Configuration Guide - Ethernet(V100R006C00_01).pdf

8/11/2019 Configuration Guide - Ethernet(V100R006C00_01).pdf

http://slidepdf.com/reader/full/configuration-guide-ethernetv100r006c0001pdf 1/442

Quidway S6700 Series Ethernet Switches

V100R006C00

Configuration Guide - Ethernet

Issue 01

Date 2011-07-15

HUAWEI TECHNOLOGIES CO., LTD.



Copyright © Huawei Technologies Co., Ltd. 2011. All rights reserved.

No part of this document may be reproduced or transmitted in any form or by any means without prior written

consent of Huawei Technologies Co., Ltd.

Trademarks and Permissions

and other Huawei trademarks are trademarks of Huawei Technologies Co., Ltd.

All other trademarks and trade names mentioned in this document are the property of their respective holders.

Notice

The purchased products, services and features are stipulated by the contract made between Huawei and the

customer. All or part of the products, services and features described in this document may not be within the

purchase scope or the usage scope. Unless otherwise specified in the contract, all statements, information,and recommendations in this document are provided "AS IS" without warranties, guarantees or representations

of any kind, either express or implied.

The information in this document is subject to change without notice. Every effort has been made in the

preparation of this document to ensure accuracy of the contents, but all statements, information, and

recommendations in this document do not constitute the warranty of any kind, express or implied.

Huawei Technologies Co., Ltd.

Address: Huawei Industrial Base

Bantian, Longgang

Shenzhen 518129

People's Republic of China

Website: http://www.huawei.com

Email: [email protected]

Issue 01 (2011-07-15) Huawei Proprietary and Confidential

Copyright © Huawei Technologies Co., Ltd.

i

http://www.huawei.com/



About This Document

Intended Audience

This document provides the basic concepts, configuration procedures, and configuration

examples in different application scenarios of the Ethernet feature supported by the S6700

device.

This document describes how to configure the Ethernet feature.

This document is intended for:

l Data configuration engineers

l Commissioning engineers

l Network monitoring engineers

l System maintenance engineers

Symbol Conventions

The symbols that may be found in this document are defined as follows.

Symbol Description

DANGER

Indicates a hazard with a high level of risk, which if not

avoided, will result in death or serious injury.

WARNINGIndicates a hazard with a medium or low level of risk, whichif not avoided, could result in minor or moderate injury.

CAUTION

Indicates a potentially hazardous situation, which if not

avoided, could result in equipment damage, data loss,

performance degradation, or unexpected results.

TIP Indicates a tip that may help you solve a problem or save

time.

NOTE Provides additional information to emphasize or supplement

important points of the main text.


Configuration Guide - Ethernet About This Document



ii



Command Conventions

The command conventions that may be found in this document are defined as follows.

Convention Description

Boldface The keywords of a command line are in boldface.

Italic Command arguments are in italics.

[ ] Items (keywords or arguments) in brackets [ ] are optional.

{ x | y | ... } Optional items are grouped in braces and separated by vertical

bars. One item is selected.

[ x | y | ... ] Optional items are grouped in brackets and separated by vertical

bars. One item is selected or no item is selected.

{ x | y | ... }* Optional items are grouped in braces and separated by vertical bars. A minimum of one item or a maximum of all items can be

selected.

[ x | y | ... ]* Optional items are grouped in brackets and separated by vertical

bars. Several items or no item can be selected.

&<1-n> The parameter before the & sign can be repeated 1 to n times.

# A line starting with the # sign is comments.

Change History

Updates between document issues are cumulative. Therefore, the latest document issue contains

all updates made in previous issues.

Changes in Issue 01 (2011-07-15)

Initial commercial release.


Configuration Guide - Ethernet About This Document



iii



Contents

About This Document.....................................................................................................................ii

1 Ethernet Interface Configuration...............................................................................................1

1.1 Introduction to Ethernet Interfaces.....................................................................................................................2

1.2 Ethernet Inter face Features Supported by the S6700.........................................................................................21.3 Configuring Advanced Attributes of an Ethernet Interface................................................................................2

1.3.1 Establishing the Configuration Task.........................................................................................................2

1.3.2 (Optional) Configuring a Description for an Interface..............................................................................3

1.3.3 (Optional) Configuring Loopback on the Ethernet Interface....................................................................3

1.3.4 (Optional) Configuring the Interface Group..............................................................................................4

1.3.5 (Optional) Setting the Maximum Frame Length on the Ethernet Interface...............................................4

1.3.6 (Optional) Enabling Flow Control.............................................................................................................5

1.3.7 (Optional) Enabling Port Isolation............................................................................................................5

1.3.8 (Optional) Configuring a Loopback Test on an Interface.........................................................................6

1.3.9 Checking the Configuration.......................................................................................................................7

1.4 Maintaining Ethernet Interfaces.........................................................................................................................7

1.4.1 Debugging Ethernet Interfaces..................................................................................................................7

1.5 Configuration Examples.....................................................................................................................................7

1.5.1 Example for Configuring Port Isolation....................................................................................................8

2 Link Aggregation Configuration..............................................................................................10

2.1 Introduction to Link Aggregation.....................................................................................................................11

2.2 Link Aggregation Supported by the S6700......................................................................................................11

2.3 Configuring Link Aggregation in Manual Load Balancing Mode...................................................................12

2.3.1 Establishing the Configuration Task.......................................................................................................12

2.3.2 Conf iguring the Eth-Trunk to Work in Manual Load Balancing Mode..................................................13

2.3.3 Adding Member Interfaces to an Eth-Trunk...........................................................................................14

2.3.4 (Optional) Configuring the Load Balancing Mode.................................................................................15

2.3.5 (Optional) Limiting the Number of Active Interfaces.............................................................................16

2.3.6 Checking the Configuration.....................................................................................................................17

2.4 Configuring Link Aggregation in Static LACP Mode.....................................................................................17


2.4.2 Configuring the Eth-Trunk to Work in Static LACP Mode....................................................................18

2.4.3 Adding Member Interfaces to an Eth-Trunk...........................................................................................19


Configuration Guide - Ethernet Contents



iv



2.4.4 (Optional) Configuring the Load Balancing Mode.................................................................................20

2.4.5 (Optional) Limiting the Number of Active Interfaces.............................................................................21

2.4.6 (Optional) Setting the LACP Priority of the System...............................................................................22

2.4.7 (Optional) Setting the LACP Priority of an Interface..............................................................................23

2.4.8 (Optional) Enabling LACP Preemption and Setting the Delay for LACP Preemption...........................23

2.4.9 (Optional) Setting the Timeout Interval for Receiving LACP Packets...................................................24

2.4.10 Checking the Configuration...................................................................................................................25

2.5 Configuring an E-Trunk...................................................................................................................................25


2.5.2 Setting the LACP System ID and LACP Priority of an E-Trunk............................................................26

2.5.3 Creating an E-Trunk and Setting Its Priority...........................................................................................27

2.5.4 Configuring Local and Peer IP Addresses of an E-Trunk.......................................................................28

2.5.5 Binding an E-Trunk to a BFD Session....................................................................................................28

2.5.6 Adding an Eth-Trunk to an E-Trunk.......................................................................................................29

2.5.7 (Optional) Configuring the Working Mode of an Eth-Trunk in an E-Trunk..........................................29

2.5.8 (Optional) Setting the Password..............................................................................................................30

2.5.9 (Optional) Setting the Timeout of Hello Packets....................................................................................31

2.5.10 (Optional) Setting the Revertive Switching Delay................................................................................32


2.6 Maintaining Link Aggregation.........................................................................................................................33

2.6.1 Clearing Statistics of LACP Packets.......................................................................................................33

2.6.2 Debugging the Link Aggregation Group.................................................................................................33

2.6.3 Monitoring the Operation Status of the Link Aggregation Group..........................................................342.7 Configuration Examples...................................................................................................................................34

2.7.1 Example for Configuring Link Aggregation in Manual Load Balancing Mode.....................................34

2.7.2 Example for Configuring Link Aggregation in Static LACP Mode.......................................................37

3 VLAN Configuration..................................................................................................................41

3.1 Introduction......................................................................................................................................................43

3.2 VLAN Featur es Supported by the S6700.........................................................................................................50

3.3 Dividing a LA N into VLANs...........................................................................................................................54


3.3.2 Dividing a LAN into VLANs Based on Ports.........................................................................................573.3.3 Dividing a LAN into VLANs Based on MAC Addresses.......................................................................59

3.3.4 Dividing a LAN into VLANs Based on IP Subnets................................................................................60

3.3.5 Dividing a LAN into VLANs Based on Protocols..................................................................................62

3.3.6 Dividing a LAN into VLANs Based on Policies.....................................................................................64


3.4 Creating a VLANIF Interface...........................................................................................................................65


3.4.2 Creating a VLANIF Interface..................................................................................................................66

3.4.3 Assigning an IP Address to a VLANIF Interface....................................................................................67

3.4.4 (Optional) Setting a Delay After Which a VLANIF Interface Goes Down............................................67





v



3.4.5 (Optional) Setting the MTU of a VLANIF Interface...............................................................................68


3.5 Configuring Inter-VLAN Communication.......................................................................................................69


3.5.2 Configuring VLANIF Interfaces for Inter-VLAN Communication........................................................70


3.6 Configuring VLAN Aggregation to Save IP Addresses...................................................................................72


3.6.2 Creating a Sub-VLAN.............................................................................................................................73

3.6.3 Creating a Super-VLAN..........................................................................................................................74

3.6.4 Assigning an IP Address to the VLANIF Interface of a Super-VLAN...................................................75

3.6.5 (Optional) Enabling Proxy ARP on the VLANIF Interface of a Super-VLAN......................................75


3.7 Configuring a MUX VLAN to Separate Layer 2 Traffic.................................................................................77


3.7.2 Configuring a Principal VLAN for a MUX VLAN................................................................................78

3.7.3 Conf iguring a Group VLAN for a Subordinate VLAN...........................................................................79

3.7.4 Configuring a Separate VLAN for a Subordinate VLAN.......................................................................79

3.7.5 Enabling the MUX VLAN Function on a Port........................................................................................80


3.8 Configuring a Voice VLAN to Transmit Voice Data.......................................................................................81


3.8.2 Enabling the Voice VLAN Function.......................................................................................................833.8.3 Configuring an OUI for a Voice VLAN..................................................................................................84

3.8.4 (Optional) Setting an Aging Timer for a Voice VLAN...........................................................................84

3.8.5 (Optional) Configuring an 802.1p Priority and a DSCP Value for the Voice VLAN.............................85

3.8.6 (Optional) Configuring the Mode in Which Ports Are Added to a Voice VLAN...................................86

3.8.7 (Optional) Configuring the Working Mode for a Voice VLAN..............................................................87

3.8.8 (Optional) Configuring a Port to Communicate with a Voice Device of Another Vendor.....................88


3.9 Configuring an mVLAN to Implement Integrated Management.....................................................................89


3.9.2 Configuring an mVLAN..........................................................................................................................90

3.9.3 Conf iguring a VLANIF Interface for an mVLAN..................................................................................90


3.10 Maintaining VLAN.........................................................................................................................................91

3.10.1 Clearing the Statistics of VLAN Packets..............................................................................................91

3.11 Configuration Examples.................................................................................................................................91

3.11.1 Example for Configuring Interface-based VLANs................................................................................92

3.11.2 Example for Configuring MAC Address-based VLAN Assignment....................................................94

3.11.3 Example for Configuring IP Subnet-based VLAN Assignment...........................................................96

3.11.4 Example for Configuring Protocol-based VLAN Assignment............................................................100





vi



3.11.5 Example for Implementing Communication Between VLANs by Using VLANIF Interfaces...........103

3.11.6 Example for Configuring VLAN Aggregation....................................................................................105

3.11.7 Example for Configuring the MUX VLAN........................................................................................108

3.11.8 Example for Configuring a Voice VLAN in Auto Mode....................................................................111

3.11.9 Example for Configuring a Voice VLAN in Manual Mode................................................................114

4 VLAN Mapping Configuration..............................................................................................118

4.1 Introduction to VLAN Mapping.....................................................................................................................119

4.2 VLAN Mapping Features Supported by the S6700........................................................................................119

4.3 Configuring VLAN Mapping of Single VLAN Tag......................................................................................119

4.3.1 Esta blishing the Configuration Task................................................................ .....................................119

4.3.2 Replacing a Single Tag..........................................................................................................................120


4.4 Configuring VLAN Mapping of Double VLAN Tags...................................................................................121


4.4.2 Replacing the Outer VLAN Tag............................................................................................................121



4.5.1 Example for Configuring Single-Tag VLAN Mapping........................................................................123

4.5.2 Example for Configuring N:1 VLAN Mapping....................................................................................126

5 QinQ Configuration..................................................................................................................129

5.1 Concept of QinQ.............................................................................................................................................130

5.2 QinQ Features Supported by the S6700.........................................................................................................130

5.3 Configuring QinQ on an Interface..................................................................................................................130

5.3.1 Establishing the Configuration Task.....................................................................................................130

5.3.2 Setting the Link Type of an Interface....................................................................................................131

5.3.3 Specifying the Outer VLAN ID.............................................................................................................131


5.4 Configuring Selective QinQ...........................................................................................................................132


5.4.2 Setting the Link Type of an Interface....................................................................................................133

5.4.3 Adding an Outer VLAN Tag.................................................................................................................133

5.4.4 Configuring Selective QinQ..................................................................................................................1345.4.5 Checking the Configuration...................................................................................................................134

5.5 Configuring QinQ Stacking on a VLANIF Interface.....................................................................................135


5.5.2 Configuring QinQ Stacking on a VLANIF Interface............................................................................136


5.6 Setting the Pr otocol Type in the Outer VLAN Tag........................................................................................137


5.6.2 Conf iguring the Type of an Interface....................................................................................................138

5.6.3 Setting the Protocol Type in the Outer VLAN Tag...............................................................................138






vii




5.7.1 Example for Configuring QinQ on Interfaces.......................................................................................139

5.7.2 Example for Configuring Selective QinQ.............................................................................................142

5.7.3 Example for Configuring Selective QinQ with VLAN Mapping..........................................................146

5.7.4 Example for Configuring QinQ Stacking on the VLANIF Interface....................................................148

6 GVRP Configuration................................................................................................................152

6.1 GVRP Overview.............................................................................................................................................153

6.2 GVRP Features Supported by the S6700.......................................................................................................156

6.3 Configuring GVRP.........................................................................................................................................157


6.3.2 Enabling GVRP.....................................................................................................................................157

6.3.3 (Optional) Setting the Registration Mode of a GVRP Interface............................................................158

6.3.4 (Optional) Setting the GARP Timers....................................................................................................159


6.4 Maintaining GVRP.........................................................................................................................................160

6.4.1 Clearing GARP Statistics......................................................................................................................160


6.5.1 Example for Configuring GVRP...........................................................................................................161

7 MAC Address Table Configuration.......................................................................................165

7.1 MAC Address Table Overview......................................................................................................................167

7.2 MAC Address Features Supported by the S6700...........................................................................................168

7.3 Configuring a Static MAC Address Entry......................................................................................................169

7.4 Configuring a Blackhole MAC Address Entry...............................................................................................171

7.5 Setting the Aging Time of Dynamic MAC Address Entries..........................................................................172

7.6 Disabling MAC Address Learning.................................................................................................................173


7.6.2 Disa bling MAC Address Learning on an Interface...............................................................................174

7.6.3 Disabling MAC Address Learning in a VLAN.....................................................................................175


7.7 Limiting the Number of Learned MAC Addresses........................................................................................175


7.7.2 Limiting the Number of MAC Addresses Learned on an Interface......................................................1777.7.3 Limiting the Number of MAC Addresses Learned in a VLAN............................................................177


7.8 Configuring Port Security...............................................................................................................................178


7.8.2 Configuring the Secure Dynamic MAC Function on an Interface........................................................179

7.8.3 Configuring the Sticky MAC Function on an Interface........................................................................181


7.9 Configuring MAC Address Anti-Flapping.....................................................................................................182


7.9.2 Setting the MAC Address Learning Priority of an Interface.................................................................183





viii



7.9.3 Prohibiting MAC Address Flapping Between Interfaces with the Same Priority.................................184


7.10 Configuring MAC Address Flapping Detection...........................................................................................185

7.10.1 Establishing the Configuration Task...................................................................................................185

7.10.2 Configuring MAC Address Flapping Detection..................................................................................186

7.10.3 (Optional) Unblocking a Blocked Interface or MAC Address............................................................186

7.10.4 Checking the Configuration.................................................................................................................187

7.11 Configur ing the S6700 to Discard Packets with an All-0 MAC Address....................................................187

7.12 Enabling MAC Address Triggered ARP Entry Update................................................................................188

7.13 Enabling Por t Bridge....................................................................................................................................189

7.14 Configuration Examples...............................................................................................................................190

7.14.1 Example for Configuring the MAC Address Table.............................................................................190

7.14.2 Example for Configuring the Limitation on MAC Address Learning Based on VLANs...................193

7.14.3 Example for Configuring Interface Security.......................................................................................195

7.14.4 Example for Configuring MAC Address Anti-Flapping.....................................................................197

8 STP/RSTP Configuration.........................................................................................................200

8.1 STP/RSTP Overview......................................................................................................................................201

8.1.1 STP/RSTP Overview.............................................................................................................................201

8.1.2 STP/RSTP Features Supported by the S6700........................................................................................206

8.2 Configuring Basic STP/RSTP Functions.......................................................................................................208


8.2.2 Configuring the STP/RSTP Mode.........................................................................................................210

8.2.3 (Optional) Configuring Switching Device Priorities.............................................................................210

8.2.4 (Optional) Setting the Path Cost for a Port............................................................................................211

8.2.5 (Optional) Configuring Port Priorities...................................................................................................212

8.2.6 Enabling STP/RSTP..............................................................................................................................213


8.3 Configuring STP/RSTP Parameters on an Interface......................................................................................214


8.3.2 Setting System Parameters....................................................................................................................217

8.3.3 Setting Port Parameters.........................................................................................................................218

8.3.4 Checking the Configuration...................................................................................................................2208.4 Configuring R STP Protection Functions........................................................................................................220


8.4.2 Configuring BPDU Protection on a Switching Device.........................................................................222

8.4.3 Configuring TC Protection on a Switching Device...............................................................................223

8.4.4 Conf iguring Root Protection on a Port..................................................................................................223

8.4.5 Conf iguring Loop Protection on a Port.................................................................................................224


8.5 Configuring STP/RSTP Interoperability Between Huawei Devices and Non-Huawei Devices....................225


8.5.2 Configuring the Proposal/Agreement Mechanism................................................................................226





ix




8.6 Maintaining STP/RSTP..................................................................................................................................227

8.6.1 Clearing STP/RSTP Statistics...............................................................................................................228


8.7.1 Example for Configuring Basic STP Functions....................................................................................228

8.7.2 Example for Configuring Basic RSTP Functions..................................................................................233

9 MSTP Config uration.................................................................................................................238

9.1 MSTP Overview.............................................................................................................................................240

9.1.1 MSTP Introduction................................................................................................................................240

9.1.2 MSTP Features Supported by the S6700...............................................................................................248

9.2 Configuring Basic MSTP Functions...............................................................................................................252


9.2.2 Configuring the MSTP Mode................................................................................................................254

9.2.3 Configuring and Activating an MST Region........................................................................................255

9.2.4 (Optional) Setting a Priority for a Switching Device in an MSTI.........................................................256

9.2.5 (Optional) Setting a Path Cost of a Port in an MSTI.............................................................................257

9.2.6 (Optional) Setting a Port Priority in an MSTI.......................................................................................258

9.2.7 Enabling MSTP.....................................................................................................................................259


9.3 Configuring MSTP Multi-process..................................................................................................................260


9.3.2 Creating an MSTP Process....................................................................................................................261

9.3.3 Adding an Interface to an MSTP Process - Access Links.....................................................................262

9.3.4 Adding an Interface to an MSTP Process - Share Link.........................................................................262

9.3.5 Configuring Priorities and Root Protection in MSTP Multi-process....................................................263

9.3.6 Configuring TC Notification in MSTP Multi-process..........................................................................263


9.4 Configuring MSTP Parameters on an Interface.............................................................................................264


9.4.2 Configuring System Parameters............................................................................................................265

9.4.3 Configuring Port Parameters.................................................................................................................267

9.4.4 Checking the Configuration...................................................................................................................2689.5 Configuring MSTP Protection Functions.......................................................................................................269


9.5.2 Configuring BPDU Protection on a Switching Device.........................................................................271

9.5.3 Configuring TC Protection on a Switching Device...............................................................................272

9.5.4 Conf iguring Root Protection on an Interface........................................................................................273

9.5.5 Configuring Loop Protection on an Interface........................................................................................273

9.5.6 Configuring Share-Link Protection on a Switching Device..................................................................274


9.6 Configuring MSTP Interoperability Between Huawei Devices and Non-Huawei Devices...........................275






x



9.6.2 Configuring a Proposal/Agreement Mechanism...................................................................................276

9.6.3 Configuring the MSTP Protocol Packet Format on an Interface...........................................................277

9.6.4 Enabling the Digest Snooping Function................................................................................................278


9.7 Maintaining MSTP.........................................................................................................................................279

9.7.1 Clearing MSTP Statistics.......................................................................................................................279


9.8.1 Example for Configuring Basic MSTP Functions.................................................................................280

9.8.2 Exam ple for Configuring MSTP Multi-Process for Layer 2 Single-Access Rings and Layer 2 Multi-Access

Rings...............................................................................................................................................................287

10 SEP Configuration...................................................................................................................295

10.1 SEP Overview...............................................................................................................................................297

10.1.1 SEP Overview......................................................................................................................................297

10.1.2 SEP Features Supported by the S6700................................................................................................310

10.2 Configuring Basic SEP Functions................................................................................................................316


10.2.2 Configuring an SEP Segment..............................................................................................................317

10.2.3 Configuring a Control VLAN..............................................................................................................317

10.2.4 Creating a Protected Instance..............................................................................................................318

10.2.5 Adding a Layer 2 Interface to a SEP Segment and Configuring a Role for the Interface...................319


10.3 Specifying an Interface to Block..................................................................................................................321


10.3.2 Setting an Interface Blocking Mode....................................................................................................322

10.3.3 Configuring the Preemption Mode......................................................................................................324


10.4 Configur ing SEP Multi-Instance..................................................................................................................325


10.4.2 Configuring and Activating Mappings Between Protected Instances and VLANs.............................327


10.5 Configuring the Topology Change Notification Function...........................................................................328


10.5.2 Reporting Topology Changes of a Lower-Layer Network - SEP Topology Change Notification.....330

10.5.3 Reporting Topology Changes of a Lower-Layer Network - Enabling the Edge Devices in a SEP Segment

to Process SmartLink Flush Packets...............................................................................................................331


10.6 Maintaining SEP...........................................................................................................................................332

10.6.1 Clearing SEP Statistics........................................................................................................................332

10.6.2 Debugging SEP....................................................................................................................................332


10.7.1 Example for Configuring SEP on a Closed Ring Network.................................................................333

10.7.2 Example for Configuring SEP on a Multi-ring Network....................................................................339

10.7.3 Example for Configuring SEP on a Hybrid-ring Network..................................................................351





xi



10.7.4 Example for Configuring a Hybrid SEP+RRPP Ring Network (Reporting the Topology Changes of a

Lower-Layer Network)...................................................................................................................................360

10.7.5 Example for Configuring SEP Multi-Instance on a Closed Ring Network.........................................372

11 Layer 2 Protocol Transparent Transmission Configuration............................................381

11.1 Overview of Layer 2 Protocol Transparent Transmission............................................................................383

11.2 Layer 2 Protocol Transparent Transmission Features Supported by the S6700...........................................384

11.3 Configur ing Interface-based Layer 2 Protocol Transparent Transmission...................................................389


11.3.2 (Optional) Defining Characteristic Information About a Layer 2 Protocol........................................389

11.3.3 Configuring the Transparent Transmission Mode of Layer 2 Protocol Packets.................................390

11.3.4 Enabling Layer 2 Protocol Transparent Transmission on an Interface...............................................391

11.3.5 Checking Configuration......................................................................................................................392

11.4 Configuring VLAN-based Layer 2 Protocol Transparent Transmission......................................................392




11.4.4 Enabling VLAN-based Layer 2 Protocol Transparent Transmission on an Interface.........................394


11.5 Configuring QinQ-based Layer 2 Protocol Transparent Transmission........................................................395




11.5.4 Ena bling QinQ-based Layer 2 Transparent Transmission on an Interface..........................................398


11.6 Maintaining Layer 2 Protocol Transparent Transmission............................................................................399

11.6.1 Debugging Layer 2 Protocol Transparent Transmission.....................................................................399


11.7.1 Example for Configuring Interface-based Layer 2 Protocol Transparent Transmission.....................400

11.7.2 Example for Configuring VLAN-based Layer 2 Protocol Transparent Transmission........................406

11.7.3 Example for Configuring QinQ-based Layer 2 Protocol Transparent Transmission..........................413

12 Loopback Detection Configuration.....................................................................................421

12.1 Loopback Detection Overview.....................................................................................................................422

12.2 Configuring Loopback Detection.................................................................................................................422


12.2.2 Ena bling Loopback Detection.............................................................................................................424

12.2.3 Specifying VLAN IDs of Loopback Detection Packets......................................................................424

12.2.4 (Optional) Configuring an Action to Perform After a Loopback Is Detected.....................................425

12.2.5 (Optional) Setting the Interface Recovery Time After a Loop Is Removed........................................426

12.2.6 (Optional) Setting the Interval for Sending Loopback Detection Packets on an Interface.................427


12.3 Configur ation Examples...............................................................................................................................427





xii



12.3.1 Example for Configuring Loopback Detection...................................................................................427





xiii



1 Ethernet Interface Configuration

About This Chapter

This chapter describes the basic knowledge, methods, and examples for configuring the Ethernet

interface.

1.1 Introduction to Ethernet Interfaces

This section describes the Ethernet interfaces.

1.2 Ethernet Interface Features Supported by the S6700

This section describes the Ethernet interface features supported by the S6700.

1.3 Configuring Advanced Attributes of an Ethernet InterfaceThis section describes how to configure the interface description, loopback on the Ethernet

Interface, por t group, maximum frame size, flow control, loopback test, and port isolation.

1.4 Maintaining Ethernet Interfaces

This section describes how to maintain Ethernet interfaces.

1.5 Configuration Examples

This section provides several configuration examples of Ethernet interfaces.


Configuration Guide - Ethernet 1 Ethernet Interface Configuration



1



1.1 Introduction to Ethernet Interfaces

This section describes the Ethernet interfaces.

The Ethernet is flexible, simple, and easy to implement; therefore, it becomes an important local

area network (LAN) networking technology.

The S6700 provides 10 GE optical interfaces. A 10 GE optical interface works in full duplex

non-auto negotiation mode, and the maximum rate is 10000 Mbit/s.

1.2 Ethernet Interface Features Supported by the S6700

This section describes the Ethernet interface features supported by the S6700.

Port Group

The port group function enables you to configure multiple interfaces at the same time. You can

run commands in the port group view to configure all the interfaces in the group.

Port Isolation

The port isolation function isolates Layer 2 and Layer 3 communication between ports in the

same VLAN. This function restricts packet transmission between ports flexibly, providing a

secure and flexible network solution.

1.3 Configuring Advanced Attributes of an EthernetInterface

This section describes how to configure the interface description, loopback on the Ethernet

Interface, port group, maximum frame size, flow control, loopback test, and port isolation.

1.3.1 Establishing the Configuration Task

Applicable Environment

The configuration task is applicable to the following situations:

l The S6700 provides the interface group function, which enables you to configure multiple

interfaces at the same time.

l If the traffic volume received on an interface of the S6700 may exceed the processing

capability of the interface and the directly connected interface supports traffic control,

enable the traffic control function on the interface. When the rate of received traffic reaches

the threshold, the interface sends a Pause frame (in full duplex mode) to notify the peer

interface. If the peer interface supports traffic control, it decreases the rate of at which it

sends traffic so that the local interface can properly process received traffic.





2



l Ports enabled with port isolation cannot communicate with each other so that ports on the

same VLAN can be isolated. Port isolation provides secure and flexible networking

schemes for customers.

Pre-configuration Tasks None.

Data Preparation

To configure the advanced functions of Ethernet interfaces, you need the following data.

No. Data

1 Interface number

2 (Optional) Maximum frame length allowed on the interface

1.3.2 (Optional) Configuring a Description for an Interface

Context

Perform the following steps on the S6700.

ProcedureStep 1 Run:

system-view

The system view is displayed.

Step 2 Run:

interface interface-type interface-number

The interface view is displayed.

Step 3 Run:

description description

A description is configured for the interface.

By default, the description of an interface is "HUAWEI, Quidway Series, X interface". X

specifies the interface type and number.

----End

1.3.3 (Optional) Configuring Loopback on the Ethernet Interface

Context

Do as follows on the S6700 where you need to configure the loopback.





3



Procedure

Step 1 Run:

system-view


Step 2 Run:



Step 3 Run:

loopback internal

The loopback is configured on the Ethernet interface.

By default, loopback is not configured on an Ethernet interface.

----End

1.3.4 (Optional) Configuring the Interface Group

Context

Do as follows on the S6700 where you need to configure interface groups.


system-view


Step 2 Run:

port-group port-group-name

The interface group view is displayed.

Step 3 Run:

group-member interface-type interface-number

The Ethernet interface is added to the interface group.

----End

1.3.5 (Optional) Setting the Maximum Frame Length on theEthernet Interface

Context

Do as follows on the S6700 where you need to set the maximum frame length.





4



Procedure

Step 1 Run:

system-view


Step 2 Run:


The Ethernet interface view is displayed.

Step 3 Run:

jumboframe enable [ value ]

The maximum length of the frame is set on the Ethernet interface.

By default, the maximum frame length allowed by an interface is 9216 bytes.

----End

1.3.6 (Optional) Enabling Flow Control

Context

Do as follows on the S6700 where you need to enable flow control.

Procedure

Step 1 Run:

system-view


Step 2 Run:



Step 3 Run:

flow-control

Flow control is enabled on the Ethernet interface.

By default, flow control is disabled on an Ethernet interface.

To implement flow control, you must enable this function on both the local interface and peer

interface.

----End

1.3.7 (Optional) Enabling Port Isolation

Context

Do as follows on the S6700 where you need to enable port isolation.





5



Procedure

Step 1 Run:

system-view


Step 2 Run:

port-isolate mode { l2 | all }

The port isolation mode is set.

By default, ports are isolated on Layer 2 but can communicate on Layer 3.

Step 3 Run:



Step 4 (Optional) Run:

am isolate interface-type interface-number [ to interface-number ]

The Ethernet interface is isolated from another interface unidirectionally.

NOTE

After interface A is isolated from interface B unidirectionally, packets sent by interface A cannot reach

interface B, whereas packets sent from interface B can reach interface A.

Step 5 Run:

port-isolate enable [ group group-id ]

Port isolation is enabled.

NOTE

Ports in a port isolation group are isolated from each other, and ports in different port isolation groups can

communicate with each other. If group-id is not specified, a port is added to port isolation group 1.

----End

1.3.8 (Optional) Configuring a Loopback Test on an Interface

Context

Perform the following steps on the S6700 where a loopback test needs to be performed.

Procedure

Step 1 Run:

system-view


Step 2 Run:







6



Step 3 Run:

loopbacktest internal

A loopback test is configured on the interface.

By default, no loopback test is configured on an interface.

----End

1.3.9 Checking the Configuration

Procedure

l Run the display port-group [ all | port-group-name ] command to check information about

a port group.

l Run the display interface [ interface-type [ interface-number ] ] command to check the

configuration of an Ethernet interface.

----End

1.4 Maintaining Ethernet Interfaces

This section describes how to maintain Ethernet interfaces.

1.4.1 Debugging Ethernet Interfaces

Context

CAUTION

Debugging affects the performance of the system. So, after debugging, run the undo debugging

all command to disable it immediately.

When an Ethernet interface or Eth-Trunk fault occurs, run the following debugging commands

in the user view to locate the fault.

Procedure

Step 1 Run the debugging l2if [ error | event | msg | updown ] command to enable the debugging of

link layer features.

----End


This section provides several configuration examples of Ethernet interfaces.





7



1.5.1 Example for Configuring Port Isolation

Networking Requirements

As shown in Figure 1-1, it is required that PC1 and PC2 cannot communicate with each other,

but they can communicate with PC3.

Figure 1-1 Networking diagram for configuring port isolation

Switch

PC1 PC2 PC3

XGE0/0/3X G E

0

/ 0 / 2

XGE0/0/1

10.10.10.1/24 10.10.10.2/24 10.10.10.3/24

Configuration Roadmap

The configuration roadmap is as follows:

1. Enable port isolation on the ports connected to PC1 and PC2 respectively to prevent PC1

and PC2 from communicating with each other.

Data Preparation

To complete the configuration, you need the following data:

l Number of the port connected to PC1

l Number of the port connected to PC2

l Port isolation mode: Layer 2 isolation and Layer 3 communication (default configuration)

l ID of the VLAN that the ports connected to PC1, PC2, and PC3 belong to (VLAN 1 by

default)

l Port isolation group that the ports connected to PC1 and PC2 belong to (group 1 by default)

Procedure

Step 1 Enable port isolation.

# Isolate ports on Layer 2 and allow them to communicate on Layer 3.

<Quidway> system-view

[Quidway] port-isolate mode l2

# Enable port isolation on XGigabitEthernet 0/0/1.





8




[Quidway] interface xgigabitethernet 0/0/1

[Quidway-XGigabitEthernet0/0/1] port-isolate enable

[Quidway-XGigabitEthernet0/0/1] quit

# Enable port isolation on XGigabitEthernet 0/0/2.



[Quidway-XGigabitEthernet0/0/2] port-isolate enable


Step 2 Verify the configuration.

PC1 and PC2 cannot ping each other.

PC1 and PC3 can ping each other.

PC2 and PC3 can ping each other.

----End

Configuration Files

Configuration file of the Switch

#

sysname Quidway

#

interface XGigabitEthernet0/0/1

port-isolate enable group 1

#


port-isolate enable group 1

#

interface XGigabitEthernet0/0/3#

return





9



2 Link Aggregation Configuration

About This Chapter

This chapter describes the concepts, configuration procedures, and configuration examples of

link aggregation.

2.1 Introduction to Link Aggregation

This section describes the concept of link aggregation.

2.2 Link Aggregation Supported by the S6700

This section describes link aggregation features supported by the S6700.

2.3 Configuring Link Aggregation in Manual Load Balancing ModeThis section describes how to configure link aggregation in manual load balancing mode.

2.4 Configuring Link Aggregation in Static LACP Mode

This section describes how to configure link aggregation in static LACP mode.

2.5 Configuring an E-Trunk

As an extension to the Link Aggregation Protocol (LACP) that implements link aggregation on

a single device, the Enhanced Trunk (E-Trunk) protocol implements link aggregation between

different devices. This improves link reliability between devices.

2.6 Maintaining Link Aggregation

This section describes how to clear the statistics of received and sent LACP packets, debug the

link aggregation group, and monitor the running status of the link aggregation group.


This section provides several configuration examples of link aggregation in manual load

balancing mode and in static LACP mode.


Configuration Guide - Ethernet 2 Link Aggregation Configuration



10



2.1 Introduction to Link Aggregation

This section describes the concept of link aggregation.

Link aggregation refers to a method of bundling a group of physical interfaces into a logical

interface to increase bandwidth. It is also called multi-interface load sharing group or link

aggregation group. For details, refer to IEEE802.3ad.

By setting up a link aggregation group between two devices, you can obtain higher bandwidth

and reliability. Link aggregation provides redundancy protection for communication among

devices without upgrading the hardware.

2.2 Link Aggregation Supported by the S6700

This section describes link aggregation features supported by the S6700.

Manual Load Balancing Mode

In load balancing mode, you can manually add member interfaces to the link aggregation group.

All the interfaces configured with load balancing are in forwarding state. The S6700 can perform

load balancing based on destination MAC addresses, source MAC addresses, source MAC

address exclusive-or destination MAC address, source IP addresses, destination IP addresses,

source address exclusive-or destination IP address.

You must set up the Eth-Trunk and add an interface to the Eth-Trunk manually. The Link

Aggregation Control Protocol (LACP) is not used.

The manual load balancing mode is usually used when the peer device does not support LACP.

Static LACP Mode

The static LACP mode is a link aggregation mode in which the two parties negotiate aggregation

parameters by exchanging LACP packets. After the negotiation, the two parties determine the

active interface and the inactive interface. In static LACP mode, you need to create an Eth-Trunk

manually and add members to the Eth-Trunk. The active interfaces and inactive interfaces are

determined by LACP negotiation.

The static LACP mode is also called the M:N mode. In this mode, links can implement load balancing and redundancy at the same time. In a link aggregation group, M links are active and

they forward data in load balancing mode. N links are inactive and they function as backup links.

The backup links do not forward data. When an active link fails, the backup link with the highest

priority replaces the failed link to forward data and its status changes to active.

In static LACP mode, some links function as backup links. In manual load balancing mode, all

member interfaces work in forwarding state to share the traffic. This is the main difference

between the two modes.

Link aggregation can also be implemented in dynamic LACP mode. In dynamic LACP mode,

LACP creates the Eth-Trunk and adds member interfaces automatically without human

intervention. This mode is easy for users, but is too flexible and hard for management; therefore,the S6700 does not support dynamic LACP mode.





11



Active Interface and Inactive Interface

Active interfaces refer to the interfaces that are in active state and are responsible for forwarding

data. The interfaces that do not forward data and are in inactive state are called inactive interfaces.

According to the operation modes, active and inactive interfaces are classified as follows:

l Manual load balancing mode: Generally, all member interfaces are active interfaces unless

a fault occurs on these interfaces.

l Static LACP mode: The interfaces connected to M links are active interfaces that are

responsible for forwarding data; the interfaces connected to N links are inactive interfaces

that are used for redundancy backup.

Actor and Partner

In static LACP mode, the device in the link aggregation group with a higher LACP priority is

the Actor and the device with a lower LACP priority is the Partner.

If the two devices have the same LACP priority, the Actor is selected based on the MACaddresses of the devices. The device with a smaller MAC address becomes the Actor.

Differentiating the Actor and the Partner is to keep the active interfaces of devices at both ends

consistent. If the devices at both ends select active interfaces according to the priority of their

own interfaces, the active interfaces may be different and the active links cannot be set up.

Therefore, the Actor is first determined. The Partner selects active interfaces according to the

priority of the interfaces of the Actor. Figure 2-1 shows the process of selecting active interfaces.

Figure 2-1 Determining the active links in static LACP mode

SwitchA SwitchB

SwitchBSwitchA

The Actor determines

the active link

Device with high

priority

Device with low

priority

Active interface selected by SwitchA

Active interface selected by SwitchB

2.3 Configuring Link Aggregation in Manual LoadBalancing Mode

This section describes how to configure link aggregation in manual load balancing mode.






12




When the bandwidth or the reliability of two devices should be increased and either of the two

devices does not support LACP, you should create an Eth-Trunk in manual load balancing mode

on Switches and add member interfaces to the Eth-Trunk to increase the bandwidth and improve

reliability of devices.

As shown in Figure 2-2, Eth-Trunks are created between SwitchA and SwitchB.

Figure 2-2 Networking diagram for configuring link aggregation in load balancing mode

SwitchA SwitchB

Eth-Trunk

Eth-Trunk 1 Eth-Trunk 1

Pre-configuration Tasks

Before configuring an Eth-Trunk in manual load balancing mode, complete the following tasks:

l Powering on the S6700

l Creating the Eth-Trunks

Data Preparation

To configure an Eth-Trunk in manual load balancing mode, you need the following data.

No. Data

1 Number of the Eth-Trunk in manual load balancing mode

2 Type and number of the member interface

2.3.2 Configuring the Eth-Trunk to Work in Manual Load Balancing

Mode

Context

NOTE

Check whether the Eth-Trunk contains member interfaces before you configure the operation mode of the

Eth-Trunk. If the Eth-Trunk contains member interfaces, the operation mode of the Eth-Trunk cannot be

changed. To delete member interfaces from the Eth-Trunk, run the undo eth-trunk trunk-id command in

the interface view or run the undo trunkport interface-type interface-number command in the Eth-Trunk

view.

Do as follows on the S6700 where you need to configure an Eth-Trunk in manual load balancingmode.





13



Procedure

Step 1 Run:

system-view


Step 2 Run:

interface eth-trunk trunk-id

The Eth-Trunk view is displayed.

Step 3 Run:

mode manual [ load-balance ]

The operation mode of the Eth-Trunk is set to load balancing.

By default, an Eth-Trunk works in manual load balancing mode.

If the local device is configured with the Eth-Trunk in manual load balancing mode, you needto configure the Eth-Trunk in manual load balancing mode on the peer device.

----End

2.3.3 Adding Member Interfaces to an Eth-Trunk

Context

Do as follows on the S6700 where you need to configure member interfaces of an Eth-Trunk.

Procedure

l Configuration in the Eth-Trunk interface view

1. Run:

system-view


2. Run:


The Eth-Trunk interface view is displayed.

3. Run:trunkport interface-type { interface-number1 [ to interface-number2 ] }

&<1-8>

Member interfaces are added to the Eth-Trunk.

l Configuration in the member interface view

1. Run:

system-view


2. Run:







14



3. Run:

eth-trunk trunk-id

The interface is added to the Eth-Trunk.

When adding an interface to an Eth-Trunk, pay attention to the following points:

– An Eth-Trunk contains a maximum of eight member interfaces.

– A member interface cannot be configured with any service or static MAC address.

– When adding an interface to an Eth-Trunk, ensure that the interface is a hybrid interface,

which is the default interface type.

– An Eth-Trunk cannot be nested, that is, its member interfaces cannot be Eth-Trunk.

– An Ethernet interface can be added to only one Eth-trunk interface. To add the Ethernet

interface to another Eth-trunk, delete the Ethernet interface from the current Eth-Trunk

first.

– The member interfaces of an Eth-trunk must be of the same type. For example, the FE

interface and the GE interface cannot be added to the same Eth-trunk.

– Ethernet interfaces on different LPUs can be added to the same Eth-Trunk.

– The peer interface directly connected to the Eth-Trunk on the local end must also be

added to an Eth-Trunk; otherwise, the two ends cannot communicate.

– When the rates of member interfaces are different, the interfaces with a smaller rate may

be congested, and packets may be lost.

– After an interface is added to an Eth-Trunk, MAC address learning is performed by the

Eth-Trunk rather than the member interfaces.

----End

2.3.4 (Optional) Configuring the Load Balancing Mode

Context

Do as follows on the S6700 where the Eth-Trunk load balancing mode needs to be configured.

Procedure

Step 1 Run:

system-view


Step 2 Run:



Step 3 Run:

load-balance { dst-ip | dst-mac | src-ip | src-mac | src-dst-ip | src-dst-mac }

The load balancing mode is configured for the Eth-Trunk.

The default load balancing mode is src-dst-ip.

The S6700 supports the following load balancing modes:





15



l dst-ip: load balancing based on the destination IP address. In this mode, the system obtains

the specified three bits from each of the destination IP address and the TCP or UDP port

number in outgoing packets to perform the Exclusive-OR calculation, and then selects the

outgoing interface from the Eth-Trunk table according to the calculation result.

l dst-mac: load balancing based on the destination MAC address. In this mode, the systemobtains the specified three bits from each of the destination MAC address, VLAN ID,

Ethernet type, and incoming interface information to perform the Exclusive-OR calculation,

and then selects the outgoing interface from the Eth-Trunk table according to the calculation

result.

l src-ip: load balancing based on the source IP address. In this mode, the system obtains the

specified three bits from each of the source IP address and the TCP or UDP port number in

incoming packets to perform the Exclusive-OR calculation, and then selects the outgoing

interface from the Eth-Trunk table according to the calculation result.

l src-mac: load balancing based on the source MAC address. In this mode, the system obtains

the specified three bits from each of the source MAC address, VLAN ID, Ethernet type, and

incoming interface information to perform the Exclusive-OR calculation, and then selectsthe outgoing interface from the Eth-Trunk table according to the calculation result.

l src-dst-ip: load balancing based on the Exclusive-OR result of the source IP address and

destination IP address. In this mode, the system performs the Exclusive-OR calculation

between the Exclusive-OR results of the dip and dmac modes, and then selects the outgoing


l src-dst-mac: load balancing based on the Exclusive-OR result of the source MAC address

and destination MAC address. In this mode, the system obtains three bits from each of the

source MAC address, destination MAC address, VLAN ID, Ethernet type, and incoming

interface information to perform the Exclusive-OR calculation, and then selects the outgoing


Member interfaces of an Eth-Trunk perform per-flow load balancing. The local end and the

remote end can use different load balancing modes, and the load balancing mode on one end

does not affect load balancing on the other end.

----End

2.3.5 (Optional) Limiting the Number of Active Interfaces

Context

Do as follows on the S6700 where you need to limit the number of active interfaces.

Procedure

l Setting the upper threshold of the number of interfaces that determine bandwidth of the

Eth-Trunk

1. Run:

system-view


2. Run:







16



3. Run:

max bandwidth-affected-linknumber link-number

The maximum number of interfaces that determine bandwidth of the Eth-Trunk is set.

By default, the maximum number of interfaces that determine bandwidth of the Eth-Trunk is 8.

NOTE

l The upper threshold the number of interfaces that determine bandwidth of the Eth-Trunk of the

local S6700 and that of the remote S6700 can be different. If the upper thresholds at two ends

are different, the smaller one is used.

l Setting the lower threshold of the number of active interfaces

1. Run:

system-view


2. Run:interface eth-trunk trunk-id


3. Run:

least active-linknumber link-number

The lower threshold of the number of active interfaces is set.

By default, the lower threshold of the number of active interfaces is 1.

In manual load balancing mode, you can determine the minimum number of active

interfaces in the Eth-Trunk by setting the lower threshold. If the number of active interfaces

is smaller than the value in manual load balancing mode, the status the Eth-Trunk becomesDown.

NOTE

l The lower threshold of the number of active interfaces of the local S6700 and that of the remote

S6700 can be different. If the lower thresholds at two ends are different, the larger one is used.

----End


Procedure

l Run the display trunkmembership eth-trunk trunk-id command to display the member

interfaces of the Eth-Trunk.

l Run the display eth-trunk trunk-id command to display the load balancing status of the

Eth-Trunk.

----End

2.4 Configuring Link Aggregation in Static LACP Mode

This section describes how to configure link aggregation in static LACP mode.





17





To increase the bandwidth and improve the connection reliability, you can configure a link

aggregation group on two directly connected Switches. The requirements are as follows:

l The links between two devices can implement redundancy backup. When a fault occurs on

some links, the backup links replace the faulty ones to keep data transmission uninterrupted.

l The active links have the load balancing capability.

Figure 2-3 Typical networking of link aggregation in static LACP mode

SwitchB

Eth-Trunk 1

SwitchA

Eth-Trunk 1

Eth-Trunk Active link

Standby link


Before configuring an Eth-Trunk in static LACP mode, complete the following tasks:

l Powering on the S6700

l Creating the Eth-Trunk

Data Preparation

To configure an Eth-Trunk in static LACP mode, you need the following data.

No. Data

1 Number of the Eth-Trunk

2 Type and number of the member interface

3 Maximum number of active interfaces

2.4.2 Configuring the Eth-Trunk to Work in Static LACP Mode

Context

NOTE

Check whether the Eth-Trunk contains member interfaces before you configure the operation mode of the

Eth-Trunk. If the Eth-Trunk contains member interfaces, the operation mode of the Eth-Trunk cannot be

changed. To delete member interfaces from the Eth-Trunk, run the undo eth-trunk trunk-id command in

the interface view or run the undo trunkport interface-type interface-number command in the Eth-Trunk view.





18



Do as follows on the S6700 where you need to configure an Eth-Trunk of static LACP mode.

Procedure

Step 1 Run:system-view


Step 2 Run:



Step 3 Run:

bpdu enable

The Eth-Trunk member interfaces are configured to send received BPDUs to the CPU.

Step 4 Run:

mode lacp-static

The Eth-Trunk is configured to work in static LACP mode.

By default, an Eth-Trunk works in manual load balancing mode.

If the local device is configured with an Eth-Trunk of static LACP mode, you must configure

the Eth-Trunk of static LACP mode on the peer device.

----End

2.4.3 Adding Member Interfaces to an Eth-Trunk

Context

Do as follows on the S6700 where you need to configure member interfaces of an Eth-Trunk.

Procedure

l Configuration in the Eth-Trunk interface view

1. Run:

system-view


2. Run:



3. Run:

trunkport interface-type { interface-number1 [ to interface-number2 ] }

&<1-8>

Member interfaces are added to the Eth-Trunk.

l Configuration in the member interface view

1. Run:system-view





19




2. Run:



3. Run:

eth-trunk trunk-id

The interface is added to the Eth-Trunk.

When adding an interface to an Eth-Trunk, pay attention to the following points:

– An Eth-Trunk contains a maximum of eight member interfaces.

– A member interface cannot be configured with any service or static MAC address.

– When adding an interface to an Eth-Trunk, ensure that the interface is a hybrid interface,

which is the default interface type.

– An Eth-Trunk cannot be nested, that is, its member interfaces cannot be Eth-Trunk.– An Ethernet interface can be added to only one Eth-Trunk interface. To add the Ethernet

interface to another Eth-Trunk, delete the Ethernet interface from the current Eth-Trunk

first.

– The member interfaces of an Eth-Trunk must be of the same type. For example, the FE

interface and the GE interface cannot be added to the same Eth-Trunk.

– Ethernet interfaces on different LPUs can be added to the same Eth-Trunk.

– The peer interface directly connected to the Eth-Trunk on the local end must also be

added to an Eth-Trunk; otherwise, the two ends cannot communicate.

– When the rates of member interfaces are different, the interfaces with a smaller rate may

be congested, and packets may be lost.– After an interface is added to an Eth-Trunk, MAC address learning is performed by the

Eth-Trunk rather than the member interfaces.

----End

2.4.4 (Optional) Configuring the Load Balancing Mode

Context

Do as follows on the S6700 where you need to configure the Eth-Trunk load balancing mode.

Procedure

Step 1 Run:

system-view


Step 2 Run:



Step 3 Run:load-balance { dst-ip | dst-mac | src-ip | src-mac | src-dst-ip | src-dst-mac }





20



The load balancing mode is configured for the Eth-Trunk.

The default load balancing mode is src-dst-ip.

The S6700 supports the following load balancing modes:

l dst-ip: load balancing based on the destination IP address. In this mode, the system obtains

the specified three bits from each of the destination IP address and the TCP or UDP port

number in outgoing packets to perform the Exclusive-OR calculation, and then selects the

outgoing interface from the Eth-Trunk table according to the calculation result.

l dst-mac: load balancing based on the destination MAC address. In this mode, the system

obtains the specified three bits from each of the destination MAC address, VLAN ID,

Ethernet type, and incoming interface information to perform the Exclusive-OR calculation,

and then selects the outgoing interface from the Eth-Trunk table according to the calculation

result.

l src-ip: load balancing based on the source IP address. In this mode, the system obtains the

specified three bits from each of the source IP address and the TCP or UDP port number in

incoming packets to perform the Exclusive-OR calculation, and then selects the outgoing


l src-mac: load balancing based on the source MAC address. In this mode, the system obtains

the specified three bits from each of the source MAC address, VLAN ID, Ethernet type, and

incoming interface information to perform the Exclusive-OR calculation, and then selects

the outgoing interface from the Eth-Trunk table according to the calculation result.

l src-dst-ip: load balancing based on the Exclusive-OR result of the source IP address and

destination IP address. In this mode, the system performs the Exclusive-OR calculation

between the Exclusive-OR results of the dip and dmac modes, and then selects the outgoing


lsrc-dst-mac: load balancing based on the Exclusive-OR result of the source MAC addressand destination MAC address. In this mode, the system obtains three bits from each of the

source MAC address, destination MAC address, VLAN ID, Ethernet type, and incoming

interface information to perform the Exclusive-OR calculation, and then selects the outgoing


Member interfaces of an Eth-Trunk perform per-flow load balancing. The local end and the

remote end can use different load balancing modes, and the load balancing mode on one end

does not affect load balancing on the other end.

----End

2.4.5 (Optional) Limiting the Number of Active Interfaces

Context

Do as follows on the S6700 where you need to limit the number of active interfaces.

Procedure

l Setting the upper threshold of the number of active interfaces

1. Run:

system-view






21



2. Run:



3. Run:

max active-linknumber link-number

The upper threshold of the number of active interfaces is set.

By default, the upper threshold of the number of active interfaces is 8.

In static LACP mode, you can limit the maximum number (M) of active interfaces in the

Eth-Trunk by setting the upper threshold. The other member interfaces function as backup.

If the upper threshold is not set, up to eight interfaces in the Eth-Trunk can be active.

NOTE

l The upper threshold of the number of active interfaces should not be smaller the lower threshold

for the number of active interfaces.

l The upper threshold of the number of active interfaces of the local S6700 and that of the remote

S6700 can be different. If the upper thresholds at two ends are different, the smaller one is used.

l Setting the lower threshold of the number of active interfaces

1. Run:

system-view


2. Run:



3. Run:

least active-linknumber link-number

The lower threshold of the number of active interfaces is set.

By default, the lower threshold of the number of active interfaces is 1.

In static LACP mode, you can determine the minimum number of active interfaces in the

Eth-Trunk by setting the lower threshold. If the number of active interfaces is smaller than

the value in static mode, the status of the Eth-Trunk becomes Down.

NOTE

l The lower threshold of the number of active interfaces should not be larger than the upper

threshold of the number of active interfaces.

l The lower threshold of the number of active interfaces of the local S6700 and that of the remote

S6700 can be different. If the lower thresholds at two ends are different, the larger one is used.

----End

2.4.6 (Optional) Setting the LACP Priority of the System

Context

Do as follows on the S6700 where you need to set the LACP priority of the system.





22



Procedure

Step 1 Run:

system-view


Step 2 Run:

lacp priority priority

The system LACP priority of the S6700 is set.

The smaller the LACP priority value of the system is, the higher the priority is. By default, the

LACP priority of the system is 32768.

The end of a smaller priority value functions as the Actor. If the two ends have the same priority,

the end with a smaller MAC address functions as the Actor.

----End

2.4.7 (Optional) Setting the LACP Priority of an Interface

Context

Perform the following steps on the S6700.

Procedure

Step 1 Run:

system-view


Step 2 Run:



Step 3 Run:

lacp priority priority

The LACP priority of the interface is set.

By default, the interface LACP priority is 32768. A smaller priority value indicates a higher LACP priority.

----End

2.4.8 (Optional) Enabling LACP Preemption and Setting the Delayfor LACP Preemption

Context

Do as follows on the S6700 where you need to enable LACP preemption mode and set the delayfor LACP preemption.





23



Procedure

Step 1 Run:

system-view


Step 2 Run:



Step 3 Run:

lacp preempt enable

The LACP preemption function is enabled on the Eth-Trunk.

By default, the LACP preemption function is disabled.

NOTE

To ensure normal running of an Eth-Trunk, it is recommended that you enable or disable LACP preemption

on both ends of the Eth-Trunk.

Step 4 Run:

lacp preempt delay delay-time

The delay for LACP preemption on the Eth-Trunk is set.

By default, the delay for LACP preemption is 30 seconds.

Enabling the LACP preemption function ensures that the interface with the highest LACP

priority can be an active interface. For example, when an interface with the highest priority

becomes inactive due to a failure, and then recovers, the interface can become an active interface

if the LACP preemption function is enabled; if the LACP preemption function is disabled, the

interface cannot become an active interface again.

The delay for LACP preemption refers to the period in which an inactive interface of the Eth-

Trunk in static LACP mode waits before it becomes active.

----End

2.4.9 (Optional) Setting the Timeout Interval for Receiving LACPPackets

Context

Do as follows on the S6700 where you need to set the timeout interval for receiving LACP

packets.

Procedure

Step 1 Run:

system-view


Step 2 Run:





24





Step 3 Run:

lacp timeout { fast | slow }

The timeout for receiving LACP protocol packets the Eth-Trunk is set.

NOTE

l After the lacp timeout command is used, the local end informs the peer end of the timeout interval

through LACP packets. If the fast is selected, the interval for sending LACP packets is 1 second. If

the slow keyword is selected, the interval for sending LACP packets is 30 seconds.

l The timeout interval for receiving LACP packets is three times the interval for sending LACP packets.

That is, when the fast keyword is used, the timeout interval for receiving LACP packets is 3s; when

the slow keyword is used, the timeout interval for receiving LACP packets is 90s.

l You can select different keywords on the two ends. To facilitate the maintenance, however, it is

recommended that you select the same keyword on both ends.

----End


Procedure



lRun the display eth-trunk [ trunk-id [interface interface-type interface-number ] ]command to display information about the Eth-Trunk and member interfaces.

----End

2.5 Configuring an E-Trunk

As an extension to the Link Aggregation Protocol (LACP) that implements link aggregation on

a single device, the Enhanced Trunk (E-Trunk) protocol implements link aggregation between

different devices. This improves link reliability between devices.


Before configuring an E-Trunk, familiarize yourself with the applicable environment, complete

the pre-configuration tasks, and obtain the data required for the configuration. This will help

you complete the configuration task quickly and accurately.


As shown in Figure 2-4, the E-Trunk is used to protect the links between a CE and two PEs

when the CE is dual-homed to the two PEs. The CE is connected to PE1 and PE2 through a static

LACP Eth-Trunk respectively. The two Eth-Trunks form an E-Trunk to implement backup of link aggregation groups between PE1 and PE2, enhancing the network reliability.





25



Figure 2-4 Networking diagram of the E-Trunk

PE1

PE2

CE

E t h - T r u

n k 1

E t h - T r u n k 2

E-Trunk1 Network


Before configuring an E-Trunk, complete the following tasks:

l Connecting physical links between devices correctly

l Configuring static LACP Eth-Trunk interfaces

Data Preparation

To configure an E-Trunk, you need the following data.

No. Data

1 LACP system ID and priority

2 ID and priority of the E-Trunk

3 Interface numbers and working modes of the Eth-Trunks

4 Local and peer IP addresses

5 Encrypted password

6 Interval for sending hello packets and time multiplier for detecting hello packets

2.5.2 Setting the LACP System ID and LACP Priority of an E-Trunk

In an E-Trunk, the two PEs must be configured with the same LACP system ID and priority so

that the CE considers the two PEs as one device.

Context

Do as follows on the member devices of the E-Trunk.





26



Procedure

Step 1 Run:

system-view


Step 2 Run:

lacp e-trunk system-id mac-address

The LACP system ID is set for the E-Trunk.

By default, the MAC address of Ethernet interface on the MPU is used as the LACP system ID

a device.

The master and backup devices in an E-Trunk must use the same LACP system ID.

Step 3 Run:

lacp e-trunk priority priority

The LACP priority of the E-Trunk member is set.

By default, the LACP priority of an E-Trunk is 32768.

The master and backup devices in an E-Trunk must use the same LACP priority.

----End

2.5.3 Creating an E-Trunk and Setting Its Priority

The E-Trunk priority determines whether a device in the E-Trunk is the master device or the

standby device.

Context


Procedure

Step 1 Run:

system-view


Step 2 Run:

e-trunk e-trunk-id

An Eth-Trunk is created.

If the specified E-Trunk already exists, the E-Trunk view is displayed directly.

The member devices in an E-Trunk must be configured with the same E-Trunk ID.

At most 16 E-Trunks can be created on a device.

Step 3 Run:

priority priority

The priority of the E-Trunk is set.





27



The E-Trunk priority is applied to master/backup negotiation between two devices. The device

of higher priority is the master. A smaller priority value indicates a higher priority.

If the priorities of two devices are the same, the device with the smaller system ID is the master.

By default, the priority of an E-Trunk is 100.

----End

2.5.4 Configuring Local and Peer IP Addresses of an E-Trunk

E-Trunk packets are sent through the local IP address and port configured on the local device.

When changing the local IP address or peer IP address on a device, you must change the

corresponding address on the peer device. Otherwise, LACP packets are discarded.

Context


Procedure

Step 1 Run:

system-view


Step 2 Run:

e-trunk e-trunk-id

The E-Trunk view is displayed.

Step 3 Run:

peer-address peer-ip-address source-address source-ip-address

The local and peer IP addresses of the E-Trunk are configured.

The peer IP address of the local device is the local IP address of the peer device. For example,

an E-Trunk is set up between device A and device B. On device A, the peer IP address is 2.2.2.2

and the local IP address is 1.1.1.1. Then, on device B, the peer IP address is 1.1.1.1 and the local

IP address is 2.2.2.2.

----End

2.5.5 Binding an E-Trunk to a BFD SessionIf the local device in an E-Trunk cannot detect whether the peer device is faulty by sending E-

Trunk packets, it can use the Bidirectional Fast Detection (BFD) protocol to detect faults on the

peer device. Each E-Trunk needs to be configured with a peer IP address. You can create a BFD

session to check whether the route to the peer is reachable. The E-Trunk can detect faults reported

by the BFD session and handles the faults quickly.


Procedure






28




Step 2 Run:

e-trunk e-trunk-id

The E-Trunk view is displayed.Step 3 Run:

e-trunk track bfd-session session-id

The E-Trunk is bound to a BFD session.

BFD sessions are used to fast detect the fault of the control link between the two devices of the

E-Trunk.

----End

2.5.6 Adding an Eth-Trunk to an E-Trunk

After configuring an E-Trunk, you must add Eth-Trunks to the E-Trunk to implement link aggregation between the two devices. In this manner, backup of aggregation groups is

implemented between devices and the network reliability is enhanced.

Context


Procedure

Step 1 Run:

system-view


Step 2 Run:



Only static LACP Eth-Trunks can be added to an E-Trunk.

Step 3 Run:

e-trunk e-trunk-id

The Eth-Trunk is added to an E-Trunk.

An Eth-Trunk can be added to only one E-Trunk.

On the two devices in an E-Trunk, the IDs of the Eth-Trunks added to the E-Trunk must be the

same. For example, if you add Eth-Trunk 1 and Eth-Trunk 2 to E-Trunk 1 on device A, you must

also add Eth-Trunk 1 and Eth-Trunk 2 to E-Trunk 1 on device B.

----End

2.5.7 (Optional) Configuring the Working Mode of an Eth-Trunk inan E-Trunk

You can configure the working mode of an Eth-Trunk only after adding the Eth-Trunk to an E-Trunk. The working mode of an Eth-Trunk can be automatic, forced master, or forced backup.





29



Context



system-view


Step 2 Run:



Only static LACP Eth-Trunks can be added to an E-Trunk.

Step 3 Run:e-trunk mode { auto | force-master | force-backup }

The working mode of the Eth-Trunk in the E-Trunk is configured.

By default, an Eth-Trunk works in automatic mode in an E-Trunk.

The e-trunk mode command is valid only for an Eth-Trunk in an E-Trunk. When the Eth-Trunk

exits from the E-Trunk, the configuration is cancelled.

When the Eth-Trunk works in automatic mode, the master/backup status of the Eth-Trunk is

determined by the E-Trunk status of the local device and the fault information of the peer Eth-

Trunk.

l If the local E-Trunk is the master, the local Eth-Trunk works in master state.

l If the local E-Trunk is the backup and the peer Eth-Trunk is faulty, the local Eth-Trunk works

in master state. When the local Eth-Trunk receives the message informing that the peer Eth-

Trunk recovers, the local Eth-Trunk becomes the backup.

When the E-Trunk works properly, changing the interval for sending packets or timeout of hello

packets make the E-Trunk alternate between the master state and the backup state. Therefore, it

is recommended that you set the working mode of a member Eth-Trunk to forcible master/backup

before changing the interval for sending packets or the timeout of hello packets. After new

configurations take effect, you can restore the working mode to automatic.

----End

2.5.8 (Optional) Setting the Password

An encrypted password can be set to enhance the system security. The encrypted passwords set

on the two devices of an E-Trunk must be the same.

Context

You can encrypt the password in plain text or cipher text.

l When the password is encrypted in plain text, it can be displayed in the configuration file.

l When the password is encrypted in cipher text, it is displayed as unidentifiable characters.






30



Procedure

Step 1 Run:

system-view


Step 2 Run:

e-trunk e-trunk-id


Step 3 Run:

security-key { simple simple-key | cipher cipher-key }

The password for encrypting packets is configured.

CAUTION

If simple is selected, the password is saved in the configuration file in plain text. In this case,

users at a lower level can easily obtain the password by viewing the configuration file. This

brings security risks. Therefore, it is recommended that you select cipher to save the password

in cipher text.

----End

2.5.9 (Optional) Setting the Timeout of Hello Packets

If the backup device in an E-Trunk does not receive any hello packet from the peer device within

the timeout interval, it becomes the master device. The timeout interval here refers to the timeout

interval contained in the hello packets sent by the peer device rather than that set on the local

device.

Context


Procedure

Step 1 Run:

system-view


Step 2 Run:

e-trunk e-trunk-id


Step 3 Run:

timer hello hello-times

The interval for sending Hello packets is set.





31



By default, the value of hello-times is 10. Since the unit is 100 ms, the interval for sending hello

packets is 1s.

Step 4 Run:

timer hold-on-failure multiplier multiplier

The time multiplier for detecting Hello packets is set.

The peer device checks the timeout interval contained in the received packet to check whether

the local device times out. If the peer device is the backup and does not receive hello packets

from the local device within the timeout interval, the peer device becomes the master.

Timeout interval = Interval for sending hello packets x Time multiplier. It is recommended that

you set the time multiplier to at least 3.

By default, the time multiplier for detecting hello packets is 20.

----End

2.5.10 (Optional) Setting the Revertive Switching Delay

After the revertive switching delay is set, the local Eth-Trunk must wait until the delay timer

times out to become the master again after it recovers from a fault. This delays the revertive

switching of the service traffic, ensuring uninterrupted forwarding of the service traffic.

Context

If an E-Trunk works with other services, after the master device recovers from a fault, the status

of the member Eth-Trunk on the master device may be restored before other services are restored.

If traffic is immediately switched back to the master device, service traffic will be interrupted.

After the revertive switching delay is set, the local Eth-Trunk becomes Up only after the delay

timer times out. Then the local device becomes the master again. This delays the revertive

switching of the service traffic, thus ensuring uninterrupted forwarding of the service traffic.


Procedure

Step 1 Run:

system-view


Step 2 Run:

e-trunk e-trunk-id


Step 3 Run:

timer revert delay delay-value

The revertive switching delay is set.

By default, the revertive switching delay of an E-Trunk is 120 seconds.

----End





32




After configuring an E-Trunk, you can view information about the E-Trunk, including its

priority, system ID, local IP address, peer IP address, revertive switching delay, master/backup

status, and cause of status change.

Procedure

l Run the display e-trunk e-trunk-id command to view information about the E-Trunk.

----End

2.6 Maintaining Link Aggregation

This section describes how to clear the statistics of received and sent LACP packets, debug the

link aggregation group, and monitor the running status of the link aggregation group.

