored Seconds Window : 30(s)

5-131



Errored Seconds Threshold : 10(s)

Total Errored Frame Seconds : 0(s)

Local Total Errored Frame Seconds Events : 0

Remote Total Errored Frame Seconds Events : 0

5.34 sFlow ConfigurationThe sFlow configuration includes the following commands:

Command Function

zte(cfg)#set sflow agent-address <A.B.C.D>[udp-port<1-65535>]

Sets the IP address of an sFlow

agent.

zte(cfg)#set sflow collector-address <A.B.C.D>[udp-port<1-65535>]

Sets the IP address of an sFlow

collector.

zte(cfg)#set sflow version <number> Sets the format version of sFlow

sampling packets.

zte(cfg)#set sflow {ingress | egress}{enable | disable} Enables or disables the sFlow

function on an ingress or an

egress.

zte(cfg)#set sflow {ingress | egress} reload-mode { continue | cpu} Sets the reloading mode on an

sFlow ingress or egress.

zte(cfg)#set sflow ingress sample-mode {all | forward} Sets the sampling mode on an

sFlow ingress or egress.

zte(cfg)#set sflow {ingress | egress} port <portlist> packet-sampleoff

Disables port-based sFlow

sampling.

zte(cfg)#set sflow {ingress | egress} port <portlist>packet-sample on frequency <2-16000000>[time-range<word>]

Enables port-based sFlow

sampling or associates with a time

range.

zte(cfg)#clear sflow config [{agent | collector}] Clears sFlow configuration on

ports.

zte(cfg)#clear sflow statistic Clears statistics information on

ports.

show sflow (all configuration modes) Displays all sFlow configuration.

5-132



5.35 PP ConfigurationPP OverviewProtocol Protect (PP) maintains and monitors the rate of packets forwarded to the CPU,thus preventing viruses or spiteful attacks to the switch. In this way, the switch providesself-protection ability and ensures network security.

PP takes the following measures: limiting the rates of related services, filtering unsuitablepackets, sending alarms when there are packets sent at an abnormal rate, and remindingNMS that there may be packets attacking the CPU.

To enhance flexibility and compatibility of the switch, PP provides the function of configuringpriority users for the protocol packets sent by the switch.

Configuring PPThe PP configuration includes the following commands:

Command Function

zte(cfg)#create protocol-protect mac-drop rule

<1-128> src-mac <HH.HH.HH.HH.HH.HH> mask<HH.HH.HH.HH.HH.HH>

Creates a mac drop rule.

zte(cfg)#set protocol-protect alarm port <portlist>{enable |

disable}

Enables or disables the PP alarm

function on a port.

zte(cfg)#set protocol-protect alarm port <portlist>{protocol-na

me}<0-18000>

Sets PP 30 second-protocol alarm

threshold.

zte(cfg)#set protocol-protect limit {group-name}<0-800> Sets the rate limit of sending

packets to the CPU.

zte(cfg)#set protocol-protect priority{protocol-name|all}{<0-7

>|default}

Sets PP protocol priority.

zte(cfg)#set protocol-protect mac-drop {disable | enable} Enables the mac drop function.

zte(cfg)#set protocol-protect mac-drop rule <1-128> bind port<portlist>

Binds the mac drop rule with the

port.

zte(cfg)#clear protocol-protect mac-drop counter [port<portlist>]

Clears the number of messages

dropped by the mac drop function.

zte(cfg)#clear protocol-protect mac-drop port <portlist>[rule<1-128>]

Clears the mac drop rules for

specified or all ports.

zte(cfg)#clear protocol-protect mac-drop rule [<1-128>] Clears specified mac drop rules.

show protocol-protect statistic [port <portlist>] (all configurationmodes)

Displays statistics information of

protocol packet alarms on a PP

port.

show protocol-protect limit (all configuration modes) Displays PP rate limit information.

5-133



Command Function

show protocol-protect priority (all configuration modes) Displays packet priority


show protocol-protect mac-drop port [<portlist>](all configuration

modes)

Displays the rules and statistics

bound with a specified port.

show protocol-protect mac-drop rule [<1-128>](all configuration

modes)

Displays specified mac drop rules.

PP Configuration Instancel Configuration Description

See Figure 5-47, Host 1 sends DHCP attack packets. Users can view the deviceoperating status and alarm information. Users also can view IGMP operating statusunder DHCP packet attacks. The router sends IGMP query packets periodically.

Figure 5-47 PP Configuration Instance

l Configuration Procedurezte(cfg)#set igmp snooping enable

zte(cfg)#set igmp snooping add vlan 1

zte(cfg)#set dhcp snooping-and-option82 enable

zte(cfg)#set dhcp snooping add port 1-3


Use Host 1 to send DHCP Discover packets. View alarm information on the switch.

Thu Jul 1 17:53:18 2004 Receive too many packets of 'dhcp' from port 1

Use Host 2 to request joining the multicast group 225.0.0.1. View the multicast entityon the device.

zte(cfg)#show igmp snooping vlan



5-134




---- ------- --------------- --------------- -------------------

1 1 225.0.0.1 10.40.1.10 2-3

5.36 LLDP ConfigurationLLDP OverviewThe Link Layer Discovery Protocol (LLDP) is a new protocol defined in the 802.1ab. Thisprotocol allows neighboring devices to send messages to each other to update physicaltopology information and establish Management Information Bases (MIBs). The LLDPworkflow is described below:

1. The local device sends its link and management information to a neighbor device.2. The local device receives the network management information of a neighbor device.3. The MIB of the local device stores the network management information of all

neighbor devices, and a network management program can query layer-2 connectioninformation in the MIB.

The LLDP is not a configuration protocol of the remote system or a signaling controlprotocol used between two ports. The LLDP discovers layer-2 protocol configurationconflicts between neighbor devices, but it only reports the problem to an upper-layernetwork management device, without providing any mechanism to solve the problem.

The LLDP is simply a neighbor discovery protocol that defines a standard for networkdevices (such as switches, routers, and WLAN access points) in the Ethernet to advertisetheir identities to other nodes in the network and store discovery information of all neighbordevices. For example, device configuration and device IDs can be advertised by the LLDP.

The LLDP defines a universal advertisement information set, a protocol for sendingthe advertisement information, and a method for storing the received advertisementinformation. The device that wants to advertise its information can place multiple piecesof advertisement information into a Link Layer Discovery Protocol Data Unit (LLDPDU).The LLDPDU contains a variable-length message unit (called TLVs), which are describedbelow:

l Type: indicates the type of the message to be sent.l Length: indicates the number of bytes in the message.l Value: indicates the contents to be sent.

Each LLDPDU contains four mandatory TLVs and one optional TLV:

l Chassis ID TLV and Port ID TLV: identify the sender.l TLL TLV: notifies the receiver of the storage period of a message. If the receiver does

not receive any update message within the specified period, the receiver discards allthe related messages. A recommended update frequency is defined by the IEEE, thatis, to send messages at 30-second intervals.

5-135



l Optional TLVs: includes a basic management TLV set (such as port description TLV),a special TLV set defined by IEEE 802.1, a special TLV set defined by IEEE 802.3,and an LLDP-MED TLV set defined by TIA.

l End of LLDPDU TLV: indicates the end of an LLDPDU.

Configuring LLDPThe LLDP configuration includes the following commands:

Command Function

zte(cfg)#lldp hellotime <5-32768> Sets the interval for sending LLDP

neighbor discovery messages.

zte(cfg)#lldp holdtime <2-10> Sets the LLDP neighbor holding

time.

zte(cfg)#lldp max-neighbor <1-31> Sets the maximum number of

neighbors that can be discovered

by LLDP.

zte(cfg)#lldp port <portlist>{enable | disable} Enables or disables all LLDP

functions on a specific port.

zte(cfg)#lldp port <portlist>{txenable | txdisable} Enables or disables the LLDP

sending function on a specific port.

zte(cfg)#lldp port <portlist>{rxenable | rxdisable} Enables or disables the LLDP

receiving function on a specific

port.

zte(cfg)#lldp port <portlist> med-tlv-select {capabilities-tlv

| extended-power-tlv | inventory-tlv | location-tlv |

network-policy-tlv}{enable | disable}

Sets the optional MED TLV type

sent on a port.

zte(cfg)#lldp port <portlist> max-neighbor <1-8> Sets the maximum number of

neighbors that can be discovered

on a specific LLDP port.

zte(cfg)#clear lldp neighbor port <portlist> Clears LLDP neighbors with whom

neighbor relationships have been

established.

zte(cfg)#clear lldp statistic port <portlist> Clears statistics information of

LLDP neighbors.

show lldp config port <portlist> (all configuration modes) Displays LLDP configuration

information.

show lldp neighbor port <portlist> (all configuration modes) Displays summary information of

LLDP neighbors.

show lldp entry port <portlist> (all configuration modes) Displays detailed information of

LLDP neighbors.

5-136



Command Function

show lldp statistic port <portlist> (all configuration modes) Displays statistics information of

LLDP neighbors.

LLDP Configuration Instancel Configuration Description

See Figure 5-48, two switches are connected to each other through a twisted-pair. Bydefault, the LLDP function is enabled, and all parameters use the default values. Usethe show command to view neighbor establishment information.

Figure 5-48 LLDP Configuration Instance

l Configuration Verificationzte(cfg)#show lldp neighbor

Capability Codes:

P-Repeater, B-Bridge, W-WLAN Access Point, R-Router, T-Telephone

C-DOCSIS Cable Device, s-Station, S-Switch, O-Other

Interface DeviceID Hdtm Capability Platform PortID

---------- ----------------- ----- ---------- ------------------ --------------

port-19 00.d0.d0.09.29.18 110 B S ZXR10 2918E-PS port-9

Version V2.05.11B06

zte(cfg)#show lldp entry

--------------------------------------------------------

Local Port:port-1/1

Chassis ID:00.55.43.33.33.59 (MAC Address)

Port ID :port-1/48 (Interface Name)

TTL ID :102 (Time to live)

Port Description :port-1/48 status is up,media-type is 1000BaseT,pvid is 4094.

System Name :52PM

System Description:ZXR10 2918E-PS Version V2.05.11B06

System Capability :Bridge, Switch

Management Address:IPv4 - 192.168.100.100, ifIndex - 63, OID - Null

5.37 Single Port Loop Detection ConfigurationSingle Port Loop Detection OverviewSingle port loop detection is to check whether a loop exists in the ports of the switch. If sucha loop exists, it may result in errors in learning MAC addresses and may easily cause abroadcast storm. In severe case, switch and network may be down. Starting the single port

5-137



loop detection and disabling the port with loop can efficiently avoid the influence causedby port loop.

The switch sends a test packet through a port. If this test packet is received through theport without any change (or only a tag is attached), it indicates that a loop exists in thisport.

The test packet sent by the switch includes the following three parameters:

l Source MAC address: It indicates the MAC address of the switch. The MAC addressof each switch is unique.

l Port Number: Port numbers correspond to the numbers of the ports on the switch oneby one.

l Discrimination Field: For each switch, the digital signature of each port is different.

When three parameters in the receiving and sending test packets are same, the loopdefinitely exists on this port.

Configuring Single Port Loop DetectionThe configuration of single port loop detection includes the following contents:

Command Function

zte(cfg)#set loopdetect sendpktinterval <5-60> Sets the interval for sending loop

detection packet.

zte(cfg)#set loopdetect blockdelay <1-1080> Sets interval for blocking port with

loop.

zte(cfg)#set loopdetect port <portlist>{enable|disable} Enables or disables loop detection

on a port.

zte(cfg)#set loopdetect port <portlist> vlan <vlanlist>{enable|d

isable}

Enables or disables loop detection

on a port in a specific VLAN.

zte(cfg)#set loopdetect port <portlist> protect {enable | disable} Enables or disables port protection

when a loop occurs on a port.

zte(cfg)#set loopdetect extend port <portlist>{enable | disable} Enables or disables cross-device

loop detection on a port.

zte(cfg)#set loopdetect trunk <trunklist>{enable|disable} Enables or disables loop detection

on a trunk port.

zte(cfg)#set loopdetect trunk <trunklist> vlan<vlanlist>{enable|disable}

Enables or disables loop detection

on a trunk port in a specific VLAN.

zte(cfg)#set loopdetect trunk <trunklist> protect {enable |

disable}

Enables or disables trunk port

protection when a loop occurs on

a trunk port.

zte(cfg)#set loopdetect extend trunk <trunklist>{enable | disable} Enables or disables cross-device

loop detection on a trunk port.

5-138



Command Function

show loopdetect (all configuration modes) Displays loop detection

information.

show loopdetect port [<portlist>] (all configuration modes) Displays port information of loop

detection.

show loopdetect trunk [<trunklist>] (all configuration modes) Displays trunk information of loop

detection.

zte(cfg)#clear loopdetect Clears loop detection configuration

information.

Single Port Loop Detection Configuration Instancel Configuration Description

See Figure 5-49, configure the single port loop detection function so that Port 1 onSwitch 1 can detect the loop on Switch 2 and block Port 1.

Figure 5-49 Single Port Loop Detection Configuration Topology

l Configuration Procedurezte(cfg)#set loopdetect port 1 enable


Check the loop detection state of Switch 2:

zte(cfg)#show loopdetect

The block-delay of loopdetect : 5 (min)

The packet interval of loopdetect : 15 (sec)

PortId isUp isStp isProtect isExtend loopVlanNum loopType

------ ---- ----- --------- -------- ----------- ---------

1 Up No Yes No 1 Port

zte(cfg)#show loopdetect port 1

PortId : 1

VlanId isLoop isBlock

------ ------ -------

1 Yes Yes

5-139



Double Ports Loop Detection Configuration Instancel Configuration Description

See Figure 5-50, configure the double ports loop detection function of loop-detect ofswitch2 to suppress broadcast storm of network under switch2.

Figure 5-50 Double Ports Loop Detection Configuration Topology

l Configuration ProcedureSwitch2(cfg)#set loopdetect port 1,2 enable

Switch2(cfg)#set loopdetect extend port 1 enable


Check the loop detection state of switch2.

Switch2(cfg)#show loopdetect

The block-delay of loopdetect : 5 (min)

The packet interval of loopdetect : 15 (sec)

PortId isUp isStp isProtect isExtend loopVlanNum loopType

------ ---- ----- --------- -------- ----------- ---------

1 Up No Yes Yes 1 Port

2 Up No Yes No 0 Port

5.38 UDLD ConfigurationUDLD OverviewUniDirectional Link Detection (UDLD) is a Layer 2 logical link detection protocol. It candetect logical connectivity of Ethernet links and verify physical connectivity. Different fromphysical connectivity detection, UDLD is neighbor-based detection. Layer 1 devices aretransparent for UDLD.

UDLD needs to establish neighbor relationship between Layer 2 devices first, A portsupports a maximum number of 12 neighbors. When the UDLD function is enabled onan Ethernet port whose status is up, the port sends a Probe message inviting a neighbordevice to join. The port on which the UDLD function is enabled on the neighbor devicereceives the Probe message and sends an Echo message. If the port receives the Echomessage, the connection between the devices works properly in both directions in theview of the local device. Neighbor relationship is established with the peer device on thelocal device. The local devices sends an Echo message. After the peer device receivesthe Echo message, the neighbor relationship is established between the devices.

After neighbor relationship is established, the devices send Hello messages periodicallyto detect whether the link is operating properly. When receiving a Hello message from theneighbor, a device updates the neighbor information saved locally and resets the time-out

5-140



period of the neighbor. If the device does not receives a Hello message when the time-outperiod expires, it is considered that the a fault occurs to the neighbor and the neighbor isaged. If the last neighbor is deleted due to aging, it is considered that the link is not innormal operating state. It is necessary to handle the problem according to working mode.

There are two UDLD working modes: normal mode and aggressive mode.

l In normal mode, only when the device receives a protocol message confirming thatthe link is connected incorrectly will the port be shut down. If the device does notreceive the related message or cannot confirm that the link is working properly in onedirection, the device does not operate the port.

l In aggressive mode, if the device cannot confirm that the link is working properly inboth directions (such as the link is connected incorrectly, the link is working properlyonly in one direction or the link is a self-loop), the port is shut down. It is necessary touse the reset or recovery command to recover the communication ability of the port.

UDLD shuts down a port in the following situations.

l In both modes, when an Echo message is sent, the device detects that the neighborof the peer port is not the device itself during the final neighbor detection.

l In aggressive mode, the status becomes PROBE because the last neighbor is aged,and multiple Probe messages are sent continuously without any response.

l In aggressive mode, the port receives the UDLD message sent by itself and there isa self-loop.

To prevent a neighbor from being aged by mistake, a local device sends Flush messageson its own initiative to the port on which the UDLD function is enabled in the followingsituations.

l The port is down administratively.l UDLD is down on the port.l The device is restarted.

Configuring UDLDThe UDLD configuration includes the following commands:

Command Function

zte(cfg)#udld port <portlist>{enable|disable} Enables or disables UDLD on a

port.

zte(cfg)#udld port <portlist> mode {aggressive | normal} Sets the mode of a port in UDLD.

zte(cfg)#udld port <portlist> message timer <7-90> Sets the interval of sending

messages after UDLD enters the

BiDirectional status and the port is

steady.

zte(cfg)#udld port <portlist> recovery {enable | disable} Enables or disables the UDLD

recovery function.

zte(cfg)#udld port <portlist> recovery timer <10-600> Sets the recovery interval.

5-141



Command Function

zte(cfg)#udld port <portlist> reset Recovers the link establishment

function on a port manually.

zte(cfg)#udld <portlist> force-check {enable | disable} Enables or disables the forced

monologue detection function.

zte(cfg)#udld <portlist> force-check timer <15-300> Sets the forced monologue

detection period.

show udld (all configuration modes) Displays UDLD configuration on

all ports.

show udld port [<portlist>] (all configuration modes) Displays port configuration, status

and detailed neighbor information.

UDLD Configuration Instancel Configuration Description

See Figure 5-51, it is required that the switch can detect the connection error, sendalarm information and shut down the ports.

Figure 5-51 UDLD Configuration Instance

l Configuration ProcedurezteA(cfg)#udld port 17,18 enable

zteB(cfg)#udld port 17,18 enable

l Configuration VerificationThu Jul 1 16:07:09 2004 Udld Port : 17 link failure

Thu Jul 1 16:07:09 2004 Udld Port : 18 link failure

Thu Jul 1 16:07:10 2004 Port : 17 linkdown

Thu Jul 1 16:07:10 2004 Host Topology changed

Thu Jul 1 16:07:10 2004 Port : 18 linkdown

5-142



Thu Jul 1 16:07:10 2004 Host Topology changed

zteA(cfg)#show udld port 17

Port 17

Administrative configuration: Enable

Port mode: Aggressive(Aggr)

Current state: Unidirectional - Detected link failure

Recovery configuration: Disable

Recovery time interval: 30s

Message time interval: 15s

Force check configuration: Disable

Force check time: 30s, Remaining: 0s

No neighbour information stored

5.39 TACACS+ ConfigurationTACACS+ OverviewTerminal Access Controller Access-Control System Plus (TACACS+) is developed fromTACACS and XTACACS. It is the latest version of TACACS (not compatible with theprevious two versions). It is a popular AAA protocol at present.

TACACS+ supports separate authentication, authorization, and accounting. DifferentTACACS+ servers can act respectively as the authentication, authorization, andaccounting servers.

Configuring TACACS+The TACACS+ configuration includes the following commands:

Command Function

zte(cfg-nas)#tacacs-plus group <group-name>{enable|disable} Enables or disables a server

group.

zte(cfg-nas)#tacacs-plus group <group-name>{add|delete} host<A.B.C.D>[<49,1025-65535>|<4-180>|<string>]

Adds or deletes a server

in/from a TACACS+ server

group.

zte(cfg-nas)#tacacs-plus loginauthen default group <group-name> Sets the default TACACS+

login authentication server

group.

zte(cfg-nas)#tacacs-plus loginauthor default group <group-name> Sets the default server group

authorized for TACACS+

login.

5-143



Command Function

zte(cfg-nas)#tacacs-plus adminauthen default group <group-name> Sets the default server group

authenticated for TACACS+

management.

zte(cfg-nas)#tacacs-plus accounting commands default group

<group-name>

Sets the default server

group for TACACS+ MML

accounting.

zte(cfg-nas)#tacacs-plus accounting exec default group

<group-name>

Sets the default server

group for TACACS+ user

accounting.

zte(cfg-nas)#tacacs-plus accounting update period <1-2147483647> Sets the refresh period for

TACACS+ user accounting.

zte(cfg-nas)#clear tacacs-plus loginauthen default Clears the default TACACS+

login authentication server

group.

zte(cfg-nas)#clear tacacs-plus loginauthor default Clears the default TACACS+

login authorization server

group.

zte(cfg-nas)#clear tacacs-plus adminauthen default Clears the default server

group authenticated for

TACACS+ management.

zte(cfg-nas)#clear tacacs-plus accounting commands default Clears the default server

group for TACACS+ MML

accounting.

zte(cfg-nas)#clear tacacs-plus accounting exec default Clears the default server

group for TACACS+ user

accounting.

zte(cfg-nas)#clear tacacs-plus accounting update Clears the refresh period for

TACACS+ user accounting.

show tacacs-plus (all configuration modes) Displays TACACS+


TACACS+ Configuration Instancel Configuration Description

See Figure 5-52, the switch works as a TACACS+ client and its IP address is192.168.1.1/24. The Windows server works as a TACACS+ server and its IP addressis 192.168.1.100/24.

5-144



Figure 5-52 TACACS+ Configuration Instance

l Configuration Procedurezte(cfg)#set loginauth tacacs-plus+local

zte(cfg)#set adminauth tacacs-plus+local






zte(cfg)#config nas

zte(cfg-nas)#tacacs-plus group zte enable

zte(cfg-nas)#tacacs-plus group zte add host 192.168.1.100

zte(cfg-nas)#tacacs-plus loginauthen default group zte

zte(cfg-nas)#tacacs-plus loginauthor default group zte

zte(cfg-nas)#tacacs-plus adminauthen default group zte

zte(cfg-nas)#tacacs-plus accounting commands default group zte

zte(cfg-nas)#tacacs-plus accounting exec default group zte

zte(cfg-nas)#tacacs-plus accounting update period 10

5.40 Time Range ConfigurationTime Range OverviewThere are several conditions in the time range configuration.

l Configure a time range for each day: Specify the exact start time and end time. If thestart time and the end time are not configured, the time range is a full day.

l Configure a period: Specify the period to be a certain day of a week.l Configure a date range: Specify the start date and end date. If the start date and the

end date are not configured, the start date is the day when the configuration takeseffect and the end date is the day when the configuration is invalid.

5-145



Configuring a Time RangeThe time range configuration includes the following commands:

Command Function

zte(cfg)#set time-range <word> period <hh:mm> to<hh:mm>{daily | day-off | day-working | monday | tuesday |

wednesday | thursday | friday | saturday | sunday}

Sets a periodic time range.

zte(cfg)#set time-range <word> absolute <hh:mm><yyyy-mm-dd>[to <hh:mm><yyyy-mm-dd>]

Sets an absolute time range.

zte(cfg)#clear time-range [<word>] Clears time range configuration.

show time-range [<word>] (all configuration modes) Displays time range configuration.

5.41 Voice VLAN ConfigurationVoice VLAN OverviewThe Voice VLAN is a VLAN specially allocated for voice data of users. It provides a voiceVLAN and adds interfaces of voice devices to the voice VLAN. The user can configurethe CoS and DSCP for voice data to increase the priority of voice data transmission andensure the call quality.

Voice data can be added to the voice VLAN in two modes: dynamic mode and manualmode.

In dynamic mode, if the interface fails to be added to or removed from the voice VLAN, thesystem will send an alarm to notify the user.

To prevent common service packets from occupying the bandwidth of the voice VLAN andensure the quality of voice communication, the voice VLAN provides the security mode.The security mode is classified into the strict security mode and non-strict security mode.

Configuring a Voice VLANThe voice VLAN configuration includes the following commands:

Command Function

zte(cfg)#set vlan voice-vlan port <port-id> ingress-vlan<vlanlist> voice-vlan <1-4094>

Sets the voice VLAN function on

a port.

zte(cfg)#set vlan voice-vlan port <port-id> oui-id<1-32> mac-addr <HH.HH.HH.HH.HH.HH> mac-mask<HH.HH.HH.HH.HH.HH>

Adds an OUI to a port.

zte(cfg)#set vlan voice-vlan <1-4094> qos-profile <0-127>modify {up|dscp|all}

Sets to modify either up or dscpor both.

5-146



Command Function

zte(cfg)#set vlan voice-vlan <1-4094> qos-profile disable Disables the association between

a QoS profile and a voice VLAN.

zte(cfg)#clear vlan voice-vlan port <port-id> Clears all voice VLAN information

configured on a port.

zte(cfg)#clear vlan voice-vlan port <port-id> oui-id Clears all OUIs configured on a

port.

zte(cfg)#clear vlan voice-vlan port <port-id> oui-id <1-32> Clears a specific OUI configured

on a port.

show vlan voice-vlan (all configuration modes) Displays voice configuration on all

ports.

show vlan voice-vlan port <port-id> (all configuration modes) Displays voice configuration on a

port.

show vlan voice-vlan default-oui (all configuration modes) Displays the default OUI of a

device.

show vlan voice-vlan user-table port <port-id> (all configuration

modes)

Displays the user table on a port.

show vlan voice-vlan <vlanlist> qos (all configuration modes) Displays voice VLAN QoS

configuration.

Voice VLAN Configuration Instancel Configuration Description

See Figure 5-53, the two IP Phones are in VLAN 10 and VLAN 20, respectively. Thevoice VLAN is VLAN 100.

Figure 5-53 Voice VLAN Configuration Instance

l Configuration Procedurezte(cfg)#set vlan 10,20,100 add port 1-3 tag

zte(cfg)#set vlan 10,20,100 enable

zte(cfg)#set vlan voice-vlan port 1 oui-id 1 mac-addr 00.00.01.00.00.01

5-147



mac-mask FF.FF.FF.FF.FF.FF

zte(cfg)#set vlan voice-vlan port 2 oui-id 1 mac-addr 00.00.01.00.00.02

mac-mask FF.FF.FF.FF.FF.FF

zte(cfg)#set vlan voice-vlan port 1 ingress-vlan 10 voice-vlan 100

zte(cfg)#set vlan voice-vlan port 2 ingress-vlan 20 voice-vlan 100

l Configuration Verificationzte(cfg)#show vlan voice-vlan

Port Id: 1

Customer Vlan List: 10

Voice-vlan : 100

Oui configed :

oui-id: 1 mac: 00.00.01.00.00.01 mask: FF.FF.FF.FF.FF.FF

Port Id: 2

Customer Vlan List: 20

Voice-vlan : 100

Oui configed :

oui-id: 1 mac: 00.00.01.00.00.02 mask: FF.FF.FF.FF.FF.FF

5.42 802.1ag Configuration802.1ag OverviewFor IEEE802.1ag, the Connectivity Fault Management (CFM) function checks, separatesand reports connectivity faults of the virtual bridge LAN. It is used in operators’ networkand also valid for the Customer VLAN (C-VLAN) network.

The network manager performs planning on network services and levels for themanagement and maintenance purposes. The entire network is divided into multipleManagement Domains (MDs). For a single management domain, see Figure 5-54.

5-148



Figure 5-54 Single Management Domain

In the domain in Figure 5-54, a series of ports are defined on peripheral and internaldevices.l The grey ports on the peripheral devices are service ports connected to the external

devices and therefore are named Maintenance association End Point (MEP).l The other black ports (including those on intermediate devices) connect internal

devices and therefore are named Maintenance Domain Intermediate Point (MIP).

The management function is implemented through the defined MEP and MIP.

A network is divided into a customer domain, provider domain, and operator domain.A level between 0-7 is designated for each domain. The domain level determines theinclusion relation between domains. A domain with a higher level can include domainswith lower levels but not vice versa. The domains with the same level cannot include eachother. This means that all domains can be tangential (internally or externally) and inclusivebut cannot be intersecting.

The message types defined in the CFM protocol include:

l Continuity Check Message (CCM): A multicast CFM protocol data unit. It isperiodically sent by an MEP to confirm the connectivity of MEP in the same MA. AnMEP receiving a CCM message does not reply to this message.

l Link Trace Message (LTM): A multicast CFM protocol data unit. It is sent by an MEPto trace the path from the MEP to the MP. Each MP along the path generates an LRTas a response. This ends until the message reaches the destination or cannot befurther forwarded.

l Link TraceReply (LTR): A unicast CFMprotocol data unit. It is sent by theMP receivingan LTM to reply to the LTM.

5-149



l Loopback Message (LBM): A unicast CFM protocol data unit. It is sent to a specifiedMP from an MEP, expected to receive an LBR message.

l Loopback Reply (LBR): A unicast CFM protocol data unit. It is sent by theMP receivingan LBM as the reply to the LBM.

With the five protocol messages listed above, CFM implements the following functions:

l Detecting faults: MEP detects network connectivity faults by periodically sendingand receiving CCM messages. The faults include connection failure and unwelcomeconnection (error connection).

l Notifying faults: After MEP detects a connectivity fault, it sends a proper alarm to thespecified management system, for example, trap messages of SNMP.

l Locating a path: MEP locates and traces a path from anMEP to another MP (includingMEP and MIP) by using LTM/LTR messages.

l Confirming and separating a fault: This is an administrative function. The networkmanager confirms the fault through LBM/LBR messages and separates the fault.

Configuring a 802.1AG Command802.1AG configuration includes the following commands:

Command Function

zte(cfg)#cfm {disable|enable}Enables/disables the CFM

function.

zte(cfg)#create cfm md-session <1-16> name <string> level<0-7>

Creates a CFM md.

zte(cfg)#create cfm md-session <1-16> ma-session <1-32>

name <string>

Creates a CFM ma.


mep-session <1-64> mep-id <1-8191> direction {down|up}

Creates a CFM local mep.


mip-session <1-64> name <string>Creates a CFM mip.


rmep-session <1-64> rmep-id <1-8191> remote-mac<hh.hh.hh.hh.hh.hh>

Creates a CFM remote mep.

zte(cfg)#cfm md-session <1-16> ma-session <1-32>

primary-vlan {<1-4094>| delete}

Sets or delete the primary VLAN

within cfm ma.

zte(cfg)#cfm md-session <1-16> ma-session <1-32> ccmtime-interval <4-7>

Sets the interval that ccm packets

of mep within cfm ma are sent.

zte(cfg)#cfm md-session <1-16> ma-session <1-32> ccm

md-name {absent | disable | present}

Sets the way to fill in the MEG ID

field in a cfm ccm messages.

zte(cfg)#cfm md-session <1-16> ma-session <1-32> mep-id<1-8191> state {disable|enable}

Sets the status of the cfm mep

protocol.

5-150



Command Function

zte(cfg)#cfm md-session <1-16> ma-session <1-32> mep-id<1-8191> ccm-send {disable|enable}

Sets the status of cfm mep ccm

sending packets.

zte(cfg)#cfm md-session <1-16> ma-session <1-32> mep-id<1-8191> ccm-receive {disable|enable}

Sets the status of cfm mep ccm

receiving packets.

zte(cfg)#cfm md-session <1-16> ma-session <1-32> mep-id<1-8191> priority <0-7>

Sets the priority of packets sent by

cfm mep ccm.

zte(cfg)#cfm md-session <1-16> ma-session <1-32> mep-id<1-8191> alarm-lowest-pri <1-5>

Sets the lowest alarm priority of

cfm mep.

zte(cfg)#cfm md-session <1-16> ma-session <1-32> mep-id<1-8191> assign {delete | port <portid>| trunk <trunkid>}

Allocates a port or aggregation

port for mep.

zte(cfg)#cfm md-session <1-16> ma-session <1-32>

mip-session <1-64> assign {delete | port <portid>| trunk<trunkid>}

Allocates port or aggregation port

for mip.

zte(cfg)#clear cfm md-session [<1-16>] Clears all configuration of cfm md.

zte(cfg)#clear cfm md-session <1-16> ma-session [<1-32>] Clears all configuration of cfm ma.

zte(cfg)#clear cfm md-session <1-16> ma-session<1-32>{mep-id [<1-8191>]| mep-session [<1-64>]}

Clears all configuration of cfm

mep.

zte(cfg)#clear cfm md-session <1-16> ma-session <1-32>

mip-session [<1-64>]

Clears all configuration of cfm mip.

show cfm md-session [<1-16>] (all confiuration modes)Displays all configuration of cfm

md.

show cfm md-session <1-16> ma-session [<1-32>] (all confiuration

modes)

Displays all configuration of cfm

ma.

show cfm md-session <1-16> ma-session <1-32> mp-session

[<1-64>] (all confiuration modes)

Displays all configuration of cfm

mp.

show cfm (all confiuration modes)Displays global protocol status of

cfm.

zte(cfg)#cfm lbm md-session <1-16> ma-session<1-32> smep-id <1-8191>{dmep-id <1-8191>| dmep-mac<hh.hh.hh.hh.hh.hh>| dmip-mac <hh.hh.hh.hh.hh.hh>}[repeat<1-200>[size <0-400>[timeout <1-10>]]]

Detects lbm.

zte(cfg)#cfm ltm md-session <1-16> ma-session <1-32>

smep-id <1-8191>{dmep-id <1-8191>| dmep-mac<hh.hh.hh.hh.hh.hh>| dmip-mac <hh.hh.hh.hh.hh.hh>}[ttl<1-64>[timeout <5-10>]]

Detects ltm.

zte(cfg)#cfm read trans-id <1-4294967295> Reads the ltm path tree.

5-151



Network Configuration Without MIPl Configuration Description

For device connection, see Figure 5-55.

Figure 5-55 Single-Domain CFM Network Without MIP


Configuration on S1:

zte(cfg)#cfm enable

zte(cfg)#create cfm md-session 1 name zte_1 level 5

zte(cfg)#create cfm md-session 1 ma-session 1 name zte_zte_1

zte(cfg)#cfm md-session 1 ma-session 1 primary-vlan 100

zte(cfg)#create cfm md-session 1 ma-session 1 mep-session 1 mep-id 1

direction down

zte(cfg)#cfm md-session 1 ma-session 1 mep-id 1 state enable

zte(cfg)#cfm md-session 1 ma-session 1 mep-id 1 ccm-send enable

zte(cfg)#cfm md-session 1 ma-session 1 mep-id 1 ccm-receive enable

zte(cfg)#cfm md-session 1 ma-session 1 mep-id 1 assign port 1

zte(cfg)#create cfm md-session 1 ma-session 1 rmep-session 2 rmep-id 2

remote-mac 00.d0.d0.c0.00.02



zte(cfg)# cfm enable





direction down








Network Configuration With MIPl Configuration Description

5-152



For device connection, see Figure 5-56.

Figure 5-56 Single-Domain CFM Network With MIP



zte(cfg)#cfm enable





direction down









zte(cfg)#cfm enable




zte(cfg)#create cfm md-session 1 ma-session 1 mip-session 1 name zte_mip_1

zte(cfg)#cfm md-session 1 ma-session 2 mip-session 1 assign port 2

zte(cfg)#create cfm md-session 1 ma-session 1 mip-session 2 name zte_mip_1

zte(cfg)#cfm md-session 1 ma-session 2 mip-session 2 assign port 3


zte(cfg)#cfm enable





direction down





5-153






5.43 Y.1731 ConfigurationY.1731 OverviewThe Y.1731 protocol complements the 802.1ag protocol. It defines a series of extensionsin which CFM is used to measure the network link status and performance.

The Y.1731 protocol is used in:

l The error management OAM: Alarm Indication Signal (AIS), Locked (LCK), RemoteDefect Indication (RDI) and functions mentioned in 802.1ag (CCM, LB, LT).

l The performance management OAM: Loss Measurement (LM), and DelayMeasurement (DM).

Y.1731 ConfigurationY.1731 configuration includes the following commands:

Command Function

zte(cfg)#cfm md-session <1-16> ma-session <1-32> mep-id<1-8191> one-lm {enable | disable}

Enables the LM function at one

end.

zte(cfg)#cfm md-session <1-16> ma-session <1-32> mep-id<1-8191> two-lm {enable | disable}

Enables the LM function at both

ends.

zte(cfg)#cfm md-session <1-16> ma-session <1-32> mep-id<1-8191> two-dm {enable | disable}

Enables the DM function in both

directions.

zte(cfg)#cfm md-session <1-16> ma-session <1-32> mep-id<1-8191> ais {enable | disable}

Enables the AIS function.

zte(cfg)#cfm md-session <1-16> ma-session <1-32> mep-id<1-8191> lck {enable | disable}

Enables the LCK function.

zte(cfg)#cfm md-session <1-16> ma-session <1-32> mep-id<1-8191> client-level <0-7>

Sets the level that sending the

AIS/LCK function to outer layers.

zte(cfg)#cfm md-session <1-16> ma-session <1-32> mep-id<1-8191> relate-to rmep-id <1-8191>

Sets the remote MEP related to

local MEP.

zte(cfg)#cfm md-session <1-16> ma-session <1-32> mep-id<1-8191> one-lm send-packet [continue-time <60-600> interval<1-60>]

Starts LM detection at one end.

zte(cfg)#cfm md-session <1-16> ma-session <1-32> mep-id<1-8191> one-lm send-packet stop

Stops LM detection at one end.

5-154



Command Function

zte(cfg)#cfm md-session <1-16> ma-session <1-32> mep-id<1-8191> two-dm send-packet [continue-time <60-600> interval<1-60>]

Starts DM detection at both ends.

zte(cfg)#cfm md-session <1-16> ma-session <1-32> mep-id<1-8191> two-dm send-packet stop

Stops DM detection at both ends.


mep-id <1-8191>{ one-lm | two-lm | two-dm }

Clears the results of LM detection

at one end and at both ends, as

well as the result of DM detection

in both directions.


mep-id <1-8191> relate-rmep

Clears the related remote MEP.

LM Network Configurationl Configuration Description

The network configuration is illustrated by using the network instance in Figure 5-57.