2.6.1 Clearing Statistics of LACP Packets

Context

CAUTION

The statistics of LACP packets cannot be restored after you clear them. So, confirm the action before you use the command.

Procedure

l Run the reset lacp statistics eth-trunk [ trunk-id ] command to clear statistics of received

and sent LACP packets.

----End

2.6.2 Debugging the Link Aggregation Group

Context

CAUTION



When a running fault occurs in the link aggregation group, run the following debuggingcommands in the user view to check the debugging information, and locate and analyze the fault.





33



Procedure

l Run the debugging trunk error command to enable the debugging of Eth-Trunk errors.

l Run the debugging trunk event command to enable the debugging of Eth-Trunk events.

lRun the debugging trunk lacp-pdu command to enable the debugging of LACP packets.

l Run the debugging trunk lagmsg command to enable the debugging of LACP protocol

messages.

l Run the debugging trunk msg command to enable the debugging of Eth-Trunk messages.

l Run the debugging trunk state-machine command to enable the debugging of Eth-Trunk

status machine.

l Run the debugging trunk updown command to enable the debugging of Eth-Trunk Up

and Down messages.

l Run the debugging trunk command to enable the debugging of Eth-Trunk messages.

----End

2.6.3 Monitoring the Operation Status of the Link AggregationGroup

Context

During the daily maintenance, you can run the following commands in any view to check the

operation status of the link aggregation group.

Procedurel Run the display eth-trunk [ trunk-id [ interface interface-type interface-number ] ]

command to display the status of the link aggregation group.

l Run the display lacp statistics eth-trunk [ trunk-id [ interface interface-type interface-

number ] ] command to display the statistics of sent and received LACP packets.



----End

2.7 Configuration ExamplesThis section provides several configuration examples of link aggregation in manual load

balancing mode and in static LACP mode.

2.7.1 Example for Configuring Link Aggregation in Manual LoadBalancing Mode


As shown in Figure 2-5, the Switch is connected to the SwitchA through an Eth-Trunk. Thelink between the Switch and SwitchA must ensure high reliability.





34



Figure 2-5 Networking diagram for configuring link aggregation in manual load balancing mode

Switch

Eth-Trunk 1

LAN Switch

XGE0/0/1

VLAN 100-150

E t h - T r

u n k

Eth-Trunk 1

XGE0/0/3XGE0/0/4

XGE0/0/2

VLAN 151-200

SwitchA

LAN Switch



1. Create an Eth-Trunk.

2. Add member interfaces to the Eth-Trunk.

Data Preparation


l Number of the Eth-Trunk

l Types and numbers of the member interfaces in the Eth-Trunk

Procedure

Step 1 Create an Eth-Trunk.

# Create Eth-Trunk 1.


[Quidway] sysname Switch

[Switch] interface eth-trunk 1

[Switch-Eth-Trunk1] quit

Step 2 Add member interfaces to the Eth-Trunk.





35



# Add XGE 0/0/3 to Eth-Trunk 1.

[Switch] interface xgigabitethernet 0/0/3

[Switch-XGigabitEthernet0/0/3] eth-trunk 1

[Switch-XGigabitEthernet0/0/3] quit

# Add XGE 0/0/4 to Eth-Trunk 1.


[Switch-XGigabitEthernet0/0/4] eth-trunk 1


Step 3 Configure Eth-Trunk 1.

# Configure Eth-Trunk 1 to allow packets of VLANs 100 to 200 to pass through.

[Switch] interface eth-trunk 1

[Switch-Eth-Trunk1] port link-type trunk

[Switch-Eth-Trunk1] port trunk allow-pass vlan 100 to 200

[Switch-Eth-Trunk1] quit


Run the display trunkmembership command in any view to check whether Eth-Trunk 1 is

created and whether member interfaces are added.

[Switch] display trunkmembership eth-trunk 1

Trunk ID: 1

used status: VALID

TYPE: ethernet

Working Mode : Normal

Number Of Ports in Trunk = 2

Number Of UP Ports in Trunk = 2

operate status: up

Interface XGigabitEthernet0/0/3, valid, operate up, weight=1,

Interface XGigabitEthernet0/0/4, valid, operate up, weight=1,

# Display the configuration of Eth-Trunk 1.

[Switch] display eth-trunk 1

Eth-Trunk1's state information is:

WorkingMode: NORMAL Hash arithmetic: According to SA-XOR-DA

Least Active-linknumber: 1 Max Bandwidth-affected-linknumber: 8

Operate status: up Number Of Up Port In Trunk: 2

--------------------------------------------------------------------------------

PortName Status Weight

XGigabitEthernet0/0/3 Up 1

XGigabitEthernet0/0/4 Up 1

The preceding information indicates that Eth-Trunk 1 consists of member interfaces XGE 0/0/3

and XGE 0/0/4. The member interfaces are both in Up state.

----End

Configuration Files


#

sysname Switch

#

interface Eth-Trunk1

port link-type trunk

port trunk allow-pass vlan 100 to 200

#

interface XGigabitEthernet0/0/3eth-trunk 1





36



#


eth-trunk 1

#

return

2.7.2 Example for Configuring Link Aggregation in Static LACPMode


To improve the bandwidth and the connection reliability, configure the link aggregation group

on two directly connected Switches, as shown in Figure 2-6. The requirements are as follows:

l M active links can implement load balancing.

l N links between two Switches can carry out redundancy backup. When a fault occurs onan active link, the backup link replaces the faulty link to keep the reliability of data

transmission.

Figure 2-6 Networking diagram for configuring link aggregation in static LACP mode

SwitchB

Eth-Trunk 1

SwitchA

Eth-Trunk 1

Eth-Trunk Active link

Backup link

XGE 0/0/1XGE 0/0/2XGE 0/0/3

XGE 0/0/2XGE 0/0/1

XGE 0/0/3



1. Create an Eth-Trunk on the Switch and configure the Eth-Trunk to work in static LACP

mode.

2. Add member interfaces to the Eth-Trunk.

3. Set the system priority and determine the Actor.

4. Set the upper threshold of the active interfaces.

5. Set the priority of the interface and determine the active link.

Data Preparation


l Numbers of the link aggregation groups on the Switches

l System priority of SwitchA

l Upper threshold of active interfaces

l LACP priority of the active interface





37



Procedure

Step 1 Create Eth-Trunk 1 and set the load balancing mode of the Eth-Trunk to static LACP mode.

# Configure SwitchA.


[Quidway] sysname SwitchA

[SwitchA] interface eth-trunk 1

[SwitchA-Eth-Trunk1] bpdu enable

[SwitchA-Eth-Trunk1] mode lacp-static

[SwitchA-Eth-Trunk1] quit

# Configure SwitchB.


[Quidway] sysname SwitchB

[SwitchB] interface eth-trunk 1

[SwitchB-Eth-Trunk1] bpdu enable

[SwitchB-Eth-Trunk1] mode lacp-static

[SwitchB-Eth-Trunk1] quit

Step 2 Add member interfaces to the Eth-Trunk.

# Configure SwitchA.

[SwitchA] interface xgigabitethernet 0/0/1

[SwitchA-XGigabitEthernet0/0/1] eth-trunk 1

[SwitchA-XGigabitEthernet0/0/1] quit







# Configure SwitchB.

[SwitchB] interface xgigabitethernet 0/0/1

[SwitchB-XGigabitEthernet0/0/1] eth-trunk 1

[SwitchB-XGigabitEthernet0/0/1] quit







Step 3 Set the system priority on SwitchA to 100 so that SwitchA becomes the Actor.

[SwitchA] lacp priority 100

Step 4 Set the upper threshold M of active interfaces on SwitchA to 2.

[SwitchA] interface eth-trunk 1

[SwitchA-Eth-Trunk1] max active-linknumber 2

[SwitchA-Eth-Trunk1] quit

Step 5 Set the priority of the interface and determine active links on SwitchA.


[SwitchA-XGigabitEthernet0/0/1] lacp priority 100



[SwitchA-XGigabitEthernet0/0/2] lacp priority 100







38



# Check information about the Eth-Trunk of the Switches and check whether the negotiation is

successful on the link.

[SwitchA] display eth-trunk 1


Local:

LAG ID: 1 WorkingMode: STATIC

Preempt Delay: Disabled Hash arithmetic: According to SA-XOR-DA

System Priority: 100 System ID: 00e0-fca8-0417

Least Active-linknumber: 1 Max Active-linknumber: 2

Operate status: Up Number Of Up Port In Trunk: 2

------------------------------------------------------------------------------

ActorPortName Status PortType PortPri PortNo PortKey PortState

Weight

XGigabitEthernet0/0/1 Selected 10GE 100 6145 2865 11111100

1


1

XGigabitEthernet0/0/3 Unselect 10GE 32768 6147 2865 11100000

1

Partner: ------------------------------------------------------------------------------

PartnerPortName SysPri SystemID PortPri PortNo PortKey PortState

XGigabitEthernet0/0/1 32768 00e0-fca6-7f85 32768 6145 2609

11111100


11111100


11110000

[SwitchB] display eth-trunk 1


Local:

LAG ID: 1 WorkingMode: STATIC

Preempt Delay: Disabled Hash arithmetic: According to SA-XOR-DA

System Priority: 32768 System ID: 00e0-fca6-7f85

Least Active-linknumber: 1 Max Active-linknumber: 8

Operate status: Up Number Of Up Port In Trunk: 2

------------------------------------------------------------------------------

ActorPortName Status PortType PortPri PortNo PortKey PortState

Weight


1


1

XGigabitEthernet0/0/3 Unselect 10GE 32768 6147 2609 11100000

1

Partner:

------------------------------------------------------------------------------

PartnerPortName SysPri SystemID PortPri PortNo PortKey

PortState XGigabitEthernet0/0/1 100 00e0-fca8-0417 100 6145 2865

11111100

XGigabitEthernet0/0/2 100 00e0-fca8-0417 100 6146 2865

11111100

XGigabitEthernet0/0/3 100 00e0-fca8-0417 32768 6147 2865

11110000

The preceding information shows that the system priority of SwitchA is 100 and it is higher than

the system priority of SwitchB. Member interfaces XGE0/0/1 and XGE0/0/2 become the active

interfaces and are in Selected state. Interface XGE0/0/3 is in Unselect state. M active links work

in load balancing mode and N links are the backup links.

----End





39



Configuration Files

l Configuration file of SwitchA

#

sysname SwitchA

# lacp priority 100

#


mode lacp-static

max active-linknumber 2

#


eth-trunk 1

lacp priority 100

#


eth-trunk 1

lacp priority 100

#


eth-trunk 1#

return

l Configuration file of SwitchB

#

sysname SwitchB

#


mode lacp-static

#


eth-trunk 1

#


eth-trunk 1#


eth-trunk 1

#

return





40



3 VLAN Configuration

About This Chapter

Virtual Local Area Networks (VLANs) have advantages of broadcast domain isolation, security

enhancement, flexible networking, and good extensibility.

3.1 Introduction

The VLAN technology is important for forwarding on Layer 2 networks. This section describes

the background, functions, and advantages of the VLAN technology.

3.2 VLAN Features Supported by the S6700

This section describes VLAN features supported by the S6700 to help you understand VLAN

configurations.

3.3 Dividing a LAN into VLANs

A LAN can be divided into several VLANs and users in each VLAN can communicate with

each other. Currently, the S6700 supports several VLAN division modes. You can choose one

of them as required.

3.4 Creating a VLANIF Interface

VLANIF interfaces are Layer 3 logical interfaces. After creating VLANIF interfaces on Layer

2 devices, you can configure Layer 3 features on these interfaces.

3.5 Configuring Inter-VLAN Communication

Configuring inter-VLAN communication allows users in different VLANs to communicate with

each other. Currently, the S6700 supports several inter-VLAN communication schemes. Chooseone of them as required.

3.6 Configuring VLAN Aggregation to Save IP Addresses

VLAN aggregation prevents the waste of IP addresses and implements inter-VLAN

communication.

3.7 Configuring a MUX VLAN to Separate Layer 2 Traffic

Configuring a MUX VLAN allows users in different VLANs to communicate with each other,

and separates users in a certain VLAN.

3.8 Configuring a Voice VLAN to Transmit Voice Data

A voice VLAN is used to transmit voice data.

3.9 Configuring an mVLAN to Implement Integrated Management


Configuration Guide - Ethernet 3 VLAN Configuration



41



Configuring an mVLAN allows users to use the IP address of the VLANIF interface

corresponding to the mVLAN to log in to a management switch to manage devices attached to

the switch.

3.10 Maintaining VLAN

A command of clearing statistics helps to locate the faults in a VLAN.


This section provides several examples of VLAN configuration.





42



3.1 Introduction

The VLAN technology is important for forwarding on Layer 2 networks. This section describes

the background, functions, and advantages of the VLAN technology.

Overview of VLAN

The Ethernet technology is for sharing communication mediums and data based on the Carrier

Sense Multiple Access/Collision Detect (CSMA/CD). If there are a large number of PCs on an

Ethernet network, collision becomes a serious problem and can lead to broadcast storms. As a

result, network performance deteriorates. This can even cause the Ethernet network to become

unavailable. Switches can be used to interconnect local area networks (LANs). Switches forward

information received by inbound ports to specified outbound ports, thereby preventing access

collision in a shared medium. If no specified outbound port is found for information received

by an inbound port, the switch will forward the information from all ports except the inbound port. This forms a broadcast domain.

To prevent broadcast domains from being too broad and causing problems, you can divide a

network into segments. In this manner, a large broadcast domain is divided into multiple small

broadcast domains to confine the possible scope of broadcast packets. Routers can be deployed

at the network layer to separate broadcast domains, but this method has disadvantages, which

include: com plex networ k planning, inflexible networking, and high levels of expenditure. The

Virtual Local Area Network (VLAN) technology can divide a large Layer 2 network into

broadcast domains to prevent broadcast storms and protect network security.

Definition of VLAN

The VLAN technology is used to divide a physical LAN into multiple logical broadcast domains,

each of which is called a VLAN. Each VLAN contains a group of PCs that have the same

requirements. A VLAN has the same attributes as a LAN. PCs of a VLAN can be placed on

different LAN segments. If two PCs are located on one LAN segment but belong to different

VLANs, they do not broadcast packets to each other. With VLAN, the broadcast traffic volume

is reduced; fewer devices are required; network management is simplified; and network security

is improved.

Figure 3-1 shows a typical VLAN application. Three switches are placed in different locations,

for example, different stories of an office building. If each enterprise builds up a LAN, a high

level of expenditure is required. If enterprises in the office building use the existing LAN,

enterprise information security cannot be guaranteed. The VLAN technology allows enterprises

to share LAN facilities and ensures information security for each enterprise network.





43



Figure 3-1 Schematic diagram for a typical VLAN application

VLAN-A

VLAN-B

VLAN-C

Router

Switch1 Switch2 Switch3

This application shows the following VLAN advantages:

l Broadcast domains are confined. A broadcast domain is confined to a VLAN. This saves

bandwidth and improves network processing capabilities.

l Network security is enhanced. Packets from different VLANs are separately transmitted.

PCs in one VLAN cannot directly communicate with PCs in another VLAN.

l Network robustness is improved. A fault in a VLAN does not affect PCs in other VLANs.

l Virtual groups are set up flexibly. With the VLAN technology, PCs in different

geographical areas can be grouped together. This facilitates network construction and

maintenance.

Basic VLAN Concepts and Principles

l 802.1Q and VLAN frame format

A conventional Ethernet frame is encapsulated with the Length/Type field for an upper-

layer protocol following the Destination address and Source address fields, as shown in

Figure 3-2.

Figure 3-2 Conventional Ethernet frame format

2bytes6bytes 6bytes 46-1500bytes 4bytes

Destination

address

Source

addressLength/Type Data FCS

IEEE 802.1Q is an Ethernet networking standard for a specified Ethernet frame format. It

adds a 32-bit field between the Source address and the Length/Type fields of the originalframe, as shown in Figure 3-3.





44



Figure 3-3 802.1Q frame format

2bytes 3bits 12bits1bit

4bytes 2bytes

802.1Q

TagData FCS

TPID PRI CFI VID

6bytes 6bytes 42-1500bytes 4bytes

Destination

address

Source

address

Length/Type

– Tag Protocol Identifier (TPID): a 16-bit field set to a value of 0x8100 in order to identify

the frame as an IEEE 802.1Q-tagged frame. If an 802.1Q-incapable device receives an

802.1Q frame, it will discard the frame.

– Priority (PRI): a 3-bit field which indicates the frame priority. The value ranges from 0

to 7. The greater the value, the higher the priority. These values can be used to prioritize

different classes of traffic to ensure that frames with high priorities are transmitted first

when traffic is heavy.

– Canonical Format Indicator (CFI): a 1-bit field. If the value of this field is 1, the MAC

address is in the non-canonical format. If the value is 0, the MAC address is in the

canonical format. CFI is used to ensure compatibility between Ethernet networks and

Token Ring networks. It is always set to zero for Ethernet switches.

– VLAN Identifier (VID): a 12-bit field specifying the VLAN to which the frame belongs.

On the S6700, VLAN IDs range from 0 to 4095. The values 0 and 4095 are reserved,

and therefore VLAN IDs range from 1 to 4094.

Each frame sent by an 802.1Q-capable switch carries a VLAN ID. On a VLAN, Ethernet

frames are classified into the following types:

– Tagged frames: frames with 32-bits 802.1Q tags.

– Untagged frames: frames without 32-bits 802.1Q tags.

l VLAN division methods

Table 3-1 shows VLAN division methods.

Table 3-1 VLAN division methods

VLANDivisionMethod

Definition

Port-based

VLAN division

VLANs are configured based on ports on a switch. For example, ports

1 to 4 on a switch are added to VLAN 2; ports 5 to 8 are added to

VLAN 3.

Ports on different Ethernet switches can be added to one VLAN. For

example, ports 1 to 4 on switch A and ports 3 to 6 on switch B can

be added to the same VLAN.

Each switch maintains a VLAN mapping table that records mappings

between local ports and VLANs.





45



VLANDivisionMethod

Definition

MAC address-

based VLAN

division

PCs are added to VLANs based on their MAC addresses.

A switch maintains a VLAN mapping table that records mappings

between MAC addresses and VLANs.

IP subnet-based

VLAN division

VLANs are configured based on IP addresses of PCs. PCs belonging

to one IP subnet are added to the same VLAN.


between IP subnets and VLANs.

Protocol-based

VLAN division

VLANs are configured based on the Length/Type fields in Layer 2

frames. Currently, IPv4, IPv6, IPX, or AppleTalk can be specified in

the Length/Type field of a Layer 2 frame to indicate the running

network protocol.A switch maintains a VLAN mapping table that records mappings

between protocols and VLANs.

Policy-based

VLAN division

PCs are added to VLANs based on their MAC and IP addresses.


between MAC addresses, IP addresses, interfaces, and VLANs.

l Type of VLAN links

Figure 3-4 Schematic diagram for VLAN links

Trunk link

CE1 CE2

PC3

VLAN3 VLAN3PC4

PC1

VLAN2 VLAN2

PC2

3

2

3

2

2

3

Access link

Access link

Trunk link

PE

As shown in Figure 3-4, there are the following types of VLAN links:





46



– Access link: connects a PC to a switch. Generally, a PC does not know which VLAN

it belongs to, and PC hardware cannot distinguish frames with VLAN tags. Therefore,

PCs send and receive only untagged frames.

– Trunk link: connects a switch to another switch or to a router. Data of different VLANs

are transmitted along a trunk link. The two ends of a trunk link must be able to distinguishframes with VLAN tags. Therefore, only tagged frames are transmitted along trunk

links.

l Port types

Table 3-2 lists VLAN port types.

Table 3-2 Port types

PortType

Method ofProcessing Received

Untagged Frames

Method ofProcessing Received

TaggedFrames

Method ofSending Frames

Application

Access

port

Accepts an untagged

frame and adds a tag

with the default

VLAN ID to the

frame.

l Accepts a

tagged

frame if the

VLAN ID

carried in

the frame is

the same as

the default

VLAN ID.

l Discards atagged

frame if the

VLAN ID

carried in

the frame is

different

from the

default

VLAN ID.

Removes the tag

from a frame and

sends the frame.

An access port

connects a

switch to a PC

and can be

added to only

one VLAN.





47



PortType

Method ofProcessing ReceivedUntagged Frames

Method ofProcessing ReceivedTagged

Frames


Application

Trunk

port

l Adds a tag with

the default

VLAN ID to an

untagged frame

and accepts the

frame if the port

permits the

default VLAN

ID.

l Adds a tag with

the defaultVLAN ID to an

untagged frame

and discards the

frame if the port

denies the default

VLAN ID.

l Accepts a

tagged

frame if the

port permits

the VLAN

ID carried in

the frame.

l Discards a

tagged

frame if the

port deniesthe VLAN

ID carried in

the frame.

l Removes the

tag from a

received

frame and

sends the

frame if the

VLAN ID

carried in the

frame is the

same as the

defaultVLAN ID

and

permitted by

the port.

l Directly

sends a

received

frame if the

VLAN ID

carried in the

frame is

differentfrom the

default

VLAN ID

but permitted

by the port.

A trunk port

can be added to

multiple

VLANs to send

and receive

frames for these

VLANs. A

trunk port

connects a

switch to

another switchor to a router.

Hybrid

port

Sends a received

frame if the port

permits the

VLAN ID

carried in the

frame. Aspecified

command can be

used to

determine

whether a hybrid

port sends

frames with or

without tags.

A hybrid port

can be added to

multiple

VLANs to send

and receive

frames for theseVLANs. A

hybrid port can

connect a

switch to a PC

or connect a

network device

to another

network

device.





48



PortType

Method ofProcessing ReceivedUntagged Frames

Method ofProcessing ReceivedTagged

Frames


Application

QinQ

port

QinQ ports are enabled with the IEEE 802.1QinQ protocol. A QinQ port adds

a tag to a single-tagged frame, and thus supports a maximum of 4094 x 4094

VLAN tags, which meets the requirement of a Networkfor the number of

VLANs.

Each access, trunk, hybrid, or QinQ port can be configured with a default VLAN, namely,

the port default VLAN ID (PVID) to specify the VLAN to which the port belongs.

– The PVID of an access port indicates the VLAN to which the port belongs.

– As a trunk or hybrid port can be added to multiple VLANs, the port must be configured

with PVIDs.

By default, a port is added to VLAN 1.

l Principle for data switching in a VLAN

Use the network shown in Figure 3-4 as an example. If PC 1 in VLAN 2 intends to send

data to PC 2, the data is forwarded as follows:

1. An access port on CE 1 receives an untagged frame from PC 1 and adds a PVID

(VLAN 2) to the frame. CE 1 searches the MAC address table for an outbound port.

NOTE

Assume that VLANs are configured based on MAC addresses. After an access port on CE 1

receives an untagged frame from PC 1, the port checks the VLAN mapping table for a VLAN

ID corresponding to the source MAC address, and adds a tag with the obtained VLAN ID to

the frame.

2. After the trunk port on CE 1 and PE receives the frame, the port checks whether the

VLAN ID carried in the frame is the same as that configured on the port. If the VLAN

ID has been configured on the port, the port transparently transmits the frame to CE

2. If the VLAN ID is not configured on the port, the port discards the frame.

3. After a trunk port on CE 2 receives the frame, the system searches the MAC address

table for an outbound port.

4. After the frame is sent to the access port connecting CE 2 to PC 2, the port checks that

the VLAN ID carried in the frame is the same as that configured on the port. The portthen removes the tag from the frame and sends the untagged frame to PC 2.

l VLANIF interface

A VLANIF interface is a Layer 3 logical interface, which can be configured on either a

Layer 3 switch or a router.

Layer 3 switching combines routing and switching techniques to implement routing on a

switch, thus improving the overall network performance. After sending the first data flow,

a Layer 3 switch generates mappings between MAC addresses and IP addresses. To send

the same data flow, the switch directly sends the data flow at Layer 2 but not Layer 3 based

on this mapping table. In this manner, delays on the network caused by route selection are

eliminated, thus improving data forwarding efficiency. Layer 3 switches have bothswitching and routing functions.





49



To allow that new data flows are correctly forwarded based on the routing table, be sure

that the routing table's routing entries are correct. Therefore, VLANIF interfaces and

routing protocols must be configured on Layer 3 switches for reachable Layer 3 routes.

NOTE

Key points are summarized as follows:

l A PC does not need to know the VLAN to which it belongs. It sends only untagged frames.

l After receiving an untagged frame from a PC, a switching device determines the VLAN to which

the frame belongs. The determination is based on the configured VLAN division method such as port

information, and then the switching device processes the frame accordingly.

l If the frame needs to be forwarded to another switching device, the frame must be transparently

transmitted along a trunk link. Frames transmitted along trunk links must carry VLAN tags to allow

other switching devices to properly forward the frame based on the VLAN information.

l Before sending the frame to the destination PC, the switching device connected to the destination PC

removes the VLAN tag from the frame to ensure that the PC receives an untagged frame.

Generally, only tagged frames are transmitted on trunk links; only untagged frames are transmitted on

access links. In this manner, switching devices on the network can properly process VLAN informationand PCs are not concerned about VLAN information.

3.2 VLAN Features Supported by the S6700

This section describes VLAN features supported by the S6700 to help you understand VLAN

configurations.

The VLAN technology helps set up virtual groups to separate broadcast domains and implements

both intra-VLAN and inter-VLAN communication.

1. After VLANs are configured, users in a VLAN can communicate with each other.2. In addition to intra-VLAN communication, users in different VLANs need to communicate

with each other sometimes.

NOTE

Intra-VLAN communication and inter-VLAN communication are basic VLAN functions.

3. The following VLAN features are also supported to meet requirements of special

applications and extended functions:

l VLAN aggregation: prevents the waste of IP addresses and implements inter-VLAN

communication.

l MUX VLAN: provides a mechanism to isolate Layer 2 traffic between interfaces in a

VLAN.

l Voice VLAN: select voice data packets from various packets and changes the priority

of voice data packets to improve the voice data transmission quality.

l Management VLAN (mVLAN): helps implement integrated management by using a

remote device. A user can use the IP address of the VLANIF interface corresponding

to the mVLAN to telnet to a management switch.

VLAN Assignment

VLAN assignment is a basic VLAN configuration. After VLANs are configured, users in a

VLAN can communicate with each other. VLANs are configured in different manners, as shown

in Table 3-3.





50



Table 3-3 VLAN assignment in different usage scenarios

VLANAssignmentMethod

Advantage Disadvantage Usage Scenario

Port-based

VLAN

assignment

The configuration is

simple. It is the most

common VLAN

assignment method.


not flexible. If a port

needs to transmit

frames of another

VLAN, the port must

be deleted from the

original VLAN and

added to the new

VLAN. For a network

having a large number

of traveling users, the

network administrator needs to spend more

time on maintenance.

Port-based VLAN

assignment is applicable

to large-scale networks

that do not have high

security requirements.

MAC address-

based VLAN

assignment

If a user travels from

one place to another,

the user does not need

to be added to a new

VLAN. This improves

security and flexibility

for terminal users.

A network

administrator needs to

configure a switch

with a MAC address

associated with a

specific VLAN. For a

network with a large

number of terminals,

configuration will takethe network

administrator a lot of

work before VLAN-

based communication

can be enabled.

MAC address-based

VLAN assignment is

applicable to networks

that have high security

requirements and many

traveling users.

IP subnet-

based VLAN

assignment

IP subnet-based and

protocol-based VLAN

assignment are both

called network layer-

based VLAN

assignment. Network layer-based

VLAN assignment

greatly reduces the

workload of manual

configurations and

allows users to easily

join a VLAN, move

from one VLAN to

another VLAN, or

leave a VLAN.

Switches need to parse

the source IP addresses

of packets and convert

them into MAC

addresses. This slows

down the response of switches.

IP subnet-based VLAN


to networks that have

traveling users and

require simple

management.

Protocol-

based VLAN

assignment

Switches need to

analyze protocol

address formats and

convert between them.

This slows down the

response of switches.

Currently, VLANs can

be configured based on

AppleTalk, IPv4, IPv6,

or IPX.





51





Policies-based

VLAN

assignment

MAC and IP

addresses-based or

MAC addresses, IP

addresses and

interfaces-based

VLAN assignment is

of high security. This

VLAN assignment

method does not allow

users to change MAC

addresses or IP

addresses based on

which VLANs areconfigured.

Compared with other

VLAN assignment

methods, policies-

based VLAN

assignment has the

highest priority.

Each policy needs to

be manually

configured.

Policies-based VLAN


to small-scale networks

that have strict security

requirements and a large

number of traveling

users.

Inter-VLAN CommunicationAfter VLANs are configured, users in a VLAN can communicate with each other. Users in

different VLANs cannot directly communicate with each other. Table 3-4 lists schemes for inter-

VLAN communication.





52



Table 3-4 Schemes for inter-VLAN communication

Inter-VLANCommunication Scheme


VLANIF

interface

After VLANIF

interfaces are

configured, users in

different VLANs and

network segments can

communicate with

each other as long as

routes are reachable.

Inter-VLAN

communication can

also be implemented by

Layer 3 switches if


This scheme boasts of

low operating costs.

If multiple users on a

network belong to

different VLANs, each

VLAN requires a

VLANIF interface.

Each VLANIF interface

needs to be assigned an

IP address. This

increases configuration

workload and uses a lot

of IP addresses.

This scheme is

applicable to small-

scale networks on

which users belong to

different network

segments and IP

addresses of these

users are seldom

changed.

VLAN Aggregation

To implement inter-VLAN communication on switches, configure IP addresses for the VLANIF

interfaces. When many VLANs are deployed, a great number of IP addresses are occupied.

VLAN aggregation can solve the problem of occupation of excessive IP addresses.

VLAN aggregation means that multiple VLANs are aggregated into a super-VLAN. The VLANs

that form the super-VLAN is called sub-VLANs.

You can create a VLANIF interface for a super-VLAN. Then, you can configure an IP address

only for this interface rather than for each sub-VLAN. All sub-VLANs share the same IP network

segment, which optimizes the use of IP addresses.

MUX VLAN

A MUX VLAN is used to isolate Layer 2 traffic between interfaces in a VLAN. For example,

on an intranet, a user interface can communicate with a server interface, but the user interfaces

cannot communicate with each other.

In MUX VLAN implementation, VLANs are classified in to MUX VLANs and subordinate

VLANs. Subordinate VLANs are classified into subordinate group VLANs and subordinate

separate VLANs.

The MUX VLAN can communicate with the subordinate VLANs, but the subordinate VLANs

cannot communicate with each. Interfaces in a subordinate group VLAN can communicate with

each other, but interfaces in a subordinate separate VLAN cannot communicate with each other.

You can implement inter-device MUX VLAN by configuring the same MUX VLAN on multiple

devices and configuring interfaces between the devices to allow packets of the MUX VLAN.

Implementation of inter-device MUX VLAN is the same as the implementation of MUX VLANon a single device.





53



3.3 Dividing a LAN into VLANs

A LAN can be divided into several VLANs and users in each VLAN can communicate with

each other. Currently, the S6700 supports several VLAN division modes. You can choose one

of them as required.


Before dividing a LAN into VLANs, familiarize yourself with the applicable environment,

complete the pre-configuration tasks, and obtain the data required for the configuration. This

will help you complete the configuration task quickly and accurately.


Currently, the S6700 supports the following VLAN division modes. You can choose one of themas required. Table 3-5 lists VLAN division modes.

Table 3-5 VLAN assignment in different usage scenarios



Port-based

VLAN

assignment


simple. It is the most

common VLAN

assignment method.


not flexible. If a port

needs to transmit

frames of another VLAN, the port must

be deleted from the

original VLAN and

added to the new

VLAN. For a network

having a large number

of traveling users, the

network administrator

needs to spend more

time on maintenance.

Port-based VLAN


to large-scale networks

that do not have highsecurity requirements.





54





MAC address-

based VLAN

assignment

If a user travels from

one place to another,

the user does not need

to be added to a new

VLAN. This improves

security and flexibility

for terminal users.

A network

administrator needs to

configure a switch

with a MAC address

associated with a

specific VLAN. For a

network with a large

number of terminals,

configuration will take

the network

administrator a lot of

work before VLAN-

based communicationcan be enabled.

MAC address-based

VLAN assignment is

applicable to networks

that have high security

requirements and many

traveling users.

IP subnet-

based VLAN

assignment

IP subnet-based and

protocol-based VLAN

assignment are both

called network layer-

based VLAN

assignment.

Network layer-based

VLAN assignment

greatly reduces the

workload of manualconfigurations and

allows users to easily

join a VLAN, move

from one VLAN to

another VLAN, or

leave a VLAN.

Switches need to parse

the source IP addresses

of packets and convert

them into MAC

addresses. This slows

down the response of

switches.

IP subnet-based VLAN


to networks that have

traveling users and

require simple

management.

Protocol-

based VLAN

assignment

Switches need to

analyze protocol

address formats and

convert between them.

This slows down the

response of switches.

Currently, VLANs can

be configured based on

AppleTalk, IPv4, IPv6,

or IPX.





55





Policies-based

VLAN

assignment

MAC and IP

addresses-based or

MAC addresses, IP

addresses and

interfaces-based

VLAN assignment is

of high security. This

VLAN assignment

method does not allow

users to change MAC

addresses or IP

addresses based on

which VLANs areconfigured.

Compared with other

VLAN assignment

methods, policies-

based VLAN

assignment has the

highest priority.

Each policy needs to

be manually

configured.

Policies-based VLAN


to small-scale networks

that have strict security

requirements and a large

number of traveling

users.

NOTE

In the case that the S6700 supports multiple VLAN division modes, the priorities of these VLAN division

modes are in descending order:

1. Policies-based VLAN division

This mode has the highest priority, but is not commonly used.

2. MAC address-based VLAN division and IP subnet-based VLAN division

By default, MAC address-based VLAN division is set as the preference. You can run commands to

change priorities of these two VLAN division modes.

3. Protocol-based VLAN division

4. Port-based VLAN division

Port-based VLAN division has the lowest priority, but is most commonly used.


Before dividing a LAN into VLANs, complete the following task:

l Connecting ports and configuring physical parameters of the ports, ensuring that the ports

are physically Up

Data Preparation

To dividing a LAN into VLANs, you need the following data.





56



No. Data

1 VLAN ID, number of each Ethernet port to be added to the VLAN, and (optional)

attributes of Ethernet ports

2 (Optional) Priority of each Ethernet port

3 MAC address and IP address mapped to the VLAN and (optional) number of the

Ethernet port added to a VLAN based on its MAC and IP addresses

4 MAC address mapped to the VLAN and (optional) 802.1p priority value related

to the MAC address

5 (Optional) IP subnet index, IP address mapped to the VLAN, and (optional)

802.1p priority value related to the IP address or network segment

6 (Optional) Protocol template index, protocol type mapped to the VLAN, and

(optional) 802.1p priority value related to the protocol

3.3.2 Dividing a LAN into VLANs Based on Ports

Dividing a LAN into VLANs based on ports is the most simple and effective VLAN division

mode.

Context

After VLANs are configured based on ports, the VLANs can process tagged and untagged frames

in the following manners:

l After receiving an untagged frame, a port adds the PVID to the frame, searches the MAC

address table for an outbound port, and sends the tagged frame from the outbound port.

l After a port receives a tagged frame, it checks the VLAN ID carried in the frame:

– If the port allows frames with the specified VLAN ID to pass through, it forwards the

frame.

– If the port does not allow frames with the specified VLAN ID to pass through, it discards

the frame.


1. Create VLANs.

2. Configure the port type and features.

(1) Configure the port type (access, trunk, hybrid, or QinQ).

3. Add ports to VLANs.

Procedure

Step 1 Run:

system-view


Step 2 Run:vlan vlan-id





57



A VLAN is created, and the VLAN view is displayed. If the specified VLAN has been created,

the VLAN view is directly displayed.

The VLAN ID ranges from 1 to 4094. If VLANs need to be created in batches, run the vlan

batch { vlan-id1 [ to vlan-id2 ] } &<1-10> command to create VLANs in batches, and then run

the vlan vlan-id command to enter the view of a specified VLAN.

Step 3 Run:

quit


Step 4 Configure the port type and features.

1. Run the interface interface-type interface-number command to enter the view of an

Ethernet port to be added to the VLAN.

2. Run the port link-type { access | hybrid | trunk | dot1q-tunnel } command to configure

the port type.

By default, the port type is hybrid.

l If a Layer 2 Ethernet port is directly connected to a terminal, set the port type to access

or hybrid. Setting the port type to access is recommended.

l If a Layer 2 Ethernet port is connected to another switch, the port type can be set to

access, trunk, hybrid, or QinQ. Setting the port type to trunk is recommended.

Step 5 Add ports to the VLAN.

Run either of the following commands as needed:

l For access or QinQ ports:

Run the port default vlan vlan-id command to add a port to a specified VLAN.

To add ports to a VLAN in batches, run the port interface-type { interface-number1 [ to

interface-number2 ] } &<1-10> command in the VLAN view.

l For trunk ports:

– Run the port trunk allow-pass vlan { { vlan-id1 [ to vlan-id2 ] } &<1-10> | all }

command to add the port to specified VLANs.

– (Optional) Run the port trunk pvid vlan vlan-id command to specify the default VLAN

for a trunk interface.

l For hybrid ports:

– Run either of the following commands to add a port to VLANs in untagged or tagged

mode:– Run the port hybrid untagged vlan { { vlan-id1 [ to vlan-id2 ] } &<1-10> | all }

command to add a port to VLANs in untagged mode.

In untagged mode, a port removes tags from frames and then forwards the frames.

This is applicable to scenarios in which Layer 2 Ethernet ports are connected to

terminals.

– Run the port hybrid tagged vlan { { vlan-id1 [ to vlan-id2 ] } &<1-10> | all }

command to add a port to VLANs in tagged mode.

In tagged mode, a port forwards frames without removing their tags. This is applicable

to scenarios in which Layer 2 Ethernet ports are connected to switches.

–

(Optional) Run the port hybrid pvid vlan vlan-id command to specify the default VLANof a hybrid interface.





58



By default, all ports are added to VLAN 1.

----End

3.3.3 Dividing a LAN into VLANs Based on MAC AddressesMAC address-based VLAN division is used if user locations do not need to be concerned. This

improves security and flexibility for terminal users.

Context

VLANs configured based on MAC addresses process only untagged frames, and treat tagged

frames in the same manner as VLANs configured based on ports.

After receiving an untagged frame, a port searches for a MAC-VLAN mapping based on the

source MAC address in the frame.

l If a mapping is found, the port forwards the frame based on the VLAN ID and priority

value in the mapping.

l If no matching mapping is found, the port matches the frame with other matching rules.


1. Create VLANs.

2. Map MAC addresses to VLAN IDs.


(1) Set the port type to hybrid.

(2) Configure a port to allow frames with specified VLAN IDs to pass through.

4. (Optional) Configure the highest priority for MAC address-based VLAN division.

NOTE

By default, MAC address-based VLAN division is set as the preference. To use IP subnet-based

VLAN division, set a higher priority for it.

5. Enable MAC address-based VLAN division.

Procedure

Step 1 Run:

system-view


Step 2 Run:

vlan vlan-id






Step 3 Run:

mac-vlan mac-address mac-address [ mac-address-mask | mac-address-mask-length ][ priority priority ]





59



Map a MAC address to the VLAN.

l The mac-address value is in the H-H-H format. H is a hexadecimal number that contains one

to four digits, such as 00e0 and fc01. If an H contains less than four digits, 0s are padded

ahead. For example, if you specify an H as e0, it is displayed as 00e0. A MAC address cannot

be set to all 0s or all Fs.

l The optional parameter priority specifies the 802.1p priority value related to the MAC

addresses. The value ranges from 0 to 7. The greater the value, the higher the priority. The

default value is 0. After the 802.1p priority value is specified, frames with high priorities are

first forwarded when traffic is congested.

Step 4 Run:

quit



1. Run the interface interface-type interface-number command to enter the view of the portto be configured to allow frames with a specified VLAN ID to pass through.

2. Run the port link-type hybrid command to set the port type to hybrid.


3. Run the port hybrid untagged vlan { { vlan-id1 [ to vlan-id2 ] } &<1-10> | all } command

to configure the hybrid port to allow frames with a specified VLAN ID to pass through.

Step 6 (Optional) Run the vlan precedence mac-vlan command to configure a higher priority for MAC

address-based VLAN division.

By default, MAC address-based VLAN division is set as the preference.

Step 7 Run: mac-vlan enable

MAC address-based VLAN division is enabled.

By default, MAC address-based VLAN division is disabled.

NOTE

MAC address-based VLAN assignment conflict with MUX VLAN. They cannot be configured on the same

interface.

----End

3.3.4 Dividing a LAN into VLANs Based on IP SubnetsIP subnet-based and protocol-based VLAN division are called network layer-based VLAN

division, which reduces manual VLAN configuration workload and allows users to easily join

a VLAN, transfer from one VLAN to another, and exit from a VLAN. IP subnet-based VLAN

division is applicable to networks that have traveling users and require simple management.

Context

VLANs configured based on IP subnets process only untagged frames. and treat tagged frames

in the same manner as VLANs configured based on ports.

After receiving untagged frames, a device determines the VLANs to which the frames belong based on their source IP addresses before sending them to corresponding VLANs.





60




1. Create VLANs.

2. Associate IP subnets with VLANs to determine mappings between subnets and VLANs.

3. Configure the port type and features.(1) Set the port type to hybrid.

(2) Configure a port to allow frames with the specified VLAN IDs to pass through.

4. (Optional) Set a higher priority for IP subnet-based VLAN division.

NOTE

By default, MAC address-based VLAN division is set as the preference. To use IP subnet-based

VLAN division, set a higher priority for it.

5. Enable IP subnet-based VLAN division.

Procedure

Step 1 Run:

system-view


Step 2 Run:

vlan vlan-id




batch { vlan-id1 [ to vlan-id2 ] } &<1-10> command to create VLANs in batches, and then runthe vlan vlan-id command to enter the view of a specified VLAN.

Step 3 Run:

ip-subnet-vlan [ ip-subnet-index ] ip ip-address { mask | mask-length }

[ priority priority ]

An IP subnet is associated with the VLAN.

l The optional parameter ip-subnet-index specifies the IP subnet index. The subnet index can

be specified by a user or automatically generated by the system.

l The parameter ip-address specifies the source IP address or network address based on which

a VLAN is configured. The value is in dotted decimal notation.

l The optional parameter priority specifies the 802.1p priority value related to the VLAN

configured based on the IP address or network address. The value ranges from 0 to 7. The

greater the value, the higher the priority. The default value is 0. After the 802.1p priority

value is specified, frames with high priorities are first forwarded when traffic is congested.

Step 4 Run:

quit



1. Run the interface interface-type interface-number command to enter the view of the portto be configured to allow frames with the specified VLAN ID to pass through.





61






to allow frames with the specified VLAN ID to pass through.


vlan precedence ip-subnet-vlan

IP subnet-based VLAN division is configured with a higher priority.

By default, MAC address-based VLAN division is set as the preference.

Step 7 Run:

ip-subnet-vlan enable

IP subnet-based VLAN division is enabled.

By default, IP subnet-based VLAN division is disabled.

----End

3.3.5 Dividing a LAN into VLANs Based on Protocols

IP subnet-based and protocol-based VLAN division are called network layer-based VLAN

division, which reduces manual VLAN configuration workload and allows users to easily join

a VLAN, transfer from one VLAN to another, and exit from a VLAN.

Context

VLANs configured based on protocols process only untagged frames. and treat tagged frames

in the same manner as VLANs configured based on ports.

After receiving an untagged frame, a port identifies the protocol template used by the frame to

determine the VLAN to which the frame belongs.

l If the port has been added to VLANs corresponding to some protocols, and the protocol

template adopted by the frame matches one of these protocols, the port adds the

corresponding VLAN ID to the frame.

l If the port has been added to VLANs corresponding to some protocols, but the protocol

template adopted by the frame does not match any one of these protocols, the port adds the

PVID to the frame.


1. Create VLANs.

2. Associate protocols with VLANs to determine mappings between protocols and VLANs.



(2) Configure a port to allow frames with the specified VLAN ID to pass through.

(3) Associate ports with VLANs.

After receiving a frame associated with a specified protocol, the system automaticallyassigns the VLAN ID associated with the protocol to the frame.





62



Procedure

Step 1 Run:

system-view


Step 2 Run:

vlan vlan-id






Step 3 Run:

protocol-vlan [ protocol-index ] { at | ipv4 | ipv6 | ipx { ethernetii | llc | raw

| snap } | mode { ethernetii-etype etype-id1 | llc dsap dsap-id ssap ssap-id | snap-

etype etype-id2 } }

A protocol is associated with a VLAN and the protocol template is specified.

l The optional parameter protocol-index specifies the protocol template index.

The protocol template is determined by the protocol type and encapsulation format. A

protocol VLAN can be defined by a protocol template.

l When configuring the source and destination service access points, note the following points:

– dsap-id and ssap-id cannot be both set to 0xaa.

–

dsap-id and ssap-id cannot be both set to 0xe0, which corresponds to the Logical Link Control (LLC) encapsulation format for IPX packets.

– dsap-id and ssap-id cannot be both set to 0xff, which corresponds to the RAW

encapsulation format for IPX packets.


1. Run the interface interface-type interface-number command to enter the view of the port

to be configured to allow frames with the specified VLAN ID to pass through.




to allow frames with the specified VLAN ID to pass through.

4. Run:

protocol-vlan vlan vlan-id { all | protocol-index1 [ to protocol-index2 ] }

[ priority priority ]

The port is associated with the VLAN.

l The parameter vlan-id specifies the ID of a VLAN configured based on a protocol.

l The optional parameter priority specifies the 802.1p priority value related to the

protocol. The value ranges from 0 to 7. The greater the value, the higher the priority.

The default value is 0. After the 802.1p priority value is specified, frames with high

priorities are first forwarded when traffic is congested.

----End





63



3.3.6 Dividing a LAN into VLANs Based on Policies

VLANs configured based on policies are also called policy VLANs. Policy VLANs allow

terminals to plug and play and data for different users to be separately transmitted.

Context

A LAN can be divided into VLANs based on MAC and IP addresses or based on MAC and IP

addresses and interfaces.

To divide a LAN into VLANs based on policies, configure MAC and IP addresses of terminals

on a switch and associate pairs of MAC addresses ,IP addresses and interfaces with VLANs.

Only users matching a policy can be added to a specified VLAN. If the IP or MAC addresses

of users added to a VLAN are changed, they will exit from the VLAN.

Policy VLANs process only untagged frames. and treat tagged frames in the same manner as

VLANs configured based on ports.

After receiving an untagged frame, the device finds a VLAN matching both MAC and IP

addresses of the frame, and transmits the frame in the VLAN.


1. Create VLANs.

2. Associate pairs of MAC and IP addresses with VLANs to divide a LAN into VLANs based

on both MAC and IP addresses.



(2) Configure a port to allow frames with specified MAC and IP addresses to pass through.

Procedure

Step 1 Run:

system-view


Step 2 Run:

vlan vlan-id






Step 3 Run:

policy-vlan mac-address mac-address ip ip-address [ interface interface-type

interface-number ] [ priority priority ]

Policy VLAN is configured.

If interface interface-type interface-number is not specified, the MAC and IP address policy

will be applied to all ports in the VLAN. If interface interface-type interface-number isspecified, the MAC and IP address policy will be applied to the specified port in the VLAN.





64



Before deleting a policy VLAN, run the undo policy-vlan command to disable the policy VLAN

function.

Step 4 Run:

quit



1. Run the interface interface-type interface-number command to enter the view of the port

to be configured with a policy VLAN.




to allow frames with specified MAC and IP addresses to pass through.

----End


After dividing a LAN into VLANs, you can view information about VLANs configured in

different modes. For example, which VLANs are classified based on ports or MAC addresses.

Prerequisite

The configurations of VLAN division are complete.

Procedure

l Run the display vlan [ vlan-id [ verbose ] ] command to check information about all

VLANs or a specified VLAN.

l Run the display mac-vlan { mac-address { all | mac-address [ mac-address-mask | mac-

address-mask-length ] } | vlan vlan-id } command to check information about VLANs

configured based on MAC addresses.

l Run the display ip-subnet-vlan vlan { all | vlan-id1 [ to vlan-id2 ] } command to check

information about VLANs configured based on IP subnets.

l Run the display protocol-vlan vlan { all | vlan-id1 [ to vlan-id2 ] } command to check

information about VLANs configured based on protocols.

l Run the display protocol-vlan interface { all | interface-type interface-number } command

to check information about VLANs configured based on protocols associated with ports.

l Run the display policy-vlan { all | vlan vlan-id } command to check information about

policy vlan.

----End

3.4 Creating a VLANIF Interface

VLANIF interfaces are Layer 3 logical interfaces. After creating VLANIF interfaces on Layer

2 devices, you can configure Layer 3 features on these interfaces.





65




Before creating a VLANIF interface, familiarize yourself with the applicable environment,




Layer 3 switching combines routing and switching techniques to implement routing on a switch,

thus improving the overall network performance. After sending the first data flow, a Layer 3

switch generates mappings between MAC addresses and IP addresses. To send the same data

flow, the switch directly sends the data flow at Layer 2 but not Layer 3 based on this mapping

table. In this manner, delays on the network caused by route selection are eliminated, thus

improving data forwarding efficiency. Layer 3 switches have both switching and routing

functions.

To allow that new data flows are correctly forwarded based on the routing table, be sure that the

routing table's routing entries are correct. Therefore, VLANIF interfaces and routing protocols

must be configured on Layer 3 switches for reachable Layer 3 routes.


Before creating a VLANIF interface, complete the following task:

l Creating a VLAN

Data Preparation

To create a VLANIF interface, you need to the following data.

No. Data

1 VLAN ID

2 IP address to be assigned to the VLANIF interface

3 (Optional) Delay after which the VLANIF interface goes Down

4 (Optional) MTU of the VLANIF interface

3.4.2 Creating a VLANIF Interface

Before configure Layer 3 features on a Layer 2 device, you must create a VLANIF interface on

the device.

Procedure

Step 1 Run:

system-view


Step 2 Run:





66



interface vlanif vlan-id

A VLANIF interface is created and the VLAIF interface view is displayed.

The VLAN ID specified in this command must be the ID of an existing VLAN.

NOTE

A VLANIF interface is Up only when at least one physical port added to the corresponding VLAN is Up.

----End

3.4.3 Assigning an IP Address to a VLANIF Interface

As a VLANIF interface is a Layer 3 logical interface, it can communicate with other interfaces

at the network layer only after being assigned an IP address.


system-view


Step 2 Run:


The VLANIF interface view is displayed.


Step 3 Run:

ip address ip-address { mask | mask-length } [ sub ]

An IP address is assigned to the VLANIF interface for communication at the network layer.

----End

3.4.4 (Optional) Setting a Delay After Which a VLANIF InterfaceGoes Down

Setting a delay after which a VLANIF interface goes Down prevents network flapping caused

by changes of VLANIF interface status. This function is also called VLAN damping.

Context

If a VLAN goes Down because all ports in the VLAN go Down, the system immediately reports

the VLAN Down event to the corresponding VLANIF interface, instructing the VLANIF

interface to go Down.

To prevent network flapping caused by changes of VLANIF interface status, enable VLAN

damping on the VLANIF interface. After the last Up port in a VLAN goes Down, the system

starts a delay timer and informs the corresponding VLANIF interface of the VLAN Down event

after the timer expires. If a port in the VLAN goes Up during the delay period, the VLANIFinterface remains Up.





67



Procedure

Step 1 Run:

system-view


Step 2 Run:




Step 3 Run:

damping time delay-time

The delay for VLAN damping is set.

The delay-time value ranges from 0 to 20, in seconds. By default, the value is 0 seconds,

indicating that VLAN damping is disabled.

----End

3.4.5 (Optional) Setting the MTU of a VLANIF Interface

Context

NOTE

lAfter changing the maximum transmission unit (MTU) by using the mtu command on a specifiedinterface, you need to restart the interface to make the new MTU take effect. To restart the interface,

run the shutdown command and then the undo shutdown command, or run the restart command in

the interface view.

l If you change the MTU of an interface, you need to change the MTU of the peer interface to the same

value by using the mtu command; otherwise, services may be interrupted.

l To ensure availability of Layer 3 functions, set the MTU value of the VLANIF interface to be smaller

than the maximum length of frames on the physical interface in the corresponding VLAN.

Procedure

Step 1 Run:

system-view


Step 2 Run:



Step 3 Run:

mtu mtu

The MTU of the VLANIF interface is set.

The MTU of a VLANIF interface ranges from 128 to 9216, in bytes. The default value is 1500.





68



NOTE

If the MTU is too small whereas the packet size is large, the packet is probably split into many fragments.

Therefore, the packet may be discarded due to the insufficient QoS queue length. To avoid this situation,

lengthen the QoS queue accordingly.

----End


After a VLANIF interface is configured for communication at the network layer, you can check

the IP address and status of a specified VLANIF interface.

Prerequisite

The configurations of a VLANIF interface are complete.

Procedurel Run the display interface vlanif [ vlan-id ] command to check the physical status, link

protocol status, description, and IP address of the VLANIF interface.

----End

3.5 Configuring Inter-VLAN Communication

Configuring inter-VLAN communication allows users in different VLANs to communicate with

each other. Currently, the S6700 supports several inter-VLAN communication schemes. Choose

one of them as required.


Before configuring inter-VLAN communication, familiarize yourself with the applicable

environment, complete the pre-configuration tasks, and obtain the data required for the

configuration. This will help you complete the configuration task quickly and accurately.


Currently, schemes listed in Table 3-6 are provided for inter-VLAN communication. You can

choose one of them based on the real world situation.





69



Table 3-6 Schemes for inter-VLAN communication

Inter-VLANCommunication Scheme


VLANIF

interface

After VLANIF

interfaces are

configured, users in

different VLANs and

network segments can

communicate with

each other as long as


Inter-VLAN

communication can

also be implemented by

Layer 3 switches if


This scheme boasts of

low operating costs.

If multiple users on a

network belong to

different VLANs, each

VLAN requires a

VLANIF interface.

Each VLANIF interface

needs to be assigned an

IP address. This

increases configuration

workload and uses a lot

of IP addresses.

This scheme is

applicable to small-

scale networks on

which users belong to

different network

segments and IP

addresses of these

users are seldom

changed.


Before configuring inter-VLAN communication, complete the following task:

l Creating VLANs

Data Preparation

To configure inter-VLAN communication, you need the following data.

No. Data

1 VLAN ID, VLANIF interface number, IP address and mask of the VLANIF

interface

3.5.2 Configuring VLANIF Interfaces for Inter-VLANCommunication

Configuring VLANIF interfaces for inter-VLAN communication saves expenditure and helps

implement fast forwarding.

Context

VLAIF interfaces are Layer 3 logical interfaces. After being assigned IP addresses, VLANIF

interfaces are able to communicate at the network layer.

By using VLANIF interfaces to implement inter-VLAN communication, you need to configurea VLANIF interface for each VLAN and assign an IP address to each VLANIF interface.





70



Figure 3-5 Networking diagram for configuring VLANIF interfaces for inter-VLAN

communication

Switch

VLAN2 VLAN3

VLANIF2 VLANIF3

NOTE

The default gateway address of each PC in a VLAN must be the IP address of the corresponding VLANIF

interface. Otherwise, inter-VLAN communication will fail.

Procedure

Step 1 Run:

system-view


Step 2 Run:




NOTE

A VLANIF interface is Up only when at least one physical port added to the corresponding VLAN is Up.

Step 3 Run:


An IP address is assigned to the VLANIF interface.

VLANIF interfaces must belong to different network segments.

----End





71




After inter-VLAN communication is configured, you can check whether users in different

VLANs can communicate with each other and check information about VLANs to which users

belong.

Prerequisite

The configurations of inter-VLAN communication are complete.

Procedure

l Run the ping [ ip ] [ -a source-ip-address | -c count | -d | -f | -h ttl-value | -i interface-

type interface-number | -m time | -n | -p pattern | -q | -r | -s packetsize | -system-time | -t

timeout | -tos tos-value | -v | -vpn-instance vpn-instance-name ] * host command to check

whether users in different VLANs can communicate with each other.

If the ping fails, you can run the following commands to locate the fault:

– Run the display vlan [ vlan-id [ verbose ] ] command to check information about all

VLANs or a specified VLAN.

– Run the display interface vlanif [ vlan-id ] command to check information about

VLANIF interfaces.

Before running this command, ensure that VLANIF interfaces have been configured.

----End

3.6 Configuring VLAN Aggregation to Save IP Addresses

VLAN aggregation prevents the waste of IP addresses and implements inter-VLAN

communication.


Before configuring VLAN aggregation, familiarize yourself with the applicable environment,




As networks expand, address resources become insufficient. VLAN aggregation is developed

to save IP addresses.

In VLAN aggregation, one super-VLAN is associated with multiple sub-VLANs. Physical ports

cannot join a super-VLAN but a VLANIF interface can be created for the super-VLAN and an

IP address can be assigned to the VLANIF interface. Physical ports can join a sub-VLAN but

no VLANIF interface can be created for the sub-VLAN. All the ports in the sub-VLAN use the

same IP address with the VLANIF interface of the super-VLAN. This saves subnet IDs, default

gateway addresses of the subnets, and directed broadcast addresses of the subnets. In addition,

different broadcast domains can use the addresses in the same subnet segment. As a result, subnet

differences are eliminated, addressing becomes flexible, and the number of idle addresses is

reduced. VLAN aggregation allows each sub-VLAN to function as a broadcast domain andreduces the waste of IP addresses to be assigned to ordinary VLANs.





72



Figure 3-6 shows the typical VLAN aggregation networking.

Figure 3-6 Typical networking diagram for VLAN aggregation

Super

VLAN4

PE

Sub-VLAN 2

CE1

Sub-VLAN 3

CE2


Before configuring VLAN aggregation, complete the following task:

l Connecting ports and configuring physical parameters of the ports, ensuring that the ports

are physically Up

Data Preparation

To configure VLAN aggregation, you need the following data.

No. Data

1 ID of each sub-VLAN and number of each port belonging to the sub-VLAN

2 ID of a super-VLAN

3 IP address and mask of a VLANIF interface

3.6.2 Creating a Sub-VLAN

Each sub-VLAN functions as a broadcast domain.





73



Procedure

Step 1 Run:

system-view


Step 2 Run:



Step 3 Run:

port link-type access

The link type of the interface is set to access.

Step 4 Run:

quit

Return to the system view.

Step 5 Run:

vlan vlan-id

A sub-VLAN is created and the sub-VLAN view is displayed.

Step 6 Run:

port interface-type { interface-number1 [ to interface-number2 ] } &<1-10>

A port is added to the sub-VLAN.

----End

3.6.3 Creating a Super-VLAN

A super-VLAN consists of several sub-VLANs. No physical port can be added to a super-VLAN,

but a VLANIF interface can be configured for the super-VLAN and an IP address can be assigned

to the VLANIF interface.

Context

NOTE

Before configuring a super-VLAN, ensure that sub-VLANs have been configured.

Procedure

Step 1 Run:

system-view


Step 2 Run:

vlan vlan-id

A VLAN is created, and the VLAN view is displayed.

The VLAN ID of a super-VLAN must be different from every sub-VLAN ID.





74



Step 3 Run:

aggregate-vlan

A super-VLAN is created.

A super-VLAN cannot contain any physical interfaces.

VLAN 1 cannot be configured as a super-VLAN.

Step 4 Run:

access-vlan { vlan-id1 [ to vlan-id2 ] } &<1-10>

A sub-VLAN is added to a super-VLAN.

Before adding sub-VLANs to a super-VLAN in batches, ensure that these sub-VLANs are not

configured with VLANIF interfaces.

----End

3.6.4 Assigning an IP Address to the VLANIF Interface of a Super-VLAN

The IP address of the VLANIF interface of a super-VLAN must contain the subnet segments

where users in sub-VLANs reside. All the sub-VLANs use the IP address of the VLANIF

interface of the super-VLAN, thus saving IP addresses.

Procedure

Step 1 Run:

system-view


Step 2 Run:


A VLANIF interface is created for a super-VLAN, and the view of the VLANIF interface is

displayed.

Step 3 Run:


An IP address is assigned to the VLANIF interface.

----End

3.6.5 (Optional) Enabling Proxy ARP on the VLANIF Interface of aSuper-VLAN

PCs in different sub-VLANs cannot directly communicate with each other. To allow these PCs

to communicate with each other at Layer 3, enable proxy ARP on the VLANIF interface of the

super-VLAN.

Context

VLAN aggregation allows sub-VLANs to use the same subnet address, but prevents PCs indifferent sub-VLANs from communicating with each other at the network layer.





75



PCs in ordinary VLANs can communicate with each other at the network layer by using different

gateway addresses. In VLAN aggregation, PCs in a super-VLAN use the same subnet address

and gateway address. As PCs in different sub-VLANs belong to one subnet, they communicate

with each other only at Layer 2, not Layer 3. These PCs are isolated from each other at Layer

2. Consequently, PCs in different sub-VLANs cannot communicate with each other.

Proxy ARP is required to enable PCs in a sub-VLAN to communicate with PCs in another sub-

VLAN or PCs on other networks. After a super-VLAN and its VLANIF interface are created,

proxy ARP must be enabled to allow the super-VLAN to forward or process ARP request and

reply packets. Proxy ARP helps PCs in sub-VLANs communicate with each other at the network

layer.

NOTE

An IP address must have been assigned to the VLANIF interface corresponding to the super-VLAN.

Otherwise, proxy ARP cannot take effect.

VLAN aggregation simplifies configurations for the network where many VLANs are

configured and PCs in different VLANs need to communicate with each other.

Procedure

Step 1 Run:

system-view


Step 2 Run:


The view of the VLANIF interface of the super-VLAN is displayed.

Step 3 Run:

arp-proxy inter-sub-vlan-proxy enable

Inter-sub-VLAN proxy ARP is enabled.

----End


After VLAN aggregation is configured, you can view VLAN types and information about

VLANIF interfaces, such as the physical status, link protocol status, IP address, and mask.

Prerequisite

The VLAN aggregation configurations are complete.

Procedure

l Run the display vlan [ vlan-id [ verbose ] ] command to check VLAN information.

l Run the display interface vlanif [vlan-id ] command to check information about a specific

VLANIF interface.

----End





76



3.7 Configuring a MUX VLAN to Separate Layer 2 Traffic

Configuring a MUX VLAN allows users in different VLANs to communicate with each other,

and separates users in a certain VLAN.


Before configuring a MUX VLAN, familiarize yourself with the applicable environment,




In an enterprise network, all employees of the enterpr ise can access the enterprise's server. It is

required that some employees be able to communicate with each other, whereas some employeesnot communicate with each other.

Configuring a MUX VLAN on the switch connected to PCs helps to save VLAN ID resources,

reduce the configuration workload of the network administrator, and facilitate network

maintenance.

Figure 3-7 Networking diagram for a MUX VLAN

Enterpriseserver

Switch

Group PORT Separate PORT

Principal PORT

Enterprise

employee1

Enterprise

employee2

In the MUX VLAN shown in Figure 3-7, the principal port connects the switch to the enterprise's

server; separate ports connect the switch to employees that do not communicate with each other;

group ports connect the switch to employees that need to communicate with each other. A MUX

VLAN consists of VLANs in different types listed in Table 3-7.





77



Table 3-7 Components of a MUX VLAN

MUXVLAN

VLANType

Port Type Communication Rights

PrincipalVLAN

- Principal port A principal port can communicate with every port in the MUX VLAN.

Subordinate

VLAN

Separate

VLAN

Separate port A separate port can only communicate with

principal ports.

Each separate VLAN must be associated with

a principal VLAN.

Group

VLAN

Group port A group port can communicate with both

principal ports and other group ports in the

same group VLAN but cannot communicate

with group ports in other group VLANs or

separate ports.Each group VLAN must be associated with a

principal VLAN.


Before configuring a MUX VLAN, complete the following task:

l Creating VLANs

Data Preparation

To configure a MUX VLAN, you need the following data.

No. Data

1 ID of each principal VLAN and number of each port belonging to the principal VLAN

2 ID of each group VLAN and number of each port belonging to the group VLAN

3 ID of each separate VLAN and number of each port belonging to the separate VLAN

3.7.2 Configuring a Principal VLAN for a MUX VLAN

Ports added to a principal VLAN can communicate with every port in the MUX VLAN.

Procedure

Step 1 Run:

system-view


Step 2 Run:





78



vlan vlan-id






Step 3 Run:

mux-vlan

The VLAN is configured as a principal VLAN.

The VLAN ID assigned to a principal VLAN can no longer be used to configure any VLANIF

interface, super-VLAN, or sub-VLAN.

----End

3.7.3 Configuring a Group VLAN for a Subordinate VLANA VLAN associated with a group port is called a group VLAN. Group ports in a group VLAN

can communicate with each other.

Context

In a MUX VLAN, group VLANs cannot share the same VLAN ID with a separate VLAN.

Do as follows on a switching device that requires a group VLAN:

Procedure

Step 1 Run:

system-view


Step 2 Run:

vlan vlan-id

The view of a created principal VLAN is displayed.

Step 3 Run:

subordinate group vlan-id1 [ to vlan-id2 ]

A group VLAN is configured for the subordinate VLAN.

In this command, vlan-id1 and vlan-id2 specify a range of VLAN IDs. The value is an integer

ranging from 1 to 4094. The value of vlan-id2 must be greater than the value of vlan-id1.

The VLAN ID assigned to a group VLAN can be assigned to no other VLANIF interface, super-

VLAN, or sub-VLAN.

----End

3.7.4 Configuring a Separate VLAN for a Subordinate VLAN

A VLAN associated with separate ports is called a separate VLAN. Ports in a separate VLANcannot communicate with each other.





79



Context

Group VLANs and separate VLANs in one MUX VLAN cannot use the same VLAN ID.

Do as follows on a switching device that requires a separate VLAN:

Procedure

Step 1 Run:

system-view


Step 2 Run:

vlan vlan-id

The view of a created principal VLAN is displayed.

Step 3 Run:

subordinate separate vlan-id

A separate VLAN is configured for a subordinate VLAN.

Group VLANs and separate VLANs in one MUX VLAN cannot use the same VLAN ID.

----End

3.7.5 Enabling the MUX VLAN Function on a Port

After the MUX VLAN function is enabled on a port, the principal VLAN and subordinate VLANcan communicate with each other; ports in a group VLAN can communicate with each other;

ports in a separate VLAN cannot communicate with each other.

Context

Before the MUX VLAN function is enabled on a port, ensure that:

l The port has been added to only one ordinary VLAN. If the port has been added to multiple

VLANs, the MUX VLAN function cannot be enabled on this port.

l The port has been added to a principal or subordinate VLAN.

Do as follows on the switching device on which a port needs to be enabled with the MUX VLANfunction:

Procedure

Step 1 Run:

system-view


Step 2 Run:


The view of an Ethernet port connecting users is displayed.





80



Step 3 Run:

port mux-vlan enable

The MUX VLAN function is enabled.

The interface has been added only to a principal VLAN or a subordinate VLAN.After being enabled with the MUX VLAN function, the port can no longer be configured with

VLAN mapping or VLAN stacking.