Figure 5-57 LM Network Configuration Instance



zte(cfg)#cfm enable





direction down








zte(cfg)#cfm md-session 1 ma-session 1 mep-id 1 relate-to rmep-id 2

zte(cfg)#cfm md-session 1 ma-session 1 mep-id 1 one-lm (two-lm) enable


5-155



zte(cfg)#cfm enable





direction down









zte(cfg)#cfm md-session 1 ma-session 1 mep-id 2 one-lm (two-lm) enable


LM on both ends is automatically performed based on the CCM configuration. WhileLM on one end is performed after manually triggering on S1 or S2:

zte(cfg)#cfm md-session 1 ma-session 1 mep-id 1 (2) one-lm send-packet

View the measurement result by using the command for displaying MEP informationthat is provided by 802.1ag.

DM Network Configurationl Configuration Description


Figure 5-58 DM Network Configuration Instance



zte(cfg)#cfm enable





direction down



5-156









zte(cfg)#cfm md-session 1 ma-session 1 mep-id 1 two-dm enable


zte(cfg)#cfm enable





direction down









zte(cfg)#cfm md-session 1 ma-session 1 mep-id 2 two-dm enable


Manually trigger the test on S1 or S2:



AIS/LCK Network Configurationl Configuration Description


Figure 5-59 AIS/LCK Network Configuration Instance



zte(cfg)#cfm enable

5-157







direction down








zte(cfg)#cfm md-session 1 ma-session 1 mep-id 2 ais (lck) enable


zte(cfg)#cfm enable

zte(cfg)#create cfm md-session 10 name zte level 4

zte(cfg)#create cfm md-session 10 ma-session 10 name zte_zte



direction down









zte(cfg)#cfm md-session 10 ma-session 10 mep-id 10 client-level 5


zte(cfg)#cfm enable

zte(cfg)#create cfm md-session 10 name zte4 level 4

zte(cfg)#create cfm md-session 10 ma-session 10 name zte_zte



direction down








5-158




zte(cfg)#cfm md-session 10 ma-session 10 mep-id 20 client-level 5


zte(cfg)#cfm enable





direction down










Disconnect the link between S2 and S3. After that, alarms occur on only S2 and S3,and unrelated alarms on S1 and S4 are restricted due to the AIS function.



5.44 MAC-based VLAN Command ConfigurationMAC-based VLAN OverviewThe MAC-based VLAN decides the VLAN for forwarding an untagged frame based on thesource MAC address of the frame. This technology allows packets to be transmitted indifferent VLANs and provides different services to different users.

Configuring MAC-based VLANThe MAC-based VLAN configuration includes the following commands:

Command Function

zte(mac-based-vlan)#rule <1-1024> mac-address<HH.HH.HH.HH.HH.HH>mac-mask <HH.HH.HH.HH.HH.HH>vlan <1-4094>

Sets a rule for MAC-based VLAN.

zte(mac-based-vlan)#clear rule <1-1024>Clears a rule for MAC-based

VLAN.

5-159



Command Function

zte(cfg)#set vlan mac-based {global |port <portlist>} session<1-64>{bind|unbind}

Sets the binding relation between

global/port and sessions of

MAC-based VLAN.

show vlan mac-based session [<1-64>]

Displays all rules of all or

one session configured for a

MAC-based VLAN.

show vlan mac-based session [<1-64>] bind

Displays the binding relations

between a port and all or

one session configured for a

MAC-based VLAN.

MAC-Based VLAN Configuration Instancel Configuration Description

Set the following MAC-based VLAN rule for port 1: Assign the VLAN "vlan100"to all untagged frames whose source MAC address is 00.00.00.00.00.01 andassign the VLAN "vlan200" to all untagged frames whose source MAC address is00.d0.d0.00.00.00.


Configure a MAC-based VLAN instance:

zte(cfg)#set vlan 100,200 enable

zte(cfg)#set vlan 100,200 add port 1 untag


zte(cfg)#config mac-based-vlan session 1

zte(mac-based-vlan)#rule 1 mac-address 00.00.00.00.00.01 mac-mask

ff.ff.ff.ff.ff.ff vlan 100

zte(mac-based-vlan)#rule 2 mac-address 00.d0.d0.00.00.00 mac-mask

ff.ff.ff.00.00.00 vlan 200

zte(cfg)#set vlan mac-based port 1 session 1 bind

5.45 DHCP Relay ConfigurationDHCP Relay OverviewDHCP Relay interacts with both the Client and the Server, acting different roles. From theview of the DHCP Client, the DHCP Relay Agent can be considered as its DHCP Serverand the DHCP Relay implements the response to the IP address requests from the Client.For this, the DHCP Relay Agent needs to intercept on the interception port of the DHCPServer. From the view of the DHCP Server, the DHCP Relay Agent can be consideredas its DHCP Client and the DHCP Relay initiates IP address requests. For this, the IPaddress of the interface through which messages are received must be filled in the RelayAgent field of the DHCP request messages forwarded by the DHCP Relay.

5-160



The DHCP Server checks the validity of the Relay Agent domain and allocates an IPaddress to the DHCP Client that is in the same subnet as the IP address in accordancewith the domain value. This means that the allocated IP address and the IP address ofthe interface through which the Relay receives request messages are in the same networksegment. At the same time, the DHCP Relay implements the forwarding of the responsesfrom the DHCP Server to the Client.

Configuring the DHCP RelayDHCP relay configuration includes the following commands:

Command Function

zte(cfg)#set dhcp relay{enable | disable}Globally enables/disables the

DHCP relay function.

zte(cfg)#set dhcp relay option82{enable | disable}Globally enables/disables the

DHCP relay option82 function.

zte(cfg)#set dhcp relay option82 sub-option device { ani< string>| remote-ID {cisco | manual < string >| key < string >}}

Sets the switch node device ID.

zte(cfg)#set dhcp relay option82 sub-option port <portlist>

circuit-ID {on {cisco | china-tel | dsl-forum| henan-rft| key < string>| manual < string >}| off}

Sets the relay option82 suboption.

zte(cfg)#set dhcp relay option82 mode port <portlist>{default |

drop | modify | append}

Sets the mode in binding the

dynamic user information binding

table options for the port.

zte(cfg)#set dhcp relay server mode {ipport | vclass-id}

Sets the DHCP Relay mode, sets

the DHCP server depending on

ipport or vclass-id.

zte(cfg)#set dhcp relay server retry <5-1000>

Sets the DHCP Relay retry, that is,

the number of times that message

resending to the server is tried.

zte(cfg)#set dhcp relay vclass-id {characters <string>|

hex-numbers < hex-string>} server <A.B.C.D>

Sets the server IP address

corresponding to the class-id

domain of the server.

zte(cfg)#clear dhcp relay vclass-id {characters <string>{ serverA.B.C.D}| hex-numbers <hex-string>{ server A.B.C.D}}

Clears the configured dhcp relay

vclass-id.

zte(cfg)#clear dhcp relay option82 device ani Clears the device ID information.

show dhcp relayDisplays the DHCP relay

configuration.

show dhcp vclass-idDisplays the DHCP Relay option60

configuration.

zte(cfg)#clear dhcp option82 sub-option device ani Clears the device ID information.

5-161



Command Function

show dhcp relay binding [port <1-28>| trunk <1-15>] (all


Displays the DHCP relay binding

information.

show dhcp relay option82 port<1-28> (all configuration modes)Displays the DHCP relay option82

configuration of the port.

show dhcp relay option82 device (all configuration modes)

Displays device-related

information, including ANI

and remote-ID.

zte(cfg-router)#set ipport <0-63> dhcp relay {agent | server<A.B.C.D>}

Sets the DHCP relay information

of ipport.

zte(cfg-router)#clear ipport <0-63> dhcp relay {agent | server<A.B.C.D>}

Clears the DHCP relay information

of ipport.

zte(cfg-router)#set dhcp relay server <A.B.C.D> Sets a global DHCP server.

zte(cfg-router)#set dhcp relay global-ipport <0-63>Sets a global ipport for a DHCP

relay.

zte(cfg)#set dhcp relay vlan{enable | disable}

Enables or disables the DHCP

relay function based on VLANs.

If the DHCP function is enabled

globally, the device provides

the relay function when either

this command or the relay agent

command is used.

show dhcp relay vlan (all configuration modes) Displays VLANs for which the

DHCP relay function is enabled.

DHCP Configuration Instancel Configuration Description

See Figure 5-60, switch port 1 is connected to the DHCP client, and switch port 2 isconnected to the DHCP server of the IP network.

Figure 5-60 DHCP Relay Configuration Instance

5-162



Note:

The DHCP client and the DHCP server are in different network segments.

l Configuration Procedure1. Assign a specified VLAN to the port:

set vlan 1000 add port 2 tag

set vlan 1000 enable

2. Configure the DHCP relay by using the following commands:zte(cfg)#set dhcp relay enable




zte(cfg-router)#set ipport 0 dhcp relay agent

zte(cfg-router)#set ipport 0 dhcp relay server 10.230.72.2




l Configuration Verificationzte(cfg)#show dhcp relay

DHCP relay status : enable

DHCP server mode : ipport

DHCP server retry : 10

DHCP relay option82: disable

zte(cfg)#show dhcp relay option82 port 1

DHCP option82 sub-option information on port 1:

Circuit-ID: Disabled

Remote-ID: Enabled

Format: Cisco

DHCP option82 mode information on port 1: Default

zte(cfg)#show ipport 0

Status : up IpAddress : 169.1.15.1

VlanId : 1 Mask : 255.255.0.0

ArpProxy : disabled MacAddress: 00.00.00.11.22.33

Timeout : 600(s) IpMode : static

En/Disable: enabled

Dhcp client configuration as follows:

Class-id : -

Client-id : -

Hostname : -

5-163



Lease : -

Clear request: -

Dhcp relay configuration as follows:

Relay agent : enable

Server IP : 10.230.72.2

5.46 MFF ConfigurationMFF OverviewThe MFF function is used on a user access device to isolate users at the access side. Itimplements layer-2 isolation and layer-3 interworking between users in a broadcast domainwithout any extra VLAN being created. When an access switch configured with the MFFfunction receives an ARP request from a user, the switch replies with an ARP responsecontaining the gateway MAC address through the ARP proxy mechanism. In this way, allusers' traffic (including the traffic between users in the same subnet) is sent to the gatewayaccess router compulsively. The gateway can monitor traffic and prevent attacks amongusers, which improves network security.

There are two types of MFF ports: user ports and network ports. MFF user ports areconnected to terminal users. When receiving an ARP packet from a user port, the switchmaintains an MFF user table, and replies with a response. MFF network ports areconnected to uplink devices or gateways.

There are two MFF operation modes: static mode and dynamic mode.l Static mode: The IP address of a user is configured manually. The switch generates

the MFF user table by listening to ARP packets on MFF user ports.l Dynamic mode: The IP address and gateway address of a user are allocated through

DHCP. The switch generates the MFF user table by capturing ACK packets returnedby the DHCP server and parsing the option3 field.

An MFF user table can be added manually.

A gateway can be configured in a VLAN for ARP proxy, or a global gateway can beconfigured. When performing ARP proxy, the gateway in an MFF entry is preferredthan the intra-VLAN gateway, and the intra-VLAN gateway is preferred than the globalgateway. The gateway address can be an IP address or a MAC address. If the gatewayaddress is an IP address, the switch sends an ARP request to the gateway to obtain theMAC address. If the gateway address is a MAC address, the switch directly uses theMAC address in ARP responses. Therefore, it is necessary to manually configure a staticMAC entry directing to the gateway for the switch.

Configuring MFFThe MFF configuration includes the following commands:

5-164



Command Function

zte(cfg)#set mff vlan <vlanlist> add port<portlist>{userport | network}

Sets the MFF attributes for ports and VLANs.

zte(cfg)#set mff vlan <vlanlist> delete port<portlist>

Deletes the MFF attributes for ports and VLANs.

zte(cfg)#set mff vlan <vlanlist> gateway {ip |

mac}<address>

Sets an intra-VLAN MFF gateway.

zte(cfg)#set mff user ip <ip-addr> mac<mac-addr> vlan <vlan-id> gateway {ip |

mac}<address>

Adds an MFF user entry manually.

zte(cfg)#set mff gateway {ip | mac}<address> Sets a global MFF gateway.

zte(cfg)#set mff gateway-arp-keepalive add-port

{<portlist>| all}{timeout <value>}{enable | disable}Sets the ARP keep-alive parameter for the MFF

gateway, and enables or disables the keep-alive

function.

zte(cfg)#set mff gateway-user-keepalive add-port

{<portlist>| all}{timeout <value>}{enable | disable}Sets the ARP keep-alive parameter for users

connected to the gateway device that sends

gratuitous ARP keep-alive packets, and enables

or disables the keep-alive function.

zte(cfg)#clear mff gateway Deletes the global MFF gateway.

zte(cfg)#clear mff gateway arp-keepalive-port Clears the ports that send gateway ARP

keep-alive packets.

zte(cfg)#clear mff gateway user-keepalive-port Clears the ports that send user ARP keep-alive

packets.

zte(cfg)#clear mff vlan <vlanlist> gateway Deletes the intra-VLAN MFF gateway.

zte(cfg)#clear mff user ip <ip-addr> vlan<vlan-id>

Deletes the specified MFF user entry.

zte(cfg)#show mff user-table Displays information about the MFF user table.

zte(cfg)#show mff interface Displays information about MFF port

configuration.

zte(cfg)#show mff gateway Displays information about MFF gateway

configuration.

zte(cfg)#show mff gateway -keepalive-info {port} Displays information about ARP keep-alive

configuration, including gateway ARP keep-alive

configuration and user ARP keep-alive

configuration.

MFF Configuration Instancel Configuration Description

5-165



See Figure 5-61, ports 1 and 2 of the switch are connected to PCs, port 4 is connectedto the gateway, and port 6 is connected to the DHCP server. The following proceduredescribes how to configure static MFF. The configuration for dynamic MFF is similar,but it is necessary to configure the DHCP snooping function. For details, refer to 5.27DHCP Configuration.

Figure 5-61 MFF Configuration Instance


à Configure a VLAN for the ports:zte(cfg)#set vlan 400 add port 1/1,1/2,1/4 untag

zte(cfg)#set port 1/1,1/2,1/4 pvid 400

à Configure the MFF attributes for the ports and VLAN:zte(cfg)#set mff vlan 400 add port 1/1 userport

zte(cfg)#set mff vlan 400 add port 1/2 userport

zte(cfg)#set mff vlan 400 add port 1/4 network

à Configure an intra-VLAN gateway:zte(cfg)#set mff vlan 400 gateway ip 197.1.23.15


When an ARP request is received on a user port, the switch searches the ARP tablefirst. If the gateway ARP entry is not contained in the ARP table, the switch replacesthe user to send an ARP request to the gateway, and then adds an MFF user entry.The MFF user entry is as follows:

zte(cfg)#show mff user-table

MFF user entry total count: 1

Type: born way of MFF user entry.

'M',manual configure; 'A',ARP packet; 'D',DHCP snooping packet.

VlanId IpAddress Type MacAddress Gateway(IpOrMac)

------ --------------- ---- ----------------- ----------

400 197.1.23.3 A 00.10.94.00.00.03 197.1.23.15

5-166



5.47 SSL ConfigurationSSL OverviewThe SSL protocol is an intermediate protocol. It is located between the application layerand transport layer in the network model. Through the data encryption, identificationauthentication, and message integrity validation mechanisms, SSL ensures security forconnections established based on reliable application layer protocols (for example, TCP).

The SSL functional module enables the ZXR10 2900E to operate as an SSL server andcomplete interaction with a client. The interaction procedure includes SSL handshaking,and packet monitoring, receiving, parsing and sending. The SSL handshaking procedureincludes negotiating an encryption algorithm, verifying the local certificate on the server,exchanging keys, and verifying a MAC address. The encryption algorithm, local certificateon the server, keys, and MAC address are used for data encryption and decryption,identification authentication, and message integrity validation in a subsequent session.

Encryption certificate management is the prerequisite for SSL handshaking. Certificatemanagement includes key generation management, local certificate generation on theserver, and root certificate generation on the client.

Users can access the ZXR10 2900E by using browsers and HTTPS to performWeb-basedconfiguration and management.

Configuring SSLThe SSL configuration includes the following commands:

Command Function

zte(cfg)#set ssl {enable | disable} Enables or disables the SSL function.

zte(cfg)#create ca {<A.B.C.D/M>|<A.B.C.D><n

etwork mask>}

Manages the encryption certificate, and creates

an RSA key, a local certificate on the server and

a root certificate on the client.

show ssl (all configuration modes) Displays the SSL configuration and state.

SSL Configuration Instancel Configuration Description

See Figure 5-62, a layer-3 port is configured on the switch, and the IP address is setto 192.168.100.110/24. The IP address of the PC is set to 192.168.100.109/24. Theswitch operates as the SSL server, and the browser on the PC operates as the SSLclient.

5-167



Figure 5-62 SSL Configuration Instance


Configure the switch:

zte(cfg)#create ca 192.168.100.110/24

ca is creating ,please wait......

Rootcafile /flash/data/root.cer, has created!

Servercafile /flash/data/server.pem, has created!

Serverkeyfile /flash/data/server.key, has created!

FS is releasing ,please wait......

Done!

zte(cfg)#set ssl en

The current ca is for ipaddress 192.168.100.110,

Please make sure ip of the switch matches.

Then upload /flash/data/root.cer, and import to explore,the ssl is availible.

zte(cfg)#config tffs

zte(cfg-tffs)#cd data

zte(cfg-tffs)#tftp 192.168.100.109 upload root.cer

Set the browser:

Set the browser as the SSL client on the PC, so that you can access the switch throughHTTPS to perform Web-based management.

1. Import the root.cer file in the browser.

a. Open the browser, and select Tools > Internet Options from the menu bar.The Internet Options dialog box is displayed, see Figure 5-63.

5-168



Figure 5-63 Internet Options Dialog Box

b. Click the Content tab, and then click Certificates. The Certificates dialogbox is displayed, see Figure 5-64.

Figure 5-64 Certificates Dialog Box

5-169



c. Click the Trusted Root Certification Authorities tab, and then clickImport…, see Figure 5-65. The dialog box for certificate import wizard isdisplayed.

Figure 5-65 Certificates Dialog Box—Importing a Certificate

d. Based on the wizard, clickNext, a dialog box is displayed. Select the root.cerfile. Complete the certificate import procedure. Close the dialog boxes, andrestart the browser.

2. Open the SSL login page.

After the SSL function is enabled for the switch, enter https://<ip address

of the switch> in the address bar of the browser. The SSL login page isdisplayed, see Figure 5-66.

Figure 5-66 SSL Login Page

3. Open the main page for Web-based management.

Enter your username, login password and administration password in the textboxes. Themain page for Web-basedmanagement is displayed, see Figure 5-67.

5-170



Figure 5-67 Main Page for Web-Based Management

5.48 ERPS ConfigurationERPS OverviewThe ERPS mechanism is as follows:

l When the network is a ring network that is operating properly, some links in the networkare blocked to prevent loops between switches.

l If the network becomes faulty, the backup links are unblocked to protect the inter-nodecommunication.