NOTE

l Disabling MAC address learning or limiting the number of learned MAC addresses on an interface

affects the MUX VLAN function on the interface.

l The MUX VLAN and port security functions cannot be enabled on the same interface.

l The MUX VLAN and MAC address authentication cannot be enabled on the same interface.

l The MUX VLAN and 802.1x authentication cannot be enabled on the same interface.

----End


After a MUX VLAN is configured, you can check the principal VLAN ID, subordinate VLAN

ID, and VLAN type.

Prerequisite

The configurations of a MUX VLAN are complete.

Procedure

Step 1 Run the display mux-vlan command to check information about the MUX VLAN.

----End

3.8 Configuring a Voice VLAN to Transmit Voice DataA voice VLAN is used to transmit voice data.


Before configuring a voice VLAN, familiarize yourself with the applicable environment,complete the pre-configuration tasks, and obtain the data required for the configuration. This



Voice and non-voice data are transmitted on networks. Voice data is configured with a higher

priority than non-voice data to reduce the probability of the transmission delay and packet loss.

In most cases, an Access Control List (ACL) is configured to distinguish voice data from non-

voice data, and the Quality of Service (QoS) is used to ensure the transmission quality of voice

data.

Voice over IP (VoIP) phones are commonly used. If an ACL is configured to distinguish voicedata from non-voice data, and QoS is used to ensure the transmission quality of voice data, each





81



terminal needs to be configured with an ACL rule. This increases the network administrator's

workload and burdens maintenance.

The voice VLAN technique is introduced to solve the preceding problem.

After being enabled with the voice VLAN function, a device determines voice data based onsource MAC addresses of received frames, adds ports that receive voice data to a voice VLAN,

and automatically applies priority rules to ensure high priorities and good qualities of voice data.

This simplifies user configuration and facilitates management on voice data.

On the network shown in Figure 3-8, a user's High Speed Internet (HSI), VoIP, and Internet

Protocol Television (IPTV) services are connected to a switch. A voice VLAN can be configured

on the switch to implement QoS for voice data, prioritize voice data, and ensure the

communication quality.

Figure 3-8 Networking diagram for configuring a voice VLAN

Network

Server

HSI VoIP IPTV HSI VoIP IPTV

Switch

LAN Switch2

Voice flow

Voice VLAN

VLAN 10

LAN Switch1


Before configuring a voice VLAN, complete the following task:

l Creating VLANs

Data Preparation

To configure a voice VLAN, you need the following data.





82



No. Data

1 The Organizationally Unique Identifier (OUI) address and mask of the voice VLAN

2 (Optional) Aging timer value of the voice VLAN

3 (Optional) 802.1p priority and DSCP value for the voice VLAN

4 Type and number of the port enabled with the voice VLAN function

5 Mode in which the port is added to the voice VLAN

6 (Optional) Security mode of the voice VLAN

3.8.2 Enabling the Voice VLAN Function

After being enabled with the voice VLAN function, a device is able to identify voice data based

on source MAC addresses of received frames.

Procedure

Step 1 Run:

system-view


Step 2 Run:


The view of a port connecting the device to users' voice devices is displayed.

Step 3 Run:

voice-vlan vlan-id enable

A voice VLAN is configured and the voice VLAN function is enabled on the port.

By default, the voice VLAN function is disabled on ports.

NOTE

l VLAN 1 cannot be configured as a voice VLAN.

l The voice VLAN and default VLAN on a port must be assigned different VLAN IDs to ensure that

every function works properly.

l Only one VLAN on a port can be configured as a voice VLAN at a time.

l If the voice VLAN configured on an interface works in automatic mode, you need to run the port link-

type command to set the interface type to trunk, or hybrid.

l Before deleting a voice VLAN, run the undo voice-vlan enable command to disable the voice VLAN

function.

l The port enabled with the voice VLAN function cannot be configured with VLAN mapping, VLAN

stacking, or traffic policies.

----End





83



3.8.3 Configuring an OUI for a Voice VLAN

A voice VLAN-enabled port checks source MAC addresses of received frames. If the source

MAC addresses match OUIs, the frames are considered voice data.

Context

An OUI is a globally-unique identifier assigned by the Institute of Electrical and Electronics

Engineers (IEEE) to a specific equipment vendor. An OUI represents the first 24 bits of a binary

MAC address.

An OUI represents a MAC address segment that is obtained by performing the AND operation

between a 48-bit MAC address and a mask. For example, the MAC address is 1-1-1, and the

mask is FFFF-FF00-0000. The AND operation is performed between the MAC address and the

mask to obtain the OUI 0001-0000-0000. If the first 24 bits of the MAC address of a device are

the same as an OUI, a voice VLAN-enabled port considers the device as a voice device and data

from the device as voice data.

Procedure

Step 1 Run:

system-view


Step 2 Run:

voice-vlan mac-address mac-address mask oui-mask [ description text ]

An OUI is configured.

l The mac-address value cannot be all 0s or a multicast or broadcast address.

l A device can be configured with a maximum of 16 OUIs. When the device is configured

with 16 OUIs, subsequent configurations will not take effect.

l When using the undo voice-vlan mac-address command to delete an OUI, specify the mac-

address value in this command as the result of the AND operation by using the configured

MAC address and mask.

NOTE

When the source MAC address of a packet matches the OUI, the S6700 changes the priority of the packet

basing on the configuration of 3.8.5 (Optional) Configuring an 802.1p Priority and a DSCP Value for

the Voice VLAN to improve the transmission quality.

----End

3.8.4 (Optional) Setting an Aging Timer for a Voice VLAN

In automatic mode, a voice VLAN-enabled port learns source MAC addresses of frames from

voice devices, adds ports connecting the device to voice devices to a voice VLAN, and uses the

voice VLAN aging timer to control the number of ports in the voice VLAN.

Context

The aging timer of a voice VLAN is effective only when ports are automatically added to thevoice VLAN.





84



If a voice VLAN-enabled port does not receive voice data from a voice device before the aging

timer expires, the port will be automatically deleted from the voice VLAN. If the port receives

voice data from the voice device again, the port will be automatically added to the voice VLAN.

Procedure

Step 1 Run:

system-view


Step 2 Run:

voice-vlan aging-time minutes

The aging timer is set for a voice VLAN.

The aging timer value ranges from 5 to 43200, in minutes. The default value is 1440 minutes.

----End

3.8.5 (Optional) Configuring an 802.1p Priority and a DSCP Valuefor the Voice VLAN

Different 802.1p priorities and DiffServ Code Point (DSCP) values can be configured for

different voice VLANs, which makes voice service deployment more flexible.

Context

By default, the 802.1p priority and DSCP value for each voice VLAN are 6 and 46 respectively.Manual configuration of the 802.1p priority and DSCP value will allow you to plan priorities

for different voice services at will.

NOTE

l The 802.1p priority is indicated by the value in the 3-bit PRI field in each 802.1Q VLAN frame. This

field determines the transmission priority for data packets when a switching device is congested.

l The DSCP value is indicated by the 6 bits in the Type of Service (ToS) field in the IPv4 packet header.

DSCP, as the signaling for DiffServ, is used for QoS guarantee on IP networks. The traffic controller

on the network gateway takes actions merely based on the information carried by the 6 bits.


system-view


Step 2 Run:

voice-vlan remark { 8021p 8021p-value | dscp dscp-value } *

An 802.1p priority and a DSCP value are configured for a voice VLAN.

By default, the 802.1p priority and DSCP value for a voice VLAN are 6 and 46 respectively.

----End





85



3.8.6 (Optional) Configuring the Mode in Which Ports Are Addedto a Voice VLAN

On a switching device, only one VLAN on a port can be configured as a voice VLAN. Ports can

be added to the voice VLAN in either automatic or manual mode.

Context

Ports can be added to a voice VLAN in either of the following modes:

l Automatic mode

A voice VLAN-enabled port learns source MAC addresses of frames from voice devices,

adds ports connecting the device to voice devices to a voice VLAN, and uses the voice

VLAN aging timer to control the number of ports in the voice VLAN. If a voice VLAN-

enabled port does not receive voice data from a voice device before the aging timer expires,

the port will be automatically deleted from the voice VLAN. If the port receives voice datafrom the voice device again, the port will be automatically added to the voice VLAN.

l Manual mode

After the voice VLAN function is enabled, ports connected to voice devices must be

manually added to a voice VLAN. Otherwise, the voice VLAN function does not take

effect.

Procedure

Step 1 Run:

system-view


Step 2 Run:


The view of a port connecting the device to users' voice devices is displayed.

Step 3 Run:

voice-vlan mode { auto | manual }

The mode in which ports are added to a voice VLAN is configured.

By default, ports are automatically added to a voice VLAN.

l If the auto parameter is configured, ports will be automatically added to a voice VLAN.

l If the manual parameter is configured, ports will be manually added to a voice VLAN.

– If trunk ports are connected to voice devices, run the port trunk allow-pass vlan

{ { vlan-id1 [ to vlan-id2 ] } &<1-10> | all } command to manually add these ports to a

voice VLAN.

– If hybrid ports are connected to voice devices, do as follows as required:

– Run the port hybrid untagged vlan { { vlan-id1 [ to vlan-id2 ] } &<1-10> | all }

command to manually add these ports to a voice VLAN in untagged mode.

–

Run the port hybrid tagged vlan { { vlan-id1 [ to vlan-id2 ] } &<1-10> | all }command to manually add these ports to a voice VLAN in tagged mode.





86



NOTE

In Access ports cannot be automatically added to a voice VLAN. To add a port of the access type to the

voice VLAN, run the port link-type command to change the port type to trunk or hybrid.

----End

3.8.7 (Optional) Configuring the Working Mode for a Voice VLAN

A voice VLAN works in either security or ordinary mode to transmit merely voice data or both

voice and non-voice data.

Context

Based on the data filtering mechanism, a voice VLAN works in either security or ordinary mode:

l Security mode

A voice VLAN-enabled inbound port transmits only frames of which the source MAC

addresses match OUIs configured on the device, discards the voice data not belong to the

current voice VLAN and the other data can be forwarded normally.

The security mode prevents a voice VLAN from being attacked by malicious data flows,

but consumes system resources to check frames.

l Ordinary mode

A voice VLAN-enabled inbound port transmits both voice and non-voice data. The port

does not compare source MAC addresses in received frames with configured OUIs,

exposing a voice VLAN to malicious attacks.

NOTE

Transmitting voice and service data at the same time in a voice VLAN is not recommended. If a voice

VLAN must transmit both voice and service data, ensure that the voice VLAN works in ordinary mode.

Table 3-8 shows how to process frames in different voice VLAN working modes.

Table 3-8 Frame processing in different voice VLAN working modes

Voice VLAN Working Mode

Frame Processing Mode

Security mode If the source MAC address of a frame and the OUI do not match,

the priority of the frame is not changed and the frame is prohibited

from forwarding in the voice VLAN.

Ordinary mode If the source MAC address of a frame and the OUI do not match,

the priority of the frame is not changed and the frame is allowed to

be forwarded in the voice VLAN.

Procedure

l Security mode

1. Run the system-view command to enter the system view.

2. Run the interface interface-type interface-number command to enter the view of a port connecting the device to users' voice devices.





87





Prerequisite

The configurations of a voice VLAN are complete.

Procedurel Run the display voice-vlan [ vlan-id ] status command to check information about the

voice VLAN, including the working mode, security mode, aging timer value and the 802.1p

priority and DSCP value as well as the configuration of the port enabled with the voice

VLAN function.

l Run the display voice-vlan oui command to check information about the OUI of the voice

VLAN, including the mask and description of the OUI.

----End

3.9 Configuring an mVLAN to Implement IntegratedManagement

Configuring an mVLAN allows users to use the IP address of the VLANIF interface

corresponding to the mVLAN to log in to a management switch to manage devices attached to

the switch.


Before configuring an mVLAN to implement integrated management, familiarize yourself with

the applicable environment, complete the pre-configuration tasks, and obtain the data required

for the configuration. This will help you complete the configuration task quickly and accurately.


An mVLAN can be configured to help a user use an NMS to manage indirectly-connected

devices.

After an mVLAN is configured, a user can use the IP address of the VLANIF interface

corresponding to the mVLAN to telnet to a management switch and manage devices attached

to the switch.


Before configuring an mVLAN, complete the following task:

l Creating a VLAN

Data Preparation

To configure an mVLAN, you need the following data.

No. Data

1 VLAN ID





89



3.9.2 Configuring an mVLAN

An mVLAN allows a user to use the IP address of the VLANIF interface corresponding to the

mVLAN to telnet to a management switch to manage devices attached to the switch.

Do as follows on the device that requires an mVLAN:

Procedure

Step 1 Run:

system-view


Step 2 Run:

vlan vlan-id

The VLAN view is displayed.

Step 3 Run:

management-vlan

An mVLAN is configured.

An mVLAN cannot be configured as a multicast VLAN, control VLAN of RRPP, or control

VLAN of SEP.

Only a trunk or hybrid port can be added to an mVLAN.

After the undo management-vlan command is used for an mVLAN, the mVLAN becomes an

ordinary VLAN, to which access, trunk, or hybrid ports can be added.

----End

3.9.3 Configuring a VLANIF Interface for an mVLAN

You need to use the IP address of the VLANIF interface corresponding to an mVLAN to telnet

to a management switch to manage attached devices.

Do as follows on the device that requires an mVLAN:

Procedure

Step 1 Run:

system-view


Step 2 Run:



The ID of the VLANIF interface must be the ID of a configured mVLAN.

Step 3 Run:ip address ip-address { mask | mask-length } [ sub ]





90



After assigning an IP address to the VLANIF interface, you can run the telnet command to log

in to a management switch to manage attached devices.

----End


After an mVLAN is configured, you can check information about the mVLAN.

Prerequisite

The configurations of an mVLAN are complete.

Procedure

l Run the display vlan command to check information about the mVLAN. The command

output shows information about the mVLAN in the line started with an asterisk sign (*).

----End

3.10 Maintaining VLAN

A command of clearing statistics helps to locate the faults in a VLAN.

3.10.1 Clearing the Statistics of VLAN Packets

Before collecting traffic statistics in a specified time period on an interface, you need to reset

the original statistics on the interface.

Context

CAUTION

Statistics about VLAN packets cannot be restored after you clear it. So, confirm the action before

you use the command.

To clear the Statistics of VLAN Packets, run the following reset command in the user view:

Procedure

l Run the reset vlan vlan-id statistics command to clear packets of a specified VLAN

statistics.

----End


This section provides several examples of VLAN configuration.





91



3.11.1 Example for Configuring Interface-based VLANs

It is easy to divide a LAN into VLANs based on ports. After ports are added to different VLANs,

users in the same VLAN can directly communicate with each other, whereas users in different

VLANs cannot directly communicate with each other.


An enterprise has multiple departments. It is required that departments in charge of the same

service can communicate with each other, and departments in charge of different services cannot

communicate with each other.

It is required that on the network shown in Figure 3-9, the requirements are as follows:

l Department 1 and Department 2 are isolated from Department 3 and Department 4.

l Department 1 and Department 2 can communicate with each other.

l Department 3 and Department 4 can communicate with each other.

Figure 3-9 Networking diagram for configuring interface-based VLANs

XGE0/0/1

XGE0/0/2 XGE0/0/3

XGE0/0/4

Group 2

VLAN 3

Switch

VLAN 3

Network

VLAN 2Department 3Department 2 Department 4Department 1



1. Create VLANs and determine mappings between employees and VLANs.

2. Configure port types to determine the device connected to each port.





92



3. Add the ports connected to department 1 and department 2 to VLAN 2 and the ports

connected to department 3 and department 4 to VLAN 3 to prevent employees in department

1 or department 2 from communicating with employees in department 3 or department 4.

Data Preparation


l XGE 0/0/1 and XGE 0/0/2 belong to VLAN 2.


Procedure

Step 1 Configure the Switch.

# Create VLAN 2.


[Quidway] vlan 2

[Quidway-vlan2] quit

# Set the link type of XGE 0/0/1 to trunk and add XGE 0/0/1 to VLAN 2.


[Quidway-XGigabitEthernet0/0/1] port link-type trunk

[Quidway-XGigabitEthernet0/0/1] port trunk allow-pass vlan 2



[Quidway]interface xgigabitethernet 0/0/2




# Create VLAN 3.

[Quidway] vlan 3













Ping any host in VLAN 3 from a host in VLAN 2. The ping operation fails. This indicates that

Department 1 and Department 2 are isolated from Department 3 and Department 4.

Ping any host in Department 2 from a host in Department 1. The ping operation is successful.This indicates that Department 1 and Department 2 can communicate with each other.





93



Ping any host in Department 4 from a host in Department 3. The ping operation is successful.

This indicates that Department 3 and Department 4 can communicate with each other.

----End

Configuration Files

The following lists the configuration file of the Switch.

#

sysname Quidway

#

vlan batch 2 to 3

#



port trunk allow-pass vlan 2

#




#




#




#

return

3.11.2 Example for Configuring MAC Address-based VLAN

AssignmentMAC address-based VLAN assignment is applicable only to simple networks where network

adapters are not changed frequently.


On an enterprise network, the network administrator adds PCs of employees in a department to

the same VLAN. To improve information security, only employees is this department are

allowed to access the intranet.

As shown in Figure 3-10, only PC1, PC2, and PC3 are allowed to access the intranet through

SwitchA and Switch.





94



Figure 3-10 Network diagram of MAC address-based VLAN assignment

PC1 PC2 PC3

Switch

SwitchA

Network

XGE0/0/1

XGE0/0/1

XGE0/0/2

MAC:22-22-22MAC:33-33-33 MAC:44-44-44

VLAN 10



1. Create VLANs and determine the VLAN that PCs of employees belong to.

2. Add Ethernet interfaces to VLANs.

3. Associate MAC addresses of PC1, PC2, and PC3 with the specified VLAN so that the

Switch can assign the VLAN to packets according to their source MAC addresses.

Data Preparation


l The PVID of XGE0/0/1 on the Switch is 100.

l XGE0/0/1 of the Switch needs to be added to VLAN 10 in untagged mode.

l XGE0/0/2 of the Switch needs to be added to VLAN 10 in tagged mode.

l All the interfaces on SwitchA need to be added to VLAN 1 in untagged mode.

l MAC addresses of PC1, PC2, and PC3 need to be associated with VLAN 10.

Procedure


# Create VLANs.





95




[Quidway] vlan batch 10 100

# Set the PVID of interfaces and add interfaces to the VLANs.


[Quidway-XGigabitEthernet0/0/1] port hybrid pvid vlan 100[Quidway-XGigabitEthernet0/0/1] port hybrid untagged vlan 10



[Quidway-XGigabitEthernet0/0/2] port hybrid tagged vlan 10


# Associate MAC addresses of PC1, PC2, and PC3 with VLAN 10.

[Quidway] vlan 10

[Quidway-Vlan10] mac-vlan mac-address 22-22-22



[Quidway-Vlan10] quit

# Enable MAC address-based VLAN assignment on XGE0/0/1.


[Quidway-XGigabitEthernet0/0/1] mac-vlan enable



PC1, PC2, and PC3 can access the intranet, whereas PCs of non-employees cannot access the

intranet.

----End

Configuration FilesConfiguration file of the Switch

#

sysname Quidway

#

vlan batch 10 100

#

vlan 10

mac-vlan mac-address 0022-0022-0022



#


port hybrid pvid vlan 100

port hybrid untagged vlan 10

mac-vlan enable

#


port hybrid tagged vlan 10

#

return

3.11.3 Example for Configuring IP Subnet-based VLANAssignment

After a LAN is divided into VLANs based on IP subnets, frames from a certain network segment

or IP address are transmitted in a specified VLAN. This reduces the configuration workload of network administrators and facilitates management.





96




A company has multiple services including the IPTV, VoIP, and Internet access services. Each

service uses a unique IP address. Packets of the same service must be transmitted in the same

VLAN and packets of different services must be transmitted in different VLANs.

On the network shown in Figure 3-11, a switch receives Internet, IPTV, and voice services from

users of which IP addresses are diverse. It is required that different types of services be

transmitted in separate VLANs. This allows each type of services to be sent to a remote dedicated

server.

Figure 3-11 Networking diagram of IP subnet-based VLAN assignment

Internet

IPTV

server Voice

Network

192.168.1.2

192.168.2.2

192.168.3.2

XGE0/0/1

XGE0/0/3

XGE0/0/2

Switch

RouterA

XGE0/0/4

RouterB

RouterC



1. Create VLANs and determine mappings between services and VLANs.

2. Associate IP subnets with VLANs.

The switch determines the VLAN mapped to a frame based on the source IP address carried

in the frame. New nodes can be deployed on the network without too much configuration.

The switch is able to add each new node to a corresponding VLAN based on the network

address of the node.

3. Configure a port to allow frames with specified VLAN IDs to pass through.

4. Configure the highest priority for IP subnet-based VLAN assignment.

5. Enable IP subnet-based VLAN assignment.





97



Data Preparation


l VLANs to which XGE 0/0/1 needs to be added in untagged mode: VLAN 100, VLAN 200,

and VLAN 300

l VLANs to which XGE 0/0/2, XGE 0/0/3, and XGE 0/0/4 need to be added in tagged mode

respectively: VLAN 100, VLAN 200, and VLAN 300

l Configuration data for IP subnet-based VLAN assignment, as shown in Table 3-9

Table 3-9 Configuration data for IP subnet-based VLAN assignment

VLAN ID IP SubnetIndex

Source IPAddress

Subnet Mask 802.1p Priority

100 1 192.168.1.2 255.255.255.0 2

200 1 192.168.2.2 255.255.255.0 3

300 1 192.168.3.2 255.255.255.0 4

Procedure

Step 1 Create VLANs.

# Create VLAN 100, VLAN 200, and VLAN 300 on the Switch.


[Quidway] vlan batch 100 200 300

Step 2 Configure interfaces.

# Set the link type of XGE 0/0/1 to hybrid and add it to VLAN 100, VLAN 200, and VLAN

300.


[Quidway-XGigabitEthernet0/0/1] port link-type hybrid

[Quidway-XGigabitEthernet0/0/1] port hybrid untagged vlan 100 200 300


# Add XGE 0/0/2 of the Switch to VLAN 100.


[Quidway-XGigabitEthernet0/0/2] port link-type trunk[Quidway-XGigabitEthernet0/0/2] port trunk allow-pass vlan 100










[Quidway-XGigabitEthernet0/0/4] port trunk allow-pass vlan 300[Quidway-XGigabitEthernet0/0/4] quit





98



# Enable the IP subnet-based VLAN function on XGE 0/0/1.


[Quidway-XGigabitEthernet0/0/1] ip-subnet-vlan enable


Step 3 Configure IP subnet-based VLAN assignment.

# Associate 192.168.1.2 to VLAN 100 and set the 802.1p priority of VLAN 100 to 2.

[Quidway] vlan 100

[Quidway-vlan100] ip-subnet-vlan 1 ip 192.168.1.2 24 priority 2


# Associate 192.168.2.2 to VLAN 200 and set the 802.1p priority of VLAN 200 to 3.

[Quidway] vlan 200



# Associate IP subnet 192.168.3.2 to VLAN 100 and set the 802.1p priority of VLAN 300 to 4.

[Quidway] vlan 300




Run the display ip-subnet-vlan vlan all command on the Switch. The following information

is displayed:

[Quidway] display ip-subnet-vlan vlan all

----------------------------------------------------------------

Vlan Index IpAddress SubnetMask Priority

----------------------------------------------------------------

100 1 192.168.1.2 255.255.255.0 2

200 1 192.168.2.2 255.255.255.0 3

300 1 192.168.3.2 255.255.255.0 4

----------------------------------------------------------------

ip-subnet-vlan count: 3 total count: 3

----End

Configuration Files

l Configuration file of the Switch

#

sysname Quidway

#

vlan batch 100 200 300

#

vlan 100

ip-subnet-vlan 1 ip 192.168.1.2 255.255.255.0 priority 2

#

vlan 200


#

vlan 300


#


port hybrid untagged vlan 100 200 300

ip-subnet-vlan enable

#



port trunk allow-pass vlan 100#





99






#



port trunk allow-pass vlan 300#

return

3.11.4 Example for Configuring Protocol-based VLAN Assignment

Protocol-based VLAN assignment reduces manual configuration workload and allows users to

easily join a VLAN, transfer from one VLAN to another, and exit from a VLAN.


A company has multiple services including the IPTV, VoIP, and Internet access services. Each

service uses a unique protocol. It is required that services of the same type be transmitted in aVLAN and services of different types be transmitted in separate VLANs to facilitate

management and reduce manual VLAN configuration workload.

As shown in Figure 3-12, the Switch receives packets of multiple services that use different

protocols. Users in VLAN 10 use IPv4 to communicate with remote users, and users in VLAN

20 use IPv6 to communicate with the servers. The Switch needs to assign VLANs to packets of

different services and transmit packets with different VLAN IDs to different servers.

Figure 3-12 Network diagram of protocol-based VLAN assignment

InternetVoice

Network

XGE0/0/1

XGE0/0/3XGE0/0/2

Switch

RouterA

IPv6IPv4

RouterB

VLAN10 VLAN20





100





1. Create VLANs and determine mappings between services and VLANs.

2. Associate protocols with VLANs.

The Switch assigns a VLAN ID to a frame based on the protocol or protocol suite to which

the frame belongs. As long as the protocols of user devices keep unchanged, users do not

need to be added to new VLANs regardless of whether their locations change, whether

network cards of PCs are changed, or whether users locate in the same network segment.

3. Configure a port to allow frames with specified VLAN IDs to pass through.

4. Associate ports with VLANs.

After receiving a frame associated with a specified protocol, the system automatically

assigns the VLAN ID associated with the protocol to the frame.

Data Preparation


l VLANs to which XGE0/0/1 of the Switch needs to be added in untagged mode: VLAN 10

and VLAN 20

l VLANs to which XGE0/0/2 and XGE0/0/3 of the Switch need to be added in tagged mode:

VLAN 10 and VLAN 20

l Protocol associated with each VLAN

– VLAN 10: IPv4

– VLAN 20: IPv6

Procedure


# Configure the Switch.


[Quidway] sysname Switch

[Switch] vlan batch 10 20

Step 2 Configure protocol-based VLANs.

# Associate IPv4 with VLAN 10.

[Switch] vlan 10

[Switch-vlan10] protocol-vlan ipv4

[Switch-vlan10] quit

# Associate IPv6 with VLAN 20.

[Switch] vlan 20

[Switch-vlan20] protocol-vlan ipv6

[Switch-vlan20] quit

Step 3 Associate interfaces with protocol-based VLANs.

# Associate XGE0/0/1 with VLAN 10 and set the 802.1p priority of VLAN 10 to 5.

[Switch] interface xgigabitethernet 0/0/1[Switch-XGigabitEthernet0/0/1] protocol-vlan vlan 10 all priority 5





101



# Associate XGE0/0/1 with VLAN 20 and set the 802.1p priority of VLAN 20 to 6.

[Switch-XGigabitEthernet0/0/1] protocol-vlan vlan 20 all priority 6


Step 4 Configure interfaces.

# Add XGE0/0/1 to VLAN 10 and VLAN 20 so that XGE0/0/1 allows packets of VLAN 10 and

VLAN 20 to pass through.


[Switch-XGigabitEthernet0/0/1] port link-type hybrid

[Switch-XGigabitEthernet0/0/1] port hybrid untagged vlan 10 20


# Add XGE0/0/2 to VLAN 10 so that XGE0/0/2 allows packets of VLAN 10 to pass through.


[Switch-XGigabitEthernet0/0/2] port link-type trunk

[Switch-XGigabitEthernet0/0/2] port trunk allow-pass vlan 10


# Add XGE0/0/3 to VLAN 20 so that XGE0/0/3 allows packets of VLAN 20 to pass through.


[Switch-XGigabitEthernet0/0/3] port link-type trunk

[Switch-XGigabitEthernet0/0/3] port trunk allow-pass vlan 20



After completing the configuration, run the display protocol-vlan interface all command, and

you can view the configuration of protocol-based VLANs on XGE0/0/1. For example:

<Switch> display protocol-vlan interface all

-------------------------------------------------------------------------------

Interface VLAN Index Protocol Type Priority-------------------------------------------------------------------------------

XGigabitEthernet0/0/1 10 0 ipv4 5

XGigabitEthernet0/0/1 20 0 ipv6 6

----End

Configuration Files


#

sysname Switch

#

vlan batch 10 20

#

vlan 10

protocol-vlan 0 ipv4

vlan 20

protocol-vlan 0 ipv6

#


port hybrid untagged vlan 10 20

protocol-vlan vlan 10 0 priority 5

protocol-vlan vlan 20 0 priority 6

#




#

interface XGigabitEthernet0/0/3 port link-type trunk





102




#

return

3.11.5 Example for Implementing Communication Between VLANs

by Using VLANIF InterfacesA Layer 3 switch can replace a router to implement communications between VLANs by using

VLANIF interfaces.


Departments of an enterprise are located on different network segments and use same services

such as Internet access and VoIP. Departments in different VLANs need to use the same service,

so communication between VLANs must be implemented.

As shown in Figure 3-13, department 1 and department 2 use the same service but belong to

different VLANs and are located on different network segments. Users in department 1 anddepartment 2 need to communicate with each other.

Figure 3-13 Communication between VLANs using VLANIF interfaces

SwitchA

Switch

XGE0/0/1

VLAN 10 VLAN 20

PC1

10.10.10.2/24 20.20.20.2/24

Department1

PC2

Department2

XGE0/0/1

XGE0/0/2 XGE0/0/3



1. Create VLANs on the switches for different departments.

2. Add Layer 2 interfaces to the VLANs so that packets of the VLANs can pass through the

Layer 2 interfaces.

3. On the Layer 3 switch, create VLANIF interfaces corresponding to the VLANs and

configure IP addresses for the VLANIF interfaces to implement Layer 3 communication.

NOTE

To implement communication between VLANs, hosts in each VLAN must use the IP address of thecorresponding VLANIF interface as gateway address.





103



Data Preparation


l XGE0/0/1 of the Switch needs to be added to VLAN 10 and VLAN 20.

l The IP address of VLANIF10 on the Switch is 10.10.10.1/24.

l The IP address of VLANIF20 on the Switch is 20.20.20.1/24.

l XGE0/0/1of SwitchA needs to be added to VLAN 10 and VLAN 20.

l XGE0/0/2 of SwitchA needs to be added to VLAN 10.

l XGE0/0/3 of SwitchA needs to be added to VLAN 20.

Procedure

Step 1 # Configure the Switch.

# Create VLANs.



# Add XGE0/0/1 to VLANs.



[Quidway-XGigabitEthernet0/0/1] port trunk allow-pass vlan 10 20


# Assign IP addresses to VLANIF interfaces.

[Quidway] interface vlanif 10

[Quidway-Vlanif10] ip address 10.10.10.1 24[Quidway-Vlanif10] quit


[Quidway-Vlanif20] ip address 20.20.20.1 24

[Quidway-Vlanif20] quit

Step 2 Configure SwitchA.

# Create VLANs.



# Add interfaces to VLANs.

[Quidway] interface xgigabitethernet 0/0/1[Quidway-XGigabitEthernet0/0/1] port link-type trunk

[Quidway-XGigabitEthernet0/0/1] port trunk allow-pass vlan 10 20



[Quidway-XGigabitEthernet0/0/2] port link-type access

[Quidway-XGigabitEthernet0/0/2] port default vlan 10


[Quidway] xgigabitethernet 0/0/3





On PC1 in VLAN 10, set the default gateway address to 10.10.10.1/24, which is the IP addressof VLANIF10.





104



On PC2 in VLAN 20, set the default gateway address to 20.20.20.1/24, which is the IP address

of VLANIF20.

After the preceding configurations are complete, PC1 in VLAN 10 and PC2 in VLAN 20 can

communicate.

----End

Configuration Files


#

sysname Quidway

#

vlan batch 10 20

#

interface Vlanif10

ip address 10.10.10.1 255.255.255.0

#

interface Vlanif20

ip address 20.20.20.1 255.255.255.0

#



port trunk allow-pass vlan 10 20

#

return

Configuration file of SwitchA

#

sysname Quidway

#

vlan batch 10 20

#interface XGigabitEthernet0/0/1



#



port default vlan 10

#




#

return

3.11.6 Example for Configuring VLAN AggregationThis part describes how to configure communication between VLANs with less IP addresses.


Assume that an enterprise has many departments and IP addresses of these departments are on

the same network segment, to improve the service security, IP address of employee users in

different departments are added to different VLANs. Employee users in different departments

need to communicate with each other.

As shown in Figure 3-14, IP addresses of the R&D department and test department belong to

different VLANs. It is required that employee users in different VLANs communicate with eachother.





105





# Configure XGE 0/0/2 as an access interface.















Step 2 Configure VLAN 2.# Create VLAN 2.

[Quidway] vlan 2

# Add XGE 0/0/1 and XGE 0/0/2 to VLAN 2.

[Quidway-vlan2] port xgigabitethernet 0/0/1 0/0/2


Step 3 Configure VLAN 3.

# Create VLAN 3.

[Quidway] vlan 3


[Quidway-vlan3] port xgigabitethernet 0/0/3 0/0/4


Step 4 Configure VLAN 4.

# Configure the super-VLAN.

[Quidway] vlan 4

[Quidway-vlan4] aggregate-vlan

[Quidway-vlan4] access-vlan 2 to 3

# Configure the VLANIF interface.


[Quidway-Vlanif4] ip address 100.1.1.12 255.255.255.0

[Quidway-Vlanif4] quit

Step 5 Configure the personal computers.

Configure the IP address for each personal computer and make them reside in the same network

segment with VLAN 4.

After the preceding configuration, the personal computers and the Switch can ping each other,

but the computers in VLAN 2 and the computers in VLAN 3 cannot ping each other.

Step 6 Configure proxy ARP.

[Quidway] interface vlanif 4 [Quidway-Vlanif4] arp-proxy inter-sub-vlan-proxy enable





107




After the preceding configuration, the computers in VLAN 2 and the computers in VLAN 3 can

ping each other.

----End

Configuration Files


#

sysname Quidway

#

vlan batch 2 to 4

#

vlan 4

aggregate-vlan

access-vlan 2 to 3

#interface Vlanif4

ip address 100.1.1.12 255.255.255.0

arp-proxy inter-sub-vlan-proxy enable

#



port default vlan 2

#



port default vlan 2

#



port default vlan 3



port default vlan 3

#

return

3.11.7 Example for Configuring the MUX VLAN

MUX VLAN isolates Layer 2 traffic of different interfaces in a VLAN. It allows some employee

users of an enterprise to communicate with each other and isolates some employee users from

each other.


In an enterprise network, all employees of the enterprise can access the enterprise's server. It is

required that some employees be able to communicate with each other, whereas some employees

not communicate with each other.

As shown in Figure 3-15, in an enterprise network, all employees of the enterprise can access

the enterprise's server. It is required that some employees be able to communicate with each

other, whereas some employees not communicate with each other.

For an enterprise with a large number of employees, each employee that is prohibited from

communicating with another needs to be added to a separate VLAN if the preceding scheme is

used. This wastes VLAN ID resources and imposes an additional configuration workload on thenetwork administrator.





108



Configuring a MUX VLAN on the switch connected to PCs helps to save VLAN ID resources,

reduce the configuration workload of the network administrator, and facilitate network

maintenance.

Figure 3-15 Typical networking of MUX VLAN configuration

VLAN3 VLAN4 VLAN2

HostAHostEHostDHostCHostB

XGE0/0/2XGE0/0/1

XGE0/0/3XGE0/0/4 XGE0/0/5

Switch



1. Configure the MUX VLAN.

2. Configure the group VLAN.

3. Configure the separate VLAN.

4. Add interfaces to the VLAN and enable the MUX VLAN function.

Data Preparation


l XGE 0/0/1 belongs to VLAN 2.



Procedure

Step 1 Configure the MUX VLAN.

# Create VLAN 2, VLAN 3, and VLAN 4.


[Quidway] vlan batch 2 3 4

[Quidway] quit

# Configure the MUX VLAN, subordinate VLAN, and interfaces.


[Quidway] vlan 2

[Quidway-vlan2] mux-vlan[Quidway-vlan2] subordinate group 3





109



[Quidway-vlan2] subordinate separate 4





[Quidway-XGigabitEthernet0/0/1] port mux-vlan enable

[Quidway-XGigabitEthernet0/0/1] quit[Quidway] interface xgigabitethernet 0/0/2





















Host A can ping Hosts B to E. Hosts B to E can also ping Host A.

Host B and Host C can ping each other.

Host D and Host E cannot ping each other.

Host B and Host C cannot ping Host D or host E. Host D and Host E cannot ping Host B or Host

C.

----End

Configuration Files


#

sysname Quidway

#

vlan batch 2 to 4

#

vlan 2

mux-vlan

subordinate group 3

subordinate separate 4

#



port default vlan 2


#



port default vlan 3


#

interface XGigabitEthernet0/0/3 port link-type access





110



port default vlan 3


#



port default vlan 4

port mux-vlan enable#



port default vlan 4


#

return

3.11.8 Example for Configuring a Voice VLAN in Auto Mode

In this example, voice traffic is transmitted by using a specific VLAN, namely, voice VLAN.

During a certain period, if a voice device becomes faulty or exits from the network, the interface

connected to the voice device will exit from the voice VLAN.


Data flows of the HSI, VoIP, and IPTV services are transmitted on a network. Users require

high quality of VoIP services; therefore, voice data flows must be transmitted with a high priority

to ensure the call quality.

As shown in Figure 3-16, after a voice VLAN is configured on the Switch, the Switch checks

whether a data flow received by XGigabitEthernet0/0/1 is a voice data flow based on the source

MAC address of the flow. If the data flow is a voice data flow, the Switch changes the priority

of the flow and transmits it in the voice VLAN. If not, the Switch transmits the flow in a common

VLAN without changing the priority of the flow. XGigabitEthernet0/0/1 needs to be

automatically added to or deleted from the voice VLAN.





111



Figure 3-16 Networking diagram of configuring a voice VLAN in auto mode

Switch

LAN Switch

Internet

DHCP Server

HSI VoIP IPTV

XGE0/0/1



1. Create VLANs.

2. Configure the link type and default VLAN of the interface.

3. Enable the voice VLAN on the interface.

4. Set the mode of adding the interface to the voice VLAN to auto.

5. Set the OUI of the voice VLAN.

6. Set the aging time of the voice VLAN.

7. Set the working mode of the voice VLAN.

Data Preparation


l Voice VLAN and VLAN through which the IP phone applies for an IP address: VLAN 2

and VLAN 6

l OUI and mask: 0011-2200-0000 and ffff-ff00-0000

l Aging time of the voice VLAN: 100 minutes

l The default VLAN of XGigabitEthernet 0/0/1 is VLAN 6.





112



Procedure

Step 1 Create VLANs and configure the interface on the Switch.

# Create VLAN 2 and VLAN 6.



# Configure the link type and default VLAN of the interface.


[Quidway-XGigabitEthernet0/0/1] port hybrid pvid vlan 6

[Quidway-XGigabitEthernet0/0/1] port hybrid untagged vlan 6


Step 2 Configure the voice VLAN on the Switch.

# Configure the voice VLAN on the interface.

[Quidway] interface xgigabitethernet 0/0/1[Quidway-XGigabitEthernet0/0/1] voice-vlan 2 enable

# Set the mode of adding the interface to the voice VLAN to auto.

[Quidway-XGigabitEthernet0/0/1] voice-vlan mode auto


# Set the OUI of the voice VLAN.

[Quidway] voice-vlan mac-address 0011-2200-0000 mask ffff-ff00-0000

# Set the aging time of the voice VLAN.

[Quidway] voice-vlan aging-time 100

# Set the working mode of the voice VLAN.

[Quidway-XGigabitEthernet0/0/1] voice-vlan security enable


Run the display voice-vlan oui command to check whether the OUI of the voice VLAN is

correct.

<Quidway> display voice-vlan oui

---------------------------------------------------

OuiAddress Mask Description

---------------------------------------------------

0011-2200-0000 ffff-ff00-0000

Run the display voice-vlan 2 status command to check whether the mode of adding the interface

to the voice VLAN, working mode, and aging time of the voice VLAN are correct.

<Quidway> display voice-vlan 2 status

Voice VLAN Configurations:

---------------------------------------------------

Voice VLAN ID : 2

Voice VLAN status : Enable

Voice VLAN aging time : 100 (minutes)

Voice VLAN 8021p remark : 6

Voice VLAN dscp remark : 46

----------------------------------------------------------

Port Information:

-----------------------------------------------------------Port Add-Mode Security-Mode Legacy





113



-----------------------------------------------------------

XGigabitEthernet0/0/1 Auto Security Disable

----End

Configuration Files


#

sysname Quidway

#

vlan batch 2 6

#

voice-vlan aging-time 100

#

voice-vlan mac-address 0011-2200-0000 mask ffff-ff00-0000

#



port hybrid untagged vlan 6 voice-vlan 2 enable

#

return

3.11.9 Example for Configuring a Voice VLAN in Manual Mode

In manual voice VLAN mode, an interface must be added to the voice VLAN manually after

the voice VLAN function is enabled on the interface. The interface connected to a voice device

can forward voice data packets only after the interface is added to the voice VLAN manually.


Data flows of the HSI, VoIP, and IPTV services are transmitted on a network. Users requirehigh quality of VoIP services; therefore, voice data flows must be transmitted with a high priority

to ensure the call quality.

As shown in Figure 3-17, after a voice VLAN is configured on the Switch, the Switch checks

whether a data flow received by XGigabitEthernet0/0/1 is a voice data flow based on the source

MAC address of the flow. If the data flow is a voice data flow, the Switch changes the priority

of the flow and transmits it in the voice VLAN. If not, the Switch transmits the flow in a common

VLAN without changing the priority of the flow. XGigabitEthernet0/0/1 needs to be added to

or deleted from the voice VLAN manually.





114



Figure 3-17 Networking diagram of a voice VLAN in manual mode

Switch

LAN Switch

Internet

DHCP Server

HSI VoIP IPTV

XGE0/0/1



1. Create VLANs.

2. Configure the link type and default VLAN of the interface.

3. Enable the voice VLAN on the interface.

4. Set the mode of adding the interface to the voice VLAN to manual.

5. Set the OUI of the voice VLAN.

6. Set the working mode of the voice VLAN.

7. Add the interface to the voice VLAN.

Data Preparation


l Voice VLAN and VLAN through which the IP phone applies for an IP address: VLAN 2

and VLAN 6

l OUI and mask: 0011-2200-0000 and ffff-ff00-0000

l Default VLAN of XGigabitEthernet 0/0/1: VLAN 6





115



Procedure

Step 1 Create VLANs and configure the interface on the Switch.

# Create VLAN 2 and VLAN 6.



# Configure the link type and default VLAN of the interface.





Step 2 Configure the voice VLAN on the Switch.

# Configure the voice VLAN on the interface.


[Quidway-XGigabitEthernet0/0/1] voice-vlan 2 enable

# Set the mode of adding the interface to the voice VLAN to manual and add the interface to the

voice VLAN.

[Quidway-XGigabitEthernet0/0/1] voice-vlan mode manual

[Quidway-XGigabitEthernet0/0/1] port hybrid tagged vlan 2


# Set the OUI of the voice VLAN.

[Quidway] voice-vlan mac-address 0011-2200-0000 mask ffff-ff00-0000

# Set the working mode of the voice VLAN.

[Quidway-XGigabitEthernet0/0/1] voice-vlan security enable


Run the display voice-vlan oui command to check whether the OUI of the voice VLAN is

correct.

<Quidway> display voice-vlan oui

---------------------------------------------------

OuiAddress Mask Description

---------------------------------------------------

0011-2200-0000 ffff-ff00-0000

Run the display voice-vlan 2 status command to check whether the mode of adding the interface

to the voice VLAN, working mode, and aging time of the voice VLAN are correct.

<Quidway> display voice-vlan 2 status

Voice VLAN Configurations:

---------------------------------------------------

Voice VLAN ID : 2

Voice VLAN status : Enable

Voice VLAN aging time : 1440 (minutes)

Voice VLAN 8021p remark : 6

Voice VLAN dscp remark : 46

----------------------------------------------------------

Port Information:

-----------------------------------------------------------

Port Add-Mode Security-Mode Legacy

-----------------------------------------------------------

XGigabitEthernet0/0/1 Manual Security Disable

----End





116



Configuration Files


#

sysname Quidway

#

vlan batch 2 6

#

voice-vlan mac-address 0011-2200-0000 mask ffff-ff00-0000

#





voice-vlan 2 enable

voice-vlan mode manual

#

return





117



4 VLAN Mapping Configuration

About This Chapter

This chapter describes the basic knowledge, methods, and examples for configuring VLAN

mapping.

4.1 Introduction to VLAN Mapping

This section describes the concept of VLAN mapping.

4.2 VLAN Mapping Features Supported by the S6700

This section describes VLAN mapping features supported by the S6700.

4.3 Configuring VLAN Mapping of Single VLAN TagThis section describes how to configure VLAN mapping of single VLAN tag.

4.4 Configuring VLAN Mapping of Double VLAN Tags

This section describes how to configure mapping of double VLAN tags.

4.5 Configur ation Examples

This section provides several examples of VLAN mapping configuration.


Configuration Guide - Ethernet 4 VLAN Mapping Configuration



118



4.1 Introduction to VLAN Mapping

This section describes the concept of VLAN mapping.

VLAN Mapping is a process of mapping the customer VLAN to the carrier VLAN by replacing

the inner and outer VLAN tags of data frames. In this manner, VLAN aggregation is realized,

and services of customers can be transmitted according to the network planning of the carrier.

4.2 VLAN Mapping Features Supported by the S6700

This section describes VLAN mapping features supported by the S6700.

The S6700 supports the following VLAN mapping features:

l Single-tag VLAN mapping based on the interface and VLAN

l Double-tag VLAN mapping based on the interface and VLAN

l Single-tag VLAN mapping based on the interface, VLAN, and 802.1p priority

4.3 Configuring VLAN Mapping of Single VLAN Tag

This section describes how to configure VLAN mapping of single VLAN tag.



When two private networks in different VLANs communicate with each other through a public

network, the user packets may carry the C-VLAN tag when reaching the ISP network. You can

configure VLAN mapping on the edge device of the public network so that the VLANs of private

networks are separated from VLANs of the public network. This saves VLAN resources of the

public network.


Before configuring VLAN mapping, complete the following task:

l Configuring VLANs

Data Preparation

To configure VLAN mapping, you need the following data.

No. Data

1 VLAN ID before VLAN mapping

2 VLAN ID after VLAN mapping





119



4.3.2 Replacing a Single Tag

Context

Do as follows on the S6700 where you need to configure single-tag VLAN mapping.

Procedure

Step 1 Run:

system-view


Step 2 Run:



Step 3 Run:


The link type of the interface is set.

By default, the link type of an interface is hybrid.

Step 4 Run:

port trunk allow-pass vlan vlan-id

The interface is added to the VLAN specified by map-vlan.

Step 5 Run:

qinq vlan-translation enable

VLAN translation is enabled on the interface.

Step 6 Run:

port vlan-mapping vlan vlan-id1 [ to vlan-id2 ] map-vlan vlan-id3 [ remark-8021p

8021p-value ]

Single-tag VLAN mapping is configured on the interface.

NOTE

l VLAN mapping can only be configured on a trunk or hybrid interface, and the interface must be added

to the VLAN specified by map-vlan in tagged mode.

l If multiple VLANs are specified in vlan, the interface needs to be added to these VLANs in tagged

mode, and the VLAN specified by map-vlan cannot be a VLAN corresponding to a VLANIF interface.

l If VLAN mapping and DHCP are configured on the same interface, the interface must be added to the

original VLANs (VLANs before mapping) in tagged mode.

l Limiting MAC address learning on an interface may affect the N:1 VLAN mapping on the interface.

----End






120



Procedure

l Run the display vlan vlan-id command to check whether the interface is added to the

translated local VLAN.

l Run the display current-configuration command to display information about the VLAN

mapping of single VLAN tag on the interface.

Run the preceding command, and you can obtain the following information:

– The interface is added to the translated local VLAN.

– The information about the VLAN mapping is correct.

----End

4.4 Configuring VLAN Mapping of Double VLAN Tags

This section describes how to configure mapping of double VLAN tags.



When two private networks in different VLANs communicate with each other through a public

network, the user packets may carry one or two VLAN tags when arriving on the public network.

You can configure VLAN mapping of double VLAN tags on the edge device of the public

network so that the VLANs of private networks and public network can be separated. This savesVLAN resources of the public network. Compared with VLAN mapping of single VLAN tag,

this function is more flexible and used in a wider scope.


l Before configuring outer-tag VLAN mapping, configure VLANs.

Data Preparation

To configure double-tag VLAN mapping, you need the following data.

No. Data

1 Outer VLAN ID before VLAN mapping

2 Inner VLAN ID before VLAN mapping

3 Outer VLAN ID after VLAN mapping

4.4.2 Replacing the Outer VLAN Tag





121



Context

Do as follows on the S6700 where you need to replace the outer VLAN tags.


system-view


Step 2 Run:



Step 3 Run:


The link type of the interface is set to trunk.

Step 4 Run:

port trunk allow-pass vlan vlan-id

The interface is added to the VLAN whose ID will replace the outer VLAN tag of frames.

Step 5 Run:



Step 6 Run:

port vlan-mapping vlan vlan-id1 inner-vlan vlan-id2 [ to vlan-id3 ] map-vlan vlan-id4 [ remark-8021p 8021p-value ]

The outer VLAN tag is replaced.

NOTE

VLAN mapping can only be configured on a trunk or hybrid interface, and the interface must be added to

the VLAN specified by map-vlan in tagged mode.

----End


Procedure

l Run the display vlan vlan-id command to check whether the interface is added to the

translated local VLAN.

l Run the display current-configuration command to display information about the

mapping of double VLAN tags on the interface.

Run the preceding command, and you can obtain the following information:

– The interface is added to the translated local VLAN.

– The information about the VLAN mapping is correct.

----End





122




This section provides several examples of VLAN mapping configuration.

4.5.1 Example for Configuring Single-Tag VLAN Mapping


As shown in Figure 4-1, users in VLAN 6 need to communicate with users in VLAN 5 through

VLAN 10 on the network.

Figure 4-1 Networking diagram of single-tag VLAN mapping configurations

Network

VLAN10SwitchC SwitchD

SwitchBSwitchA

XGE0/0/1

XGE0/0/1

XGE0/0/3XGE0/0/2

VLAN6

172.16.0.1/16 172.16.0.2/16 172.16.0.3/16 172.16.0.5/16 172.16.0.6/16 172.16.0.7/16

VLAN5XGE0/0/1

XGE0/0/1

XGE0/0/2 XGE0/0/3



1. Create VLANs on SwitchA, SwitchB, SwitchC, and SwitchD.

2. Add interfaces of SwitchA, SwitchB, SwitchC, and SwitchD to the corresponding VLANs.

3. Configure single-tag VLAN ma pping on XGE 0/0/1 of SwitchA.

4. Configure single-tag VLAN mapping on XGE 0/0/1 of SwitchB.

Data Preparation






123



l VLAN to be created on SwitchA: VLAN 6

l VLAN to be created on SwitchB: VLAN 5

l VLAN to be created on SwitchC and SwitchD: VLAN 10

Procedure

Step 1 Create VLANs on the Switches.

# Create VLAN 6 on SwitchA.



[SwitchA] vlan 6

# Create VLAN 5 on SwitchB.



[SwitchB] vlan 5

# Create VLAN 10 on SwitchC.


[Quidway] sysname SwitchC

[SwitchC] vlan 10

# Create VLAN 10 on SwitchD.


[Quidway] sysname SwitchD

[SwitchD] vlan 10

Step 2 Add interfaces to VLANs.

# Add XGE 0/0/2 and XGE 0/0/3 of SwitchA to VLAN 6.


[SwitchA-XGigabitEthernet0/0/2] port link-type trunk

[SwitchA-XGigabitEthernet0/0/2] port trunk allow-pass vlan 6






# Add XGE 0/0/1 of SwitchA to VLAN 6.





# Add XGE 0/0/2 and XGE 0/0/3 of SwitchB to VLAN 5.


[SwitchB-XGigabitEthernet0/0/2] port link-type trunk

[SwitchB-XGigabitEthernet0/0/2] port trunk allow-pass vlan 5






# Add XGE 0/0/1 of SwitchB to VLAN 5.

[SwitchB] interface xgigabitethernet 0/0/1[SwitchB-XGigabitEthernet0/0/1] port link-type trunk





124





# Add XGE 0/0/1 of SwitchC to VLAN 10.

[SwitchC] interface xgigabitethernet 0/0/1

[SwitchC-XGigabitEthernet0/0/1] port link-type trunk[SwitchC-XGigabitEthernet0/0/1] port trunk allow-pass vlan 10

[SwitchC-XGigabitEthernet0/0/1] quit

# Add XGE 0/0/1 of SwitchD to VLAN 10.

[SwitchD] interface xgigabitethernet 0/0/1

[SwitchD-XGigabitEthernet0/0/1] port link-type trunk

[SwitchD-XGigabitEthernet0/0/1] port trunk allow-pass vlan 10

[SwitchD-XGigabitEthernet0/0/1] quit

Step 3 Configure single-tag VLAN mapping on the Switches.

# Configure single-tag VLAN mapping on XGE 0/0/1 of SwitchA.

[SwitchA-XGigabitEthernet0/0/1] qinq vlan-translation enable

[SwitchA-XGigabitEthernet0/0/1] port vlan-mapping vlan 10 map-vlan 6

# Configure single-tag VLAN mapping on XGE 0/0/1 of SwitchB.

[SwitchB-XGigabitEthernet0/0/1] qinq vlan-translation enable

[SwitchB-XGigabitEthernet0/0/1] port vlan-mapping vlan 10 map-vlan 5


The hosts in VLAN 6 and the hosts in VLAN 5 can ping each other.

----End

Configuration Filesl Configuration file of SwitchA

#

sysname SwitchA

#

vlan batch 6

#





port vlan-mapping vlan 10 map-vlan 6

#




#




#

return


#

sysname SwitchB

#

vlan batch 5

#


qinq vlan-translation enable port link-type trunk





125




port vlan-mapping vlan 10 map-vlan 5

#







#

return

l Configuration file of SwitchC

#

sysname SwitchC

#

vlan batch 10

#




#

return

l Configuration file of SwitchD

#

sysname SwitchD

#

vlan batch 10

#




#

return

4.5.2 Example for Configuring N:1 VLAN Mapping


As shown in Figure 4-2, users in VLAN 100 to VLAN 200 connect to the Internet through the

aggregate switch of the carrier, that is, the Switch.

After user devices are powered on, they send service request packets to the switch of the carrier.

After the user devices pass the authentication, services can be used.





126



Figure 4-2 Networking diagram for configuring N:1 VLAN mapping

XGE0/0/1Switch

…… ……

SwitchA

SwitchE

VLAN100~200

……

SwitchDSwitchCSwitchB

Internet



1. Configure the VLANs before and after mapping.

2. Add XGE 0/0/1 of the Switch to the VLANs before and after mapping in tagged mode.

3. Configure VLAN mapping on XGE 0/0/1 of the Switch.

Data preparationTo complete the configuration, you need the following data:

l VLANs before mapping: VLAN 100 to VLAN 200

l VLAN after mapping: VLAN 10

Procedure


# Create VLANs.

<Quidway> system-view[Quidway] vlan batch 10 100 to 200





127



# Add related XGE 0/0/1 to the VLANs.


[Quidway-XGigabitEthernet0/0/1] port hybrid tagged vlan 10 100 to 200

# Configure VLAN mapping on XGE 0/0/1.

[Quidway-XGigabitEthernet0/0/1] qinq vlan-translation enable

[Quidway-XGigabitEthernet0/0/1] port vlan-mapping vlan 100 to 200 map-vlan 10



Users in VLAN 100 to VLAN 200 can connect to the Internet through the Switch.

----End

Configuration Files


#

sysname Quidway

#

vlan batch 10 100 to 200

#



port hybrid tagged vlan 10 100 to 200

port vlan-mapping vlan 100 to 200 map-vlan 10

#

return





128



5 QinQ Configuration

About This Chapter

This chapter describes the basic knowledge, methods, and examples for configuring QinQ.

5.1 Concept of QinQ

This section describes the concept of QinQ.

5.2 QinQ Features Supported by the S6700

This section describes the QinQ features supported by the S6700.

5.3 Configuring QinQ on an Interface

This section describes how to configure the interface type, the protocol used by the outer VLANtag, and the interface-based QinQ.

5.4 Configuring Selective QinQ

This section describes how to configure the interface type, the outer VLAN ID, and selective

QinQ.

5.5 Configuring QinQ Stacking on a VLANIF Interface

To log in to a remote device to manage it, configure QinQ stacking on the VLANIF interface

corresponding to the management VLAN on the remote device.

5.6 Setting the Protocol Type in the Outer VLAN Tag

This section describes how to set the protocol type in the outer VLAN tag on an interface.


This section provides several configuration examples of QinQ.


Configuration Guide - Ethernet 5 QinQ Configuration



129



5.1 Concept of QinQ

This section describes the concept of QinQ.

The 802.1Q-in-802.1Q (QinQ) protocol is a Layer 2 tunneling protocol based on the IEEE

802.1Q technology. The frame transmitted on the public network has double 802.1Q tags. One

is a public tag and the other is a private tag. It is called the QinQ protocol.

The principle of QinQ is to encapsulate a private VLAN tag in a public VLAN tag; therefore, a

packet traverses the backbone network of the Internet service provider (ISP) carrying double

VLAN tags. By using the QinQ technology, the S6700 provides a simpler Layer 2 VPN tunnel

for users.

5.2 QinQ Features Supported by the S6700

This section describes the QinQ features supported by the S6700.

Selective QinQ

The S6700 supports selective QinQ, which is extended on the basis of QinQ. Selective QinQ

enables an interface to add the outer VLAN tags with different public VLAN IDs to frames

according to the private VLAN IDs in the inner VLAN tags. This can differentiate various types

of users.

The S6700 not only supports selective QinQ based on the interface and VLAN, but also supports

flow-based selective QinQ.

For the commands related to flow-based selective QinQ, see the Quidway S6700 Series Ethernet

Switches Command Reference - QoS .

Protocols Used by Outer VLAN Tags

The protocols applied to outer VLAN tags vary according to the vendors. To interwork with

non-Huawei devices, the S6700 supports the selective setting of the protocols used by the outer

VLAN tags.

5.3 Configuring QinQ on an Interface

This section describes how to configure the interface type, the protocol used by the outer VLAN

tag, and the interface-based QinQ.



To separate the private network from the public network and save VLAN resources, you can

configure double 802.1q tags on a QinQ interface provided by the S6700. The inner VLAN tag

of the private network is distributed for the internal network such as the intranet; the outer VLANtag of the public network is distributed for the external network such as the ISP's network. In





130



this way, a maximum of 4094 x 4094 VLAN tags are provided to enable transparent transmission

of the packets from different private network users with the same VLAN ID.


None

Data Preparation

To configure QinQ on the interface, you need the following data.

No. Data

1 Number of the QinQ interface

2 (Optional) Protocol used by the outer VLAN tag

3 Outer VLAN ID

5.3.2 Setting the Link Type of an Interface

Context

Do as follows on the S6700 to be configured with interface QinQ.


system-view


Step 2 Run:



Step 3 Run:

port link-type dot1q-tunnel

The link type of the interface is set to dot1q-tunnel.


Dot1q-tunnel interfaces do not support Layer 2 multicast.

----End

5.3.3 Specifying the Outer VLAN ID

Context

Do as follows on the S6700 to be configured with interface QinQ.





131



Procedure

Step 1 Run:

system-view


Step 2 Run:

vlan vlan-id

The VLAN is created.

Step 3 Run:

quit


Step 4 Run:



Step 5 Run:

port default vlan vlan-id

The VLAN ID (default VLAN) of the outer VLAN tag is set.

----End


Procedure

l Run the display current-configuration interface interface-type interface-number

command to display the QinQ configuration on the interface.

----End

5.4 Configuring Selective QinQ

This section describes how to configure the interface type, the outer VLAN ID, and selective

QinQ.



To enable users to communicate through the ISP network, user packets are added an outer VLAN

tag.


None





132



Data Preparation

To configure selective QinQ, you need the following data.

No. Data

1 Number of the interface to be configured with selective QinQ

2 Inner VLAN ID

3 Outer VLAN ID

5.4.2 Setting the Link Type of an Interface

Context

Do as follows on the S6700 to be configured with selective QinQ:

Procedure

Step 1 Run:

system-view


Step 2 Run:



Step 3 Run:

port link-type hybrid

The link type of the interface is set to hybrid.


----End

5.4.3 Adding an Outer VLAN Tag

Context

Do as follows on the S6700 where you need to configure selective QinQ.

Procedure

Step 1 Run:

system-view






133



Step 2 Run:



Step 3 Run: port hybrid untagged vlan vlan-id

The interface is added to the stacked VLAN in untagged mode.

The stacked outer VLAN must a VLAN existing on the S6700, but the VLANs before VLAN

stacking do not need to be created on the S6700.

----End

5.4.4 Configuring Selective QinQ

Context

Do as follows on the S6700 where you need to configure selective QinQ.

Procedure

Step 1 Run:

system-view


Step 2 Run:



Step 3 Run:



Step 4 Run:

port vlan-stacking vlan vlan-id1 [ to vlan-id2 ] stack-vlan vlan-id3 [

remark-8021p 8021p-value ]

The selective QinQ is configured. The meanings of the parameters are as follows:

l vlan-id1 [ to vlan-id2 ] specifies the C-VLAN ID of the VLAN to which you need to add the

VLAN tag.

l stack-vlan vlan-id3 specifies the VLAN ID of the outer VLAN tag to be added.

l [ remark-8021p 8021p-value ] specifies the internal priority in the stacked outer VLAN tag.

NOTE

An interface learns the MAC address from the outer VLAN tag of a QinQ packet.

----End






134



Procedure


command to display the selective QinQ configuration on the interface.

----End

5.5 Configuring QinQ Stacking on a VLANIF Interface




Before configuring QinQ stacking on a VLANIF interface, familiarize yourself with the

applicable environment, complete the pre-configuration tasks, and obtain the data required for

the configuration. This will help you complete the configuration task quickly and accurately.


As shown in Figure 5-1, SwitchA is connected to SwitchB through a third-party network. The

management VLAN on SwitchB is the same as the VLAN for users connected to SwitchA. The

VLAN ID provided by the carrier, however, is different from the management VLAN ID.

Figure 5-1 Networking for QinQ stacking on a VLANIF interface

Internet

SwitchA

SwitchB

user1

user2

VLAN 10

IP 10

IP 10 20

Management VLAN 10

Interface VLANIF 10

To log in to SwitchB to manage it from SwitchA, you can configure QinQ stacking on the

VLANIF interface corresponding to the management VLAN on SwitchB.

After QinQ stacking is configured, data frames are processed as follows:

l Frames sent from SwitchA to SwitchB

The user-side interface of SwitchA, which is configured with QinQ, sends double-tagged

frames to the ISP network. The outer VLAN tag is assigned by the carrier so that the framescan be transparently transmitted across the ISP network to SwitchB.





135



When SwitchB receives double-tagged frames, it compares the VLAN tags of the frames

with the VLAN tags configured on the VLANIF interface. If the outer tag of the frames is

the same as the outer tag configured on the VLANIF interface, SwitchB removes the outer

tag and sends the frames to the IP layer for processing.

l Frames sent from SwitchB to SwitchAWhen the VLANIF interface of SwitchB receives data frames, SwitchB adds a VLAN tag

to the frames according to the QinQ stacking configuration. The new outer VLAN tag is

assigned by the carrier so that the double-tagged data frames can be transparently

transmitted to SwitchA across the ISP network. SwitchA removes the outer VLAN tag of

the frames and forwards the frames to users.


Before configuring QinQ stacking on a VLANIF interface, complete the following tasks:

lCreating VLANs

l Configuring the management VLAN

Data Preparations

To configure QinQ stacking on a VLANIF interface, you need the following data.

No. Data

1 VLAN IDs

5.5.2 Configuring QinQ Stacking on a VLANIF Interface



Procedure

Step 1 Run:

system-view


Step 2 Run:


The VLANIF interface corresponding to the management VLAN is created.

Before running this command, ensure that the management VLAN exists.

Step 3 Run:

qinq stacking vlan vlan-id

QinQ stacking is configured on the VLANIF interface.





136



NOTE

l When configuring QinQ stacking on a VLANIF interface, ensure that the VLANIF interface

corresponds to the management VLAN. VLANIF interfaces corresponding to other VLANs do not

support QinQ stacking.

l To change the configured outer VLAN tag, run the undo qinq stacking vlan command to disable QinQstacking, and then run the qinq stacking vlan command to configure a new outer VLAN tag.

l The qinq stacking vlan command conflicts with the icmp host-unreachable send command.

Therefore, you must run the undo icmp host-unreachable send command before using the qinq

stacking vlan command.

----End


After QinQ stacking is configured on the VLANIF interface of the remote device, you can log

in to the remote device to manage it from the local device.

Prerequisite

The configurations of QinQ stacking on the VLANIF interface are complete.

Procedure

Step 1 Run the display vlan [ vlan-id [ verbose ] ] command to check whether the management VLAN

is configured correctly.

Step 2 Run the display this command in the VLANIF interface view to check whether QinQ stacking

is configured correctly.

----End

5.6 Setting the Protocol Type in the Outer VLAN Tag

This section describes how to set the protocol type in the outer VLAN tag on an interface.



To enable the S6700 to communicate with devices of other vendors, you need to set a protocol

type that can be identified by the peer device in the outer VLAN tag.


None.

Data Preparation

To set the protocol type in the outer VLAN tag, you need the following data.





137



No. Data

1 Interface number

2 Protocol type in the outer VLAN tag

5.6.2 Configuring the Type of an Interface

Context

Do as follows on the S6700 where you need to set the protocol type in the outer VLAN tag.

Procedure

Step 1 Run:

system-view


Step 2 Run:



Step 3 Run:

port link-type { hybrid | trunk | access }

The interface type is configured.

By default, the interface type is hybrid.

----End

5.6.3 Setting the Protocol Type in the Outer VLAN Tag

Context

Do as follows on the S6700 where you need to set the protocol type in the outer VLAN tag.

Procedure

Step 1 Run:

system-view


Step 2 Run:



Step 3 Run:qinq protocol protocol-id





138



The protocol type of the outer VLAN tag is set.

The qinq protocol command cannot be used on a QinQ interface.

The qinq protocol command is used to identify incoming frames and add or change TPID for

outgoing frames.

By default, the protocol type in the outer VLAN tag is 0x8100.

NOTE

l To implement the connectivity between the devices of different vendors, the protocol type in the outer

VLAN tag must be identified by the peer device.

l The protocol IDs set by the qinq protocol command cannot be the same as well-known protocol IDs.

Otherwise, the interface cannot distinguish packets of these protocols. For example, protocol-id cannot

be set to 0x0806, which is the ARP protocol ID.

----End


Procedure

Step 1 Run the display current-configuration interface interface-type interface-number command to

display protocol type in the outer VLAN tag set on an interface.

----End

5.7 Configuration ExamplesThis section provides several configuration examples of QinQ.

5.7.1 Example for Configuring QinQ on Interfaces


As shown in Figure 5-2, there are two enterprises on the network, namely, Enterprise 1 and

Enterprise 2. Enterprise 1 has two office locations; Enterprise 2 has three office locations. The

office locations of the two enterprises access SwitchG or SwitchF of the ISP network. The

network of Enterprise 1 is divided into VLAN 1000 to VLAN 1500; the network of Enterprise

2 is divided into VLAN 2000 to VLAN 3000. It is required that employees in the same VLAN

can communicate with each other through the ISP network but the two enterprises are isolated

from each other.





139





Procedure


# Create VLAN 10 and VLAN 20 on SwitchF.


[Quidway] sysname SwitchF

[SwitchF] vlan batch 10 20

# Create VLAN 20 on SwitchG.


[Quidway] sysname SwitchG

[SwitchG] vlan 20

Step 2 Configure the interfaces as QinQ interfaces.

# Configure XGE 0/0/1, XGE 0/0/2, and XGE 0/0/3 of SwitchF as QinQ interfaces. Set the

VLAN ID of the outer VLAN tag added by XGE 0/0/1 and XGE 0/0/3/ to VLAN 10; set the

VLAN ID of the outer VLAN tag added by XGE 0/0/2 to VLAN 20.[SwitchF] interface xgigabitethernet 0/0/1

[SwitchF-XGigabitEthernet0/0/1] port link-type dot1q-tunnel

[SwitchF-XGigabitEthernet0/0/1] port default vlan 10

[SwitchF-XGigabitEthernet0/0/1] quit

[SwitchF] interface xgigabitethernet 0/0/2




[SwitchF] interface xgigabitethernet 0/0/3




# Set XGE 0/0/1 and XGE 0/0/2 of SwitchG as QinQ interfaces; set the VLAN ID of the outer

VLAN tags added by XGE 0/0/1 and XGE 0/0/2/ to VLAN 20.

[SwitchG] interface xgigabitethernet 0/0/1

[SwitchG-XGigabitEthernet0/0/1] port link-type dot1q-tunnel

[SwitchG-XGigabitEthernet0/0/1] port default vlan 20

[SwitchG-XGigabitEthernet0/0/1] quit


[SwitchG-XGigabitEthernet0/0/2] port link-type dot1q-tunnel

[SwitchG-XGigabitEthernet0/0/2] port default vlan 20


Step 3 Configure other interfaces.

# Add XGE 0/0/4 of SwitchF to VLAN 20.

[SwitchF] interface xgigabitethernet 0/0/4[SwitchF-XGigabitEthernet0/0/4] port link-type trunk

[SwitchF-XGigabitEthernet0/0/4] port trunk allow-pass vlan 20


# Add XGE 0/0/3 of SwitchG to VLAN 20.


[SwitchG-XGigabitEthernet0/0/3] port link-type trunk

[SwitchG-XGigabitEthernet0/0/3] port trunk allow-pass vlan 20



Ping a remote host on the same VLAN in another office location of Enterprise 1 from a host of

Enterprise 1. If it can ping the remote host, hosts in different locations of Enterprise 1 cancommunicate with each other.





141



Ping a remote host on the same VLAN in another office location of Enterprise 2 from a host of

Enterprise 2. If it can ping the remote host, hosts in different locations of Enterprise 2 can

communicate with each other.

Ping a host of Enterprise 2 from a host in any office location of Enterprise 1. If it fails to ping

the host of Enterprise 2, the two enterprises are isolated from each other.

----End

Configuration Files

The following lists the configuration files of the Switch.

l Configuration file of SwitchF

#

sysname SwitchF

#

vlan batch 10 20




#




#




#




#

return

l Configuration file of SwitchG

#

sysname SwitchG

#

vlan batch 20

#




#



port default vlan 20#




#

return

5.7.2 Example for Configuring Selective QinQ





142




As shown in Figure 5-3, common Internet access users (using PCs) and IPTV users (using IPTV

terminals) connect to the carrier network through Switch A and Switch B and communicate with

each other through the carrier network.

It is required that packets of PCs and IPTV terminals are tagged VLAN 2 and VLAN 3 when

the packets are transmitted through the carrier network.

Figure 5-3 Networking for configuring selective QinQ

PC PCIPTV IPTV

NetworkXGE0/0/2 XGE0/0/2

XGE0/0/1 XGE0/0/1

Sw itchA Sw itchB

Configuration RoadmapThe configuration roadmap is as follows:

1. Create VLANs on Switch A and Switch B.

2. Configure types of interfaces on Switch A and Switch B, and add the interfaces to

corresponding VLANs.

3. Configure selective QinQ on interfaces of Switch A and Switch B.

Data Preparation


l VLANs that PCs belong to: VLAN 100 to VLAN 200

l VLANs that IPTV terminals belong to: VLAN 300 to VLAN 400

l VLAN tag that packets of PCs carry on the carrier network: VLAN 2

l VLAN tag that packets of IPTV terminals carry on the carrier network: VLAN 3

Procedure


# On Switch A, create VLAN 2 and VLAN 3, that is, the outer VLAN IDs added to packets onthe carrier network.





143





[SwitchA] vlan batch 2 3

# On Switch B, create VLAN 2 and VLAN 3, that is, the outer VLAN IDs added to packets on

the carrier network.



[SwitchB] vlan batch 2 3

Step 2 Configure selective QinQ on interfaces of Switch A and Switch B.

# Configure XGE 0/0/1 of Switch A.


[SwitchA-XGigabitEthernet0/0/1] port link-type hybrid

[SwitchA-XGigabitEthernet0/0/1] port hybrid untagged vlan 2 3

[SwitchA-XGigabitEthernet0/0/1] qinq vlan-translation enable

[SwitchA-XGigabitEthernet0/0/1] port vlan-stacking vlan 100 to 200 stack-vlan 2

[SwitchA-XGigabitEthernet0/0/1] port vlan-stacking vlan 300 to 400 stack-vlan 3


# Configure XGE 0/0/1 of Switch B.


[SwitchB-XGigabitEthernet0/0/1] port link-type hybrid

[SwitchB-XGigabitEthernet0/0/1] port hybrid untagged vlan 2 3

[SwitchB-XGigabitEthernet0/0/1] qinq vlan-translation enable

[SwitchB-XGigabitEthernet0/0/1] port vlan-stacking vlan 100 to 200 stack-vlan 2

[SwitchB-XGigabitEthernet0/0/1] port vlan-stacking vlan 300 to 400 stack-vlan 3


Step 3 Configure other interfaces.

# Add XGE 0/0/2 of Switch A to VLAN 2 and VLAN 3.



[SwitchA-XGigabitEthernet0/0/2] port trunk allow-pass vlan 2 3


# Add XGE 0/0/2 of Switch B to VLAN 2 and VLAN 3.



[SwitchB-XGigabitEthernet0/0/2] port trunk allow-pass vlan 2 3



# View the configuration of each interface on Switch A.

<SwitchA> display current-configuration interface xgigabitethernet 0/0/1

#



port hybrid untagged vlan 2 to 3

port vlan-stacking vlan 100 to 200 stack-vlan 2


#

return

<SwitchA> display current-configuration interface xgigabitethernet 0/0/2

#




#return





144



# View the configuration of each interface on Switch B.

<SwitchB> display current-configuration interface xgigabitethernet 0/0/1

#



port hybrid untagged vlan 2 to 3 port vlan-stacking vlan 100 to 200 stack-vlan 2


#

return

<SwitchB> display current-configuration interface xgigabitethernet 0/0/2

#




#

return

If Switch A and Switch B are configured correctly:

l PCs can communicate with each other through the carrier network.

l IPTV terminals can communicate with each other through the carrier network.

----End

Configuration Files

Only the configuration files of the Switches are provided:

l Configuration file of Switch A

#

sysname SwitchA

#

vlan batch 2 to 3

#






#




#

return

l Configuration file of Switch B#

sysname SwitchB

#

vlan batch 2 to 3

#






#




#return





145



5.7.3 Example for Configuring Selective QinQ with VLANMapping

Networking RequirementsAs shown in Figure 5-4, the Internet access, IPTV, and VoIP services are provided for users

through home gateways.

The corridor switches allocate VLANs to the services as follows:

l VLANs for the Internet access service of different users: VLAN 1000 to VLAN 1100

l Shared VLAN for the IPTV service: VLAN 1101

l Shared VLAN for the VoIP service: VLAN 1102

l Shared VLAN for home gateways: VLAN 1103

Each community switch is connected to 50 downstream corridor switches and maps the VLANIDs in the packets of the Internet access service from the corridor switches to VLAN 101 to

VLAN 150.

The aggregate switch of the carrier is connected to 50 downstream community switches and

adds outer VLAN IDs 21 to 70 to the packets sent from the community switches.

After user devices are powered on, they send service request packets to the switch of the carrier.

After the user devices pass the authentication, services can be used.

Figure 5-4 Networking for configuring selective QinQ

……

…… ……

…… …… ……

SwitchA

SwitchB

XGE0/0/1

XGE0/0/1

Internet

XGE0/0/2

…………

ME60

…………





146





1. Create VLANs on SwitchA and SwitchB.

2. Configure VLAN mapping on SwitchB and add XGE 0/0/1 and XGE 0/0/2 to the VLANs.

3. Configure selective QinQ on SwitchA and add XGE 0/0/1 to VLANs.

4. Add other downlink interfaces of SwitchA and SwitchB to the VLANs. The configurations

are similar to the configurations of their XGE 0/0/1 interfaces.

5. Configure other community switches. The configuration is similar to the configuration on

SwitchB.

Data preparation


l VLANs to which XGE 0/0/1 of SwitchB is added in tagged mode: VLAN 1000 to VLAN

1100, VLAN 1101, VLAN 1102, VLAN 1103, and VLAN 101

l VLANs to which XGE 0/0/2 of SwitchB is added in tagged mode: VLAN 101 to VLAN

150, VLAN 1101, VLAN 1102, and VLAN 1103

l VLANs to which XGE 0/0/1 of SwitchA is added in tagged mode: VLAN 1101, VLAN

1102, and VLAN 1103

l VLANs to which XGE 0/0/1 of SwitchA is added in untagged mode: VLAN 21

l Interface on SwitchB where VLAN mapping is configured: XGE 0/0/1

l Interface on SwitchA where selective QinQ is configured: XGE 0/0/1

Procedure

Step 1 # Configure SwitchA.

# Create VLANs.


[Quidway] vlan batch 21 to 70 1101 to 1103

# Add related XGE 0/0/1 to the VLANs.



[Quidway-XGigabitEthernet0/0/1] port hybrid tagged vlan 1101 to 1103


# Configure selective QinQ on XGE 0/0/1.



[Quidway-XGigabitEthernet0/0/1] port vlan-stacking vlan 101 to 150 stack-vlan 21


Step 2 # Configure SwitchB.

# Create VLANs.


[Quidway] vlan batch 101 to 150 1000 to 1103

# Add XGE 0/0/1 and XGE 0/0/2 to the VLANs.





147




[Quidway-XGigabitEthernet0/0/1] port hybrid tagged vlan 101 1000 to 1103



[Quidway-XGigabitEthernet0/0/2] port hybrid tagged vlan 101 to 150 1101 to 1103


# Configure VLAN mapping on XGE 0/0/1.



[Quidway-XGigabitEthernet0/0/1] port vlan-mapping vlan 1000 to 1100 map-vlan 101



The Internet access service, IPTV service, and VoIP service can be used.

----End

Configuration Files

Configuration file of SwitchA

#

sysname Quidway

#

vlan batch 21 to 70 1101 to 1103

#



port hybrid tagged vlan 1101 to 1103



#

return

Configuration file of SwitchB

#

sysname Quidway

#

vlan batch 101 to 150 1000 to 1103

#



port hybrid tagged vlan 101 1000 to 1103

port vlan-mapping vlan 1000 to 1100 map-vlan 101

#


port hybrid tagged vlan 101 to 150 1101 to 1103

#

return

5.7.4 Example for Configuring QinQ Stacking on the VLANIFInterface

In this networking, the management VLAN is deployed on the remote server and the VLAN ID

of Switch A is the same as the management VLAN ID. The VLAN ID provided by the carrier,

however, is different from the management VLAN ID. To remotely log in to the remote server

for managing VLAN services on Switch A, you can configure VLAN stacking according to this

example.





148




As shown in Figure 5-5, Switch A is connected to the remote server through the third-party

network. The management VLAN is deployed on the remote server and the VLAN ID that the

downstream user connected to Switch A belongs to is the same as the management VLAN ID.

The VLAN ID provided by the carrier, however, is different from the management VLAN ID.

Figure 5-5 Networking diagram for configuring QinQ stacking on the VLANIF interface

Internet

SwitchA

Server

XGE0/0/1

XG E0/0/2 XG E0/0/2

user1

VLAN 10

IP 10

IP 10 20

XGE0/0/1

XGE0/0/2

SwitchC

To remotely log in to the remote server for managing VLAN services on Switch A, you can

configure QinQ stacking on the VLANIF interface corresponding to the management VLAN on

Switch B.

NOTE

The VLANIF interface where QinQ stacking is configured must correspond to the management VLAN.

This is because other types of VLANs do not support QinQ stacking.



1. Configure QinQ on Switch A.

2. Do as follows on the remote server:

(1) Create VLAN 10 and configure VLAN 10 as the management VLAN.

(2) Create a VLANIF interface on VLAN 10.

(3) Configure QinQ stacking on the VLANIF interface.

Data Preparation


l Outer tag that Switch A adds to data frames

l Management VLAN ID on the remote server





149



Procedure

Step 1 Configure Switch C.

# Configure XGE 0/0/1 and XGE 0/0/2 to allow packets from VLAN 10 to pass through.



[SwitchC] vlan batch 10


[SwitchC-XGigabitEthernet0/0/1] port hybrid tagged vlan 10



[SwitchC-XGigabitEthernet0/0/2] port hybrid tagged vlan 10


Step 2 Configure Switch A.

# Configure QinQ so that the frames sent from Switch A to the remote server carry double tags.



[SwitchA] vlan batch 20


[SwitchA-XGigabitEthernet0/0/1] port vlan-stacking vlan 10 stack-vlan 20

[SwitchA-XGigabitEthernet0/0/1] port hybrid untagged vlan 20



[SwitchA-XGigabitEthernet0/0/2] port hybrid tagged vlan 20


Step 3 Configure the remote server.

# Configure XGE 0/0/2 to allow frames from VLAN 20 to pass through.


[Quidway] sysname Server[Server] vlan batch 10 20

[Server] interface xgigabitethernet 0/0/2

[Server-XGigabitEthernet0/0/2] port hybrid tagged vlan 20

[Server-XGigabitEthernet0/0/2] quit

# Configure QinQ stacking.

[Server] vlan 10

[Server-vlan10] management-vlan

[Server-vlan10] quit

[Server] interface vlanif 10

[Server-Vlanif10] undo icmp host-unreachable send

[Server-Vlanif10] qinq stacking vlan 20

[Server-Vlanif10] ip address 10.10.10.1 24

[Server-Vlanif10] quit

[Server] interface xgigabitethernet 0/0/2

[Server-XGigabitEthernet0/0/2] port hybrid tagged vlan 10 20


You can log in to the remote server for managing VLAN services on Switch A.

----End

Configuration Files


#

sysname SwitchA#





150



vlan batch 20

#

interface XGigabitEthernet 0/0/1


port vlan-stacking vlan 10 stack-vlan 20

#

interface XGigabitEthernet 0/0/2 port hybrid tagged vlan 20

#

return

l Configuration file of Switch C

#

sysname SwitchC

#

vlan batch 10

#



#



#

return

l Configuration file of the remote server

#

sysname Server

#

vlan batch 10 20

#

vlan 10

management-vlan

#

interface Vlanif10

ip address 10.10.10.1 255.255.255.0

undo icmp host-unreachable send

qinq stacking vlan 20#


port hybrid tagged vlan 10 20

#

return





151



6 GVRP Configuration

About This Chapter

This chapter describes basic concepts involved in GVRP, GVRP configuration procedures, and

concludes with a GVRP configuration example.

6.1 GVRP Overview

This section explains the concepts of Generic Attribute Registration Protocol (GARP) and GARP

VLAN Registration Protocol (GVRP), and how they relate to each another.

6.2 GVRP Features Supported by the S6700

This section describes the GVRP features supported by the S6700.

6.3 Configuring GVRP

This section describes how to configure the GVRP function.

6.4 Maintaining GVRP

This section describes how to clear the statistics about GARP.

6.5 Configur ation Examples

This section provides configuration examples of GVRP.


Configuration Guide - Ethernet 6 GVRP Configuration



152



6.1 GVRP Overview

This section explains the concepts of Generic Attribute Registration Protocol (GARP) and GARP

VLAN Registration Protocol (GVRP), and how they relate to each another.

GVRP

GVRP is an application of GARP that maintains and propagates VLAN registration information

to other devices.

GARP

GARP enables member switches on a LAN to distribute, transmit, and register information such

as VLAN information and multicast addresses with one another.

GARP is not an entity on a device. GARP-compliant entities are called GARP participants.

GVRP is a GARP application. When a GARP application runs on an interface, the interface is

considered a GARP participant.

l GARP messages and timers

– GARP messages

GARP members transmit VLAN registration information by exchanging GARP

messages. The three main GARP messages are Join, Leave, and LeaveAll.

– When a GARP participant expects other devices to register its attributes, it sends

Join messages to other devices. When the GARP participant receives a Join message

from another participant or is configured with attributes statically, it also sends Joinmessages to other devices for the devices to register the new attributes.

– When a GARP participant expects other devices to deregister its attributes, it sends

Leave messages to other devices. When the GARP participant receives a Leave

message from another participant or some of its attributes are deregistered statically,

it also sends Leave messages to other devices.

– When a GARP participant is enabled, the LeaveAll timer is started. When the

LeaveAll timer expires, the GARP participant sends LeaveAll messages to request

other GARP participants to deregister all the attributes of the sender. Then other

participants can re-register the attributes.

The Join, Leave, and LeaveAll messages are used to control registration and

deregistration of attributes.

Through GARP messages, all attributes that need to be registered are sent to all the

GARP-enabled devices on the same LAN.

– GARP timers

The intervals for sending GARP messages are controlled by GARP timers. GARP

defines four timers to control the intervals for sending GARP messages.

– Hold timer: When a GARP participant receives a registration message from another

participant, it does not send the registration message in a Join message to other

participants immediately. Instead, the participant starts the Hold timer. When the

Hold timer expires, the participant packs all the registration messages received

within this period in a Join message and sends the Join message to other participants.This saves bandwidth on the network.





153



– Join timer: To ensure reliable transmission of Join messages, a participant can send

each Join message twice. If the participant does not receive the response after

sending the Join message the first time, it sends the Join message again. The Join

timer specifies the interval between the two Join messages.

– Leave timer: When a GARP participant expects other participants to deregister itsattribute, it sends Leave messages to other participants. When another participant

receives the Leave message, it starts the Leave timer. If the participant does not

receive any Join message before the Leave timer expires, it deregisters the attributes

of the Leave message sender.

– LeaveAll timer: When a GARP participant is enabled, the LeaveAll timer is started.

When the LeaveAll timer expires, the GARP participant sends LeaveAll messages

to request other GARP participants to re-register all its attributes. Then the LeaveAll

timer restarts.

NOTE

l The GARP timers apply to all GARP participants (such as GVRP) on the same LAN.

l The Hold timer, Join timer, and Leave timer must be set individually on each interface,

whereas the LeaveAll timer is set globally and takes effect on all interfaces of a device.

l Devices on a network may have different settings of the LeaveAll timer. In this case, all the

devices use the smallest LeaveAll timer value on the network. When the LeaveAll timer of

a device expires, the device sends LeaveAll messages to other devices. After other devices

receive the LeaveAll messages, they reset their LeaveAll timers. Therefore, only the

LeavelAll timer with the smallest value takes effect even if devices have different settings

of the LeaveAll timer.

l GARP operation process

Through GARP, the configuration information of a GARP member can be propagated on

the entire LAN. A GARP member may be a terminal workstation or a bridge. A GARP

member sends an attribute declaration or an attribute reclaim declaration to request other

GARP members to register or deregister its attributes. The GARP member can also register

or deregister attributes of other members when receiving attribute declarations or attribute

reclaim declarations from other members. When an interface receives an attribute

declaration, it registers the attribute. When the interface receives an attribute reclaim

declaration, the interface deregisters the attribute.

PDUs sent from a GARP participant use a multicast MAC address as the destination MAC

address. When a device receives a packet from a GARP participant, the device identifies

the packet according to the destination MAC address of the packet and sends the packet to

the corresponding GARP participant (such as GVRP).

l Format of a GARP packet

Figure 6-1 shows the format of a GARP packet.





154



Figure 6-1 Format of a GARP packet

DA SA length DSAP SSAP Ctrl PDU

Protocol ID Message 1 … Message N End Mark

Attribute Type Attribute List

Attribute 1 End Mark Attribute N…

Attribute Length Attribute Event Attribute Value

Ethernet Frame

GARP PDU structure

1

1

1

1

N

N

N

N3

2

2

3

Message structure

Attribute List structure

Attribute structure

The following table describes the fields in a GARP packet.

Field Description Value

Protocol ID Indicates the protocol ID. The value is 1.

Message Indicates the messages in

the packet. A message

consists of the Attribute

Type and Attribute Listfields.

-

Attribute Type Indicates the type of an

attribute, which is defined

by the GARP application.

The value is 0x01 for

GVRP, indicating that the

attribute value is a VLAN

ID.

Attribute List Indicates the attribute list,

which consists of multiple

attributes.

-

Attribute Indicates an attribute,

which consists of the

Attribute Length, Attribute

Event, and Attribute Value

fields.

-

Attribute Length Indicates the length of an

attribute.

The value ranges from 2 to

255, in bytes.





155



Field Description Value

Attribute Event Indicates the event that an

attribute describes. The

value can be:

l 0: LeaveAll event

l 1: JoinEmpty event

l 2: JoinIn event

l 3: LeaveEmpty event

l 4: LeaveIn event

l 5: Empty event

Attribute Value Indicates the value of an

attribute.

The value is a VLAN ID for

GVRP. This field is invalid

in a LeaveAll attribute.

End Mark Indicates the end of a

GARP PDU.

The value is 0x00.

6.2 GVRP Features Supported by the S6700This section describes the GVRP features supported by the S6700.

GVRP is an application of GARP. Based on the working mechanism of GARP, GVRP maintains

dynamic VLAN registration information in a device and propagates the registration information

to other devices.

After GVRP is enabled on the S6700, the S6700 can receive VLAN registration information

from other devices and dynamically update local VLAN registration information. VLANregistration information includes which VLAN members are on the VLAN and through which

interfaces their packets can be sent to the S6700. The S6700 can also send the local VLAN

registration information to other devices. By exchanging VLAN registration information, all the

devices on the same LAN have the same VLAN information. The VLAN registration

information transmitted through GVRP contains both static local registration information that

is manually configured and the dynamic registration information from other devices.

A GVRP interface supports three registration modes:

l Normal: In this mode, the GVRP interface can dynamically register and deregister VLANs,

and transmit dynamic VLAN registration information and static VLAN registration

information.

l Fixed: In this mode, the GVRP interface is disabled from dynamically registering andderegistering VLANs and can transmit only the static registration information. If the

registration mode of a trunk interface is set to fixed, the interface allows only the manually

configured VLANs to pass even if it is configured to allow all the VLANs to pass.

l Forbidden: In this mode, the GVRP interface is disabled from dynamically registering and

deregistering VLANs and can transmit only information about VLAN 1. If the registration

mode of a trunk interface is set to forbidden, the interface allows only VLAN 1 to pass even

if it is configured to allow all the VLANs to pass.

NOTE

The S6700 supports a maximum of 4094 dynamic VLANs.

The GVRP protocol can run only in the Common and Internal Spanning Tree (CIST) instance. The interface blocked by MSTP in the CIST instance cannot send or receive GVRP packets.





156



6.3 Configuring GVRP

This section describes how to configure the GVRP function.



On a complicated Layer 2 network, you can enable interfaces to dynamically join or leave

VLANs by configuring the GVRP function. This simplifies the configuration


Before configuring the GVRP function, complete the following task:

l Adding the GVRP interfaces to all VLANs

l Configuring the interface to send BPDUs to the CPU

Data Preparation

To configure the GVRP function, you need the following data.

No. Data

1 (Optional) Registration mode of GVRP interfaces

2 (Optional) Values of GARP timers

6.3.2 Enabling GVRP

Context

Do as follows on the S6700 to enable GVRP.

Procedure

Step 1 Run:

system-view


Step 2 Run:

gvrp

GVRP is enabled globally.

Step 3 Run:interface interface-type interface-number





157




Step 4 Run:


The link type of the interface is set to trunk.

Step 5 Run:

port trunk allow-pass vlan { { vlan-id1 [ to vlan-id2 ] }&<1-10> | all }

The interface is added to the specified VLANs.

Step 6 Run:

gvrp

GVRP is enabled on the interface.

By default, GVRP is disabled globally and on each interface.

NOTE

l Before enabling GVRP on an interface, you must enable GVRP globally.

l Before enabling GVRP on an interface, you must set the link type of the interface to trunk.

----End

6.3.3 (Optional) Setting the Registration Mode of a GVRP Interface

Context

A GVRP interface supports three registration modes:

l Normal: In this mode, the GVRP interface can dynamically register and deregister VLANs,

and transmit dynamic VLAN registration information and static VLAN registration

information.

l Fixed: In this mode, the GVRP interface is disabled from dynamically registering and

deregistering VLANs and can transmit only the static registration information. If the

registration mode of a trunk interface is set to fixed, the interface allows only the manually

configured VLANs to pass even if it is configured to allow all the VLANs to pass.

l Forbidden: In this mode, the GVRP interface is disabled from dynamically registering and

deregistering VLANs and can transmit only information about VLAN 1. If the registration

mode of a trunk interface is set to forbidden, the interface allows only VLAN 1 even if it

is configured to allow all the VLANs.

Do as follows on the S6700 to set the registration mode of interfaces.

Procedure

Step 1 Run:

system-view


Step 2 Run:







158



Step 3 Run:

gvrp registration { fixed | forbidden | normal }

The registration mode of the interface is set.

By default, the registration type of a GVRP interface is normal.

NOTE

Before setting the registration mode of an interface, you need to enable GVRP on the interface.

----End

6.3.4 (Optional) Setting the GARP Timers

Context

When a GARP participant is enabled, the LeaveAll timer is started. When the LeaveAll timer expires, the GARP participant sends LeaveAll messages to request other GARP participants to

re-register all its attributes. Then the LeaveAll timer restarts.

Devices on a network may have different settings of the LeaveAll timer. In this case, all the

devices use the smallest LeaveAll timer value on the network. When the LeaveAll timer of a

device expires, the device sends LeaveAll messages to other devices. After other devices receive

the LeaveAll messages, they reset their LeaveAll timers. Therefore, only the LeavelAll timer

with the smallest value takes effect even if devices have different settings of the LeaveAll timer.

When using the garp timer command to set the GARP timers, pay attention to the following

points:

lThe undo garp timer command restores the default values of the GARP timers. If thedefault value of a timer is out of the valid range, the undo garp timer command does not

take effect.

l The value range of each timer changes with the values of the other timers. If a value you

set for a timer is not in the allowed range, you can change the value of the timer that

determines the value range of this timer.

l To restore the default values of all the GARP timers, restore the Hold timer to the default

value, and then restore the Join timer, Leave timer, and LeaveAll timer to the default values

in sequence.

NOTE

In actual application, it is recommended that you use the following values of the GVRP timers:l GARP Hold timer: 100 centiseconds (1 second)

l GARP Join timer: 600 centiseconds (6 seconds)

l GARP Leave timer: 3000 centiseconds (30 seconds)

l GARP LeaveAll timer: 12000 centiseconds (2 minutes)

When the number of dynamic VLANs increases, lengths of the GARP timers need to be increased.

Procedure

Step 1 Run:

system-view






159



Step 2 Run:

garp timer leaveall timer-value

The value of the LeaveAll timer is set.

The default value of the LeaveAll timer is 1000 centiseconds (10 seconds).

Step 3 Run:



Step 4 Run:

garp timer { hold | join | leave } timer-value

The value of the Hold timer, Join timer, or Leave timer is set.

By default, the value of the Hold timer is 10 centiseconds, the value of the Join timer is 20

centiseconds, and the value of the Leave timer is 60 centiseconds.

----End


Procedure

l Run the display gvrp status command to view the status of global GVRP is enabled.

l Run the display gvrp statistics [ interface { interface-type interface-number [ to interface-

type interface-number ] }&<1-10> ] command to view the statistics about GVRP on aninterface.

l Run the display garp timer [ interface { interface-type interface-number [ to interface-

type interface-number ] }&<1-10> ] command to view the values of GARP timers.

----End

6.4 Maintaining GVRP

This section describes how to clear the statistics about GARP.

6.4.1 Clearing GARP Statistics

Context

CAUTION

GARP statistics cannot be restored after being cleared. Therefore, use this command with

caution.





160



Procedure

Step 1 Run the reset garp statistics [ interface { interface-type interface-number [ to interface-type

interface-number ] }&<1-10> ] command in the user view to clear statistics about GARP on the

specified interfaces.

----End


This section provides configuration examples of GVRP.

6.5.1 Example for Configuring GVRP


As shown in Figure 6-2, a branch of company A communicates with the headquarters through

Switch A and Switch B. To simplify the configuration, you need to enable GVRP on all switches

of company A and set the registration mode to normal on interfaces of these switches.

Company B communicates with company A through Switch B and Switch C. To configure

switches of company B to transmit packets of only VLANs of company B, you need to enable

GVRP on all switches of company B and set the registration mode to fixed on the interfaces

connected to switches of company A.

Figure 6-2 Networking for configuring GVRP

SwitchA

SwitchB

SwitchC

Branch of

company A

Company A

Company B

XGE0/0/1

XGE0/0/1 XGE0/0/2

XGE0/0/1

XGE0/0/2XGE0/0/2

Company A Company A



1. Enable GVRP globally.

2. Set the link type of interfaces to trunk.

3. Enable GVRP on interfaces.





161



4. Set the registration mode of interfaces.

Data Preparation


l VLANs allowed by interfaces of Switch A, Switch B, and Switch C: all VLANs

l Registration mode of interfaces of Switch A and Switch B: normal

l Registration modes of XGE 0/0/1 and XGE 0/0/2 of Switch C: fixed and normal

respectively

l VLANS of company B on Switch C: VLAN 101 to VLAN 200

Procedure

Step 1 Configure Switch A.

# Enable GVRP globally.<Quidway> system-view


[SwitchA] gvrp

# Set the link type of XGE 0/0/1 and XGE 0/0/2 to trunk and configure the interfaces to allow

all VLANs.



[SwitchA-XGigabitEthernet0/0/1] port trunk allow-pass vlan all




[SwitchA-XGigabitEthernet0/0/2] port trunk allow-pass vlan all


# Enable GVRP on the interfaces and set the registration modes of the interfaces.


[SwitchA-XGigabitEthernet0/0/1] gvrp

[SwitchA-XGigabitEthernet0/0/1] gvrp registration normal

[SwitchA-XGigabitEthernet0/0/1] bpdu enable



[SwitchA-XGigabitEthernet0/0/2] gvrp

[SwitchA-XGigabitEthernet0/0/2] gvrp registration normal



The configuration of Switch B is similar to the configuration of Switch A, and is not mentionedhere.

Step 2 Configure Switch C.

# Create VLAN 101 to VLAN 200.



[SwitchC] vlan batch 101 to 200

# Enable GVRP globally.

[SwitchC] gvrp

# Set the link type of XGE 0/0/1 and XGE 0/0/2 to trunk and configure the interfaces to allowall VLANs.





162




[SwitchC-XGigabitEthernet0/0/1] port link-type trunk

[SwitchC-XGigabitEthernet0/0/1] port trunk allow-pass vlan all




[SwitchC-XGigabitEthernet0/0/2] port trunk allow-pass vlan all[SwitchC-XGigabitEthernet0/0/2] quit

# Enable GVRP on the interfaces and set the registration modes of the interfaces.


[SwitchC-XGigabitEthernet0/0/1] gvrp

[SwitchC-XGigabitEthernet0/0/1] gvrp registration fixed

[SwitchC-XGigabitEthernet0/0/1] bpdu enable



[SwitchC-XGigabitEthernet0/0/2] gvrp

[SwitchC-XGigabitEthernet0/0/2] gvrp registration normal




After the configuration is complete, the branch of company A can communicate with the

headquarters, and users of company A in VLAN 101 to VLAN 200 can communicate with users

in company B.

Run the display gvrp status command on Switch A to check whether GVRP is enabled globally.

The following information is displayed:

<SwitchA> display gvrp status

GVRP is enabled

Run the display gvrp statistics command on Switch A to view statistics about GVRP on GVRP

interfaces, including the GVRP state of each interface, number of GVRP registration failures,source MAC address of the last GVRP PDU, and registration type of each interface.

<SwitchA> display gvrp statistics

GVRP statistics on port XGigabitEthernet0/0/1

GVRP status : Enabled

GVRP registrations failed : 0

GVRP last PDU origin : 0000-0000-0000

GVRP registration type : Normal

Verify the configurations of Switch B and Switch C in the same way.

----End

Configuration Filesl Configuration file of Switch A

#

sysname SwitchA

#

gvrp

#




gvrp

#



port trunk allow-pass vlan 2 to 4094 gvrp





163



#

return

l Configuration file of Switch B

#

sysname SwitchB

# gvrp

#




gvrp

#




gvrp

#

return

l Configuration file of Switch C

#

sysname SwitchC

#

vlan batch 101 to 200

#

gvrp

#




gvrp

gvrp registration fixed

#



port trunk allow-pass vlan 2 to 4094 gvrp

#

return





164



7 MAC Address Table Configuration

About This Chapter

This chapter provides the basics for MAC address table configuration, configuration procedure,

and configuration examples.

7.1 MAC Address Table Overview

This section describes the definition of the MAC address table, how MAC address entries are

generated, and how packets are forwarded based on the MAC address table.

7.2 MAC Address Features Supported by the S6700

This section describes the MAC address features supported by the S6700 and provides usage

scenarios of the features to help you complete configuration tasks quickly and accurately.

7.3 Configuring a Static MAC Address Entry

A static MAC address entry specifies an outbound interface for packets destined for a specified

MAC address. Static MAC address entries protect the S6700 from MAC address attacks.

7.4 Configuring a Blackhole MAC Address Entry

You can conf igure a blackhole MAC address entry so that the S6700 can discard packets with

the specified source or destination MAC address.

7.5 Setting the Aging Time of Dynamic MAC Address Entries

Dynamic MAC address entries are created by the S6700 and can be aged out. Setting a proper

aging time prevents sharp increase of MAC address entries.

7.6 Disabling MAC Address Learning

If a fixed device is connected to an interface, you can disable MAC address learning on the

interface. This prevents other devices from accessing the interface and improves device security.

7.7 Limiting the Number of Learned MAC Addresses

This section describes how to limit the number of MAC addresses learned on an interface or in

a VLAN.

7.8 Configuring Port Security

The port security function prevents devices with untrusted MAC addresses from accessing an

interface. This function is applicable to the networks that require high access security.

7.9 Configuring MAC Address Anti-FlappingThis section describes how to prevent MAC address flapping between interfaces.


Configuration Guide - Ethernet 7 MAC Address Table Configuration



165



7.10 Configuring MAC Address Flapping Detection

This section describes how to configure MAC address flapping detection.

7.11 Configuring the S6700 to Discard Packets with an All-0 MAC Address

You can configure the S6700 to discard packets with an all-0 source or destination MAC address.

7.12 Enabling MAC Address Triggered ARP Entry Update

The MAC address triggered ARP entry update function enables the S6700 to update the

corresponding ARP entry when the outbound interface in a MAC address entry changes.

7.13 Enabling Port Bridge

The port bridge function enables an interface to process packets in which the source and

destination MAC addresses are the same.


This section provides several examples for the configuration of the MAC address table.





166



7.1 MAC Address Table Overview

This section describes the definition of the MAC address table, how MAC address entries are

generated, and how packets are forwarded based on the MAC address table.

Definition

A MAC address table is maintained on theS6700. The MAC address table stores the MAC

addresses of other devices learned by the S6700, the VLAN IDs, and the outbound interfaces

that are used to send data. Before forwarding a data packet, the S6700 searches the MAC address

table based on the destination MAC address and the VLAN ID of the packet to find the outbound

interface quickly. This reduces the number of broadcast packets.

Creation of MAC Address Entries

MAC address entries can be created dynamically or manually.

l Automatic creation: MAC address entries are learned by the system automatically. The

MAC address table needs to be updated constantly because the network topology always

changes. The automatically created MAC address entries are not always valid. Each entry

has an aging time. If an entry is not updated within the aging time, it is deleted. If the entry

is updated before its aging time expires, the aging timer is reset.

l Manual creation: Automatically created MAC address entries cannot distinguish packets

of authorized users from attack packets. If a hacker sets the source MAC address of attack

packets to the MAC address of an authorized user and connects to another interface of the

S6700, the S6700 learns an incorrect MAC address entry. The packets that should be

forwarded to the authorized user are forwarded to the hacker. To improve interface security,you can manually create MAC address entries to bind MAC addresses of authorized users

to specified interfaces. This prevents hackers from intercepting data of authorized users.

Manually created MAC address entries take precedence over automatically created MAC

address entries.

Classification of MAC Address Entries

MAC address entries are classified into the following types:

l Dynamic MAC address entries that are learned by an interface after MAC address learning

is enabled.

l Static MAC address entries that are configured manually. Static MAC address entries take

precedence over dynamic MAC address entries.

l Blackhole MAC address entries that are the manually configured and used to discard data

frames with the specified source or destination MAC addresses. Blackhole MAC address

entries take precedence over dynamic MAC address entries.

Packet Forwarding Based on the MAC Address Table

The S6700 forwards packets based on the MAC address table in either of the following modes:

l Unicast mode: If the destination MAC address of a packet can be found in the MAC address

table, the S6700 forwards the packet through the outbound interface specified in thematching entry.





167



l Broadcast mode: If a packet is a broadcast or multicast packet or its destination MAC

address cannot be found in the MAC address table, the S6700 broadcasts the packet to all

the interfaces except the inbound interface of the packet.

7.2 MAC Address Features Supported by the S6700This section describes the MAC address features supported by the S6700 and provides usage

scenarios of the features to help you complete configuration tasks quickly and accurately.

You can configure the following MAC address features to improve device security and control

the number of entries in the MAC address table:

l Create static MAC address entries for MAC addresses of fixed upstream devices or trusted

user devices to improve communication security.

l Configure blackhole MAC address entries to protect the S6700 from attacks.

l Set a proper aging time for dynamic MAC addresses to prevent sharp increase of dynamic

MAC address entries.

You can use the following methods to improve security or meet special requirements:

l Disable MAC address learning. This method can be used on a network where the topology

seldom changes or forwarding paths are specified in static MAC address entries. This

method prevents users with unknown MAC addresses from accessing the network, protects

the network from MAC address attacks, and improves network security.

l Limit the number of MAC addresses that can be learned. This method can be used on an

insecure network to prevent untrusted users from connecting to the network.

l Enable port security. If a network requires high security, port security can be configured

on the interfaces connected to trusted devices. The port security function prevents devices

with untrusted MAC addresses from accessing these interfaces and improves devicesecurity.

l Configure MAC address anti-flapping. If an interface is connected to a trusted upstream

device or server, you can set a high MAC address learning priority for the interface. The

MAC address learned by the interface will not be overridden by an entry learned by another

interface. This protects the S6700 from MAC address attacks.

l Configure MAC address flapping detection. This function reduces impact of loops on the

S6700.

l Discard packets with an all-0 MAC address. A faulty device may send packets with an all-0

source or destination MAC address to the S6700. You can configure the S6700 to discard

such packets and send a trap to the network management system (NMS). You can locate

the faulty device according to the trap message.l Enable MAC address triggered ARP entry update. This function enables the S6700 to

update the corresponding ARP entry when the outbound interface in a MAC address entry

changes.

l Enable port bridge. This function enables an interface to process packets in which the source

and destination MAC addresses are the same. It can be configured on an S6700 connected

to a device without Layer 2 forwarding capability or an S6700 functioning as an access

device in a data center.

Disabling MAC Address Learning

When an S6700 enabled with MAC address learning receives an Ethernet frame, it records thesource MAC address and inbound interface of the Ethernet frame in a MAC address entry. When





168



receiving other Ethernet frames destined for this MAC address, the S6700 forwards the frames

through the corresponding outbound interface according to the MAC address entry. The MAC

address learning function reduces broadcast packets on a network.

After MAC address learning is disabled on an interface, the S6700 does not learn source MAC

addresses of packets received by the interface.

Limiting the Number of Learned MAC Addresses

The S6700 can limit the number of MAC addresses learned on an interfaceor a VLAN. When

the number of learned MAC address entries reaches the limit, the S6700 stops learning MAC

addresses. When the S6700 receives packets with unknown source MAC addresses, it generates

an alarm to alert you if it is configured to do so. This method controls the number of access users

flexibly and protects user devices and the network from MAC address attacks.

Port Security

The port security function changes MAC addresses learned by an interface to secure dynamic

MAC addresses or sticky MAC addresses. It prevents devices with untrusted MAC addresses

from accessing an interface and improves device security.

Differences between secure dynamic MAC addresses and sticky MAC addresses are:

l Secure dynamic MAC addresses are learned after port security is enabled and will not be

aged out by default. You can set the aging time of secure dynamic MAC addresses so that

they can be aged out. Secure dynamic MAC addresses will be lost after the device restarts

and the device needs to learn the MAC addresses again.

l Sticky MAC addresses are learned after the sticky MAC function is enabled. Sticky MAC

addresses will not be aged out and will exist after the S6700 restarts.

MAC Address Anti-flapping

MAC address flapping occurs on a network when the network has a loop or is attacked. To

prevent MAC address flapping, you can set MAC address learning priorities for interfaces so

that MAC addresses can be learned by correct interfaces. When the same MAC address is learned

by interfaces with different priorities, the MAC address entry learned by the interface with the

highest priority overrides the MAC address entries learned by other interfaces. You can also

determine whether to allow MAC address flapping between interfaces with the same priority.

MAC Address Flapping Detection

MAC address flapping occurs on a network when the network has a loop or is attacked. The

S6700 can detect MAC address flapping and perform a specified action, for example, block the

interface, to minimize impact of MAC address flapping on the network. You can also configure

the S6700 only to send trap messages to the network management system when the S6700 detects

MAC address flapping.

7.3 Configuring a Static MAC Address Entry

A static MAC address entry specifies an outbound interface for packets destined for a specifiedMAC address. Static MAC address entries protect the S6700 from MAC address attacks.





169




You can configure a static MAC address entry if an interface is connected to an upstream device

or a server, as shown in Figure 7-1. Attackers may set the source MAC address of packets to

the server MAC address and send the packets to the Switch to intercept data of the server. To

protect the server and ensure communication between users and the server, you can configure a

static MAC address entry in which the destination MAC address is the server MAC address and

the outbound interface is the interface connected to the server.

Figure 7-1 Networking diagram of static MAC address entry configurations

Network Server

Switch

VLAN2

VLAN4LSW

PC1 PC2


None.

Data Preparation

To configure a static MAC address entry, you need the following data.

No. Data

1 Destination MAC address, destination outbound interface number and ID of the

VLAN which the outbound interface belongs to

Procedure

Step 1 Run:

system-view






170



Step 2 Run:

mac-address static mac-address interface-type interface-number vlan vlan-id1

A static MAC address entry is configured.

NOTE

Static MAC address entries take precedence over dynamic MAC address entries.

----End

Checking the Configuration

Run the display mac-address static [ vlan vlan-id | interface-type interface-number ] *

[ verbose ] command to view static MAC address entries.

7.4 Configuring a Blackhole MAC Address EntryYou can configure a blackhole MAC address entry so that the S6700 can discard packets with

the specified source or destination MAC address.


To protect user devices or network devices from MAC address attacks, you can configure

untrusted MAC addresses as blackhole MAC addresses. Packets with source or destination MAC

addresses matching the blackhole MAC address entries are discarded.


None.

Data Preparation

To configure a blackhole MAC address entry, you need the following data.

No. Data

1 Destination or source MAC address and ID of VLAN to which the outbound interface

belongs to

Procedure

Step 1 Run:

system-view


Step 2 Run:

mac-address blackhole mac-address [ vlan vlan-id ]

A blackhole MAC address entry is configured.

----End





171




Run the display mac-address blackhole [ vlan vlan-id ] [ verbose ] command to view blackhole

MAC address entries.

7.5 Setting the Aging Time of Dynamic MAC AddressEntries

Dynamic MAC address entries are created by the S6700 and can be aged out. Setting a proper

aging time prevents sharp increase of MAC address entries.


Dynamical MAC address entries are learned by the S6700 from source MAC addresses of

received packets. The system starts an aging timer for dynamic MAC address entry. If a dynamicMAC address entry is not updated within a certain period (twice the aging time), this entry is

deleted. If the entry is updated within this period, the aging timer of this entry is reset. A shorter

aging time enables the S6700 to respond to network topology changes more quickly.

The network topology changes frequently, and the S6700 will learn many MAC addresses. After

the aging time of dynamic MAC address entries is set, the S6700 can delete unneeded MAC

address entries to prevent sharp increase of MAC address entries.


None.

Data Preparation

To set the aging time of dynamic MAC address entries, you need the following data.

No. Data

1 Aging time


system-view


Step 2 Run:

mac-address aging-time aging-time

The aging time of dynamic MAC address entries is set.

By default, the aging time of dynamic MAC address entries is 300 seconds.

----End





172





No. Data

1 Interface type and number

2 VLAN ID

7.6.2 Disabling MAC Address Learning on an Interface

Disabling MAC address learning on an interface can improve security of the device connected

to the interface.

Context

When an S6700 enabled with MAC address learning receives an Ethernet frame, it records the

source MAC address and inbound interface of the Ethernet frame in a MAC address entry. When

receiving other Ethernet frames destined for this MAC address, the S6700 forwards the frames

through the corresponding outbound interface according to the MAC address entry. The MAC

address learning function reduces broadcast packets on a network. After MAC address learning

is disabled on an interface, the S6700 does not learn source MAC addresses of packets received

by the interface.

Procedure

Step 1 Run:

system-view


Step 2 Run:



Step 3 Run:

mac-address learning disable [ action { discard | forward } ]

MAC address learning is disabled on the interface.

By default, MAC address learning is enabled on an interface.

You can configure an action for the S6700 to perform when a packet with an unknown MAC

address is received on the interface. By default, the S6700 forwards such packets based on the

MAC address table. When the action is set to discard, the S6700 searches for the source MAC

address of the packet in the MAC address table. If the source MAC address is found in the MAC

address table, the S6700 forwards the packet according to the MAC address entry. If the source

MAC address is not found, the S6700 discards the packet.

NOTE

If you set the action to forward when disabling MAC address learning, untrusted terminals can still access

the network. This action only controls the number of learned MAC address entries.

----End





174



7.6.3 Disabling MAC Address Learning in a VLAN

Disabling MAC address learning in a VLAN can protect users in this VLAN from MAC address

attacks.

Context

After MAC address learning is disabled in a VLAN, the S6700 checks source MAC addresses

of packets received by interfaces in the VLAN. If the source MAC address of a packet is in the

MAC address table, the S6700 forwards the packet; otherwise, the S6700 broadcasts the packet.

Procedure

Step 1 Run:

system-view


Step 2 Run:

vlan vlan-id


Step 3 Run:

mac-address learning disable

MAC address learning is disabled in the VLAN.

By default, MAC address learning is enabled in a VLAN.

----End


After disabling MAC address learning on an interface or in a VLAN, use the following

commands to verify the configuration.

Procedure


command to view the current configuration of an interface.

l Run the display vlan command to check the VLAN configuration.

----End

7.7 Limiting the Number of Learned MAC AddressesThis section describes how to limit the number of MAC addresses learned on an interface or in

a VLAN.


Before limiting the number of learned MAC addresses, familiarize yourself with the applicable

environment, complete the pre-configuration tasks, and obtain the data required for theconfiguration. This will help you complete the configuration task quickly and accurately.





175





7.7.2 Limiting the Number of MAC Addresses Learned on anInterface

A limit can be set for the number of MAC addresses learned on an interface to control the number

of access users on the interface. When the number of learned MAC addresses on the interface

reaches the limit, the S6700 stops learning MAC addresses on this interface. When the interface

receives packets with unknown source MAC addresses, it can be configured to generate an alarm.

This protects the network from MAC address attacks.

Context

The MAC address limiting rule applies to all MAC addresses, including trusted MAC addresses.

If a user from an enterprise or a family uses bogus MAC addresses to attack the network, users

in the enterprise or family are not allowed to access the network, but other users on the network

are not affected.

Procedure

Step 1 Run:

system-view


Step 2 Run:



Step 3 Run:

mac-limit maximum max-num

The maximum number of MAC addresses learned on the interface is set.

By default, the number of MAC addresses learned on an interface is not limited.

Step 4 Run:

mac-limit alarm { disable | enable }

The S6700 is configured to (or not to) send a trap to the NMS when the number of learned MAC

addresses reaches the limit.

By default, the S6700 sends a trap to the NMS when the number of learned MAC addresses

reaches the limit.

----End

7.7.3 Limiting the Number of MAC Addresses Learned in a VLAN

A limit can be set for the number of MAC addresses learned in a VLAN to control the number

of users in the VLAN. When the number of learned MAC addresses in the VLAN reaches the

limit, the S6700 stops learning MAC addresses in this VLAN. When the interface receives

packets with unknown source MAC addresses, it can be configured to generate an alarm. This protects the network from MAC address attacks.





177



Context

The MAC address limiting rule applies to all MAC addresses, including trusted MAC addresses.

If a user from an enterprise or a family uses bogus MAC addresses to attack the network, users

in the enterprise or family are not allowed to access the network, but other users on the network

are not affected.

Procedure

Step 1 Run:

system-view


Step 2 Run:

vlan vlan-id


Step 3 Run:

mac-limit maximum max-num

The maximum number of MAC addresses learned in the VLAN is set.

By default, the number of MAC addresses learned in a VLAN is not limited.

Step 4 Run:

mac-limit alarm { disable | enable }

The S6700 is configured to (or not to) send a trap to the NMS when the number of learned MAC


By default, the S6700 sends a trap to the NMS when the number of learned MAC addresses

reaches the limit.

----End


After completing the configuration of MAC address limiting, use the following command to

verify the configuration.

Procedure

Step 1 Run the display mac-limit [ interface-type interface-number | vlan vlan-id ] command to view

the MAC address limiting rule.

----End

7.8 Configuring Port Security

The port security function prevents devices with untrusted MAC addresses from accessing an

interface. This function is applicable to the networks that require high access security.





178




The port security function changes MAC addresses learned by an interface to secure dynamic

MAC addresses or sticky MAC addresses. It prevents devices with untrusted MAC addresses

from accessing an interface and improves device security.


If a network requires high access security, you can configure port security on specified interfaces.

MAC addresses learned by these interfaces change to secure dynamic MAC addresses or sticky

MAC addresses. When the number of learned MAC addresses reaches the limit, the interface

does not learn new MAC addresses and allows only the devices with the learned MAC addresses

to communicate with the S6700. This prevents devices with untrusted MAC addresses from

accessing these interfaces, improving security of the S6700 and the network.


Before configuring port security on an interface, complete the following tasks:

l Disabling MAC address limiting on the interface

l Disabling MUX VLAN on the interface

l Disabling MAC address authentication on the interface

l Disabling 802.1x authentication on the interface

l Disabling MAC address security for DHCP snooping on the interface

Data Preparation

To configure port security on an interface, you need the following data.

No. Data

1 Secure dynamic MAC: interface type and number, limit on the number of learned

MAC addresses, action to perform when the limit is exceeded, and aging time of

secure dynamic MAC addresses

2 Sticky MAC: interface type and number, limit on the number of learned MAC

addresses, and action to perform when the limit is exceeded

7.8.2 Configuring the Secure Dynamic MAC Function on anInterface

After port security is enabled on an interface, MAC addresses learned by the interface change

to secure dynamic MAC addresses. When the number of secure dynamic MAC addresses reaches

the limit, the interface does not learn new MAC addresses and allows only the devices with the

learned MAC addresses to communicate with the S6700. You can configure a protection action

for the S6700 to perform when it receives a packet with a new source MAC address.





179



Context

By default, secure dynamic MAC addresses will not be aged out. You can set the aging time of

secure dynamic MAC addresses so that they can be aged out. Secure dynamic MAC addresses

will be lost after the device restarts and the device needs to learn the MAC addresses again.

Procedure

Step 1 Run:

system-view


Step 2 Run:



Step 3 Run:

port-security enable

Port security is enabled.

By default, port security is disabled on an interface.

NOTE

You can set the limit on the number of secure dynamic MAC addresses, aging time of secure dynamic

MAC addresses, and protection action only when port security is enabled.


port-security max-mac-num max-number

The limit on the number of secure dynamic MAC addresses is set.

By default, the limit on the number of secure dynamic MAC addresses is 1.


port-security protect-action { protect | restrict | shutdown }

The protection action is configured.

The default action is restrict.

l protect: discards packets with new source MAC addresses when the number of learned MAC

addresses reaches the limit.l restrict: discards packets with new source MAC addresses and sends a trap message when

the number of learned MAC addresses exceeds the limit.

l shutdown: shuts down the interface when the number of learned MAC addresses exceeds

the limit.


port-security aging-time time [ type { absolute | inactivity } ]

The aging time of secure dynamic MAC addresses is set.

By default, secure dynamic MAC addresses will not be aged out.

----End





180



7.8.3 Configuring the Sticky MAC Function on an Interface

After the sticky MAC function is enabled on an interface, MAC addresses learned by the

interface change to sticky MAC addresses. When the number of sticky MAC addresses reaches

the limit, the interface does not learn new MAC addresses and allows only the devices with thelearned MAC addresses to communicate with the S6700. You can configure a protection action

for the S6700 to perform when it receives a packet with a new source MAC address.

Context

The sticky MAC function changes MAC addresses learned by an interface to sticky MAC

addresses. Sticky MAC addresses will not be aged out and will exist after the S6700 restarts.

Procedure

Step 1 Run:

system-view


Step 2 Run:



Step 3 Run:


Port security is enabled.

By default, port security is disabled on an interface.

Step 4 Run:

port-security mac-address sticky

The sticky MAC function is enabled on the interface.

By default, the sticky MAC function is disabled on an interface.


port-security max-mac-num max-number

The limit on the number of sticky MAC addresses is set.

By default, the limit on the number of sticky MAC addresses is 1.


port-security protect-action { protect | restrict | shutdown }

The protection action is configured.

The default action is restrict.

l protect: discards packets with new source MAC addresses when the number of learned MAC


l

restrict: discards packets with new source MAC addresses and sends a trap message whenthe number of learned MAC addresses exceeds the limit.





181



l shutdown: shuts down the interface when the number of learned MAC addresses exceeds

the limit.


port-security mac-address sticky mac-address vlan vlan-id

A sticky MAC address entry is configured.

----End


After completing the configuration of port security, you can verify the configuration and view

secure dynamic MAC address entries or sticky MAC address entries.

Procedure


command to view the current configuration of an interface.

l Run the display mac-address sticky [ vlan vlan-id | interface-type interface-number ] *

[ verbose ] command to view sticky MAC address entries.

l Run the display mac-address security [ vlan vlan-id | interface-type interface-number ]* [ verbose ] command to view secure dynamic MAC address entries.

----End

7.9 Configuring MAC Address Anti-Flapping

This section describes how to prevent MAC address flapping between interfaces.


Before configuring MAC address anti-flapping, familiarize yourself with the applicable




As shown in Figure 7-4, an interface of the Switch is connected to a server. To prevent

unauthorized users from using the server MAC address to intercept data of the server, you canset a high MAC address learning priority on the interface. When the same MAC address is

learned by the server-side interface and other interfaces, the entry learned by the server-side

interface overrides the MAC address entries learned by other interfaces. Therefore, the Switch

will not learn MAC addresses of unauthorized users and only authorized users can access the

server and use network resources.





182



Figure 7-4 Networking diagram for MAC address anti-flapping

Switch

Server

MAC:11-22-33

MAC:11-22-33


None.

Data Preparation

To configure MAC address anti-flapping, you need the following data.

No. Data1 (Optional) MAC address learning priority of each interface

7.9.2 Setting the MAC Address Learning Priority of an Interface

To prevent MAC address flapping, set different MAC address learning priorities for interfaces.

When interfaces learn the same MAC address, the MAC address entry learned by the interface

with the highest priority overrides the MAC address entries learned by the other interfaces.

Context

Setting different MAC address learning priorities for interface prevents MAC address flapping.

If an attacker uses the MAC address of an unauthorized network device to connect to the

S6700 after the network device is powered off, the S6700 learns the bogus MAC address. After

the network device is powered on, the S6700 can learn the correct MAC address entry.

Procedure

Step 1 Run:

system-view






183





7.10 Configuring MAC Address Flapping Detection

This section describes how to configure MAC address flapping detection.


Before configuring MAC address flapping detection, familiarize yourself with the applicable




As shown in Figure 7-5, a loop occurs on the network, which will cause MAC address flapping.

After MAC address flapping detection is configured in a VLAN, the Switch checks all MACaddresses in the VLAN to detect MAC address flapping.

The Switch checks whether a MAC address moves from one interface to another in the VLAN.

If MAC address flapping occurs, it performs the configured action, for example, blocks the

interface to remove the loop. This function reduces MAC address flapping caused by loops and

broadcast storms. You can also configure the Switch only to send trap messages to the network

management system when the S6700 detects MAC address flapping.

Figure 7-5 Networking diagram for MAC address flapping detection

Switch


None.

Data Preparation

To configure MAC flapping detection, you need the following data.





185





unblocks the interface and starts detection. If MAC address flapping is detected again within 20

seconds, the system blocks the interface. This process repeats for a specified number of times.

If MAC address flapping persists, the interface is permanently blocked.

Procedure

Step 1 Run:

system-view


Step 2 Run:

reset loop-detect eth-loop vlan vlan-id { all | interface { interface-type

interface-number } | mac-address mac-address }

The specified interface or MAC address is unblocked.

Before using the reset loop-detect eth-loop command, run the display loop-detect eth-loopcommand to check the blocked interface or MAC address.

----End


After configuring MAC address flapping detection, use the following commands to verify the

configuration and view information about permanent interfaces and MAC addresses.

Procedure

Step 1 Run the display loop-detect eth-loop [ vlan vlan-id ] command to check information aboutMAC address flapping detection on a VLAN.

----End

7.11 Configuring the S6700 to Discard Packets with an All-0MAC Address

You can configure the S6700 to discard packets with an all-0 source or destination MAC address.


A faulty network device may send packets with an all-0 source or destination MAC address to

the S6700. You can configure the S6700 to discard such packets and send a trap to the network

management system (NMS). You can locate the faulty device according to the trap message.


l Powering on the S6700 and ensuring that it functions properly

Data Preparation

None.





187



Procedure

Step 1 Run:

system-view


Step 2 Run:

drop illegal-mac enable

The S6700 is configured to discard packets with an all-0 MAC address.

By default, the S6700 does not discard packets with an all-0 MAC address.


drop illegal-mac alarm

The S6700 is configured to send a trap to the NMS when receiving packets with an all-0 MAC

address.

By default, the S6700 does not send a trap to the NMS when receiving packets with an all-0

MAC address.

NOTE

The S6700 sends only one trap after receiving packets with an all-0 MAC address. To enable the S6700 to

send a trap again, run the drop illegal-mac alarm command.

----End


Run the display current-configuration command to check whether the S6700 is configured to

discard the packets with an all-0 MAC address.

7.12 Enabling MAC Address Triggered ARP Entry Update

The MAC address triggered ARP entry update function enables the S6700 to update the

corresponding ARP entry when the outbound interface in a MAC address entry changes.


Each network device uses an IP address to communicate with other devices. On an Ethernet

network, a device sends and receives Ethernet data frames based on MAC addresses. The ARP

protocol maps IP addresses to MAC addresses. When a device communicates with a device on

a different network segment, it finds the MAC address and outbound interface of a packet

according to the corresponding ARP entry.

If a user host moves from one interface to another, the MAC address of the host is learned by

the new interface, so the outbound interface mapping the MAC address changes. The

corresponding ARP entry, however, is updated until the aging time expires. Before the ARP

entry aging time expires, the device sends data frames based on the original ARP entry. This

causes data frame loss. The MAC address triggered ARP entry update function enables the

S6700 to update the corresponding ARP entry when the outbound interface in a MAC addressentry changes.





188




None.

Data Preparation None.

Procedure

Step 1 Run:

system-view


Step 2 Run:

mac-address update arp

The MAC address triggered ARP entry update function is enabled.

By default, the S6700 does not update the corresponding ARP entry when the outbound interface

in a MAC address entry changes.

NOTE

l This command takes effect only for dynamic ARP entries. Static ARP entries are not updated when

the corresponding MAC address entries change.

l The mac-address update arp command does not take effect after ARP anti-spoofing is enabled by

using the arp anti-attack entry-check enable command.

l After the mac-address update arp command is run, the S6700 updates an ARP entry only if the

outbound interface in the corresponding MAC address entry changes.

----End


Run the display current-configuration command to check whether the MAC address triggered

ARP entry update function is enabled.

7.13 Enabling Port Bridge

The port bridge function enables an interface to process packets in which the source anddestination MAC addresses are the same.


The port bridge function is used in the following scenarios:

l The S6700 connects to a device that does not support Layer 2 forwarding. When users

connected to this device communicate with each other, user packets are sent to the S6700

and forwarded by the S6700. In this scenario, the port bridge function must be enabled.

l The S6700 is used as an access switch in a data center and is connected to servers. Each

server is configured with multiple virtual machines. The virtual machines need to transmitdata to each other. To improve the data transmission rate and server performance, enable





189



the port bridge functions on the interfaces connected to the servers so that the S6700

forwards data packets between the virtual machines.


None.

Data Preparation

None.

Background Information

By default, an interface does not forward frames whose source and destination MAC addresses

are both learned by this interface. When the interface receives such a frame, it discards the frame

as an invalid frame. After the port bridge function is enabled on the interface, the interface

forwards such a frame if the destination MAC address of the frame is in the MAC address table.

Procedure

Step 1 Run:

system-view


Step 2 Run:



Step 3 Run: port bridge enable

The port bridge function is enabled.

By default, the port bridge function is disabled on an interface.

----End


Run the display current-configuration command to check whether the port bridge function is

enabled.

7.14 Configuration ExamplesThis section provides several examples for the configuration of the MAC address table.

7.14.1 Example for Configuring the MAC Address Table


As shown in Figure 7-6, the MAC address of the user host PC1 is 0002-0002-0002 and the MACaddress of the user host PC2 is 0003-0003-0003. PC1 and PC2 are connected to the Switch





190



through the LSW. The LSW is connected to XGE 0/0/1 of the Switch. Interface XGE 0/0/1

belongs to VLAN 2. The MAC address of the server is 0004-0004-0004. The server is connected

to XGE 0/0/2 of the Switch. Interface XGE 0/0/2 belongs to VLAN 2.

l To prevent hackers from attacking the network with MAC addresses, you need to add a

static entry to the MAC table of the Switch for each user host. When sending packetsthrough XGE 0/0/1, the Switch changes the VLAN ID to VLAN 4 to which the LSW

belongs. In addition, you need to set the aging time of the dynamic entries in the MAC

address table to 500 seconds.

l To prevent hackers from forging the MAC address of the server and stealing user

information, you can configure the packet forwarding based on static MAC address entries

on the Switch.

Figure 7-6 Networking diagram for configuring the MAC address table

Network

Switch

Server

PC1 PC 2

MAC address: 2 -2 -2 MAC address: 3 -3 -3

VLAN4LSW

XGE0/0/1

XGE0/0/2

VLAN2

MAC address: 4-4-4



1. Create a VLAN and add interfaces to the VLAN.

2. Add static MAC address entries.

3. Set the aging time of dynamic MAC address entries.

Data Preparation


l MAC address of PC1: 0002-0002-0002

l MAC address of PC2: 0003-0003-0003

l MAC address of the server: 0004-0004-0004

l VLAN to which the Switch belongs: VLAN 2

l Interface connecting the Switch to the LSW: XGE 0/0/1

l Interface connecting the Switch to the server: XGE 0/0/2





191



l VLAN ID required to be changed to when the Switch sends packets through the outgoing

interface: VLAN 4

l Aging time of dynamic entries in the MAC address table of the Switch: 500 seconds

Procedure

Step 1 Add static MAC address entries.

# Create VLAN 2; add XGE 0/0/1 0/0/2 to VLAN 2; configure VLAN mapping on XGE 0/0/1.


[Quidway] vlan 2






[Quidway-XGigabitEthernet0/0/1] port vlan-mapping vlan 4 map-vlan 2


[Quidway] interface xgigabitethernet 0/0/2[Quidway-XGigabitEthernet0/0/2] port hybrid pvid vlan 2



# Configure static MAC address entries.

[Quidway] mac-address static 2-2-2 xgigabitethernet 0/0/1 vlan 2



Step 2 Set the aging time of dynamic MAC address entries.

[Quidway] mac-address aging-time 500


# Run the display mac-address static command in any view. You can check whether the static

MAC address entries are successfully added.

[Quidway] display mac-address static vlan 2

-------------------------------------------------------------------------------

MAC Address VLAN/VSI Learned-From Type

-------------------------------------------------------------------------------

0002-0002-0002 2/- XGE0/0/1 static

0003-0003-0003 2/- XGE0/0/1 static

0004-0004-0004 2/- XGE0/0/2 static

-------------------------------------------------------------------------------

Total items displayed = 3

# Run the display mac-address aging-time command in any view. You can check whether theaging time of dynamic entries is set successfully.

[Quidway] display mac-address aging-time

Aging time: 500 seconds

----End

Configuration Files


#

sysname Quidway

# vlan batch 2





192



#

mac-address aging-time 500

#




qinq vlan-translation enableport vlan-mapping vlan 4 map-vlan 2

#




#

mac-address static 0002-0002-0002 XGigabitEthernet0/0/1 vlan 2



#

return

7.14.2 Example for Configuring the Limitation on MAC Address

Learning Based on VLANs


As shown in Figure 7-7, user network 1 is connected to XGE 0/0/1 on the Switch through an

LSW. User network 2 is connected to XGE 0/0/2 on the Switch through another LSW. XGE

0/0/1 and XGE 0/0/2 belong to VLAN 2. To prevent MAC address attacks and control the number

of access users, you need to limit the MAC address learning in VLAN 2.