The basic concepts in ERPS are as follows:

l RPL

An RPL is a link blocked to prevent a loop in the case of no fault or request.

l RPL owner node (RPL primary node)

An RPL owner node is a node on an RPL. It is used to block the port that has RPLenabled.

l RPL neighbor node (RPL neighbor node)

An RPL neighbor node is used to block one end of an RPL. The other end of the RPLis blocked by the RPL owner node.

l Manual switching commands

The ERPS protocol supports triggering the protocol calculation by using manualswitching commands: Forced Switch (FS) and Manual Switch (MS).

l WTR timer

In revertive mode, the WTR timer is used to prevent the frequent operation of theprotection switch due to an intermittent defect.

l WTB timer

When the corresponding function of the device is restored after an operation command(such as the FS or MS command) is executed, the delay time (called WTB time, guardtimer time plus five seconds) must be set long enough to receive potential FS, SF, orMS requests from the remote end. This time is long enough for an Ethernet ring

5-171



node to consecutively send two R-APS messages, and it is also the condition fordetermining that the Ethernet ring node exists.

Note:

The WTB timer is valid for the RPL owner node only, and the value range depends onthe guard timer.

l Guard timer

The guard timer is used to prevent expired R-APS packets.

An Ethernet ring node can send multiple R-APS packets simultaneously. In this case,the node can still send expired R-APS packets until it receives a new R-APS packet.If the ring node receives an R-APS (SF) packet that is the same as the messagepreviously sent by the node, the node determines that an SF occurs. Due to theabove reason, the guard timer is used to forcedly prevent loops.

l Ring statuses

A ring may be in idle, pending, protection, FS, or MS status.

Link Switching Procedure in ERPSERPS eliminates logical loops by blocking some ports on the ring. When some links in thering have their status changed (from up to down or from down to up), ERPS can switch alogical path immediately.

As shown in Figure 5-68 and Figure 5-69, an ERPS domain is configured on switches A,B, C, and D. Switch A is the owner node, and its port 1/2 is an RPL port. Switch B is theneighbor node. The port that switch B uses to connect to switch A is also an RPL port.Both switch C and switch D are none nodes.

Service traffic arises between PC1 and PC2, and the arrows in Figure 5-68 indicate thedirection in which service data flows.

5-172



Figure 5-68 Example of the Primary Node Blocking the Secondary Port (Ring Status:UP)

Figure 5-69 Example of the Primary Node Enabling the Secondary Port (Ring status:DOWN)

Figure 5-68 shows that each link is operating properly, the ring is in idle status, and thesecondary port of the primary node is blocked. Traffic passes through switches C and D.

Figure 5-69 shows that the link between switches B and C is disconnected. The link statuschanges to Protection, and ERPS immediately switches the RPL port of the owner nodeto forwarding status. After the switching, traffic does not pass through switches C and D.

After the link between switches C and D is restored, the RPL port of the owner node isblocked again, and the ring status changes to pending as shown in Figure 5-68.

Configuring ERPSTo configure ERPS, perform the following steps.

5-173




1 ZXR10(config)#set ERPS domain <1-4>

protect-instance <1-16>Creates an ERPS domain.

2 ZXR10(config)#set erps domain

<1-4> ring-id <1-239> raps-vlan<1-4094>{ring-east {port <portid>| trunk<portid>} ring-west {port <portid>| trunk<portid>}}[ rpl-role {owner | neighbour}

rpl-port {east | west}]

Configures an ERPS ring node.

The raps-vlan parameter should specify a

service-unrelated VLAN (not conflicted with

any of the VLANs for services and network

management). The port PVID must not be

the same as the setting of the raps-vlanparameter.

The setting of the ring-id parameter is

carried in the protocol message, varying

with the ERPS instance.

3 ZXR10(config)#set erps domain <1-4>

ring-mel <1-7>Configures the mel for the ring node.


behaviour {revertive | non-revertive}

Specifies the reverive or non-revertive

mode for the ring.


timer wtr-time <1-12>Configures the WTR time (in minutes) of

the ERPS ring.

The WTR timer (in minutes) is valid for the

RPL owner node only, range: 1–12, default:

5.


timer guard-time <1-200>Configures the guard timer time (in units of

10 ms) for the ERPS ring,

Range: 1–200, default: 50.


switch {{fs | ms east | west}|clear}

Configures the manual switching command

for the ERPS ring.

After the FS/MS command is executed, the

corresponding port is set to block status.

8 show ERPS brief Displays the primary configuration of each

ERPS domain.

9 show ERPS domain <1-4> Displays detailed information about the

ERPS domain.

Configuration Example of a Single ERPS DomainFigure 5-70 shows that an ERPS domain is configured on switches A to D. This type ofconfiguration is called single-domain, single-ring. The configuration is as follows:l Protection instance 1 is configured for the ERPS domain. In this instance, the

dedicated VLAN (VLAN 4000) is used to protect VLANs 100 to 110.l Switch A is the owner node, and its port 1/2 is an RPL port.l Switch B is the neighbor node, and its port 1/2 is an RPL port.

5-174



l Switches C and D are none nodes.

Figure 5-70 Configuration Example of a Single ERPS Domain with Multiple Loops

The configuration on switch A is as follows:

/*The following commands configure a spanning tree instance:*/



/*The following command configures protection instance 1 for the ERPS domain*/

Switch_A(config)#set ERPS domain 1 protect-instance 1

/*The following command configures the owner node. The RPL port is port 1/2. */

Switch_A(config)#set ERPS domain 1 ring-id 1 raps-vlan 4000 ring-east trunk 1

ring-west port 1/2 rpl-role owner rpl-port west

The configuration on switch B is as follows:




/*The following command configures protection instance 1 for the ERPS domain:*/

Switch_B(config)#set ERPS domain 1 protect-instance 1

/*The following command configures switch B to be a neighbor node*/

/*and its port1/2 to be an RPL port:*/

Switch_B(config)#set ERPS domain 1 ring-id 1 raps-vlan 4000 ring-east port 1/1

ring-west port 1/2 rpl-role neighbour rpl-port west

The configuration on switch C is as follows:




5-175




Switch_C(config)#set ERPS domain 1 protect-instance 1

/*The following command configures switch C to be a none node: */

Switch_C(config)#set ERPS domain 1 ring-id 1 raps-vlan 4000 ring-east port 1/1

ring-west port 1/2

The configuration on switch D is as follows:


Switch_D(config)#set stp enable

Switch_D(config)#set stp instance 1 add vlan 100-110


Switch_D(config)#set ERPS domain 1 protect-instance 1

/*The following command configures switch D to be a none node: */

Switch_D(config)#set ERPS domain 1 ring-id 1 raps-vlan 4000 ring-east trunk

1 ring-west port 1/2

Configuration Example of Multiple ERPS DomainsFigure 5-71 shows that two ERPS domains are configured on switches A to D, calledsingle-ring, multiple-domain. The configuration is as follows:

l Protection instance 1 is configured for ERPS domain 1. In this instance, the dedicatedVLAN (VLAN 4000) protects VLANs 100 to 110. Protection instance 2 is configured forERPS domain 2. In this instance, the dedicated VLAN (VLAN 4001) protects VLANs200 to 210.

l Switch A is an owner node in domain 1 (the related ports are ports 1/1 and 1/2, whereport 1/2 is an RPL port), and it is a neighbor node in domain 2 (the related ports areports 1/1 and 1/2, where port 1/2 is also an RPL port).

l Switch B is a neighbor node in domain 1 (the related ports are port 1/1 and port 1/2,where port 1/2 is an RPL port), and it is an owner node in domain 2 (the related portsare ports 1/1 and 1/2, where port 1/2 is also an RPL port).

l Both switches C and D are none nodes in domains 1 and 2.

Note:

If a physical ring has multiple ERPS domains, you can plan different paths for the servicetraffic related to different ERPS domains through the proper configuration, so that loadbalancing can be implemented.

5-176



Figure 5-71 Configuration Example of Multiple ERPS Domains

The configuration on switch A is as follows:





/*The following commands configure protection instance 1 for*/

/*ERPS domain 1 and protection instance 2 for ERPS domain 2:*/



/*The following command configures switch A to be the owner node*/

/*in domain 1 and its port 1/2 to be an RPL port:*/

Switch_A(config)#set ERPS domain 1 ring-id 1 raps-vlan 4000 ring-east port 1/1


/*The following command configures switch A to be a neighbor node in domain 2 and*/

/*its port 1/2 to be an RPL port:*/

Switch_A(config)#set ERPS domain 2 ring-id 2 raps-vlan 4001 ring-east port 1/1


The configuration on switch B is as follows:





/*The following commands configure protection instance 1 for ERPS domain 1*/

/*and protection instance 2 for ERPS domain 2:*/



5-177



/*The following command configures switch B to be a neighbor node in domain 1*/

/*and its port 1/2 to be an RPL port:*/



/*The following command configures switch B to be the owner node in domain 2*/

/*and its port 1/2 to be an RPL port:*/



The configuration on switch C is as follows:





/*The following commands configure protection instance 1 for ERPS domain 1*/

/*and protection instance 2 for ERPS domain 2:*/



/*The following command configures switch C to be a none node in domain 1: */


ring-west port 1/2

/*The following command configures switch C to be a none node in domain 2:*/


ring-west port 1/2

The configuration on switch D is the same as that on switch C.

5.49 Debug Module ConfigurationIntroduction to the Debug ModuleThe Debug module is added for debugging the DHCP, dot1x, IP, ARP, and SNMPprotocols. This module configures the commands for locating faults in message sendingand receiving, message statistics, and procedure printing.

By using these commands, a user can easily trace the process of sending and receivingmessages, display statistical data of messages, and observe common printing errors.Thus, the user can preliminarily position the faults, including protocol abnormality andfunction failures.

5-178



Debug Module ConfigurationThe following commands need to be configured for the Debug module.

Command Function

zte(cfg)#debug protocol dhcp client disable Disables the debug function of the DHCP client.

zte(cfg)#debug protocol dhcp client enable Enables the debug function of the DHCP client.

zte(cfg)#debug protocol dhcp client state ipport

<0-63>

Shows statistical data of an ip port on the DHCP

client.

zte(cfg)#debug protocol dhcp download Shows the downloaded information of the DHCP.

zte(cfg)#debug protocol dhcp relay disable Disables the debug function of the DHCP Relay

module.

zte(cfg)#debug protocol dhcp relay enable Enables the debug function of the DHCP Relay

module.

zte(cfg)#debug protocol dhcp snooping-and-opt

ion82 disable

Disables the debug function of the DHCP

snooping-and-option82 module.

zte(cfg)#debug protocol dhcp snooping-and-op

tion82 enable

Enables the debug function of the DHCP

snooping-and-option82 module.

zte(cfg)#debug protocol dhcp statistics clear Deletes DHCP statistical data of all ports.

zte(cfg)#debug protocol dhcp statistics port

<1/1-24>

Shows DHCP statistical data of a port.

zte(cfg)#debug protocol dhcp statistics port

<1/1-24> clear

Deletes DHCP statistical data of a port.

zte(cfg)#debug protocol dhcp statistics trunk

<1-15>

Shows DHCP statistical data of a trunk port.

zte(cfg)#debug protocol dhcp statistics trunk

<1-15> clear

Deletes DHCP statistical data of a trunk port.

zte(cfg)#debug protocol dhcpv6 disable Disables the debug function of the DHCPv6

module.

zte(cfg)#debug protocol dhcpv6 enable Enables the debug function of the DHCPv6

module.

zte(cfg)#debug protocol dot1x disable Disables the debug function for the dot1x

protocol.

zte(cfg)#debug protocol dot1x enable Enables the debug function for the dot1x protocol.

zte(cfg)#debug protocol layer3 ip disable Disables the debug function of layer 3 IP

messages.

zte(cfg)#debug protocol layer3 ip enable Enables the debug function of layer 3 IP

messages.

zte(cfg)#debug protocol layer3 ip port Shows statistical data of all ip ports.

5-179



Command Function

zte(cfg)#debug protocol layer3 ip port <0-63> Shows statistical data of an ip port.

zte(cfg)#debug protocol layer3 arp disable Disables the debug function of ARP messages.

zte(cfg)#debug protocol layer3 arp enable Enables the debug function of ARP messages.

zte(cfg)#debug protocol snmp disable Disables the debug function for the SNMP

protocol.

zte(cfg)#debug protocol snmp enable Enables the debug function for the SNMP

protocol.

Debug Module Configuration ExampleThe ZXR10 2900E provides debug commands to check the status of protocol messagesending and receiving.

1. Run the debug protocol layer3 arp enable command to check the debug information ofARP messages.

The following information is an example of the host receiving or sending ARPmessages:

zte(cfg)#ARP: received request scr 168.1.23.5 0000.0000.0001, dst 168.1.23.218 ipport 1

Enter disable to disable the debug function.

2. Run the debug protocol layer3 ip enable command to the debug information of IPmessages, including the link-mtu parameter of IP ports, MAC addresses for receivingmessages, and size of IP messages.

This command shows the information of the process during which the messagesare sent to the protocol layer, for example, host messages. If the messages areforwarded through fast routing, the messages cannot be debugged by this command.The following information is an example of execution results of this command.

zte(cfg)#IP: received packet mac:002421738150 --> mac:002293634f70 on port 1

IP: pointer to allocated buffer for port 0001, 2112840, bytes: 114

IP: pointer to send packet for port 0001, 211284c

IP: size of packet: 60, link mtu: 1500

IP: received packet mac:002421738150 --> mac:002293634f70 on port 1

IP: pointer to allocated buffer for port 0001, 2113040, bytes: 114

IP: pointer to send packet for port 0001, 211304c



Abnormal information during message processing is also printed. The followingexample shows the TTL expired in transit error:

IP: route has been cached: hash value 1


IP: pointer to allocated buffer for port 0001, 209b840, bytes: 42

IP: pointer to send packet for port 0001, 209b84c

5-180



IP: packet could not be forwarded by router: 168.1.23.177 --> 197.1.23.22

IP: received packet mac:000000000022 --> mac:002293634f70 on port 1

IP: received packet src ip:168.1.23.177 , dst ip:197.1.23.22 , protocol 17 on port 1

IP: dropped packet due to time-to-live from 168.1.23.177 to 197.1.23.22

IP: Allocated buffer at 209c040 of length 218

IP: bptr_offset : 209c080, new_offset : 209c080, bptr_new_offset : 209c080

IP: Pointer to send packet 209c0c0

The debug function is disabled after you enter disable.

3. Run the debug protocol layer3 ip port 1 command to check statistical data oflayer3–based ip port 1.

The following information is an example of statistical data of ip port 1.

Ip port number: 1

num_of_ip_packets_rxed: 124 num_of_ip_packets_txed: 196

num_of_udp_packets_rxed: 0 num_of_udp_packets_txed: 0

num_of_tcp_packets_rxed: 121 num_of_tcp_packets_txed: 193

num_of_rip_packets_rxed: 0 num_of_rip_packets_txed: 0

num_of_arp_packets_rxed: 4 num_of_arp_packets_txed: 0

num_of_rarp_packets_rxed: 0 num_of_rarp_packets_txed: 0

num_of_icmp_packets_rxed: 3 num_of_icmp_packets_txed: 3

num_of_unrecog_packets_rxed: 0 num_of_unrecog_packets_txed: 0

num_of_non_ip_packets_rxed: 0 num_of_rxed_packets_fwded: 0

num_of_rxed_udp_pkts_fwded: 0 num_of_rxed_icmp_pkts_fwded: 0

num_of_packets_not_fwded: 124 num_of_rxed_tcp_pkts_fwded: 0

num_of_packets_redirected: 0 num_of_short_ip_pkts_rxed: 0

num_of_pkts_rxed_down_port: 0 num_of_pkts_rxed_dis_port: 0

4. Run the debug protocol snmp v3 command to view printing prompts.

The following information is an example of printing prompts.

somthing wrong happen when generate ku

somthing wrong happen when generate kul

error to create group

unsupport sec level

sha: param not correct!!!

***decoding!!!***

can not get the security name

can not find the group in securitytogroup table

can not find the mib view

vacm check ok

the user has not been cloned from another user !!!

user not find, can't send trap!

decode msg header successfully!!!

decode msg context successfully!!!

***encode successfully !!!***

5-181




5-182


Chapter 6ManagementTable of Contents

Remote-Access..........................................................................................................6-1SSH ...........................................................................................................................6-3Privilege ...................................................................................................................6-11SNMP ......................................................................................................................6-13RMON......................................................................................................................6-18ZGMP ......................................................................................................................6-21sFlow .......................................................................................................................6-28Web .........................................................................................................................6-29M_Button..................................................................................................................6-49Telnet .......................................................................................................................6-52

6.1 Remote-AccessRemote-Access OverviewRemote-Access is a mechanism for limiting network management users to manage theswitch through Telnet, SSH, SNMP and Web, that is, it is used to restrict the access. Thisfunction is to enhance the security of the network management system.

After this function is enabled, specify a network management user to access the switchonly from a specified IP address, the user cannot access the switch from other IPaddresses. When this function is disabled, the network management user can access theswitch through Telnet, SSH, SNMP and Web from any IP address.

Configuring Remote-AccessThe Remote-Access configuration includes the following commands:

Command Function

zte(cfg)#set remote-access {any | specific} Enables or disables the remote

access control function.

zte(cfg)#set remote-access ipaddress <A.B.C.D>[<A.B.C.D>][{s

nmp | telnet | ssh | web}{permit | deny}]

Permits or denies switch access

from a specified IP address

or network segment through

SSH/SNMP/Telnet/Web.

zte(cfg)#clear remote-access all Deletes all IP address

configurations.

6-1



Command Function

zte(cfg)#clear remote-access ipaddress <A.B.C.D>[<A.B.C.D>] Deletes the configuration of a

specified IP address and network

segment.

show remote-access (all configuration modes) Displays the configuration

information of Remote-Access.

Remote-Access Configuration Instance 1l Configuration Description

Only allow the network management user to access the switch from 192.168.1.0/24through Telnet, SSH, SNMP, and Web.

l Configuration Procedurezte(cfg)#set remote-access specific

zte(cfg)#set remote-access ipaddress 192.168.1.0 255.255.255.0

zte(cfg)#show remote-access

Whether check remote manage address: YES

Allowable remote manage address(es) and application(s):

192.168.1.0/255.255.255.0 snmp, telnet, ssh, web


Only allow the network management user to access the switch from 192.168.1.1through Telnet, SSH, SNMP, and Web.


zte(cfg)#set remote-access ipaddress 192.168.1.1






Only allow the network management user to access the switch from 192.168.1.1through Telnet and SSH.


zte(cfg)#set remote-access ipaddress 192.168.1.1




6-2


Chapter 6 Management


zte(cfg)#set remote-access ipaddress 192.168.1.1 255.255.255.255 snmp deny

zte(cfg)#set remote-access ipaddress 192.168.1.1 255.255.255.255 web deny




192.168.1.1/255.255.255.255 telnet,ssh

6.2 SSHSSH OverviewThe Secure Shell (SSH) is a protocol created by the NetworkWorking Group of the InternetEngineering Task Force (IETF), which is used to offer secure remote access and othersecure network services over an insecure network.

The initial purpose of the SSH protocol is to solve the security problems in interconnectednetworks, and to offer a securer substitute for Telnet and Rlogin, although the presentdevelopment of the SSH protocol has far exceeded remote access. So, the SSHconnection protocol should support interactive sessions.

The SSH can be used to encrypt all transmitted data. Even if these data is intercepted, nouseful information can be obtained.

At present, the SSH protocol has two incompatible versions: SSH v1.x and SSH v2.x. TheZXR10 2900E only supports SSH v2.0 and uses the password authentication mode. TheSSH uses TCP port 22.