Figure 7-7 Networking diagram for configuring the limitation on MAC address learning based

on VLAN

Network

User

network 1

User

network 2VLAN 2

XGE0/0/1 XGE0/0/2

Switch

LSW LSW





193






2. Configure the limitation on MAC address learning based on VLANs.

Data Preparation


l VLAN to which the interfaces belong: VLAN 2

l User interfaces: XGE 0/0/1 and XGE 0/0/2

l Maximum number of learned MAC addresses: 100

ProcedureStep 1 Configure the limitation on MAC address learning.



[Quidway] vlan 2










# Configure the rule of limiting MAC address learning in VLAN 2: A maximum of 100 MAC

addresses can be learned; packets are still forwarded and an alarm is generated when the number

of learned MAC addresses reaches the limit, but new MAC addresses are not added to the MAC

address table.

[Quidway] vlan 2

[Quidway-vlan2] mac-limit maximum 100 alarm enable



# Run the display mac-limit command in any view. You can check whether the rule of limiting

MAC address learning is successfully configured.

<Quidway> display mac-limit

MAC Limit is enabled

Total MAC Limit rule count : 1

PORT VLAN/VSI/SI SLOT Maximum Rate(ms) Action Alarm

----------------------------------------------------------------------------

- 2 - 100 - forward enable

----End

Configuration Files






194



#

sysname Quidway

#

vlan batch 2

#

vlan 2

mac-limit maximum 100#




#




#

return

7.14.3 Example for Configuring Interface Security


As shown in Figure 7-8, a company wants to prevent the computers of non-employees from

accessing the intranet of the company to protect information security. To achieve this goal, the

company needs to enable the sticky MAC function on the interface connected to computers of

employees and set the maximum number of MAC addresses learned by the interface to be the

same as the number of trusted computers.

Figure 7-8 Networking diagram of interface security configuration

Switch

SwitchA

Internet

PC1 PC2 PC3

VLAN 10

XGE0/0/1







195



1. Create a VLAN and set the link type of the interface to trunk.

2. Enable the interface security function.

3. Enable the sticky MAC function on the interface.

4. Configure the security protection action on the interface.

5. Set the maximum number of MAC addresses that can be learned by the interface.

Data Preparation


l VLAN allowed by the interface

l Type and number of the interface connected to computers of employees

l Security protection action

l Maximum number of MAC addresses learned by the interface

Procedure

Step 1 Create a VLAN and set the link type of the interface to trunk.


[Quidway] vlan 10





Step 2 Configure the interface security function.

# Enable the interface security function.

[Quidway-XGigabitEthernet0/0/1] port-security enable

Enable the sticky MAC function.

[Quidway-XGigabitEthernet0/0/1] port-security mac-address sticky

# Configure the security protection action.

[Quidway-XGigabitEthernet0/0/1] port-security protect-action protect

# Set the maximum number of MAC addresses that can be learned by the interface.

[Quidway-XGigabitEthernet0/0/1] port-security max-mac-num 4

To enable the interface security function on other interfaces, repeat the preceding steps.Step 3 Verify the configuration.

If PC1 is replaced by another PC, this PC cannot access the intranet of the company.

----End

Configuration Files


#

sysname Quidway

# vlan batch 10





196



#





port-security protect-action protect

port-security mac-address sticky port-security max-mac-num 4

#

return

7.14.4 Example for Configuring MAC Address Anti-Flapping

The MAC address anti-flapping function protects servers of an enterprise or VIP customers from

attacks.


As shown in Figure 7-9, employees of an enterprise need to access the server connected to a

Switch interface. If an attacker uses the server MAC address as the source MAC address to send

packets to another interface, the server MAC address is learned on the interface. Employees

cannot access the server, and important data will be intercepted by the attacker.

MAC address anti-flapping can be configured to protect the server from attacks.

Figure 7-9 Networking diagram for MAC address anti-flapping

LSW

Server

XGE0/0/1

PC1

PC4

PC2 PC3

VLAN10

VLAN 10

Switch

XGE0/0/2

MAC:11-22-33

MAC:11-22-33








197



2. Configure MAC address anti-flapping on the server-side interface.

Data Preparation


l VLAN that the server-side and user-side interfaces belong to: VLAN 10

l Server-side interface: XGigabitEthernet0/0/1

l User-side interface: XGigabitEthernet0/0/2

l MAC address learning priority of the server-side interface: 2

Procedure

Step 1 Create a VLAN and add interfaces to the VLAN.

# Add XGigabitEthernet0/0/1 and XGigabitEthernet0/0/2 to VLAN 10.


[Quidway] vlan 10

[Quidway–vlan10] quit








Step 2 Configure MAC anti-flapping.

# Set the MAC address learning priority of XGigabitEthernet0/0/1 to 2.

[Quidway-XGigabitEthernet0/0/1] mac-learning priority 2


# Run the display current-configuration command in any view to check whether the MAC

address learning priority of XGigabitEthernet0/0/1 is set correctly.

<Quidway> display current-configuration

#




mac-learning priority 2

#

return

----End

Configuration Files


#

sysname Quidway

#

vlan batch 10

#



port hybrid untagged vlan 10 mac-learning priority 2





198



#




#

return





199



8 STP/RSTP Configuration

About This Chapter

The Spanning Tree Protocol (STP) trims a ring network into a loop-free tree network. It prevents

replication and circular propagation of packets, provides multiple redundant paths for Virtual

LAN (VLAN) data traffic, and enables load balancing. The Rapid Spanning Tree Protocol

(RSTP) develops rapid convergence and introduces the edge port and its protection function

based on STP.

8.1 STP/RSTP Overview

STP is a management protocol on the data link layer. It is used to block redundant links on the

Layer 2 network and trim a network into a loop-free tree. RSTP is a refinement of STP andintroduces ra pid convergence of the network topology.

8.2 Configuring Basic STP/RSTP Functions

STP/RSTP is used to block redundant links on the Layer 2 network and trim a network into a

loop-free tree topology.

8.3 Configuring STP/RSTP Parameters on an Interface

A feedback mechanism is provided to confirm topology convergence. Thus, rapid convergence

is implemented for RSTP.

8.4 Configuring RSTP Protection Functions

RSTP protection functions are as follows, and you can configure one or more functions as

required.

8.5 Configuring STP/RSTP Interoperability Between Huawei Devices and Non-Huawei Devices

To supports STP/RSTP interoperability between Huawei devices and non-Huawei devices,

proper parameters are required on Huawei devices running STP/RSTP to ensure nonstop

communication.

8.6 Maintaining STP/RSTP

STP/RSTP maintenance includes resetting STP/RSTP statistics.


This section shows typical usage scenarios of STP/RSTP by describing networking

requirements, configuration roadmap, and data preparation, and provides related configuration

files.


Configuration Guide - Ethernet 8 STP/RSTP Configuration



200



8.1 STP/RSTP Overview

STP is a management protocol on the data link layer. It is used to block redundant links on the

Layer 2 network and trim a network into a loop-free tree. RSTP is a refinement of STP and

introduces rapid convergence of the network topology.

8.1.1 STP/RSTP Overview



Introduction

On a complex network, loops are inevitable. With the requirement for network redundancy

backup, network designers tend to deploy multiple physical links between two devices, one of

which is the master and the others are the backup. Loops are likely or bound to occur in such a

situation.

Loops will cause broadcast storms, thereby exhausting network resources and paralyzing the

network. Loops also cause flapping of MAC address tables and thus damages MAC address

entries.

The devices running STP discover loops on the network by exchanging information with each

other and trim the ring topology into a loop-free tree topology by blocking a certain interface.

In this manner, replication and circular propagation of packets are prevented on the network. In

addition, it is prevented that the processing performance of devices is degraded when

continuously processing repeated packets.

STP, however, converges the network topology slowly. In 2001, the IEEE published document

802.1w to introduce an evolution of the Spanning Tree Protocol: Rapid Spanning Tree Protocol

(RSTP). RSTP is developed based on STP but outperforms STP.

Concepts

l Root bridge

A tree topology must have a root. Therefore, the root bridge is introduced by STP/RSTP.

There is only one root bridge on the entire STP/RSTP-capable network. The root bridge is

the logical center but is unnecessarily the physical center of the entire network. The root

bridge may be served by another switching device along with the network topology change.

l ID

There are Bridge IDs (BIDs) and port IDs (PIDs).

– BID

IEEE 802.1D defines that a BID is composed of a 2-bit bridge priority and a bridge

MAC address. That is, BID (8 bits) = Bridge priority (2 bits) + Bridge MAC address (6

bits).

On the STP-capable network, the device with the smallest BID is selected as the root

bridge. The bridge priority that is allowed to be configured on a Huawei device ranges

from 0 to 61440. By default, the bridge priority is 32768.

– PID





201



A 16-bit PID is composed of a 4-bit port priority and a 12-bit port number.

The PID is used when the designated port needs to be selected. That is, when the root

path costs and the sender BIDs of two ports are the same, the port with a smaller PID

is selected as the designated port. As shown in Figure 8-1, the root path costs and sender

BIDs of port A and port B on S2 are the same. Port A has a smaller PID, and is thusselected as the designated port on the local segment. The port priority that can be

configured on a Huawei device ranges from 0 to 240, with the step 16. That is, the port

priority can be 0, 16, or 32. By default, the port priority is 128.

l Path cost

A path cost is port-specific, which is used by STP/RSTP as a reference to select a link.

STP/RSTP calculates the path cost to select the robust link and blocks redundant links to

trim the network into a loop-free tree topology.

On an STP/RSTP-capable network, the accumulative cost of the path from a certain port

to the root bridge is the sum of the costs of the segment paths into which the path is separated

by the ports on the transit bridges.

l Port roles

– STP-capable port

– Root port

The root port is the port that is nearest to the root bridge. The root port is determined

based on the path cost. Among all the ports where STP is enabled on the network

bridge, the port with the smallest root path cost is the root port. There is only one

root port on an STP-capable device, but there is no root port on the root bridge.

– Designated Port

The designated port on a switching device forwards bridge protocol data units

(BPDUs) to the downstream switching device. All ports on the root bridge are

designated ports. A designated port is selected on each network segment. The devicewhere the designated port resides is called the designated bridge on the network

segment.

– RSTP-capable port

Compared with STP, RSTP has two additional types of ports, namely, the alternate port

and backup port. More port roles are defined to simplify the knowledge and deployment

of STP.





202



Figure 8-1 Diagram of port roles

S2 S3

A

AB

A a

S2 S3

A

AB

A aBb

S1

Root bridge

S1

Root bridge

Root port

Designated port

Alternate port

Backup port

As shown in Figure 8-1, RSTP defines four port roles: root port, designated port,

alternate port, and backup port.

The functions of the root port and designated port are the same as those defined in STP.

The description of the alternate port and backup port is as follows:– From the perspective of configuration BPDU transmission:

– The alternate port is blocked after learning the configuration BPDUs sent by

other bridges.

– The backup port is blocked after learning the configuration BPDUs sent by itself.

– From the perspective of user traffic:

– The alternate port backs up the root port and provides an alternate path from the

designated bridge to the root bridge.

– The backup port backs up the designated port and provides an alternate path from

the root node to the leaf node.

After all ports are assigned roles, topology convergence is completed.





203



l Port status

– STP port state

Table 8-1 shows the port status of an STP-capable port.

Table 8-1 STP port state

Port state Purpose Description

Forwardin

g

The port in the Forwarding state

forwards not only user traffic but also

BPDUs.

Only the root port and

designated port can enter the

Forwarding state.

Learning When a port is in the Learning state, a

device creates a MAC address table

based on the received user traffic but

does not forward user traffic.

This is a transition state,

which is designed to prevent

temporary loops.

Listening When a port is in the Listening state, the

root bridge, root port, and designated

port are to be selected.

This is a transition state.

Blocking The port in the Blocking state receives

and forwards only BPDUs but does not

forward user traffic.

This is the final state of a

blocked port.

Disabled The port in the Disabled state forwards

neither BPDUs nor user traffic.

The port is Down.

– RSTP port stateTable 8-2 shows the port status of an RSTP-capable port.

Table 8-2 RSTP port state

Port state Description

Forwarding A port in the Forwarding state can send and receive BPDUs as

well as forward user traffic.

Learning This is a transition state. A port in the Learning state learns

MAC addresses from user traffic to construct a MAC address

table.In the Learning state, the port can send and receive BPDUs, but

cannot forward user traffic.

Discarding A port in the Discarding state can only receive BPDUs.





204



CAUTION

A Huawei datacom device is in MSTP mode by default. After a device experiences the

transition from the MSTP mode to the STP mode, an STP-capable port supports the same port states as those supported by an MSTP-capable port, including the Forwarding,

Learning, and Discarding states. For details, see Table 8-2.

l Three timers

– Hello Timer

Sets the interval at which BPDUs are sent.

– Forward Delay Timer

Sets the time spent in the Listening and Learning states.

– Max Age

Sets the maximum lifetime of a BPDU on the network. When the Max Age time expires,the connection to the root bridge fails.

Comparison between STP, RSTP, and MSTP

Table 8-3 shows the comparison between STP, RSTP, and MSTP.

Table 8-3 Comparison between STP, RSTP, and MSTP

Spanning TreeProtocol

Characteristics ApplicableEnvironment

Precautions

STP A loop-free tree is

generated. Thus, broadcast

storms are prevented and

redundancy is

implemented.

Irrespective of different

users or services, all

VLANs share one

spanning tree.

NOTE

l If the current

switching device

supports STP and

RSTP, RSTP is

recommended.

l If the current

switching device

supports STP or

RSTP, and MSTP,

MSTP is

recommended. See

MSTPConfiguration.

RSTP l A loop-free tree is

generated. Thus,

broadcast storms are

prevented and

redundancy is

implemented.l A feedback mechanism

is provided to confirm

topology convergence.

Thus, rapid

convergence is

implemented.





205



Spanning TreeProtocol

Characteristics ApplicableEnvironment

Precautions

MSTP l In an MSTP region, a

loop-free tree is

generated. Thus,


prevented and

redundancy is

implemented.

l A feedback mechanism

is provided to confirm


Thus, rapid

convergence is

implemented.

l MSTP implements

load balancing among

VLANs. Traffic in

different VLANs is

transmitted along

different paths.

User or service-specific

load balancing is

required. Traffic for

different VLANs is

forwarded through

different spanning

trees, which are

independent of each

other.

8.1.2 STP/RSTP Features Supported by the S6700

Before configuring STP/RSTP, familiarize yourself with the concepts of basic STP/RSTP

functions, topology convergence, STP/RSTP protection, and STP/RSTP interoperability

between Huawei devices and non-Huawei devices. This will help you complete the configuration

task quickly and accurately.


loop-free tree topology. The basic configuration roadmap of STP/RSTP is as follows:

1. Select a switching device (functioning as a root bridge) from switching devices for each

spanning tree. You can configure the priorities of the switching devices to preferentially

select a root bridge.

2. In each spanning tree, calculate the shortest paths from the other switching devices to theroot bridge, and select a root port for each non-root switching device. You can configure

the cost of the path from a switching device to the root bridge to preferentially select a root

port.

3. In each spanning tree, select a designated port for each connection according to the bridge

ID, the cost of path and port IDs. If the devices have the same bridge ID and the cost of

path, You can configure the port priorities to preferentially select a designated port.

STP/RSTP also supports the following features to meet requirements of special applications and

extended functions:

l A feedback mechanism is provided to confirm topology convergence. Thus, rapid

convergence is implemented.

l RSTP provides the following protection functions, as listed in Table 8-4.





206



l Supports STP/RSTP interoperability between Huawei devices and non-Huawei devices.

Proper parameters are required on Huawei devices running STP/RSTP to ensure nonstop

communication.

Table 8-4 RSTP Protection Function

ProtectionFunction

Scenario Configuration Impact

BPDU

protection

An edge port changes to be

a non-edge port after

receiving a BPDU, which

triggers spanning tree

recalculation. If an attacker

keeps sending bogus

BPDUs to a switching

device, network flapping

occurs.

After BPDU protection is enabled on the

switching device, the switching device

shuts down the edge port if the edge port

receives an RST BPDU, and notifies the

NMS of the shutdown event. The attributes

of the edge port are not changed.

TC

protection

Generally, after receiving

TC BPDUs (packets for

advertising network

topology changes), a

switching device needs to

delete MAC entries and

ARP entries. Frequent

deletion operations will

exhaust CPU resources.

TC protection is used to suppress TC-

BPDUs. The number of times that TC-

BPDUs are processed by a switching

device within a given time period is

configurable. If the number of TC-BPDUs

that the switching device receives within a

given time exceeds the specified threshold,

the switching device handles TC-BPDUs

only for the specified number of times.

Excess TC-BPDUs are processed by the

switching device as a whole for once after the timer (that is, the specified time period)

expires. This protects the switching device

from frequently deleting MAC entries and

ARP entries, thus avoiding over-burdened.

Root

protection

Due to incorrect

configurations or

malicious attacks on the

network, a root bridge may

receive BPDUs with a

higher priority.

Consequently, thelegitimate root bridge is no

longer able to serve as the

root bridge, and the

network topology is

illegitimately changed,

triggering spanning tree

recalculation. This may

transfer traffic from high-

speed links to low-speed

links, causing traffic

congestion.

If a designated port is enabled with the root

protection function, the role of the port

cannot be changed. Once a designated port

that is enabled with root protection

receives RST BPDUs with a higher

priority, the port enters the Discarding state

and does not forward packets. If the portdoes not receive any RST BPDUs with a

higher priority before a period (generally

two Forward Delay periods) expires, the

port automatically enters the Forwarding

state.





207



ProtectionFunction


Loop

protection

A root port or an alternate

port will age if link

congestion or a one-way

link failure occurs. After

the root port ages, a

switching device may re-

select a root port

incorrectly and after the

alternate port ages, the port

enters the Forwarding

state. Loops may occur in

such a situation.

After loop protection is configured, if the

root port or alternate port does not receive

RST BPDUs from the upstream switching

device for a long time, the switching device

notifies the NMS that the port enters the

Discarding state. The blocked port remains

in the Blocked state and no longer forwards

packets. This prevents loops on the

network. The root port restores the

Forwarding state after receiving new

BPDUs.

8.2 Configuring Basic STP/RSTP Functions



STP/RSTP is commonly configured on a switching device to trim a ring network to a loop-free

network. STP/RSTP configurations on the switching device involve STP/RSTP working mode

configuration. If you need to interfere in the spanning tree calculation, the following methods

are available:

l Setting a priority for a switching device: The lower the numerical value, the higher the priority of the switching device and the more likely the switching device becomes a root

bridge; the higher the numerical value, the lower the priority of the switching device and

the less likely that the switching device becomes a root bridge.

l Setting a path cost for a port: With the same calculation method, the lower the numerical

value, the smaller the cost of the path from the port to the root bridge and the more likely

the port becomes a root port; the higher the numerical value, the larger the cost of the path

from the port to the root bridge and the less likely that the port becomes a root port.

l Setting a priority for a port: The lower the numerical value, the more likely the port becomes

a designated port; the higher the numerical value, the less likely that the port becomes a

designated port.


Before configuring basic STP/RSTP functions, familiarize yourself with the applicable

environment, complete the pre-configuration tasks, and obtain the required data. This will help





which is the master and the others are the backup. Loops are likely or bound to occur in such asituation.





208





entries.

STP/RSTP can be deployed on a network to eliminate loops. If a loop is detected, STP/RSTP

blocks one port to eliminate the loop.

As shown in Figure 8-2, Switch A, Switch B, Switch C, and Switch D form a ring network, and

STP/RSTP is enabled on the ring network to eliminate loops.

Figure 8-2 Diagram of a ring network

SwitchA

SwitchC

SwitchB

SwitchD

PC1 PC2

Network

Blocked port

Root

Bridge

NOTE

If the current switching device supports STP and RSTP, RSTP is recommended.


Before configuring basic STP/RSTP functions, complete the following task:

l Connecting interfaces and setting physical parameters for the interfaces to ensure that the

physical status of the interfaces is Up

Data Preparation

To configure basic STP/RSTP functions, you need the following data.





209



No. Data

1 (Optional) Priority of a switching device

2 (Optional) Priority of a port

3 (Optional) Path cost of a port

8.2.2 Configuring the STP/RSTP Mode

Before configuring basic STP/RSTP functions, you need to configure the working mode of a

switching device to STP/RSTP. RSTP is compatible with STP.

Procedure

Step 1 Run:

system-view


Step 2 Run:

stp mode { stp | rstp }

The working mode of the switching device is configured as STP/RSTP.

By default, the working mode of the S6700 is MSTP.

----End

8.2.3 (Optional) Configuring Switching Device Priorities

The lower the numerical value is, the higher priority a switching device has and the more likely

the switching device will be selected as a root bridge.

Context

On an STP/RSTP-capable network, there is only one root bridge and it is the logic center of the

entire spanning tree. In root bridge selection, the switching device with high performance and

network hierarchy is generally selected as a root bridge; however, the priority of such a device

may be not that high. Thus setting a high priority for the switching device is necessary so thatthe device can function as a root bridge.

Other devices with low performance and network hierarchy are not fit to be a root bridge.

Therefore, set low priorities for these devices.

CAUTION

If an S6700 is configured as the root switch or secondary root switch, the priority of the

S6700 cannot be set. If you want to set the priority of the S6700, you must disable the root switch

or secondary root switch.





210



Procedure

Step 1 Run:

system-view


Step 2 Run:

stp priority priority

The priority of a switching device is configured.

The default priority value of a switching device is 32768.

NOTE

l To configure a switching device as a primary root bridge, you can run the stp root primary command

directly. The priority value of this switching device is 0.

l To configure a switching device as a secondary root bridge, run the stp root secondary command. The

priority value of this switching device is 4096.

A switching device cannot act as a primary root bridge and a secondary root bridge at the same time.

----End

8.2.4 (Optional) Setting the Path Cost for a Port

The STP/RSTP path cost determines root port selection. The port from which to the root port

costs the least is selected as the root port.

Context

A path cost is port-specific, which is used by STP/RSTP as a reference to select a link.

The range of the path cost value is determined by the calculation method. After the calculation

method is determined, you are recommended to set a relatively small path cost value for the port

at a high link rate.

Use the Huawei proprietory calculation method as an example. Different link rates correspond

to default path cost values of ports. For details, see Table 8-5.

Table 8-5 Mappings between link rates and path cost values

Link Rate Recommendedvalue

RecommendedValue Range

Value Range

10 Mbit/s 2000 200-20000 1-200000

100 Mbit/s 200 20-2000 1-200000

1 Gbit/s 20 2-200 1-200000

10 Gbit/s 2 2-20 1-200000

Over 10 Gbit/s 1 1-2 1-200000





211



On a network where loops occur, you are recommended to set a relatively large path cost for the

port at a low link rate. STP/RSTP puts the port with the large path cost in the Blocking state and

blocks the link where this port resides.


system-view


Step 2 Run:

stp pathcost-standard { dot1d-1998 | dot1t | legacy }

A path cost calculation method is configured.

By default, the IEEE 802.1t standard method is used to calculate the default path cost.

All switching devices on a network must use the same calculation method for path costs.

Step 3 Run:



Step 4 Run:

stp cost cost

A path cost is set for the port.

l When the Huawei proprietory calculation method is used, cost ranges from 1 to 200000.

l When the IEEE 802.1d standard method is used, cost ranges from 1 to 65535.

l When the IEEE 802.1t standard method is used, cost ranges from 1 to 200000000.

----End

8.2.5 (Optional) Configuring Port Priorities

The lower the numerical value, the more likely the port on a switching device becomes a

designated port; the higher the numerical value, the more likely the port is to be blocked.

Context

Whether a port on a switching device will be selected as a designated port is determined by its

priority. For details, see 8.1.1 STP/RSTP Overview.

If you expect to block a port on a switching device to eliminate loops, set the port priority value

to be larger than the default value when the devices have the same bridge ID and the cost of

path. This port will be blocked in designated port selection.

Procedure

Step 1 Run:

system-view






212



Step 2 Run:



Step 3 Run:stp port priority priority

The port priority is configured.

The default priority value of a port on a switching device is 128.

----End

8.2.6 Enabling STP/RSTP

After STP/RSTP is enabled, spanning trees are calculated.

Context

After STP/RSTP is enabled on a ring network, STP/RSTP immediately calculates spanning trees

on the network. Configurations on the switching device, such as the switching device priority

and port priority, will affect spanning tree calculation. Any change of the configurations may

cause network flapping. Therefore, to ensure rapid and stable spanning tree calculation, perform

basic configurations on the switching device and its ports and enable STP/RSTP.

Procedure

Step 1 Run:

system-view


Step 2 Run:

stp enable

STP/RSTP is enabled on the switching device.

By default, the STP/RSTP function is enabled on a S6700.

----End


After basic STP/RSTP functions are configured, you can view the information such as the port

role and port status to check whether the spanning tree calculation is correctly performed.

Prerequisite

All configurations of basic STP/RSTP functions are complete.

Procedure

l Run the display stp [ interface interface-typeinterface-number ] [ brief ] command to view

spanning-tree status and statistics.

----End





213



8.3 Configuring STP/RSTP Parameters on an Interface

A feedback mechanism is provided to confirm topology convergence. Thus, rapid convergence

is implemented for RSTP.

STP does not implement rapid convergence; however, STP parameters, such as the network

diameter, hello time, Max Age time, and Forward Delay time, may affect network convergence.

RSTP is a refinement of STP and implements rapid convergence. In addition to the preceding

parameters, such parameters as the type of the link where the port resides, rapid transition

mechanism, and maximum number of sent BPDUs port parameters also affect STP/RSTP


For the parameters of devices running STP/RSTP, see Table 8-6.

Table 8-6 Parameters affecting the STP/RSTP topology convergence

Parameter

ParameterDescription

Commands Description

System

parameter

network

diameter, timer

value (Hello

Time, Forward

Delay period,

Max Age time),

and timeout

period for

waiting for BPDUs from

the upstream (3

x hello time x

time factor)

l stp bridge-diameter

diameter

l stp timer hello hello-time

l stp timer forward-delay

forward-delay

l stp timer max-age max-age

l stp timer-factor factor

It is recommended that you

set the network diameter to

determine the timer value.

The switching device

automatically calculates

the Forward Delay period,

Hello time, and Max Age

time based on the network

diameter. Then, you canrun the stp timer-factor

factor command to set the

timeout period for waiting

for BPDUs from the

upstream (3 x hello time x

time factor).





214



Parameter



Port

parameter

Link type of a

port

l stp point-to-point { auto |

force-false | force-true }

A P2P link helps

implement the rapid

convergence.

l If the port works in full-

duplex mode, the link

where the port resides is

a P2P link.

l If the port works in

half-duplex mode, you

can forcibly switch the

link where the port

resides to a P2P link.

lIn other cases, you canenable the port to

automatically

determine whether to

connect to the P2P link.

Port transition

to the RSTP

mode

l stp mcheck On a switching device

running RSTP, if an

interface is connected to a

device running STP, the

interface automatically

transitions to the STP

mode.Enabling MCheck on the

interface is required When

the interface fail to

automatically transition to

the RSTP mode.

Maximum

number of

BPDUs sent by

the interface

within each

Hello time

l stp transmit-limit packet-

number

If the maximum number of

BPDUs sent by the

interface within each Hello

time is set properly, the rate

at which BPDUs are sent

can be restricted, which prevents RSTP from

consuming too many

bandwidths when network

flapping occurs.





215



Parameter



Edge ports l stp edged-port enable

l error-down auto-recoverycause cause-item interval

interval-value

The ports connecting to

terminals do not participate

in STP/RSTP calculation.

If a port is configured as an

edge port, the port does not

participate in STP/RSTP

calculation.

After BPDU protection is

configured on a switching

device, an edge port is shut

down when receiving

BPDUs. The port can be

configured to

automatically go Up after aspecific delay.


Before configuring parameters affecting STP/RSTP rapid convergence, familiarize yourself

with the applicable environment, complete the pre-configuration tasks, and obtain the required

data. This will help you complete the configuration task quickly and accurately.


On some specific networks, RSTP parameters will affect the speed of network convergence.

Configuring proper RSTP parameters is required.

NOTE

The default configurations of the parameters described in this section help implement RSTP rapid

convergence. Therefore, the configuration process and all involved procedures described in this section

are optional. You can perform some of the configurations as required.


Before configuring STP/RSTP parameters, complete the following task:

l Configuring basic STP/RSTP functions

Data Preparation

To configure STP/RSTP parameters, you need the following data.

No. Data

1 Network diameter

2 Hello time, forwarding delay time, maximum aging time, and timeout period for

waiting for BPDUs from the upstream (3 x hello time x time factor)

3 Link type of a port





216



No. Data

4 Whether a port is enabled with rapid transition mechanism

5 Whether a port needs to transition to the RSTP mode

6 Maximum number of sent BPDUs

7 Whether a port needs to be configured as an edge port

8 Whether auto recovery needs to be configured for an edge port being shut down

9 Whether a port needs to clear statistics of the spanning tree

10 Whether an edge port needs to be configured as a BPDU filter

8.3.2 Setting System Parameters

STP/RSTP parameters that may affect network convergence include the network diameter, hello

time, and timeout period for waiting for BPDUs from the upstream (3 x hello time x time factor).

Therefore, STP/RSTP parameters need to be set properly to help implement rapid network

convergence.

Procedure

Step 1 Run:

system-view


Step 2 Run:

stp bridge-diameter diameter

The network diameter is configured.

By default, the network diameter is 7.

l RSTP uses a single spanning tree instance on the entire network, which cannot prevent the

performance from deteriorating when the network scale grows. Therefore, the network

diameter cannot be larger than 7.

l It is recommended that you run the stp bridge-diameter diameter command to set the

network diameter. Then, the switching device calculates the optimal Forward Delay period,

Hello time, and Max Age period based on the set network diameter.

Step 3 Run:

stp timer-factor factor

The timeout period for waiting for BPDUs from the upstream of a switching device is set.

By default, the timeout period of a switching device is 9 times as long as the Hello time.

Step 4 (Optional) To set the Forward Delay period, Hello time, and Max Age period, perform the

following operations:

l

Run the stp timer forward-delay forward-delay command to set the Forward Delay periodfor a switching device.





217



The default Forward Delay period of a switching device is 1500, in centiseconds.

l Run the stp timer hello hello-time command to set the Hello time for a switching device.

The default Hello time of a switching device is 200, in centiseconds.

l Run the stp timer max-age max-age command to set the Max Age period for a switching

device.

The default Max Age period of a switching device is 2000, in centiseconds.

NOTE

The values of the Hello time, Forward Delay period, and Max Age period must comply with the following

formulas. Otherwise, networking flapping occurs.

l 2 × (Forward Delay - 1.0 second) >= Max Age

l Max Age >= 2 × (Hello Time + 1.0 second)

----End

8.3.3 Setting Port ParametersPort parameters that may affect RSTP topology convergence include the link type and maximum

number of sent BPDUs. Proper port parameters help RSTP to implement rapid topology

convergence.

Procedure

Step 1 Run:

system-view


Step 2 Run:interface interface-type interface-number



stp point-to-point { auto | force-false | force-true }

The link type is configured for a port.

By default, a port automatically determines whether to connect to a P2P link. The P2P link

supports rapid network convergence.

l If the Ethernet port works in full-duplex mode, the port is connected to a P2P link. In this

case, force-true can be configured to implement rapid network convergence.

l If the Ethernet port works in half-duplex mode, you can configure stp point-to-point force-

true to forcibly set the link type to P2P to implement rapid network convergence.

Step 4 Run:

stp mcheck

MCheck is enabled.

On a switching device running RSTP, if a port is connected to a device running STP, the port

automatically transitions to the STP interoperable mode.

Enabling MCheck on the port is required because the port may fail to automatically transitionto the RSTP mode in the following situations:





218



l The switching device running STP is shut down or moved.

l The switching device running STP transitions to the RSTP mode.

NOTE

If you run the stp mcheck command in the system view, the MCheck operation is performed on all theinterfaces.

Step 5 Run:

stp transmit-limit packet-number

The maximum number of BPDUs sent by a port within each Hello time is set.

By default, the maximum number of BPDUs that a port sends within each Hello time is 147.


stp edged-port enable

The port is configured as an edge port.

If a device port is connected to a terminal, you can run this command to configure the port as

an edge port.

By default, the port is a non-edge port.

Step 7 Run:

quit



error-down auto-recovery cause cause-item interval interval-value

The auto recovery function on an edge port is configured. That is, enable the port in the error-

down state to automatically go Up, and set the delay for the transition from Down to Up.

There is no default value for the recovery time. Therefore, you must specify a delay when

configuring this command.

----End

Follow-up Procedure

When the topology of a spanning tree changes, the forwarding paths to associated VLANs are

changed. Then, ARP entries corresponding to those VLANs on the switching device need to be

updated. STP/RSTP processes ARP entries in either fast or normal mode.

l In fast mode, ARP entries to be updated are directly deleted.

l In normal mode, ARP entries to be updated are rapidly aged.

The remaining lifetime of ARP entries to be updated is set to 0. The switching device rapidly

processes these aged entries. If the number of ARP aging probe attempts is not set to 0,

ARP implements aging probe for these ARP entries.

In either fast or normal mode, MAC entries are directly deleted.

You can run the stp converge { fast | normal } command in the system view to configure the

STP/RSTP convergence mode.

By default, the STP/RSTP convergence is configured as normal.





219



NOTE

The normal mode is recommended. If the fast mode is adopted, ARP entries will be frequently deleted,

causing the CPU usage on the MPU or LPU to reach 100%. As a result, network flapping frequently occurs.

8.3.4 Checking the ConfigurationYou can verify that the configurations take effect after configuring STP/RSTP parameters that

affect the topology convergence.

Prerequisite

The parameters that affect the topology convergence have been configured.

Procedure

lRun the display stp [ interface interface-type interface-number ] [ brief ] command toview spanning-tree status and statistics.

----End

8.4 Configuring RSTP Protection Functions

RSTP protection functions are as follows, and you can configure one or more functions as

required.

8.4.1 Establishing the Configuration TaskBefore configuring RSTP protection functions, familiarize yourself with the applicable




RSTP provides the following protection functions, as listed in Table 8-7.

Table 8-7 RSTP Protection Function

ProtectionFunction


BPDU

protection

An edge port changes to be a

non-edge port after




keeps sending bogus BPDUs

to a switching device,

network flapping occurs.


switching device, the switching device shuts

down the edge port if the edge port receives

an RST BPDU, and notifies the NMS of the

shutdown event. The attributes of the edge

port are not changed.





220



ProtectionFunction


TC protection Generally, after receiving


advertising network



delete MAC entries and ARP

entries. Frequent deletion

operations will exhaust CPU

resources.

TC protection is used to suppress TC-BPDUs.

The number of times that TC-BPDUs are

processed by a switching device within a

given time period is configurable. If the

number of TC-BPDUs that the switching

device receives within a given time exceeds

the specified threshold, the switching device

handles TC-BPDUs only for the specified

number of times. Excess TC-BPDUs are

processed by the switching device as a whole

for once after the timer (that is, the specified

time period) expires. This protects the

switching device from frequently deleting

MAC entries and ARP entries, thus avoidingover-burdened.

Root

protection

Due to incorrect

configurations or malicious

attacks on the network, a

root bridge may receive

BPDUs with a higher

priority. Consequently, the

legitimate root bridge is no


root bridge, and the network

topology is illegitimatelychanged, triggering

spanning tree recalculation.

This may transfer traffic

from high-speed links to

low-speed links, causing

traffic congestion.

If a designated port is enabled with the root

protection function, the role of the port cannot

be changed. Once a designated port that is

enabled with root protection receives RST

BPDUs with a higher priority, the port enters

the Discarding state and does not forward

packets. If the port does not receive any RST

BPDUs with a higher priority before a period

(generally two Forward Delay periods)

expires, the port automatically enters theForwarding state.

Loop

protection



congestion or a one-way link

failure occurs. After the root

port ages, a switching device

may re-select a root port



enters the Forwarding state.

Loops may occur in such a

situation.

After loop protection is configured, if the root

port or alternate port does not receive RST

BPDUs from the upstream switching device

for a long time, the switching device notifies

the NMS that the port enters the Discarding

state. The blocked port remains in the

Blocked state and no longer forwards packets.

This prevents loops on the network. The root

port restores the Forwarding state after

receiving new BPDUs.


Before configuring basic RSTP functions, complete the following task:





221



l Configuring basic RSTP functions

NOTE

Configuring an edge port on the switching device before configuring BPDU protection.

Data Preparation

To configure basic RSTP functions, you need the following data.

No. Data

1 Number of the port on which root protection is to be enabled

2 Number of the port on which loop protection is to be enabled

8.4.2 Configuring BPDU Protection on a Switching DeviceAfter BPDU protection is enabled on a switching device, the switching device shuts down an

edge port if the edge port receives a BPDU, and notifies the NMS of the shutdown event.

Context

Edge ports are directly connected to user terminals and normally, the edge ports will not receive

BPDUs. Some attackers may send pseudo BPDUs to attach the switching device. If the edge

ports receive the BPDUs, the switching device automatically configures the edge ports as non-

edge ports and triggers new spanning tree calculation. Network flapping then occurs. BPDU

protection can be used to protect switching devices against malicious attacks.

NOTE

Do as follows on a switching device having an edge port:

Procedure

Step 1 Run:

system-view


Step 2 Run:

stp bpdu-protection

BPDU protection is enabled on the switching device.

By default, BPDU protection is not enabled on the switching device.

----End

Follow-up Procedure

To allow an edge port to automatically start after being shut down, you can run the error-down

auto-recovery cause cause-item interval interval-value command to configure the auto

recovery function and set the delay on the port. After the delay expires, the port automatically

goes Up. interval interval-value ranges from 30 to 86400, in seconds. Note the following whensetting this parameter:





222



l The smaller the interval-value is set, the sooner the edge port becomes Up, and the more

frequently the edge port alternates between Up and Down.

l The larger the interval-value is set, the later the edge port becomes Up, and the longer the

service interruption lasts.

8.4.3 Configuring TC Protection on a Switching Device

After TC protection is enabled, you can set the number of times for a switching device to process

TC BPDUs within a given time. TC protection avoids frequent deletion of MAC address entries

and ARP entries, thereby protecting switching devices.

Context

An attacker may send pseudo TC BPDUs to attack switching devices. Switching devices receive

a large number of TC BPDUs in a short time and delete entries frequently, which burdens system

processing and degrades network stability.

TC protection is used to suppress TC BPDUs. The number of times that TC BPDUs are processed

by a switching device within a given time period is configurable. If the number of TC BPDUs

that the switching device receives within a given time exceeds the specified threshold, the

switching device handles TC BPDUs only for the specified number of times. Excess TC-BPDUs

are processed by the switching device as a whole for once after the specified time period expires.

This protects the switching device from frequently deleting MAC entries and ARP entries, thus

avoiding overburden.

Procedure

Step 1 Run:

system-view


Step 2 Run:

stp tc-protection

TC protection is enabled for a switching device.

By default, TC protection is enabled on the switching device.

Step 3 Run:

stp tc-protection threshold threshold

The threshold of the number of times the switching device handles the received TC BPDUs and

updates forwarding entries within a given time is set.

NOTE

The value of the given time is consistent with the RSTP Hello time set by using the stp timer hello hello-

time command.

----End

8.4.4 Configuring Root Protection on a Port

The root protection function on a switching device protects a root bridge by preserving the roleof a designated port.





223



Context

Due to incorrect configurations or malicious attacks on the network, a root bridge may receive

BPDUs with a higher priority. Consequently, the legitimate root bridge is no longer able to serve

as the root bridge, and the network topology is incorrectly changed, triggering spanning tree

recalculation. This also may cause the traffic that should be transmitted over high-speed links

to be transmitted over low-speed links, leading to network congestion. The root protection

function on a switching device is used to protect the root bridge by preserving the role of the

designated port.

NOTE

Root protection is configured on a designated port. Root protection takes effect only on a designated port.

Do as follows on the root bridge.

Procedure

Step 1 Run:

system-view


Step 2 Run:



Step 3 Run:

stp root-protection

Root protection is configured on the switching device.

By default, root protection is disabled.

----End

8.4.5 Configuring Loop Protection on a Port

The loop protection function suppresses the loops caused by link congestion.

ContextOn a network running RSTP, a switching device maintains the root port status and status of

blocked ports by receiving BPDUs from an upstream switching device. If the switching device

cannot receive BPDUs from the upstream because of link congestion or unidirectional-link

failure, the switching device re-selects a root port. The original root port becomes a designated

port and the original blocked ports change to the Forwarding state. This may cause network

loops. To address such a problem, configure loop protection.

After loop protection is configured, if the root port or alternate port does not receive BPDUs

from the upstream switching device, the root port is blocked and the switching device notifies

the NMS that the port enters the Discarding state. The blocked port remains in the Blocked state

and no longer forwards packets. This prevents loops on the network. The root port restores theForwarding state after receiving new BPDUs.





224



NOTE

An alternate port is a backup port of a root port. If a switching device has an alternate port, you need to

configure loop protection on both the root port and the alternate port.

Do as follows on a root port and an alternate port on a switching device.

Procedure

Step 1 Run:

system-view


Step 2 Run:



Step 3 Run:stp loop-protection

Loop protection for the root port or the alternate port is configured on the switching device.

By default, loop protection is disabled.

----End


After RSTP protection functions are configured, you can verify that the configurations take

effect.

Prerequisite

All configurations of RSTP protection functions are complete.

Procedure

l Run the display stp [ interface interface-type interface-number ] [ brief ] command to

view the status of a spanning tree, including the status of protection functions on a switching

device

----End

8.5 Configuring STP/RSTP Interoperability BetweenHuawei Devices and Non-Huawei Devices

To supports STP/RSTP interoperability between Huawei devices and non-Huawei devices,

proper parameters are required on Huawei devices running STP/RSTP to ensure nonstop

communication.


Before configuring STP/RSTP interoperability between Huawei devices and non-Huaweidevices, familiarize yourself with the applicable environment, complete the pre-configuration





225



tasks, and obtain the required data. This will help you complete the configuration task quickly

and accurately.


On a network running STP/RSTP, inconsistent protocol packet formats and BPDU keys may

lead to a communication failure. Configuring proper STP/RSTP parameters on Huawei devices

ensures interoperability between Huawei devices and non-Huawei devices.


Before configuring STP/RSTP interoperability between Huawei devices and non-Huawei

devices, complete the following task:

l Configuring basic STP/RSTP functions

Data PreparationTo configure STP/RSTP interoperability between Huawei devices and non-Huawei devices, you

need the following data.

No. Data

1 BPDU format

8.5.2 Configuring the Proposal/Agreement Mechanism

To enable Huawei Datacom devices to communicate with non-Huawei devices, a proper rapid

transition mechanism needs to be configured on Huawei devices based on the Proposal/

Agreement mechanism on non-Huawei devices.

Context

The rapid transition mechanism is also called the Proposal/Agreement mechanism. Switching

devices currently support the following modes:

l Enhanced mode: The current interface counts a root port when it counts the synchronization

flag bit.

– An upstream device sends a Proposal message to a downstream device, requesting rapid

status transition. After receiving the message, the downstream device sets the port

connected to the upstream device to a root port and blocks all non-edge ports.

– The upstream device then sends an Agreement message to the downstream device. After

the downstream device receives the message, the root port transitions to the Forwarding

state.

– The downstream device responds the Proposal message with an Agreement message.

After receiving the message, the upstream device sets the port connected to the

downstream device as a designated port. The designated port then transitions to the

Forwarding state.

l

Common mode: The current interface ignores the root port when it counts thesynchronization flag bit.





226





connected to the upstream device to a root port and blocks all non-edge ports. The root

port then transitions to the Forwarding state.

– The downstream device responds the Proposal message with an Agreement message.After receiving the message, the upstream device sets the port connected to the

downstream device as a designated port. The designated port then transitions to the

Forwarding state.

When Huawei datacom devices are interworking with non-Huawei devices, select either mode

depending on the Proposal/Agreement mechanisms on non-Huawei devices.

Procedure

Step 1 Run:

system-view


Step 2 Run:



Step 3 Run:

stp no-agreement-check

The common rapid transition mechanism is configured.

By default, the interface uses the enhanced rapid transition mechanism.

----End


After MSTP parameters are configured for the interoperability between Huawei devices and

non-Huawei devices, you can verify that the configurations take effect.

Prerequisite

Parameters have been configured to ensure MSTP interoperability between Huawei devices and

non-Huawei devices.

Procedure

l Run the display stp [ interface interface-type interface-number ] [ brief ] command to

view spanning-tree status.

----End

8.6 Maintaining STP/RSTP

STP/RSTP maintenance includes resetting STP/RSTP statistics.





227



8.6.1 Clearing STP/RSTP Statistics

You can run the reset commands to reset STP/RSTP statistics to 0.

Context

CAUTION

STP/RSTP statistics cannot be restored after you clear them. Therefore, exercise caution when

using the reset commands.

After you confirm that STP/RSTP statistics need to be cleared, run the following command in

the user view.

Procedure

Step 1 Run the reset stp [ interface interface-type interface-number ] statistics command to clear

spanning-tree statistics.

----End


This section shows typical usage scenarios of STP/RSTP by describing networkingrequirements, configuration roadmap, and data preparation, and provides related configuration

files.

8.7.1 Example for Configuring Basic STP Functions

This example shows how to configure basic STP functions.


On a complex network, loops are inevitable. With the requirement for network redundancy backup, network designers tend to deploy multiple physical links between two devices, one of


situation.


network. Loops also cause flapping of MAC address tables and damages MAC address entries.

STP can be deployed on a network to eliminate loops by blocking some ports. On the network

shown in Figure 8-3, after SwitchA, SwitchB, SwitchC, and SwitchD running STP discover

loops on the network by exchanging information with each other, they trim the ring topology

into a loop-free tree topology by blocking a certain port. In this manner, replication and circular

propagation of packets are prevented on the network and the switching devices are released from processing duplicated packets, thereby improving their processing performance.





228



Figure 8-3 Networking diagram of configuring basic STP functions

PC1

SwitchAXGE0/0/2

XGE0/0/1

XGE0/0/1

XGE0/0/2

XGE0/0/3

XGE0/0/3XGE0/0/1

XGE0/0/3

Network

SwitchC SwitchB

STP

Blocked port

SwitchD

XGE0/0/1

XGE0/0/3

XGE0/0/2

PC2

XGE0/0/2

Root Bridge



1. Configure basic STP functions, including:

(1) Configure the STP mode for the ring network.

(2) Configure primary and secondary root bridges.

(3) Set path costs for ports to block certain ports.

(4) Enable STP to eliminate loops.NOTE

STP is not required on the interfaces connected to terminals because these interfaces do not

need to participate in STP calculation.

Data Preparation


l XGEInterface number, as shown in Figure 8-3

l Primary root bridge SwitchA and secondary root bridge SwitchD

l Path cost of a port to be blocked (20000 is used in this example)





229



Procedure

Step 1 Configure basic STP functions.

1. Configure the STP mode for the devices on the ring network.

# Configure the STP mode on SwitchA.



[SwitchA] stp mode stp

# Configure the STP mode on SwitchB.



[SwitchB] stp mode stp

# Configure the STP mode on SwitchC.



[SwitchC] stp mode stp

# Configure the STP mode on SwitchD.



[SwitchD] stp mode stp

2. Configure primary and secondary root bridges.

# Configure SwitchA as a primary root bridge.

[SwitchA] stp root primary

# Configure SwitchD as a secondary root bridge.

[SwitchD] stp root secondary

3. Set path costs for ports in each spanning tree to block certain ports.

NOTE

l The values of path costs depend on path cost calculation methods. Use the Huawei proprietary

calculation method as an example to set the path costs of the ports to be blocked to 20000.

l All switching devices on a network must use the same path cost calculation method.

# Set the path cost of XGE0/0/1 on SwitchC to 20000.


[SwitchC-XGigabitEthernet0/0/1] stp cost 20000


4. Enable STP to eliminate loops.

l Disable STP on interfaces connected to PCs.

# Disable STP on XGE 0/0/2 on SwitchB.[SwitchB] interface xgigabitethernet 0/0/2

[SwitchB-XGigabitEthernet0/0/2] stp disable


# Disable STP on XGE 0/0/2 on SwitchC.


[SwitchC-XGigabitEthernet0/0/2] stp disable


l Enable STP globally.

# Enable STP globally on SwitchA.

[SwitchA] stp enable

# Enable STP globally on SwitchB.

[SwitchB] stp enable





230



# Enable STP globally on SwitchC.

[SwitchC] stp enable

# Enable STP globally on SwitchD.

[SwitchD] stp enable

l Enable BPDU on all the interfaces except the interfaces connected to terminals.

# Enable BPDU on XGE 0/0/1 and XGE 0/0/2 on SwitchA.







# Enable BPDU on XGE 0/0/1 and XGE 0/0/3 on SwitchB.


[SwitchB-XGigabitEthernet0/0/1] bpdu enable


[SwitchB] interface xgigabitethernet 0/0/3[SwitchB-XGigabitEthernet0/0/3] bpdu enable


# Enable BPDU on XGE 0/0/1 and XGE 0/0/3 on SwitchC.







# Enable BPDU on XGE 0/0/1 and XGE 0/0/2 on SwitchD.


[SwitchD-XGigabitEthernet0/0/1] bpdu enable

[SwitchD-XGigabitEthernet0/0/1] quit[SwitchD] interface xgigabitethernet 0/0/2




After the previous configurations, run the following commands to verify the configuration when

the network is stable:

# Run the display stp brief command on SwitchA to view the interface status and protection

type. The displayed information is as follows:

[SwitchA] display stp brief

MSTID Port Role STP State Protection 0 XGigabitEthernet0/0/1 DESI FORWARDING NONE

0 XGigabitEthernet0/0/2 DESI FORWARDING NONE

After SwitchA is configured as a root bridge, XGE 0/0/2 and XGE 0/0/1 connected to SwitchB

and SwitchD respectively are elected as designated ports in spanning tree calculation.

# Run the display stp interface xgigabitethernet 0/0/1 brief command on SwitchB to view

status of XGE 0/0/1. The displayed information is as follows:

[SwitchB] display stp interface xgigabitethernet 0/0/1 brief

MSTID Port Role STP State Protection


XGE 0/0/1 is elected as a designated port in spanning tree calculation and is in the Forwardingstate.





231



# Run the display stp brief command on SwitchC to view the interface status and protection


[SwitchC] display stp brief


0 XGigabitEthernet0/0/1 ALTE DISCARDING NONE

0 XGigabitEthernet0/0/3 ROOT FORWARDING NONE

XGE 0/0/1 is elected as an alternate port in spanning tree calculation and is in the Discarding

state.

XGE 0/0/3 is elected as a root port in spanning tree calculation and is in the Forwarding state.

----End

Configuration Files


#

sysnameSwitchA

#

stp mode

stp

stp instance 0 root

primary

#

return


#

sysname

SwitchB

#

stp mode

stp

#


stp disable

#

return


#

sysname

SwitchC

#

stp mode

stp

#


stp instance 0 cost

20000

#


stp disable

#

return


#

sysname

SwitchD

#

stp mode

stpstp instance 0 root





232



secondary

#

return

8.7.2 Example for Configuring Basic RSTP Functions

This example describes how to configure basic RSTP functions.


On a complex network, loops often occur. To implement network redundancy backup, network

designers tend to deploy multiple physical links between two devices, one of which is the master

device and the others are backup devices. Loops are likely or bound to occur in such a situation.

Loops will cause broadcast storms, exhausting network resources and making the network break

down. Loops also cause flapping of MAC address tables and damage MAC address entries.

RSTP can be deployed on a network to eliminate loops by blocking some ports. On the network

shown in Figure 8-4, after SwitchA, SwitchB, SwitchC, and SwitchD running RSTP detect

loops on the network by exchanging information with each other, they trim the ring topology

into a loop-free tree topology by blocking a certain port. In this manner, packets are not replicated

and looped on the network and switching devices do not need to process duplicate packets,

improving their processing performance.

Figure 8-4 Networking diagram of basic RSTP functions

PC1

SwitchAXGE0/0/2

XGE0/0/1

XGE0/0/1XGE0/0/2

XGE0/0/3

XGE0/0/3

XGE0/0/1

XGE0/0/3

Network

SwitchC SwitchB

RSTP

Blocked port

SwitchD

XGE0/0/1

XGE0/0/3

XGE0/0/2

PC2

XGE0/0/2

Root

Bridge





233





1. Configure basic RSTP functions, including:

(1) Configure the RSTP mode for the ring network.

(2) Configure primary and secondary root bridges.

(3) Set path costs for ports in each MSTI to block certain ports.

(4) Enable RSTP to eliminate loops.

NOTE

RSTP is not required on the interfaces connected to terminals because these interfaces do not

need to participate in RSTP calculation.

2. Configure RSTP protection functions, for example, root protection on a designated port of

a root bridge in each MSTI.

Data Preparation


l XGE interface number, as shown in Figure 8-4

l Primary root bridge SwitchA and secondary root bridge SwitchD

l Path cost of a port to be blocked (20000 is used in this example)

Procedure

Step 1 Configure basic RSTP functions.

1. Configure the RSTP mode for the devices on the ring network.

# Configure the RSTP mode on SwitchA.



[SwitchA] stp mode rstp

# Configure the RSTP mode on SwitchB.



[SwitchB] stp mode rstp

# Configure the RSTP mode on SwitchC.


[Quidway] sysname SwitchC[SwitchC] stp mode rstp

# Configure the RSTP mode on SwitchD.



[SwitchD] stp mode rstp

2. Configure primary and secondary root bridges.

# Configure SwitchA as a primary root bridge.

[SwitchA] stp root primary

# Configure SwitchD as a secondary root bridge.

[SwitchD] stp root secondary

3. Set path costs for ports to block certain ports.





234



NOTE

l The values of path costs depend on path cost calculation methods. Use the Huawei proprietary

calculation method as an example to set the path costs of the ports to be blocked to 20000.

l All switching devices on a network must use the same path cost calculation method.

# Set the path cost of XGE0/0/1 on SwitchC to 20000.[SwitchC] interface xgigabitethernet 0/0/1

[SwitchC-XGigabitEthernet0/0/1] stp cost 20000


4. Enable RSTP to eliminate loops.

l Disable RSTP on interfaces connected to PCs.

# Disable RSTP on XGE 0/0/2 on SwitchB.


[SwitchB-XGigabitEthernet0/0/2] stp disable


# Disable RSTP on XGE 0/0/2 on SwitchC.

[SwitchC] interface xgigabitethernet 0/0/2[SwitchC-XGigabitEthernet0/0/2] stp disable


l Enable RSTP globally.

# Enable RSTP globally on SwitchA.


# Enable RSTP globally on SwitchB.


# Enable RSTP globally on SwitchC.


# Enable RSTP globally on SwitchD.


l Enable BPDU on all the interfaces except the interfaces connected to terminals.

# Enable BPDU on XGE 0/0/1 and XGE 0/0/2 on SwitchA.







# Enable BPDU on XGE 0/0/1 and XGE 0/0/3 on SwitchB.



[SwitchB-XGigabitEthernet0/0/1] quit[SwitchB] interface xgigabitethernet 0/0/3



# Enable BPDU on XGE 0/0/1 and XGE 0/0/3 on SwitchC.







# Enable BPDU on XGE 0/0/1 and XGE 0/0/2 on SwitchD.


[SwitchD-XGigabitEthernet0/0/1] bpdu enable[SwitchD-XGigabitEthernet0/0/1] quit





235






Step 2 Configure RSTP protection functions.

# Enable root protection on XGE 0/0/1 on SwitchA.


[SwitchA-XGigabitEthernet0/0/1] stp root-protection


# Enable root protection on XGE 0/0/2 on SwitchA.





After the previous configurations, run the following commands to verify the configuration when

the network is stable:

# Run the display stp brief command on SwitchA to view the interface status and protection


[SwitchA] display stp brief


0 XGigabitEthernet0/0/1 DESI FORWARDING ROOT


After SwitchA is configured as a root bridge, XGE 0/0/2 and XGE 0/0/1 connected to SwitchB

and SwitchD respectively are elected as designated ports in spanning tree calculation. The root

protection function is enabled on the designated ports.

# Run the display stp interface xgigabitethernet 0/0/1 brief command on SwitchB to viewstatus of XGE 0/0/1. The displayed information is as follows:

[SwitchB] display stp interface xgigabitethernet 0/0/1 brief



XGE 0/0/1 is elected as a designated port in spanning tree calculation and is in the Forwarding

state.

# Run the display stp brief command on SwitchC to view the interface status and protection


[SwitchC] display stp brief


0 XGigabitEthernet0/0/1 ALTE DISCARDING NONE 0 XGigabitEthernet0/0/3 ROOT FORWARDING NONE

XGE 0/0/1 is elected as an alternate port in spanning tree calculation and is in the Discarding

state.

XGE 0/0/3 is elected as a root port in spanning tree calculation and is in the Forwarding state.

----End

Configuration Files


# sysname SwitchA





236



#

stp mode

rstp

stp instance 0 root

primary

#

interface XGigabitEthernet0/0/1stp root-

protection

#


stp root-

protection

#

return


#

sysname SwitchB

#

stp mode

rstp

#


stp disable

#

return


#

sysname SwitchC

#

stp mode

rstp

#


stp instance 0 cost

20000#


stp disable

#

return


#

sysname SwitchD

#

stp mode

rstp

stp instance 0 root

secondary

#return





237



9 MSTP Configuration

About This Chapter

The Multiple Spanning Tree Protocol (MSTP) trims a ring network into a loop-free tree network.

It prevents re plication and circular propagation of packets, provides multiple redundant paths

for Virtual LAN (VLAN) data traffic, and enables load balancing.

9.1 MSTP Overview

MSTP enables multiple VLANs to be grouped into a spanning-tree instance, forming a VLAN

mapping table. Each instance has a spanning-tree topology independent of other spanning-tree

instances. This architecture provides multiple forwarding paths for data traffic and enables load

balancing.

9.2 Configuring Basic MSTP Functions

MSTP based on the basic STP/RSTP function divides a switching network into multiple regions,

each of which has multiple spanning trees that are independent of each other. MSTP isolates

user traffic and service traffic, and load-balances VLAN traffic.

9.3 Configuring MSTP Multi-process

After an MSTP device binds its ports to different processes, the MSTP device performs the

MSTP calculation based on processes, and only relevant ports in each process take part in MSTP

calculation.

9.4 Configuring MSTP Parameters on an Interface

MSTP implements RSTP rapid convergence. To achieve rapid convergence, you need to

configure proper MSTP parameters.

9.5 Configuring MSTP Protection Functions

MSTP protection functions are as follows, and you can configure one or more functions as

required.

9.6 Configuring MSTP Interoperability Between Huawei Devices and Non-Huawei Devices

To enable Huawei devices to interwork with non-Huawei devices, configure proper parameters

and functions, including the BPDU format, MSTP protocol packet format, and digest snooping

function, on the Huawei devices running MSTP.

9.7 Maintaining MSTP

MSTP maintenance includes resetting MSTP statistics.



Configuration Guide - Ethernet 9 MSTP Configuration



238



This section provides a configuration example of MSTP.





239



9.1 MSTP Overview

MSTP enables multiple VLANs to be grouped into a spanning-tree instance, forming a VLAN

mapping table. Each instance has a spanning-tree topology independent of other spanning-tree

instances. This architecture provides multiple forwarding paths for data traffic and enables load

balancing.

9.1.1 MSTP Introduction

The Multiple Spanning Tree Protocol (MSTP) incorporates the functions of the Spanning Tree

Protocol (STP) and Rapid Spanning Tree Protocol (RSTP), and outperforms them. It enables

rapid convergence and provides load balancing across redundant paths.

BackgroundSTP and RSTP are used in a LAN to prevent loops. The devices running STP/RSTP discover

loops on the network by exchanging information with each other and trim the ring topology into

a loop-free tree topology by blocking a certain interface. Replication and circular propagation

of packets are thus prevented on the network and the processing performance of devices is

improved by avoiding repeated packets on the network.

STP and RSTP both have a defect: All VLANs on a LAN use one spanning tree, and thus inter-

VLAN load balancing cannot be performed. Once a link is blocked, the link will no longer

transmit traffic, wasting bandwidth and causing a failure in forwarding certain VLAN packets.

To fix the defect of STP and RSTP, the IEEE released the 802.1s standard in 2002, defining

MSTP. MSTP compatible with STP and RSTP implements rapid convergence and providesmultiple paths to load balance VLAN traffic.

Table 9-1 shows the comparison between STP, RSTP, and MSTP.





240



Table 9-1 Comparison between STP, RSTP, and MSTP

Spanning TreeProtocols

Characteristics ApplicationScenarios

Precautions

STP A loop-free tree is generated.Thus, broadcast storms are

prevented and redundancy is

implemented.

Irrespective of different users or

services, all

VLANs share one

spanning tree.

NOTEl If the current

switching

device

supports

only STP,

STP is

recommende

d. For

details, see

STP/RSTP

Configurati

on.

l

If the currentswitching

device

supports

both STP

and RSTP,

RSTP is

recommende

d. For

details, see

STP/RSTP

Configurati

on.

l If the current

switchingdevice

supports

STP or

RSTP, and

MSTP,

MSTP is

recommende

d.

RSTP l A loop-free tree is

generated. Thus,


prevented and redundancy

is implemented.

l A feedback mechanism is

provided to confirm

topology convergence.Thus, rapid convergence

is implemented.

MSTP l A loop-free tree or some

loop-free trees are

generated. Thus,


prevented and redundancy

is implemented.

l A feedback mechanism is

provided to confirm


Thus, rapid convergence

is implemented.

l MSTP implements load

balancing among VLANs.

Traffic in different

VLANs is transmitted

along different paths.

User or service-

specific load

balancing is

required. Traffic

for different

VLANs is

forwarded

through different

spanning trees,which are

independent of

each other.

Introduction




situation.



entries.

MSTP, compatible with STP and RSTP, isolates service traffic and user traffic by using multiple

instances and provides multiple paths to load balance VLAN traffic.





241



If MSTP is deployed in the LAN shown in Figure 9-1, MSTIs are generated, as shown in Figure

9-1.

Figure 9-1 Multiple spanning trees in an MST region

SwitchA

SwitchESwitchB

SwitchC SwitchF

SwitchD

Host C Host A

Host DHost B

(VLAN3) (VLAN2)

(VLAN3)(VLAN2)

VLAN3VLAN2

VLAN2

VLAN2

VLAN3

VLAN2

VLAN3

VLAN3VLAN2 VLAN3

VLAN2VLAN3

MSTI2 (root switch: SwitchF)

MSTI1 (root switch: SwitchD) VLAN2 --> MSTI1

VLAN3 --> MSTI2

VLAN3

VLAN2

l MSTI 1 uses Switch D as the root switching device to forward packets of VLAN 2.

l MSTI 2 uses Switch F as the root switching device to forward packets of VLAN 3.

Devices within the same VLAN can communicate with each other and packets of different

VLANs are load-balanced along different paths.

Basic MSTP Concepts

l MST region

An MST region contains multiple switching devices and network segments between them.

The switching devices have the following characteristics:

– MSTP-enabled

– Same region name– Same VLAN-to-instance mapping

– Same MSTP revision number

A LAN can comprise several MST regions that are directly or indirectly connected.

Multiple switching devices can be grouped into an MST region by using MSTP

configuration commands.

As shown in Figure 9-2, the MST region D0 contains the switching devices S1, S2, S3,

and S4, and has three MSTIs.





242



Figure 9-2 MST region

D0

S1

other VLANs MSTI0

S2

S4

S3

VLAN1 MSTI1VLAN2,VLAN3 MSTI2

MSTI1root switch:S3

MSTI2root switch:S2

MSTI0 (IST)root switch:S1

AP1

Master Bridge

l VLAN mapping table

The VLAN mapping table is an attribute of the MST region. It describes mappings between

VLANs and MSTIs.

Figure 9-2 shows the mappings in the VLAN mapping table of the MST region D0:

– VLAN 1 is mapped to MSTI 1.

– VLAN 2 and VLAN 3 are mapped to MSTI 2.

– Other VLANs are mapped to MSTI 0.

l Regional root

Regional roots are classified into Internal Spanning Tree (IST) and MSTI regional roots.

In the region B0, C0, and D0 on the network shown in Figure 9-4, the switching devices

closest to the Common and Internal Spanning Tree (CIST) root are IST regional roots.

An MST region can contain multiple spanning trees, each called an MSTI. An MSTI

regional root is the root of the MSTI. On the network shown in Figure 9-3, each MSTI hasits own regional root.





243



Figure 9-3 MSTI

Root

VLAN10&20&30

V L AN 1 0 & 2 0

VLAN 20&30

VLAN

10&30

V L AN 3 0 VLAN

10&30 V L AN 2 0

VLAN 10

MST Region

Root

MSTI

corresponding toVLAN 10

RootMSTI


MSTI


MSTI linksMSTI links blocked by the protocol

MSTIs are independent of each other. An MSTI can correspond to one or more VLANs,

but a VLAN can be mapped to only one MSTI.

l CIST root





244



Figure 9-4 MSTP network

CIST Root

A0

B0

C0

D0 Region Root

Region Root

Region Root

CST

IST

On the network shown in Figure 9-4, the CIST root is the root bridge of a CIST. The CIST

root is a device in A0.

l CST

A Common Spanning Tree (CST) connects all the MST regions on a switching network.

Each MST region can be considered a node. A CST is calculated by using STP or RSTP

based on all the nodes.

As shown in Figure 9-4, the MST regions are connected to form a CST.

l IST

An IST resides within an MST region.

An IST is a special MSTI with the MSTI ID of 0, called MSTI 0.

An IST is a segment of the CIST in an MST region.

As shown in Figure 9-4, the switching devices in an MST region are connected to form an

IST.

l CIST

A CIST, calculated by using STP or RSTP, connects all the switching devices on a switching

network.

As shown in Figure 9-4, the ISTs and the CST form a complete spanning tree, that is, CIST.

l SST

A Single Spanning Tree (SST) is formed in either of the following situations:





245





PortRoles

Description

Master

port

A master port is on the shortest path connecting MST regions to the CIST

root.

BPDUs of an MST region are sent to the CIST root through the master port.

Master ports are special regional edge ports, functioning as root ports on

ISTs or CISTs and master ports in instances.

As shown in Figure 9-5, S1, S2, S3, and S4 form an MST region. AP1 on

S1, being the nearest port in the region to the CIST root, is the master port.

Regional

edge port

A regional edge port is located at the edge of an MST region and connects

to another MST region or an SST.

During MSTP calculation, the roles of a regional edge port in the MSTI and

the CIST instance are the same. If the regional edge port is the master port

in the CIST instance, it is the master port in all the MSTIs in the region.As shown in Figure 9-5, AP1, DP2, and DP3 in an MST region are directly

connected to other regions, and therefore they are all regional edge ports of

the MST region.

As shown in Figure 9-5, AP1 is a regional edge port and also a master port

in the CIST. Therefore, AP1 is the master port in every MSTI in the MST

region.

Edge

port

An edge port is located at the edge of an MST region and does not connect

to any switching device.

Generally, edge ports are directly connected to terminals.

As shown in Figure 9-5, BP3 is an edge port.

Figure 9-5 Port roles

S1

AP2

S2S3

AP3

CP2 CP3 BP2

CP1 BP1

Root bridge

Root port

Designated port

Alternate port

Backup port





247



l Port status

Table 9-3 lists the MSTP port status, which is the same as the RSTP port status.

Table 9-3 Port status

PortStatus

Description

Forwardi

ng

A port in the Forwarding state can send and receive BPDUs as well as


Learning This is a transition state. A port in the Learning state learns MAC addresses

from user traffic to construct a MAC address table.

In the Learning state, the port can send and receive BPDUs, but cannot


Discardi

ng

A port in the Discarding state can only receive BPDUs.

There is no necessary link between the port status and the port role. Table 9-4 lists the

relationships between port roles and port status.

Table 9-4 Relationships between port roles and port status

Port

Status

Root Port/

MasterPort

Designate

d Port

Regional

Edge Port

Alternate

Port

Backup

Port

Forwardi

ng

Yes Yes Yes No No

Learning Yes Yes Yes No No

Discardi

ng

Yes Yes Yes Yes Yes

Yes: The port supports this status.

No: The port does not support this status.

9.1.2 MSTP Features Supported by the S6700

Before configuring MSTP, familiarize yourself with the concepts of basic MSTP functions,

topology convergence, MSTP protection, MSTP multi-process, and MSTP interoperability

between Huawei devices and non-Huawei devices. This will help you complete the configuration

task quickly and accurately.

MSTP is used to block redundant links on the Layer 2 network and trim a network into a loop-

free tree. In MSTP, multiple MSTIs can be created and VLANs are mapped into differentinstances to load-balance VLAN traffic. The basic configuration roadmap of MSTP is as follows:





248



1. In a ring network, divide regions and create different instances for regions.

2. Select a switching device functioning as a root bridge from switching devices for each

instance.

3. In each instance, calculate the shortest paths from the other switching devices to the root

bridge, and select a root port for each non-root switching device.

4. In each instance, select a designated port for each connection according to port IDs.

According to current networking, master ports and backup ports may be involved. For details,

see 9.1.1 MSTP Introduction.

MSTP also supports the following features to meet requirements of special applications and

extended functions:

l Supports the Proposal/Agreement mechanism to implement rapid convergence.

l Supports protection functions as listed in Table 9-5.

l Supports MSTP multi-process in the scenario where MSTP and STP/RSTP are used

together. MSTP multi-process implements independent spanning tree calculation for everyaccess rings.

l Supports MSTP interoperability between Huawei devices and non-Huawei devices. Proper

parameters are required on Huawei devices running MSTP to ensure nonstop

communication.

Table 9-5 MSTP protection

MSTPProtection


BPDU

protection


non-edge port after receiving a BPDU, which







switching device, the switching device shutsdown the edge port if the edge port receives






advertising network


switching device needs todelete MAC entries and ARP



resources.



processed by a switching device within a

given time period is configurable. If the

number of TC-BPDUs that the switchingdevice receives within the given time exceeds



number of times. Excessive TC-BPDUs are


for once after the timeout period expires. This

protects the switching device from frequently

deleting MAC entries and ARP entries, thus

avoiding over-burden.





249



MSTPProtection


Root

protection

Due to incorrect




BPDUs with a higher





topology is illegitimately

changed, triggering



from high-speed links tolow-speed links, causing

traffic congestion.

To address this issue, the root protection

function can be configured to protect the root

bridge by preserving the role of the

designated port. With this function, when the

designated port receives RST BPDUs with a

higher priority, the port enters the Discarding

state and does not forward the BPDUs. If the

port does not receive any RST BPDUs with a

higher priority for a certain period (double the

Forward Delay), the port transitions to the

Forwarding state.

Loop

protection









enters the Forwarding state.Loops may occur in such a

situation.

The loop protection function can be used to

prevent such network loops. If the root port

or alternate port cannot receive RST BPDUs

from the upstream switching device, the root

port is blocked and the switching device


Discarding state. The blocked port remains in

the Blocked state and no longer forwards

packets. This prevents loops on the network.The root port restores the Forwarding state

after new RST BPDUs are received.

Share-link

protection

In the scenario where a

switching device is dual-

homed to a network, when

the share link of multiple

processes fails, loops may

occur.

Share-link protection can address such a

problem. This function forcibly changes the

working mode of the local switching device

to RSTP. Share-link protection needs to be

used together with root protection to avoid

network loops.

MSTP Multi-process

l Background

As shown in Figure 9-6, SwitchA, SwitchB, and SwitchC are connected through Layer 2

links, and are all enabled with MSTP. The CEs on the rings support only STP/RSTP.

Multiple access rings exist and these rings access the MST region by using different

interfaces on SwitchA and SwitchB.





250



Figure 9-6 Networking diagram of MSTP multi-process

SwitchA SwitchB

SwitchC

PE1 PE2

CE

CE

CE CE

CE

CE

Instance1:VLAN2~100

Instance2:VLAN101~200

Process 1

Process 2

Process 3


Ring2

Ring1 Ring3

On the network shown in Figure 9-6, multiple Layer 2 rings, Ring 1, Ring 2, and Ring 3

exists. STP must be enabled on these rings to prevent loops. SwitchA and SwitchB are

connected to multiple access rings and these rings are isolated from each other and do not

need intercommunication. STP then will not calculate out one spanning tree for all these

access rings. Instead, STP on each access ring calculates the trees independently.

MSTP supports multiple spanning tree instances (MSTIs) only when all devices support

MSTP and the devices are configured with the same MST region. In the networking, the

CEs connected to switching devices, however, support only STP/RSTP. According to

MSTP, switching devices consider that they are in different regions with CEs after receiving

STP/RSTP messages sent from the CEs. Therefore, only one spanning tree is calculated

for the ring formed by switching devices and CEs and the access rings are not independent

of each other.

In this case, MSTP multi-process can be used. Multiple MSTP processes can be configured

on SwitchA and SwitchB. Each MSTP process has the same function and supports MSTIs.Each MSTP process corresponds to one access ring.

After MSTP multi-process is enabled, each MSTP process can manage some interfaces on

a device. That is, Layer 2 interfaces on the device are divided and managed by multiple

MSTP processes. Each MSTP process runs the standard MSTP.

NOTE

CEs that support MSTP can also be configured with MSTP multi-process.

After a device properly starts, there is a default MSTP process with the ID 0. MSTP configurations

in the system view and interface view both belong to this process.

l Share link

As shown in Figure 9-6, the link between SwitchA and SwitchB is a Layer 2 link runningMSTP. The share link between SwitchA and SwitchB is different from the links connecting





251



switching devices to CEs. The ports on the share link need to participate in the calculation

for multiple access rings and MSTP processes. This allows SwitchA and SwitchB to

identify from which MST BPDUs are sent.

In addition, a port on the share link participates in the calculation for multiple MSTP

processes, and obtains different status. As a result, the port cannot determine its status.To prevent this situation, it is defined that a port on a share link always adopts its status in

MSTP process 0 when participating in the calculation for multiple MSTP processes.

NOTE

The S6700 does not support the Per-VLAN Spanning Tree (PVST) protocol and cannot process PVST

packets. You can configure the S6700 to transparently transmit PVST packets. For details, see 11 Layer

2 Protocol Transparent Transmission Configuration.

9.2 Configuring Basic MSTP Functions

MSTP based on the basic STP/RSTP function divides a switching network into multiple regions,each of which has multiple spanning trees that are independent of each other. MSTP isolates

user traffic and service traffic, and load-balances VLAN traffic.

MSTP is commonly configured on a switching device to trim a ring network to a loop-free

network. MSTP configurations on the switching device involve MSTP working mode

configuration and MST region configuration and activation. If you need to interfere in the

spanning tree calculation, the following methods are available:

l Setting a priority for a switching device in an MSTI: The lower the numerical value, the

higher the priority of the switching device and the more likely the switching device becomes

a root bridge; the higher the numerical value, the lower the priority of the switching device

and the less likely that the switching device becomes a root bridge.

l Setting a path cost for a port in an MSTI: With the same calculation method, the lower the

numerical value, the smaller the cost of the path from the port to the root bridge and the

more likely the port becomes a root port; the higher the numerical value, the larger the cost

of the path from the port to the root bridge and the less likely that the port becomes a root

port.

l Setting a priority for a port in an MSTI: The lower the numerical value, the more likely the

port becomes a designated port; the higher the numerical value, the less likely that the port

becomes a designated port.


Before configuring basic MSTP functions, familiarize yourself with the applicable environment,complete the pre-configuration tasks, and obtain the required data. This will help you complete

the configuration task quickly and accurately.





situation.


network. Loops also cause flapping of MAC address tables and thus damages MAC addressentries.





252



MSTP can be deployed on a network to eliminate loops. If a loop is detected, MSTP blocks one

or more ports to eliminate the loop. In addition, MSTIs can be configured to load-balance VLAN

traffic.

As shown in Figure 9-7, Switches A, B, C, and D all support MSTP. It is required to create

MSTI 1 and MSTI 2, configure a root bridge for each MSTI, and set the ports to be blocked toload-balance traffic of VLANs 1 to 10 and VLANs 11 to 20 among different paths.

Figure 9-7 Networking diagram of configuring basic MSTP functions

SwitchA

SwitchC

SwitchB

SwitchD

PC1 PC2

Root Switch:SwitchA

Root Switch:SwitchB

MSTI1:

MSTI2:

Blocked port

Blocked port

MST Region

Network

VLAN1~10

VLAN11~20

MSTI1

MSTI2





253



NOTE

If the current device supports MSTP, configuring MSTP is recommended.


Before configuring basic MSTP functions, complete the following task:


physical status of the interfaces is Up

l Configuring VLAN features of the ports

Data Preparation

To configure basic MSTP functions, you need the following data.

No. Data

1 MSTP working mode

2 MST region name, VLAN-to-instance mapping, and MSTP revision number

3 (Optional) ID of an MSTI

4 (Optional) Priority of a switching device in an MSTI

5 (Optional) Priority of a port in an MSTI

6 (Optional) Path cost of a port in an MSTI

9.2.2 Configuring the MSTP Mode

Before configuring basic MSTP functions, you need to configure the working mode of a

switching device to MSTP. MSTP is compatible with STP and RSTP.

Procedure

Step 1 Run:

system-view


Step 2 Run:

stp mode mstp

The working mode of the switching device is configured as MSTP. By default, the working

mode is MSTP.

STP and MSTP cannot recognize packets of each other but MSTP and RSTP can. If a switching

device is configured to work in MSTP mode and is connected to some switching devices running

STP, the switching device automatically transits the working mode of the interfaces connected

to the switching devices running STP to STP and other interfaces still run MSTP. This enables

devices running different spanning tree protocols to interwork with each other.

----End





254



9.2.3 Configuring and Activating an MST Region

MSTP divides a switching network into multiple MST regions. After an MST region name,

VLAN-to-instance mappings, and an MSTP revision number are configured, activating the MST

region is necessary. After this step is done, MST region configuration is complete.

Context

An MST region contains multiple switching devices and network segments between them. These

switching devices are directly connected and have the same region name, same VLAN-to-

instance mapping, same configuration revision number after MSTP is enabled. One switching

network can have multiple MST regions and multiple switching devices can be grouped into

one MST region by using MSTP configuration commands.

CAUTION

Two switching devices belong to the same MST region when they have the same:

l Name of the MST region

l Mapping between VLANs and MSTIs

l Revision level of the MST region

Do as follows on a switching device that needs to join an MST region:


system-view


Step 2 Run:

stp region-configuration

The MST region view is displayed.

Step 3 Run:

region-name name

The name of an MST region is configured.

By default, the MST region name is the MAC address of the management network interface on

the MPU of the switching device.

Step 4 Perform either of the following steps to configure VLAN-to-instance mappings.

l Run the instance instance-id vlan { vlan-id [ to vlan-id ] }&<1-10> command to configure

VLAN-to-instance mappings.

l Run the vlan-mapping modulo modulo command to enable VLAN-to-instance mapping

assignment based on a default algorithm.

By default, all VLANs in an MST region are mapped to MSTI 0.





255



NOTE

l The instance instance-id vlan { vlan-id [ to vlan-id ] }&<1-10> command is recommended because

VLAN-to-instance mapping assignments cannot meet actual mapping requirements.

l In the command, vlan-mapping modulo indicates that the formula (VLAN ID-1)%modulo+1 is used.

In the formula, (VLAN ID-1)%modulo means the remainder of (VLAN ID-1) divided by the value of modulo. This formula is used to map a VLAN to the corresponding MSTI. The calculation result of

the formula is ID of the mapping MSTI.


revision-level level

The MSTP revision number is set.

By default, the MSTP revision number is 0.

If the revision number of the MST region is not 0, this step is necessary.

NOTE

The change of related MST region configurations (especially change of the VLAN mapping table) causes

the recalculation of spanning trees and the route flapping in a network. Therefore, after an MST region

name, VLAN-to-instance mappings, and an MSTP revision number is configured, activating the MST

region is necessary. You can run the check region-configuration command in the MST region view to check

whether region configurations are correct. After confirming that region configurations are correct, run the

active region-configuration command to activate MST region configurations.

Step 6 Run:

active region-configuration

MST region configurations are activated so that the configured region name, VLAN-to-instance

mappings, and revision number can take effect.

If this step is not done, the preceding configurations cannot take effect.

If you have changed MST region configurations on the switching device after MSTP starts, run

the active region-configuration command to activate the MST region so that the changed

configurations can take effect.

----End

9.2.4 (Optional) Setting a Priority for a Switching Device in an MSTI

The lower the numerical value is, the higher priority a switching device has and the more likely

the switching device will be selected as a root bridge.

Context

In an MSTI, there is only one root bridge and it is the logic center of the MSTI. In root bridge

selection, the switching device with high performance and network hierarchy is generally

selected as a root bridge; however, the priority of such a device may be not that high. Thus setting

a high priority for the switching device is necessary so that the device can function as a root

bridge.

Other devices with low performance and network hierarchy are not fit to be a root bridge.

Therefore, set low priorities for these devices.





256



CAUTION

If an S6700 is configured as the root switch or secondary root switch, the priority of the

S6700 cannot be set. If you want to set the priority of the S6700, you must disable the root switchor secondary root switch.

Procedure

Step 1 Run:

system-view


Step 2 Run:

stp [ instance instance-id ] priority priority

A priority is set for the switching device in an MSTI.

The default priority value of the switching device is 32768.

If the instance is not designated, a priority is set for the switching device in MSTI0.

NOTE

l To configure a switching device as a primary root bridge, you can run the stp [ instance instance-id ]

root primary command directly. The priority value of this switching device is 0.

l To configure a switching device as a secondary root bridge, run the stp [ instance instance-id ] root

secondary command. The priority value of this switching device is 4096.

In an MSTI, a switching device cannot act as a primary root bridge and a secondary root bridge at thesame time.

----End

9.2.5 (Optional) Setting a Path Cost of a Port in an MSTI

The MSTP path cost determines root port selection in an MSTI. The port with the lowest path

cost to the root bridge is selected as a root port.

Context

A path cost is port-specific, which is used by MSTP as a reference to select a link.

Path costs of a port are an important basis for calculating spanning trees. If you set different path

costs for a port in different MSTIs, you can make VLAN traffic be transmitted along different

physical links and thus carry out VLAN load balancing.

On a network where loops occur, you are recommended to set a relatively large path cost for the

port at a low link rate. MSTP puts the port with the large path cost in the Blocking state and

blocks the link where this port resides.

Procedure






257




Step 2 Run:

stp pathcost-standard { dot1d-1998 | dot1t | legacy }

A path cost calculation method is configured.

By default, the IEEE 802.1t standard method is used to calculate the default path cost.

All switching devices on a network must use the same path cost calculation method.

Step 3 Run:



Step 4 Run:

stp instance instance-id cost cost

A path cost is set for the port in the current MSTI.l When the Huawei proprietory calculation method is used, cost ranges from 1 to 200000.

l When the IEEE 802.1d standard method is used, cost ranges from 1 to 65535.

l When the IEEE 802.1t standard method is used, cost ranges from 1 to 200000000.

----End

9.2.6 (Optional) Setting a Port Priority in an MSTI

The lower the numerical value, the more likely the port on a switching device becomes a

designated port; the higher the numerical value, the more likely the port is to be blocked.

Context

In spanning tree calculation, priorities of ports on switching devices in MSTIs determine

designated port selection.

If you expect to block a port on a switching device in an MSTI to eliminate loops, set the port

priority value to be larger than the default value. This port will be blocked in designated port

selection.

Procedure



Step 2 Run:



Step 3 Run:

stp instance instance-id port priority priority

A port priority is set in an MSTI.

By default, the port priority is 128.





258



The value range of the priority is from 0 to 240, with the step 16. That is, the port priority can

be 0, 16, or 32.

----End

9.2.7 Enabling MSTP

After basic MSTP functions are configured on a switching device, enabling the MSTP function

is required so that MSTP can work properly.

Context

After MSTP is enabled on a ring network, MSTP immediately calculates spanning trees on the

network. Configurations on the switching device, such as, the switching device priority and port

priority, will affect spanning tree calculation. Any change of the configurations may cause

network flapping. Therefore, to ensure rapid and stable spanning tree calculation, perform basic

configurations on the switching device and its ports and enable MSTP.

Procedure

Step 1 Run:

system-view


Step 2 Run:

stp enable

MSTP is enabled on the switching device.

By default, the MSTP function is enabled on a S6700.

----End


After basic MSTP functions are configured, verify that the configurations take effect.

Prerequisite

All configurations of basic MSTP functions are complete.

Procedure

l Run the display stp [ instance instance-id ][ interface { interface-type interface-

number } ] [ brief ] command to view spanning-tree status and statistics.

l Run the display stp region-configuration command to view configurations of activated

MST regions.

l Run the display stp region-configuration [ digest ] command to view the digest

configurations of activated MST regions.

----End





259



9.3 Configuring MSTP Multi-process

After an MSTP device binds its ports to different processes, the MSTP device performs the

MSTP calculation based on processes, and only relevant ports in each process take part in MSTP

calculation.


Before configuring MSTP multi-process, familiarize yourself with the applicable environment,

complete the pre-configuration tasks, and obtain the required data. This will help you complete

the configuration task quickly and accurately.


On the networking with both Layer 2 single-access rings and multi-access rings deployed,

switching devices bear both Layer 2 and Layer 3 services. To enable different rings to bear

different services, deploy MSTP multi-process. Spanning trees of different processes are

calculated independently and do not affect each other.

As shown in Figure 9-8, Switches A, B, and C are connected through Layer 2 links, and are all

enabled with MSTP. The CEs on the on rings support only STP/RSTP. Multiple access rings

exist and these rings access the MSTP region through different interfaces on Switches A and B.

Figure 9-8 Networking diagram of MSTP multi-process

SwitchA SwitchB

SwitchC

PE1 PE2

CE

CE

CE CE

CE

CE

Instance1:VLAN2~100


Process 1

Process 2

Process 3


Ring2

Ring1 Ring3





260




Before configuring MSTP multi-process, complete the following task:

l Configuring basic MSTP functions

Data Preparation

To configure MSTP multi-process, you need the following data.

No. Data

1 IDs of MSTP processes

2 Priority of a switching device in an MSTI

9.3.2 Creating an MSTP Process

A process ID uniquely identifies an MSTP multi-process. After an MSTP device binds its ports

to different processes, the MSTP device performs the MSTP calculation based on processes, and

only relevant ports in each process take part in MSTP calculation.

Context

Do as follows on the devices connected to access rings:

Procedure

Step 1 Run:

system-view


Step 2 Run:

stp process process-id

An MSTP process is created and the MSTP process view is displayed.

Step 3 Run:stp mode mstp

A working mode is configured for the MSTP process.

The default mode is MSTP.

NOTE

l After a device starts, there is a default MSTP process with the ID 0. MSTP configurations in the system

view and interface view belong to this process. The default working mode of this process is MSTP.

l To add an interface to an MSTP process with the ID of non-zero, run the stp process command and

then the stp binding process command.

----End





261



9.3.3 Adding an Interface to an MSTP Process - Access Links

The links connecting MSTP devices and access rings are called access links. After being added

to MSTP processes, interfaces on the access links can participate in MSTP calculation.

Context


Procedure

Step 1 Run:

system-view


Step 2 Run:



Step 3 Run:

stp binding process process-id

The current interface is added to the MSTP process.

----End

9.3.4 Adding an Interface to an MSTP Process - Share Link

The link shared by multiple access rings are called a share link. The interfaces on the share link need to participate in MSTP calculation in multiple access rings in different MSTP processes.

After being added to MSTP processes, interfaces on the access links can participate in MSTP

calculation.

Context


Procedure

Step 1 Run:

system-view


Step 2 Run:



The interface specified in this command must be an interface on the share link between the

devices configured with MSTP multi-process but not the interfaces that connect an access ring

and a device.

Step 3 Run:stp binding process process-id [ to process-id ] link-share





262



The interface is added to multiple MSTP processes to complete MSTP calculation.

NOTE

For a process with share links, you must run the stp enable command globally. For an interface that is

added to the process in link-share mode, you must run the stp enable command in the interface view.

----End

9.3.5 Configuring Priorities and Root Protection in MSTP Multi-process

You can configure priorities and root protection in MSTP multi-process to protect links over

access rings.

Context

To prevent loops over the access ring after the share links fails, configure priorities and root protection in MSTP multi-process.

Root protection is configured on the access interface of a device with second highest priority.

l For detailed configuration of priorities in MSTP multi-process, see 9.2.4 (Optional)

Setting a Priority for a Switching Device in an MSTI.

l For detailed configuration of root protection in MSTP multi-process, see 9.5.4 Configuring

Root Protection on an Interface.

NOTE

The MSTP priority of a downstream device must be lower than that of a UPE.

9.3.6 Configuring TC Notification in MSTP Multi-process

After the TC notification function is configured for MSTP multi-process, the current MSTP

process can notify the MSTIs in other specified MSTP processes to refresh MAC address entries

and ARP entries after receiving a TC-BPDU. Nonstop services are ensured.

Context


Procedure

Step 1 Run:

system-view


Step 2 Run:


The view of the created MSTP process is displayed.

Step 3 Run:

stp tc-notify process 0

TC notification is enabled in the MSTP process.





263



After the stp tc-notify process 0 command is run, the current MSTP process notifies the MSTIs

in MSTP process 0 to update MAC entries and ARP entries after receiving a TC-BPDU. This

prevents services from being interrupted.

----End


After MSTP multi-process is configured, check whether the configurations take effect.

Prerequisite

All configurations of MSTP multi-process are complete.

Procedure

Step 1 Run the display stp [ process process-id ] [ instance instance-id ] [ interface interface-type

interface-number | slot slot-id ] [ brief ] command to view spanning-tree status and statistics.

----End

9.4 Configuring MSTP Parameters on an Interface

MSTP implements RSTP rapid convergence. To achieve rapid convergence, you need to

configure proper MSTP parameters.


Before configuring basic MSTP parameters, familiarize yourself with the applicable




In some specific networks, MSTP parameters will affect the speed of network convergence.

Configuring proper MSTP parameters is required.

NOTE

The default parameters also can be used to complete MSTP rapid convergence. Therefore, the configuration

procedures and steps in this command task are all optional.


Before configuring MSTP parameters, complete the following task:


Data Preparation

To configure MSTP parameters, you need the following data.





264



No. Data

1 Network diameter

2 Hello time, forwarding delay time, maximum aging time, and timeout period for

waiting for BPDUs from the upstream (3 x hello time x time factor)

3 Maximum hop count in an MST region

4 Link type of a port

5 Whether to Rapid transition mechanism

6 Whether to transition to the RSTP mode

7 Maximum number of sent BPDUs

8 Whether a port needs to be configured as an edge port

9 Whether auto recovery needs to be configured for an edge port being shut down

10 Whether a port needs to clear statistics of the spanning tree

11 Whether an edge port needs to be configured as a BPDU filter

9.4.2 Configuring System Parameters

MSTP parameters that may affect network convergence include the network diameter, hello

time, and timeout period for waiting for BPDUs from the upstream (3 x hello time x time factor).

Configure proper MSTP parameters to implement rapid network convergence.

Procedure

Step 1 Run:

system-view




The MSTP process view is displayed.

NOTE

This step is needed only when you perform configurations in an MSTP process with a non-zero ID. If you

perform configurations in the MSTP process 0, skip is step.

Step 3 Run:

stp bridge-diameter diameter

The network diameter is configured.

By default, the network diameter is 7.





265



l RSTP uses a single spanning tree instance on the entire network, which cannot prevent the

performance from deteriorating when the network scale grows. Therefore, the network

diameter cannot be larger than 7.

l It is recommended that you run the stp bridge-diameter diameter command to set the

network diameter. Then, the switching device calculates the optimal Forward Delay period,Hello time, and Max Age period based on the set network diameter.

Step 4 Run:

stp timer-factor factor

The timeout period for waiting for BPDUs from the upstream of a switching device is set.

By default, the timeout period of a switching device is 9 times as long as the Hello time.

Step 5 (Optional) To set the Forward Delay period, Hello time, and Max Age period, perform the

following operations:

lRun the stp timer forward-delay forward-delay command to set the Forward Delay periodfor a switching device.

The default Forward Delay period of a switching device is 1500, in centiseconds.

l Run the stp timer hello hello-time command to set the Hello time for a switching device.

The default Hello time of a switching device is 200, in centiseconds.

l Run the stp timer max-age max-age command to set the Max Age period for a switching

device.

The default Max Age period of a switching device is 2000, in centiseconds.

NOTE

The values of the Hello time, Forward Delay period, and Max Age period must comply with the followingformulas. Otherwise, networking flapping occurs.

l 2 × (Forward Delay - 1.0 second) >= Max Age

l Max Age >= 2 × (Hello Time + 1.0 second)

Step 6 Run:

stp max-hops hop

The maximum hop count is set for the MST region.

By default, the maximum hop count of the MST region is 20.

Step 7 Run:stp mcheck

MCheck is enabled.

On a switching device running MSTP, if an interface is connected to a device running STP, the

interface automatically transitions to the STP mode.

Enabling MCheck on the interface is required because the interface may fail to automatically

transition to the MSTP mode in the following situations:


l The switching device running STP transitions to the MSTP mode.





266



NOTE

If you run the stp mcheck command in the system view, the MCheck operation is performed on all the

interfaces.

----End

9.4.3 Configuring Port Parameters

Port parameters that may affect MSTP topology convergence include the link type and maximum

number of sent BPDUs. Configure proper port parameters to implement rapid topology

convergence.

Procedure

Step 1 Run:

system-view


Step 2 Run:




stp point-to-point { auto | force-false | force-true }

The link type is configured for a port.

By default, a port automatically determines whether to connect to a P2P link. The P2P link

supports rapid network convergence.

l If the Ethernet port works in full-duplex mode, the port is connected to a P2P link. In this

case, force-true can be configured to implement rapid network convergence.

l If the Ethernet port works in half-duplex mode, you can configure stp point-to-point force-

true to forcibly set the link type to P2P to implement rapid network convergence.

Step 4 Run:

stp mcheck

MCheck is enabled.

On a switching device running MSTP, if an interface is connected to a device running STP, theinterface automatically transitions to the STP mode.

Enabling MCheck on the interface is required because the interface may fail to automatically

transition to the MSTP mode in the following situations:


l The switching device running STP transitions to the MSTP mode.

Step 5 Run:

stp transmit-limit packet-number

The maximum number of BPDUs sent by a port within each Hello time is set.

By default, the maximum number of BPDUs that a port sends within each Hello time is 147.





267





The port is configured as an edge port.

If a device port is connected to a terminal, you can run this command to configure the port asan edge port.

By default, the port is a non-edge port.

Step 7 Run:

quit



error-down auto-recovery cause cause-item interval interval-value

The auto recovery function on an edge port is configured. That is, enable the port in the error-down state to automatically go Up, and set the delay for the transition from Down to Up.

There is no default value for the recovery time. Therefore, you must specify a delay when

configuring this command.

----End

Follow-up Procedure

When the topology of a spanning tree changes, the forwarding paths to associated VLANs are

changed. Then, ARP entries corresponding to those VLANs on the switching device need to be

updated. MSTP processes ARP entries in either fast or normal mode.

l In fast mode, ARP entries to be updated are directly deleted.

l In normal mode, ARP entries to be updated are rapidly aged.

The remaining lifetime of ARP entries to be updated is set to 0. The switching device rapidly

processes these aged entries. If the number of ARP aging probe attempts is not set to 0,

ARP implements aging probe for these ARP entries.

In either fast or normal mode, MAC entries are directly deleted.

You can run the stp converge { fast | normal } command in the system view to configure the

MSTP convergence mode.

By default, the MSTP convergence is configured as normal.

NOTE

The normal mode is recommended. If the fast mode is adopted, ARP entries will be frequently deleted,

causing the CPU usage on the MPU or LPU to reach 100%. As a result, network flapping frequently occurs.


After MSTP parameters are configured, check whether the configurations take effect.

Prerequisite

The configurations of MSTP parameters are complete.





268



Procedure

l Run the display stp [ instance instance-id ] [ interface { interface-type interface-


----End

9.5 Configuring MSTP Protection Functions

MSTP protection functions are as follows, and you can configure one or more functions as

required.


Before configuring MSTP protection functions, familiarize yourself with the applicable

environment, complete the pre-configuration tasks, and obtain the required data. This will helpyou complete the configuration task quickly and accurately.


MSTP provides the following protection functions, as listed in Table 9-6.

Table 9-6 MSTP protection

MSTPProtection


BPDU

protection


non-edge port after








switching device, the switching device shuts

down the edge port if the edge port receives






advertising network topology changes), a


delete MAC entries and ARP



resources.



processed by a switching device within agiven time period is configurable. If the

number of TC-BPDUs that the switching

device receives within the given time exceeds



number of times. Excessive TC-BPDUs are


for once after the timeout period expires. This

protects the switching device from frequently

deleting MAC entries and ARP entries, thus

avoiding over-burden.





269



MSTPProtection


Root

protection

Due to incorrect




BPDUs with a higher





topology is illegitimately

changed, triggering



from high-speed links tolow-speed links, causing

traffic congestion.

To address this issue, the root protection

function can be configured to protect the root

bridge by preserving the role of the

designated port. With this function, when the

designated port receives RST BPDUs with a

higher priority, the port enters the Discarding

state and does not forward the BPDUs. If the

port does not receive any RST BPDUs with a

higher priority for a certain period (double the

Forward Delay), the port transitions to the

Forwarding state.

Loop

protection









enters the Forwarding state.Loops may occur in such a

situation.

The loop protection function can be used to

prevent such network loops. If the root port

or alternate port cannot receive RST BPDUs

from the upstream switching device, the root

port is blocked and the switching device


Discarding state. The blocked port remains in

the Blocked state and no longer forwards

packets. This prevents loops on the network.The root port restores the Forwarding state

after new RST BPDUs are received.

Share-link

protection

In the scenario where a

switching device is dual-

homed to a network, when

the share link of multiple

processes fails, loops may

occur.

Share-link protection can address such a

problem. This function forcibly changes the

working mode of the local switching device

to RSTP. Share-link protection needs to be

used together with root protection to avoid

network loops.

NOTE

l After a device normally starts, there is a default MSTP process with the ID 0. MSTP configurations in

the system view and interface view both belong to this process.

l For more information about MSTP multi-process configuration, see 9.3 Configuring MSTP Multi-

process.


Before configuring MSTP protection functions on a switching device, complete the following

task:






270





9.5.3 Configuring TC Protection on a Switching Device

After TC protection is enabled, you can set the number of times for an MSTP process to process

TC-BPDUs within a given time. TC protection avoids frequent deletion of MAC address entries

and ARP entries, thereby protecting switching devices.

Context

An attacker may send pseudo TC-BPDUs to attack switching devices. Switching devices receive

a large number of TC BPDUs in a short time and delete entries frequently, which burdens system

processing and degrades network stability.

TC protection is used to suppress TC-BPDUs. The number of times that TC-BPDUs are

processed by a switching device within a given time period is configurable. If the number of

TC-BPDUs that the switching device receives within a given time exceeds the specified

threshold, the switching device handles TC-BPDUs only for the specified number of times.

Excessive TC-BPDUs are processed by the switching device as a whole for once after the timer (that is, the specified time period) expires. This protects the switching device from frequently

deleting MAC entries and ARP entries, thus avoiding over-burdened.

Procedure

Step 1 Run:

system-view





NOTE

This step is needed only when you perform configurations in an MSTP process with a non-zero ID. If you

perform configurations in the MSTP process 0, skip is step.

Step 3 Run:

stp tc-protection

TC protection is enabled for the MSTP process.

By default, TC protection is enabled on the switching device.

Step 4 Run:

stp tc-protection threshold threshold

The threshold of the number of times the MSTP process handles the received TC-BPDUs and

updates forwarding entries within a given time is set.

NOTE

The value of the given time is consistent with the MSTP Hello time set by using the stp timer hello hello-

time command.

----End





272



9.5.4 Configuring Root Protection on an Interface

The root protection function on a switching device protects a root bridge by preserving the role

of a designated port.

Context

Due to incorrect configurations or malicious attacks on the network, a root bridge may receive

BPDUs with a higher priority. Consequently, the legitimate root bridge is no longer able to serve

as the root bridge, and the network topology is illegitimately changed, triggering spanning tree

recalculation. This also may cause the traffic that should be transmitted over high-speed links

to be transmitted over low-speed links, leading to network congestion. The root protection

function on a switching device is used to protect the root bridge by preserving the role of the

designated port.

NOTE

Root protection is configured on a designated port. It takes effect only when being configured on the port

that functions as a designated port on all MSTIs. If root protection is configured on other types of ports, it

does not take effect.

Do as follows on a root bridge in an MST region:

Procedure

Step 1 Run:

system-view


Step 2 Run:





The port is bound to an MSTP process.

NOTE

This step is performed only when the interface needs to be bound to an MSTP process with a non-zero ID.

If the interface belongs to process 0, skip this step.

Step 4 Run:

stp root-protection

Root protection is configured on the switching device.

By default, root protection is disabled.

----End

9.5.5 Configuring Loop Protection on an Interface

The loop protection function suppresses the loops caused by link congestion.





273



Context

On a network running MSTP, a switching device maintains the root port status and status of

blocked ports by receiving BPDUs from an upstream switching device. If the switching device

cannot receive BPDUs from the upstream because of link congestion or unidirectional-link

failure, the switching device re-selects a root port. The original root port becomes a designated

port and the original blocked ports change to the Forwarding state. This may cause network

loops. To address such a problem, configure loop protection.

After loop protection is configured, if the root port or alternate port does not receive BPDUs

from the upstream switching device, the root port is blocked and the switching device notifies

the NMS that the port enters the Discarding state. The blocked port remains in the Blocked state

and no longer forwards packets. This prevents loops on the network. The root port restores the

Forwarding state after receiving new BPDUs.

NOTE

An alternate port is a backup port of a root port. If a switching device has an alternate port, you need to

configure loop protection on both the root port and the alternate port.

Do as follows on a root port and an alternate port on a switching device in an MST region:

Procedure

Step 1 Run:

system-view


Step 2 Run:





The port is bound to an MSTP process.

NOTE

This step is performed only when the interface needs to be bound to an MSTP process with a non-zero ID.

If the interface belongs to process 0, skip this step.

Step 4 Run:

stp loop-protection

Loop protection for the root port is configured on the switching device.

By default, loop protection is disabled.

----End

9.5.6 Configuring Share-Link Protection on a Switching Device

The share-link protection function on a switching device helps automatically transition to theRSTP working mode. It can also be used together with root protection to avoid network loops.





274



Context

Share-link protection is used in the scenario where a switching device is dual homed to a network.

When a share link fails, share-link protection forcibly changes the working mode of a local

switching device to RSTP. This function can also be used together with root protection to avoidnetwork loops.

Procedure

Step 1 Run:

system-view


Step 2 Run:



Step 3 Run:

stp link-share-protection

Share-link protection is enabled.

----End


After MSTP protection functions are configured, check whether the configurations take effect.

Prerequisite

All configurations of MSTP protection functions are complete.

Procedure



----End

9.6 Configuring MSTP Interoperability Between HuaweiDevices and Non-Huawei DevicesTo enable Huawei devices to interwork with non-Huawei devices, configure proper parameters

and functions, including the BPDU format, MSTP protocol packet format, and digest snooping

function, on the Huawei devices running MSTP.


Before configuring MSTP interoperability between Huawei devices and non-Huawei devices,

familiarize yourself with the applicable environment, complete the pre-configuration tasks, and

obtain the data required for the configuration. This will help you complete the configuration task quickly and accurately.





275




On an MSTP network, inconsistent protocol packet formats and BPDU keys may lead to a

communication failure. Configuring proper MSTP parameters on Huawei devices ensures

interoperability between Huawei devices and non-Huawei devices.


Before configuring MSTP interoperability between Huawei devices and non-Huawei devices,

complete the following task:


Data Preparation

To configure MSTP interoperability between Huawei devices and non-Huawei devices, you

need the following data.

No. Data

1 BPDU format

2 MSTP protocol packet format

9.6.2 Configuring a Proposal/Agreement Mechanism

To enable Huawei Datacom devices to communicate with non-Huawei devices, configure a

proper rapid transition mechanism on Huawei devices according to the Proposal/Agreementmechanism on non-Huawei devices.

Context

The rapid transition mechanism is also called the Proposal/Agreement mechanism. Switching

devices currently support the following modes:

l Enhanced mode: The current interface counts a root port when it computes the

synchronization flag bit.



connected to the upstream device as a root port and blocks all non-edge ports.

– The upstream device then sends an Agreement message to the downstream device. After

the downstream device receives the message, the root port transitions to the Forwarding

state.

– The downstream device then responds to the Proposal message with an Agreement

message. After receiving the message, the upstream device sets the port connected to

the downstream device as a designated port, and the designated port transitions to the

Forwarding state.

l Common mode: The current interface ignores the root port when it computes the

synchronization flag bit.

–

An upstream device sends a Proposal message to a downstream device, requesting rapidstatus transition. After receiving the message, the downstream device sets the port





276



connected to the upstream device as a root port and blocks all non-edge ports. The root

port then transitions to the Forwarding state.

– The downstream device responds to the Proposal message with an Agreement message.

After receiving the message, the upstream device sets the port connected to the

downstream device as a designated port. The designated port then transitions to theForwarding state.

When Huawei Datacom devices are interworking with non-Huawei devices, select either mode

depending on the Proposal/Agreement mechanism on non-Huawei devices.

Procedure

Step 1 Run:

system-view


Step 2 Run:





The interface is bound to an MSTP process.

NOTE

This step binds an interface to an MSTP process with a non-zero ID. If the interface belongs to process 0,skip this step.

Step 4 Run:

stp no-agreement-check

The common rapid transition mechanism is configured.

By default, the interface uses the enhanced rapid transition mechanism.

----End

9.6.3 Configuring the MSTP Protocol Packet Format on an InterfaceMSTP protocol packets can be transmitted in auto, dot1s, or legacy mode. The default mode is

auto.

Context

MSTP protocol packets have two formats: dot1s (IEEE 802.1s standard packets) and legacy

(proprietary protocol packets). The auto mode is introduced to allow an interface to automatically

use the format of MSTP protocol packets sent from the remote interface. In this manner, the two

interfaces use the same MSTP protocol packet format.

Do as follows on a switching device in an MST region:





277



Procedure

Step 1 Run:

system-view


Step 2 Run:






NOTE

This step binds an interface to an MSTP process with a non-zero ID. If the interface belongs to process 0,skip this step.

Step 4 Run:

stp compliance { auto | dot1s | legacy }

The MSTP protocol packet format is configured on the interface.

The auto mode is used by default.

NOTE

If the format of MSTP packets is set to dot1s on one end and legacy on the other end, the negotiation fails.

----End

9.6.4 Enabling the Digest Snooping Function

When a Huawei device is connected to a non-Huawei device, if the region names, revision

numbers, and VLAN-to-instance mappings configured on the two devices are consistent but the

BPDU keys are different, the two devices cannot communicate. To address this problem, enable

the digest snooping function on the Huawei device.

Context

Do as follows on a switching device in an MST region:

Procedure

Step 1 Run:

system-view


Step 2 Run:



Step 3 (Optional) Run:stp binding process process-id





278




NOTE

This step binds an interface to an MSTP process with a non-zero ID. If the interface belongs to process 0,

skip this step.

Step 4 Run:

stp config-digest-snoop

The digest snooping function is enabled.

----End


After MSTP parameters are configured for the interoperability between Huawei devices and

non-Huawei devices, check whether the configurations take effect.

Prerequisite

All the configurations for the interoperability between Huawei devices and non-Huawei devices

are complete.

Procedure



----End

9.7 Maintaining MSTP

MSTP maintenance includes resetting MSTP statistics.

9.7.1 Clearing MSTP Statistics

You can run the reset commands to reset MSTP statistics to 0.

Context

CAUTION

MSTP statistics cannot be restored after you clear them. Therefore, exercise caution when using

the reset commands.

After you confirm that MSTP statistics need to be cleared, run the following command in the

user view.





279





6. On SwitchC and SwitchD, connect XGE 0/0/1 to a PC and configure XGE 0/0/1 as an edge

port. Enable BPDU protection on SwitchC and SwitchD.

7. Configure the Switches to calculate the path cost by using the algorithm of Huawei.

Data Preparation


l Region that SwitchA and SwitchC belong to: RG1

l Region that SwitchB and SwitchD belong to: RG2

l Numbers of the XGE interfaces, as shown in Figure 9-9

l VLAN IDs: 1-20

Procedure

Step 1 Configure SwitchA.

# Configure the MST region on SwitchA.

<SwitchA> system-view

[SwitchA] stp region-configuration

[SwitchA-mst-region] region-name RG1

[SwitchA-mst-region] instance 1 vlan 1 to 10

# Activate the configuration of the MST region.

[SwitchA-mst-region] active region-configuration

[SwitchA-mst-region] quit

# Set the priority of SwitchA in MSTI0 to 0 to ensure that SwitchA functions as the CIST root.

[SwitchA] stp instance 0 priority 0

# Set the priority of SwitchA in MSTI1 to 1 to ensure that SwitchA functions as the regional

root of MSTI1.

[SwitchA] stp instance 1 priority 0

# Configure SwitchA to use Huawei private algorithm to calculate the path cost.

[SwitchA] stp pathcost-standard legacy

# Create VLANs 2 to 20.

[SwitchA] vlan batch 2 to 20

# Add XGE 0/0/2 to the VLANs.

[SwitchA] interface XGigabitEthernet 0/0/2


[SwitchA-XGigabitEthernet0/0/2] port trunk allow-pass vlan 1 to 20









# Enable root protection on the XGE 0/0/1.





281






# Enable root protection on the XGE 0/0/2.

[SwitchA] interface XGigabitEthernet 0/0/2[SwitchA-XGigabitEthernet0/0/2] stp root-protection


# Enable MSTP.


Step 2 Configure SwitchB.

# Configure the MST region on SwitchB.

[SwitchB] stp region-configuration

[SwitchB-mst-region] region-name RG2

[SwitchB-mst-region] instance 1 vlan 1 to 10


[SwitchB-mst-region] active region-configuration

[SwitchB-mst-region] quit

# Set the priority of SwitchB in MSTI0 to 4096 to ensure that SwitchB functions as the CIST

root.

[SwitchB] stp instance 0 priority 4096

# Configure SwitchB to use Huawei private algorithm to calculate the path cost.

[SwitchB] stp pathcost-standard legacy

# Create VLANs 2 to 20.[SwitchB] vlan batch 2 to 20


[SwitchB] interface XGigabitEthernet 0/0/1


[SwitchB-XGigabitEthernet0/0/1] port trunk allow-pass vlan 1 to 20




[SwitchB] interface XGigabitEthernet 0/0/2


[SwitchB-XGigabitEthernet0/0/2] port trunk allow-pass vlan 1 to 20[SwitchB-XGigabitEthernet0/0/2] bpdu enable


# Enable MSTP.


Step 3 Configure SwitchC.

# Configure the MST region on SwitchC.

[SwitchC] stp region-configuration

[SwitchC-mst-region] region-name RG1

[SwitchC-mst-region] instance 1 vlan 1 to 10






282



[SwitchC-mst-region] active region-configuration

[SwitchC-mst-region] quit

# Configure SwitchC to use Huawei private algorithm to calculate the path cost.

[SwitchC] stp pathcost-standard legacy

# Enable BPDU protection.

[SwitchC] stp bpdu-protection


[SwitchC] vlan batch 2 to 20


[SwitchC] interface XGigabitEthernet 0/0/2


[SwitchC-XGigabitEthernet0/0/2] port trunk allow-pass vlan 1 to 20






[SwitchC-XGigabitEthernet0/0/3] port trunk allow-pass vlan 1 to 20



# Configure XGE 0/0/1 as an edge port.


[SwitchC-XGigabitEthernet0/0/1] stp edged-port enable

[SwitchC-XGigabitEthernet0/0/1] port hybrid pvid vlan 20

[SwitchC-XGigabitEthernet0/0/1] port hybrid untagged vlan 20

[SwitchC-XGigabitEthernet0/0/1]quit

# Enable MSTP.


Step 4 Configure SwitchD.

# Configure the MST region on SwitchD.

[SwitchD] stp region-configuration

[SwitchD-mst-region] region-name RG2

[SwitchD-mst-region] instance 1 vlan 1 to 10


[SwitchD-mst-region] active region-configuration[SwitchD-mst-region] quit

# Set the priority of SwitchD in MSTI1 to 0 to ensure that SwitchD functions as the regional

root of MSTI1.

[SwitchD] stp instance 1 priority 0

# Configure SwitchD to use Huawei private algorithm to calculate the path cost.

[SwitchD] stp pathcost-standard legacy

# Enable BPDU protection.

[SwitchD] stp bpdu-protection






283



[SwitchD] vlan batch 2 to 20


[SwitchD] interface XGigabitEthernet 0/0/2


[SwitchD-XGigabitEthernet0/0/2] port trunk allow-pass vlan 1 to 20[SwitchD-XGigabitEthernet0/0/2] bpdu enable





[SwitchD-XGigabitEthernet0/0/3] port trunk allow-pass vlan 1 to 20



# Configure XGE 0/0/1 as an edge port.


[SwitchD-XGigabitEthernet0/0/1] stp edged-port enable

[SwitchD-XGigabitEthernet0/0/1] port hybrid pvid vlan 10[SwitchD-XGigabitEthernet0/0/1] port hybrid untagged vlan 10


# Enable MSTP.



After the preceding configurations are complete and the network topology becomes stable,

perform the following operations to verify the configuration.

# Run the display stp brief command on SwitchA to view the status and protection type on the

interfaces. The displayed information is as follows:

<SwitchA> display stp brief






The priority of SwitchA is the highest in the CIST; therefore, SwitchA is elected as the CIST

root and regional root of RG1. XGE 0/0/2 and XGE 0/0/1 of SwitchA are designated ports in

the CIST.

The priority of SwitchA in MSTI1 is the highest in RG1; therefore, SwitchA is elected as the

regional root of SwitchA. XGE 0/0/2 and XGE 0/0/1 of SwitchA are designated ports in MSTI1.

# Run the display stp interface brief commands on SwitchC. The displayed information is as

follows:

<SwitchC> display stp interface XGigabitEthernet 0/0/3 brief




<SwitchC> display stp interface XGigabitEthernet 0/0/2 brief




XGE 0/0/3 of SwitchC is the root port in the CIST and MSTI1. XGE 0/0/2 of SwitchC is a

designated port in the CIST and MSTI1.

# Run the display stp brief command on SwitchB. The displayed information is as follows:





284



<SwitchB> display stp brief





1 XGigabitEthernet0/0/2 MAST FORWARDING NONE

The priority of SwitchB in the CIST is lower than that of SwitchA; therefore, XGE 0/0/2 of

SwitchB functions as the root port in the CIST. SwitchA and SwitchB belong to different regions;

therefore, XGE 0/0/2 of SwitchB functions as the master port in MSTI1. In MSTI1, the priority

of SwitchB is lower than that of SwitchD; therefore, XGE 0/0/1 of SwitchB functions as the root

port. The priority of SwitchB in the CIST is higher than that of SwitchB; therefore, XGE 0/0/1

of SwitchB functions as the designated port in the CIST.

# Run the display stp interface brief commands on SwitchD. The displayed information is as

follows:

<SwitchD> display stp interface XGigabitEthernet 0/0/3 brief



1 XGigabitEthernet0/0/3 DESI FORWARDING NONE<SwitchD> display stp interface XGigabitEthernet 0/0/2 brief




On SwitchD, XGE 0/0/2 functions as the alternate port in the CIST. SwitchD and SwitchC are

in different regions; therefore, XGE 0/0/2 of SwitchD also functions as the alternate port in

MSTI1.

XGE 0/0/3 of SwitchD is the root port in the CIST. The priority of SwitchD is higher than that

of SwitchB in MSTI1; therefore, XGE 0/0/3 also functions as the designated port in MSTI1.

----End

Configuration Files


#

sysname SwitchA

#

vlan batch 2 to 20

#

stp instance 0 priority 0


stp pathcost-standard legacy


region-name RG1

instance 1 vlan 1 to 10


#




stp root-protection

#




stp root-protection

#

return


# sysname SwitchB





285



#

vlan batch 2 to 20

#




region-name RG2 instance 1 vlan 1 to 10


#




#




#

return


#

sysname SwitchC

#

vlan batch 2 to 20

#

stp bpdu-protection



region-name RG1



#








#




#

return


#

sysname SwitchD

#

vlan batch 2 to 20

#


stp bpdu-protection



region-name RG2



#





#


port link-type trunk port trunk allow-pass vlan 2 to 20





286



#




#

Return

9.8.2 Example for Configuring MSTP Multi-Process for Layer 2Single-Access Rings and Layer 2 Multi-Access Rings

MSTP multi-process enables different Layer 2 access rings to transmit different services.


On the network with both Layer 2 single-access rings and multi-access rings deployed, switching

devices transmit both Layer 2 and Layer 3 services. To enable different rings to transmit different

services, configure MSTP multi-process. Spanning trees of different processes are calculated

independently.

As shown in Figure 9-10, both Layer 2 single-access rings and dual-access rings are deployed

and switches A and B carry both Layer 2 and Layer 3 services. Switches A and B connected to

dual-access rings are also connected to a single-access ring.

NOTE

In the ring where MSTP multi-process is configured, you are advised not to block the interface directly

connected to the root protection-enabled designated port.

Figure 9-10 Networking for MSTP multi-process for Layer 2 single-access rings and multi-

access rings

SwitchA SwitchB

SwitchC

PE1 PE2

CE

CE

CE CE

CE

CE

XGE0/0/5 XGE0/0/5

XGE0/0/1 XGE0/0/1XGE0/0/4 XGE0/0/4

XGE0/0/3 XGE0/0/3XGE0/0/2 XGE0/0/2

Instance1:VLAN2~100


Region name:RG1

Process 1

Process 2

Process 3


Network





287





1. Configure basic MSTP functions, add devices to MST regions, and create MSTIs.

NOTE

l Each ring can belong to only one region.

l Each CE can join only one ring.

2. Configure multiple MSTP processes, including:

(1) Create multiple MSTP processes and add interfaces to relevant processes.

(2) Configure a share-link.

3. Configure MSTP protection functions, including:

l Configure priorities of MSTP processes and enable root protection.l Configure share-link protection.

4. Configure the Layer 2 forwarding function on devices.

Data Preparation


l Name of an MST region and names of MSTIs

l VLAN IDs

l IDs of MSTP processes

Procedure

Step 1 Configure basic MSTP functions, add devices to an MST region, and create MSTIs.

1. Configure MST regions and create MSTIs.

# Configure an MST region and create MSTIs on Switch A.



[SwitchA] stp region-configuration

[SwitchA-mst-region] region-name RG1



[SwitchA-mst-region] instance 3 vlan 201 to 300[SwitchA-mst-region] active region-configuration

[SwitchA-mst-region] quit

# Configure an MST region and create MSTIs on Switch B.



[SwitchB] stp region-configuration

[SwitchB-mst-region] region-name RG1




[SwitchB-mst-region] active region-configuration

[SwitchB-mst-region] quit

2. Enable MSTP.

# Configure Switch A.





288




# Configure Switch B.


Step 2 Configure multiple MSTP processes.

1. Create multiple MSTP processes and add interfaces to relevant processes.

# Create MSTP processes 1 and 2 on Switch A.

[SwitchA] stp process 1

[SwitchA-mst-process-1] quit


[SwitchA-mst-process-2] quit

# Create MSTP processes 2 and 3 on Switch B.

[SwitchB] stp process 2

[SwitchB-mst-process-2] quit


[SwitchB-mst-process-3] quit

# Add XGE 0/0/3 and XGE 0/0/4 on Switch A to MSTP process 1 and XGE 0/0/2 to MSTP

process 2.



[SwitchA-XGigabitEthernet0/0/4] stp binding process 1










# Add XGE 0/0/3 and XGE 0/0/4 on Switch B to MSTP process 3 and XGE 0/0/2 to MSTP

process 2.



[SwitchB-XGigabitEthernet0/0/4] stp binding process 3










2. Configure a share-link.


[SwitchA] interface xgigabitethernet0/0/1


[SwitchA-XGigabitEthernet0/0/1] stp binding process 2 link-share



[SwitchB] interface xgigabitethernet0/0/1


[SwitchB-XGigabitEthernet0/0/1] stp binding process 2 link-share


3. Enable the MSTP function in MSTP multi-process.







289



[SwitchA-stp-process-1] stp enable

[SwitchA-stp-process-1] quit


[SwitchA-stp-process-2] stp enable


# Configure Switch B.[SwitchB] stp process 3

[SwitchB-stp-process-3] stp enable

[SwitchB-stp-process-3] quit


[SwitchB-stp-process-2] stp enable


Step 3 Configure MSTP protection functions.

l Configure priorities of MSTP processes and enable root protection.



[SwitchA-stp-process-1] stp instance 0 root primary












[SwitchB-stp-process-3] stp instance 0 root primary

[SwitchB-stp-process-3] stp instance 3 root primary



[SwitchB-stp-process-2] stp instance 0 root secondary[SwitchB-stp-process-2] stp instance 2 root secondary



[SwitchB-XGigabitEthernet0/0/2] stp root-protection


NOTE

l In each ring, the priority of the MSTP process on the downstream CE must be lower than the priority

of the MSTP process on the switching device.

l For switches A and B on the dual-access ring, you are recommended to configure them as the

primary root bridges of different MSTIs.

l Configure share-link protection.



[SwitchA-stp-process-2] stp link-share-protection




[SwitchB-stp-process-2] stp link-share-protection


Step 4 Create VLANs and add interfaces to VLANs.

# Create VLANs 2 to 200 on Switch A. Add XGE 0/0/3 and XGE 0/0/4 to VLANs 2 to 100, and

add XGE 0/0/1 and XGE 0/0/2 to VLANs 101 to 200.

[SwitchA] vlan batch 2 to 200





290









[SwitchA-XGigabitEthernet0/0/4] port trunk allow-pass vlan 2 to 100[SwitchA-XGigabitEthernet0/0/4] quit









# Create VLANs 101 to 300 on Switch B. Add XGE 0/0/3 and XGE 0/0/4 to VLANs 201 to

300, and add XGE 0/0/1 and XGE 0/0/2 to VLANs 101 to 200.

[SwitchB] vlan batch 101 to 300

[SwitchB] interface xgigabitethernet 0/0/3[SwitchB-XGigabitEthernet0/0/3] port link-type trunk














[SwitchB-XGigabitEthernet0/0/2]quit


l Run the display stp interface brief command on Switch A, and you can view the following

information:

# XGE 0/0/4 is a designated port in the CIST of MSTP process 1 and in MSTI 1.

[SwitchA] display stp process 1 interface GiabitEthernet 0/0/4 brief





[SwitchA] display stp process 2 interface giabitethernet 0/0/2 brief




l Run the display stp interface brief command on Switch B, and you can view the following

information:


[SwitchB] display stp process 3 interface giabitethernet 0/0/4 brief





[SwitchB] display stp process 2 interface giabitethernet 0/0/2 brief MSTID Port Role STP State Protection





291





----End

Configuration FilesOnly the MSTP-related configuration files are listed.


#

sysname

SwitchA

#

vlan batch 2 to

300

#

stp region-

configuration

region-name

RG1

instance 1 vlan 2 to

100


200


300

active region-

configuration

#

stp process

1

stp instance 0 root

primary

stp instance 1 rootprimary

stp

enable

stp process

2

stp instance 0 root

primary

stp instance 2 root

primary

stp link-share-

protection

stp

enable

#

interface

XGigabitEthernet0/0/1


port trunk allow-pass vlan 101 to

200

stp binding process 2 link-share

#

interface




200

stp binding process

2

stp root-

protection






292





100

stp binding process

1

#

interface XGigabitEthernet0/0/4port link-type trunk


100

stp binding process 1

#

return

l Configuration file of Switch B

#

sysname

SwitchB

#

vlan batch 2 to

300

#

stp region-

configuration

region-name

RG1


100


200


300

active region-

configuration

#

stp process

2

stp instance 0 rootsecondary

stp instance 2 root

secondary

stp link-share-

protection

stp

enable

stp process

3

stp instance 0 root

primary

stp instance 3 root

primary

stp

enable

#




200

stp binding process 2 link-

share

#




200

stp binding process

2

stp root-

protection#





293






300

stp binding process

3




300

stp binding process

3

#

return





294



10 SEP Configuration

About This Chapter

As a link layer protocol dedicated to Ethernet rings, SEP blocks redundant links on a network

to prevent logical loops.

10.1 SEP Overview

The Smart Ethernet Protection (SEP) protocol is a dedicated link layer protocol for use on

Ethernet rings. It boasts the high convergence speed, supports diverse topologies, and is able to

display the network topology on any device.

10.2 Configuring Basic SEP Functions

When there is no faulty link on a ring network running SEP, SEP can eliminate loops on the

Ethernet. When a link fault occurs on a ring network running SEP, SEP can immediately restore

the communication links between the nodes.

10.3 Specifying an Interface to Block

By default, the blocked interface is one of the last two interfaces that complete neighbor

negotiation. Sometimes, the negotiated blocked interface, however, may not be the expected

one. An inter face can be selected to block as required.

10.4 Configuring SEP Multi-Instance

SEP multi-instance allows two SEP segments to be configured on a physical ring network. After

different protected instances are configured for the SEP segments and VLANs are mapped to

specified protected instances, load balancing and link backup can be implemented for servicetraffic.

10.5 Configuring the Topology Change Notification Function

The function of advertising topology changes is configured on the device connecting a lower-

level network to an upper-level network. With this function, the device can notify the remote

device of topology changes of the lower-level and upper-level networks. After being notified of

these topology changes, all the devices on the network where the remote device resides delete

associated MAC addresses and ARP entry in time and relearn the MAC address of the remote

device. This ensures nonstop traffic forwarding.

10.6 Maintaining SEP

This section describes the commands for maintaining SEP, including the commands for clearing

SEP statistics.


Configuration Guide - Ethernet 10 SEP Configuration



295




This section describes the networking requirements, configuration roadmap, and data

preparation for a typical SEP application and provides the configuration examples.





296



10.1 SEP Overview

The Smart Ethernet Protection (SEP) protocol is a dedicated link layer protocol for use on

Ethernet rings. It boasts the high convergence speed, supports diverse topologies, and is able to

display the network topology on any device.

10.1.1 SEP Overview

SEP supports open-ring, closed-ring, single-ring, and multi-ring topologies and meets the

requirements of various topologies for redundant protection.

Introduction

Generally, redundant links are used on an Ethernet switching network to provide link backup

and enhance network reliability. The use of redundant links, however, may produce loops,causing broadcast storms and rendering the MAC address table unstable. As a result, the

communication quality deteriorates, and communication services may even be interrupted.

To solve the loop problem, Huawei datacom devices support the ring network protocols shown

in Table 10-1.

Table 10-1 Ring Network Protocol

Ring NetworkProtocol

Advantage Disadvantag e

DeploymentScenario

STP/RSTP/

MSTP

The Spanning Tree Protocol

(STP), Rapid Spanning Tree

Protocol (RSTP), and Multi-

Spanning Tree Protocol

(MSTP) are standard protocols

for breaking loops on Ethernet

networks. They are mature and

widely applied. Huawei

devices running one of them

can communicate with non-

Huawei devices.

The network

convergence

time is at the

second level,

which cannot

meet the

requirements

of some real-

time services.

The

convergence

time isaffected by the

network

topology.

They are applicable to

Layer 2 networks that

have a low requirement

on convergence time.





297





DeploymentScenario

RRPP The Rapid Ring Protection

Protocol (RRPP) is a private

protocol of Huawei. It features

short convergence time (less

than 50 ms) and supports load

balancing for different types of

traffic.

l A Huawei

device

running

RRPP

cannot

communic

ate with

any non-

Huawei

device.

l RRPP has

a high

requirement on

network

topologies.

Logical

topologies

need to be

configured

for a

physical

topology,

and

primaryrings and

sub-rings

need to be

defined for

these

logical

topologies.

Therefore,

RRPP is

not

applicable

to complex

networks.

It is applicable to single

rings, tangent rings, and

intersecting rings that

have a high requirement

on the convergence

time.





298





DeploymentScenario

SEP l SEP is a private protocol of

Huawei. It boasts short

convergence time (less

than 50 ms). Huawei

devices running SEP can

communicate with non-

huawei devices running

other types of ring

protocols.

l SEP supports various types

of networking modes. For

example, a network

running SEP cancommunicate with a

network running STP,

RSTP, MSTP, or RRPP.

SEP supports all topologies

and the display of network

topologies.

The blocked interface,

therefore, can be quickly

located. When a fault

occurs, SEP can quickly

locate the fault, improvingnetwork maintainability.

l SEP supports various

policies for specifying an

interface to block. This

allows the implementation

of traffic load balancing.

l The

devices on

a SEP-

enabled

network

must be

Huawei

datacom

devices.

l On a SEP

network,

after

network convergen

ce, a

specified

interface is

blocked to

prevent

data traffic

from

passing

through the

interface,

even if thelink where

the

interface

resides is a

direct link.

It is applicable to Layer

2 networks that have a

high requirement on

convergence time.

Definitions

The SEP protocol is a dedicated link layer protocol for use on Ethernet ring networks. A SEPsegment is the basic unit of the protocol. A SEP segment is composed of multiple interconnected

Layer 2 switching devices that are configured with the same SEP segment ID and control VLAN

ID.

Only two interfaces on a Layer 2 switching device can be added to the same SEP segment. In a

SEP segment, loops can be prevented by starting a protection mechanism to selectively block

certain interfaces and eliminate Ethernet redundant links. When a fault occurs on a ring network,

a device running SEP can quickly unblock the blocked interface to perform link switching. This

maintains normal communication between nodes on the ring network.

Figure 10-1 shows a typical SEP application. CE1 is connected to NPEs through a closed-ring

formed by switches. A VRRP backup group is deployed on the NPEs. Initially, the status of NPE1 is master and the status of NPE2 is backup. When the link between NPE1 and LSW5 or





299



a node on the link becomes faulty (it is assumed that the link between LSW1 and LSW5 becomes

faulty), the following situations occur:

l If SEP is not deployed on the closed-ring, CE1 still forwards traffic along the original path,

causing traffic interruption.

l If SEP is deployed on the closed-ring, the blocked interface on LSW5 becomes unblockedand enters the forwarding state. In addition, it sends Link Status Advertisements (LSAs)

to instruct other nodes on the SEP segment to refresh their LSA databases. CE1 sends traffic

along the backup link LSW5->LSW2->LSW4->LSW3->NPE1. This ensures proper traffic

transmission.





300







As shown in Table 10-2, edge interfaces are further classified into primary edge interfaces,

secondary edge interfaces, no-neighbor primary edge interfaces, and no-neighbor

secondary edge interfaces.

NOTE

Normally, an edge interface and a no-neighbor edge interface belong to different SEP segments.

Table 10-2 Interface roles

Interfaceroles

Sub-role Description DeploymentScenario

Common

port

- In a SEP segment, all interfaces except

edge interfaces and the blocked

interface are common interfaces.

A common interface monitors the

status of its directly connected SEP

link and notifies its neighboring

interface of link status changes in

time. The neighboring interface

constantly floods the notification

message to other interfaces in the SEP

segment until the message reaches the

primary edge interface. The primary

edge interface then processes the

message.

-

Edge port Primary

Edge Port

A SEP segment has only one primary

edge interface. It can either be

configured or be elected.

The primary edge interface initiates

blocked-interface preemption,

terminates packets, and sends packets

about topology changes to other

networks.

Open ring

network

Closed ring

network

Multiple-ring

networking

Hybrid SEP

+RRPP ring

networkingSecondary

edge port

A SEP segment has only one

secondary edge interface. It can either

be configured or be elected.

A secondary edge interface terminates

packets, and sends topology changenotification messages to other

networks.





303



Interfaceroles


No-

neighbor

primary

edge port

The interface at the most marginal

edge of a SEP segment is a no-

neighbor primary edge interface, as

shown in Figure 10-2. It is configured

by users.

A no-neighbor primary interface

initiates blocked-interface

preemption, terminates packets, and

sends topology change notification

messages to other networks.

No-neighbor primary edge interfaces

are used to interconnect Huawei

devices and non-Huawei devices or

devices that do not support SEP.

Hybrid SEP

+MSTP ring

networking

No-

neighbor

secondary

edge port

A no-neighbor secondary edge

interface terminates packets and sends

topology change notification

messages to other networks.

No-neighbor secondary edge

interfaces are used to interconnect

non-Huawei devices and devices that

do not support SEP.

l Blocked interface

In a SEP segment, an interface is blocked to prevent loops.

If you do not specify the interface as a blocked interface, any interface in a SEP segment

may be blocked. Only one interface is blocked in a SEP segment that works properly.

l Status of SEP-enabled interfaces

Table 10-3 shows the status of SEP-enabled interfaces in a SEP segment.

Table 10-3 Interface status

Interface

Status

Description

Forwarding An interface in the forwarding state can forward user traffic, and receive

and send SEP packets.

Discarding An interface in the discarding state only receives and sends SEP packets.

The interface status does not depend on the interface role. An interface may be in forwarding

or discarding state regardless of its role.





304



The process of breaking a loop by using SEP

1. After a SEP segment is created, the interfaces on each node of the ring network are added

to the SEP segment, and a role is configured for each interface.

2. The neighbor negotiation mechanism is started after the interfaces are added to the SEP

segment. One of the last two interfaces that complete neighbor negotiation becomes a

blocked interface.

3. The blocked interface sends LSAs to instruct other nodes in the SEP segment to update

their LSA databases.

The blocked interface does not allow data packets but SEP protocol packets to pass through.

4. After receiving the LSAs, the nodes update their LSA databases, and then determine

forwarding paths. The loop is successfully broken.