Configuring SSHThe SSH configuration includes the following commands:

Command Function

zte(cfg)#set ssh {enable | disable} Enables or disables SSH.

zte(cfg)#set ssh regenerate Generates a new SSH key.

zte(cfg)#set ssh sftp {enable | disable} Enables or disables the SFTP

server function.

show ssh (all configuration modes) Displays the SSH configuration

and status.

SSH Configuration Instancel Configuration Description

See Figure 6-1, one computer attempts to access the switch through SSH. The switchis configured with a layer-3 port. The IP address of the port is 192.168.1.1/24, andthe IP address of the computer is 192.168.1.100/24.

6-3



Figure 6-1 SSH Remote Login Example

l Configuration Procedure1. Switch configuration

zte(cfg)#set ssh enable

zte(cfg)#show ssh

SSH is enabled.

There's no ssh user logging in this system.

2. Software configuration

The SSH v2.0 client can use the free software PuTTY developed by SimonTatham. The current version supports the client of multiple versions. The settingswhen using PuTTY to log in to the switch are as follows.

a. Set the IP address and port number of the SSH server, see Figure 6-2.

Figure 6-2 Setting IP Address and Port Number of the SSH Server

b. Set the SSH version number, see Figure 6-3.

6-4



Figure 6-3 Setting the SSH Version Number

c. For the first time to log in, user confirmation is needed, see Figure 6-4.

Figure 6-4 User Confirmation Dialog Box

d. The SSH login result is displayed, see Figure 6-5.

6-5



Figure 6-5 SSH Login Result

SFTP Configuration Instancel Configuration Description

See Figure 6-6, a layer-3 port is configured on the switch, and the IP address is192.168.1.1/24. The IP address of the PC is 192.168.1.100/24. The SSH and SFTPserver functions are enabled on the switch. The PC downloads files from the switchor uploads files to the switch through an SFTP client.

Figure 6-6 SFTP File Upload and Download Instance



zte(cfg)#set ssh enable

zte(cfg)#show ssh

SSH is enabled.

There's no ssh user logging in this system.

zte(cfg)#set ssh sftp enable

zte(cfg)#show sftp

SFTP is enabled.

There's no sftp user logging in this system.

6-6



Configure the PC:

Before logging in to the switch through an SFTP client, set the client on the PC.Different types of client software provide different SSH and SFTP supports, so thesettings vary. It is recommended that you use SFTP client software such as WinSCPand Secure FX. WinSCP is SSH open-source graphic SFTP client software operatingin the Windows operating system. The following procedure uses WinSCP as anexample to describe the settings.

1. Set the IP address and port number for the SSH server. SFTP uses port 22. Seta username and password. See Figure 6-7.

Figure 6-7 WinSCP Login Dialog Box—Creating a Session

2. From the left navigation tree, select Environment > SFTP, and then set theparameters (you can use the default settings), see Figure 6-8.

6-7



Figure 6-8 WinSCP Login Dialog Box—Setting SFTP Parameters

3. From the left navigation tree, select Preferences. The Preferences dialog box isdisplayed, see Figure 6-9.

By default, WinSCP fragments large-size files and adds filepart postfix names.The ZXR10 2900E does not support extra-long file postfix names, so you mustclick Disable in the Enable transfer resume/transfer to temporary filenamefor area.

6-8



Figure 6-9 Preferences Dialog Box

4. Click OK. The WinSCP Login dialog box is displayed. Click Login. When youlog in to the SFTP server for the first time, the Warning dialog box is displayed,see Figure 6-10.

Figure 6-10 Warning Dialog Box

5. Click Yes. The system starts authentication, see Figure 6-11.

6-9



Figure 6-11 Authentication Banner Dialog Box

6. Click Continue. Enter your password, see Figure 6-12.

Figure 6-12 Password Dialog Box

7. ClickOK. A message indicating successful authentication is displayed, see Figure6-13.

6-10



Figure 6-13 Authentication Banner Dialog Box—Successful Authentication

8. Click Continue. The WinSCP desktop window is displayed, see Figure 6-14.

In the WinSCP desktop window, you can upload or download files.

Figure 6-14 WinSCP Desktop Window

6.3 PrivilegePrivilege OverviewThe command level function, that is, the privilege function, refers to leveling the commandlines available for the switch and granting different permissions. With this function, usersof different levels can access the commands of different scopes. This protects switchconfiguration from being modified by any user with any permission.

Privilege ConfigurationThe Privilege configuration includes the following commands:

Command Function

zte(cfg)#privilege {enable | disable} Enables/disables the command

level function.

6-11



Command Function

zte(cfg)#privilege <0-15> session <1-1024>{all |

part}<mode><key1-string>[<key2-string>[... <key10-string>]]Sets the command permission.

zte(cfg)#clear privilege session [<1-1024>] Clears a specified command

permission rule.

show privilege {default | level [<0-15>]| session [<1-1024>]} (for

all configuration modes)

Displays a specified command

permission rule.

Privilege Configuration Instancel Configuration Description

Users can perform this configuration only when logging in to the switch with the highestpermission (level 15).



/*Enable the privilege function*/

zte(cfg)#privilege enable

/*Grant level-12 permission to all functions of the set node*/

zte(cfg)#privilege 12 session 1 part cfg set

l Configuration Verification1. Execute the following commands to check the command permission rule.

zte(cfg)#show privilege session

State: Enable

User level: 15

Session Level Type Mode Key

------- ----- ---- ------------- -----------------

1 12 part cfg set

2. Log in to the switch and execute the related set command as a user with a lowerpermission (for example, level 11).

Execute the zte(cfg)#set stp enable command. The system will prompt that theuser is disallowed to execute the command.

The user privilege(level 11) is less than command privilege(level 12 rule 1).

% Command cannot be performed because of insufficient privilege. (0x40000aab)

Log in to the switch as a user with a permission higher than or equal to thepermission (for example, level 13) and execute the same command. Thecommand can be properly executed, without the prompt mentioned above.

6-12



6.4 SNMPSNMP OverviewThe SNMP is themost popular network management protocol currently. It involves a seriesof protocols and specifications:

l MIB: Management Information Basel SMI: Structure of Management Informationl SNMP: Simple Network Management Protocol

They offer the means to collect network management information from networkdevices. The SNMP also enables the devices to report problems and errors to NetworkManagement Systems (NMSs). Any network administrator can use the SNMP to managethe switch. The ZXR10 2900E supports SNMPv1, v2c and v3 (v3 strengthens SNMPmanagement security based on v1 and v2c).

The SNMP uses the “Management process–Agent process” model to monitor and controlall types of managed network devices. The SNMP network management needs three keyelements:

1. Managed devices. They can communicate over the Internet. Each device contains anagent.

2. NMS. The network management process should be able to communicate over theInternet.

3. The protocol used to exchange management information between the agent processand the NMS, that is, the SNMP.

The NMSs collect data by polling the agents that reside in the managed devices. Theagents in the managed devices can report errors to NMSs at any time before the NMSspoll them. These errors are called traps. When a trap occurs on a device, the NMSs canbe used to query the device (suppose it is reachable) and obtain more information. SNMPv2c and v3 also support an inform message (an SNMPv2 Trap that needs a response)to inform abnormal events to the NMSs. After an NMS receives the inform message,it sends an acknowledgement message to the switch. If the switch does not receivethe acknowledgement message from the NMS in a period, it resends the original informmessage twice.

All variables in the network are stored in MIBs. The SNMP monitors the network devicestatus by querying the related object values in the agent MIBs.

SNMP ConfigurationThe SNMP configuration includes the following commands:

Command Function

zte(cfg-snmp)#set engineID Sets the SNMP engine ID of a

device.

6-13



Command Function

zte(cfg-snmp)#set recvpacket <0-100> Sets the number of SNMP

messages that the SNMP protocol

stack can handle in a unit time.

zte(cfg-snmp)#set src-ipport <0-63> Sets the source IP address of

SNMP.

zte(cfg-snmp)#create community <string>{public |

private}[ingress-acl-basic-number <1-99>]Creates a community, sets the

access authority, and binds a basic

ACL ID with the community.

zte(cfg-snmp)#create view < string >[{include |

exclude}<mib-oid>]

Creates a view and specifies

whether the view includes a MIB

subtree.

zte(cfg-snmp)#set community <string> view <string> Sets a community and a view

containing the community name.

zte(cfg-snmp)#set community <string> ingress-acl-basic-number <1-99>

Sets the basic ACL ID bound to

the specified community.

zte(cfg-snmp)#clear community <string> ingress-acl-basic-n

umber

Deletes the basic ACL ID bound to

the specified community.

zte(cfg-snmp)#set mib1493compatible {enable | disable} Enables or disables the 1493

compatible mode.

zte(cfg-snmp)#set host <A.B.C.D> trap {v1 <string>| v2c<string>| v3 <string>{auth | noauth | priv}}

Sets the IP address, community

name, username, version, and

security level of the computer

receiving trap information.

zte(cfg-snmp)#set host <A.B.C.D> inform { v2c <string>| v3<string>{auth | noauth | priv}}

Sets the IP address, community

name, username, version, and

security level of the computer

receiving inform messages.

zte(cfg-snmp)#set trap {linkdown | linkup | authenticationfail

| coldstart | warmstart | topologychange | memberupdown

| portloopdetect | trunkloopdetect | linkMonitorStatus |

remoteLinkStatus | dyingGaspStatus | remoteDiscovery |

powerDown | dhcpCharCheck | cpuUserationThreshold |

memUserationThreshold | fanStatusCheck | macNotification |

udldUnidirectional | protocolProtect | dismanpingnotifications|

adminPasswordNoChange | arpOverload | bootfileLost

| cfmFaultAlarm | fanSpeed | fileTransfer | ipConflict |

MacOverload | poe | StpBridgeRoleChange | StpPortStateChange

| trafficLimitProtect | trafficLimit | temperature | all}{enable |

disable}

Enables/disables trap functions

of link connection/disconnection,

authentication failure, cool/hot

startup, topology change,

cluster member UP/DOWN,

loop detected at port/Trunk,

MAC number exceeding the

threshold, link monitor event

alarm, remote link event alarm,

event detection alarms, MAC

list change notification, and ping

notification.

6-14



Command Function

zte(cfg-snmp)#set group <string> v3 {auth | noauth | priv}[read<string>[write <string>[notify <string>]]]

Sets an SNMP V3 group name

and the group security level.

zte(cfg-snmp)#set user <string><string> v3 [md5-auth <string>|

sha-auth <string>[des56-priv <string>]]Sets an SNMP V3 user name,

authentication mode and

password.

zte(cfg-snmp)#set trap macnotification {port<1-51>|trunk<1-15>}{enable|disable}

Enables or disables the trap

function of MAC change

notification on a specific port

or trunk.

zte(cfg-snmp)#set trap macnotification {history-size<1-256>|interval<1-3600>}

Sets the threshold of the number

and interval of MAC change

notifications.

zte(cfg-snmp)#clear host <A.B.C.D>{trap | inform}<string> Clears a host configuration.

zte(cfg-snmp)#clear community <string> Clears a community name.

zte(cfg-snmp)#clear view <string> Clears a view.

zte(cfg-snmp)#clear group <string> v3 {auth | noauth | priv} Clears a group.

zte(cfg-snmp)#clear user <string> v3 Clears a user.

zte(cfg-snmp)#clear engineID Clears an SNMP engine identifier

and recovers to the default value.

show snmp (all configuration modes) Displays all SNMP configuration

information.

show snmp {community | engineID | group | host | trap | user |

view} (all configuration modes)

Displays each element of SNMP

V1, V2C and V3.

SNMP Configuration Instance 1l Configuration Description

Assume that the IP address of the network management server is 10.40.92.105,the switch has a layer-3 port with the IP address of 10.40.92.200, and the switch ismanaged through the network management server.

Create a community named “zte” with the read/write permission and a view named“vvv”, and then associate the community “zte” with the view “vvv”. Set the IP addressof the computer receiving traps to 10.40.92.105, and the community to “zte”.

The DUT device is directly connected to network management server.

l Configuration Procedurezte(cfg)#config router




6-15





zte(cfg-snmp)#create community zte private

zte(cfg-snmp)#create view vvv

zte(cfg-snmp)#set community zte view vvv

zte(cfg-snmp)#set host 10.40.92.105 trap v2 zte

zte(cfg-snmp)#show snmp community

CommunityName Level ViewName Acl

-------------- ------- ------------ ---

zte private vvv -

zte(cfg-snmp)#show snmp view

ViewName Exc/Inc MibFamily

--------- -------- ------------------------

vvv Include 1.3.6.1

zte(cfg-snmp)#show snmp host

HostIpAddress Comm/User Version type SecurityLevel

-------------- ---------- ------- ------ -------------

10.40.92.105 zte Ver.2c Trap


Assume that the IP address of the network management server is 10.40.92.77, theswitch has a layer-3 port with the IP address of 10.40.92.11, and the switch is managedthrough the network management server in the User Security Model (USM).

Create a user named “zteuser” and its group named “ztegroup”. The security level ofthe group is private (that is authentication and encryption). Set the IP address of thecomputer receiving trap or inform information to 10.40.92.77, and the user to “zteuser”.

l Configuration Procedurezte(cfg)#config router






zte(cfg-snmp)#set group ztegroup v3 priv

zte(cfg-snmp)#set user zteuser ztegroup v3 md5-auth zte des56-priv zte

zte(cfg-snmp)#set host 10.40.92.77 inform v3 zteuser priv

6-16



zte(cfg-snmp)#show snmp group

groupName: ztegroup

secModel : v3 readView : zteView

secLevel : AuthAndPriv writeView : zteView

rowStatus: Active notifyView: zteView

zte(cfg-snmp)#show snmp user

UserName : zteuser

GroupName : ztegroup(v3)

EngineID : 830900020300010289d64401

AuthType : Md5 StorageType: NonVolatile

EncryptType: Des_Cbc RowStatus : Active

zte(cfg-snmp)#show snmp host

HostIpAddress Comm/User Version type SecurityLevel

---------------- ----------- ------- ------ -------------

10.40.92.77 zteuser Ver.3 Inform AuthAndPriv


When the configuration is completed, use the mibbrowser software to log in.


This example describes how to configure the MAC change notification function.

See Figure 6-15, configure the SNMP first so that the switch can be managed throughthe network management server. Configure the MAC notification function so thatthe MAC change information on Port 1 can be reported to the network managementserver. The report condition is: The number of changed MAC entries reaches 50, orthe time is one minute (that is, 60 seconds).

Figure 6-15 MAC Change Notification Configuration Network

l Configuration Procedurezte(cfg-snmp)#set trap macnotification enable

zte(cfg-snmp)#set trap macnotification port 1 enable

zte(cfg-snmp)#set trap macnotification history-size 50

zte(cfg-snmp)#set trap macnotification interval 60


If the number of changed MAC entries reaches 50 within one minute, the switch sendstrap information when the number reaches 50 instead of waiting until one minute. The

6-17



number of sent entries is 50. If the number of changed MAC entries does not reach50 within one minute, the switch sends trap information when one minute expires.The number of sent entries is less than or equal to 50. By default, the MAC changenotification function is disabled. So, if the MAC change notification function is enabledglobally but it is not enabled on a port, the network management server cannot receivetrap information. In this example, if the MAC entries change on another port insteadof Port 1, trap information is not sent.

6.5 RMONRMON OverviewThe Remote Monitoring (RMON) defines the standard network monitoring function and acommunication interface between the management console and the remote monitor. TheRMON offers an efficient method to monitor the behaviors of subnets while reducing theload of other agents and management stations.

The RMON specifications refer to the definition of RMONMIB. The ZXR10 2900E supportsfour groups of RMON MIB.

l History: records the periodic statistics sample of the information that can be obtainedfrom the statistics group.

l Statistics: maintains the basic application and error statistics of each subnet that theagent monitors.

l Event: a table related to all events generated by RMON agents.l Alarm: allows operators of the management console to set sampling interval and

alarm threshold for any count or integer recorded by RMON agents.

All these groups are used to store the data collected by the monitor and derived data andstatistics data. The alarm group is based on the implementation of the event group. Thesedata can be obtained through the MIB browser.

The RMON control information can be configured through the MIB browser, orHyperTerminal or remote Telnet command lines. The RMON sampling information andstatistics data is obtained through the MIB browser.

RMON ConfigurationThe RMON configuration includes the following commands:

Command Function

zte(cfg-snmp)#set rmon {enable | disable} Enables or disables the RMON

function.

zte(cfg-snmp)#set statistics <1-65535>{datasource <1-28>|owner <name>| status {valid | underCreation | createRequest| invalid}}

Sets a statistics group.

6-18



Command Function

zte(cfg-snmp)#set alarm <1-65535>{interval <1-65535>|variable <mib-oid>| sampletype {absolute | delta}| startup

{rising | falling | both}| threshold <1-65535> eventindex<1-65535>{rising | falling}| owner <name>| status {valid |underCreation | createRequest | invalid}}

Sets an alarm group.

zte(cfg-snmp)#set event <1-65535>{description <string>| type

{none | log | snmptrap | logandtrap}| owner <name>| community<name>| status {valid | underCreation | createRequest | invalid}}

Sets an event group.

zte(cfg-snmp)#set history <1-65535>{datasource <1-28>|

bucketRequested <1-65535>| owner <name>| interval<1-3600>| status {valid | underCreation | createRequest | invalid}}

Sets a history group.

show rmon (all configuration modes) Displays RMON global

configuration.

show statistics [<1-65535>] (all configuration modes) Displays configuration information

of the statistics group.

show alarm [<1-65535>] (all configuration modes) Displays configuration information

of the alarm group.

show event [<1-65535>] ( all configuration modes) Displays configuration information

of the event group.

show history [<1-65535>] (all configuration modes) Displays configuration information

of the history group.

RMON Configuration Instancel Configuration Description

The instance describes how to set event 2, history 2, alarm 2 and statistics 1respectively.

The DUT device is directly connected to the network management server.

l Switch Configurationzte(cfg-snmp)#set event 2 description It'sJustForTest!!

zte(cfg-snmp)#set event 2 type logandtrap

zte(cfg-snmp)#set event 2 community public

zte(cfg-snmp)#set event 2 owner zteNj

zte(cfg-snmp)#set event 2 status valid

zte(cfg-snmp)#set history 2 datasource 16

zte(cfg-snmp)#set history 2 bucket 3

zte(cfg-snmp)#set history 2 interval 10

zte(cfg-snmp)#set history 2 owner zteNj

zte(cfg-snmp)#set history 2 status valid

6-19



zte(cfg-snmp)#set rmon enable

zte(cfg-snmp)#set alarm 2 interval 10

zte(cfg-snmp)#set alarm 2 variable 1.3.6.1.2.1.16.2.2.1.6.2.1

zte(cfg-snmp)#set alarm 2 sample absolute

zte(cfg-snmp)#set alarm 2 startup rising

zte(cfg-snmp)#set alarm 2 threshold 8 eventindex 2 rising

zte(cfg-snmp)#set alarm 2 threshold 15 eventindex 2 falling

zte(cfg-snmp)#set alarm 2 owner zteNj

zte(cfg-snmp)#set alarm 2 status valid

zte(cfg-snmp)#set statistics 1 datasource 16

zte(cfg-snmp)#set statistics 1 owner zteNj

zte(cfg-snmp)#set statistics 1 status valid

l Configuration Verification1. View configuration information about event 2:

zte(cfg-snmp)#show event 2

EventIndex : 2 Type : log-and-trap

Community : public Status : valid

Owner : zteNj

Description :It'sJustForTest!!