Typical SEP Topologies

l Open ring network

Figure 10-3 Networking diagram for an open ring running SEP

VLAN/VPLS

LSW1

LSW2

LSW3

LSW4

LSW5

CE

PE-AGG1 PE-AGG2

NPE1 NPE2

IP/MPLS Core

SEP

Segment

A c c e s

s

A g g r e g a t i o n

C o r e

Block Port

Primary Edge Node

Secondary Edge Node

VRRP+peer BFD





305



As shown in Figure 10-3, the networking consists of the access layer, aggregation layer,

and core layer. The CE is dual-homed to the upstream Layer 2 network through LSW1 to

LSW5. LSW1 to LSW5 form an open ring network. The open ring network is deployed at

the access layer to implement Layer 2 transparent transmission of unicast and multicast packets. SEP runs at the access layer to implement link redundancy.

On a closed ring network, an edge interface is deployed on each of the two edge devices.

l Closed ring network

Figure 10-4 Networking diagram for a closed ring running SEP

LSW1

LSW2

LSW3

LSW4

LSW5

CE1

NPE1 NPE2

IP/MPLS Core

CE2 CE3

SEP

Segment

A c c e s s

A g g

r e g a t i o n

C o r e

Block Port

Primary Edge Node

Secondary Edge Node

VRRP+peer BFD

As shown in Figure 10-4, the CEs are dual-homed to the upstream Layer 2 network through

LSW1 to LSW5. The edge devices LSW1 and LSW5 are directly connected to each other.

LSW1 to LSW5 form a closed ring network. The closed ring network is deployed at the

aggregation layer to aggregate unicast and multicast services. SEP runs at the aggregation

layer to implement link redundancy.

On a closed ring network, two edge interfaces are deployed on one edge device.

l Multiple-ring networking





306



Figure 10-5 Networking diagram for multiple rings running SEP

LSW1

LSW2LSW3

LSW4

LSW5

Block Port

NPE1 NPE2

IP/MPLS Core

SEP

Segment 1

LSW6

LSW7

LSW8

LSW10 LSW11

LSW12

LSW13LSW14

LSW9

A c c e s s


C o r e

S E P

S e g m

e n t 2

S E P

S e g m

e n t 3

SEP

Segment 4

SEP

Segment 5

VRRP+peer BFD

As shown in Figure 10-5, LSW1 to LSW14 form multiple rings. LSW1 to LSW5 are at

the aggregation layer, and LSW6 to LSW14 are at the access layer. Layer 2 services are

transparently transmitted at the access layer and the aggregation layer. SEP runs at the

aggregation layer and access layer to implement link redundancy. If the topology of a SEPsegment at the access layer changes, a node in the SEP segment sends a Flush-FDB packet

to instruct the other nodes in the SEP segment to refresh their MAC address forwarding

tables and ARP tables. The edge devices in the SEP segment send TC packets to notify

devices at the upper layer that the topology of the SEP segment has changed.

In multi-ring networking, topology change notification among ring networks needs to be

configured.

l Hybrid networking

– Hybrid SEP+MSTP ring networking





307





Figure 10-7 Networking diagram for hybrid rings running SEP+RRPP

LSW1 LSW2

LSW3

Block Port

NPE1 NPE2

IP/MPLS Core

A c c e s s SEP

Segment

RRPP A g g r e g a t i o n

C

o r e

PE1 PE2

PE4PE3

Primary Edge Node

Secondary Edge Node

VRRP+peer BFD

As shown in Figure 10-7, PE1, PE2 and LSW1 to LSW3 form a SEP segment to access

an RRPP ring. The networking is called hybrid SEP+RRPP ring networking. PE1, PE2

and LSW1 to LSW3 are at the access layer to transparently transmit Layer 2 unicast

and multicast packets. SEP runs at the access layer to implement link redundancy. If

the topology of the SEP segment at the access layer changes, a node in the SEP segment

sends a Flush-FDB packet to instruct the other nodes in the SEP segment to refresh their MAC forwarding tables and ARP tables. PE1 and PE2 in the SEP segment send TC

packets to notify devices at the upper-layer that the topology of the SEP segment has

changed.

In hybrid SEP+RRPP ring networking, the SEP networks need to report topology

changes to RRPP networks on the edge devices of SEP networks.

NOTE

The basic SEP configurations in the preceding topologies are the same, except for the locations and

configurations of the primary edge interface, no-neighbor primary edge interface, secondary edge interface,

and no-neighbor secondary edge interface. For details about these interfaces, see Table 10-2.





309



10.1.2 SEP Features Supported by the S6700

This section describes SEP features supported by the S6700 from the perspective of SEP

configuration logic. Familiarizing yourself with SEP configuration logic helps you complete

configuration tasks quickly and efficiently.

SEP configuration roadmap is as follows:

1. After basic SEP functions are configured on devices, the devices start the SEP negotiation.

One of the last two interfaces that complete neighbor negotiation is blocked to eliminate

redundant links.

NOTE

When logging in to nodes on a SEP semi-ring through Telnet to configure them, note the following

points:

l VLANIF interfaces and their IP address need to be configured, because these nodes are Layer 2

devices. The VLANs to which these VLANIF interfaces correspond must be mapped to the SEP

protection instance.l Basic SEP functions need to be configured from the node at one end of the semi-ring to the node

at the other end of the semi-ring.

2. In some cases, however, the blocked interface obtained through the SEP calculation may

not be the one you expect to be blocked. You can specify an interface to block as needed.

3. To implement load balancing and make efficient use of bandwidth, protected instances

need to be deployed on a network running SEP and mappings between protected instances

and VLANs need to be worked out.

4. A SEP network usually needs to work together with another network deployed with other

features. To ensure network reliability, if the topology of either of the networks changes,

the other network must be able to detect the topology change and take measures to

implement reliable data transmission. Therefore, the topology change notification functionneeds to be enabled on the network running SEP.

Specifying an Interface to Block

In general, a blocked interface is one of the last two interfaces that complete neighbor negotiation.

In some cases, however, the negotiated blocked interface may not be the one you expect to be

blocked. You specify an interface to block as needed. The designated blocking does not,

however, become effective immediately. A preemption mechanism allows a designated interface

to be blocked instead of a previously blocked interface.

l Interface blocking mode

You can configure an interface blocking mode in order to specify the location of a blockedinterface. Table 10-4 lists interface blocking modes.

Table 10-4 Interface blocking mode

Interface Blocking Mode

Description

Specifying the interface

with the highest priority

as the blocked interface

Is applicable to a large-scale network.

After fault recovery, the interface with the highest priority in

a SEP segment is designated as the blocked interface. In this

mode, the priorities of the interfaces on the SEP segment need

to be set in advanced.





310




Description


in the middle of a SEP

segment as the blocked

interface

Is applicable to a network where traffic is symmetrically

distributed.

After fault recovery, the interface in the middle of a SEP

segment is designated as the blocked interface.

Specifying the blocked

interface based on the

configured hop count

Is applicable to a small-scale network.

After fault recovery, a specified interface can be blocked

based on the hop count. A network planner needs to be

familiar with the topology of the entire SEP segment and the

number of hops from the blocked interface to the primary-

edge interface.


interface based on thedevice name and

interface name


After fault recovery, a specified interface can be blocked based on the device name and the interface name. A network

planner needs to be familiar with the names of devices and

interfaces on the entire SEP segment and ensures that each

device name is unique.

l Preemption

After the interface blocking mode is specified, whether the specified interface will be

blocked is determined by the preemption mode. Table 10-5 lists the preemption modes.

Table 10-5 Preemption mode

PreemptionMode

Advantage Disadvantage

Non-preemption

mode

SEP is in the non-

preemption mode by

default.

In this mode, blocking

an interface does not

disconnect any link in a

SEP segment.

The blocked interface is one of the last

two interfaces that complete neighbor

negotiation.

Preemp

tion

mode

Delaye

d

preemp

tion

Each time a fault is

rectified, the system

automatically

completes preemption

and ensures that the

specified interface is

blocked.

l Related commands need to be used to

specify the delayed preemption mode

in advance. The preemption delay

does not have a default value, and

therefore related commands must be

used to set the preemption delay.

l After delayed preemption is

configured successfully, a fault needs

to be simulated to ensure that the

specified interface is blocked.





311



PreemptionMode


Manual

preemp

tion

Whether the specified

interface will be

blocked can be

controlled manually.

l The manual preemption mode needs

to be specified in advance.

l After related faults are rectified and

the preemption action is taken,

manual preemption does not take

effect.

Manual preemption needs to be

configured so that the specified

interface is blocked after the next

fault is rectified. This increases the

maintenance workload.

NOTE

In preemption mode, blocking an interface temporarily disconnects a link in a SEP segment.

SEP Multi-Instance

As shown in Figure 10-8, in regular SEP networking, a physical ring network can be configured

with only one SEP segment in which only one interface can be blocked. If an interface in the

SEP segment in the complete state is blocked, all user data is transmitted only along the path

where the primary edge interface is located. The path where the secondary edge interface is

located is idle, which leads to a waste of bandwidth.





312



Figure 10-8 Networking diagram for SEP multi-instance

LSW1

LSW2 LSW4

LSW3

NPE1 NPE2

IP/MPLS Core

CE2CE1

SEPSegment1

Block Port

Primary Edge NodeSecondary Edge Node

VRRP+peer BFD

VLAN 100~200 VLAN 201~400

C o r e

A g g r

e g a t i o n

A c c e s s

group 2:Master

group 1:Backupgroup 1:Master

group 2:Backup

SEP multi-instance allows two SEP segments to be configured on one physical ring network.

All devices, interface roles, and control VLANs in each SEP segment must be configured by

conforming to basic SEP configurations principles. Each SEP segment has one blocked interface.

Each blocked interface detects whether the physical ring network is complete. The blocked

interfaces in the two SEP segments are independent of each other.

A physical ring network can be configured with one or two SEP segments. Each SEP segment

needs to be configured with a protected instance and each protected instance represents a VLAN

range. The topology calculated by a SEP segment is valid only for that SEP segment.

After different protected instances are configured for SEP segments and the mapping between

protected instances and VLANs is set, a blocked interface is valid only for the VLANs protected

by the SEP segment where the blocked interface resides. Data traffic of different VLANs can

be transmitted along different paths. This implements traffic load balancing and link backup.





313




LSW1

LSW2 LSW4

LSW3

NPE1 NPE2

IP/MPLS Core

CE2CE1

SEPSegment2

Block Port

Primary Edge NodeSecondary Edge Node

VRRP+peer BFD

Instance1:

VLAN 100~200

Instance2:VLAN 201~400

C o r e

A g g r

e g a t i o n

A c c e s s

group 2:Master


group 2:Backup

SEP Segment1 P1P2

As shown in Figure 10-9, the SEP multi-instance ring network that consists of LSW1 to LSW4

has two SEP segments. P1 is the blocked interface in SEP segment 1, and P2 is the blocked

interface in SEP segment 2.

l Protected instance 1 is configured in SEP segment 1 to protect the data of VLAN 100 to

VLAN 200. The data is transmitted along path LSW1->LSW2->NPE1. As the blockedinterface in SEP segment 2, P2 blocks only the data of VLAN 201 to VLAN 400.

l Protected instance 2 is configured in SEP segment 2 to protect the data of VLAN 201 to

VLAN 400. The data is transmitted along path LSW3->LSW4->NPE2. As the blocked

interface in SEP segment 1, P1 blocks only the data of VLAN 100 to VLAN 200.

In the case of a node or a link failure, each SEP segment calculates its own topology

independently, and the nodes in each SEP segment update their LSA databases.

SEP Topology Change Notification

Table 10-6 lists the situations in which the topology of a SEP segment changes.





314



Table 10-6 SEP topology changes

SEP TopologyChange

Description

Topologychange caused

by an interface

fault

If an interface on a device in a complete SEP segment becomes faulty, thetopology of the SEP segment changes.

An interface fault can be a link fault or a neighboring interface fault.

Topology

change caused

by a fault being

rectified and the

preemption

function taking

effect

One or more faults occur in the SEP segment. When the last fault is rectified

and the blocked interface is preempted, the topology is considered

changed.

Table 10-7 list the situations in which topology changes are reported.

Table 10-7 SEP topology change notification

SEPTopologyChangeNotification

Scenario Description Solution

Topologychange

notification

from a lower-

layer network

to an upper-

layer network

Networking where aSEP network is

connected to an

upper-layer network

running other

features such as

SEP, STP, RRPP

and SmartLink

l If the blocked interface in alower-layer SEP network is

manually changed, the topology

of the SEP segment changes.

Because the upper-layer

network cannot detect the

topology change, traffic is

interrupted.

l If an interface in a lower-layer

SEP network becomes faulty,

the topology of the SEP segment

changes but the upper-layer


change. As a result, traffic is

interrupted.

Configurethe SEP

topology

change

notification

function.





315



SEPTopologyChangeNotification


Networking

scenario where a

host is connected to

a SEP network by

using a SmartLink

group

During an active/standby

switchover of member interfaces in

the SmartLink group, the host sends

a SmartLink Flush packet to notify

the connected devices in the SEP

segment of the switchover.

If the connected devices in the SEP

segment cannot identify the

SmartLink Flush packet (that is, if

these connected devices in the SEP

segment cannot detect any topology

change of the lower-layer network),traffic will be interrupted.

Enable the

edge devices

in the SEP

segment to

process

SmartLink

Flush

packets.

10.2 Configuring Basic SEP FunctionsWhen there is no faulty link on a ring network running SEP, SEP can eliminate loops on the

Ethernet. When a link fault occurs on a ring network running SEP, SEP can immediately restore

the communication links between the nodes.


Before configuring basic SEP functions, familiarize yourself with the applicable environment,

complete the pre-configuration tasks, and obtain the required data. This can help you complete

the configuration task quickly and efficiently.


Generally, redundant links are used to connect an Ethernet switching network to an upper-layer

network to provide link backup and enhance network reliability. The use of redundant links,

however, may produce loops, causing broadcast storms and rendering the MAC address table

unstable. As a result, the communication quality deteriorates, and communication services may

even be interrupted. SEP can be deployed on the ring network to block redundant links and

unblock them if a link fault occurs.


Before configuring basic SEP functions, complete the following tasks:

l Establishing the ring networking

l Ensuring that the devices are powered on correctly and operate properly

Data Preparation

To configure basic SEP functions, you need the following data.





316



No. Data

1 SEP segment ID

2 ID of the control VLAN in the SEP segment

3 Role of each interface added to the SEP segment

10.2.2 Configuring an SEP Segment

SEP takes an SEP segment as a basic unit. An SEP segment is composed of multiple

interconnected Layer 2 switching devices configured with the same SEP segment ID and the

same control VLAN ID.

Procedure

Step 1 Run:

system-view


Step 2 Run:

sep segment segment-id

An SEP segment is created and the view of the SEP segment is displayed.

Before deleting a created SEP segment, you need to check whether there is any interface added

to the SEP segment. If there is an interface added to the SEP segment, run the undo sepsegment segment-id command in the interface view to delete the interface from the SEP segment.

Otherwise, the SEP segment cannot be deleted.

----End

10.2.3 Configuring a Control VLAN

In a SEP segment, a control VLAN is used to transmit SEP packets but not service packets,

enhancing the security of SEP. Each SEP segment must be configured with a control VLAN.

After being added to a SEP segment configured with a control VLAN, an interface is added to

the control VLAN automatically.

Context

NOTE

On a SEP network that has no-neighbor edge interfaces, a device that is not in a SEP segment cannot be

added to the control VLAN of the SEP segment. Otherwise, a loop will be caused on the network.

Procedure

Step 1 Run:

system-view






317



Step 2 Run:


A SEP segment is created and the view of the SEP segment is displayed.

Step 3 Run:control-vlan vlan-id

The control VLAN of the SEP segment is configured for transmitting SEP packets.

The control VLAN specified by vlan-id must be newly created and must not have been used by

RRPP or used in port trunk, default, mapping, or stacking mode.

l Different SEP segments can use the same control VLAN.

l If there is an interface added to the SEP segment, you cannot directly delete the control VLAN

of the SEP segment. To delete the control VLAN, run the undo sep segment segment-id

command in the interface view to delete the interface from the SEP segment, and then run

the undo control-vlan command to delete the control VLAN.l If there is no interface added to the SEP segment, you can run the control-vlan vlan-id

command for multiple times. Only the latest configuration takes effect.

l After the control VLAN is created successfully, the command used to create a common

VLAN will be displayed in the configuration file.

Each SEP segment must be configured with a control VLAN. After an interface is added to

a SEP segment configured with a control VLAN, the interface will be automatically added

to the control VLAN.

– If the interface type is Trunk, in the configuration file, the port trunk allow-pass vlan

command is displayed in the view of the interface added to the SEP segment.

– If the interface type is Hybrid, in the configuration file, the port hybrid tagged vlancommand is displayed in the view of the interface added to the SEP segment.

----End

10.2.4 Creating a Protected Instance

Interfaces can be added to an SEP segment only after the SEP segment is configured with

protected instances.

Procedure

Step 1 Run:

system-view


Step 2 Run:



Step 3 Run:

protected-instance { all | { instance-id1 [ to instance-id2 ] &<1-10> } }

A protected instance is created in a SEP segment.





318



By default, no protected instance is configured in a SEP segment.

----End

10.2.5 Adding a Layer 2 Interface to a SEP Segment and Configuring a Role for the Interface

To ensure the normal forwarding of SEP packets in a SEP segment, add Layer 2 interfaces to

the SEP segment and configure different roles for the interfaces.

Context

After an interface is added to SEP segment, the interface sets its interface role to the primary

edge interface if the interface has the right to participate in the election of the primary edge

interface. Then, the interface periodically sends a primary edge interface-election packet without

waiting for the success of neighbor negotiation.

The primary edge interface-election packet contains the role of the interface (primary edge

interface, secondary edge interface, or common interface), the bridge MAC address of the

interface, interface ID, and the status of the topology database.

Table 10-8 lists interface roles.

Table 10-8 Interface roles

Interfaceroles


Common port - In a SEP segment, all interfaces except

edge interfaces and the blocked interface

are common interfaces.

A common interface monitors the status

of its directly connected SEP link and

notifies its neighboring interface of link

status changes in time. The neighboring

interface constantly floods the

notification message to other interfaces

in the SEP segment until the message

reaches the primary edge interface. The

primary edge interface then processesthe message.

-

Edge port Primary

Edge Port

A SEP segment has only one primary



The primary edge interface initiates

blocked-interface preemption,

terminates packets, and sends packets

about topology changes to other

networks.

Open ring

network

Closed ring

network

Multiple-ring

networking

Hybrid SEP

+RRPP ring

networking





319



Interfaceroles


Secondary

edge port

A SEP segment has only one secondary



A secondary edge interface terminates

packets, and sends topology change

notification messages to other networks.

No-

neighbor

primary

edge port

The interface at the most marginal edge

of a SEP segment is a no-neighbor

primary edge interface, as shown in

Figure 10-2. It is configured by users.

A no-neighbor primary interface

initiates blocked-interface preemption,

terminates packets, and sends topologychange notification messages to other

networks.

No-neighbor primary edge interfaces are

used to interconnect Huawei devices and

non-Huawei devices or devices that do

not support SEP.

Hybrid SEP

+MSTP ring

networking

No-

neighbor

secondary

edge port

A no-neighbor secondary edge interface

terminates packets and sends topology

change notification messages to other

networks.

No-neighbor secondary edge interfaces

are used to interconnect non-Huawei

devices and devices that do not support

SEP.

NOTE

Normally, an edge interface and a no-neighbor edge interface belong to different SEP segments.

Before adding a Layer 2 interface to a SEP segment, ensure that STP has been disabled on the interface.

Before adding an interface to a SEP segment,configure a protected instance or a range of protectedinstances .

Procedure

Step 1 Run:

system-view


Step 2 Run:


The view of an Ethernet interface added to the SEP segment is displayed.





320



Step 3 Run:

stp disable

STP is disabled on the interface.

Step 4 Run:sep segment segment-id [ edge [ no-neighbor ] { primary | secondary } ]

The Ethernet interface is added to a specified SEP segment and a role is configured for it.

NOTE

An interface can be added to only two SEP segments.

----End


After basic SEP functions are configured, you can view the information such as the names and

roles of interfaces added to an SEP segment, status of the interfaces on neighbors, and forwardingstatus of the local interface.

Prerequisite

The configurations of basic SEP functions are complete.

Procedure

l Run the display sep interface [ interface-type interface-number | segment segment-id ]

[ verbose ] command to check the information about interfaces that reside on the device

and are added to a specified SEP segment.

l Run the display sep topology [ segment segment-id ] [ verbose ] command to check thetopology status of a specified SEP segment.

----End

10.3 Specifying an Interface to Block

By default, the blocked interface is one of the last two interfaces that complete neighbor

negotiation. Sometimes, the negotiated blocked interface, however, may not be the expected

one. An interface can be selected to block as required.


Before specifying an interface to block, familiarize yourself with the applicable environment,

complete the pre-configuration tasks, and obtain the required data. This can help you complete



In general, a blocked interface is one of the last two interfaces that complete neighbor negotiation.

In some cases, however, the negotiated blocked interface may not be the one you expect to be

blocked. You specify an interface to block as needed. The designated blocking does not,

however, become effective immediately. A preemption mechanism allows a designated interfaceto be blocked instead of a previously blocked interface.





321




Before specifying an interface to block, complete the following task:

l Configuring Basic SEP Functions

Data Preparation

To specify an interface to block, you need the following data.

No. Data

1 Interface blocking mode

2 SEP preemption mode

10.3.2 Setting an Interface Blocking Mode

Each interface in a SEP segment may become a blocked interface. You can specify an interface

to block by configuring an interface blocking mode.

Context

In a SEP segment, an interface is blocked to prevent loops.

You can configure an interface blocking mode in order to specify the location of a blockedinterface. Table 10-9 lists interface blocking modes.

Table 10-9 Interface blocking mode


Description


with the highest priority

as the blocked interface

Is applicable to a large-scale network.

After fault recovery, the interface with the highest priority in a

SEP segment is designated as the blocked interface. In this mode,

the priorities of the interfaces on the SEP segment need to be set

in advanced.


in the middle of a SEP

segment as the blocked

interface

Is applicable to a network where traffic is symmetrically

distributed.

After fault recovery, the interface in the middle of a SEP segment

is designated as the blocked interface.



configured hop count


After fault recovery, a specified interface can be blocked based

on the hop count. A network planner needs to be familiar with

the topology of the entire SEP segment and the number of hops

from the blocked interface to the primary-edge interface.





322




Description



device name and interface

name


After fault recovery, a specified interface can be blocked basedon the device name and the interface name. A network planner

needs to be familiar with the names of devices and interfaces on

the entire SEP segment and ensures that each device name is

unique.

Do as follows on the device where the primary edge interface or the no-neighbor primary edge

interface is located:

Procedure

Step 1 Run:

system-view


Step 2 Run:



Step 3 Run:

block port { optimal | middle | hop hop-id | sysname sysname interface interface-

type interface-number }

An interface blocking mode is set.

By default, one of the interfaces at both ends of the last link that is set up or the last link that

recovers from a fault is blocked.

l optimal specifies the interface with the highest priority as the blocked interface.

l middle specifies the interface in the middle of the SEP segment as the blocked interface.

l hop specifies the interface that is hop-id hops away from the primary edge interface as the

blocked interface.If hop-id is set to 1, it indicates that the blocked interface is the primary edge interface. If

hop-id is set to 2, it indicates that the blocked interface is the neighboring interface of the

primary edge interface. The hop count increases along with the number of downstream

neighbors of the primary edge interface.

l sysname+interface specifies the name of the device where the interface to be blocked

resides.

For information on how to select an interface blocking mode, see the preceding table.

----End





323



Follow-up Procedure

If the interface that has the highest priority is specified to block, run the sep segment segment-

id priority priority command in the view of the interface to be blocked to increase its priority.

When a fault is rectified, the specified interface will be blocked.

The default priority of an interface added to a SEP segment is 64. The priority value of an

interface is an integer ranging from 1 to 128. The greater the priority value, the higher the priority.

10.3.3 Configuring the Preemption Mode

The SEP preemption mode is classified into delay preemption and manual preemption.

Context

After the interface blocking mode is specified, whether the specified interface will be blocked

is determined by the preemption mode. Table 10-10 lists the preemption modes.

Table 10-10 Preemption mode

PreemptionMode


Non-preemption

mode

SEP is in the non-

preemption mode by

default.

In this mode, blocking an

interface does not

disconnect any link in a

SEP segment.

The blocked interface is one of the last two

interfaces that complete neighbor

negotiation.

Preempt

ion

mode

Delayed

preempt

ion

Each time a fault is

rectified, the system

automatically completes

preemption and ensures

that the specified

interface is blocked.

l Related commands need to be used to

specify the delayed preemption mode in

advance. The preemption delay does not

have a default value, and therefore

related commands must be used to set

the preemption delay.

l After delayed preemption is configured

successfully, a fault needs to be

simulated to ensure that the specified

interface is blocked.

Manual

preempt

ion

Whether the specified

interface will be blocked

can be controlled

manually.

l The manual preemption mode needs to

be specified in advance.

l After related faults are rectified and the

preemption action is taken, manual

preemption does not take effect.

Manual preemption needs to be

configured so that the specified

interface is blocked after the next fault

is rectified. This increases the

maintenance workload.





324



The following conditions must be met to trigger preemption:

l The topology of the SEP segment must be normal.

l The primary edge interface or no-neighbor primary edge interface has been elected in the

SEP segment.

l The function of flexibly specifying a blocked interface is enabled on the device where the

primary edge interface or no-neighbor primary edge interface resides.

Do as follows on the Layer 2 switching device where the primary edge interface or the no-

neighbour primary edge interface is elected.

Procedure

Step 1 Run:

system-view


Step 2 Run:



Step 3 Run:

preempt { manual | delay seconds }

The preemption mode is configured on the primary edge interface.

By default, the primary edge interface is not configured with the preemption mode, that is, the

non-preemption mode is adopted.

----End


After specifying an interface to block, you can view information about a specified blocked

interface.

Prerequisite

The configurations of specifying an interface to block are complete.

Procedurel Run the display sep topology [ segment segment-id ] [ verbose ] command to check the

topology status of a specified SEP segment.

----End

10.4 Configuring SEP Multi-Instance

SEP multi-instance allows two SEP segments to be configured on a physical ring network. After

different protected instances are configured for the SEP segments and VLANs are mapped to

specified protected instances, load balancing and link backup can be implemented for service

traffic.





325




Before configuring SEP multi-instance, familiarize yourself with the applicable environment,

complete the pre-configuration tasks, and obtain the required data. This will help you complete



in regular SEP networking, a physical ring network can be configured with only one SEP segment

in which only one interface can be blocked. If an interface in the SEP segment in the complete

state is blocked, all user data is transmitted only along the path where the primary edge interface

is located. The path where the secondary edge interface is located is idle, which leads to a waste

of bandwidth.


LSW1

LSW2 LSW4

LSW3

NPE1 NPE2

IP/MPLS Core

CE2CE1

SEP

Segment2

Block Port

Primary Edge Node

Secondary Edge Node

VRRP+peer BFD

Instance1:

VLAN 100~200

Instance2:VLAN 201~400

C o r e

A g g r e g a t i o

n

A c c e s s

group 2:Master


group 2:Backup

SEP Segment1 P1P2

To solve the problem of bandwidth waste and to implement traffic load balancing and link

backup, multi-instance can be deployed in the SEP network and mappings between protected

instances and user VLANs need to be set, as shown in Figure 10-10. Data traffic of differentVLANs can be transmitted along different paths.





326



NOTE

Currently, SEP multi-instance allows two SEP segments to be configured on a physical ring network.


Before configuring SEP multi-instance, complete the following tasks:


l Specifying an Interface to Block

Data Preparation

To configure SEP multi-instance, you need the following data.

No. Data

1 ID of a protected instance in a SEP segment

2 ID of a VLAN mapped to a protected instance

10.4.2 Configuring and Activating Mappings Between ProtectedInstances and VLANs

A physical ring network can be configured with one or two SEP segments. To ensure proper

traffic transmission, each SEP segment needs to be configured with a protected instance. After

mappings between protected instances and specified VLANs are configured, load balancing andlink backup can be implemented.

Context

After mappings between protected instances and VLANs are configured, the mappings need to

be activated to implement load balancing and link backup.

Procedure

Step 1 Run:

system-view


Step 2 Run:


The MST region view is displayed.

Step 3 Run:

instance instance-id vlan { vlan-id [ to vlan-id ] } &<1-10>

Mappings between protected instances and VLANs are configured.

The value of instance-id specified in this command must be consistent with that of instance-id specified in the protected-instance command.





327



Step 4 Run:


Mappings between protected instances and VLANs are activated.

After mappings between protected instances and VLANs take effect, topology changes of a SEPsegment affect only corresponding VLANs. This ensures reliable transmission of user data.

----End


After configuring SEP multi-instance on a ring network, you can view the blocked interface in

each SEP segment.

Prerequisite

The configurations of SEP multi-instance are complete.

Procedure

l Run the display sep topology [ segment segment-id ] [ verbose ] command to check the

topology status of a specified SEP segment.

----End

10.5 Configuring the Topology Change NotificationFunction

The function of advertising topology changes is configured on the device connecting a lower-

level network to an upper-level network. With this function, the device can notify the remote

device of topology changes of the lower-level and upper-level networks. After being notified of

these topology changes, all the devices on the network where the remote device resides delete

associated MAC addresses and ARP entry in time and relearn the MAC address of the remote

device. This ensures nonstop traffic forwarding.


Before configuring the topology change notification function, familiarize yourself with the

applicable environment, complete the pre-configuration tasks, and obtain the required data. Thiswill help you complete the configuration task quickly and efficiently.


Currently, the S6700 can report topology changes in two modes, as shown in Table 10-11. You

can select a mode as needed.





328



Table 10-11 SEP topology change notification

SEPTopologyChange

Notification


Topology

change

notification

from a lower-

layer network

to an upper-

layer network

Networking where a

SEP network is

connected to an

upper-layer network

running other

features such as

SEP, STP, RRPP

and SmartLink

l If the blocked interface in a

lower-layer SEP network is

manually changed, the topology

of the SEP segment changes.

Because the upper-layer


topology change, traffic is

interrupted.

l If an interface in a lower-layer

SEP network becomes faulty,

the topology of the SEP segment

changes but the upper-layer


change. As a result, traffic is

interrupted.

Configure

the SEP

topology

change

notification

function.

Networking

scenario where a

host is connected to

a SEP network by

using a SmartLink

group

During an active/standby

switchover of member interfaces in

the SmartLink group, the host sends

a SmartLink Flush packet to notify

the connected devices in the SEP

segment of the switchover.

If the connected devices in the SEP

segment cannot identify the

SmartLink Flush packet (that is, if

these connected devices in the SEP

segment cannot detect any topology

change of the lower-layer network),

traffic will be interrupted.

Enable the

edge devices

in the SEP

segment to

process

SmartLink

Flush

packets.


Before configuring the topology change notification function, complete the following tasks:


l Specifying an Interface to Block

Data Preparation

To configure the topology change notification function, you need the following data.

No. Data

1 SEP segment ID





329



No. Data

2 Mode of reporting topology changes

10.5.2 Reporting Topology Changes of a Lower-Layer Network -SEP Topology Change Notification

SEP runs at the access layer. To help an upper-layer network to detect whether the topology of

the network at the access layer changes, configure the SEP topology change notification function

on the device connecting the lower-layer network to the upper-layer network.

Context

If the topology of a specified SEP segment changes but the topology change is not reported tothe upper-layer network in time, the MAC address tables of the devices on the upper-layer

network retain the MAC address entries generated before the topology of the lower-layer

network changes. As a result, user traffic is interrupted. To ensure nonstop traffic forwarding,

configure the device on the lower-layer network to report topology changes to the upper-layer

network. The objects that are notified of topology changes can be specified as needed.

NOTE

Currently, topology changes of a SEP segment can be reported to other SEP segments, STP networks,

RRPP networks and SmartLink networks

After receiving a packet indicating topology changes of a lower-layer network, a device on an

upper-layer network sends TC packets locally to instruct the other devices on this network to

clear associated MAC addresses and relearn MAC addresses after the topology of the lower-

layer network changes. This ensures nonstop traffic forwarding.

Procedure

Step 1 Run:

system-view


Step 2 Run:sep segment segment-id


Step 3 Run:

tc-notify { segment { segment-id1 [ to segment-id2 ] } &<1-10> | stp | rrpp | smart-

link send-packet vlan vlan-id }

The topology change of a specified SEP segment is reported to another SEP segment or a network

running other ring protocols such as STP or RRPP.

By default, the topology change of a SEP segment is not reported.

----End





330



Follow-up Procedure

In the networking scenario where three or more SEP ring networks exist, when a TC notification

packet is sent through multiple links, the upper-layer network will receive it multiple times. This

reduces the efficiency for processing packets on the upper-layer network. Therefore, TC

notification packets need to be suppressed. Suppressing TC notification packets frees the upper-

layer network from processing multiple duplicate packets and protects the devices in the SEP

segment against TC notification packet attacks.

Run the tc-protection interval interval-value command in the SEP-segment view to set the

interval for suppressing TC notification packets.

By default, the interval for suppressing TC notification packets is 2s, and three TC notification

packets with different source addresses are processed within 2s.

NOTE

l

In the networking scenario where three or more SEP ring networks exist, this command must be run.If this command is not run, the default interval for suppressing TC notification packets is used.

l A longer interval ensures stable SEP operating but deteriorates the convergence performance.

10.5.3 Reporting Topology Changes of a Lower-Layer Network -Enabling the Edge Devices in a SEP Segment to Process SmartLinkFlush Packets

In the networking where a host is connected to a SEP network by using a SmartLink group , if

the active/standby switchover of member interfaces in the SmartLink group occurs, the host

sends SmartLink Flush packets to inform the edge devices in the SEP segment of the switchover.

Therefore, the edge devices in the SEP segment must be able to process SmartLink Flush packets.

Procedure

Step 1 Run:

system-view


Step 2 Run:



Step 3 Run:

deal smart-link-flush

An edge device in a SEP segment is enabled to process SmartLink Flush packets.

After receiving a SmartLink Flush packet, the edge device in a SEP segment floods FLUSH-

FDB packets to notify the other devices in the SEP segment of topology changes.

By default, no device in a SEP segment is enabled to process SmartLink Flush packets.

----End





331




After configuring the topology change notification function, you can view the objects that are

notified of topology changes.

Prerequisite

The configurations of the topology change notification function are complete.

Procedure

l Run the display sep interface verbose command to check the configuration of reporting

changes in the lower-layer network topology.

l Run the display this command in the OAM management view to check the configuration

of reporting changes in the upper-layer network topology.

----End

10.6 Maintaining SEP

This section describes the commands for maintaining SEP, including the commands for clearing

SEP statistics.

10.6.1 Clearing SEP Statistics

You can run the reset command to reset the SEP statistics before recollecting SEP statistics.

Context

CAUTION

SEP statistics cannot be restored after being cleared. Therefore, perform the action with caution.

Procedure

Step 1 Run the reset sep interface interface-type interface-number statistics command in the user view

to clear SEP statistics.

----End

10.6.2 Debugging SEP

When a fault occurs during the running of SEP, run the following debugging command in the

user view to display the debugging information and locate the fault.





332



Context

CAUTION



Procedure

Step 1 Run the debugging sep { all | common | error | machine | message | pdu [ [ epa | lsa | nbr |

preempt ] [ transmit | receive ] ] } [ segment segment-id | interface interface-type interface-

number ] command in the user view to debug SEP.

----End


This section describes the networking requirements, configuration roadmap, and data

preparation for a typical SEP application and provides the configuration examples.

10.7.1 Example for Configuring SEP on a Closed Ring Network

In the closed ring networking, CE1 is dual homed to a Layer 2 network through multiple Layer

2 switching devices. The two edge devices connected to the upper-layer Layer 2 network are

directly connected to each other. The closed ring network is deployed at the aggregation layer to implement Layer 2 transparent transmission of unicast and multicast packets. SEP runs at the

aggregation layer to implement link redundancy.








As shown in Figure 10-11, Layer 2 switching devices LSW1 to LSW5 form a ring network,

which is connected to the core network. SEP runs at the aggregation layer. When the ring network

is normal, SEP blocks the redundant Ethernet links. When a link on the ring fails, SEP can

quickly restore communication between the nodes on the ring.





333



Figure 10-11 Networking diagram of a closed ring SEP network

Block Port

Primary EdXGE

Node

LSW1

LSW2

LSW3

LSW4

LSW5

SEP

Segment1

XGE0/0/1

XGE0/0/1

XGE0/0/1 XGE0/0/1

XGE0/0/2

XGE0/0/1

XGE0/0/2

XGE0/0/2

Secondary EdXGE

Node

IP/MPLS Core

XGE0/0/2 XGE0/0/2

XGE0/0/3

XGE0/0/3

XGE0/0/3XGE0/0/1

CE1

VLAN

100

A c c e s s


C o r e



1. Configure basic SEP functions.

(1) Configure SEP segment 1 on LSW1 to LSW5 and configure VLAN 10 as the control

VLAN of SEP segment 1.

(2) Add all devices on the ring to SEP segment 1, and configure the roles of XGE0/0/1

and XGE0/0/3 of LSW1 in SEP segment 1.

(3) On the device where the primary edge port is located, specify that the port with the

highest priority will be blocked.





334



(4) Set priorities of the ports in the SEP segment.

Set the highest priority for XGE0/0/2 of LSW3 and retain the default priority of the

other ports so that XGE0/0/2 of LSW3 will be blocked.

(5) Configure delayed preemption on the device where the primary edge port is located.

2. Configure the Layer 2 forwarding function on CE1 and LSW1 to LSW5.

Data Preparation


l SEP segment ID

l Control VLAN of the SEP segment

l Port roles in the SEP segment

l Preemption mode

l Method of selecting the port to block l Priorities of the ports in the SEP segment

Procedure

Step 1 Configure basic SEP functions.

1. Configure SEP segment 1 on LSW1 to LSW5 and configure VLAN 10 as the control VLAN

of SEP segment 1.

# Configure LSW1.<Quidway> system-view

[Quidway] sysname LSW1

[LSW1] sep segment 1[LSW1-sep-segment1] control-vlan 10

[LSW1-sep-segment1] protected-instance all

[LSW1-sep-segment1] quit



[LSW2] sep segment 1

[LSW2-sep-segment1] control-vlan 10





















335





NOTE

l The control VLAN must be a VLAN that has not been created or used, but the configuration file

automatically displays the command for creating the VLAN.l Each SEP segment must be configured with a control VLAN. After an interface is added to the

SEP segment configured with a control VLAN, the interface is added to the control VLAN

automatically. The configuration file displays port hybrid tagged vlan under this interface.

2. Add all devices on the ring to SEP segment 1 and configure port roles on the devices.

NOTE

By default, STP is enabled on a Layer 2 interface. Before adding an interface to the SEP segment,

disable STP on the interface.

# On LSW1, configure XGE0/0/1 as the primary edge port and XGE0/0/3 as the secondary

edge port.

[LSW1] interface xgigabitethernet 0/0/1

[LSW1-XGigabitEthernet0/0/1] stp disable[LSW1-XGigabitEthernet0/0/1] sep segment 1 edge primary

[LSW1-XGigabitEthernet0/0/1] quit


[LSW1-XGigabitEthernet0/0/3] stp disable

[LSW1-XGigabitEthernet0/0/3] sep segment 1 edge secondary


# Configure LSW2.[LSW2] interface xgigabitethernet 0/0/1


[LSW2-XGigabitEthernet0/0/1] sep segment 1






















# Configure LSW5.









3. Specify a port to block.





336



# On LSW1 where the primary edge port is located, specify that the port with the highest

priority is blocked.


[LSW1-sep-segment1] block port optimal

4. Set the priority of XGE0/0/2 on LSW3.[LSW3] interface xgigabitethernet 0/0/2

[LSW3-XGigabitEthernet0/0/2] sep segment 1 priority 128


5. Configure the preemption mode.

# Configure the delayed preemption mode on LSW1.

[LSW1-sep-segment1] preempt delay 30


NOTE

l You must set the preemption delay when delayed preemption is adopted because there is no

default delay time.

lAfter all the faulty ports recover, the edge ports no longer receive fault notification packets. If the primary edge port does not receive any fault notification packet, it starts the delay timer.

When the delay timer expires, nodes in the SEP segment start blocked port preemption.

To implement delayed preemption in this example, you need to simulate a port fault and then

rectify the fault. For example:

Run the shutdown command on XGE0/0/2 of LSW2 to simulate a port fault, and then run the

undo shutdown command on XGE0/0/2 to rectify the fault.

Step 2 Configure the Layer 2 forwarding function on CE1 and LSW1 to LSW5.

For details about the configuration, see the configuration files.


l Run the shutdown command on XGE0/0/1 of LSW3 to simulate a port fault, and then runthe display sep interface command on LSW3 to check whether XGE0/0/2 of LSW3 switches

from the Discarding state to the Forwarding state.

<LSW3> display sep interface xgigabitethernet 0/0/2

SEP segment 1

----------------------------------------------------------------

Interface Port Role Neighbor Status Port Status

----------------------------------------------------------------

XGE0/0/2 common up forwarding

----End

Configuration Files

l Configuration file of LSW1

#

sysname LSW1

#


#

sep segment 1

control-vlan 10

block port optimal

preempt delay 30

protected-instance 0 to 48

#



stp disable sep segment 1 edge primary





337



#





#

interface XGigabitEthernet0/0/3 port hybrid tagged vlan 10 100 200

stp disable

sep segment 1 edge secondary

#

return


#

sysname LSW2

#

vlan batch 10 100

#

sep segment 1

control-vlan 10


#



stp disable

sep segment 1

#



stp disable

sep segment 1

#

return


#

sysname LSW3#

vlan batch 10 100

#

sep segment 1

control-vlan 10


#



stp disable

sep segment 1

#



stp disable

sep segment 1

sep segment 1 priority 128

#



#

return


#

sysname LSW4

#

vlan batch 10 100

#

sep segment 1

control-vlan 10 protected-instance 0 to 48





338



#



stp disable

sep segment 1

#

interface XGigabitEthernet0/0/2 port hybrid tagged vlan 10 100

stp disable

sep segment 1

#

return


#

sysname LSW5

#


#

sep segment 1

control-vlan 10


#



stp disable

sep segment 1

#





#


port hybrid tagged vlan 10 100 200

stp disable

sep segment 1

#return

l Configuration file of CE1

#

sysname CE1

#

vlan batch 100

#



#

return

10.7.2 Example for Configuring SEP on a Multi-ring NetworkIn multi-ring networking, multiple rings consisting of Layer 2 switching devices are deployed

at the access layer and aggregation layer. SEP runs at the access layer and aggregation layer to

implement link redundancy.






even be interrupted. SEP can be deployed on the ring network to block redundant links andunblock them if a link fault occurs.





339



As shown in Figure 10-12, multiple Layer 2 switching devices form ring networks at the access

layer and aggregation layer. The ring network at the aggregation layer is connected to the core

layer. SEP runs at the access layer and aggregation layer. When the ring network is normal, SEP

blocks the redundant Ethernet links. When a link on the ring fails, SEP can quickly restore

communication between nodes on the ring.





340



Figure 10-12 Networking diagram of a multi-ring SEP network

Block Port

Primary EdXGE Node

Secondary EdXGE Node

IP/MPLS Core

XGE0/0/2

C o r e

LSW1

LSW2

LSW3

LSW4

LSW5

SEP Segment

1

LSW6

LSW7

LSW8

LSW10

LSW11

LSW9

A c c e s s


S E P

S e g m

e n t 2

S E P S e g m

e n t

3

CE2

VLAN

200

XGE0/0/2

XGE0/0/1

CE1

VLAN

100

XGE0/0/1

XGE0/0/3

XGE0/0/2

XGE0/0/3

XGE0/0/1XGE0/0/1

XGE0/0/2X G

E 0 / 0 / 3

XGE0/0/1

XGE0/0/2

XGE0/0/1 XGE0/0/2XGE0/0/1

XGE0/0/2

XGE0/0/1

XGE0/0/1

XGE0/0/3

XGE0/0/1

XGE0/0/3

XGE0/0/1

XGE0/0/2XGE0/0/1XGE0/0/2

XGE0/0/4

XGE0/0/1XGE0/0/2

XGE0/0/3

Control VLAN 10

Control VLAN 20

Control VLAN 30





341






(1) Configure SEP segments 1 to 3 and configure VLAN 10, VLAN 20, and VLAN 30

as their control VLANs.

l Configure SEP segment 1 on LSW1 to LSW5 and configure VLAN 10 as the

control VLAN of SEP segment 1.

l Configure SEP segment 2 on LSW2, LSW3, and LSW6 to LSW8, and configure

VLAN 20 as the control VLAN of SEP segment 2.

l Configure SEP segment 3 on LSW3, LSW4, and LSW9 to LSW11, and configure

VLAN 30 as the control VLAN of SEP segment 3.

(2) Add devices on the rings to the SEP segments and configure port roles on the edge

devices of the SEP segments.

l On LSW1 to LSW5, add the interfaces on the ring at the access layer to SEP

segment 1. Configure the roles of XGE0/0/1 and XGE0/0/3 of LSW1 in SEP

segment 1.

l Add XGE0/0/2 of LSW2, XGE0/0/1 and XGE0/0/2 of LSW6 to LSW8, and

XGE0/0/2 of LSW3 to SEP segment 2. Configure the roles of XGE0/0/2 of LSW2


l Add XGE0/0/1 of LSW3, XGE0/0/1 and XGE0/0/2 of LSW9 to LSW11, and

XGE0/0/1 of LSW4 to SEP segment 3. Configure the roles of XGE0/0/1 of LSW2


(3) Specify the port to block on the device where the primary edge port is located.

l In SEP segment 1, specify that the port with the highest priority will be blocked.l In SEP segment 2, specify the device name and port name to block the specified

port.

l In SEP segment 3, specify that the blocked port be selected according to the

configured hop counts of ports.

(4) Configure the preemption mode on the device where the primary edge port is located.

Configure delayed preemption in SEP segment 1 and manual preemption in SEP

segment 2 and SEP segment 3.

(5) Configure the topology change notification function on the edge devices between SEP

segments, namely, LSW2, LSW3, and LSW4.

2. Configure the Layer 2 forwarding function on CE1, CE2, and LSW1 to LSW11.

Data Preparation


l SEP segment ID



l Preemption mode

l Method of selecting the port to block

l Priorities of the ports in the SEP segment





342



Procedure


1. Configure SEP segments 1 to 3 and configure VLAN 10, VLAN 20, and VLAN 30 as their

control VLANs, as shown in Figure 10-12.







# Configure LSW2.











# Configure LSW3.















# Configure LSW4.








[LSW4-sep-segment3] control-vlan 30[LSW4-sep-segment3] protected-instance all








# Configure LSW6 to LSW11.

The configurations of LSW6 to LSW11 are similar to the configurations of LSW1 to LSW5

except for the control VLANs of different SEP segments.






343



NOTE


automatically displays the command for creating the VLAN.

l Each SEP segment must be configured with a control VLAN. After an interface is added to the

SEP segment configured with a control VLAN, the interface is added to the control VLANautomatically. The configuration file displays port hybrid tagged vlan under this interface.

2. Add devices on the rings to the SEP segments and configure port roles according to Figure

10-12.

NOTE

By default, STP is enabled on a Layer 2 interface. Before adding an interface to the SEP segment,

disable STP on the interface.

# On LSW1, configure XGE0/0/1 as the primary edge port and XGE0/0/3 as the secondary

edge port.



[LSW1-XGigabitEthernet0/0/1] sep segment 1 edge primary[LSW1-XGigabitEthernet0/0/1] quit





# Configure LSW2.











[LSW2-XGigabitEthernet0/0/2] sep segment 2 edge primary


# Configure LSW3.










[LSW3-XGigabitEthernet0/0/2] stp disable[LSW3-XGigabitEthernet0/0/2] sep segment 2 edge secondary






# Configure LSW4.







[LSW4-XGigabitEthernet0/0/3] sep segment 1[LSW4-XGigabitEthernet0/0/3] quit





344







# Configure LSW5.

[LSW5] interface xgigabitethernet 0/0/1[LSW5-XGigabitEthernet0/0/1] stp disable







# Configure LSW6 to LSW11.

The configurations of LSW6 to LSW11 are similar to the configurations of LSW1 to LSW5

except for the port roles.


3. Specify the port to block.# On LSW1 where the primary edge port of SEP segment 1 is located, specify that the port

with the highest priority be blocked.


[LSW1-sep-segment1] block port optimal


# On LSW3, set the priority of XGE0/0/4 to 128, which is the highest priority among the

ports so that XGE0/0/4 will be blocked.


[LSW3-XGigabitEthernet0/0/4] sep segment 1 priority 128


Use the default priority for the other ports in SEP segment 1.

# On LSW2 where the primary edge port of SPE segment 2 is located, specify the device

name and port name so that the specified port will be blocked.

Before specifying the port to block, you can use the display sep topology command to

view the current topology information and obtain information about all the ports in the

topology. Then you can select the device name and port name.


[LSW2-sep-segment2] block port sysname LSW7 interface xgigabitethernet 0/0/1


# On LSW4 where the primary edge port of SEP segment 3 is located, specify that the

blocked port be selected according to the configured hop counts of ports.


[LSW4-sep-segment3] block port hop 5[LSW4-sep-segment3] quit

NOTE

SEP sets the hop count of the primary edge port to 1 and the hop count of the secondary edge port

to 2. Hop counts of other ports increase at a step of 1 in the downstream direction of the primary port.


# Configure the delayed preemption mode on LSW1.







345



NOTE

l You must set the preemption delay when delayed preemption is adopted because there is no

default delay time.

l After all the faulty ports recover, the edge ports no longer receive fault notification packets. If

the primary edge port does not receive any fault notification packet, it starts the delay timer.When the delay timer expires, nodes in the SEP segment start blocked port preemption.

To implement delayed preemption in this example, you need to simulate a port fault and then

rectify the fault. For example:

Run the shutdown command on XGE0/0/2 of LSW2 to simulate a port fault, and then run the

undo shutdown command on XGE0/0/2 to rectify the fault.

# Configure the manual preemption mode on LSW2.


[LSW2-sep-segment2] preempt manual



[LSW4-sep-segment3] preempt manual

5. Configure the topology change notification function.

# Configure SEP segment 2 to notify SEP segment 1 of topology changes.

# Configure LSW2.


[LSW2-sep-segment2] tc-notify segment 1


# Configure LSW3.




# Configure SEP segment 3 to notify SEP segment 1 of topology changes.

# Configure LSW3.




# Configure LSW4.




NOTE

The topology change notification function is configured on edge devices between SEP segments so

that the upper-layer network can be notified of topology changes on the lower-layer network.

Step 2 Configure the Layer 2 forwarding function on the CEs and LSW1 to LSW11.



After completing the preceding configurations, do as follows to verify the configuration. LSW1

is taken as an example.

l Run the shutdown command on XGE0/0/1 of LSW2 to simulate a port fault, and then run

the display sep interface command on LSW3 to check whether XGE0/0/4 of LSW3 switches


<LSW3> display sep interface xgigabitethernet 0/0/4

SEP segment 1----------------------------------------------------------------





346




----------------------------------------------------------------


----End

Configuration Files


#

sysname LSW1

#

vlan batch 10 100 200 300

#

sep segment 1

control-vlan 10

block port optimal

preempt delay 30


#

interface XGigabitEthernet0/0/1 port hybrid tagged vlan 10 100 200

stp disable

sep segment 1 edge primary

#





#


port hybrid tagged vlan 10 100 200 300

stp disable


#

return


#

sysname LSW2

#

vlan batch 10 20 100 200

#

sep segment 1

control-vlan 10


sep segment 2

control-vlan 20

block port sysname LSW7 interface XGigabitEthernet0/0/1

tc-notify segment 1


#



stp disable

sep segment 1

#



stp disable


#



stp disable

sep segment 1

#return





347







stp disable

sep segment 1

#

return


#

sysname LSW5

#

vlan batch 10 100 200 300

#

sep segment 1

control-vlan 10


#



stp disable

sep segment 1

#





#


port hybrid tagged vlan 10 100 200 300

stp disable

sep segment 1

#

return


#

sysname LSW6

# vlan batch 20 200

#

sep segment 2

control-vlan 20


#



stp disable

sep segment 2

#



stp disable

sep segment 2

#

return


#

sysname LSW7

#

vlan batch 20 200

#

sep segment 2

control-vlan 20


#



stp disable sep segment 2





349



#



stp disable

sep segment 2

#

interface XGigabitEthernet0/0/3 port hybrid tagged vlan 200

#

return


#

sysname LSW8

#

vlan batch 20 200

#

sep segment 2

control-vlan 20


#



stp disable

sep segment 2

#



stp disable

sep segment 2

#

return


#

sysname LSW9

#

vlan batch 30 100#

sep segment 3

control-vlan 30


#



stp disable

sep segment 3

#



stp disable

sep segment 3

#

return


#

sysname LSW10

#

vlan batch 30 100

#

sep segment 3

control-vlan 30


#



stp disable

sep segment 3#





350





stp disable

sep segment 3

#


port hybrid tagged vlan 100#

return


#

sysname LSW11

#

vlan batch 30 100

#

sep segment 3

control-vlan 30


#



stp disable

sep segment 3

#



stp disable

sep segment 3

#

return


#

sysname CE1

#

vlan batch 100



#

return


#

sysname CE2

#

vlan batch 200

#



#

return

10.7.3 Example for Configuring SEP on a Hybrid-ring Network

In the networking of this configuration example, the two devices where the access layer and the

aggregation layer are intersected do not support SEP. You can configure SEP at the access layer

to implement redundancy protection switching and configure the function of advertising

topology changes on an edge device in a SEP segment. This helps an upper-layer network to

detect topology changes of a lower-layer network in time.


Generally, redundant links are used to connect an Ethernet switching network to an upper-layer network to provide link backup and enhance network reliability. The use of redundant links,





351







NOTE

In this example, devices at the aggregation layer run the MSTP protocol.

As shown in Figure 10-13, multiple Layer 2 switching devices form a ring at the access layer,

and multiple Layer 3 devices form a ring at the aggregation layer, which is connected to the core

layer. In this case, SEP needs to run at the access layer to implement the following functions:

l When there is no faulty link on the ring network, SEP helps to eliminate loops.

l When a link fault occurs on the ring network, SEP helps to rapidly restore the

communication between nodes.

l The function of advertising topology changes should be configured on an edge device in a

SEP segment. This helps an upper-layer network to detect topology changes of a lower-layer network in time.

After receiving a message indicating topology changes of a lower-layer network, a device on an

upper-layer network sends TC packets locally to instruct the other devices to clear associated

MAC addresses and relearn MAC addresses after the topology of the lower-layer network

changes. This ensures nonstop traffic forwarding.





352



Figure 10-13 Networking diagram of a hybrid-ring SEP network

LSW1 LSW2

LSW3

Block Port(SEP)

IP/MPLS Core

A c c e s s

SEP

Segment1

A g g

r e g a t i o n

C o r e

PE1 PE2

PE4PE3

No-neighbor Primary EdXGE Node

No-neighbor Secondary EdXGE

Node

Do not Support SEPXGE0/0/1 XGE0/0/1

XGE0/0/1XGE0/0/1

XGE0/0/1

XGE0/0/1XGE0/0/1

XGE0/0/2XGE0/0/2

XGE0/0/2

XGE0/0/2

XGE0/0/2

XGE0/0/2

XGE0/0/3

XGE0/0/3 XGE0/0/3XGE0/0/2

VLAN100

XGE0/0/3

XGE0/0/1

Block Port(MSTP)

CE

MSTP




(1) Configure SEP segment 1 on LSW1 to LSW3 and configure VLAN 10 as the control

VLAN of SEP segment 1.

(2) Add LSW1 to LSW3 to SEP segment 1 and configure port roles on the edge devicesof the SEP segment, namely, LSW1 and LSW2.





353



NOTE

PE1 and PE2 do not support the SEP protocol; therefore, the ports of LSW1 and LSW2

connected to the PEs must be no-neighbor edge ports.

(3) On the device where the no-neighbor primary edge port is located, specify the port in

the middle of the SEP segment as the port to block.

(4) Configure manual preemption.

(5) Configure the topology change notification function so that the upper-layer network

running MSTP can be notified of topology changes in the SEP segment.

2. Configure basic MSTP functions.

(1) Add PE1 to PE4 to an MST region RG1.

(2) Create VLANs on PE1 to PE4 and add interfaces on the STP ring to the VLANs.

(3) Configure PE3 as the root bridge and PE4 as the backup root bridge.

3. Configure the Layer 2 forwarding function on CE1 and LSW1 to LSW3.

Data Preparation


l SEP segment ID



l Preemption mode

l Method of selecting the port to block

lMST region name, MSTI ID, and priorities of the PEs in the region

Procedure


1. Configure SEP segment 1 on LSW1 to LSW5 and configure VLAN 10 as the control VLAN

of SEP segment 1.





[LSW1-sep-segment1] protected-instance all[LSW1-sep-segment1] quit











[LSW3-sep-segment1] protected-instance all[LSW3-sep-segment1] quit





354



NOTE


automatically displays the command for creating the VLAN.

l Each SEP segment must be configured with a control VLAN. After an interface is added to the

SEP segment configured with a control VLAN, the interface is added to the control VLANautomatically. The configuration file displays port hybrid tagged vlan under this interface.

2. Add LSW1 to LSW3 to SEP segment 1 and configure port roles.

# Configure LSW1.


[LSW1-XGigabitEthernet0/0/1] sep segment 1 edge no-neighbor primary






# Configure LSW2.


[LSW2-XGigabitEthernet0/0/1] sep segment 1 edge no-neighbor secondary






# Configure LSW3.









3. Specify the port to block.

# On LSW1 where the no-neighbor primary edge port of SEP segment 1 is located, specify

the port in the middle of the SEP segment as the port to block.


[LSW1-sep-segment1] block port middle



[LSW1-sep-segment1] preempt maunal

5. Configure the topology change notification function.

# Configure SEP segment 1 to notify the MSTP network of topology changes.

# Configure LSW1.

[LSW1-sep-segment1] tc-notify stp


# Configure LSW2.


[LSW2-sep-segment1] tc-notify stp


After completing the preceding configurations, do as follows to verify the configuration. LSW1

is taken as an example.

l

Run the display sep topology command on LSW1 to view detailed topology information of the SEP segment.





355



The topology information shows that XGE0/0/2 of LSW3 is in Discarding state, and the other

ports are in Forwarding state.

<LSW1> display sep topology

SEP segment 1

----------------------------------------------------------------

System Name Port Name Port Role Port Status----------------------------------------------------------------

LSW1 XGE0/0/1 *primary forwarding

LSW1 XGE0/0/2 common forwarding


LSW3 XGE0/0/2 common discarding


LSW2 XGE0/0/2 *secondary forwarding

Step 2 Configure basic MSTP functions.

1. Configure an MST region

# Configure PE1.


[Quidway] sysname PE1[PE1] stp region-configuration

[PE1-mst-region] region-name RG1

[PE1-mst-region] active region-configuration

[PE1-mst-region] quit

# Configure PE2.


[Quidway] sysname PE2

[PE2] stp region-configuration




# Configure PE3.







# Configure PE4.







2. Create VLANs and add interfaces to VLANs.# On PE1, create VLAN 100 and add XGE0/0/1, XGE0/0/2, and XGE0/0/3 to VLAN 100.

[PE1] vlan 100

[PE1-vlan100] quit

[PE1] interface xgigabitethernet 0/0/1

[PE1-XGigabitEthernet0/0/1] port hybrid tagged vlan 100

[PE1-XGigabitEthernet0/0/1] quit







# On PE2, PE3, and PE4, create VLAN 100 and add XGE0/0/1, XGE0/0/2, and XGE0/0/3to VLAN 100.





356



The configurations of PE2, PE3, and PE3 are similar to the configuration of PE1, and are

not mentioned here. For details about the configuration, see the configuration files.

3. Enable MSTP.

# Configure PE1.

[PE1] stp enable

# Configure PE2.

[PE2] stp enable

# Configure PE3.

[PE3] stp enable

# Configure PE4.

[PE4] stp enable

4. Configure PE3 as the root bridge and PE4 as the backup root bridge.

# Set the priority of PE3 to 0 in MSTI0 to ensure that PE3 functions as the root bridge.

[PE3] stp instance 0 priority 0

[PE3] stp root primary

# Set the priority of PE4 to 4096 in MSTI0 to ensure that PE4 functions as the backup root

bridge.

[PE4] stp instance 0 priority 4096

[PE4] stp root secondary

After the configuration, run the display stp brief command on PE2 to check whether XGE0/0/3

is blocked.

<PE4> display stp brief





Step 3 Configure the Layer 2 forwarding function on the CE and LSW1 to LSW3.



After the configurations are complete and network become stable, run the following commands

to verify the configuration. LSW1 is taken as an example.

l Run the shutdown command on XGE0/0/1 of LSW2 to simulate a port fault, and then run

the display sep interface command on LSW3 to check whether XGE0/0/2 of LSW3 switches


<LSW3> display sep interface xgigabitethernet 0/0/2SEP segment 1

----------------------------------------------------------------


----------------------------------------------------------------


----End

Configuration Files


#

sysname LSW1

# vlan batch 10 100





357



#

sep segment 1

control-vlan 10

block port middle

tc-notify stp




stp disable

sep segment 1 no-neighbor edge primary

#



stp disable

sep segment 1

#

return


#

sysname LSW2

#

vlan batch 10 100

#

sep segment 1

control-vlan 10

tc-notify stp


#



stp disable

sep segment 1

#



stp disable sep segment 1 no-neighbor edge secondary

#

return


#

sysname LSW3

#

vlan batch 10 100

#

sep segment 1

control-vlan 10


#



stp disable

sep segment 1

#



stp disable

sep segment 1

#


port hybrid tagged vlan vlan 100

#

return

l Configuration file of PE1

# sysname PE1





358



#

vlan batch 100

#

stp enable

#


region-name RG1 active region-configuration

#



#



#



#

return


#

sysname PE2

#

vlan batch 100

#

stp enable

#


region-name RG1


#



#





#

return


#

sysname PE3

#

vlan batch 100 200

#

stp instance 0 root primary

stp enable

#

stp region-configuration region-name RG1


#



#



#





#

return





359




#

sysname PE4

#

vlan batch 100 200

#

stp instance 0 root secondary

stp enable

#


region-name RG1


#



#



#



port hybrid tagged vlan 100 port hybrid untagged vlan 200

#

return


#

sysname CE1

#

vlan batch 100

#



#

return

10.7.4 Example for Configuring a Hybrid SEP+RRPP Ring Network(Reporting the Topology Changes of a Lower-Layer Network)

In the networking of this configuration example, you can configure SEP at the access layer to

implement redundancy protection switching and configure the function of advertising topology

changes on an edge device in a SEP segment. This helps an upper-layer network to detect

topology changes of a lower-layer network in time.


Generally, redundant links are used to connect an Ethernet switching network to an upper-layer network to provide link backup and enhance network reliability. The use of redundant links,









360



Figure 10-14 Networking diagram for hybrid rings running SEP+RRPP

LSW1 LSW2

LSW3

Block Port(SEP)

NPE1 NPE2

Network

A c c e s

s

SEP

Segment1

RRPP A g

g r e g a t i o n

PE1 PE2

PE4PE3

Primary Edge Node

Secondary Edge Node

XGE0/0/1 XGE0/0/1

XGE0/0/1XGE0/0/1

XGE0/0/1

XGE0/0/1XGE0/0/1

XGE0/0/2XGE0/0/2

XGE0/0/2

XGE0/0/2

XGE0/0/2

XGE0/0/2

XGE0/0/3

XGE0/0/3 XGE0/0/3XGE0/0/2

VLAN100

XGE0/0/3

XGE0/0/1

Block Port(RRPP)

CE

As shown in Figure 10-14, Multiple Layer 2 switching devices at the access layer and

aggregation layer form a ring network to access the core layer. RRPP has been configured at the

aggregation layer to eliminate loops. In this case, SEP needs to run at the access layer to

implement the following functions:

l When there is no faulty link on the ring network, SEP helps to eliminate loops.

l When a link fault occurs on the ring network, SEP helps to rapidly restore the

communication between nodes.

l The function of advertising topology changes should be configured on an edge device in a

SEP segment. This helps an upper-layer network to detect topology changes of a lower-layer network in time.





361



After receiving a message indicating topology changes of a lower-layer network, a device

on an upper-layer network sends TC packets locally to instruct the other devices to clear

associated MAC addresses and relearn MAC addresses after the topology of the lower-

layer network changes. This ensures nonstop traffic forwarding.




(1) Configure the segment with the ID of 1 and the control VLAN with the ID of 10 on

PE1, PE2 and LSW1 to LSW3.

(2) Add PE1, PE2 and LSW1 to LSW3 to a SEP segment, and configure the roles of the

interfaces that reside on PE1 and PE2 and are added to SEP segment.

(3) Set an interface blocking mode on a primary edge interface to specify an interface to

block.

(4) Configure the SEP preemption mode to ensure that the user-defined blocked interface

takes effect when a fault is cleared.

(5) Configure the function of advertising the topology change of a SEP segment so that

the topology change of the local SEP segment can be advertised to the upper-layer

network where RRPP is enabled.

2. Configure basic RRPP functions.

(1) Add PE1 to PE4 to a rrpp domain with the ID of 1, create a control VLAN with the

ID of 5 on PE1 to PE4, and configure a protected VLAN.

(2) Configure PE1 as the master node and PE2 to PE4 as the transmit node of the major

ring, and configure the primary interface and secondary interface of the nodes.

(3) Create a VLAN on PE1 to PE4, and then add the interfaces on the RRPP ring network

to the VLAN.

3. Configure a VLAN on PE3 and PE4 to transmit VRRP packets and BFD packets.

Data Preparation

To complete the configuration, you need the following data.

l SEP segment ID, control VLAN ID, roles of interfaces added to the SEP segment, interface

blocking mode, and SEP preemption mode.

l RRPP domain ID, RRPP ring ID and control VLAN ID.

Procedure


1. Configure a SEP segment with the ID being 1 and a control VLAN with the ID being 10.

# Configure PE1.



[PE1] sep segment 1

[PE1-sep-segment1] control-vlan 10

[PE1-sep-segment1] protected-instance all

[PE1-sep-segment1] quit

# Configure PE2.





362





[PE2] sep segment 1

[PE2-sep-segment1] control-vlan 10

[PE2-sep-segment1] protected-instance all




















2. Add PE1, PE2 and LSW1 to LSW3 to Segment1 and configure roles of interfaces.

NOTE

By default, STP is enabled on a interface. Before adding an interface to a SEP segment, disable STP

on the interface.

# Configure PE1.


[PE1-XGigabitEthernet0/0/1] stp disable

[PE1-XGigabitEthernet0/0/1] sep segment 1 edge primary


# Configure LSW1.


[LSW1-XGigabitEthernet0/0/1] sep segment 1 edge no-neighbor primary






# Configure LSW2.

[LSW2] interface xgigabitethernet 0/0/1[LSW2-XGigabitEthernet0/0/1] sep segment 1 edge no-neighbor secondary






# Configure LSW3.












363



# Configure PE2.



[PE2-XGigabitEthernet0/0/1] sep segment 1 edge secondary


After completing the preceding configurations, run the display sep topology command onPE1 to view the topology of the SEP segment. You can see that the blocked interface is

one of the last two interfaces that complete neighbor negotiation.