2. View configuration information about history 2:zte(cfg-snmp)#show history 2

ControlIndex : 2 BucketsRequest: 3

Interval : 10 BucketsGranted: 3

ControlStatus: valid ControlOwner : zteNj

DataSource : 1.3.6.1.2.1.2.2.1.1.16

3. View configuration information about alarm 2:zte(cfg-snmp)#show alarm 2

AlarmIndex : 2 SampleType: absolute

Interval : 10 Value : 16

Threshold(R) : 8 Startup : risingAlarm

Threshold(F) : 15 Status : valid

EventIndex(R): 2 Variable : 1.3.6.1.2.1.16.2.2.1.6.2.1

EventIndex(F): 2 Owner : zteNj

4. View configuration information about statistics 1:zte(cfg-snmp)#show statistics 1

StatsIndex: 1

DropEvents : 0 BroadcastPkts : 0

Octets : 0 MulticastPkts : 0

Pkts : 0 Pkts64Octets : 0

Fragments : 0 Pkts65to127Octets : 0

Jabbers : 0 Pkts128to255Octets : 0

Collisions :0 Pkts256to511Octets : 0

CRCAlignErrors :0 Pkts512to1023Octets : 0

6-20



UndersizePkts :0 Pkts1024to1518Octets: 0

OversizePkts :0 DataSource(port) : 1.3.6.1.2.1.2.2.1.1.16

Status : valid Owner : zteNj

l Configuration Result

After the above configuration, when the number of etherHistoryPkts packets of thefirst bucket on port 16 rises over 8 or the number falls below 15, the event with index2 is triggered. The event with index 2 sends a trap to the management station.

6.6 ZGMPZGMP OverviewZGMP is ZTE Group Manage Protocol. A cluster is a set of switches in a specific broadcastdomain. The switches form a unified management domain, providing an external publicnetwork IP address andmanagement interface, and the ability to manage and access eachmember in the cluster.

The management switch which is configured with a public network IP address is called acommand switch. Other switches serve as member switches. In normal cases, a memberswitch is not configured with a public network IP address. A private address is allocated toeach member switch through the DHCP function of the command switch. The commandswitch and member switches form a cluster (private network).

In general, the broadcast domain where a cluster is located consists of switches of fourroles: command switch, member switches, candidate switches and independent switches.

One cluster has only one command switch. The command switch can automatically collectthe device topology and set up a cluster. After a cluster is set up, the command switchprovides a cluster management channel to manage member switches. Member switchesserve as candidate switches before they join the cluster. The switches that do not supportcluster management are called independent switches.

It is recommended that you isolate the broadcast domain between the public networkand the private network on the command switch and shield direct access to the privateaddress. The command switch provides an external management and maintenancechannel to manage the cluster in a centralized manner.

For the cluster management network, see Figure 6-16.

6-21



Figure 6-16 Cluster Management Network

For changeover rules of the four roles of switches within a cluster, see Figure 6-17.

6-22



Figure 6-17 Changeover Rules of Roles

ZGMP ConfigurationThe ZGMP configuration includes the following commands:

Command Function

zte(cfg-group)#set zdp {enable | disable} Enables or disables the ZTE

Discovery Protocol (ZDP) function.

zte(cfg-group)#set zdp {port <portlist>| trunk<trunklist>}{enable | disable}

Enables or disables the ZDP

function based on port/trunk.

zte(cfg-group)#set zdp timer <5-255> Sets a time interval for sending

ZDP packets.

zte(cfg-group)#set zdp holdtime <10-255> Sets ZDP hold time.

show zdp (all configuration modes) Displays ZDP global configuration.

show zdp neighbour (all configuration modes) Displays ZDP neighbor

information.

show zdp neighbour detail (all configuration modes) Displays detailed ZDP neighbor

information.

zte(cfg-group)#set ztp {enable | disable} Enables or disables the global ZTE

Topology Protocol (ZTP) function.

zte(cfg-group)#set ztp {port <portlist>| trunk<trunklist>}{enable | disable}

Enables or disables the ZTP

function based on port/trunk.

zte(cfg-group)#set ztp vlan <1-4094> Sets a VLAN for collecting

topology information.

6-23



Command Function

zte(cfg-group)#set ztp hop <1-128> Sets a range (hop count) of

collecting topology information.

zte(cfg-group)#set ztp timer<0-60> Sets a time interval for collecting

topology information automatically.

zte(cfg-group)#set ztp portdelay <1-100> Sets a port delay for forwarding

topology requests.

zte(cfg-group)#set ztp hopdelay <1-1000> Sets a hop delay for forwarding

topology requests.

zte(cfg-group)#ztp start Starts collecting topology

information.

show ztp (all configuration modes) Displays ZTP global configuration.

show ztp device [<idlist>](all configuration modes) Displays the configuration

information according to the

device ID.

show ztp topology (all configuration modes) Displays network topology in a

simple graph.

show ztp mac <HH.HH.HH.HH.HH.HH> (all configuration modes) Displays detailed information of

a device according to the MAC

address.

zte(cfg-group)#set group commander ipport <0-63>[ip-pool<A.B.C.D/M>]

Sets a command switch, specifies

a layer-3 port number for cluster

management and sets an IP

address pool for cluster members.

zte(cfg-group)#set group candidate Sets a switch to be a candidate

switch.

zte(cfg-group)#set group independent Sets a switch to be an independent

switch.

zte(cfg-group)#set group add {mac <HH.HH.HH.HH.HH.HH>[<1-253>]| device <idlist>}

Adds a switch to a cluster.

zte(cfg-group)#set group delete member <idlist> Deletes a switch from a cluster.

zte(cfg-group)#set group handtime <1-300> Sets a time interval for handshake

between the command switch and

the member switch.

zte(cfg-group)#set group holdtime <1-300> Sets hold time of information about

switches in a cluster.

zte(cfg-group)#set group name <name> Sets a cluster name.

6-24



Command Function

zte(cfg-group)#set group mac-mode {standard | extend [mac<HH.HH.HH.HH.HH.HH>]}

Sets a protocol multicast address

of cluster management.

zte(cfg-group)#set group syslogsvr <A.B.C.D> Sets an IP address of the SYSLOG

server in a cluster.

zte(cfg-group)#set group tftpsvr <A.B.C.D> Sets an IP address of the TFTP

server in a cluster.

show group (all configuration modes) Displays cluster configuration

information.

show group candidate (all configuration modes) Displays candidate switches.

show group member [<1-253>] (all configuration modes) Displays a member switch or all

member switches.

zte(cfg-group)#save member {<idlist>| all} Saves the configuration of a

member switch to a file.

zte(cfg-group)#erase member {<idlist>| all} Deletes the configuration of a

member switch.

zte(cfg-group)#reboot member {<idlist>| all} Restarts a member switch.

rlogin {commander | member <1-253>}(all configuration modes) Remotely logs in to the cluster

device.

ZGMP Configuration Instancel Configuration Description

See Figure 6-18, the initial configuration of the switches is the default configuration.Here, set the VLAN where the public network IP address of the command switch inthe cluster resides to 2525, the IP address to 100.1.1.10/24, the gateway addressto 100.1.1.1, the cluster management VLAN to 4000, the private address pool to192.168.1.0/24, and the IP address of the TFTP Server in the cluster to 110.1.1.2.

6-25



Figure 6-18 Cluster Management Network

l Configuration Procedure1. Configure the public network IP address of the command switch and the gateway.


zte(cfg)#set vlan 2525 add port 1-24 tag





zte(cfg-router)#iproute 0.0.0.0/0 100.1.1.1

2. Create a cluster on layer-3 port 1 of the command switch and VLAN 1 (defaultVLAN).zte(cfg)#config group

zte(cfg-group)#set group commander ipport 1

Cmdr.zte(cfg-group)#ztp start

Cmdr.zte(cfg-group)#show ztp device

Last collection vlan : 1

Last collection time : 210 ms

Id MacAddress Hop Role HostName Platform

6-26



-- ------------------ ---- ------ --------- ---------------

0 00.00.00.00.00.01 0 cmdr Cmdr.zte ZXR10 2928E

1 00.0d.0d.f1.e2.00 1 candi zte ZXR10 2918E

2 00.50.43.3c.3b.5d 1 candi zte ZXR10 2910E-PS

3 00.00.00.00.33.33 2 candi zte ZXR10 2918E

Cmdr.zte(cfg-group)#set group add device 1-3

Adding device id : 1 ... Successed to add member!



Cmdr.zte(cfg-group)#show group member

Id MacAddress IpAddress HostName State

-- ------------------ --------------- --------- -----

1 00.0d.0d.f1.e2.00 192.168.1.2/24 Mem1.zte Up

2 00.50.43.3c.3b.5d 192.168.1.3/24 Mem2.zte Up

3 00.00.00.00.33.33 192.168.1.4/24 Mem3.zte Up

3. Switch to each member switch and add all ports to VLAN 4000 (taking member 1as an example).Cmdr.zte(cfg)#set vlan 4000 enable

Cmdr.zte(cfg)#set vlan 4000 add port 1-16 tag

Cmdr.zte(cfg)#rlogin member 1

Trying ...Open

Connecting ...

Mem1.zte>

Mem1.zte>enable

password:

Mem1.zte (cfg)#set vlan 4000 enable

Mem1.zte (cfg)#set vlan 4000 add port 1-16 tag

4. Delete the cluster created on VLAN 1.Cmdr.ZTE(cfg-group)#set group delete member 1-3

Deleting member id : 1 ... Successed to del member!



Cmdr.zte(cfg-group)#set group candidate

zte(cfg-group)#

5. Create a cluster on VLAN 4000.zte(cfg-group)#set ztp vlan 4000

zte(cfg-group)#set group commander ipport 1

Cmdr.zte(cfg-group)#ztp start

Cmdr.zte(cfg-group)#show ztp device

Last collection vlan : 4000

Last collection time : 230 ms

Id MacAddress Hop Role HostName Platform

-- ------------------ ---- ------ --------- --------------

0 00.00.00.00.00.01 0 cmdr Cmdr.zte ZXR10 2928E

1 00.0d.0d.f1.e2.00 1 candi zte ZXR10 2918E

6-27



2 00.50.43.3c.3b.5d 1 candi zte ZXR10 2910E-PS

3 00.00.00.00.33.33 2 candi zte ZXR10 2918E

Cmdr.zte(cfg-group)#set group add device 1-3




Cmdr.zte(cfg-group)#show group member

Id MacAddress IpAddress HostName State

-- ------------------ --------------- --------- -----

1 00.0d.0d.f1.e2.00 192.168.1.2/24 Mem1.zte Up

2 00.50.43.3c.3b.5d 192.168.1.3/24 Mem2.zte Up

3 00.00.00.00.33.33 192.168.1.4/24 Mem3.zte Up

6. Set the IP address of the TFTP server in the cluster to 110.1.1.2.Cmdr.zte(cfg-group)#set group tftpsvr 110.1.1.2

7. Set the IP address of the SYSLOG server in the cluster to 110.1.1.2.Cmdr.zte(cfg-group)#set group syslogsvr 110.1.1.2

8. Download version zImage on member 1.Mem1.zte(cfg-tffs)#tftp commander download zImage

6.7 sFlowsFlow OverviewThe sFlow is a technique to monitor high-speed data transmission network. It uses ansFlow proxy embedded in network equipment to send sampled data packets to sFlowcollectors.

The sFlow implements the following functions:

l Provide the correct statistics about client flow.l Monitor intrusion and police violation to make the network more safer.l Monitor the network traffic and application visually.l Provide the correct data suitable for capacity deployment.l Ensure the priority of traffic across core network.l Recognize the network application flow from the remote site to ensure the effect on

server.

sFlow ConfigurationThe sFlow configuration includes the following commands:

Command Function

zte(cfg)#set sflow agent-address <A.B.C.D>[udp-port<1-65535>]

Sets an IP address of the sFlow

proxy.

zte(cfg)#set sflow collector-address <A.B.C.D>[udp-port<1-65535>]

Sets an IP address of the sFlow

collector.

6-28



Command Function

zte(cfg)#set sFlow version<number> Sets a format version of sFlow

sampling packets.

zte(cfg)#set sFlow {ingress | egress}{enable | disable} Enables or disables the

ingress/egress sFlow function.

zte(cfg)#set sFlow ingress sample-mode {all | forward} Sets the sFlow ingress sampling

mode.

zte(cfg)#set sflow {ingress | egress} port <portlist> packet-sampleoff

Disables sFlow sampling on a port

or ports.

zte(cfg)#set sflow {ingress | egress} port <portlist>packet-sample on frequency <2-16000000>[time-range<word>]

Enables sFlow sampling based

on ports, or binds a time range to

ports.

zte(cfg)#clear sflow config [{agent | collector}] Deletes sFlow configuration on

ports.

zte(cfg)#clear sFlow statistic Clears sFlow port sampling

statistics.

show sFlow (all configuration modes) Displays sFlow configuration

information.

6.8 WebWeb Management OverviewThe ZXR10 2900E provides an embedded Web server stored in the Flash memory, whichallows user to use a standard Web browser (it is recommended to use IE6.0 above and1024×768 resolution) for managing the remote switch.

Configuring System LoginOn the condition that Web connection has been configured on the switch.

1. Open Microsoft Internet Explorer.2. Enter the IP address of the switch in the address bar (this address is that switch can

connect). The system login interface is displayed, see Figure 6-19.

6-29



Figure 6-19 System Login Interface

3. Enter a username and a password, and select a user privilege. The Admin user needsto enter a login password and a management password. Guest users only need toenter a login password. Click Login to log in to the system main page, see Figure6-20.

Figure 6-20 System Main Interface

Web Configuration Managementl Web Configuration Management

System Information Check

Click the directory tree on the left of the system main page, Configuration > System.The system information page (by default, Configuration directory is expansive) isdisplayed, see Figure 6-21.

6-30



Figure 6-21 System Information Page

This page displays the following system information:


VersionNumber Version number

SwitchType Switch type

VersionMakeTime Version making time

MacAddress Switch hardware address

HostName System name

SysLocation System location

SysUpTime Running time after the system is started.

Both “HostName” and “SysLocation” can be configured. After configuration, clickthe Apply button to complete the configuration.

l Port Management

Port State Information Check

Click the directory tree on the left of the system main page, Configuration > Port >Port State. The port state information page is displayed, see Figure 6-22.

6-31



Figure 6-22 Port State Information Page

This page displays the following port information:


PortClass Port class

LinkState Port linkup/linkdown state

Duplex Duplex working state of the port

Speed Working speed of the port

Note:

Port linkdown means that port hasn’t a physical connection. The displayed values of“Duplex” and “Speed” are meaningless.

Port Configuration Information Check

Click the directory tree on the left of the main page, Configuration > Port > PortParameter. The port configuration information page is displayed, see Figure 6-23.

6-32



Figure 6-23 Port Configuration Information Page

This page displays the following port information:


MediaType Port media type

Name Port name

AdminStatus Port enabled

AutoNeg Port working mode, that is, working speed and

duplex mode

PVID Default VLAN ID of the port

FlowControl Port flow control enabled

MultiFilter Port multicast filter enabled

MacLimit Port Mac address learning limit

Security Port security enabled

SpeedAdvertise Port speed advertisement

Single Port Configuration

Click the Config button in the line of the port to be configured on the port configurationinformation page. The configuration page of this port is displayed, see Figure 6-24.

6-33



Figure 6-24 Single Port Configuration Page

Configure the attribute of the selected port on this page. After configuration, click theApply button to complete the configuration.

Note:

“Security” and “MacLimit” are conflicting. The two attributes cannot be set to beenabled at the same time.

Caution!

If the port connected to the network management computer is disabled, the networkmanagement is interrupted.

Bulk port configuration

Select multiple ports on the port configuration information page (select Select All toselect all ports), and then click Apply. The bulk port configuration page is displayed,see Figure 6-25.

6-34



Figure 6-25 Bulk Port Configuration Page

Set the attributes on this page, and then click Apply to complete the configuration.

l VLAN Management

VLAN Information Check

Click the directory tree on the left of the main page, Configuration > VLAN > VlanOverview. The VLAN information page is displayed, displaying the VLAN informationthat is operated currently. If the VLAN hasn't been operated, the default VLAN will bedisplayed. See Figure 6-26.

Figure 6-26 VLAN Information Page

If the number of VLANs to be displayed is more than 20, they will be displayed by pageand page number is displayed at the bottom right corner. You can click previous ornext to turn pages or select a page number from the GO drop-down list box.

This page displays the following information:

6-35




VlanName VLAN name

AdminStatus VLAN enabled or not

Tag Ports Port with a tag in the VLAN

UntagPorts Port without a tag in the VLAN

TagTrunks Trunk with a tag in the VLAN

UntagTrunks Trunk without a tag in the VLAN

Checking the Specified VLAN Information

1. Click Configuration > VLAN > Vlan Configure on the left of the main page. AVLAN number entering page is displayed, see Figure 6-27.

Figure 6-27 VLAN Number Entering Page

2. Enter a VLAN number (for example, “1, 3-5"), and click Apply. A single VLANconfiguration page or bulk VLAN configuration page is displayed.

à For the single VLAN configuration page, see Figure 6-28.

6-36



Figure 6-28 Single VLAN Configuration Page

After setting some attributes of the VLAN on this page, click Apply tocomplete the configuration.

Note:

When configuring port/trunk in the VLAN, you can enter port/trunk number inthe text box with the format "1, 3-5". You can also select the correspondingcheck boxes to add them into the VLAN.

à For the bulk VLAN configuration page, see Figure 6-29.

Figure 6-29 Bulk VLAN Configuration Page

Admin of Select items is used to enable the VLAN. Port is ordinary port ofbulk VLAN configuration. Trunk is trunk group of bulk VLAN configuration.

6-37



After setting some attributes on this page, click Apply to complete theconfiguration.

l PLAN Management

PVLAN Information Check

Click Configuration > PVLAN > Pvlan Overview on the left of the main page. ThePVLAN information page is displayed, see Figure 6-30.

Figure 6-30 PVLAN Information Page



Pvlan Session PVLAN instance

Promiscuous Port Hybrid physical port

Promiscuous Trunk Hybrid trunk port

Isolated Port Isolated physical port

Isolated Trunk Isolated trunk port

Community Port Community physical port

Community Trunk Community trunk port

PVLAN Configuration

Click Configuration > PVLAN > Pvlan Configure on the left of the main page. ThePVLAN configuration page is displayed, see Figure 6-31.

6-38



Figure 6-31 PVLAN Configuration Page



Pvlan Session PVLAN instance

Promiscuous Port Hybrid physical port

Promiscuous Trunk Hybrid trunk port

Isolated Port Isolated physical port

Isolated Trunk Isolated trunk port

Community Port Community physical port

Community Trunk Community trunk port

After setting some attributes on this page, click Apply to submit. When system isconfigured successfully, the configured information page will be displayed.

l Port Mirroring Management

Port Mirroring Information Check

Click Configuration > MIRROR > Mirror Overview on the left of the main page. Themirror information page is displayed, see Figure 6-32.