[PE1] display sep topology

SEP segment 1

-----------------------------------------------------------------

System Name Port Name Port Role Port Status

-----------------------------------------------------------------

PE1 XGE0/0/1 primary forwarding






LSW2 XGE0/0/1 common forwardingPE2 XGE0/0/1 secondary discarding

3. Set an interface blocking mode.

# In Segment1, block the interface in the middle of the SEP segment on PE1 where the

primary edge interface resides.

[PE1] sep segment 1

[PE1-sep-segment1] block port middle

4. Set the preemption mode.

# In Segment1, set the preemption mode on PE1 where the primary edge interface resides

to manual preemption.

[PE1-sep-segment1] preempt maunal

5. Advertise SEP topology changes.

# In Segment1, advertise the topology change to RRPP.

# Configure PE1.

[PE1-sep-segment1] tc-notify rrpp


# Configure PE2.

[PE2] sep segment 1

[PE2-sep-segment1] tc-notify rrpp


After the preceding configurations are successful, perform the following operations to verify the

configurations. Take PE1 as an example.

l Run the display sep topology command on PE1 to view the information about the topology

of the SEP segment.

The command output shows that the forwarding status of XGE 0/0/2 on LSW3 is

discarding and the forwarding status of the other interfaces is forwarding.

[PE1] display sep topology

SEP segment 1

-----------------------------------------------------------------


-----------------------------------------------------------------

PE1 XGE0/0/1 primary forwarding



LSW3 XGE0/0/2 common discardingLSW3 XGE0/0/1 common forwarding





364





PE2 XGE0/0/1 secondary forwarding

l Run the display sep interface verbose command on PE1 to view the detailed information

about the interfaces added to the SEP segment.

[PE1] display sep interface verbose

SEP segment 1

Control-vlan :10

Preempt Delay Timer :0

TC-Notify Propagate to :rrpp

----------------------------------------------------------------

Interface :XGE0/0/1

Port Role :Config = primary / Active = primary

Port Priority :64

Port Status :forwarding

Neighbor Status :up

Neighbor Port :LSW1 - XGE0/0/1 (00e0-0829-7c00.0000)

NBR TLV rx :2124 tx :2126

LSP INFO TLV rx :2939 tx :135

LSP ACK TLV rx :113 tx :768

PREEMPT REQ TLV rx :0 tx :3PREEMPT ACK TLV rx :3 tx :0

TC Notify rx :5 tx :3

EPA rx :363 tx :397

Step 2 Configure basic RRPP functions.

1. Add PE1 to PE4 to a rrpp domain with the ID of 1, create a control VLAN with the ID of

5 on PE1 to PE4, and configure a protected VLAN.

# Configure PE1.



[PE1] rrpp domain 1

[PE1-rrpp-domain-region1] control-vlan 100

[PE1-rrpp-domain-region1] protected-vlan reference-instance all

# Configure PE2.



[PE2] rrpp domain 1



# Configure PE3.



[PE3] rrpp domain 1



# Configure PE4.



[PE4] rrpp domain 1



2. Create a VLAN and add interfaces on the ring network to the VLAN.

# Create VLAN 100 on PE1, and then add XGE 0/0/1, XGE 0/0/2, and XGE 0/0/3 to VLAN

100.

[PE1] vlan 100

[PE1-vlan100] quit


[PE1-XGigabitEthernet0/0/1] stp disable[PE1-XGigabitEthernet0/0/1] port link-type trunk





365



[PE1-XGigabitEthernet0/0/1] port trunk allow-pass vlan 100




[PE1-XGigabitEthernet0/0/2] port link-type trunk


[PE1-XGigabitEthernet0/0/2] quit[PE1] interface xgigabitethernet 0/0/3





# Create VLAN 100 on PE2, and then add XGE 0/0/1, XGE 0/0/2, and XGE 0/0/3 to VLAN

100.

[PE2] vlan 100

[PE2-vlan100] quit





[PE2-XGigabitEthernet0/0/1] quit[PE2] interface xgigabitethernet 0/0/2










# Create VLAN 100 on PE3, and then add XGE 0/0/1 and XGE 0/0/2 to VLAN 100.

[PE3] vlan 100

[PE3-vlan100] quit











# Create VLAN 100 on PE4, and then add XGE 0/0/1 and XGE 0/0/2 to VLAN 100.

[PE4] vlan 100

[PE4-vlan100] quit



[PE4-XGigabitEthernet0/0/1] port link-type trunk[PE4-XGigabitEthernet0/0/1] port trunk allow-pass vlan 100







3. Configure PE1 as the master node and PE2 to PE4 as the transmit node of the major ring,

and configure the primary interface and secondary interface of the nodes.

# Configure PE1.

[PE1] rrpp domain 1

[PE1-rrpp-domain-region1] ring 1 node-mode master primary-port

gigabitEthernet0/0/2 secondary-port gigabitEthernet0/0/3 level 0[PE1-rrpp-domain-region1] ring 1 enable





366



# Configure PE2.

[PE2] rrpp domain 1

[PE2-rrpp-domain-region1] ring 1 node-mode transit primary-port

gigabitEthernet0/0/2 secondary-port gigabitEthernet0/0/3 level 0

[PE2-rrpp-domain-region1] ring 1 enable

# Configure PE3.[PE3] rrpp domain 1




# Configure PE4.

[PE4] rrpp domain 1




4. Enable RRPP.

# Configure PE1.

[PE1] rrpp enable

# Configure PE2.

[PE2] rrpp enable

# Configure PE3.

[PE3] rrpp enable

# Configure PE4.

[PE4] rrpp enable

After completing the preceding configurations, run the display rrpp brief or display rrpp

verbose domain command on PE1 to check the RRPP configuration.[PE1] display rrpp brief

Abbreviations for Switch Node Mode :M - Master , T - Transit , E - Edge , A - Assistant-Edge

RRPP Protocol Status: Enable

RRPP Working Mode: HW

RRPP Linkup Delay Timer: 0 sec (0 sec default)

Number of RRPP Domains: 1

Domain Index : 1

Control VLAN : major 5 sub 6

Protected VLAN : Reference Instance 1

Hello Timer : 1 sec(default is 1 sec) Fail Timer : 6 sec(default is 6 sec)

Ring Ring Node Primary/Common Secondary/Edge Is

ID Level Mode Port Port Enabled

----------------------------------------------------------------------------

1 0 M XGigabitEthernet0/0/2 XGigabitEthernet0/0/3 Yes

You can view that RRPP is enabled on PE1. In domain 1, VLAN 5 is the major control VLAN,

VLAN 6 is the sub-control VLAN, Instance1 is the protected VLAN, and PE1 is the master node

in major ring 1 with the primary interface and secondary interface respectively as

XGigabitEthernet 0/0/2 and XGigabitEthernet 0/0/3.

[PE1] display rrpp verbose domain 1

Domain Index : 1

Control VLAN : major 5 sub 6

Protected VLAN : Reference Instance 1

Hello Timer : 1 sec(default is 1 sec) Fail Timer : 6 sec(default is 6 sec)

RRPP Ring : 1

Ring Level : 0

Node Mode : MasterRing State : Complete





367



Is Enabled : Enable Is Active: Yes

Primary port : XGigabitEthernet0/0/2 Port status: UP

Secondary port : XGigabitEthernet0/0/3 Port status: BLOCKED

You can view that in domain 1, VLAN 5 is the major control VLAN, VLAN 6 is the sub-control

VLAN, Instance1 is the protected VLAN, and PE1 is the master node in major ring 1 with the

primary interface and secondary interface respectively as XGigabitEthernet 0/0/2 and

XGigabitEthernet 0/0/3, and the node status is Complete.

Step 3 Configure the Layer 2 forwarding function on the CE, LSW1 to LSW3 and PE1 to PE4.

The configuration details are not mentioned here. For details, see configuration files in this

example.


After the previous configurations, run the following commands to verify the configuration after

the network is stable. Take LSW1 as an example.

lRun the shutdown command on XGE 0/0/1 on LSW2 to simulate an interface fault, and thenrun the display sep interface command on LSW3 to check whether the status of XGE 0/0/2

changes from blocked to forwarding.

[LSW3] display sep interface xgigabitethernet 0/0/2

SEP segment 1

----------------------------------------------------------------


----------------------------------------------------------------


----End

Configuration Files

l Configuration file of LSW1#

sysname LSW1

#

vlan batch 10 100

#

sep segment 1

control-vlan 10


#




stp disable

sep segment 1

#




stp disable

sep segment 1

#

return


#

sysname LSW2#





368



vlan batch 10 100

#

sep segment 1

control-vlan 10


#




stp disable

sep segment 1

#




stp disable

sep segment 1

#

return


#

sysname LSW3

#

vlan batch 10 100

#

sep segment 1

control-vlan 10


#


port link-type trunk port trunk allow-pass vlan 10 100

stp disable

sep segment 1

#




stp disable

sep segment 1

#




#

return


#

sysname PE1

#

vlan batch 5 to 6 100

#

rrpp enable

#


instance 1 vlan 5 to 6 100

active region-configuration#





369



rrpp domain 1

control-vlan 5

protected-vlan reference-instance 1

ring 1 node-mode master primary-port XGigabitEthernet 0/0/2 secondary-port

XGigabitEthernet 0/0/3 level 0

ring 1 enable

#sep segment 1

control-vlan 10

block port middle

tc-notify rrpp


#




stp disable


#



port trunk allow-pass vlan 5 to 6 100

stp disable

#




stp disable

#

return

l

Configuration file of PE2#

sysname PE2

#

vlan batch 5 to 6 100

#

rrpp enable

#




#

rrpp domain 1

control-vlan 5


ring 1 node-mode transit primary-port XGigabitEthernet 0/0/2 secondary-port


ring 1 enable

#

sep segment 1

control-vlan 10

tc-notify rrpp


#




stp disable







370





stp disable

#




stp disable

#

return


#

sysname PE3

#

vlan batch 5 to 6 100 200

#

rrpp enable

#




#

rrpp domain 1

control-vlan 5




ring 1 enable

#


port link-type trunk port trunk allow-pass vlan 100

stp disable

#



port trunk allow-pass vlan 5 to 6 100 200

stp disable

#




#

return


#

sysname PE4

#

vlan batch 5 to 6 100 200

#

rrpp enable

#




#

rrpp domain 1 control-vlan 5





371






ring 1 enable

#




stp disable

#



port trunk allow-pass vlan 5 to 6 100 200

stp disable

#




#

return


#

sysname CE1

#

vlan batch 100

#




#

return

10.7.5 Example for Configuring SEP Multi-Instance on a ClosedRing Network

On a closed ring network, two SEP segments are configured to process different VLAN services,

implement load balancing, and provide link backup.


In common SEP networking, a physical ring can be configured with only one SEP segment in

which only one interface can be blocked. If an interface in the SEP segment in the complete stateis blocked, all user data is transmitted only along the path where the primary edge interface is

located. The path where the secondary edge interface is located is idle, which leads to a waste

of bandwidth.

To solve the problem of bandwidth waste and to implement traffic load balancing, Huawei

develops SEP multi-instance.





372



Figure 10-15 Networking diagram for configuring SEP multi-instance on a closed ring network

A

c c e s s

A g g r e g a

t i o n

C o r e

IP/MPLS Core

XGE0/0/2

NPE1 NPE2

XGE0/0/2

LSW1

LSW2 LSW3

LSW4

SEP Segment2

XGE0/0/1XGE0/0/1

X G E 0 /

0 / 2

XGE0/0/1

X G E 0 / 0 / 2

X G E 0 /

0 / 3 X G E 0 / 0 / 3

XGE0/0/3

XGE0/0/1

Block Port

Primary EdXGE

NodeSecondary EdXGE

Node

XGE0/0/3

XGE0/0/1

XGE0/0/1P1P2

Instance1:VLAN

100~300

Instance2:VLAN

301~500

CE1 CE2

SEP Segment1

As shown in Figure 10-15, a ring network comprising Layer 2 switches LSW1 to LSW5 is

connected to a core network. SEP runs at the aggregation layer. SEP multi-instance is configured

on LSW1 to LSW4. This allows two SEP segments to solve the problem of bandwidth waste,

implement load balancing, and provide link backup.



1. Create two SEP segments and one control VLAN on LSW1 to LSW4.





373



Different SEP segments can use the same control VLAN.

2. Configure SEP protected instances, and set mappings between SEP protected instances and

user VLANs to ensure that topology changes affect only corresponding VLANs.

3. Add all the devices on the ring network to the SEP segments, and configure XGE 0/0/1 as

the primary edge interface and XGE 0/0/3 as the secondary edge interface on LSW1.

4. Enable the function of specifying an interface to block on the device where the primary

edge interface resides.

5. Configure the SEP preemption mode to ensure that the specified blocked interface takes

effect when a fault is rectified.

6. Configure the Layer 2 forwarding function on CE1, CE2, and LSW1 to LSW4.

Data Preparation


l ID of each SEP segment

l ID of a control VLAN

l role of each interface added to each SEP segment

l mode of blocking an interface

l preemption mode

l ID of each SEP protection instance

Procedure


l Configure a SEP segment with the ID of 1 and a control VLAN with the ID of 10.








[LSW2] sep segment1













l Configure a SEP segment with the ID of 2 and a control VLAN with the ID of 10.

# Configure LSW1.[LSW1] sep segment 2





374





# Configure LSW2.[LSW2] sep segment2









NOTE

l The control VLAN must be a new one.

l The command used to create a common VLAN is automatically displayed in a configuration file.

l Each SEP segment must be configured with a control VLAN. After being added to a SEP segmentconfigured with a control VLAN, an interface is added to the control VLAN automatically.

Step 2 Configure SEP protected instances, and then configure mappings between SEP protected

instances and user VLANs.

# Configure LSW1.[LSW1] vlan batch 100 to 500


[LSW1-sep-segment1] protected-instance 1



[LSW1-sep-segment2] protected-instance 2


[LSW1] stp region-configuration

[LSW1-mst-region] instance 1 vlan 100 to 300

[LSW1-mst-region] instance 2 vlan 301 to 500

[LSW1-mst-region] active region-configuration

[LSW1-mst-region] quit

The configurations of LSW2 to LSW4 are similar to those of LSW1, and are not provided here.

For details, see configuration files in this configuration example.

Step 3 Add all the devices on the ring network to the SEP segments and configure interface roles.

NOTE

By default, STP is enabled on a Layer 2 interface. Before adding an interface to a SEP segment, disable

STP on the interface.

# On LSW1, configure XGE 0/0/1 as the primary edge interface and XGE 0/0/3 as the secondaryedge interface.











# Configure LSW2.

[LSW2] interface xgigabitethernet 0/0/1[LSW2-XGigabitEthernet0/0/1] stp disable





375






























After completing the preceding configurations, run the display sep topology command on

LSW1 to view the topology of each SEP segment. You can see that the blocked interface is one

of the last two interfaces that complete neighbor negotiation.[LSW1] display sep topology

SEP segment 1

-----------------------------------------------------------------


-----------------------------------------------------------------

LSW1 XGE0/0/1 primary forwarding







LSW1 XGE0/0/3 secondary discarding

SEP segment 2-----------------------------------------------------------------


-----------------------------------------------------------------








LSW1 XGE0/0/3 secondary discarding

Step 4 Specify an interface to block.

# Configure delayed preemption and the mode of blocking an interface to be based on the devicename and interface name on LSW1 where the primary edge interface is located.





376









[LSW1-sep-segment2] preempt delay 15[LSW1-sep-segment2] quit

NOTE

l In this configuration example, an interface fault needs to be simulated and then rectified to implement

delayed preemption. To ensure that delayed preemption takes effect on the two SEP segments, simulate

an interface fault in the two SEP segment. For example:

l In SEP segment 1, run the shutdown command on XGE 0/0/1 of LSW2 to simulate an interface

fault. Then, run the undo shutdown command on XGE 0/0/1 to simulate interface fault recovery.

l In SEP segment 2, run the shutdown command on XGE 0/0/1 of LSW3 to simulate an interface

fault. Then, run the undo shutdown command on XGE 0/0/1 to simulate interface fault recovery.

After completing the preceding operations, view SEP topologies. Use the display on LSW1 as

an example.

Run the display sep topology command on LSW1. You can view information about the topology

of each SEP segment.

[LSW1] display sep topology

SEP segment 1

-----------------------------------------------------------------


-----------------------------------------------------------------








LSW1 XGE0/0/3 secondary forwarding

SEP segment 2

-----------------------------------------------------------------


-----------------------------------------------------------------








LSW1 XGE0/0/3 secondary forwarding

From the preceding command output, you can see:

l On LSW3 in SEP segment 1, XGE 0/0/1 is in the discarding state, and the other interfaces

are in the forwarding state.

l On LSW2 in SEP segment 2, XGE 0/0/1 is in the discarding state, and the other interfaces

are in the forwarding state.

Step 5 Configure the Layer 2 forwarding function on CE1, CE2, and LSW1 to LSW4.

The configuration details are not provided here. For details, see configuration files in this

example.






377



Simulate a fault, and then check whether the status of the blocked interface changes from blocked

to forwarding.

Run the shutdown command on XGE 0/0/1 of LSW2 to simulate an interface fault.

Run the display sep interface command on LSW3 to check whether the status of XGE0/0/1 inSEP segment 1 changes from blocked to forwarding.

[LSW3] display sep interface xgigabitethernet 0/0/1

SEP segment 1

----------------------------------------------------------------


----------------------------------------------------------------


SEP segment 2

----------------------------------------------------------------


----------------------------------------------------------------


The preceding command output shows that the status of XGE 0/0/1 changes from blocked toforwarding and the forwarding path change in SEP segment 1 does not affect the forwarding

path in SEP segment 2.

----End

Configuration Files


#

sysname LSW1

#

vlan batch 10 100 to 500#





#

sep segment 1

control-vlan 10


preempt delay 15

protected-instance 1

sep segment 2

control-vlan 10


preempt delay 15


#



port trunk allow-pass vlan 10 100 to 500

stp disable



#




stp disable



#return





378




#

sysname LSW2

#


# stp region-configuration




#

sep segment 1

control-vlan 10


sep segment 2

control-vlan 10


#




stp disable sep segment 1

sep segment 2

#




stp disable

sep segment 1

sep segment 2

#




#

return


#

sysname LSW3

#


#





#

sep segment 1

control-vlan 10


sep segment 2

control-vlan 10


#




stp disable

sep segment 1

sep segment 2

#




stp disable

sep segment 1 sep segment 2





379



#




#

return


#

sysname LSW4

#

vlan batch 10 60 100 to 500

#





#

sep segment 1

control-vlan 10


sep segment 2

control-vlan 10


#




stp disable

sep segment 1

sep segment 2

#




stp disable

sep segment 1

sep segment 2#

return


#

sysname CE1

#


#




#

return


#

sysname CE2

#


#




#

return





380





This section provides examples for configuring interface, VLAN, and QinQ based Layer 2

protocol transparent transmission.


Configuration Guide - Ethernet 11 Layer 2 Protocol Transparent Transmission Configuration



382



11.1 Overview of Layer 2 Protocol TransparentTransmission

This section describes the concept of Layer 2 protocol transparent transmission.

Background

In certain network environments, packets of Layer 2 protocols such as MSTP, HGMP, and LACP

need to be transmitted between user networks across the backbone network to complete

calculation of the protocols.

As shown in Figure 11-1, user network 1 and user network 2 run Layer 2 protocols, for example,

MSTP. Layer 2 protocol packets of user network 1 must traverse the backbone network to reach

user network 2 so that the spanning tree can be calculated. Packets of a Layer 2 protocol usuallyuse the same destination MAC address. For example, MSTP packets are BPDUs that use 0180-

C200-0000 as the destination MAC address. Therefore, when the BPDUs reach a PE on the

backbone network, the PE cannot identify whether the BPDUs are sent from a user network or

the backbone network. As a result, the PE sends the BPDUs to the CPU for spanning tree

calculation.

In this case, the spanning tree is calculated between the devices of user network 1 and PE1, and

the devices of user network 2 are not involved in the calculation. Therefore, BPDUs of user

network 1 cannot be sent to user network 2 through the backbone network.

Figure 11-1 Transparent transmission of Layer 2 protocol packets on an ISP network

ISP

network

User network1

User network2

CE1 CE2

PE1 PE2

Layer 2 protocol transparent transmission can solve this problem.

To transparently transmit Layer 2 protocol packets on the backbone network, the followingrequirements must be met:





383



l Each site on a user network can receive Layer 2 protocol packets from other sites.

l Layer 2 protocol packets sent from a user network are not processed by CPUs of devices

on the backbone network.

l Layer 2 protocol packets of different user networks are separated from each other.

A Layer 2 protocol packet is transparently transmitted as follows:

l A user-side device on the backbone network replaces the multicast destination MAC

address of Layer 2 protocol packets with a specified multicast MAC address.

l Devices on the backbone network determine whether to add an outer VLAN tag to the

packet according to the transparent transmission mode.

l The egress device on the backbone network restores the original multicast destination MAC

address of the packet according to the mappings between multicast destination MAC

addresses and Layer 2 protocols. The egress device also determines whether to remove the

outer VLAN tag, and then forwards the packet to the user network.

11.2 Layer 2 Protocol Transparent Transmission FeaturesSupported by the S6700

This section describes the Layer 2 protocol transparent transmission features supported by the

S6700.

Based on application scenarios, the S6700 supports the following Layer 2 protocol transparent

transmission features:

l Interface-based Layer 2 protocol transparent transmission

l VLAN-based Layer 2 protocol transparent transmission

l QinQ-based Layer 2 protocol transparent transmission

Currently, the S6700 can transparently transmit packets of the following Layer 2 protocols:

l Spanning Tree Protocol (STP)

l Link Aggregation Control Protocol (LACP)

l Ethernet Operation, Administration, and Maintenance 802.3ah (EOAM3ah)

l Link Layer Discovery Protocol (LLDP)

l Generic VLAN Registration Protocol (GVRP)

l Generic Multicast Registration Protocol (GMRP)

l HUAWEI Group Management Protocol (HGMP)

l VLAN Trunking Protocol (VTP)

l Unidirectional Link Detection (UDLD)

l Port Aggregation Protocol (PAGP)

l Cisco Discovery Protocol (CDP)

l Per VLAN Spanning Tree Plus (PVST+)

l Shared Spanning Tree Protocol (SSTP)

l Dynamic Trunking Protocol (DTP)

l User-defined protocols





384





VLAN-based Layer 2 Protocol Transparent Transmission

Figure 11-3 Networking of VLAN-based Layer 2 protocol transparent transmission

CE-VLAN 200

CE-VLAN 100

LAN-B

MSTP

ISP NetworkPE 1

PE 3

PE 2

LAN-A

MSTP

LAN-B

MSTP

LAN-B

MSTP

LAN-A

MSTP

CE-VLAN 100

BPDU Tunnel

CE-VLAN 200

CE-VLAN 100

Trunk

100-200Trunk

100-200

A PE generally functions as an aggregation device. As shown in Figure 11-3, the aggregation

interface on PE1 can receive BPDUs from LAN-A and LAN-B. To differentiate BPDUs from

the two LANs, BPDUs sent from CEs to PEs must have VLAN tags. In Figure 11-3, packets

sent from LAN-A contain VLAN 200 and packets sent from LAN-B contain VLAN 100.

Packets of certain Layer 2 protocols such as STP, RSTP, and MSTP are untagged. When

receiving Layer 2 protocol packets with VLAN tags, PEs consider the packets invalid and discard

them. In this case, you can configure VLAN-based Layer 2 protocol transparent transmissionon PEs so that Layer 2 protocol packets can traverse the backbone network through Layer 2

tunnels.

Similar to interface-based Layer 2 protocol transparent transmission, you can use either of the

following methods to implement VLAN-based Layer 2 protocol transparent transmission:

l Replace the original multicast MAC address of Layer 2 protocol packets from user networks

with a specified multicast MAC address.

NOTE

This method is applicable to all Layer 2 protocols.

1. Configure devices on user networks to send Layer 2 protocol packets with the specifiedVLAN IDs to the backbone network.





386



2. Enable PEs to identify Layer 2 protocol packets with the specified VLAN IDs and

allow these packets to pass.

3. PEs replace the standard multicast destination MAC address of Layer 2 protocol

packets with a specified multicast MAC address according to the mappings between

multicast destination MAC addresses and Layer 2 protocols.4. Internal nodes on the backbone network forward the packets across the backbone

network as common Layer 2 packets.

5. The egress device of the backbone network restores the original destination MAC

address of the packets according to the mappings between multicast destination MAC

addresses and Layer 2 protocols, and then forwards the packets to user networks.

QinQ-based Layer 2 Protocol Transparent Transmission

l QinQ overview

The QinQ protocol is a Layer 2 tunneling protocol based on IEEE 802.1Q. The QinQ

technology improves utilization of VLANs by adding another 802.1Q tag to a packet. Inthis manner, services on a private VLAN can be transparently transmitted to the public

network. A packet transmitted on the backbone network is called a QinQ packet because

it has two 802.1Q tags (a public tag and a private tag), that is, 802.1Q-in-802.1Q.

Figure 11-4 shows the format of a QinQ packet. Compared with an 802.1Q packet, a QinQ

packet contains an additional tag following the source address (SA) field. This tag is called

an outer tag or a public tag and contains the VLAN ID of the public network. The inner tag

is known as the private tag and contains the VLAN ID of the private network.

NOTE

The QinQ function configured on a Layer 2 interface is called VLAN stacking.

Figure 11-4 802.1Q encapsulation and QinQ encapsulation

DA

ETYPE2 Bytes

TAG2 Bytes

LEN/ETYPE2 Bytes

DATA46 Byte~1500 Bytes

DA6 Bytes

SA6 Bytes

ETYPE2 Bytes

TAG2 Bytes

DATA46 Byte~1500 Bytes

FCS4 Bytes

ETYPE2 Bytes

TAG2 Bytes

CFI VLAN ID0x8100 Priority

802.1Q Encapsulation

QinQ

Encapsulation

SA6 Bytes

FCSLEN/ETYPE2 Bytes6 Bytes 4 Bytes

l QinQ-based Layer 2 protocol transparent transmission





387



Figure 11-5 Networking of QinQ-based Layer 2 protocol transparent transmission

CE-VLAN 200

ISP NetworkPE 1 PE 2

LAN-AMSTP

LAN-BMSTP LAN-BMSTP

LAN-A

MSTP

CE-VLAN 100

PE-VLAN20:CE-VLAN 100~199

PE-VLAN30:CE-VLAN 200~299

CE-VLAN 200

CE-VLAN 100

BPDU Tunnel

BPDU Tunnel

When a great number of user networks are connected to the backbone network, considerable

VLAN IDs of the ISP are required if packets are transparently transmitted based on VLANs.In this case, BPDUs can be forwarded in QinQ mode on the backbone network.

As shown in Figure 11-5, QinQ-based Layer 2 protocol transparent transmission is

configured on aggregation interfaces of PEs. Packets from different user networks are

encapsulated in different outer VLAN tags. QinQ-based Layer 2 protocol transparent

transmission is implemented as follows:

1. Configure devices on user networks to send Layer 2 protocol packets with the specified

VLAN IDs to the backbone network.

2. Enable Layer 2 protocol transparent transmission and QinQ on interfaces of the ingress

device on the backbone network.

3. Configure PEs to add different outer VLAN tags (public VLAN IDs) to packetsaccording to customer VLAN IDs.

4. PEs select different Layer 2 tunnels according to outer VLAN tags of packets. Then

the Layer 2 protocol packets are forwarded by internal nodes on the backbone network

as common Layer 2 packets.

5. Enable Layer 2 protocol transparent transmission and QinQ on interfaces of the egress

device on the backbone network.

6. The egress device removes outer VLAN tags of the packets and forwards the packets

to user networks according to customer VLAN IDs.

As shown in Figure 11-5, PEs add outer VLAN 20 to Layer 2 protocol packets of VLAN

100 to VLAN 199 and add outer VLAN 30 to Layer 2 protocol packets of VLAN 200 toVLAN 299, and then forward the packets to other devices on the backbone network. In this





388





Context

When non-standard Layer 2 protocol packets with a certain multicast destination address need

to be transparently transmitted on the backbone network, you can define characteristic

information about the Layer 2 protocol.

Do as follows on PEs.

Procedure

Step 1 Run:

system-view


Step 2 Run:

l2protocol-tunnel user-defined-protocol protocol-name protocol-mac protocol-mac

[ encape-type { { ethernetii | snap } protocol-type protocol-type | llc dsap dsap-

value ssap ssap-value } ] group-mac { group-mac | default-group-mac }

The characteristic information about the Layer 2 protocol is defined, including the protocol

name, Ethernet encapsulation format and destination MAC address of Layer 2 protocol packets,

and MAC address that replaces the destination MAC address.

When defining characteristic information about a Layer 2 protocol, do not use the following

multicast MAC addresses to replace the destination MAC address of Layer 2 protocol packets:

l Destination MAC addresses of BPDUs: 0180-C200-0000 to 0180-C200-002F

l Destination MAC address of Smart Link packets: 010F-E200-0004

l Special multicast MAC addresses: 0100-0CCC-CCCC and 0100-0CCC-CCCD

l Common multicast MAC addresses that have been used on the device

----End

11.3.3 Configuring the Transparent Transmission Mode of Layer 2Protocol Packets

Context

Layer 2 protocol transparent transmission is implemented by replacing the original multicast

MAC address of Layer 2 protocol packets from user networks with a specified multicast MACaddress.

Procedure



1. Run:

system-view


2. Run:l2protocol-tunnel protocol-type group-mac group-mac





390



The original multicast destination MAC address of Layer 2 protocol packets is

replaced with a specified multicast MAC address.

NOTE


When configuring Layer 2 protocol transparent transmission, do not use the following multicast

MAC addresses to replace the destination MAC address of Layer 2 protocol packets:





----End

11.3.4 Enabling Layer 2 Protocol Transparent Transmission on an

Interface

Context

Do as follows on PEs according to the type of Layer 2 protocol packets to be transparently

transmitted.

Procedure

Step 1 Run:

system-view


Step 2 Run:


The user-side interface view is displayed.

Step 3 Run:

port hybrid pvid vlan vlan-id

The default VLAN of the interface is configured.

Step 4 Run:

port hybrid untagged vlan vlan-id

The interface is added to the default VLAN in untagged mode.

Step 5 Run:

port hybrid tagged vlan { { vlan-id1 [ to vlan-id2 ] } &<1-10> | all }

The interface is added to the specified VLANs in tagged mode.

NOTE

The range of VLAN IDs specified in this step must include VLAN IDs of Layer 2 protocol packets from

user networks.

Step 6 Run:

l2protocol-tunnel { all | protocol-type | user-defined-protocol protocol-name }enable





391



Layer 2 protocol transparent transmission is enabled on the interface.

NOTE

l For details on how to add an interface to VLANs, see the VLAN configuration in the S6700

Configuration Guide- Ethernet .

l Before specifying a user-defined protocol in the l2protocol-tunnel command, run the l2protocol-

tunnel user-defined-protocol command to define characteristic information about the Layer 2

protocol. STP packets have a default MAC address for replacing the original destination MAC address.

For packets of other Layer 2 protocols, you need to configure a global MAC address to replace the

destination MAC address. For details, see l2protocol-tunnel group-mac.

l The l2protocol-tunnel and l2protocol-tunnel vlan commands cannot specify the same protocol type

on the same interface; otherwise, the configurations conflict.

----End

11.3.5 Checking Configuration

Context

Configurations of interface-based Layer 2 protocol transparent transmission are complete.

Procedure

l Run the display l2protocol-tunnel group-mac { all | protocol-type | user-defined-

protocol protocol-name } command to check information about transparent transmission

of specified or all Layer 2 protocol packets.

----End

11.4 Configuring VLAN-based Layer 2 Protocol TransparentTransmission

When each interface of devices on the backbone network is connected to multiple user networks

and Layer 2 protocol packets sent from user network contain VLAN tags, you can configure

VLAN-based Layer 2 protocol transparent transmission so that Layer 2 protocol packets are

transparently transmitted on the backbone network.




and Layer 2 protocol packets sent from user networks contain VLAN tags, you can configure

VLAN-based Layer 2 protocol transparent transmission. In this way, Layer 2 protocol packets

from user networks are transmitted to destination user networks through different Layer 2 tunnels

on the backbone network to implement calculation of Layer 2 protocols.


Before configuring VLAN-based Layer 2 protocol transparent transmission, complete thefollowing tasks:





392



l Connecting interfaces correctly

l Enabling the interfaces to send BPDUs to the CPU by using the bpdu enable command

Data Preparation

To configure VLAN-based Layer 2 protocol transparent transmission, you need the following

data.

No. Data

1 Name of the user-defined protocol

2 Destination MAC address of Layer 2 protocol packets and multicast MAC address

that replaces the destination MAC address

3 Names of user-side interfaces on PEs and VLANs allowed by user-side interfaces

11.4.2 (Optional) Defining Characteristic Information About aLayer 2 Protocol

Context

When non-standard Layer 2 protocol packets with a certain multicast destination address need

to be transparently transmitted on the backbone network, you can define characteristic

information about the Layer 2 protocol.

Do as follows on PEs.

Procedure

Step 1 Run:

system-view


Step 2 Run:

l2protocol-tunnel user-defined-protocol protocol-name protocol-mac protocol-mac [ encape-type { { ethernetii | snap } protocol-type protocol-type | llc dsap dsap-














393




----End

11.4.3 Configuring the Transparent Transmission Mode of Layer 2Protocol Packets

Context


MAC address of Layer 2 protocol packets from user networks with a specified multicast MAC

address.

Procedure

lReplace the original multicast MAC address of Layer 2 protocol packets from user networkswith a specified multicast MAC address.

1. Run:

system-view


2. Run:

l2protocol-tunnel protocol-type group-mac group-mac



NOTE








----End

11.4.4 Enabling VLAN-based Layer 2 Protocol TransparentTransmission on an Interface

Context


transmitted.

Procedure






394




Step 2 Run:



Step 3 Run:

port hybrid tagged vlan { { vlan-id1 [ to vlan-id2 ] } &<1-10> | all }

The interface is added to the specified VLANs in tagged mode.

NOTE

The range of VLAN IDs specified in this step must include VLAN IDs of Layer 2 protocol packets from

user networks.

Step 4 Run:

l2protocol-tunnel { all | protocol-type | user-defined-protocol protocol-name }

{ vlan low-id [ to high-id ] } &<1-10>

VLAN-based Layer 2 protocol transparent transmission is enabled on the interface.

NOTE

l For details on how to add an interface to VLANs in tagged mode, see the VLAN configuration in the

S6700 Configuration Guide- Ethernet .

l Before specifying a user-defined protocol in the l2protocol-tunnel vlan command, run the l2protocol-





l The l2protocol-tunnel vlan and l2protocol-tunnel commands cannot specify the same protocol type


----End


Context

Configurations of Layer 2 protocol transparent transmission are complete.

Procedure

l Run the display l2protocol-tunnel group-mac { all | protocol-type | user-defined-protocol protocol-name } command to check information about transparent transmission


----End

11.5 Configuring QinQ-based Layer 2 Protocol TransparentTransmission


and Layer 2 protocol packets sent from user network contain VLAN tags, you can configureQinQ-based Layer 2 protocol transparent transmission so that Layer 2 protocol packets can be





395





Procedure

Step 1 Run:

system-view


Step 2 Run:

l2protocol-tunnel user-defined-protocol protocol-name protocol-mac protocol-mac

[ encape-type { { ethernetii | snap } protocol-type protocol-type | llc dsap dsap-











----End

11.5.3 Configuring the Transparent Transmission Mode of Layer 2

Protocol Packets

Context


MAC address of Layer 2 protocol packets from user networks with a specified multicast MAC

address.

Procedure



1. Run:

system-view


2. Run:

l2protocol-tunnel protocol-type group-mac group-mac







397



NOTE







----End

11.5.4 Enabling QinQ-based Layer 2 Transparent Transmission onan Interface

Context


transmitted.

Procedure

Step 1 Run:

system-view


Step 2 Run:



Step 3 Run:

port hybrid untagged vlan { { vlan-id1 [ to vlan-id2 ] } &<1-10> | all }

The interface is added to the specified VLANs in untagged mode.

Step 4 Run:



Step 5 Run:

port vlan-stacking vlan vlan-id1 [ to vlan-id2 ] stack-vlan vlan-id3

The interface is configured to add an outer VLAN tag to the Layer 2 protocol packets.

Step 6 Run:

l2protocol-tunnel { all | protocol-type | user-defined-protocol protocol-name }

{ vlan low-id [ to high-id ] } &<1-10>

VLAN-based Layer 2 protocol transparent transmission is enabled on the interface.





398



NOTE

l The outer VLAN tag (vlan-id3) specified in step 5 must be included in the VLAN range specified in

step 6.

l For details on how to add an interface to VLANs in untagged mode, see the VLAN configuration in

the S6700 Configuration Guide- Ethernet .

l Before specifying a user-defined protocol in the l2protocol-tunnel vlan command, run the l2protocol-





l The l2protocol-tunnel vlan and l2protocol-tunnel commands cannot specify the same protocol type


----End


Context

Configurations of Layer 2 protocol transparent transmission are complete.

Procedure

l Run the display l2protocol-tunnel group-mac { all | protocol-type | user-defined-

protocol protocol-name } command to check information about transparent transmission


----End

11.6 Maintaining Layer 2 Protocol TransparentTransmission

This section describes how to debug Layer 2 protocol transparent transmission.

11.6.1 Debugging Layer 2 Protocol Transparent Transmission

Context

CAUTION



When a fault occurs during Layer 2 protocol transparent transmission, run the following

debugging command in the user view to locate the fault.





399



Procedure

l Run the debugging l2protocol-tunnel [ msg | error | event ] command in the user view

to enable Layer 2 protocol transparent transmission.

----End

11.7 Configuration ExamplesThis section provides examples for configuring interface, VLAN, and QinQ based Layer 2

protocol transparent transmission.

11.7.1 Example for Configuring Interface-based Layer 2 ProtocolTransparent Transmission


As shown in Figure 11-6, CEs on user networks communicate with each other through PEs and

STP runs on user networks; therefore, STP packets sent from CEs must be transmitted through

the backbone network between PEs. Each PE interface is connected to only one CE and receives

STP packets from the CE. In this scenario, configure interface-based Layer 2 protocol transparent

transmission.

In this example, PEs on the backbone network transparently transmit STP packets sent from CEs

by replacing the original multicast destination MAC address of STP packets with a specified

MAC address. By default, the destination MAC address of STP packets is 0180-C200-0000.

Figure 11-6 Networking of interface-based Layer 2 protocol transparent transmission

CE4

CE1

CE3

CE2

XGE 0/0/1

PE1 PE2

XGE 0/0/2

XGE 0/0/1

XGE 0/0/2

VLAN100

XGE 0/0/1

XGE0/0/1

XGE 0/0/1

XGE 0/0/1

XGE 0/0/3

XGE0/0/3

VLAN100

VLAN200VLAN200





400





1. Configure STP on CEs.

2. Add user-side interfaces of PEs to the specified VLANs.

3. Configure interface-based Layer 2 protocol transparent transmission on PEs.

4. Configure network-side interfaces of PEs to allow packets of VLAN 100 and VLAN 200

to pass.

Data Preparation


l IDs of VLANs that user-side interfaces of PEs belong to

l IDs of VLANs allowed by network-side interfaces of PEs

Procedure

Step 1 Enable STP on CEs and PEs.

# Configure CE1.


[Quidway] sysname CE1

[CE1] vlan 100

[CE1-vlan100] quit

[CE1] stp enable

[CE1] interface xgigabitethernet 0/0/1

[CE1-XGigabitEthernet0/0/1] port hybrid pvid vlan 100

[CE1-XGigabitEthernet0/0/1] port hybrid untagged vlan 100[CE1-XGigabitEthernet0/0/1] bpdu enable

# Configure CE2.



[CE2] vlan 100

[CE2-vlan100] quit

[CE2] stp enable



[CE2-XGigabitEthernet0/0/1] port hybrid untagged vlan 100

[CE2-XGigabitEthernet0/0/1] bpdu enable

# Configure CE3.<Quidway> system-view


[CE3] vlan 200

[CE3-vlan200] quit

[CE3] stp enable





# Configure CE4.



[CE4] vlan 200[CE4-vlan200] quit





401



[CE4] stp enable





# Configure PE1.



[PE1]

# Configure PE2.



[PE2]

Step 2 On PE1 and PE2, add XGE 0/0/1 to VLAN 100, add XGE 0/0/2 to VLAN 200, and enable Layer

2 protocol transparent transmission.

# Configure PE1.

[PE1] vlan 100

[PE1-vlan100] quit

[PE1] interface XGigabitEthernet 0/0/1

[PE1-XGigabitEthernet0/0/1] port hybrid pvid vlan 100

[PE1-XGigabitEthernet0/0/1] port hybrid untagged vlan 100

[PE1-XGigabitEthernet0/0/1] l2protocol-tunnel stp enable

[PE1-XGigabitEthernet0/0/1] bpdu enable


[PE1] vlan 200

[PE1-vlan200] quit




[PE1-XGigabitEthernet0/0/2] l2protocol-tunnel stp enable[PE1-XGigabitEthernet0/0/2] bpdu enable


# Configure PE2.

[PE2] vlan 100

[PE2-vlan100] quit







[PE2] vlan 200

[PE2-vlan200] quit[PE2] interface XGigabitEthernet 0/0/2






Step 3 Configure PEs to replace the destination MAC address of STP packets received from CEs.

# Configure PE1.

[PE1] l2protocol-tunnel stp group-mac 0100-5e00-0011

# Configure PE2.






402



Step 4 On PE1 and PE2, configure network-side interface XGE 0/0/3 to allow packets of VLAN 100

and VLAN 200 to pass.

# Configure PE1.


[PE1-XGigabitEthernet0/0/3] port hybrid tagged vlan 100 200


# Configure PE2.





After the configuration, run the display l2protocol-tunnel group-mac command, and you can

view the protocol type or name, original destination MAC address, new destination MAC

address, and priority of Layer 2 protocol packets to be transparently transmitted.

Take the display on PE1 as an example.

<PE1> display l2protocol-tunnel group-mac stp

Protocol EncapeType ProtocolType Protocol-MAC Group-MAC Pri

-----------------------------------------------------------------------------

stp llc dsap 0x42 0180-c200-0000 0100-5e00-0011 0

ssap 0x42

Run the display stp command on CE1 and CE2 to view the root in the MST region. You can

find that a spanning tree is calculated between CE1 and CE2. XGE 0/0/1 of CE1 is a root port,

and CE 0/0/1 of CE2 is a designated port.

<CE1> display stp

-------[CIST Global Info] [Mode MSTP] -------

CIST Bridge :32768.00e0-fc9f-3257Bridge Times :Hello 2s MaxAge 20s FwDly 15s MaxHop 20

CIST Root/ERPC :32768.00e0-fc9a-4315 / 199999

CIST RegRoot/IRPC :32768.00e0-fc9f-3257 / 0

CIST RootPortId :128.82

BPDU-Protection :disabled

TC or TCN received :6

TC count per hello :6

STP Converge Mode :Normal

Time since last TC received :0 days 2h:24m:36s

----[Port1(XGigabitEthernet0/0/1)] [FORWARDING] ----

Port Protocol :enabled

Port Role :Root Port

Port Priority :128

Port Cost(Dot1T ) :Config=auto / Active=200000000

Desg. Bridge/Port :32768.00e0-fc9a-4315 / 128.82

Port Edged :Config=disabled / Active=disabled

Point-to-point :Config=auto / Active=true

Transit Limit :147 packets/hello-time

Protection Type :None

Port Stp Mode :MSTP

Port Protocol Type :Config=auto / Active= dot1s

BPDU Encapsulation :Config=stp / Active=stp

PortTimes :Hello 2s MaxAge 20s FwDly 15s RemHop 20

TC or TCN send :0


BPDU Sent :6

TCN: 0, Config: 0, RST: 0, MST: 6

BPDU Received :4351


<CE2> display stp

-------[CIST Global Info] [Mode MSTP] -------CIST Bridge :32768.00e0-fc9a-4315





403



Bridge Times :Hello 2s MaxAge 20s FwDly 15s MaxHop 20


CIST RegRoot/IRPC :32768.00e0-fc9a-4315 / 0




TC count per hello :3STP Converge Mode :Normal


----[Port1(XGigabitEthernet0/0/1)] [FORWARDING] ----


Port Role :Designated Port

Port Priority :128







Port Stp Mode :MSTP




TC or TCN send :0


BPDU Sent :4534


BPDU Received :6





<CE3> display stp

-------[CIST Global Info][ Mode MSTP]-------

CIST Bridge :32768.000b-0967-58a0Bridge Times :Hello 2s MaxAge 20s FwDly 15s MaxHop 20

CIST Root/ERPC :32768.000b-0952-f13e / 199999

CIST RegRoot/IRPC :32768.000b-0967-58a0 / 0







----[Port1(XGigabitEthernet0/0/1)][ FORWARDING]----



Port Priority :128


Desg. Bridge/Port :32768.000b-0952-f13e / 128.82





Port Stp Mode :MSTP




TC or TCN send :0


BPDU Sent :114


BPDU Received :885


<CE4> display stp

-------[CIST Global Info][Mode MSTP]-------CIST Bridge :32768.000b-0952-f13e





404




CIST Root/ERPC :32768.000b-0952-f13e / 0

CIST RegRoot/IRPC :32768.000b-0952-f13e / 0




TC count per hello :4STP Converge Mode :Normal


----[Port1(XGigabitEthernet0/0/1)][FORWARDING]----



Port Priority :128


Desg. Bridge/Port :32768.000b-0952-f13e / 128.82





Port Stp Mode :MSTP




TC or TCN send :0


BPDU Sent :1834


BPDU Received :1


----End

Configuration Files


#

sysname CE1

#

vlan batch 100

#




#

return


#

sysname CE2

#

vlan batch 100




#

return


#

sysname CE3

#

vlan batch 200

#



port hybrid untagged vlan 200#





405



return


#

sysname CE4

#

vlan batch 200#




#

return


#

sysname PE1

#

vlan batch 100 200

#

l2protocol-tunnel stp group-mac 0100-5e00-0011




l2protocol-tunnel stp enable

#





#



#

return

l Configuration file of PE2#

sysname PE2

#

vlan batch 100 200

#


#





#



port hybrid untagged vlan 200 l2protocol-tunnel stp enable

#



#

return

11.7.2 Example for Configuring VLAN-based Layer 2 ProtocolTransparent Transmission





406




As shown in Figure 11-7, CEs on user networks communicate with each other through PEs and

STP runs on user networks; therefore, STP packets sent from CEs must be transmitted through

the backbone network between PEs. Each PE interface is an aggregation interface. PEs identify

STP packets from different user networks according to VLAN tags of STP packets. In this

scenario, configure VLAN-based Layer 2 protocol transparent transmission to ensure that:

l All the devices in VLAN 100 participate in calculation of a spanning tree.


In this example, PEs transparently transmit STP packets sent from user networks by replacing

the original multicast destination MAC address of STP packets with a specified multicast MAC

address. By default, the destination MAC address of STP packets is 0180-C200-0000.

Figure 11-7 Networking of VLAN-based Layer 2 protocol transparent transmission

VLAN 100 VLAN 200

XGE0/0/1

CE1 CE2

XGE0/0/1

VLAN 100 VLAN 200

CE3 CE4

PE1 PE2

XGE0/0/1

XGE0/0/1

XGE0/0/1

XGE0/0/1

P

XGE0/0/1 XGE0/0/2XGE0/0/2 XGE0/0/2XGE0/0/3 XGE0/0/3



1. Enable STP on the CEs.

2. Configure CEs to send STP packets with specified VLAN tags to PEs.

3. Configure VLAN-based Layer 2 protocol transparent transmission on PEs.

4. Configure network-side interfaces of PEs to allow packets of VLAN 100 and VLAN 200

to pass.

5. Configure the Layer 2 forwarding function on the P device so that packets sent from PEs

can be transmitted on the backbone network.

Data Preparation


l VLAN tags in STP packets sent from CEs to PEs

l IDs of the VLANs that interfaces of PEs and CEs belong to





407



Procedure


# Configure CE1.

[CE1] stp enable

# Configure CE2.

[CE2] stp enable

# Configure CE3.

[CE3] stp enable

# Configure CE4.

[CE4] stp enable

Step 2 Configure CE1 and CE2 to send STP packets with VLAN tag 100 to PEs and configure CE3

and CE4 to send STP packets with VLAN tag 200 to PEs.

# Configure CE1.

[CE1] vlan 100

[CE1-vlan100] quit


[CE1-XGigabitEthernet0/0/1] port hybrid tagged vlan 100

[CE1-XGigabitEthernet0/0/1] stp bpdu vlan 100


# Configure CE2.

[CE2] vlan 100

[CE2-vlan100] quit

[CE2] interface xgigabitethernet 0/0/1[CE2-XGigabitEthernet0/0/1] port hybrid tagged vlan 100



# Configure CE3.

[CE3] vlan 200

[CE3-vlan200] quit





# Configure CE4.

[CE4] vlan 200[CE4-vlan200] quit





Step 3 Configure PE interfaces to transparently transmit STP packets of CEs to the P device.

# Configure PE1.

[PE1] vlan 100

[PE1-vlan100] quit

[PE1] vlan 200

[PE1-vlan200] quit

[PE1] interface xgigabitethernet 0/0/1[PE1-XGigabitEthernet0/0/1] port hybrid tagged vlan 100 200





408






[PE1-XGigabitEthernet0/0/2] l2protocol-tunnel stp vlan 100



[PE1] interface xgigabitethernet 0/0/3[PE1-XGigabitEthernet0/0/3] port hybrid tagged vlan 200




# Configure PE2.

[PE2] vlan 100

[PE2-vlan100] quit

[PE2] vlan 200

[PE2-vlan200] quit















# Configure PE1.


# Configure PE2.


Step 5 Configure the Layer 2 forwarding function on the P device and configure it to allow packets of

VLAN 100 and VLAN 200 to pass.

[P] vlan 100

[P-vlan100] quit

[P] vlan 200

[P-vlan200] quit

[P] interface xgigabitethernet 0/0/1

[P-XGigabitEthernet0/0/1] port hybrid tagged vlan 100 200

[P-XGigabitEthernet0/0/1] quit

[P] interface xgigabitethernet 0/0/2

[P-XGigabitEthernet0/0/2] port hybrid tagged vlan 100 200

[P-XGigabitEthernet0/0/2] quit


After the configuration, run the display l2protocol-tunnel group-mac command. You can view

the protocol type or name, original destination MAC address, new destination MAC address,

and priority of Layer 2 protocol packets to be transparently transmitted.

Take the ouput on PE1 as an example.



-----------------------------------------------------------------------------

stp llc dsap 0x42 0180-c200-0000 0100-5e00-0011 0ssap 0x42





409






<CE1> display stp

-------[CIST Global Info][ Mode MSTP]-------CIST Bridge :32768.000b-09f0-1b91


CIST Root/ERPC :32768.000b-09d4-b66c / 199999

CIST RegRoot/IRPC :32768.000b-09f0-1b91 / 0










Port Priority :128


Desg. Bridge/Port :32768.000b-09d4-b66c / 128.82 Port Edged :Config=disabled / Active=disabled




Port Stp Mode :MSTP




TC or TCN send :0


BPDU Sent :237


BPDU Received :9607


<CE2> display stp-------[CIST Global Info][Mode MSTP]-------

CIST Bridge :32768.000b-09d4-b66c



CIST RegRoot/IRPC :32768.000b-09d4-b66c / 0










Port Priority :128

Port Cost(Dot1T ) :Config=auto / Active=200000000 Desg. Bridge/Port :32768.000b-09d4-b66c / 128.82





Port Stp Mode :MSTP




TC or TCN send :0


BPDU Sent :7095


BPDU Received :2






410






<CE3> display stp

-------[CIST Global Info][ Mode MSTP]-------CIST Bridge :32768.00e0-fc9f-3257













Port Priority :128


Desg. Bridge/Port :32768.00e0-fc9a-4315 / 128.82 Port Edged :Config=disabled / Active=disabled




Port Stp Mode :MSTP




TC or TCN send :0


BPDU Sent :238


BPDU Received :9745


<CE4> display stp-------[CIST Global Info][ Mode MSTP]-------

CIST Bridge :32768.00e0-fc9a-4315













Port Priority :128

Port Cost(Dot1T ) :Config=auto / Active=200000000 Desg. Bridge/Port :32768.00e0-fc9a-4315 / 128.82





Port Stp Mode :MSTP




TC or TCN send :0


BPDU Sent :7171


BPDU Received :2





411




----End

Configuration Files


#

sysname CE1

#

vlan batch 100

#



stp bpdu vlan 100

#

return


#

sysname CE2#

vlan batch 100

#



stp bpdu vlan 100

#

return


#

sysname CE3

#

vlan batch 200



stp bpdu vlan 200

#

return


#

sysname CE4

#

vlan batch 200

#



stp bpdu vlan 200

#

Return


#

sysname PE1

#

vlan batch 100 200

#


#



#


port hybrid tagged vlan 100 l2protocol-tunnel stp vlan 100





412



#



l2protocol-tunnel stp vlan 200

#

return

l Configuration file of P

#

sysname P

#

vlan batch 100 200

#



#



#

return


#

sysname PE2

#

vlan batch 100 200

#


#



#




#


port hybrid tagged vlan 200 l2protocol-tunnel stp vlan 200

#

return

11.7.3 Example for Configuring QinQ-based Layer 2 ProtocolTransparent Transmission


As shown in Figure 11-8, CEs on user networks communicate with each other through PEs.

STP runs on user networks. CE1 and CE2 send STP packets with VLAN tag 100 to PEs; CE3and CE4 send STP packets with VLAN tag 200 to PEs. In this scenario, configure QinQ-based

Layer 2 protocol transparent transmission to ensure that:



To save VLAN IDs on the public network, configure VLAN stacking on PEs to add outer VLAN

tag 10 to STP packets with VLAN tag 100 and VLAN tag 200. Then STP packets contain double

tags and are transparently transmitted on the backbone network.

In this example, PEs transparently transmit STP packets sent from user networks by replacing

the original multicast destination MAC address of STP packets with a specified multicast MACaddress. By default, the destination MAC address of STP packets is 0180-C200-0000.





413



Figure 11-8 Networking of QinQ-based Layer 2 protocol transparent transmission

VLAN100 VLAN100

VLAN200VLAN200

CE1 CE2

CE3 CE4

PE1 PE2

XGE0/0/1

XGE0/0/1

XGE0/0/2

XGE0/0/3

XGE0/0/1

XGE0/0/1

XGE0/0/2

XGE0/0/3

XGE0/0/1

XGE0/0/1



1. Enable STP on the CEs.

2. Configure CEs to send STP packets with specified VLAN tags to PEs.

3. Configure VLAN-based Layer 2 protocol transparent transmission on PEs.

4. Configure QinQ (VLAN stacking) on PEs so that PEs add outer VLAN tag 10 to STP

packets sent from CEs.

Data Preparation


l VLAN tags in STP packets sent from CEs to PEs

l Outer VLAN tag that PEs add to STP packets

l IDs of the VLANs that interfaces of PEs and CEs belong to

Procedure


# Configure CE1.

[CE1] stp enable

# Configure CE2.

[CE2] stp enable

# Configure CE3.

[CE3] stp enable





414



# Configure CE4.

[CE4] stp enable

Step 2 Configure CE1 and CE2 to send STP packets with VLAN tag 100 to PEs and configure CE3

and CE4 to send STP packets with VLAN tag 200 to PEs.

# Configure CE1.

[CE1] vlan 100

[CE1-vlan100] quit





[CE1-XGigabitEthernet0/0/1] quit

# Configure CE2.

[CE2] vlan 100

[CE2-vlan100] quit

[CE2] interface xgigabitethernet 0/0/1[CE2-XGigabitEthernet0/0/1] port hybrid tagged vlan 100




# Configure CE3.

[CE3] vlan 200

[CE3-vlan200] quit






# Configure CE4.

[CE4] vlan 200

[CE4-vlan200] quit






Step 3 Configure QinQ-based transparent transmission on PEs so that PEs add outer VLAN tag 10 to

STP packets with VLAN tag 100 and VLAN tag 200.

# Configure PE1.

[PE1] vlan 10

[PE1-Vlan10] quit





[PE1-XGigabitEthernet0/0/2] qinq vlan-translation enable


[PE1-XGigabitEthernet0/0/2] port vlan-stacking vlan 100 stack-vlan 10







[PE1-XGigabitEthernet0/0/3] port vlan-stacking vlan 200 stack-vlan 10[PE1-XGigabitEthernet0/0/3] l2protocol-tunnel stp vlan 10





415





# Configure PE2.

[PE2] vlan 10

[PE2-Vlan10] quit[PE2] interface xgigabitethernet 0/0/1


















# Configure PE1.


# Configure PE2.



After the configuration, run the display l2protocol-tunnel group-mac command. You can view

the protocol type or name, original destination MAC address, new destination MAC address,

and priority of Layer 2 protocol packets to be transparently transmitted.

Take the output on PE1 as an example.



-----------------------------------------------------------------------------

stp llc dsap 0x42 0180-c200-0000 0100-5e00-0011 0

ssap 0x42




<CE1> display stp

-------[CIST Global Info][Mode MSTP]-------

CIST Bridge :32768.000b-09f0-1b91



CIST RegRoot/IRPC :32768.000b-09f0-1b91 / 0








Port Protocol :enabled Port Role :Root Port





416



Port Priority :128


Desg. Bridge/Port :32768.000b-09d4-b66c / 128.82




Protection Type :None Port Stp Mode :MSTP




TC or TCN send :0


BPDU Sent :237


BPDU Received :9607


<CE2> display stp


CIST Bridge :32768.000b-09d4-b66c



CIST RegRoot/IRPC :32768.000b-09d4-b66c / 0










Port Priority :128


Desg. Bridge/Port :32768.000b-09d4-b66c / 128.82



Transit Limit :147 packets/hello-time Protection Type :None

Port Stp Mode :MSTP




TC or TCN send :0


BPDU Sent :7095


BPDU Received :2





<CE3> display stp


CIST Bridge :32768.00e0-fc9f-3257











Port Protocol :enabled Port Role :Root Port





417



Port Priority :128






Protection Type :None Port Stp Mode :MSTP




TC or TCN send :0


BPDU Sent :238


BPDU Received :9745


<CE4> display stp


CIST Bridge :32768.00e0-fc9a-4315













Port Priority :128





Transit Limit :147 packets/hello-time Protection Type :None

Port Stp Mode :MSTP




TC or TCN send :0


BPDU Sent :7171


BPDU Received :2


Run the display vlan command on PEs to view the QinQ configuration.

Take the output on PE1 as an example.

<PE1> display vlan 10 verbose

* : Management-VLAN

---------------------

VLAN ID : 10

VLAN Type : Common

Description : VLAN 0010

Status : Enable

Broadcast : Enable

MAC Learning : Enable

Statistics : Disable

Property : Default

VLAN State : Up

----------------

Tagged Port: XGigabitEthernet0/0/1----------------





418



QinQ-stack Port: XGigabitEthernet0/0/2


----End

Configuration Filesl Configuration file of CE1

#

sysname CE1

#

vlan batch 100

#



stp bpdu vlan 100

#

return


# sysname CE2

#

vlan batch 100

#



stp bpdu vlan 100

#

return


#

sysname CE3

#

vlan batch 200#



stp bpdu vlan 200

#

return


#

sysname CE4

#

vlan batch 200

#



stp bpdu vlan 200

#

return


#

sysname PE1

#

vlan batch 10

#


#



#

interface XGigabitEthernet0/0/2 qinq vlan-translation enable





419






#



port hybrid untagged vlan 10 port vlan-stacking vlan 200 stack-vlan 10


#

return


#

sysname PE2

#

vlan batch 10

#


#



#






#






#

return





420





12.1 Loopback Detection OverviewThis section describes the concept of loopback detection.

When a loop occurs on a network, broadcast, multicast, and unknown unicast packets are

repeatedly transmitted on the network. This wastes network resources or even causes service

interruption on the entire network. To protect the network, certain actions should be taken on

the interface where the loop occurs, and the administrator need to check the network connection

and configuration to solve the problem soon. Therefore, a mechanism is required on a Layer 2

network to detect loops and notify the administrator.

Loopback detection is such a mechanism. It sends detection packets from an interface at intervals

and checks whether the packets are sent back to the interface. When this occurs, there is a

loopback on the interface. When detecting a loopback, the system sends a trap to the network

management system to notify the administrator. The system also blocks the interface, disables

MAC address learning on the interface, or shuts down the interface to minimize the impact onthe network.

12.2 Configuring Loopback Detection

This section describes how to configure the loopback detection function.


Before configuring loopback detection, familiarize yourself with the applicable environment,




Figure 12-1 and Figure 12-2 show the application of loopback detection.

A loopback occurs on an interface usually because optical fibers are connected incorrectly, the

optical modem fails, or the interface is damaged by high voltage. As shown in Figure 12-1, a

cable is incorrectly connected on the device connected to the Switch. As a result, packets sent

from an interface of the Switch are sent back to the interface. This may cause traffic forwarding

errors or MAC address flapping on the same interface.

Figure 12-1 Loopback detection application 1

Switch

TX RX


Configuration Guide - Ethernet 12 Loopback Detection Configuration



422



As shown in Figure 12-2, loops may occur on the network connected to an Switch interface.

When a loop occurs, packets sent from the interface are sent back to this interface.

Figure 12-2 Loopback detection application 2

Switch

You can configure loopback detection on the interface in the preceding scenarios. When a

loopback is detected on the interface, the Switch performs certain actions, for example, blocks

the interface. Only users connected to this interface are affected, and other users can still

communicate. When the Switch detects that the loopback has been removed, it recovers

communication on the interface.

NOTE

l Loopback detection cannot prevent loops on the entire network. It only detects loops on a single node.

l A large number of packets are sent during loopback detection, occupying CPU resources; therefore,

disable loopback detection if it is not required.


Before configuring loopback detection, complete the following task:


physical layer status of the interfaces is Up

Data Preparation

To configure loopback detection, you need the following data.

No. Data

1 Interface number

2 VLAN IDs in detection packets

3 (Optional) Action performed when a loopback is detected

4 (Optional) Interface recovery time after a loop is detected





423



No. Data

5 (Optional) Loopback detection interval for sending detection packets

12.2.2 Enabling Loopback Detection

An interface sends detection packets to detect loopbacks only after loopback detection is enabled

on the interface.

Context

You can enable loopback detection on all interfaces at one time in the system view or enable it

on a single interface in the interface view.

Procedurel Enabling loopback detection on all interfaces

1. Run:

system-view


2. Run:

loopback-detect enable

Loopback detection is enabled on all interfaces.

By default, loopback detection is disabled on an interface.

TIP

You can use this method to simplify configuration when most interfaces need to perform

loopback detection.

l Enabling loopback detection on a single interface

1. Run:

system-view


2. Run:


The interface view is displayed.3. Run:

loopback-detect enable

Loopback detection is enabled on the interface.

NOTE

Loopback detection cannot be configured on an Eth-Trunk or its member interfaces.

----End

12.2.3 Specifying VLAN IDs of Loopback Detection Packets

You can specify one or more VLAN IDs for loopback detection packets.





424



Context

By default, the system sends untagged detection packets after loopback detection is enabled on

interface. If the interface has been added to a VLAN in tagged mode, the untagged detection

packets are discarded on the link, and the interface cannot receive loopback packets. To solve

the problem, you can configure the VLAN ID for detection packets.

After VLAN IDs are specified, the interface sends an untagged detection packet and multiple

detection packets with the specified VLAN tags. Each interface can send detection packets with

a maximum of eight VLAN IDs.

Procedure

Step 1 Run:

system-view


Step 2 Run:



Step 3 Run:

loopback-detect packet vlan vlan-id

A VLAN ID is specified for loopback detection packets.

By default, detection packets do not have a VLAN ID. You can specify a maximum of eight

VLAN IDs for loopback detection packets.

NOTE

Before running the loopback-detect packet vlan vlan-id command, ensure that:

l The specified VLAN exists.

l The interface has been added to the specified VLAN in tagged mode.

----End

12.2.4 (Optional) Configuring an Action to Perform After aLoopback Is Detected

When a loopback is detected on an interface, the system sets the interface status to loopback and

sends a trap, blocks the interface, disables MAC address learning on the interface, or shuts downthe interface as configured.

Context

After loopback detection is enabled on an interface, the interface periodically sends detection

packets and checks whether loopback packets are received. You can configure the Switch to

take an action to minimize impact on the system and the entire network when a loopback is

detected.

Procedure

Step 1 Run:





425



system-view


Step 2 Run:



Step 3 Run:

loopback-detect action { block | nolearn | shutdown | trap }

The action that will be performed after a loopback is detected on the interface is configured.

The default action is block .

When a loopback is detected on an interface, the system performs any of the following actions:

l block : blocks the interface. After the interface is blocked, it is isolated from other interfacesand does not forward received data packets to other interfaces.

l nolearn: disables MAC address learning on the interface. When a loopback is detected on

the interface, the interface stops learning MAC addresses.

l shutdown: shuts down the interface.

l trap: only sends a trap.

----End

12.2.5 (Optional) Setting the Interface Recovery Time After a Loop

Is Removed

Context

Perform the following steps on the S6700 that needs to perform loopback detection.

Procedure

Step 1 Run:

system-view


Step 2 Run:



Step 3 Run:

loopback-detect recovery-time recovery-time

The interface recovery time after a loop is removed is set.

The default recovery time is three times the loopback detection interval.





426



NOTE

l It is recommended that the recovery time be at least three times the interval for sending loopback

detection packets. If the interval for sending loopback detection packets is very short, set the recovery

time to be at least 10 seconds longer than the interval.

l An interface cannot recover automatically after it is shut down. You must manually recover the interface by using the undo shutdown command.

----End

12.2.6 (Optional) Setting the Interval for Sending LoopbackDetection Packets on an Interface

Context

An interface sends loopback detection packets at intervals to check whether a loopback existsor whether the existing loopback has been removed.

Procedure

Step 1 Run:

system-view


Step 2 Run:

loopback-detect packet-interval packet-interval-time

The interval for sending loopback detection packets is set.

By default, the interval for sending loopback detection packets is 5s.

----End


Procedure

l Run the display loopback-detect command to check the loopback detection configuration

and status of loopback detection enabled interfaces.

----End


This section provides a loopback detection configuration example.

12.3.1 Example for Configuring Loopback Detection





427




As shown in Figure 12-3, if there is a loop on the network connected to XGE 0/0/1, broadcast

storms will occur on the Switch or even the entire network. To detect loops on the network

quickly, you can enable loopback detection on this interface.

Figure 12-3 Loopback detection network diagram

Switch

XGE0/0/1



1. Enable loopback detection on the interface.

2. Specify the VLAN ID of loopback detection packets.

3. Configure loopback detection parameters.



Documents

Configuration Guide - Ethernet(V100R006C00_01).pdf