6-39



Figure 6-32 Mirror Information Page



Source port Mirroring source port

Destination port Mirroring destination port

Port Mirroring Configuration

Click Configuration > MIRROR > Mirror Configure on the left of the main page. Themirroring port configuration page is displayed, see Figure 6-33.

Figure 6-33 Mirroring Port Configuration Page

The source port and destination port can be configured on this page. After setting,click Apply to complete the configuration.

l LACP Management

6-40



LACP Basic Information Check

Click Configuration > Lacp > Lacp Port on the left of the main page. The LACPbasic information page is displayed, see Figure 6-34.

Figure 6-34 LACP Basic Attribute Page

The displayed information is as follows:


AdminStatus LACP enabled or not

LacpPriority LACP priority

The aggregation port information is as follows:


GroupNum Aggregation group number that the

aggregation port belongs to

GroupMode Aggregation group aggregation mode that the

port belongs to

LacpTime Aggregation port timeout mode

LacpActive Aggregation port active/passive mode

Set basic attributes of "AdminStatus" and "LacpPriority" on this page and set attributesof "LacpTime" and "LacpActive" of the aggregation port. After setting, click Apply tocomplete the configuration.

When setting the same configuration of bulk aggregation port attribute, click thecorresponding check box to select multiple aggregation ports (select Select All toselect all ports), and then click Set. The configuration page of bulk aggregation portis displayed, see Figure 6-35.

6-41



Figure 6-35 Bulk Aggregation Port Configuration Page

After setting attributes of the aggregation port on this page, click Apply to submit.

Aggregation Group Information Check

Click Configuration > Lacp > Lacp State on the left of the main page. Theaggregation group information page is displayed, see Figure 6-36.

Figure 6-36 Aggregation Group Information Page



Attached Ports Attached ports in the aggregation group

Active Ports Active ports in the aggregation group

GroupMode Aggregation mode of the aggregation group

6-42



Click Config of the right column. The corresponding aggregation group configurationpage is displayed, see Figure 6-37.

Figure 6-37 Aggregation Group Configuration Page

You can configure the "Aggregator Mode" attribute of the aggregation group onthis page, bind ports with the aggregation group (select ports in the port available

column, and click ) and release ports from the aggregation group (select ports inthe aggregation port column, and click ).

Note:

Only the ports with the same attribute can be bound into the same aggregation group.Each aggregation group can bind up to 8 ports.

Caution!

Do not bind the port connected to the network management computer to anaggregation group. Otherwise, the network management will be interrupted.

Monitoring Informationl Terminal Log Check

Click Monitoring > Terminal Log on the left of the main page. The terminal loginformation page is displayed, see Figure 6-38.

6-43



Figure 6-38 Terminal Log Information Page

Click the Refresh button to update terminal log information.

l Port Statistics Information Check

Click Monitoring > Port Statistics on the left of the main page. The port statisticsinformation page is displayed, see Figure 6-39.

Figure 6-39 Port Statistics Information Page

Click the Refresh button to update port statistics information.

Select a port from the PortNumber drop-down list box to get the port statistics data.

l Statistics data


ReceivedBytes Received bytes

ReceivedFrames Number of received frames

6-44




ReceivedBroadcastFrames Number of received broadcast frames

ReceivedMulticastFrames Number of received multicast frames

OversizeFrames Number of oversize frames

UndersizeFrames Number of undersize frames

CrcError Number of CRC errors

SendBytes Sent bytes

SendFrames Number of sent frames

SendBroadcastFrames Number of sent broadcast frames

SendMulticastFrames Number of sent multicast frames

l Configuration Information Check

Click Monitoring > Running config on the left of the main page. The configurationinformation page is displayed, see Figure 6-40.

Figure 6-40 Configuration Information Page

This page displays configuration information of switch.

System Maintenancel Configuration Saving Page

Click Maintenance > Save on the left of the main page. The saving configurationinformation page is displayed, see Figure 6-41.

6-45



Figure 6-41 Saving Configuration Page

Click Ok to save configuration or click Cancel to cancel configuration.

Caution!

Saving configuration will cover the original configuration file. Make sure that theconfiguration need to be covered before clicking Ok.

l Configuring Reboot

Click Maintenance > Reboot on the left of the main page. The reboot function pageis displayed, see Figure 6-42.

Figure 6-42 Reboot Function Page

Click Ok to reboot the switch or click Cancel to cancel reboot.

6-46



l Uploading File

à Click Maintenance > Upload on the left of the main page. The file upload pageis displayed, see Figure 6-43.

Figure 6-43 File Upload Page

à Click Browse... to browse and select the file to be uploaded. Click OK to uploadthe file.

Note:

For safety and application, only “zImage”, “zImage.bak”, “bootrom.bin”, “startrun.dat” and “to_permmac.dat” can be uploaded.

Caution!

Make sure the legality and validity of files to be uploaded. The uploaded file will coverthe original file. If the operation is not correct, the switch cannot work. Unprofessionalpersonnel are not recommended to use this function.

l User Management

Click Maintenance > User Manager on the left of the main page. The usermanagement page is displayed, see Figure 6-44.

6-47



Figure 6-44 User Management Page

By default, the Modify tab is displayed. Modify the login password and managementpassword of the user, and then click Apply to submit.

l Adding User

Click the add button on the user management page. The adding user page isdisplayed, see Figure 6-45.

Figure 6-45 Adding User Page

Click the add button on the user management page. The adding user page isdisplayed, see Figure 6-45.

6-48



Figure 6-46 Adding User Page

Enter the password of the current user on this page, enter the information about theuser to be added, and then click Apply to submit.

l Deleting User

Click the Delete button on the user management page. The deleting user page isdisplayed, see Figure 6-47.

Figure 6-47 Deleting User Page

Select the user to be deleted, and then click Apply to submit.

6.9 M_ButtonIntroduction to the M_Button FunctionThe M_button function is used to display the key statistics data and indicate the key eventsthrough the panel indicators, which facilitates device maintenance.

6-49



For a description of the port indicators on the ZXR10 2900E, refer to Table 6-1.

Table 6-1 ZXR10 2900E Port Indicator Descriptions

Indicator State Description

Off No link.

On (green) Indicator for the physical link on an optical port.

After the system is started, a physical link is

established.

LINK

Flashing (green) Indicator for data sending and receiving a

the port. When data is sent or received, the

indicator flashes at the fixed frequency.

On (green) The port speed is the same as the default port

speed.

SPD

On (yellow) The port speed is not the same as the default

port speed.

On (green) The port is in full-duplex mode.DUP

On (yellow) The port is in half-duplex mode.

On (green) The STP status of the port is Forward.

On (yellow) In other statuses.

STA

Off The STP status of the port is Disable.

CPU% On (green) A port indicator displays the current CPU

usage.

For the 2910E-PS, the first 8 ports display

the current usage, each of which represents

12.5%. For other devices, the first 10 ports

display the current usage, each of which

represents 10%.

MEM% On (green) In this mode, a port indicator displays the

current memory usage.

For the 2910E-PS, the first 8 ports display

the current usage, each of which represents

12.5%. For other devices, the first 10 ports

display the current usage, each of which

represents 10%.

↑BW% On (green) In this mode, a port indicator displays the

current occupation rate of uplink port outbound

bandwidth. The current speed on the uplink

interface is used as the base.

6-50



Indicator State Description

↓BW% On (green) In this mode, a port indicator displays the

current occupation rate of uplink port inbound

bandwidth. The current speed on the uplink

interface is used as the base.

On (green) The device sends five ICMP to the network

management center. Each ICMP packet

corresponds to an indicator of a port (port 1–5).

If an indicator is on (green), a response of the

corresponding packet is received.

On (yellow) The device sends five ICMP to the network

management center. Each ICMP packet

corresponds to an indicator of a port (port 1–5).

If an indicator is on (yellow), no response of the

corresponding packet is received.

PING

Off No IP address is configured for the network

management center.

CRC On (yellow) There is a CRC error frame on the port.

STORM On (yellow) The port is a storm port.

The storm threshold is set to 80 percent of the

automatically negotiated speed on the port.

If the traffic sent and received on the port

exceeds the threshold, the port is a storm port.

NoMAC On (yellow) The port does not learn a MAC address.

On (green) PoE is normal.

On (yellow) PoE is abnormal.

PoE (valid only for

devices that support

PoE)Off No power.

Note:

In STA mode, if a port is added to multiple instances, the indicator of the port indicates theSTA state in the first instance.

M_Button Function Mode Switch1. There is a mode button on the panel. Press it once, and then the indicator for the next

mode (based on the sequence on the switch panel) begins flashing for 2 seconds. Ifthe button is not pressed in 2 seconds, the mode indicator is off. The device enters thismode and executes the function of this mode. If the button is pressed in 2 seconds,the next mode indicator begins flashing. The previous process is repeated.

6-51



2. In a mode, if the mode button is not pressed in 3 minutes, the device exits from thismode automatically to the LINK mode. If the button is pressed, the device enters thenext mode. The corresponding mode indicator begins flashing, which is as describedin 1.

3. In the PING mode, a ping packet is sent once per 20 seconds. In other modes, thestatuses are updated in real time.

6.10 TelnetTelnet OverviewAs a member of the TCP/IP protocol family, the Telnet protocol is the standard protocol forthe remote Internet login service. With this protocol, users can perform operations on aremote switch through a local PC.

A ZTE switch can be used as both a Telnet client and a Telnet server.

User can set the listening port number when the device is logged in to through Telnet, alsouser can set the port number and source IP address when the device is used as a Telnetclient to log in to another device.

Telnet ConfigurationThe Telnet configuration includes the following commands:

Command Function

zte(cfg)#set Telnet server {enable | disable}

Enables or disables the Telnet

server function, which is enabled

by default.

zte(cfg)#telnet <dest ip-addr> destination-port <port-num><srcip-addr>

Sets the port number and source

IP address when the device is

used as a Telnet client to log in to

another device.

zte(cfg)#set telnet listen-port <port>

Sets the listening port number

when the device is logged in to

through Telnet. The value is 23 or

between 1025 and 49151.

show Telnet (for all configuration modes)Displays the Telnet configuration

and status.

Telnet Configuration Instancel Configuration Description

See Figure 6-48, a switch has a layer-3 port with the IP address 192.168.1.1/24, andthe IP address of the PC is 192.168.1.100/24. The PC remotely logs in to the switchthrough Telnet.

6-52



Figure 6-48 Telnet Login Instance

l Configuration Procedure1. Configure the switch

By default, the Telnet server function is enabled. You can use the followingcommand to make sure that the function is enabled.

zte(cfg)#show Telnet

Telnet server is enable

Telnet server is listening on port 23

2. Configure the PC

Note:

Windows 2000 provides the Telnet client and server programs. Telnet.exe

is the client program and tlntsvr.exe is the server program. In addition,Windows 2000 provides the Telnet server management program tlntadmn.exe.By default, the Telnet service is installed in Windows 2000.

Execute the Telnet command on the PC, see Figure 6-49.

Figure 6-49 Executing the Telnet Command on the PC

For the Telnet login result, see Figure 6-50.

6-53



Figure 6-50 Telnet Login Result

6-54


Chapter 7MaintenanceTable of Contents

Routine Maintenance .................................................................................................7-1Virtual Circuit Tester ...................................................................................................7-2Common Fault Handling.............................................................................................7-3

7.1 Routine MaintenanceDaily Maintenance Items1. Checking the operation state of the switch.

a. Verifying that the interface of the back-end terminal can be operated.

b. Verifying that each indicator of the switch is in the normal state.

c. Verifying that the fans of the switch operate properly.

d. Verifying that the temperature of the switch is normal and there is no abnormalsmell in the equipment room.

e. Checking the system alarms.

2. Checking the communication between the switch and each connected device.

Log in to the switch through HyperTerminal or Telnet. Run the ping command to testvarious network segments for connectivity check.

3. Verifying the services related to the switch are normal.4. Recording operations and phenomena on the current day.

The operations are those performed on the switch. The phenomena include the switchstate and equipment room environment.

Monthly Maintenance Items1. Summarizing daily operations every month.

a. Summarizing problems encountered during daily operation. If necessary, discusswith ZTE maintenance engineers.

b. Summarizing daily maintenance experience to performmore efficient maintenancein the future.

2. Cleaning the equipment room.

a. Cleaning the air conditioner and check its performance.

7-1



b. Cleaning cable troughs and secure loosened wires.

3. Cleaning the switch.

Ensuring that the cloth is not too wet and that the operation does not affect interfaces.

4. Backing up alarm information, statistics information, and configuration information.

Maintenance PeriodFor the maintenance period of the Ethernet switch, refer to Table 7-1.

Table 7-1 Maintenance Period of the Ethernet Switch

No. Maintenance Item Maintenance Period

1 Checking the switch running state Day

2 Checking the equipment room temperature and

humidity, and power supply

Day

3 Checking the communication state between the

switch and each connected device

Day

4 Checking service state Day

5 Monthly summary of daily problems Month

6 Monthly summary of daily maintenance

experience

Month

7 Cleaning the equipment room Month

8 Cleaning the switch Month

9 Yearly summary Year

10 Full maintenance and check of devices in the

monitoring room

Year

7.2 Virtual Circuit TesterThe Virtual Circuit Tester (VCT) uses a Time Domain Reflectometry (TDR) to diagnose theline state, such as Open, Short, Impedance Mismatch and Good termination, and calculatethe location of a faulty line using a fitting formula.

Run the show vct port <1-28> command to check the VCT detection result of the specifiedport.

Example 1zte(cfg)#show vct port 1

Cable Test Result for Port 1

RX PAIR : /* Wiring pair for receiving data in the twisted pair cable */

Cable Test Passed. No problem found.

7-2


Chapter 7 Maintenance

Cable Length is unknown.

TX PAIR : /* Wiring pair for sending data in the twisted pair cable */

Cable Test Passed. No problem found.

Cable Length is unknown.

Example 2zte(cfg)#show vct port 8

Cable Test Result for Port 8

RX PAIR :

Cable Test Passed. Cable is open.

Approximately 7 meters from the tested port.

TX PAIR :

Cable Test Passed. Cable is open.

Approximately 6 meters from the tested port.

7.3 Common Fault Handling

7.3.1 OverviewFaults include hardware faults and software faults. Hardware faults can be removed bychanging hardware if the faults are correctly located. Software and configuration faultscan be removed by correct operations.

During handling faults, first of all, you should verify that the device configurations arecorrect, the device cables are connected properly, and the device environment satisfiesrequirements.

7.3.2 Configuration Through the Console Port Failed

SymptomFailed to configure the switch through the console port.

Related Component CheckCheck the configuration cable, serial port of HyperTerminal, and console port of the switch.

Fault Analysis1. The configuration cable is incorrect.2. The serial port attributes of HyperTerminal are incorrect, or the serial port is faulty.3. The console port of the switch is faulty.

7-3



Solution1. Use a correct configuration cable.2. Check the serial port attributes of HyperTerminal. The correct settings are as follows:

Bits per Second (baud rate) is 9600, Data bit is 8, Parity is None, and Flow controlis None. Verify that the serial port is normal and replace the terminal if necessary.

3. Verity that the Console port of the switch is normal.

7.3.3 Telnet Connection Failed

SymptomFailed to connect the Switch through Telnet.

Fault Analysis1. The port PVID is incorrect.2. The port is disabled.3. The VLAN bound to the IP port is disabled.4. The IP address, subnet mask or default gateway of the switch is incorrect.5. The IP address of the switch conflicted with the IP address of another device.6. The wrongREMOTEACCESS setting of the switch caused the IP address to be filtered

out.

Solution1. Set the port PVID to be the same as the VLAN ID to which the port belongs.2. Enable the port.3. Enable the VLAN bound to the IP port.4. Configure a valid IP address, subnet mask and default gateway for the switch.5. Modify the IP address of the switch or another device to remove the IP address conflict.6. Set REMOTE ACCESS to “any”.

7.3.4 Web Management Failed

SymptomWhen the Web browser was opened on the local computer, the Web management pagesfailed to be opened.

Fault Analysis1. The browser version is too low.2. An incorrect address or port number was entered in the address bar.3. The communication between the local computer and the switch failed.4. The switch did not configure a management port or the IP address of the switch is

incorrect.

7-4



5. The switch did not enable the Web management function.

Solution1. Upgrade the browser version on the local computer to at least IE 6.0.2. Check the switch configuration to obtain a correct IP address and port number.3. Check the line between the local computer and the switch to ensure that the

communication is normal.4. Configure a correct management port and IP address for the switch.5. Enable the Web management function of the switch and set a port number.

7.3.5 Login Username or Password Lost

SymptomA user cannot log in to the switch after entering the username and password.

Fault AnalysisThe username or password used to log in to the switch is incorrect.

SolutionFirst of all, confirm whether the system administrator can find the original username andpassword. If the system administrator cannot find the original username and password,reboot the switch and delete the configuration file. The operation procedure is as follows:

1. Reboot the switch and press any key on the HyperTerminal to enter the boot state.ZXR10 2928E BootRom Version v1.15

Compiled May 21 2012 08:57:22

Copyright (c) 2010 by ZTE Corporation.


actport : 1

serverip : 10.40.89.78

netmask : 255.255.255.0

ipaddr : 10.40.89.79

bootfile : /img/zImage.B10

username : ZXR10

password : ZXR10

MAC : 00:d0:d0:29:28:01

Press any key to stop autoboot: 2

[ZXR10 Boot]:

2. In [ZXR10 Boot] state, enter [ZXR10 Boot]:zte to enter [BootManager] state of theswitch. Enter <?> for command help.[BootManager]: ?

? - alias for 'help'

7-5



cd - change current path

exit - exit from BootManager mode

format - format flash

ftp - get/put file from/to FTP server

help - print online help

load - load zImage

ls - list files in current directory

mv - change [source] name to [destination] name

poever - get poe firmware version

reboot - perform REBOOT of the CPU

rm - remove file

setBOOTpassword - set password for BOOT mode

setPtype- set packaged type

show - show board information

update - update boot or firmware

[BootManager]:

3. Run the rm command to delete the startrun.dat configuration file. Reboot theswitch.[bootManager]:cd cfg

[bootManager]: ls

/cfg/

startrun.dat 671

to_permmac.dat 98304

[bootManager]: rm startrun.dat

[bootManager]: ls

/cfg/

to_permmac.dat 98304

[bootManager]:

4. After the switch is rebooted, use the default username and password to log in to theswitch.

7.3.6 Enable Password Lost

SymptomA login user failed to enter global configuration mode after entering a password.

Fault AnalysisAn incorrect password was used when the user tried to enter global configuration mode.

SolutionFor the handling method, refer to 7.3.5 Login Username or Password Lost.

7-6



NoteBefore the switch is rebooted, record the current configuration for reconfiguration.

7.3.7 Two Devices in the Same VLAN Cannot Communicate

SymptomTwo devices connected to two ports in the same one VLAN of the switch cannotcommunicate.

Fault Analysis1. The port PVID is incorrect.2. The ports are disabled.3. The VLAN bound to the ports is disabled.4. When the ports were added in the VLAN, tag was selected.5. IP addresses of the devices were not set or not in the same network segment.

Solution1. Set the port PVID to be the same as the VLAN ID to which the ports belong.2. Enable all the ports used.3. Enable the VLAN used.4. Add the ports in the VLAN again, and select untag.5. Set correct IP addresses for the devices.

7.3.8 Authentication Timed Out in Campus Network

SymptomThere were six buildings in the student dormitory of school A. If students wanted to accessthe Internet, their computers must pass the authentication and accounting system. TheRadius server software and Bras hardware devices of the authentication and accountingsystem were provided by company B. The DOT1X port authentication function must beenabled on the access layer device ZXR10 2900E and it works with the authenticationand accounting system of company B to provide authentication and accounting servicesfor the students.

Company B completed the debugging of the Radius server and Bras devices andallocated the authentication and accounting clients to each building for installation. Moststudents registered and activated their accounts. After the preparation was completed,ZTE’s maintenance engineers enabled the DOT1X function on the access layer devicesof the six buildings, as required by the customer. The configuration of the ZXR10 2900Ewas as follows:

Two devices connected to two ports in the same VLAN cannot ping each other.

set port 1-24 security enable

7-7



config nas

radius isp test defaultisp enable

radius isp test sharedsecret amtium

/*Shared key negotiated with company B*/

radius isp test add accounting 10.150.12.101

/*Address of the authentication and accounting server of company B*/

radius isp test add authentication 10.150.12.101

/*Address of the authentication and accounting server of company B*/

radius isp test client 172.16.0.181

/*ISP name and IP address accessing the switch*/

aaa-control port 1-24 dot1x enable

aaa-control port 1-24 accounting enable

aaa-control port 1-24 port-mode auto

When the configuration was completed, the authentication of some computers in B1, B2and B3 timed out.

Fault AnalysisThe students’ accounts and configuration were correct, and the configuration of the ZXR102900E was correct. Even if ZTE’s maintenance engineers replaced the faulty switch witha new one, the problem still existed. The diagnosis result was that the interconnectionbetween devices of ZTE and company B was faulty.

By capturing packets, ZTE’s maintenance engineers found that the ZXR10 2900E sent aRadius Access Request message to the authentication and accounting server of companyB, but did not receive a response message. In normal circumstance, the Radius messagereceiving and sending procedure is as follows:

1. When the server accesses the switch, the switch sends an Access Request message.2. The server returns an Access Challenge message.3. The switch sends an Access Request message again.4. The server returns an Access Accept message.5. The switch sends an Accounting Request message.6. The server returns an Accounting Response message.

Because the authentication data packet flows captured on the two same ZXR10 2900Edevices were not the same, the diagnosis result was that the configuration of theauthentication and accounting server of company B was incorrect. Engineers of companyB checked alarms on the authentication and accounting server, and an alarm " AP notsupport user auth type” was located. That is, authentication types of the server andthe switch were different. When the back-end configuration of the authentication andaccounting server was checked, it was found that the shared key on the switches ofbuildings B1, B2 and B3 was set to “antium”, but the negotiated key was "amtium".

7-8



SolutionThe engineers of company B change the shared key to “amtium”, and the problem is solvedcompletely.

7.3.9 Solution to ARP Attacks in Campus Network

SymptomEleven access layer switches ZXR10 2900E in the same VLAN in a student dormitorybuilding cannot connect the network. 40% of users in this building failed to access theInternet.

Fault AnalysisAfter checking the network management system, maintenance engineers found that theeleven switches were disconnected and failed to be pinged. The maintenance engineersarrived at the weak electricity well in which four switches were installed, accessed theswitch whose IP address was 172.168.0.123 through HyperTerminal, and found its CPUusage reached 93%–100%. The maintenance engineers checked the alarm informationand configuration information, but no exception was found. The maintenance engineersthen accessed the convergence layer switch T40G and found an alarm “port 4 receivestoo many ARP broadcast packets”. After checking the traffic on this port, the maintenanceengineers found that about 100,000 broadcast packets were added every ten seconds.

After analyzing the ZXR10 2900E connected to the port, the maintenance engineers foundthe following conditions:

1. There was a loop on the user side.2. A user’s computer was infected by a virus and sent broadcast packets continuously.3. A user’s computer was installed with the ARP attack software and sent ARP attack

packets continuously.

The IP address of the ZXR10 2900E connected to the port was 172.168.0.111. Themaintenance engineers connected the switch through a network cable and capturedpackets. After analyzing the packets, the maintenance engineers found that a computerwith the MAC address “00:19:e0:a9:5a:fc” sent ARP broadcast packets continuously.Based on the label on the network cable, the computer was in room 2606. After themaintenance engineers removed its network cable, the eleven switches recovered normaland CPU utilization was no more than 5%.

Solution1. Filter out the MAC address of the computer on the access layer switch and prohibit it

from accessing the Internet.2. Notify the central equipment room of the school to prohibit the computer from

accessing the Internet before its hard disk is formatted and the system is reinstalled.3. Install an ARP virus kill tool on all computers.

7-9




7-10


FiguresFigure 3-1 ZXR10 2900E's Configuration Modes ...................................................... 3-1

Figure 3-2 Connection Description Dialog Box .......................................................... 3-2

Figure 3-3 Connect To Dialog Box ............................................................................ 3-2

Figure 3-4 COM1 Properties Dialog Box ................................................................... 3-3

Figure 3-5 Running Telnet......................................................................................... 3-4

Figure 3-6 Telnet Window ......................................................................................... 3-4

Figure 4-1 TFTP Server ............................................................................................ 4-4

Figure 4-2 Tftpd Settings Dialog Box......................................................................... 4-4

Figure 4-3 Connect to Server Dialog Box .................................................................. 4-5

Figure 4-4 FileZilla Server Window ........................................................................... 4-5

Figure 4-5 Users Dialog Box ..................................................................................... 4-6

Figure 4-6 Directory Setting ...................................................................................... 4-6

Figure 4-7 Network Architecture for Automatic Configuration File Download ........... 4-10

Figure 4-8 Network Structure for Automatic Configuration File Upload .................... 4-10

Figure 5-1 PoE Application ....................................................................................... 5-8

Figure 5-2 Port Mirroring Configuration Instance..................................................... 5-12

Figure 5-3 LACP Configuration Instance................................................................. 5-19

Figure 5-4 Network Topology of IGMP Snooping Configuration Instance................. 5-23

Figure 5-5 MLD Snooping Configuration Instance................................................... 5-26

Figure 5-6 IPTV Configuration Instance 1 ............................................................... 5-31

Figure 5-7 IPTV Configuration Instance 2 ............................................................... 5-32

Figure 5-8 MSTP Topological Structure................................................................... 5-35

Figure 5-9 STP Configuration Instance ................................................................... 5-39

Figure 5-10 RSTP Configuration Instance............................................................... 5-40

Figure 5-11 MSTP Configuration Instance............................................................... 5-41

Figure 5-12 ACL Configuration Instance ................................................................. 5-53

Figure 5-13 QoS Configuration Instance ................................................................. 5-59

Figure 5-14 PVLAN Configuration Example 1 ......................................................... 5-61

Figure 5-15 PVLAN Configuration Example 2 ......................................................... 5-62

Figure 5-16 Layer 2 Protocol Transparent Transmission ConfigurationTopology ............................................................................................... 5-64

Figure 5-17 Layer-3 Configuration Instance ............................................................ 5-67

I



Figure 5-18 Layer-3 IPv6 Configuration Instance .................................................... 5-69

Figure 5-19 DAI Configuration InstanceTopology .................................................... 5-70

Figure 5-20 Using PAP Mode for Identity Authentication ......................................... 5-73

Figure 5-21 Using Chap Mode for Identity Authentication ....................................... 5-74

Figure 5-22 Using EAP Mode for Identity Authentication ......................................... 5-74

Figure 5-23 Access Authentication Configuration Instance...................................... 5-78

Figure 5-24 Typical QinQ Network .......................................................................... 5-80

Figure 5-25 QinQ Configuration Instance ................................................................ 5-82

Figure 5-26 SQinQ Configuration Instance.............................................................. 5-83

Figure 5-27 VLAN Transparent Transmission Configuration Instance...................... 5-86

Figure 5-28 VLAN Mapping Network Diagram......................................................... 5-87

Figure 5-29 VLAN Mapping Configuration Instance................................................. 5-89

Figure 5-30 GVRP Configuration Instance .............................................................. 5-94

Figure 5-31 DHCP Snooping/Option82 Configuration Instance Topology ................ 5-99

Figure 5-32 DHCP Client Configuration Instance Topology ................................... 5-101

Figure 5-33 DHCPv6 Snooping/Option82 Configuration Instance.......................... 5-103

Figure 5-34 VBAS Typical Network ...................................................................... 5-105

Figure 5-35 VBAS Configuration Instance Topology.............................................. 5-106

Figure 5-36 PPPOE-PLUS Configuration Instance Topology................................. 5-107

Figure 5-37 Diagram of the Master Node Blocking its Secondary Port When theRing is in UP State.............................................................................. 5-109

Figure 5-38 Diagram of the Master Node Opening its Secondary Port When theRing is in DOWN State ....................................................................... 5-110

Figure 5-39 Transmission Link Fault Diagram ........................................................5-111

Figure 5-40 ZESR Single-Domain Multi-Ring Configuration Example.................... 5-115

Figure 5-41 ZESR Single-Ring Multi-Domain Configuration Example.................... 5-118

Figure 5-42 ZESR Dual-Node Dual-Uplink Configuration Example........................ 5-120

Figure 5-43 ZESS Network Topology .................................................................... 5-123

Figure 5-44 ZESS Networking Configuration......................................................... 5-125

Figure 5-45 Remote Loop Network ....................................................................... 5-128

Figure 5-46 Link Control Network.......................................................................... 5-131

Figure 5-47 PP Configuration Instance ................................................................. 5-134

Figure 5-48 LLDP Configuration Instance ............................................................. 5-137

Figure 5-49 Single Port Loop Detection Configuration Topology............................ 5-139

Figure 5-50 Double Ports Loop Detection Configuration Topology......................... 5-140

Figure 5-51 UDLD Configuration Instance............................................................. 5-142

II


Figures

Figure 5-52 TACACS+ Configuration Instance ...................................................... 5-145

Figure 5-53 Voice VLAN Configuration Instance ................................................... 5-147

Figure 5-54 Single Management Domain .............................................................. 5-149

Figure 5-55 Single-Domain CFM Network Without MIP......................................... 5-152

Figure 5-56 Single-Domain CFM Network With MIP.............................................. 5-153

Figure 5-57 LM Network Configuration Instance ................................................... 5-155

Figure 5-58 DM Network Configuration Instance................................................... 5-156

Figure 5-59 AIS/LCK Network Configuration Instance........................................... 5-157

Figure 5-60 DHCP Relay Configuration Instance .................................................. 5-162

Figure 5-61 MFF Configuration Instance............................................................... 5-166

Figure 5-62 SSL Configuration Instance ............................................................... 5-168

Figure 5-63 Internet Options Dialog Box ............................................................... 5-169

Figure 5-64 Certificates Dialog Box....................................................................... 5-169

Figure 5-65 Certificates Dialog Box—Importing a Certificate ................................. 5-170

Figure 5-66 SSL Login Page................................................................................. 5-170

Figure 5-67 Main Page for Web-Based Management............................................ 5-171

Figure 5-68 Example of the Primary Node Blocking the Secondary Port (RingStatus: UP)......................................................................................... 5-173

Figure 5-69 Example of the Primary Node Enabling the Secondary Port (Ringstatus: DOWN) ................................................................................... 5-173

Figure 5-70 Configuration Example of a Single ERPS Domain with MultipleLoops ................................................................................................. 5-175

Figure 5-71 Configuration Example of Multiple ERPS Domains ............................ 5-177

Figure 6-1 SSH Remote Login Example.................................................................... 6-4

Figure 6-2 Setting IP Address and Port Number of the SSH Server .......................... 6-4

Figure 6-3 Setting the SSH Version Number ............................................................. 6-5

Figure 6-4 User Confirmation Dialog Box .................................................................. 6-5

Figure 6-5 SSH Login Result .................................................................................... 6-6

Figure 6-6 SFTP File Upload and Download Instance............................................... 6-6

Figure 6-7 WinSCP Login Dialog Box—Creating a Session ...................................... 6-7

Figure 6-8 WinSCP Login Dialog Box—Setting SFTP Parameters ............................ 6-8

Figure 6-9 Preferences Dialog Box ........................................................................... 6-9

Figure 6-10 Warning Dialog Box ............................................................................... 6-9

Figure 6-11 Authentication Banner Dialog Box ........................................................ 6-10

Figure 6-12 Password Dialog Box........................................................................... 6-10

Figure 6-13 Authentication Banner Dialog Box—Successful Authentication ............ 6-11

III



Figure 6-14 WinSCP Desktop Window.................................................................... 6-11

Figure 6-15 MAC Change Notification Configuration Network ................................. 6-17

Figure 6-16 Cluster Management Network.............................................................. 6-22

Figure 6-17 Changeover Rules of Roles ................................................................. 6-23

Figure 6-18 Cluster Management Network.............................................................. 6-26

Figure 6-19 System Login Interface ........................................................................ 6-30

Figure 6-20 System Main Interface ......................................................................... 6-30

Figure 6-21 System Information Page..................................................................... 6-31

Figure 6-22 Port State Information Page................................................................. 6-32

Figure 6-23 Port Configuration Information Page .................................................... 6-33

Figure 6-24 Single Port Configuration Page ............................................................ 6-34

Figure 6-25 Bulk Port Configuration Page ............................................................... 6-35

Figure 6-26 VLAN Information Page ....................................................................... 6-35

Figure 6-27 VLAN Number Entering Page .............................................................. 6-36

Figure 6-28 Single VLAN Configuration Page ......................................................... 6-37

Figure 6-29 Bulk VLAN Configuration Page ............................................................ 6-37

Figure 6-30 PVLAN Information Page ..................................................................... 6-38

Figure 6-31 PVLAN Configuration Page.................................................................. 6-39

Figure 6-32 Mirror Information Page ....................................................................... 6-40

Figure 6-33 Mirroring Port Configuration Page ........................................................ 6-40

Figure 6-34 LACP Basic Attribute Page .................................................................. 6-41

Figure 6-35 Bulk Aggregation Port Configuration Page ........................................... 6-42

Figure 6-36 Aggregation Group Information Page................................................... 6-42

Figure 6-37 Aggregation Group Configuration Page................................................ 6-43

Figure 6-38 Terminal Log Information Page ............................................................ 6-44

Figure 6-39 Port Statistics Information Page ........................................................... 6-44

Figure 6-40 Configuration Information Page............................................................ 6-45

Figure 6-41 Saving Configuration Page .................................................................. 6-46

Figure 6-42 Reboot Function Page ......................................................................... 6-46

Figure 6-43 File Upload Page ................................................................................. 6-47

Figure 6-44 User Management Page ...................................................................... 6-48

Figure 6-45 Adding User Page................................................................................ 6-48

Figure 6-46 Adding User Page................................................................................ 6-49

Figure 6-47 Deleting User Page.............................................................................. 6-49

Figure 6-48 Telnet Login Instance ........................................................................... 6-53

IV


Figures

Figure 6-49 Executing the Telnet Command on the PC........................................... 6-53

Figure 6-50 Telnet Login Result .............................................................................. 6-54

V


Figures


VI


TablesTable 3-1 Configuration Command............................................................................ 3-3

Table 3-2 Common Command Parameters ............................................................. 3-11

Table 3-3 Editing Commands Through Keystrokes.................................................. 3-14

Table 5-1 Port Role and Port State.......................................................................... 5-35

Table 5-2 Syslog Log Information............................................................................ 5-90

Table 5-3 Basic ZESR Concepts ........................................................................... 5-108

Table 5-4 Basic ZESS Concepts ........................................................................... 5-121

Table 6-1 ZXR10 2900E Port Indicator Descriptions................................................ 6-50

Table 7-1 Maintenance Period of the Ethernet Switch ............................................... 7-2

VII


Tables


VIII


GlossaryACL- Access Control List

AIS- Alarm Indication Signal

AP- Access Point

ARP- Address Resolution Protocol

BAS- Broadband Access Server

BPDU- Bridge Protocol Data Unit

CAR- Committed Access Rate

CCM- Continuity Check Message

CFM- Connectivity Fault Management

CIST- Common and Internal Spanning Tree

CoS- Class of Service

CST- Common Spanning Tree

C-VLAN- Customer VLAN

DAI- Dynamic ARP Inspection

DHCP- Dynamic Host Configuration Protocol

DM- Delay Measurement

DoS- Denial of Service

IX



DSCP- Differentiated Services Code Point

EAPOL- Extensible Authentication Protocol Over LAN

EAPS- Ethernet Automatic Protection Switching

ERPS- Ethernet Ring Protection Switching

FTP- File Transfer Protocol

GARP- Generic Attribute Registration Protocol

GVRP- GARP VLAN Registration Protocol

IETF- Internet Engineering Task Force

IGMP- Internet Group Management Protocol

IP- Internet Protocol

IPTV- Internet Protocol Television

IST- Internal Spanning Tree

LACP- Link Aggregation Control Protocol

LBM- Loopback Message

LBR- Loopback Reply

LCK- Locked

LLDP- Link Layer Discovery Protocol

LM- Loss Measurement

LTM- Link Trace Message

X


Glossary

LTR- Link Trace Reply

MDI/MDIX- Media-Dependent Interface/Media-Dependent Interface-crossover

MEP- Maintenance association End Point

MFF- MAC-Forced Forwarding

MIB- Management Information Base

MIP- Maintenance domain Intermediate Point

MLD- Multicast Listener Discovery

MST- Multiple Spanning Tree

MSTP- Multiple Spanning Tree Protocol

NAS- Network Access Service

NMS- Network Management System

NTP- Network Time Protocol

OAM- Operation, Administration and Maintenance

OUI- Organizationally Unique Identifier

PE- Provider Edge

PoE- Power over Ethernet

PPPoE- Point to Point Protocol over Ethernet

PVLAN- Private Virtual Local Area Network

QoS- Quality of Service

XI



RADIUS- Remote Authentication Dial In User Service

RDI- Remote Defect Indication

RMON- Remote Monitoring

RPL- Ring Protection Link

RSTP- Rapid Spanning Tree Protocol

SBT- Side Smart Bias Tee

SNMP- Simple Network Management Protocol

SP- Strict Priority

SQinQ- Selective QinQ

SSH- Secure Shell

SSL- Secure Sockets Layer

STP- Spanning Tree Protocol

TACACS+- Terminal Access Controller Access-Control System Plus

TC- Traffic Classification

TCP- Transmission Control Protocol

TDR- Time Domain Reflectometry

TFTP- Trivial File Transfer Protocol

UDLD- Unidirectional Link Detection

UDP- User Datagram Protocol

XII


Glossary

VBAS- Virtual Broadband Access Server

VLAN- Virtual Local Area Network

VPN- Virtual Private Network

WRR- Weighted Round Robin

ZDP- ZTE Discovery Protocol

ZESR- ZTE Ethernet Switch Ring

ZESS- ZTE Ethernet Smart Switch

ZTP- ZTE Topology Protocol

XIII


ZXR102900ESeriesnova-minsk.com/ZTE/29E/SJ-20130731155059-002-ZXR10 2900E... · 2016-09-30 ·...

Documents

Transcript of ZXR102900ESeriesnova-minsk.com/ZTE/29E/SJ-20130731155059-002-ZXR10 2900E... · 2016-09-30 ·...