S1720&S2700&S3700&S5700&S6700&S7700&S9700 Series Switches

Common Operation Guide

Issue 05

Date 2015-10-23

HUAWEI TECHNOLOGIES CO., LTD.


Copyright © Huawei Technologies Co., Ltd. 2015. All rights reserved.

No part of this document may be reproduced or transmitted in any form or by any means without prior written consent of Huawei Technologies Co., Ltd.

 

Trademarks and Permissions

 and other Huawei trademarks are trademarks of Huawei Technologies Co., Ltd.

All other trademarks and trade names mentioned in this document are the property of their respective holders.

 

Notice

The purchased products, services and features are stipulated by the contract made between Huawei and the customer. All or part of the products, services and features described in this document may not be within the purchase scope or the usage scope. Unless otherwise specified in the contract, all statements, information, and recommendations in this document are provided "AS IS" without warranties, guarantees or representations of any kind, either express or implied.

The information in this document is subject to change without notice. Every effort has been made in the preparation of this document to ensure accuracy of the contents, but all statements, information, and recommendations in this document do not constitute a warranty of any kind, express or implied.

 

Huawei Technologies Co., Ltd.

Address: Huawei Industrial Base, Bantian, Longgang, Shenzhen 518129, People's Republic of China

Website: http://e.huawei.com

Issue 05 (2015-10-23) Huawei Proprietary and Confidential. Copyright © Huawei Technologies Co., Ltd. i


About This Document

Intended Audience

This document is intended for:

• Data configuration engineers
• Commissioning engineers
• Network monitoring engineers
• System maintenance engineers

Symbol Conventions

The symbols that may be found in this document are defined as follows.

Symbol    Description

(symbol)  Indicates an imminently hazardous situation which, if not avoided, will result in death or serious injury.

(symbol)  Indicates a potentially hazardous situation which, if not avoided, could result in death or serious injury.

(symbol)  Indicates a potentially hazardous situation which, if not avoided, may result in minor or moderate injury.

(symbol)  Indicates a potentially hazardous situation which, if not avoided, could result in equipment damage, data loss, performance deterioration, or unanticipated results. NOTICE is used to address practices not related to personal injury.

NOTE      Calls attention to important information, best practices and tips. NOTE is used to address information not related to personal injury, equipment damage, and environment deterioration.

 

Command Conventions

The command conventions that may be found in this document are defined as follows.

Convention        Description

Boldface          The keywords of a command line are in boldface.

Italic            Command arguments are in italics.

[ ]               Items (keywords or arguments) in brackets [ ] are optional.

{ x | y | ... }   Optional items are grouped in braces and separated by vertical bars. One item is selected.

[ x | y | ... ]   Optional items are grouped in brackets and separated by vertical bars. One item is selected or no item is selected.

{ x | y | ... }*  Optional items are grouped in braces and separated by vertical bars. A minimum of one item or a maximum of all items can be selected.

[ x | y | ... ]*  Optional items are grouped in brackets and separated by vertical bars. Several items or no item can be selected.

&<1-n>            The parameter before the & sign can be repeated 1 to n times.

#                 A line starting with the # sign is a comment.

 

Interface Numbering Conventions

Interface numbers used in this manual are examples and may not exist on devices. In device configuration, use the existing interface numbers on devices.

Security Conventions

• Password setting

  – When configuring a password, the cipher text is recommended. To ensure device security, change the password periodically.

  – When you configure a password in plain text that starts and ends with %^%#, %#%#, %@%@ or @%@% (the password can be decrypted by the device), the password is displayed in the same manner as the configured one in the configuration file. Do not use this setting.

  – When you configure a password in cipher text, different features cannot use the same cipher-text password. For example, the cipher-text password set for the AAA feature cannot be used for other features.

• Encryption algorithm

  Currently, the device uses the following encryption algorithms: 3DES, AES, RSA, SHA1, SHA2, and MD5. 3DES, RSA and AES are reversible, while SHA1, SHA2, and MD5 are irreversible. The algorithms DES/3DES/RSA (RSA-1024 or lower)/MD5 (in digital signature scenarios and password encryption)/SHA1 (in digital signature scenarios) offer low security and may bring security risks. If the protocols allow, using more secure algorithms, such as AES/RSA (RSA-2048 or higher)/SHA2/HMAC-SHA2, is recommended. The algorithm used depends on the actual networking. An irreversible algorithm must be used for the administrator password; SHA2 is recommended.

• Personal data

  Some personal data may be obtained or used during operation or fault location of your purchased products, services, and features, so you have an obligation to make privacy policies and take measures according to the applicable law of the country to protect personal data.

• The terms mirrored port, port mirroring, traffic mirroring, and mirroring in this manual are mentioned only to describe the product's function of communication error or failure detection, and do not involve collection or processing of any personal information or communication data of users.
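The distinction the Security Conventions draw between reversible algorithms (3DES, AES, RSA) and irreversible ones (SHA2) is what makes an administrator password safe to store: a SHA2-derived record can be verified but not turned back into the password. The following is an added example in Python, not Huawei code and not the switch's own password-storage format; the PBKDF2-HMAC-SHA256 construction, the salt length, the iteration count, the `pbkdf2-sha256$salt$digest` record layout and the helper names are assumptions chosen for illustration. It also implements the guide's warning about plain-text passwords that start and end with one of the %^%#, %#%#, %@%@ or @%@% markers as a pre-commit check.

```python
"""Irreversible (SHA2-based) password storage and verification, plus a check
for the plain-text marker patterns the guide warns against.
Added illustration; not the device's own implementation."""
import hashlib
import hmac
import os
from typing import Optional

ITERATIONS = 100_000   # assumption: PBKDF2 work factor for this example
SALT_LEN = 16          # assumption: 128-bit random salt
SCHEME = "pbkdf2-sha256"

# Marker strings from the guide: a plain-text password that starts and ends
# with one of these is written to the configuration file as-is.
PLAINTEXT_MARKERS = ("%^%#", "%#%#", "%@%@", "@%@%")


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Derive an irreversible record 'pbkdf2-sha256$<hex salt>$<hex digest>'.
    SHA-256 is the SHA2 member used here; the salt makes two administrators
    with the same password produce different records."""
    if salt is None:
        salt = os.urandom(SALT_LEN)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"{SCHEME}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the digest with the stored salt and compare in constant time.
    Nothing in the record allows the original password to be recovered, which
    is the property the guide requires for the administrator password."""
    try:
        scheme, salt_hex, digest_hex = record.split("$")
        salt = bytes.fromhex(salt_hex)
    except ValueError:
        return False          # malformed record: never treat as a match
    if scheme != SCHEME:
        return False
    expected = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return hmac.compare_digest(expected.hex(), digest_hex)


def is_plaintext_marked(password: str) -> bool:
    """True when a plain-text password starts with one marker and ends with one
    (assumption: any combination of the four counts). Such a value would be
    displayed in the configuration file exactly as configured."""
    return any(password.startswith(m) for m in PLAINTEXT_MARKERS) and \
        any(password.endswith(m) for m in PLAINTEXT_MARKERS)


def store_admin_password(password: str) -> str:
    """Reject marker-wrapped plain text, otherwise return the irreversible record.
    Raises ValueError for the rejected case so callers cannot ignore it."""
    if is_plaintext_marked(password):
        raise ValueError("plain-text password wrapped in cipher-text markers is not allowed")
    return hash_password(password)


if __name__ == "__main__":
    # Constructed sample values for a stand-alone run.
    rec = store_admin_password("Admin@123")
    print(rec)
    print("verify correct:", verify_password("Admin@123", rec))
    print("verify wrong:  ", verify_password("Admin@124", rec))
```

The record never carries the password itself, so a configuration backup that includes it exposes only the salt and digest; a reversible scheme such as 3DES would let anyone holding the key recover every stored password.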

Declaration

This manual is only a reference for you to configure your devices. The contents in the manual, such as web pages, command line syntax, and command outputs, are based on the device conditions in the lab. The manual provides instructions for general scenarios, but does not cover all usage scenarios of all product models. The contents in the manual may be different from your actual device situations due to the differences in software versions, models, and configuration files. The manual will not list every possible difference. You should configure your devices according to actual situations.

The specifications provided in this manual are tested in a lab environment (for example, the tested device has been installed with a certain type of boards or only one protocol is run on the device). Results may differ from the listed specifications when you attempt to obtain the maximum values with multiple functions enabled on the device.

Change History

Updates between document issues are cumulative. Therefore, the latest document issue contains all updates made in previous issues.

Changes in Issue 05 (2015-10-23)

This version has the following updates:

Some contents are modified according to updates in the product.

Changes in Issue 04 (2015-07-31)

This version has the following updates:

Some contents are modified according to updates in the product.

Changes in Issue 03 (2015-02-12)

This version has the following updates:

The following information is modified:

• 2.9 Using Basic ACL Rules to Control User Login
• 2.10 Backing Up the Configuration File
• 2.11 Restoring the Configuration File
• 2.12 Logging In to a Device Through STelnet

Changes in Issue 02 (2015-01-15)

This version has the following updates:

The matching software version V200R007C10 is added to the document.

Changes in Issue 01 (2014-10-25)

Initial commercial release.


Contents

About This Document ... ii

1 Use the Quick Search Tool ... 1

2 Common System Operations ... 2
2.1 Handling Loss of the Password for Console Port Login ... 3
2.2 Handling Loss of the Password for Telnet Login ... 4
2.3 Handling Loss of the Password for Web Login ... 5
2.4 Handling BootROM Password Loss ... 5
2.5 Deleting the Device Configuration ... 6
2.6 Configuring a Local Telnet User ... 6
2.7 Setting a User Level ... 7
2.8 Setting Screen Display ... 7
2.9 Using Basic ACL Rules to Control User Login ... 7
2.10 Backing Up the Configuration File ... 8
2.11 Restoring the Configuration File ... 9
2.12 Logging In to a Device Through STelnet ... 11

3 Common Hardware Management Operations ... 13
3.1 Active/Standby Switchover ... 14
3.2 Setting Temperature Alarm Thresholds ... 14
3.3 Setting Temperature Thresholds for Adjusting the Fan Speed ... 14

4 Common Mirroring Operations ... 16
4.1 Configuring an Observing Port ... 17
4.2 Configuring Port Mirroring ... 17
4.3 Configuring Traffic Mirroring ... 18
4.4 Deleting the Mirroring Configuration ... 20

5 Common MAC Address Operations ... 21
5.1 Displaying All MAC Address Entries ... 22
5.2 Displaying MAC Address Entries Learned by an Interface ... 22
5.3 Displaying MAC Address Entries Learned in a VLAN ... 22
5.4 Displaying the System MAC Address ... 22
5.5 Displaying the MAC Address of an Interface ... 23
5.6 Displaying the MAC Address of a VLANIF Interface ... 23


5.7 Configuring a Static MAC Address ... 23
5.8 Configuring a Blackhole MAC Address ... 24
5.9 Displaying and Setting the Aging Time of MAC Addresses ... 24
5.10 Configuring Port Security ... 24

6 Common Ethernet Interface Operations ... 26
6.1 Configuring a Port Group ... 27
6.2 Configuring Port Isolation ... 27
6.3 Configuring the Working Mode of a Combo Interface ... 28
6.4 Configuring the Interface Rate ... 28
6.5 Configuring the Duplex Mode ... 29
6.6 Switching an Interface to Layer 3 Mode ... 29
6.7 One-Click Configuration Deletion on an Interface ... 30

7 Common Link Aggregation Operations ... 31
7.1 Adding Member Interfaces to an Eth-Trunk in a Batch ... 32
7.2 Deleting a Specified Member Interface from an Eth-Trunk ... 32
7.3 Deleting an Eth-Trunk ... 32
7.4 Displaying the Eth-Trunk Configuration ... 32
7.5 Displaying Information About Eth-Trunk Member Interfaces ... 34
7.6 Displaying the Numbers of Eth-Trunks and Member Interfaces Supported by the Device ... 34

8 Common VLAN Operations ... 35
8.1 Creating VLANs in a Batch ... 36
8.2 Adding Interfaces to a VLAN in a Batch ... 36
8.3 Restoring the Default VLAN Configuration of an Interface ... 37
8.4 Deleting a VLAN or VLANs in a Batch ... 37
8.5 Changing the Link Type of an Interface ... 37

9 Common QinQ Operations ... 40
9.1 Configuring Basic QinQ ... 41
9.2 Configuring Selective QinQ ... 41
9.3 Configuring the Device to Add Double Tags to Untagged Packets ... 42
9.4 Deleting the Selective QinQ Configuration ... 43

10 Common STP/RSTP Operations ... 44
10.1 Enabling STP/RSTP ... 45
10.2 Disabling STP/RSTP ... 45
10.3 Configuring Root Protection ... 45
10.4 Configuring an Edge Port ... 45
10.5 Changing the STP/RSTP Cost ... 45
10.6 Displaying the STP/RSTP Status ... 46
10.7 Displaying the Root Bridge ... 46

11 Common DHCP Operations ... 47
11.1 Configuring IP Addresses Not Dynamically Assigned ... 49


11.2 Modifying the Lease ... 49
11.3 Assigning Fixed IP Addresses to Clients ... 50
11.4 Withdrawing the Fixed IP Addresses Assigned to Clients ... 50
11.5 Checking IP Addresses Used ... 51
11.6 Clearing Conflicting Addresses ... 51
11.7 Increasing the Address Pool Range ... 52
11.8 Decreasing the Address Pool Range ... 53
11.9 Preventing a Device from Obtaining an IP Address from a Pseudo DHCP Server ... 54
11.10 Disabling the DHCP Service ... 54

12 Common ARP Operations ... 55
12.1 Checking ARP Entries ... 56
12.2 Updating ARP Entries ... 57
12.3 Setting the Aging Time of ARP Entries ... 58
12.4 Configuring Static ARP Entries ... 58
12.5 Configuring ARP Proxy ... 61
12.6 Shielding ARP Miss Alarms Based on Source IP Addresses ... 62
12.7 Configuring Dynamic ARP Detection ... 62
12.8 Configuring ARP Gateway Anti-Collision ... 63

13 Common ACL Operations ... 64
13.1 Deleting a Time Range ... 65
13.2 Deleting ACL and ACL6 ... 65
13.3 Configuring a Time-Based ACL Rule ... 65
13.4 Configuring a Packet Filtering Rule Based on the Source IP Address (Host Address) ... 66
13.5 Configuring a Packet Filtering Rule Based on the Source IP Address Segment ... 66
13.6 Configuring a Packet Filtering Rule Based on the IP Fragment Information and Source IP Address Segment ... 66
13.7 Configuring a Packet Filtering Rule for ICMP Protocol Packets Based on Source IP Address (Host Address) and Destination IP Address Segment ... 67
13.8 Configuring a Packet Filtering Rule for TCP Protocol Packets Based on TCP Destination Port Number, Source IP Address (Host Address), and Destination IP Address Segment ... 67
13.9 Configuring a Packet Filtering Rule for TCP Packets Based on the Source IP Address Segment and TCP Flags ... 68
13.10 Configuring Packet Filtering Rules Based on the Source MAC Address, Destination MAC Address, and Layer 2 Protocol Types ... 69
13.11 Configuring a Packet Filtering Rule Based on the Source MAC Address Segment and Inner VLAN IDs ... 69
13.12 Configuring Packet Filtering Rules Based on Layer 2 Headers, Offsets, Character String Masks, and User-Defined Character Strings ... 70

14 Common QoS Operations ... 73
14.1 Configuring Interface-based Rate Limiting on the S7700/S9700 ... 74
14.2 Configuring Interface-based Rate Limiting on the S2700/S5700/S6700 ... 74
14.3 Deleting the Interface-based Rate Limiting Configuration on the S7700/S9700 ... 75
14.4 Deleting the Interface-based Rate Limiting Configuration on the S2700/S5700/S6700 ... 75
14.5 Using a Traffic Policy to Limit the Rate of Packets ... 75
14.6 Using a Traffic Policy to Filter Packets ... 76


14.7 Configuring Traffic Statistics in a Traffic Policy ... 77

15 Common IPSG Operations ... 80
15.1 Configuring IPSG Based on a Static Binding Table ... 81
15.2 Configuring IPSG Based on DHCP Snooping Dynamic Binding Table ... 82
15.3 Deleting Static Binding Entries ... 83

16 Common AAA Operations ... 85
16.1 Configuring Authentication for Telnet Login Users (AAA Local Authentication) ... 86
16.2 Setting the User Level ... 86
16.3 Configuring the Global Default Domain ... 87

17 Common NAC Operations ... 88
17.1 Configuring MAC Address Bypass Authentication ... 89
17.2 Configuring the Guest VLAN Function ... 89
17.3 Configuring Layer 2 Transparent Transmission of 802.1x Authentication Packets ... 90

18 Common VRRP Operations ... 91
18.1 Enabling the Master to Respond to Ping Packets Sent to a Virtual IP Address ... 92
18.2 Configuring Association Between VRRP and the Interface Status ... 92
18.3 Configuring Association Between VRRP and BFD ... 92
18.4 Configuring Association Between VRRP and NQA ... 92
18.5 Configuring Association Between VRRP and Routing ... 93
18.6 Configuring the VRRP Version Number ... 93
18.7 Configuring a Preemption Mode ... 93
18.8 Configuring the Mode in Which the Master Sends VRRP Advertisement Packets in a Super-VLAN ... 93
18.9 Enabling MAC Address Triggered ARP Entry Update ... 94

19 Common SNMP Operations ... 95
19.1 Configuring Access Control ... 96
19.2 Setting the SNMP Version and Community Name ... 96
19.3 Configuring User Group and User Name ... 96
19.4 Configuring the Device to Send Traps ... 97
19.5 Deleting Community Name ... 98

20 Common OSPF Operations ... 99

S1720&S2700&S3700&S5700&S6700&S7700&S9700

Series Switches

Common Operation Guide Contents

Issue 05 (2015-10-23) Huawei Proprietary and Confidential

Copyright © Huawei Technologies Co., Ltd.

ix

Page 11: Series Switches Huawei s5700

8/17/2019 Series Switches Huawei s5700

http://slidepdf.com/reader/full/series-switches-huawei-s5700 11/111

1 Use the Quick Search Tool

Switch Hardware Query Tool

This tool allows you to quickly query hardware information of switches. You do not need to

register a Huawei account before using this tool.

Switch Hardware Query Tool

Command Query Tool

This tool shows details about commands used on switches. You do not need to register a

Huawei account before using this tool.

Command Query Tool

Alarm Query Tool

This tool shows details about alarms used on switches. You do not need to register a Huawei

account before using this tool.

Alarm Query Tool


2 Common System Operations

About This Chapter

This chapter describes common system login and file management operations, providing

instructions on how to handle password loss, configure a local user, and set screen display.

2.1 Handling Loss of the Password for Console Port Login

2.2 Handling Loss of the Password for Telnet Login

2.3 Handling Loss of the Password for Web Login

2.4 Handling BootROM Password Loss

2.5 Deleting the Device Configuration

2.6 Configuring a Local Telnet User 

2.7 Setting a User Level

2.8 Setting Screen Display

2.9 Using Basic ACL Rules to Control User Login

2.10 Backing Up the Configuration File

2.11 Restoring the Configuration File

2.12 Logging In to a Device Through STelnet


2.1 Handling Loss of the Password for Console Port Login

If you forget the password for logging in through the console port, use either of the following

two methods to set a new password.

Logging In to the Switch Through STelnet or Telnet to Set a New Password

NOTICE

Telnet may bring security risks. You are advised to log in to the switch through STelnet V2.

Ensure that you have an STelnet/Telnet account and administrator rights. The following uses

the command lines and outputs of logging in to the device using STelnet as an example. After logging in to the switch through STelnet, perform the following configuration.

# Take password authentication as an example. Set the password to Huawei@123.

<HUAWEI> system-view
[HUAWEI] user-interface console 0
[HUAWEI-ui-console0] authentication-mode password
[HUAWEI-ui-console0] set authentication password cipher Huawei@123
[HUAWEI-ui-console0] return
<HUAWEI> save

# Take AAA authentication as an example. Set the user name and password to admin123 and

Huawei@123 respectively.

<HUAWEI> system-view
[HUAWEI] user-interface console 0
[HUAWEI-ui-console0] authentication-mode aaa
[HUAWEI-ui-console0] quit
[HUAWEI] aaa
[HUAWEI-aaa] local-user admin123 password irreversible-cipher Huawei@123
[HUAWEI-aaa] local-user admin123 service-type terminal
[HUAWEI-aaa] return
<HUAWEI> save

Clearing the Lost Password Through the BootROM Menu

NOTE

If the switch has two MPUs, remove the standby MPU before performing the following operations.

After performing the following operations, install the standby MPU and run the save command to ensure that the configuration on the active and standby MPUs is consistent.

You can use the BootROM menu of the switch to clear the lost password for console port

login. After starting the switch, set a new password and save your configuration. Perform the

following steps.

1. Connect the terminal to the console port of the switch and restart the switch. When the

following message is displayed, press Ctrl+B immediately and enter the BootROM

 password to enter the BootROM menu.

Information displayed on modular switches:

Press Ctrl+B to enter boot menu ... 1

Password: //Enter the BootROM password.


Information displayed on fixed switches:

Press Ctrl+B or Ctrl+E to enter BootROM menu ... 2

password: //Enter the BootROM password.

NOTE

• Some models of fixed switches allow you to enter the BootROM menu by pressing Ctrl+E.

Perform operations as prompted on the screen.

• The default BootROM password of fixed switches is huawei in versions earlier than

V100R006C03 and [email protected] in V100R006C03 and later.

• The default BootROM password of modular switches is 9300 in V100R006 and earlier

versions, and [email protected] in versions after V100R006.

2. Select Clear password for console user on the BootROM menu to clear the password

for console port login.

3. Select Boot with default mode on the BootROM menu to start the switch as prompted.

NOTE

Do not select Reboot; otherwise, the password cannot be cleared.

4. After the switch is started, log in through the console port. Authentication is not required

when you log in. Set a password as prompted after login.

5. You can set an authentication mode and password for the console user interface

according to service requirements. The configuration is similar to that of Logging In to

the Switch Through STelnet or Telnet to Set a New Password, and is not provided

here.

2.2 Handling Loss of the Password for Telnet Login

If you forget the Telnet login password, log in to the switch through the console port and set a new password for Telnet login.

NOTE

The following uses the command lines of the S7700 in V200R006C00 as an example.

# Logging in to the device through the console port.

1. Connect the DB9 female connector of the console cable to the COM port on the PC, and

connect the RJ45 connector to the console port on the device.

2. Start the terminal emulation software on the PC. Create a connection, select the

connected port, and set the communication parameters.

– Baud rate: 9600

– Data bits: 8

– Stop bits: 1

– Parity: None

– Flow control: None

3. Click Connect. Enter or configure the login password as prompted to log in to the switch.

# Take password authentication for VTY0 login as an example. Set the password to

Huawei@123.

<HUAWEI> system-view
[HUAWEI] user-interface vty 0
[HUAWEI-ui-vty0] protocol inbound telnet  //By default, switches in V200R006 and earlier versions support Telnet, and switches in V200R007 and later versions support SSH.
[HUAWEI-ui-vty0] authentication-mode password
[HUAWEI-ui-vty0] set authentication password cipher Huawei@123
[HUAWEI-ui-vty0] user privilege level 15
[HUAWEI-ui-vty0] return
<HUAWEI> save

# Take AAA authentication for VTY0 login as an example. Set the user name and password to

admin123 and Huawei@123 respectively.

<HUAWEI> system-view
[HUAWEI] user-interface vty 0
[HUAWEI-ui-vty0] protocol inbound telnet  //By default, switches in V200R006 and earlier versions support Telnet, and switches in V200R007 and later versions support SSH.
[HUAWEI-ui-vty0] authentication-mode aaa
[HUAWEI-ui-vty0] quit
[HUAWEI] aaa
[HUAWEI-aaa] local-user admin123 password irreversible-cipher Huawei@123
[HUAWEI-aaa] local-user admin123 service-type telnet
[HUAWEI-aaa] local-user admin123 privilege level 15
[HUAWEI-aaa] return
<HUAWEI> save

2.3 Handling Loss of the Password for Web Login

If you forget the web login password, log in to the switch through the console port, Telnet, or 

STelnet, and set a new password for web login.

NOTICE

Telnet may bring security risks. You are advised to log in to the switch through the console

 port or STelnet.

# Set the user name and password to admin123 and Huawei@123 respectively.

<HUAWEI> system-view
[HUAWEI] aaa
[HUAWEI-aaa] local-user admin123 password irreversible-cipher Huawei@123
[HUAWEI-aaa] local-user admin123 service-type http
[HUAWEI-aaa] local-user admin123 privilege level 15
[HUAWEI-aaa] return
<HUAWEI> save

2.4 Handling BootROM Password Loss

If you forget the BootROM password, log in to the switch and run the reset boot password

command in the user view to restore the default BootROM password.

• The default BootROM password of fixed switches is huawei in versions earlier than

V100R006C03 and [email protected] in V100R006C03 and later.

• The default BootROM password of modular switches is 9300 in V100R006 and earlier

versions, and [email protected] in versions after V100R006.


2.5 Deleting the Device Configuration

To clear the current configuration and restore factory settings of a device, run the reset saved-

configuration command to clear the configuration file for the next startup and then restart the

device. If you are prompted to save the configuration, select N indicating that the device will

not save the current configuration.

NOTICE

Exercise caution and follow the instructions of the technical support personnel when you run

this command.

<HUAWEI> reset saved-configuration
Warning: The action will delete the saved configuration in the device.
The configuration will be erased to reconfigure. Continue? [Y/N]:y
Warning: Now clearing the configuration in the device.
Info: Succeeded in clearing the configuration in the device.
<HUAWEI> reboot
Info: The system is now comparing the configuration, please wait.
Warning: The configuration has been modified, and it will be saved to the next startup saved-configuration file flash:/vrpcfg.zip. Continue? [Y/N]:n  //Select "N" here.
Info: If want to reboot with saving diagnostic information, input 'N' and then execute 'reboot save diagnostic-information'.
System will reboot! Continue?[Y/N]:y

The command output on your device may differ from that shown in this example.

2.6 Configuring a Local Telnet User

# Take AAA authentication as an example. Set the user name and password to admin123 and

Huawei@123 respectively.

Ensure that the Telnet function has been enabled before performing this operation.

NOTE

The following uses the command lines of the S7700 in V200R006C00 as an example.

<HUAWEI> system-view
[HUAWEI] user-interface vty 0
[HUAWEI-ui-vty0] protocol inbound telnet  //By default, switches in V200R006 and earlier versions support Telnet, and switches in V200R007 and later versions support SSH.
[HUAWEI-ui-vty0] authentication-mode aaa
[HUAWEI-ui-vty0] quit
[HUAWEI] aaa
[HUAWEI-aaa] local-user admin123 password irreversible-cipher Huawei@123
[HUAWEI-aaa] local-user admin123 service-type telnet
[HUAWEI-aaa] local-user admin123 privilege level 15
[HUAWEI-aaa] return
<HUAWEI> save


2.7 Setting a User Level

When password authentication or none authentication is used, use the following method to set

a user level. Take the VTY user interface as an example.

<HUAWEI> system-view
[HUAWEI] user-interface vty 0
[HUAWEI-ui-vty0] user privilege level 15  //Set the user level to 15 for the VTY 0 user interface.

When AAA authentication is used, use the following methods (in descending order of 

 priorities) to set a user level. Take the VTY user interface as an example.

• Set a user level for a single user.

<HUAWEI> system-view
[HUAWEI] aaa
[HUAWEI-aaa] local-user user1 privilege level 15  //Set the user level of user1 to 15.

• Set a user level for all users in a domain.

<HUAWEI> system-view
[HUAWEI] aaa
[HUAWEI-aaa] service-scheme sch1
[HUAWEI-aaa-service-sch1] admin-user privilege level 15  //Set the user level to 15.
[HUAWEI-aaa-service-sch1] quit
[HUAWEI-aaa] domain domain1
[HUAWEI-aaa-domain-domain1] service-scheme sch1  //Bind the service scheme sch1 to domain1.

• Set a user level for all users that log in through a specified user interface.

<HUAWEI> system-view
[HUAWEI] user-interface maximum-vty 15  //Set the maximum number of VTY user interfaces to 15.
[HUAWEI] user-interface vty 0 14  //Enter the VTY user interfaces VTY 0 to VTY 14.
[HUAWEI-ui-vty0-14] user privilege level 15  //Set the user level to 15 for the VTY user interfaces VTY 0 to VTY 14.

2.8 Setting Screen Display

Run the screen-length  screen-length [ temporary ] command in the user view or user 

interface view to set the number of rows to be displayed on a screen. The parameter 

temporary is mandatory when you run this command in the user view and specifies the

number of rows to be temporarily displayed on a terminal screen. The default number of rows

is 24.

In V200R005 and earlier versions, run the screen-width  screen-length command in any view

to set the number of columns to be displayed on the screen. The default number of columns is

80. Each character is a column. In versions after V200R005, the number of columns displayed

on a terminal screen cannot be set using this command. The device automatically adjusts the

number of columns displayed on a terminal screen.

2.9 Using Basic ACL Rules to Control User Login

After logging in to a device using Telnet or STelnet, you can configure ACL rules so that only

users with the specified IP addresses or on the specified network segments can log in to the device.


# Start the FTP server program.

Start the FTP server program on the PC. Specify the FTP working directory where the

configuration file is to be saved, and the IP address, port number, user name, and

 password of the FTP server.

# Save the current configuration on the device.

<HUAWEI> save

# Log in to the FTP server.

<HUAWEI> ftp 10.110.24.254
Trying 10.110.24.254 ...
Press CTRL+K to abort
Connected to 10.110.24.254.
220 WFTPD 2.0 service (by Texas Imperial Software) ready for new user  //WFTPD is the local FTP server program.
User(10.135.86.164:(none)):admin123  //Enter the user name.
331 Give me your password, please
Enter password:  //Enter the password.
230 Logged in successfully
[ftp]

# Back up the configuration file of the device to the PC.

[ftp] put config.cfg
200 Port command successful.
150 Opening data connection for config.cfg.
226 File received ok
FTP: 1257 byte(s) sent in 0.03 second(s) 40.55Kbyte(s)/sec.

NOTE

• After the configuration file is transferred to the PC, check whether the size of the configuration file on the PC is the same as that on the device. If not, an exception may have occurred during file backup. Back up the configuration file again.

• To transfer the configuration file in a simpler way, configure the PC as the TFTP server and the device as the TFTP client. The configuration procedure is similar to the procedure when the PC serves as an FTP server and the device serves as an FTP client, except that a user name and password are not required for configuring the TFTP server. You only need to run the tftp 10.110.24.254 put config.cfg command on the device.

• TFTP has no authentication or authorization mechanism, whereas FTP has authentication and authorization mechanisms. TFTP and FTP both transfer data in plaintext, which brings security risks, so they are suitable only for networks with adequate security. If you have a high requirement for network security, SFTP V2, SCP, or FTPS is recommended.
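The size check in the NOTE above (and the same check after a restore in 2.11) can be automated from the summary line the FTP client prints at the end of a transfer. The following is an added example and not code from this guide or from Huawei: it parses the "FTP: 1257 byte(s) sent ..." line shown above (and the "ftp: 1257 bytes sent ..." form printed by the Windows client in 2.11), compares the byte count with the size of the copy on the PC, and records a SHA-256 digest so the backup can be re-verified later. The sample file and its content are constructed here; the temporary path is an assumption.

```python
"""Verify a configuration backup against the FTP client's transfer summary.

Added example; this is not code from the Huawei guide. After `put config.cfg`
the switch's FTP client prints a summary such as
"FTP: 1257 byte(s) sent in 0.03 second(s) 40.55Kbyte(s)/sec." and the Windows
client used in 2.11 prints "ftp: 1257 bytes sent in 0.03 Seconds 40.55Kbytes/sec.".
The byte count in that line is compared with the size of the file that landed
on the other side, which is the size check the NOTE asks for.
"""
import hashlib
import re
import tempfile
from pathlib import Path

# Accepts both spellings seen in the guide: "byte(s) sent" (switch client)
# and "bytes sent" (Windows client); "received" covers a `get`.
_SUMMARY_RE = re.compile(
    r"^ftp:\s+(?P<count>\d+)\s+bytes?(?:\(s\))?\s+(?P<dir>sent|received)\b",
    re.IGNORECASE,
)


def parse_transfer_summary(line: str) -> tuple[int, str]:
    """Return (byte_count, 'sent'|'received') from a client summary line.

    Raises ValueError for anything else, so an aborted transfer that never
    printed a summary cannot be mistaken for a verified one.
    """
    m = _SUMMARY_RE.match(line.strip())
    if m is None:
        raise ValueError(f"not an FTP transfer summary: {line!r}")
    return int(m.group("count")), m.group("dir").lower()


def verify_transfer(summary_line: str, local_path: Path,
                    expected_direction: str = "sent") -> dict:
    """Compare the reported byte count with the file actually on disk.

    `ok` is True only when the direction matches what the operator expects
    (a backup is a `put`, so 'sent'; a restore `get` is 'received') and the
    sizes agree. The SHA-256 digest is returned so the copy can be re-checked
    later without the transfer log.
    """
    reported, direction = parse_transfer_summary(summary_line)
    data = local_path.read_bytes()
    return {
        "reported_bytes": reported,
        "actual_bytes": len(data),
        "direction": direction,
        "sha256": hashlib.sha256(data).hexdigest(),
        "ok": direction == expected_direction and reported == len(data),
    }


def demo(truncate: bool = False) -> dict:
    """Run the check on a constructed 1257-byte file (the size in the guide).

    With truncate=True the local copy is 100 bytes short, simulating an
    interrupted transfer; the report then has ok == False.
    """
    size = 1257 - 100 if truncate else 1257
    tmp = Path(tempfile.mkdtemp()) / "config.cfg"   # assumed scratch location
    tmp.write_bytes(b"#\n sysname HUAWEI\n#\n".ljust(size, b" "))  # constructed content
    return verify_transfer(
        "FTP: 1257 byte(s) sent in 0.03 second(s) 40.55Kbyte(s)/sec.", tmp)
```

A report with ok set to False means the transfer should be repeated, exactly as the NOTE says; keeping the digest alongside the file lets a later restore be checked against the copy that was verified at backup time rather than against the transfer log.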

2.11 Restoring the Configuration File

When misconfigurations cause exceptions on a device, transfer the backup configuration file

to the device and specify the downloaded configuration file for the next startup. Assume that

the IP address of the PC that saves the configuration file is 10.110.24.254/24 and the device's

IP address is 10.136.23.5/24.

1. Transfer the backup configuration file to the device using FTP.

– When the device serves as an FTP server and the PC serves as an FTP client:

# Configure the FTP function for the device and information about an FTP user.

<HUAWEI> system-view
[HUAWEI] ftp server enable
[HUAWEI] aaa
[HUAWEI-aaa] local-user admin1234 password irreversible-cipher Helloworld@6789
[HUAWEI-aaa] local-user admin1234 privilege level 15
[HUAWEI-aaa] local-user admin1234 service-type ftp
[HUAWEI-aaa] local-user admin1234 ftp-directory cfcard:/
[HUAWEI-aaa] quit
[HUAWEI] quit

# Connect the PC to the device using FTP. Enter the user name admin1234 and

 password Helloworld@6789 and set the file transfer mode to binary.

The following example assumes that the PC runs the Windows XP operating

system.

C:\Documents and Settings\Administrator> ftp 10.136.23.5
Connected to 10.136.23.5.
220 FTP service ready.
User (10.136.23.5:(none)): admin1234
331 Password required for admin1234.
Password:
230 User logged in.
ftp> binary
200 Type set to I.
ftp>

# Upload the backup configuration file to the device.

ftp> put vrpcfg.zip
200 Port command okay.
150 Opening BINARY mode data connection for vrpcfg.zip.
226 Transfer complete.
ftp: 1257 bytes sent in 0.03 Seconds 40.55Kbytes/sec.

– When the PC serves as an FTP server and the device serves as an FTP client:

# Start the FTP server program.

Start the FTP server program on the PC. Specify the FTP working directory where

the configuration file is saved, and the IP address, port number, user name, and

 password of the FTP server.

# Log in to the FTP server.

<HUAWEI> ftp 10.110.24.254
Trying 10.110.24.254 ...
Press CTRL+K to abort
Connected to 10.110.24.254.
220 WFTPD 2.0 service (by Texas Imperial Software) ready for new user  //WFTPD is the local FTP server program.
User(10.135.86.164:(none)):admin123  //Enter the user name.
331 Give me your password, please
Enter password:  //Enter the password.
230 Logged in successfully
[ftp]

# Download the backup configuration file to the device.

[ftp] get config.cfg
Warning: The file config.cfg already exists. Overwrite it? [Y/N]:Y  //Overwrite the current configuration file on the device. To keep the current configuration file, enter N to stop the transfer, rename the configuration file on the FTP server so that it differs from the name on the device, and then download the configuration file from the FTP server.
200 Port command successful.
150 Opening data connection for config.cfg.
226 File sent ok
FTP: 1257 byte(s) received in 0.03 second(s) 40.55byte(s)/sec.
[ftp] bye


NOTE

• After the configuration file is transferred to the device, check whether the size of the configuration file on the PC is the same as that on the device. If not, an exception may have occurred during file transfer. Transfer the file again.

• To transfer the configuration file in a simpler way, configure the PC as the TFTP server and the device as the TFTP client. The configuration procedure is similar to the procedure when the PC serves as an FTP server and the device serves as an FTP client. The only difference is that a user name and password are not required for configuring the TFTP server. You only need to run the tftp 10.110.24.254 get config.cfg command on the device.

• TFTP has no authentication or authorization mechanism, whereas FTP has authentication and authorization mechanisms. TFTP and FTP both transfer data in plaintext, which brings security risks, so they are suitable only for networks with adequate security. If you have a high requirement for network security, SFTP V2, SCP, or FTPS is recommended.

2. Specify the backup configuration file for the next startup.

<HUAWEI> startup saved-configuration config.cfg
<HUAWEI> display startup
MainBoard:
  Configured startup system software: cfcard:/device_software.cc
  Startup system software: cfcard:/device_software.cc
  Next startup system software: cfcard:/device_software.cc
  Startup saved-configuration file: cfcard:/config_old.cfg  //Current configuration file name.
  Next startup saved-configuration file: cfcard:/config.cfg  //Name of the configuration file for the next startup.
  Startup paf file: default
  Next startup paf file: default
  Startup license file: default
  Next startup license file: default
  Startup patch package: NULL
  Next startup patch package: NULL
<HUAWEI> reboot  //Restart the device.
Info: The system is now comparing the configuration, please wait.
Warning: The configuration has been modified, and it will be saved to the next startup saved-configuration file cfcard:/config.cfg. Continue? [Y/N]: N  //Enter N to prevent the device configuration from being saved in the backup configuration file.
Now saving the current configuration to the slot 13.
Save the configuration successfully.
Info: If want to reboot with saving diagnostic information, input 'N' and then execute 'reboot save diagnostic-information'.
System will reboot! Continue?[Y/N]:Y  //Enter Y to restart the device.
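Before answering Y to the reboot prompt, the display startup output is the only evidence that the device will come up on the file just uploaded. The following is an added example, not code from this guide or from Huawei: it parses the display startup output shown in step 2 (copied below without the inline comments) and refuses the reboot unless the next-startup configuration file is the uploaded one and the next-startup system software is the image already running, so a restore cannot silently turn into an image change. Field names are taken from that output; the file names are the guide's own examples.

```python
"""Pre-reboot check after `startup saved-configuration config.cfg`.

Added example, not from the guide. Parses the `display startup` output
shown in 2.11 and confirms that the *next* startup configuration file is
the one just uploaded while the next-startup system software is unchanged.
"""
import re

# The guide's sample output, with the "//" comments removed (constructed copy).
SAMPLE_DISPLAY_STARTUP = """\
MainBoard:
  Configured startup system software: cfcard:/device_software.cc
  Startup system software: cfcard:/device_software.cc
  Next startup system software: cfcard:/device_software.cc
  Startup saved-configuration file: cfcard:/config_old.cfg
  Next startup saved-configuration file: cfcard:/config.cfg
  Startup paf file: default
  Next startup paf file: default
  Startup license file: default
  Next startup license file: default
  Startup patch package: NULL
  Next startup patch package: NULL
"""


def parse_display_startup(text: str) -> dict[str, dict[str, str]]:
    """Return {board: {field: value}} for each 'Board:' block in the output.

    An unindented line ending in ':' (e.g. 'MainBoard:') starts a block;
    indented 'key: value' lines belong to the current block. Values contain
    ':' themselves ('cfcard:/config.cfg'), so the split is on the first ': '.
    """
    boards: dict[str, dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if not raw.startswith(" ") and raw.rstrip().endswith(":"):
            current = raw.strip()[:-1]
            boards[current] = {}
            continue
        if current is None:
            raise ValueError(f"field before any board header: {raw!r}")
        key, sep, value = raw.strip().partition(": ")
        if not sep:
            raise ValueError(f"unparseable line: {raw!r}")
        boards[current][key] = value.strip()
    return boards


def basename(path: str) -> str:
    """'cfcard:/config.cfg' -> 'config.cfg'; also handles flash:/ and subdirectories."""
    return re.split(r"[:/]", path)[-1]


def preflight_reboot(text: str, expected_cfg: str) -> list[str]:
    """Return a list of problems; an empty list means the reboot is safe to confirm.

    Per board: the next-startup configuration file must match the uploaded
    file name, and the next-startup system software must equal the software
    the board started with (a restore should not double as an upgrade).
    """
    problems: list[str] = []
    boards = parse_display_startup(text)
    if not boards:
        return ["no board blocks found in display startup output"]
    for board, fields in boards.items():
        nxt_cfg = fields.get("Next startup saved-configuration file", "")
        if basename(nxt_cfg) != expected_cfg:
            problems.append(
                f"{board}: next startup config is {nxt_cfg!r}, expected {expected_cfg!r}")
        running = fields.get("Startup system software")
        nxt_sw = fields.get("Next startup system software")
        if running is None or nxt_sw is None:
            problems.append(f"{board}: startup system software fields missing")
        elif running != nxt_sw:
            problems.append(
                f"{board}: next startup software {nxt_sw!r} differs from running {running!r}")
    return problems
```

On a device with more than one board (an active and a standby MPU, or a stack), each block is checked separately, so a standby whose next-startup file was not updated is reported rather than hidden behind a clean MainBoard result.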

2.12 Logging In to a Device Through STelnet

AAA authentication is used as an example. Set the user name to admin123 and password to

Huawei@123.

# Generate a local key pair on the server.

<HUAWEI> system-view
[HUAWEI] dsa local-key-pair create
Info: The key name will be: HUAWEI_Host_DSA.
Info: The key modulus can be any one of the following : 512, 1024, 2048.
Info: If the key modulus is greater than 512, it may take a few minutes.
Please input the modulus [default=2048]:
Info: Generating keys...
Info: Succeeded in creating the DSA host keys.

# Configure VTY user interfaces on the device.


[HUAWEI] user-interface vty 0 4
[HUAWEI-ui-vty0-4] authentication-mode aaa
[HUAWEI-ui-vty0-4] protocol inbound ssh
[HUAWEI-ui-vty0-4] quit

NOTICE

If the protocol supported by VTY user interfaces 0 to 4 is changed from Telnet to SSH, users

cannot log in to the device using Telnet after logout. In this case, configure VTY user 

interfaces 0 to 4 to support all protocols first. Configure STelnet and then run the protocol

inbound ssh command to configure VTY user interfaces 0 to 4 to support SSH.

# Create an SSH user named admin123 and configure the password authentication mode

for the user.

[HUAWEI] aaa
[HUAWEI-aaa] local-user admin123 password irreversible-cipher Huawei@123
[HUAWEI-aaa] local-user admin123 service-type ssh
[HUAWEI-aaa] local-user admin123 privilege level 15
[HUAWEI-aaa] quit
[HUAWEI] ssh user admin123 authentication-type password

# Enable the STelnet service.

[HUAWEI] stelnet server enable

# Configure the STelnet service type for the user admin123.

[HUAWEI] ssh user admin123 service-type stelnet

# Log in to the device using third-party software (such as PuTTY). Enter the device IP

address, select SSH, and enter the user name and password to log in to the device through STelnet.

To verify the STelnet login, run the ssh client first-time enable and stelnet 127.0.0.1

commands in system view to log in to the device. If the login page is displayed, the

configuration succeeds. If the login page is not displayed, the configuration fails.
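The ssh client first-time enable command used in the check above makes the switch's own SSH client accept whatever host key it sees on the first connection. For the client on the management PC, the safer habit is to record the host key the switch generated with dsa local-key-pair create out of band (over the console) and compare its fingerprint on every later connection, and to accept the default modulus of 2048 at the prompt rather than 512. The following is an added example, not code from this guide or from Huawei: it computes the OpenSSH-style SHA256 fingerprint of a public-key blob and checks it against a pinned value. The key bytes are constructed (a made-up ed25519 key, chosen because its blob layout is short), and the host address 10.136.23.5 is the device address used in 2.11; a DSA host key is checked the same way from its own blob.

```python
"""Pin the switch's SSH host key rather than trusting the first connection.

Added example, not from the guide. Computes the OpenSSH "SHA256:<base64>"
fingerprint of a public-key blob and compares it with a value recorded
out of band. The sample key below is CONSTRUCTED, not a real device key.
"""
import base64
import hashlib
import hmac
import struct


def ssh_string(data: bytes) -> bytes:
    """SSH wire 'string': 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def ed25519_blob(raw_key: bytes) -> bytes:
    """Public-key blob for ssh-ed25519: string(key type) + string(32 key bytes)."""
    if len(raw_key) != 32:
        raise ValueError("ed25519 public keys are exactly 32 bytes")
    return ssh_string(b"ssh-ed25519") + ssh_string(raw_key)


def fingerprint_sha256(blob: bytes) -> str:
    """OpenSSH fingerprint: 'SHA256:' + base64(SHA-256(blob)) without '=' padding."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode("ascii").rstrip("=")


def parse_known_hosts_line(line: str) -> tuple[str, str, bytes]:
    """Split 'host keytype base64blob' (the known_hosts layout) and decode the blob."""
    parts = line.split()
    if len(parts) < 3:
        raise ValueError(f"malformed known_hosts line: {line!r}")
    host, keytype, b64 = parts[:3]
    return host, keytype, base64.b64decode(b64, validate=True)


def host_key_matches(known_hosts_line: str, pinned: str) -> bool:
    """True only when the key in the line has exactly the pinned fingerprint.

    hmac.compare_digest keeps the comparison constant-time; a mismatch means
    the key the client was offered is not the one recorded over the console.
    """
    _, _, blob = parse_known_hosts_line(known_hosts_line)
    return hmac.compare_digest(fingerprint_sha256(blob), pinned)


# Constructed sample: 32 arbitrary key bytes and the line a client would store
# for them. PINNED stands in for the fingerprint written down at the console.
SAMPLE_RAW_KEY = bytes(range(32))
SAMPLE_LINE = "10.136.23.5 ssh-ed25519 " + base64.b64encode(
    ed25519_blob(SAMPLE_RAW_KEY)).decode("ascii")
PINNED = fingerprint_sha256(ed25519_blob(SAMPLE_RAW_KEY))
# A key that differs in a single byte must be rejected.
TAMPERED_LINE = "10.136.23.5 ssh-ed25519 " + base64.b64encode(
    ed25519_blob(bytes([1]) + bytes(range(1, 32)))).decode("ascii")
```

The pinned fingerprint belongs in the connection procedure next to the device address, so that a changed host key after a password reset or an RMA is noticed and explained rather than clicked through.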


3 Common Hardware Management Operations

About This Chapter

This chapter describes common hardware management operations.

3.1 Active/Standby Switchover 

3.2 Setting Temperature Alarm Thresholds

3.3 Setting Temperature Thresholds for Adjusting the Fan Speed


3.1 Active/Standby Switchover

In a stack containing multiple fixed switches, you can manually switch the master and

standby switches during software upgrade or system maintenance. After the active/standby

switchover is complete, the original master switch joins the stack after restarting, and the

original standby switch becomes the new master switch.

During software upgrade or system maintenance, you can manually perform an active/standby

switchover on MPUs. After the active/standby switchover is performed, the running active

MPU restarts. The standby MPU becomes the new active MPU.

# To perform an active/standby switchover in the system, run the following commands.

<HUAWEI> system-view
[HUAWEI] slave switchover enable
[HUAWEI] slave switchover
Warning: This operation will switch the slave board to the master board. Continue? [Y/N]:y

3.2 Setting Temperature Alarm Thresholds

The ambient temperature and device running time affect the device temperature. A higher 

ambient temperature and a longer device running time indicate a higher temperature of the

device. When the device temperature exceeds the specified range, the device service life and

 performance are reduced. To prevent the device from overheating, set temperature alarm

thresholds for the device. When the device temperature exceeds the specified range, the

device sends an alarm to the NMS to alert the administrator, who can then take measures to

lower the temperature.

NOTE

Only fixed switches support the configuration of temperature alarm thresholds.

# To set the lower temperature alarm threshold to 20°C and upper temperature alarm threshold

to 45°C on a device with slot ID 0, run the following commands:

<HUAWEI> system-view
[HUAWEI] temperature threshold slot 0 lower-limit 20 upper-limit 45

3.3 Setting Temperature Thresholds for Adjusting the Fan Speed

By default, the device uses fixed temperature thresholds to increase and decrease the fan

speed. The fan speed increases when the device temperature exceeds the upper threshold and

decreases when the device temperature falls below the lower threshold. If you want to keep

the device working at a lower temperature, set lower fixed temperature thresholds. When the

device temperature reaches the lowered threshold for increasing the fan speed, the fan speed

will increase. The fan speed will not decrease until the device temperature falls below the

lower threshold for lowering the fan speed.

To view the original temperature thresholds and the adjusted thresholds, run the display fan speed-adjust threshold minus command.


# To reduce temperature thresholds for adjusting the fan speed by 10°C, run the following

commands.

<HUAWEI> system-view
[HUAWEI] set fan speed-adjust threshold minus 10
Info: Succeeded in setting the fan speed-adjust threshold.
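The two-threshold behaviour described in 3.3 (speed up above the upper threshold, slow down only below the lower one, and both thresholds shifted down together by the minus value) is a hysteresis loop, and the following added example simulates it so the effect of the minus setting on the same temperature trace can be seen. This is illustration code, not Huawei's fan control logic: the threshold values, the three speed levels and the temperature trace are constructed, and the real per-model values are the ones shown by display fan speed-adjust threshold minus.

```python
"""Fan-speed hysteresis as 3.3 describes it, as an added example (not Huawei code).

The fan steps up a level when the temperature rises above the upper threshold
and steps down a level only when it falls below the lower threshold; in
between, nothing changes. `set fan speed-adjust threshold minus N` lowers both
thresholds by N, so the fan responds earlier and keeps its speed longer.
All numbers here are constructed for illustration.
"""
from dataclasses import dataclass


@dataclass
class FanController:
    upper: float           # above this the speed level increases
    lower: float           # below this the speed level decreases
    max_level: int = 3     # constructed: three speed levels
    level: int = 1         # current level, 1 = slowest

    def apply_minus(self, delta: float) -> None:
        """Model 'set fan speed-adjust threshold minus <delta>' (both thresholds drop)."""
        if delta < 0 or self.lower - delta < 0:
            raise ValueError("delta must be non-negative and keep thresholds at or above 0")
        self.upper -= delta
        self.lower -= delta

    def step(self, temperature: float) -> int:
        """Apply one temperature sample and return the resulting speed level."""
        if temperature > self.upper and self.level < self.max_level:
            self.level += 1
        elif temperature < self.lower and self.level > 1:
            self.level -= 1
        # Between the thresholds (or at a limit level) the speed is held.
        return self.level


def simulate(trace: list[float], upper: float, lower: float,
             minus: float = 0.0) -> list[int]:
    """Return the speed level after each sample, optionally with thresholds lowered."""
    if lower >= upper:
        raise ValueError("lower threshold must be below upper threshold")
    fan = FanController(upper=upper, lower=lower)
    if minus:
        fan.apply_minus(minus)
    return [fan.step(t) for t in trace]


# Constructed trace in degrees Celsius: warms up, peaks, then cools down.
SAMPLE_TRACE = [40, 50, 60, 55, 45, 35]
```

With the constructed defaults of 55/45 the trace gives levels 1, 1, 2, 2, 2, 1: the fan speeds up only once 60 exceeds 55 and slows down only once 35 drops below 45. With minus set to 10 (thresholds 45/35) the same trace gives 1, 2, 3, 3, 3, 3: the fan reacts at 50, reaches its top level at 60, and never slows down because the trace never falls below the lowered threshold of 35.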


4 Common Mirroring Operations

About This Chapter

This chapter describes common mirroring operations.

4.1 Configuring an Observing Port

4.2 Configuring Port Mirroring

4.3 Configuring Traffic Mirroring

4.4 Deleting the Mirroring Configuration


4.1 Configuring an Observing Port

A physical port must be configured as an observing port before the mirroring function is configured. You can configure a single observing port or multiple observing ports in a batch. Observing ports configured in a batch are added to an observing port group. After a mirrored port is configured, the mirrored port is bound to the observing port group. Therefore, such batch configuration is usually performed in 1:N mirroring to simplify the configuration.

Configuring a Single Observing Port

• Configure a local observing port, which directly connects to a monitoring device.

<HUAWEI> system-view
[HUAWEI] observe-port 1 interface gigabitethernet 1/0/1

• Configure a Layer 2 remote observing port, which forwards mirroring packets to a monitoring device across a Layer 2 network.

<HUAWEI> system-view
[HUAWEI] observe-port 1 interface gigabitethernet 1/0/1 vlan 10

• Configure a Layer 3 remote observing port, which forwards mirroring packets to a monitoring device across a Layer 3 network. (Only the S7700 and S9700 support the configuration of a Layer 3 remote observing port.)

<HUAWEI> system-view
[HUAWEI] observe-port 1 interface gigabitethernet 1/0/1 destination-ip 10.1.1.1 source-ip 10.2.2.2

Configuring Observing Ports in a Batch (only in V200R005 and Later Versions)

• Configure local observing ports in a batch, which directly connect to monitoring devices.

<HUAWEI> system-view
[HUAWEI] observe-port 1 interface-range gigabitethernet 1/0/1 to gigabitethernet 1/0/3

• Configure Layer 2 remote observing ports in a batch, which forward mirroring packets to monitoring devices across a Layer 2 network.

<HUAWEI> system-view
[HUAWEI] observe-port 1 interface-range gigabitethernet 1/0/1 to gigabitethernet 1/0/3 vlan 10

• Layer 3 remote observing ports cannot be configured in a batch.

4.2 Configuring Port Mirroring

Configuring 1:1 Port Mirroring

You can copy packets on a mirrored port to an observing port. For example, copy incoming packets (received packets) on mirrored port GE2/0/1 to observing port GE1/0/1. GE1/0/1 is directly connected to a monitoring device.

<HUAWEI> system-view
[HUAWEI] observe-port 1 interface gigabitethernet 1/0/1
[HUAWEI] interface gigabitethernet 2/0/1
[HUAWEI-GigabitEthernet2/0/1] port-mirroring to observe-port 1 inbound


Configuring 1:N Port Mirroring

You can copy packets on one mirrored port to N observing ports. For example, copy incoming packets (received packets) on mirrored port GE2/0/1 to observing ports GE1/0/1 through GE1/0/3. These observing ports are directly connected to monitoring devices.

• Configure observing ports one by one.

<HUAWEI> system-view
[HUAWEI] observe-port 1 interface gigabitethernet 1/0/1
[HUAWEI] observe-port 2 interface gigabitethernet 1/0/2
[HUAWEI] observe-port 3 interface gigabitethernet 1/0/3
[HUAWEI] interface gigabitethernet 2/0/1
[HUAWEI-GigabitEthernet2/0/1] port-mirroring to observe-port 1 inbound
[HUAWEI-GigabitEthernet2/0/1] port-mirroring to observe-port 2 inbound
[HUAWEI-GigabitEthernet2/0/1] port-mirroring to observe-port 3 inbound

• Configure observing ports in a batch (only in V200R005 and later versions).

<HUAWEI> system-view
[HUAWEI] observe-port 1 interface-range gigabitethernet 1/0/1 to gigabitethernet 1/0/3
[HUAWEI] interface gigabitethernet 2/0/1
[HUAWEI-GigabitEthernet2/0/1] port-mirroring to observe-port 1 inbound

Configuring N:1 Port Mirroring

You can copy packets on N mirrored ports to one observing port. For example, copy incoming packets (received packets) on mirrored ports GE2/0/1 through GE2/0/3 to observing port GE1/0/1. GE1/0/1 is directly connected to a monitoring device.

<HUAWEI> system-view
[HUAWEI] observe-port 1 interface gigabitethernet 1/0/1
[HUAWEI] interface gigabitethernet 2/0/1
[HUAWEI-GigabitEthernet2/0/1] port-mirroring to observe-port 1 inbound
[HUAWEI-GigabitEthernet2/0/1] quit
[HUAWEI] interface gigabitethernet 2/0/2
[HUAWEI-GigabitEthernet2/0/2] port-mirroring to observe-port 1 inbound
[HUAWEI-GigabitEthernet2/0/2] quit
[HUAWEI] interface gigabitethernet 2/0/3
[HUAWEI-GigabitEthernet2/0/3] port-mirroring to observe-port 1 inbound
[HUAWEI-GigabitEthernet2/0/3] quit

Related Content

Support Community
Mirroring an Effective Network Monitoring Tool (Working Mechanism and Configuration)
Mirroring an Effective Network Monitoring Tool (Specifications)

Videos
How to Configure Port Mirroring

4.3 Configuring Traffic Mirroring

Traffic mirroring is a feature that copies a specified type of packets received and sent by devices, ports, or VLANs to observing ports connected to monitoring devices. Monitoring devices monitor only the specified type of packets.

Traffic mirroring can be configured based on ACLs or on the Modular Quality of Service Command-Line Interface (MQC) (complex traffic classification). ACL-based traffic mirroring is easy to configure but supports fewer packet types than MQC-based traffic mirroring and supports only inbound traffic mirroring. MQC-based traffic mirroring is more complex to configure but supports more packet types and both inbound and outbound traffic mirroring.

Implementing Traffic Mirroring Using ACLs

1. Configure an observing port (see 4.1 Configuring an Observing Port). For example, configure a local observing port GE1/0/1 that is directly connected to a monitoring device.

<HUAWEI> system-view
[HUAWEI] observe-port 1 interface gigabitethernet 1/0/1

2. Create an ACL. For example, create a Layer 2 ACL to match packets with 802.1p priority 6.

[HUAWEI] acl 4001
[HUAWEI-acl-L2-4001] rule permit 8021p 6
[HUAWEI-acl-L2-4001] quit

3. Configure traffic mirroring. For example:

– Copy packets with 802.1p priority 6 in the inbound direction of all the ports on the device to observing port GE1/0/1.

[HUAWEI] traffic-mirror inbound acl 4001 to observe-port 1

– Copy packets with 802.1p priority 6 in the inbound direction of all the ports in VLAN 10 to observing port GE1/0/1.

[HUAWEI] traffic-mirror vlan 10 inbound acl 4001 to observe-port 1

– Copy packets with 802.1p priority 6 in the inbound direction of GE2/0/1 to observing port GE1/0/1.

[HUAWEI] interface gigabitethernet 2/0/1
[HUAWEI-GigabitEthernet2/0/1] traffic-mirror inbound acl 4001 to observe-port 1

Implementing Traffic Mirroring Using Complex Traffic Classification

1. Configure an observing port (see 4.1 Configuring an Observing Port). For example, configure a local observing port GE1/0/1 that is directly connected to a monitoring device.

<HUAWEI> system-view
[HUAWEI] observe-port 1 interface gigabitethernet 1/0/1

2. Create a traffic classifier. For example, create a traffic classifier c1 to match packets with 802.1p priority 6.

[HUAWEI] traffic classifier c1
[HUAWEI-classifier-c1] if-match 8021p 6
[HUAWEI-classifier-c1] quit

3. Create a traffic behavior with the mirroring action. For example, create a traffic behavior b1 and set the action to traffic mirroring.

[HUAWEI] traffic behavior b1
[HUAWEI-behavior-b1] mirroring to observe-port 1
[HUAWEI-behavior-b1] quit

4. Create a traffic policy and bind the traffic classifier and traffic behavior to it. For example, create a traffic policy p1 and bind traffic classifier c1 and traffic behavior b1 to the policy.

[HUAWEI] traffic policy p1
[HUAWEI-trafficpolicy-p1] classifier c1 behavior b1
[HUAWEI-trafficpolicy-p1] quit

5. Apply the traffic policy. For example:

– Copy packets with 802.1p priority 6 in the inbound direction of all the ports on the device to observing port GE1/0/1.


[HUAWEI] traffic-policy p1 global inbound

– Copy packets with 802.1p priority 6 in the inbound direction of all the ports in VLAN 10 to observing port GE1/0/1.

[HUAWEI] vlan 10
[HUAWEI-vlan10] traffic-policy p1 inbound

– Copy packets with 802.1p priority 6 in the inbound direction of GE2/0/1 to observing port GE1/0/1.

[HUAWEI] interface gigabitethernet 2/0/1
[HUAWEI-GigabitEthernet2/0/1] traffic-policy p1 inbound

4.4 Deleting the Mirroring Configuration

If you want to delete the mirroring configuration after using the mirroring function, perform the following operations:

1. Run the display current-configuration command to check the current mirroring configuration. For example, you can view the following mirroring configuration.

<HUAWEI> display current-configuration
#
vlan batch 10 20 30
#
observe-port 2 interface GigabitEthernet1/0/1
...
...
#
interface GigabitEthernet1/0/1
#
interface GigabitEthernet1/0/2
...
...
#
interface GigabitEthernet2/0/1
 port-mirroring to observe-port 2 inbound
#
...
...

2. Run the undo port-mirroring command on the mirrored port to delete the binding between the observing port and the mirrored port and restore the mirrored port to a common port. For example, restore GE2/0/1 in step 1 to a common port.

<HUAWEI> system-view
[HUAWEI] interface gigabitethernet 2/0/1
[HUAWEI-GigabitEthernet2/0/1] undo port-mirroring to observe-port 2 inbound
[HUAWEI-GigabitEthernet2/0/1] quit

3. Run the undo observe-port command in the system view to delete the observing port. For example, delete the observing port in step 1 and restore GE1/0/1 to a common port.

[HUAWEI] undo observe-port 2

You can delete the observing port only after deleting the binding between the observing port and the mirrored port.
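Because the observing port can only be removed after every binding to it is gone, a cleanup of a switch with several mirrored ports has a required order. The following added Python example (written for this guide, not Huawei code) parses a constructed display current-configuration excerpt in the layout shown in step 1, lists every observe-port definition and port-mirroring binding, and produces the undo commands in the safe order: bindings first, then undo observe-port. The same inventory is what you would review when auditing a switch for mirroring sessions nobody remembers configuring. The sample config, including an observing port 3 with no mirrored port bound to it, is constructed.

```python
import re
from dataclasses import dataclass, field

# Constructed sample of "display current-configuration" output, modelled on the
# excerpt in section 4.4; it is not captured from a real device. A second
# observing port (index 3) with no mirrored port bound to it is included on purpose.
SAMPLE_CONFIG = """\
#
vlan batch 10 20 30
#
observe-port 2 interface GigabitEthernet1/0/1
observe-port 3 interface GigabitEthernet1/0/5 vlan 10
#
interface GigabitEthernet1/0/1
#
interface GigabitEthernet1/0/2
 description uplink
#
interface GigabitEthernet2/0/1
 port-mirroring to observe-port 2 inbound
#
interface GigabitEthernet2/0/2
 port-mirroring to observe-port 2 inbound
 port-mirroring to observe-port 2 outbound
#
"""

OBSERVE_RE = re.compile(r"^observe-port (\d+) interface (\S+)")
INTERFACE_RE = re.compile(r"^interface (\S+)$")
MIRROR_RE = re.compile(r"^\s*port-mirroring to observe-port (\d+) (inbound|outbound|both)\s*$")


@dataclass
class MirrorConfig:
    observe_ports: dict = field(default_factory=dict)  # index -> observing interface
    bindings: list = field(default_factory=list)       # (mirrored interface, index, direction)


def parse_mirroring(config_text):
    """Collect observe-port definitions and port-mirroring bindings from the running config."""
    cfg = MirrorConfig()
    current_if = None
    for line in config_text.splitlines():
        if line.strip() == "#":          # '#' terminates a configuration block
            current_if = None
            continue
        m = OBSERVE_RE.match(line)
        if m:
            cfg.observe_ports[int(m.group(1))] = m.group(2)
            continue
        m = INTERFACE_RE.match(line)
        if m:
            current_if = m.group(1)
            continue
        m = MIRROR_RE.match(line)
        if m and current_if is not None:
            cfg.bindings.append((current_if, int(m.group(1)), m.group(2)))
    return cfg


def removal_plan(cfg):
    """Return (commands, findings). Bindings are undone before the observing ports,
    because an observing port cannot be deleted while a mirrored port is bound to it."""
    commands = ["system-view"]
    findings = []
    by_interface = {}
    for mirrored_if, idx, direction in cfg.bindings:
        by_interface.setdefault(mirrored_if, []).append((idx, direction))
    for mirrored_if, binds in by_interface.items():
        commands.append(f"interface {mirrored_if}")
        for idx, direction in binds:
            if idx not in cfg.observe_ports:
                findings.append(f"{mirrored_if} is bound to undefined observe-port {idx}")
            commands.append(f"undo port-mirroring to observe-port {idx} {direction}")
        commands.append("quit")
    bound = {idx for _, idx, _ in cfg.bindings}
    for idx in sorted(cfg.observe_ports):
        if idx not in bound:
            findings.append(f"observe-port {idx} ({cfg.observe_ports[idx]}) has no mirrored port bound to it")
        commands.append(f"undo observe-port {idx}")
    return commands, findings


if __name__ == "__main__":
    cfg = parse_mirroring(SAMPLE_CONFIG)
    commands, findings = removal_plan(cfg)
    for finding in findings:
        print("finding:", finding)
    print("\n".join(commands))
```

The findings list is the audit output: an observing port with nothing bound to it is stale configuration, and a binding to an observe-port index that is not defined is a sign the configuration was edited by hand or partially restored.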


5 Common MAC Address Operations

About This Chapter

This chapter describes common MAC address operations.

5.1 Displaying All MAC Address Entries

5.2 Displaying MAC Address Entries Learned by an Interface

5.3 Displaying MAC Address Entries Learned in a VLAN

5.4 Displaying the System MAC Address

5.5 Displaying the MAC Address of an Interface

5.6 Displaying the MAC Address of a VLANIF Interface

5.7 Configuring a Static MAC Address

5.8 Configuring a Blackhole MAC Address

5.9 Displaying and Setting the Aging Time of MAC Addresses

5.10 Configuring Port Security


5.1 Displaying All MAC Address Entries

# Run the display mac-address command to check all MAC address entries.

<HUAWEI> display mac-address
-------------------------------------------------------------------------------
MAC Address    VLAN/VSI   Learned-From   Type
-------------------------------------------------------------------------------
0000-0000-0002 10/-       -              blackhole
0000-0000-0003 300/-      GE1/0/3        static
0026-6e5c-feac 3000/-     Eth-Trunk2     dynamic
0000-c116-0201 -/test     Eth-Trunk3     dynamic
-------------------------------------------------------------------------------
Total items displayed = 4

5.2 Displaying MAC Address Entries Learned by an Interface

# Run the display mac-address dynamic gigabitethernet1/0/1 command to check the MAC address entries learned by GE1/0/1.

<HUAWEI> display mac-address dynamic gigabitethernet1/0/1
-------------------------------------------------------------------------------
MAC Address    VLAN/VSI   Learned-From   Type
-------------------------------------------------------------------------------
0000-0000-0003 300/-      GE1/0/1        dynamic
0026-6e5c-feac 3000/-     GE1/0/1        dynamic
-------------------------------------------------------------------------------
Total items displayed = 2

5.3 Displaying MAC Address Entries Learned in a VLAN

# Run the display mac-address dynamic vlan 10 command to check the MAC address entries learned in VLAN 10.

<HUAWEI> display mac-address dynamic vlan 10
-------------------------------------------------------------------------------
MAC Address    VLAN/VSI   Learned-From   Type
-------------------------------------------------------------------------------
0000-0000-0003 10/-       GE1/0/1        dynamic
0026-6e5c-feac 10/-       GE1/0/2        dynamic
-------------------------------------------------------------------------------
Total items displayed = 2

5.4 Displaying the System MAC Address

The MAC address of a Layer 2 interface and the device's MAC address are the same. You can run the following commands to check the device's MAC address.

• Run the display interface gigabitethernet1/0/1 command. In the command output, 00e0-f74b-6d00 refers to the device's MAC address.

<HUAWEI> display interface gigabitethernet1/0/1
GigabitEthernet1/0/1 current state : UP
Line protocol current state : UP
Description:
Switch Port, Link-type : access(configured),
PVID : 103, TPID : 8100(Hex), The Maximum Frame Length is 9216
IP Sending Frames' Format is PKTFMT_ETHNT_2, Hardware address is 00e0-f74b-6d00
......

• In V200R002 and later versions, run the display bridge mac-address command to check the device's MAC address.

<HUAWEI> display bridge mac-address
System bridge MAC address: 00e0-f74b-6d00

5.5 Displaying the MAC Address of an Interface

Run the display interface gigabitethernet1/0/1 command. In the command output, 00e0-f74b-6d00 refers to the interface's MAC address. The MAC address of a Layer 2 interface and the device's MAC address are the same.

<HUAWEI> display interface gigabitethernet1/0/1
GigabitEthernet1/0/1 current state : UP
Line protocol current state : UP
Description:
Switch Port, Link-type : access(configured),
PVID : 103, TPID : 8100(Hex), The Maximum Frame Length is 9216
IP Sending Frames' Format is PKTFMT_ETHNT_2, Hardware address is 00e0-f74b-6d00
......

5.6 Displaying the MAC Address of a VLANIF Interface

# Run the display interface vlanif10 command. In the command output, 00e0-0987-7891 refers to the VLANIF interface's MAC address.

<HUAWEI> display interface vlanif10
Vlanif10 current state : DOWN
Line protocol current state : DOWN
Description:
Route Port,The Maximum Transmit Unit is 1500
Internet Address is 172.10.1.2/24
IP Sending Frames' Format is PKTFMT_ETHNT_2, Hardware address is 00e0-0987-7891
Current system time: 2014-08-14 16:40:09+08:00
Input bandwidth utilization : --
Output bandwidth utilization : --

5.7 Configuring a Static MAC Address

Configure the MAC address of the fixed upstream device or trusted user host connected to the switch as a static MAC address to ensure secure communication.

<HUAWEI> system-view
[HUAWEI] vlan 10  //Create VLAN 10.
[HUAWEI-vlan10] quit
[HUAWEI] interface GigabitEthernet1/0/1
[HUAWEI-GigabitEthernet1/0/1] port link-type access
[HUAWEI-GigabitEthernet1/0/1] port default vlan 10  //Add the interface to VLAN 10.
[HUAWEI-GigabitEthernet1/0/1] quit
[HUAWEI] mac-address static 0000-0012-0034 GigabitEthernet1/0/1 vlan 10  //Create a static MAC address entry and bind the MAC address 0000-0012-0034 to GigabitEthernet1/0/1.

NOTE

The interface bound to the MAC address must belong to the specified VLAN, and the VLAN must have been created.

5.8 Configuring a Blackhole MAC Address

To prevent a hacker from using a MAC address to attack a user device or network, configure the MAC address of an untrusted user as a blackhole MAC address. The switch then discards received packets whose source or destination MAC address is the blackhole MAC address.

The switch provides two blackhole MAC address modes: global and VLAN-based blackhole MAC addresses.

• In the system view, configure the MAC address 0000-0012-0034 as a global blackhole MAC address.

<HUAWEI> system-view
[HUAWEI] mac-address blackhole 0000-0012-0034

• In the system view, configure the MAC address 0000-0012-0035 as the blackhole MAC address in VLAN 10.

<HUAWEI> system-view
[HUAWEI] mac-address blackhole 0000-0012-0035 vlan 10

5.9 Displaying and Setting the Aging Time of MAC Addresses

# In the system view, run the mac-address aging-time 600 command to set the aging time of dynamic MAC addresses to 600s. By default, the aging time is 300s.

<HUAWEI> system-view
[HUAWEI] mac-address aging-time 600

# In any view, run the display mac-address aging-time command to view the aging time of dynamic MAC addresses.

<HUAWEI> display mac-address aging-time
Aging time: 300 second(s)

5.10 Configuring Port Security

Port security implements dynamic binding. After the maximum number of MAC addresses that can be learned by an interface is set, other non-trusted hosts cannot use the local interface to communicate with the switch, thereby improving device and network security.

# Configure port security on gigabitethernet1/0/1.

<HUAWEI> system-view
[HUAWEI] interface gigabitethernet 1/0/1
[HUAWEI-GigabitEthernet1/0/1] port-security enable

# Set the maximum number of MAC addresses that can be learned by gigabitethernet1/0/1 to 5.

<HUAWEI> system-view
[HUAWEI] interface gigabitethernet 1/0/1
[HUAWEI-GigabitEthernet1/0/1] port-security enable
[HUAWEI-GigabitEthernet1/0/1] port-security max-mac-num 5

NOTE

Before setting the maximum number of MAC addresses that can be learned by an interface, ensure that port security has been enabled on the interface.
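The display mac-address output in 5.1 through 5.3 and the port-security limit in 5.10 can be checked against each other: if an interface that is supposed to be capped at max-mac-num still shows more dynamic entries than the limit, port security is not actually enforced there (typically because port-security enable was never run, which the NOTE above warns about). The following added Python example (written for this guide, not Huawei code) parses a constructed MAC address table in the layout of section 5.1, cross-checks the parsed row count against the device's own "Total items displayed" line, counts dynamic entries per Learned-From interface, reports interfaces that exceed an intended limit, and lists the blackhole and static entries. The limits dictionary and the three extra GE1/0/1 rows are constructed for the example; interface names are keyed the way the table abbreviates them (GE1/0/1).

```python
import re
from collections import Counter

# Constructed sample in the layout of the display mac-address output shown in
# section 5.1; not captured from a real device. GE1/0/1 has three dynamic
# entries on purpose so that a limit of 2 is exceeded.
SAMPLE_MAC_TABLE = """\
<HUAWEI> display mac-address
-------------------------------------------------------------------------------
MAC Address    VLAN/VSI   Learned-From   Type
-------------------------------------------------------------------------------
0000-0000-0002 10/-       -              blackhole
0000-0000-0003 300/-      GE1/0/3        static
0026-6e5c-feac 3000/-     Eth-Trunk2     dynamic
0000-c116-0201 -/test     Eth-Trunk3     dynamic
0000-c116-0202 10/-       GE1/0/1        dynamic
0000-c116-0203 10/-       GE1/0/1        dynamic
0000-c116-0204 10/-       GE1/0/1        dynamic
-------------------------------------------------------------------------------
Total items displayed = 7
"""

ENTRY_RE = re.compile(
    r"^([0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4})\s+(\S+)/(\S+)\s+(\S+)\s+(\S+)$")
TOTAL_RE = re.compile(r"Total items displayed = (\d+)")


def parse_mac_table(text):
    """Return (entries, declared_total). Each entry is a dict with mac, vlan, vsi,
    learned_from and type; declared_total is the device's own row count, or None."""
    entries, total = [], None
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            mac, vlan, vsi, learned_from, kind = m.groups()
            entries.append({"mac": mac, "vlan": vlan, "vsi": vsi,
                            "learned_from": learned_from, "type": kind})
            continue
        m = TOTAL_RE.search(line)
        if m:
            total = int(m.group(1))
    return entries, total


def dynamic_macs_per_interface(entries):
    """Count dynamically learned addresses per Learned-From interface."""
    return Counter(e["learned_from"] for e in entries if e["type"] == "dynamic")


def port_security_findings(entries, max_mac_num):
    """max_mac_num maps interface -> intended port-security max-mac-num. Returns the
    interfaces whose dynamic entry count exceeds that limit, i.e. where port security
    is evidently not capping learning, as {interface: (count, limit)}."""
    counts = dynamic_macs_per_interface(entries)
    return {ifname: (counts[ifname], limit)
            for ifname, limit in max_mac_num.items() if counts[ifname] > limit}


def entries_of_type(entries, kind):
    """MAC addresses with the given Type column value, e.g. 'blackhole' or 'static'."""
    return [e["mac"] for e in entries if e["type"] == kind]


if __name__ == "__main__":
    entries, total = parse_mac_table(SAMPLE_MAC_TABLE)
    if total != len(entries):
        raise SystemExit(f"parsed {len(entries)} rows but device reports {total}")
    print("blackhole entries:", entries_of_type(entries, "blackhole"))
    print("static entries:", entries_of_type(entries, "static"))
    # Constructed limits: the values you would expect from port-security max-mac-num.
    print("over limit:", port_security_findings(entries, {"GE1/0/1": 2, "GE1/0/3": 5}))
```

The row-count cross-check matters on real output: any line the regular expression fails to match (for example a Learned-From value with an unexpected format) would otherwise silently disappear from the audit.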


6 Common Ethernet Interface Operations

About This Chapter

This chapter describes common Ethernet interface operations.

6.1 Configuring a Port Group

6.2 Configuring Port Isolation

6.3 Configuring the Working Mode of a Combo Interface

6.4 Configuring the Interface Rate

6.5 Configuring the Duplex Mode

6.6 Switching an Interface to Layer 3 Mode

6.7 One-Click Configuration Deletion on an Interface


6.1 Configuring a Port Group

Configuring a Temporary Port Group

# Run the port-group group-member command to add GE1/0/9 to GE1/0/15 to a temporary port group.

<HUAWEI> system-view
[HUAWEI] port-group group-member gigabitethernet 1/0/9 to gigabitethernet 1/0/15
[HUAWEI-port-group]

# Run the interface range command to add GE1/0/16 to GE1/0/20 to a temporary port group. (The interface range command is supported only by V200R003C00 and later versions.)

<HUAWEI> system-view
[HUAWEI] interface range gigabitethernet 1/0/16 to gigabitethernet 1/0/20
[HUAWEI-port-group]

Configuring a Permanent Port Group

# Run the port-group command to add GE1/0/1 to GE1/0/8 to permanent port group portgroup1.

<HUAWEI> system-view
[HUAWEI] port-group portgroup1
[HUAWEI-port-group-portgroup1] group-member gigabitethernet 1/0/1 to gigabitethernet 1/0/8

6.2 Configuring Port Isolation

Configuring a Port Isolation Group

# Configure port isolation on GE1/0/1 and GE1/0/2 to implement Layer 2 isolation and Layer 3 interworking between the two interfaces.

<HUAWEI> system-view
[HUAWEI] port-isolate mode l2
[HUAWEI] interface gigabitethernet 1/0/1
[HUAWEI-GigabitEthernet1/0/1] port-isolate enable group 1
[HUAWEI-GigabitEthernet1/0/1] quit
[HUAWEI] interface gigabitethernet 1/0/2
[HUAWEI-GigabitEthernet1/0/2] port-isolate enable group 1
[HUAWEI-GigabitEthernet1/0/2] quit

# Configure port isolation on GE1/0/10 to GE1/0/20 to implement Layer 2 and Layer 3 isolation among these interfaces.

<HUAWEI> system-view
[HUAWEI] port-isolate mode all
[HUAWEI] port-group portgroup1
[HUAWEI-port-group-portgroup1] group-member gigabitethernet 1/0/10 to gigabitethernet 1/0/20
[HUAWEI-port-group-portgroup1] port-isolate enable group 2

NOTE

All S series chassis switches support Layer 2 and Layer 3 isolation. S series box switches support Layer 2 and Layer 3 isolation, excluding the S2700SI and S2700EI in V100R006C05 and the S1720, S2720, S2750EI, S5700LI, S5710-X-LI, S5710-C-LI and S5700S-LI in V200R001 and later versions.


Configuring Unidirectional Isolation

# Configure unidirectional isolation to isolate GE1/0/5 from GE1/0/6, GE1/0/7, and GE1/0/8 unidirectionally. This configuration ensures that Layer 2 data packets from GE1/0/5 cannot reach GE1/0/6, GE1/0/7, and GE1/0/8.

<HUAWEI> system-view
[HUAWEI] port-isolate mode l2
[HUAWEI] interface gigabitethernet 1/0/5
[HUAWEI-GigabitEthernet1/0/5] am isolate gigabitethernet 1/0/6 to 1/0/8
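The two isolation mechanisms in 6.2 behave differently: members of one isolation group are isolated from each other in both directions (at Layer 2 only in mode l2, at Layers 2 and 3 in mode all), whereas am isolate blocks only the one direction named on the source interface. The following added Python example (written for this guide, not Huawei code) reads a constructed CLI transcript made of the commands shown in 6.2, expands interface ranges, and answers "can a Layer 2 frame from port A be forwarded out port B?" so the asymmetry can be checked before a change is pushed. The model covers only the rules stated on this page (group membership, mode, am isolate); platform-specific details such as VLAN scope are assumed out of scope. The transcript uses mode l2 for all three configurations because the mode is a single global setting.

```python
import re
from dataclasses import dataclass, field

# Constructed CLI transcript combining the three configurations in section 6.2;
# it is not a capture from a real switch.
SAMPLE_TRANSCRIPT = """\
<HUAWEI> system-view
[HUAWEI] port-isolate mode l2
[HUAWEI] interface gigabitethernet 1/0/1
[HUAWEI-GigabitEthernet1/0/1] port-isolate enable group 1
[HUAWEI-GigabitEthernet1/0/1] quit
[HUAWEI] interface gigabitethernet 1/0/2
[HUAWEI-GigabitEthernet1/0/2] port-isolate enable group 1
[HUAWEI-GigabitEthernet1/0/2] quit
[HUAWEI] port-group portgroup1
[HUAWEI-port-group-portgroup1] group-member gigabitethernet 1/0/10 to gigabitethernet 1/0/20
[HUAWEI-port-group-portgroup1] port-isolate enable group 2
[HUAWEI-port-group-portgroup1] quit
[HUAWEI] interface gigabitethernet 1/0/5
[HUAWEI-GigabitEthernet1/0/5] am isolate gigabitethernet 1/0/6 to 1/0/8
[HUAWEI-GigabitEthernet1/0/5] quit
"""

PROMPT_RE = re.compile(r"^(?:<[^>]+>|\[[^\]]+\])\s*")
# "1/0/6 to 1/0/8" and "1/0/10 to gigabitethernet 1/0/20" both match.
RANGE_RE = re.compile(r"(\d+/\d+/\d+)(?:\s+to\s+(?:[A-Za-z]+\s+)?(\d+/\d+/\d+))?")


def expand_range(first, last=None):
    """'1/0/6', '1/0/8' -> ['GE1/0/6', 'GE1/0/7', 'GE1/0/8']; only the port field varies."""
    slot, sub, p1 = first.split("/")
    p2 = last.split("/")[2] if last else p1
    return [f"GE{slot}/{sub}/{p}" for p in range(int(p1), int(p2) + 1)]


@dataclass
class IsolationConfig:
    mode: str = "l2"                                 # port-isolate mode l2 | all
    group_of: dict = field(default_factory=dict)     # interface -> isolation group number
    am_isolate: dict = field(default_factory=dict)   # source interface -> blocked destinations


def parse_isolation(transcript):
    """Build the isolation model from the commands in a CLI transcript."""
    cfg = IsolationConfig()
    targets = []    # interfaces the current view (interface or port-group) applies to
    for raw in transcript.splitlines():
        cmd = PROMPT_RE.sub("", raw).strip()
        if cmd.startswith("port-isolate mode "):
            cfg.mode = cmd.split()[-1]
        elif cmd.startswith("interface gigabitethernet "):
            targets = expand_range(cmd.split()[-1])
        elif cmd.startswith("port-group "):
            targets = []
        elif cmd.startswith("group-member "):
            m = RANGE_RE.search(cmd)
            targets = expand_range(m.group(1), m.group(2))
        elif cmd.startswith("port-isolate enable group "):
            for ifname in targets:
                cfg.group_of[ifname] = int(cmd.split()[-1])
        elif cmd.startswith("am isolate "):
            m = RANGE_RE.search(cmd)
            for src in targets:
                cfg.am_isolate.setdefault(src, set()).update(expand_range(m.group(1), m.group(2)))
        elif cmd == "quit":
            targets = []
    return cfg


def same_group(cfg, a, b):
    g = cfg.group_of.get(a)
    return g is not None and g == cfg.group_of.get(b)


def l2_reachable(cfg, src, dst):
    """May a Layer 2 frame that enters src be forwarded out dst?"""
    if src == dst:
        return False
    if same_group(cfg, src, dst):               # one isolation group: isolated both ways
        return False
    if dst in cfg.am_isolate.get(src, set()):   # am isolate: blocks src -> dst only
        return False
    return True


def l3_reachable(cfg, src, dst):
    """Layer 3 interworking between members of one group survives only in mode l2."""
    return not (same_group(cfg, src, dst) and cfg.mode == "all")


if __name__ == "__main__":
    cfg = parse_isolation(SAMPLE_TRANSCRIPT)
    for src, dst in [("GE1/0/1", "GE1/0/2"), ("GE1/0/5", "GE1/0/7"), ("GE1/0/7", "GE1/0/5")]:
        print(f"{src} -> {dst}: L2 {l2_reachable(cfg, src, dst)}, L3 {l3_reachable(cfg, src, dst)}")
```

Running the check for both directions of every am isolate pair is the quickest way to confirm that the unidirectional form really is what was intended; if the design requires the reverse direction to be blocked as well, the ports belong in a shared isolation group instead.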

6.3 Configuring the Working Mode of a Combo Interface

# Configure GE1/0/1 to work in electrical mode.

<HUAWEI> system-view
[HUAWEI] interface gigabitethernet 1/0/1
[HUAWEI-GigabitEthernet1/0/1] combo-port copper

To configure the working mode of a combo interface, run the combo-port { auto | copper | fiber } command in the combo interface view.

• When the auto mode is specified, the system checks whether the combo optical interface has an optical module installed, and selects the interface working mode as follows:

– When the electrical interface is not connected, the combo interface works as an optical interface if the combo optical interface has an optical module installed.

– When the electrical interface is connected using a network cable and the combo interface is Up, the combo interface works as an electrical interface even if the combo optical interface has an optical module installed. However, the combo interface works as an optical interface after the device restarts.

– When the electrical interface is connected using a network cable and the combo interface is Down, the combo interface works as an optical interface if the combo optical interface has an optical module installed.

In summary, when the auto mode is specified and the combo optical interface has an optical module installed, the combo interface works as an optical interface after the device restarts.

• You can forcibly specify the working mode of the combo interface based on the peer interface type. If the local combo electrical interface is connected to a peer electrical interface, configure the combo interface to work in copper mode. If the local combo optical interface is connected to a peer optical interface, configure the combo interface to work in fiber mode.

6.4 Configuring the Interface Rate

Manually Configuring the Interface Rate in Auto-Negotiation Mode

# Set the negotiation rate to 100 Mbit/s for Ethernet interface GE1/0/1 working in auto-negotiation mode.

<HUAWEI> system-view
[HUAWEI] interface gigabitethernet 1/0/1
[HUAWEI-GigabitEthernet1/0/1] negotiation auto
[HUAWEI-GigabitEthernet1/0/1] auto speed 100


NOTE

GE optical interfaces do not support manually configuring the interface rate in auto-negotiation mode, except a GE optical interface that has a GE copper module installed.

Configuring the Interface Rate in Non-Auto-Negotiation Mode

# Set the rate to 100 Mbit/s for Ethernet interface GE1/0/1 working in non-auto-negotiation mode.

<HUAWEI> system-view
[HUAWEI] interface gigabitethernet 1/0/1
[HUAWEI-GigabitEthernet1/0/1] undo negotiation auto
[HUAWEI-GigabitEthernet1/0/1] speed 100

6.5 Configuring the Duplex Mode

Configuring the Duplex Mode for an Interface in Auto-Negotiation Mode

# Set the duplex mode to full-duplex for Ethernet electrical interface GE1/0/1 working in auto-negotiation mode.

<HUAWEI> system-view
[HUAWEI] interface gigabitethernet 1/0/1
[HUAWEI-GigabitEthernet1/0/1] negotiation auto
[HUAWEI-GigabitEthernet1/0/1] auto duplex full

Configuring the Duplex Mode for an Interface in Non-Auto-Negotiation Mode

# Set the duplex mode to half-duplex for Ethernet electrical interface GE1/0/1 working in non-auto-negotiation mode.

<HUAWEI> system-view
[HUAWEI] interface gigabitethernet 1/0/1
[HUAWEI-GigabitEthernet1/0/1] undo negotiation auto
[HUAWEI-GigabitEthernet1/0/1] duplex half

NOTE

Physical service interfaces of the S5710HI, S6700EI, S5720HI, S5720EI and S6720EI do not support the duplex mode configuration.

Physical service interfaces of the X1E series cards on a modular switch do not support the duplex mode configuration.

6.6 Switching an Interface to Layer 3 Mode

# Change the working mode of GE1/0/1 from Layer 2 mode to Layer 3 mode.

<HUAWEI> system-view
[HUAWEI] interface gigabitethernet 1/0/1
[HUAWEI-GigabitEthernet1/0/1] undo portswitch
[HUAWEI-GigabitEthernet1/0/1] ip address 10.10.10.10 255.255.255.0

To switch an interface to Layer 3 mode, run the undo portswitch command in the interface view.

By default, an Ethernet interface works in Layer 2 mode.

When you run this command on an interface, the mode switch takes effect only if the interface carries attribute configurations alone (such as shutdown and description). If service configurations (such as port link-type trunk) exist on the interface, you need to clear all service configurations before running this command.

Since V200R003, interfaces on the S5700EI, S5700HI, S5710EI, S5710HI, S5720EI, S5720HI, S6700EI, S6720EI, S7700, and S9700 support switching between Layer 2 and Layer 3 modes.

For switches in V200R005C00 and later versions, after running the undo portswitch command to switch an Ethernet interface to Layer 3 mode, you can assign an IP address to the interface.

6.7 One-Click Configuration Deletion on an Interface

# Run the clear configuration interface command in the system view to delete the configurations on GE1/0/1.

<HUAWEI> system-view
[HUAWEI] clear configuration interface gigabitethernet 1/0/1
Warning: All configurations of the interface will be cleared, and its state will be shutdown. Continue? [Y/N] :y
Info: Total 5 command(s) executed, 5 successful, 0 failed.

# Run the clear configuration this command in the interface view to delete the configurations on GE1/0/1.

<HUAWEI> system-view
[HUAWEI] interface gigabitethernet 1/0/1
[HUAWEI-GigabitEthernet1/0/1] clear configuration this
Warning: All configurations of the interface will be cleared, and its state will be shutdown. Continue? [Y/N] :y
Info: Total 3 command(s) executed, 3 successful, 0 failed.


7 Common Link Aggregation Operations

About This Chapter

This chapter describes common Ethernet link aggregation operations.

7.1 Adding Member Interfaces to an Eth-Trunk in a Batch

7.2 Deleting a Specified Member Interface from an Eth-Trunk 

7.3 Deleting an Eth-Trunk 

7.4 Displaying the Eth-Trunk Configuration

7.5 Displaying Information About Eth-Trunk Member Interfaces

7.6 Displaying the Numbers of Eth-Trunks and Member Interfaces Supported by the Device


7.1 Adding Member Interfaces to an Eth-Trunk in a Batch

# Add GigabitEthernet1/0/1 to GigabitEthernet1/0/5 to Eth-Trunk 1.

<HUAWEI> system-view
[HUAWEI] interface eth-trunk 1
[HUAWEI-Eth-Trunk1] trunkport gigabitethernet 1/0/1 to 1/0/5

7.2 Deleting a Specified Member Interface from an Eth-Trunk

You can use either of the following methods to delete a specified member interface from an Eth-Trunk:

• Run the undo trunkport interface-type { interface-number1 [ to interface-number2 ] } &<1-8> command in the Eth-Trunk view to delete a specified member interface from an Eth-Trunk.

<HUAWEI> system-view
[HUAWEI] interface eth-trunk 1
[HUAWEI-Eth-Trunk1] undo trunkport gigabitethernet 1/0/1

• Run the undo eth-trunk command in the member interface view to delete a specified member interface from an Eth-Trunk.

<HUAWEI> system-view
[HUAWEI] interface gigabitethernet 1/0/1
[HUAWEI-GigabitEthernet1/0/1] undo eth-trunk

7.3 Deleting an Eth-Trunk

Prerequisites

All member interfaces have been deleted from the Eth-Trunk. See 7.2 Deleting a Specified Member Interface from an Eth-Trunk.

Procedure

Run the undo interface eth-trunk trunk-id command in the system view.

<HUAWEI> system-view
[HUAWEI] undo interface eth-trunk 10

7.4 Displaying the Eth-Trunk Configuration

# Display the configuration of all Eth-Trunks.

<HUAWEI> display eth-trunk
Eth-Trunk10's state information is:
Local:
LAG ID: 10                     WorkingMode: LACP
Preempt Delay Time: 10         Hash arithmetic: According to SIP-XOR-DIP
System Priority: 120           System ID: 0018-82d4-04c3
Least Active-linknumber: 1     Max Active-linknumber: 2
Operate status: up             Number Of Up Port In Trunk: 2
--------------------------------------------------------------------------------


ActorPortName          Status   PortType PortPri PortNo PortKey PortState Weight
GigabitEthernet1/0/2   Selected 1GE      10      262    2609    10111100  1
GigabitEthernet1/0/3   Selected 1GE      10      263    2609    10111100  1
GigabitEthernet1/0/4   Unselect 1GE      32768   264    2609    10100000  1

Partner:
--------------------------------------------------------------------------------
ActorPortName          SysPri   SystemID        PortPri PortNo PortKey PortState
GigabitEthernet1/0/2   32768    00e0-fc6e-bb11  32768   262    2609    10111100
GigabitEthernet1/0/3   32768    00e0-fc6e-bb11  32768   263    2609    10111100
GigabitEthernet1/0/4   32768    00e0-fc6e-bb11  32768   264    2609    10110000

Eth-Trunk11's state information is:
WorkingMode: NORMAL            Hash arithmetic: According to SIP-XOR-DIP
Least Active-linknumber: 1     Max Bandwidth-affected-linknumber: 8
Operate status: up             Number Of Up Port In Trunk: 1
--------------------------------------------------------------------------------
PortName               Status   Weight
GigabitEthernet1/0/1   Up       1

# Display the configuration of Eth-Trunk 10 in LACP mode.

<HUAWEI> display eth-trunk 10
Eth-Trunk10's state information is:
Local:
LAG ID: 10                     WorkingMode: LACP
Preempt Delay Time: 10         Hash arithmetic: According to SIP-XOR-DIP
System Priority: 120           System ID: 0018-82d4-04c3
Least Active-linknumber: 1     Max Active-linknumber: 2
Operate status: up             Number Of Up Port In Trunk: 2
--------------------------------------------------------------------------------
ActorPortName          Status   PortType PortPri PortNo PortKey PortState Weight
GigabitEthernet1/0/2   Selected 1GE      10      262    2609    10111100  1
GigabitEthernet1/0/3   Selected 1GE      10      263    2609    10111100  1
GigabitEthernet1/0/4   Unselect 1GE      32768   264    2609    10100000  1

Partner:
--------------------------------------------------------------------------------
ActorPortName          SysPri   SystemID        PortPri PortNo PortKey PortState
GigabitEthernet1/0/2   32768    00e0-fc6e-bb11  32768   262    2609    10111100
GigabitEthernet1/0/3   32768    00e0-fc6e-bb11  32768   263    2609    10111100
GigabitEthernet1/0/4   32768    00e0-fc6e-bb11  32768   264    2609    10110000

# Display the configuration of Eth-Trunk 11 in manual load balancing mode.

<HUAWEI> display eth-trunk 11
Eth-Trunk11's state information is:
WorkingMode: NORMAL            Hash arithmetic: According to SIP-XOR-DIP
Least Active-linknumber: 1     Max Bandwidth-affected-linknumber: 8
Operate status: up             Number Of Up Port In Trunk: 1
--------------------------------------------------------------------------------
PortName               Status   Weight
GigabitEthernet1/0/1   Up       1
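As an added example (not part of the guide), the following Python script parses output in the format of the `display eth-trunk` listing above, embedded here as a constructed copy, and reports what an operator checks after changing an Eth-Trunk: members that are Unselect, which LACP state flags they lack, and whether the number of up ports has fallen below Least Active-linknumber. The eight PortState characters are read as the 802.1AX actor state flags in order (Activity, Timeout, Aggregation, Synchronization, Collecting, Distributing, Defaulted, Expired); that reading fits the Selected and Unselect rows on this page but is an assumption, not something the guide states.

```python
import re
from dataclasses import dataclass, field

# Constructed copy of the `display eth-trunk 10` output shown in this section.
SAMPLE_OUTPUT = """\
<HUAWEI> display eth-trunk 10
Eth-Trunk10's state information is:
Local:
LAG ID: 10                     WorkingMode: LACP
Preempt Delay Time: 10         Hash arithmetic: According to SIP-XOR-DIP
System Priority: 120           System ID: 0018-82d4-04c3
Least Active-linknumber: 1     Max Active-linknumber: 2
Operate status: up             Number Of Up Port In Trunk: 2
--------------------------------------------------------------------------------
ActorPortName          Status   PortType PortPri PortNo PortKey PortState Weight
GigabitEthernet1/0/2   Selected 1GE      10      262    2609    10111100  1
GigabitEthernet1/0/3   Selected 1GE      10      263    2609    10111100  1
GigabitEthernet1/0/4   Unselect 1GE      32768   264    2609    10100000  1

Partner:
--------------------------------------------------------------------------------
ActorPortName          SysPri   SystemID        PortPri PortNo PortKey PortState
GigabitEthernet1/0/2   32768    00e0-fc6e-bb11  32768   262    2609    10111100
GigabitEthernet1/0/3   32768    00e0-fc6e-bb11  32768   263    2609    10111100
GigabitEthernet1/0/4   32768    00e0-fc6e-bb11  32768   264    2609    10110000
"""

# Assumed meaning of the eight PortState characters, left to right: the 802.1AX
# actor state flags.  The guide does not say this; it is consistent with its rows.
STATE_FLAGS = ("activity", "timeout", "aggregation", "synchronization",
               "collecting", "distributing", "defaulted", "expired")


@dataclass
class ActorPort:
    name: str
    status: str            # Selected or Unselect
    state: dict            # flag name -> bool


@dataclass
class EthTrunk:
    lag_id: int
    mode: str
    least_active: int
    max_active: int
    up_ports: int
    actors: list = field(default_factory=list)


def decode_state(bits: str) -> dict:
    """Map a PortState string such as 10111100 to named boolean flags."""
    if len(bits) != 8 or set(bits) - {"0", "1"}:
        raise ValueError(f"bad PortState {bits!r}")
    return {flag: bit == "1" for flag, bit in zip(STATE_FLAGS, bits)}


def parse_eth_trunk(text: str) -> EthTrunk:
    """Parse the Local block and the actor port table of one LACP Eth-Trunk."""
    def field_int(label: str) -> int:
        m = re.search(re.escape(label) + r":\s*(\d+)", text)
        if m is None:
            raise ValueError(f"missing field {label!r}")
        return int(m.group(1))

    mode = re.search(r"WorkingMode:\s*(\S+)", text)
    if mode is None:
        raise ValueError("missing WorkingMode")
    trunk = EthTrunk(
        lag_id=field_int("LAG ID"), mode=mode.group(1),
        least_active=field_int("Least Active-linknumber"),
        max_active=field_int("Max Active-linknumber"),
        up_ports=field_int("Number Of Up Port In Trunk"),
    )
    # Actor rows are the ones before "Partner:"; each ends with PortState and Weight.
    row = re.compile(
        r"^(\S+)\s+(Selected|Unselect)\s+\S+\s+\d+\s+\d+\s+\d+\s+([01]{8})\s+\d+\s*$",
        re.MULTILINE)
    for name, status, bits in row.findall(text.split("Partner:")[0]):
        trunk.actors.append(ActorPort(name, status, decode_state(bits)))
    return trunk


def audit(trunk: EthTrunk) -> list:
    """Findings an operator acts on: too few active links, or members not forwarding."""
    findings = []
    if trunk.up_ports < trunk.least_active:
        findings.append(f"Eth-Trunk{trunk.lag_id}: {trunk.up_ports} up port(s) is below "
                        f"Least Active-linknumber {trunk.least_active}")
    for port in trunk.actors:
        # A forwarding LACP member is in sync and both collecting and distributing.
        missing = [f for f in ("synchronization", "collecting", "distributing")
                   if not port.state[f]]
        if port.status != "Selected" or missing:
            findings.append(f"{port.name}: {port.status}; flags clear: {missing}")
    return findings


if __name__ == "__main__":
    for line in audit(parse_eth_trunk(SAMPLE_OUTPUT)):
        print(line)
```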


7.5 Displaying Information About Eth-Trunk Member Interfaces

# Display information about member interfaces of Eth-Trunk 2.

<HUAWEI> display trunkmembership eth-trunk 2
Trunk ID: 2
Used status: VALID
TYPE: ethernet
Working Mode : Normal
Number Of Ports in Trunk = 2
Number Of Up Ports in Trunk = 2
Operate status: up
Interface GigabitEthernet1/0/1, valid, operate up, weight=1
Interface GigabitEthernet1/0/2, valid, operate up, weight=1

7.6 Displaying the Numbers of Eth-Trunks and Member Interfaces Supported by the Device

NOTE

V200R005 and later versions support the display trunk configuration command.

# Display the numbers of LAGs and member interfaces.

<HUAWEI> display trunk configuration
--------------------------------------------------
Item            Default    Current    Configured
--------------------------------------------------
trunk-group     128        2          4
trunk-member    8          16         16
--------------------------------------------------

Table 7-1 Description of the display trunk configuration command output

Item            Meaning
Default         Default Eth-Trunk specifications supported by the device.
Current         Current Eth-Trunk specifications supported by the device.
Configured      Configured Eth-Trunk specifications. If the configured Eth-Trunk specifications are different from the current Eth-Trunk specifications, the configured Eth-Trunk specifications take effect after the device restarts.
trunk-group     Maximum number of Eth-Trunks supported by the device.
trunk-member    Maximum number of member interfaces in each Eth-Trunk.


8 Common VLAN Operations

About This Chapter

This chapter describes common VLAN operations.

8.1 Creating VLANs in a Batch

8.2 Adding Interfaces to a VLAN in a Batch

8.3 Restoring the Default VLAN Configuration of an Interface

8.4 Deleting a VLAN or VLANs in a Batch

8.5 Changing the Link Type of an Interface


8.1 Creating VLANs in a Batch

Run the vlan batch command in the system view to create VLANs in a batch.

• Create 10 contiguous VLANs in a batch: VLAN 11 to VLAN 20.

  <HUAWEI> system-view
  [HUAWEI] vlan batch 11 to 20

• Create 10 noncontiguous VLANs in a batch: VLAN 10, VLANs 15 to 19, VLAN 25, VLANs 28 to 30.

  <HUAWEI> system-view
  [HUAWEI] vlan batch 10 15 to 19 25 28 to 30

NOTE

You can specify a maximum of 10 noncontiguous VLANs or VLAN ranges in one command. If more than 10 noncontiguous VLANs or ranges need to be created, run this command multiple times. For example, vlan batch 10 15 to 19 25 28 to 30 specifies four noncontiguous VLAN items.
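The following Python helper (an added example, not the guide's code) turns a set of VLAN IDs into the vlan batch commands that create them, collapsing contiguous IDs into ranges and splitting the list across several commands when it exceeds the 10-item limit the NOTE describes; with undo=True it produces the undo vlan batch form used in 8.4.

```python
MAX_BATCH_ITEMS = 10   # per the NOTE: at most 10 VLANs or VLAN ranges per vlan batch command


def vlan_runs(vlans) -> list:
    """Collapse a collection of VLAN IDs into sorted, contiguous (first, last) runs."""
    runs = []
    for vid in sorted(set(vlans)):
        if not 1 <= vid <= 4094:
            raise ValueError(f"VLAN {vid} is outside 1-4094")
        if runs and runs[-1][1] == vid - 1:
            runs[-1][1] = vid            # extend the current run
        else:
            runs.append([vid, vid])      # start a new run
    return [(first, last) for first, last in runs]


def vlan_batch_commands(vlans, undo: bool = False, max_items: int = MAX_BATCH_ITEMS) -> list:
    """Return the vlan batch (or undo vlan batch) commands that cover `vlans`.

    Each command carries at most `max_items` single VLANs or ranges, so a large
    VLAN set is split across several commands, as the NOTE advises.
    """
    runs = vlan_runs(vlans)
    prefix = "undo vlan batch" if undo else "vlan batch"
    commands = []
    for i in range(0, len(runs), max_items):
        items = [str(a) if a == b else f"{a} to {b}" for a, b in runs[i:i + max_items]]
        commands.append(f"{prefix} {' '.join(items)}")
    return commands


if __name__ == "__main__":
    # The guide's own example set: VLAN 10, 15 to 19, 25, 28 to 30.
    for cmd in vlan_batch_commands([10, 15, 16, 17, 18, 19, 25, 28, 29, 30]):
        print(cmd)
```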

8.2 Adding Interfaces to a VLAN in a Batch

Configure a port group to add interfaces to a VLAN in a batch.

• Set the link type of interfaces to access.

  <HUAWEI> system-view
  [HUAWEI] port-group pg1  //Create a port group named pg1.
  [HUAWEI-port-group-pg1] group-member gigabitethernet1/0/1 to gigabitethernet1/0/5  //Add gigabitethernet1/0/1 to gigabitethernet1/0/5 to the port group.
  [HUAWEI-port-group-pg1] port link-type access  //Set the link type of gigabitethernet1/0/1 to gigabitethernet1/0/5 to access.
  [HUAWEI-port-group-pg1] port default vlan 10  //Add gigabitethernet1/0/1 to gigabitethernet1/0/5 to VLAN 10.

• Set the link type of interfaces to trunk.

  <HUAWEI> system-view
  [HUAWEI] port-group pg1  //Create a port group named pg1.
  [HUAWEI-port-group-pg1] group-member gigabitethernet1/0/1 to gigabitethernet1/0/5  //Add gigabitethernet1/0/1 to gigabitethernet1/0/5 to the port group.
  [HUAWEI-port-group-pg1] port link-type trunk  //Set the link type of gigabitethernet1/0/1 to gigabitethernet1/0/5 to trunk.
  [HUAWEI-port-group-pg1] port trunk allow-pass vlan 10 20  //Add gigabitethernet1/0/1 to gigabitethernet1/0/5 to VLAN 10 and VLAN 20.

• Set the link type of interfaces to hybrid.

  <HUAWEI> system-view
  [HUAWEI] port-group pg1  //Create a port group named pg1.
  [HUAWEI-port-group-pg1] group-member gigabitethernet1/0/1 to gigabitethernet1/0/5  //Add gigabitethernet1/0/1 to gigabitethernet1/0/5 to the port group.
  [HUAWEI-port-group-pg1] port link-type hybrid  //Set the link type of gigabitethernet1/0/1 to gigabitethernet1/0/5 to hybrid.
  [HUAWEI-port-group-pg1] port hybrid tagged vlan 10  //Add gigabitethernet1/0/1 to gigabitethernet1/0/5 to VLAN 10 in tagged mode.
  [HUAWEI-port-group-pg1] port hybrid untagged vlan 20  //Add gigabitethernet1/0/1 to gigabitethernet1/0/5 to VLAN 20 in untagged mode.


8.3 Restoring the Default VLAN Configuration of an Interface

The default VLAN configuration of an interface involves the PVID and VLAN 1 that the interface joins.

• Restore the default configuration of the access interface.

  <HUAWEI> system-view
  [HUAWEI] interface gigabitethernet 1/0/1
  [HUAWEI-GigabitEthernet1/0/1] undo port default vlan

• Restore the default configuration of the trunk interface.

  <HUAWEI> system-view
  [HUAWEI] interface gigabitethernet 1/0/1
  [HUAWEI-GigabitEthernet1/0/1] undo port trunk pvid vlan
  [HUAWEI-GigabitEthernet1/0/1] undo port trunk allow-pass vlan all
  [HUAWEI-GigabitEthernet1/0/1] port trunk pvid vlan 1

• Restore the default configuration of the hybrid interface.

  <HUAWEI> system-view
  [HUAWEI] interface gigabitethernet 1/0/1
  [HUAWEI-GigabitEthernet1/0/1] undo port hybrid pvid vlan
  [HUAWEI-GigabitEthernet1/0/1] undo port hybrid vlan all
  [HUAWEI-GigabitEthernet1/0/1] port hybrid untagged vlan 1

8.4 Deleting a VLAN or VLANs in a Batch

The device supports deletion of a single VLAN or VLANs in a batch.

• Delete VLAN 10.

  <HUAWEI> system-view
  [HUAWEI] undo vlan 10

• Delete VLAN 10 to VLAN 20 in a batch.

  <HUAWEI> system-view
  [HUAWEI] undo vlan batch 10 to 20

NOTE

In versions earlier than V200R005, before deleting a VLAN on which a VLANIF interface has been configured, run the undo interface vlanif command to delete the VLANIF interface.

8.5 Changing the Link Type of an Interface

The link type of an interface can be access, trunk, hybrid, or Dot1q-tunnel. The method used to change the link type of an interface differs between versions.

• In V200R005 and later versions, run the port link-type { access | trunk | hybrid | dot1q-tunnel } command and enter y or n as prompted. When the interface uses the default VLAN configuration, the system does not display any message, and the link type of the interface is changed directly.

  – When you enter y and press Enter, the device automatically deletes the non-default VLAN configuration of the interface and sets the link type of the interface to the specified one.

  – When you enter n and press Enter, the device retains the current link type and VLAN configuration of the interface.

  Change the link type of the interface to hybrid.


  <HUAWEI> system-view
  [HUAWEI] interface gigabitethernet0/0/1
  [HUAWEI-GigabitEthernet0/0/1] port link-type hybrid
  Warning: This command will delete VLANs on this port. Continue?[Y/N]:y
  Info: This operation may take a few seconds. Please wait for a moment...done.

• In versions earlier than V200R005, an interface joins VLAN 1 by default, and the PVID of the interface is VLAN 1. You can run the port link-type { access | trunk | hybrid | dot1q-tunnel } command to change the link type of the interface.

  – Change the link type of the interface to access.

    <HUAWEI> system-view
    [HUAWEI] interface gigabitethernet0/0/1
    [HUAWEI-GigabitEthernet0/0/1] port link-type access
    [HUAWEI-GigabitEthernet0/0/1] port default vlan 10  //Set the PVID of the interface to VLAN 10.

  – Change the link type of the interface to trunk.

    <HUAWEI> system-view
    [HUAWEI] interface gigabitethernet0/0/1
    [HUAWEI-GigabitEthernet0/0/1] port link-type trunk
    [HUAWEI-GigabitEthernet0/0/1] port trunk pvid vlan 10  //Set the PVID of the interface to VLAN 10.
    [HUAWEI-GigabitEthernet0/0/1] port trunk allow-pass vlan 2 10 20  //Add the interface to VLAN 2, VLAN 10, and VLAN 20.

  – Change the link type of the interface to hybrid.

    <HUAWEI> system-view
    [HUAWEI] interface gigabitethernet0/0/1
    [HUAWEI-GigabitEthernet0/0/1] port link-type hybrid
    [HUAWEI-GigabitEthernet0/0/1] port hybrid pvid vlan 10  //Set the PVID of the interface to VLAN 10.
    [HUAWEI-GigabitEthernet0/0/1] port hybrid untagged vlan 2 10  //Add the interface to VLAN 2 and VLAN 10 in untagged mode.
    [HUAWEI-GigabitEthernet0/0/1] port hybrid tagged vlan 20  //Add the interface to VLAN 20 in tagged mode.

  – Change the link type of the interface to Dot1q-tunnel.

    <HUAWEI> system-view
    [HUAWEI] interface gigabitethernet0/0/1
    [HUAWEI-GigabitEthernet0/0/1] port link-type dot1q-tunnel
    [HUAWEI-GigabitEthernet0/0/1] port default vlan 10  //Set the PVID of the interface to VLAN 10. The interface adds VLAN 10 to all received data packets.

  When you change the link type of an interface that does not use the default VLAN configuration, the system displays the message "Error: Please renew the default configurations." You need to restore the default configuration of the interface, and then change the link type of the interface.

  – Restore the default VLAN configuration of an access or Dot1q-tunnel interface.

    <HUAWEI> system-view
    [HUAWEI] interface gigabitethernet0/0/1
    [HUAWEI-GigabitEthernet0/0/1] undo port default vlan

  – Restore the default VLAN configuration of a trunk interface.

    <HUAWEI> system-view
    [HUAWEI] interface gigabitethernet0/0/1
    [HUAWEI-GigabitEthernet0/0/1] undo port trunk pvid vlan
    [HUAWEI-GigabitEthernet0/0/1] undo port trunk allow-pass vlan all
    [HUAWEI-GigabitEthernet0/0/1] port trunk allow-pass vlan 1

  – Restore the default configuration of a hybrid interface.

    <HUAWEI> system-view
    [HUAWEI] interface gigabitethernet0/0/1
    [HUAWEI-GigabitEthernet0/0/1] undo port hybrid pvid vlan


    [HUAWEI-GigabitEthernet0/0/1] undo port hybrid vlan all
    [HUAWEI-GigabitEthernet0/0/1] port hybrid untagged vlan 1
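The following Python model (an added example, not Huawei code) reproduces the rules of 8.3 and 8.5: which commands each link type accepts, what the default VLAN configuration is, the per-type restore sequence (the trunk sequence as listed in 8.5), and how port link-type behaves on an interface with non-default configuration, prompting on V200R005 and later and failing with the renew-defaults error on earlier versions. Method names mirror the CLI commands; the starting link type of a modelled port is an assumption.

```python
from dataclasses import dataclass, field

LINK_TYPES = ("access", "trunk", "hybrid", "dot1q-tunnel")
RENEW_ERROR = "Error: Please renew the default configurations."


class ConfigError(Exception):
    """Raised where the switch would print an Error: line and reject the command."""


@dataclass
class Port:
    """VLAN state of one interface: link type, PVID, VLANs joined, and which are tagged."""
    link_type: str = "hybrid"                 # assumed starting link type for the model
    pvid: int = 1
    vlans: set = field(default_factory=lambda: {1})
    tagged: set = field(default_factory=set)  # subset of vlans sent tagged (hybrid only)

    def is_default(self) -> bool:
        # Default VLAN configuration as the guide defines it: PVID 1, member of VLAN 1 only.
        return self.pvid == 1 and self.vlans == {1} and not self.tagged

    def _need(self, *types):
        if self.link_type not in types:
            raise ConfigError(f"Error: command not valid on a {self.link_type} port")

    # access / dot1q-tunnel: port default vlan sets the PVID and the only VLAN joined
    def port_default_vlan(self, vid):
        self._need("access", "dot1q-tunnel")
        self.pvid, self.vlans, self.tagged = vid, {vid}, set()

    def undo_port_default_vlan(self):
        self._need("access", "dot1q-tunnel")
        self.pvid, self.vlans, self.tagged = 1, {1}, set()

    # trunk
    def port_trunk_pvid_vlan(self, vid):
        self._need("trunk"); self.pvid = vid

    def undo_port_trunk_pvid_vlan(self):
        self._need("trunk"); self.pvid = 1

    def port_trunk_allow_pass_vlan(self, *vids):
        self._need("trunk"); self.vlans |= set(vids)

    def undo_port_trunk_allow_pass_vlan_all(self):
        self._need("trunk"); self.vlans = set()

    # hybrid
    def port_hybrid_pvid_vlan(self, vid):
        self._need("hybrid"); self.pvid = vid

    def undo_port_hybrid_pvid_vlan(self):
        self._need("hybrid"); self.pvid = 1

    def port_hybrid_untagged_vlan(self, *vids):
        self._need("hybrid"); self.vlans |= set(vids); self.tagged -= set(vids)

    def port_hybrid_tagged_vlan(self, *vids):
        self._need("hybrid"); self.vlans |= set(vids); self.tagged |= set(vids)

    def undo_port_hybrid_vlan_all(self):
        self._need("hybrid"); self.vlans, self.tagged = set(), set()

    def restore_default(self):
        """The per-link-type command sequence of 8.3 / 8.5 (trunk as listed in 8.5)."""
        if self.link_type in ("access", "dot1q-tunnel"):
            self.undo_port_default_vlan()
        elif self.link_type == "trunk":
            self.undo_port_trunk_pvid_vlan()
            self.undo_port_trunk_allow_pass_vlan_all()
            self.port_trunk_allow_pass_vlan(1)
        else:
            self.undo_port_hybrid_pvid_vlan()
            self.undo_port_hybrid_vlan_all()
            self.port_hybrid_untagged_vlan(1)

    def port_link_type(self, new_type, v200r005_or_later=True, answer="y") -> bool:
        """Model `port link-type`. Returns True if the link type changed.

        V200R005 and later: with non-default config the device prompts; 'y' wipes
        it and changes the type, 'n' leaves everything as is.  Earlier versions:
        the command is rejected with RENEW_ERROR until the defaults are restored.
        """
        if new_type not in LINK_TYPES:
            raise ValueError(f"unknown link type {new_type!r}")
        if not self.is_default():
            if not v200r005_or_later:
                raise ConfigError(RENEW_ERROR)
            if answer.lower() != "y":
                return False
            self.restore_default()
        self.link_type = new_type
        return True
```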


9 Common QinQ Operations

About This Chapter

This chapter describes common QinQ operations.

9.1 Configuring Basic QinQ

9.2 Configuring Selective QinQ

9.3 Configuring the Device to Add Double Tags to Untagged Packets

9.4 Deleting the Selective QinQ Configuration


9.1 Configuring Basic QinQ

Basic QinQ is also called common QinQ and is implemented based on interfaces. When an interface enabled with basic QinQ receives a packet, the device tags the packet with the default VLAN ID of the interface.

• If the received packet carries one VLAN tag, the packet then has double tags.

• If the received packet does not carry any VLAN tag, the packet then carries the default VLAN tag of the interface.

# Create VLAN 10 in the outer tag.
<HUAWEI> system-view
[HUAWEI] vlan 10
[HUAWEI-vlan10] quit
# Configure downlink interface GE1/0/1.
[HUAWEI] interface gigabitethernet1/0/1
[HUAWEI-GigabitEthernet1/0/1] port link-type dot1q-tunnel  //Set the link type to Dot1q-tunnel.
[HUAWEI-GigabitEthernet1/0/1] port default vlan 10  //GE1/0/1 tags all received data packets with VLAN 10.
# Configure uplink interface GE1/0/2 to transparently transmit packets with VLAN 10 in the outer tag.
[HUAWEI] interface gigabitethernet1/0/2
[HUAWEI-GigabitEthernet1/0/2] port link-type trunk
[HUAWEI-GigabitEthernet1/0/2] port trunk allow-pass vlan 10

9.2 Configuring Selective QinQ

Selective QinQ, also called VLAN stacking or QinQ stacking, is implemented based on interfaces and VLANs.

Configure the device to tag VLAN 2 in the outer tag of packets with VLANs 100 to 200 in inner tags, to tag VLAN 3 in the outer tag of packets with VLANs 300 to 400, and to transparently transmit packets from VLAN 1000.

• Configure selective QinQ on a fixed switch.

  # Create VLAN 2, VLAN 3, and VLAN 1000.
  <HUAWEI> system-view
  [HUAWEI] vlan batch 2 3 1000
  # Configure downlink interface GE0/0/1.
  [HUAWEI] interface gigabitethernet0/0/1
  [HUAWEI-GigabitEthernet0/0/1] port link-type hybrid
  [HUAWEI-GigabitEthernet0/0/1] qinq vlan-translation enable  //VLAN translation must be enabled on the fixed device.
  [HUAWEI-GigabitEthernet0/0/1] port hybrid untagged vlan 2 3  //The interface joins VLAN 2 and VLAN 3 in untagged mode.
  [HUAWEI-GigabitEthernet0/0/1] port hybrid tagged vlan 1000  //The interface transparently transmits packets tagged with VLAN 1000.
  [HUAWEI-GigabitEthernet0/0/1] port vlan-stacking vlan 100 to 200 stack-vlan 2  //The interface adds VLAN 2 in the outer tag of packets with VLANs 100 to 200 in inner tags.
  [HUAWEI-GigabitEthernet0/0/1] port vlan-stacking vlan 300 to 400 stack-vlan 3  //The interface adds VLAN 3 in the outer tag of packets with VLANs 300 to 400 in inner tags.
  [HUAWEI-GigabitEthernet0/0/1] port vlan-mapping vlan 1000 map-vlan 1000  //On the S5700EI, S3700EI, and S3700SI, the VLAN from which single-tagged packets need to be transparently transmitted must be mapped to itself.
  [HUAWEI-GigabitEthernet0/0/1] quit


  # Configure uplink interface GE0/0/5 to transparently transmit packets from VLAN 2, VLAN 3, and VLAN 1000.
  [HUAWEI] interface gigabitethernet0/0/5
  [HUAWEI-GigabitEthernet0/0/5] port link-type trunk
  [HUAWEI-GigabitEthernet0/0/5] port trunk allow-pass vlan 2 3 1000

• Configure selective QinQ on a modular switch.

  # Create VLAN 2, VLAN 3, and VLAN 1000.
  <HUAWEI> system-view
  [HUAWEI] vlan batch 2 3 1000
  # Configure downlink interface GE1/0/1.
  [HUAWEI] interface gigabitethernet1/0/1
  [HUAWEI-GigabitEthernet1/0/1] port link-type hybrid
  [HUAWEI-GigabitEthernet1/0/1] port hybrid untagged vlan 2 3  //The interface joins VLAN 2 and VLAN 3 in untagged mode.
  [HUAWEI-GigabitEthernet1/0/1] port hybrid tagged vlan 1000  //The interface transparently transmits packets tagged with VLAN 1000.
  [HUAWEI-GigabitEthernet1/0/1] port vlan-stacking vlan 100 to 200 stack-vlan 2  //The interface adds VLAN 2 in the outer tag of packets with VLANs 100 to 200 in inner tags.
  [HUAWEI-GigabitEthernet1/0/1] port vlan-stacking vlan 300 to 400 stack-vlan 3  //The interface adds VLAN 3 in the outer tag of packets with VLANs 300 to 400 in inner tags.
  [HUAWEI-GigabitEthernet1/0/1] port vlan-mapping vlan 1000 map-vlan 1000  //On the ES0D0G24SA00 and ES0D0G24CA00 cards of the S7700, and the EH1D2S24CSA0 and EH1D2G24SSA0 cards of the S9700, the VLAN from which single-tagged packets need to be transparently transmitted must be mapped to itself.
  [HUAWEI-GigabitEthernet1/0/1] quit
  # Configure uplink interface GE2/0/1 to transparently transmit packets from VLAN 2, VLAN 3, and VLAN 1000.
  [HUAWEI] interface gigabitethernet2/0/1
  [HUAWEI-GigabitEthernet2/0/1] port link-type trunk
  [HUAWEI-GigabitEthernet2/0/1] port trunk allow-pass vlan 2 3 1000

9.3 Configuring the Device to Add Double Tags to Untagged Packets

# Configure GE0/0/1 to add double tags to received untagged packets.
<HUAWEI> system-view
[HUAWEI] vlan 10  //Create VLAN 10 in the outer tag.
[HUAWEI-vlan10] quit
[HUAWEI] interface gigabitethernet0/0/1
[HUAWEI-GigabitEthernet0/0/1] port link-type hybrid
[HUAWEI-GigabitEthernet0/0/1] qinq vlan-translation enable  //VLAN translation must be enabled on the fixed device. This command does not need to be used on the modular device.
[HUAWEI-GigabitEthernet0/0/1] port hybrid untagged vlan 10  //The interface joins VLAN 10 in untagged mode.
[HUAWEI-GigabitEthernet0/0/1] port vlan-stacking untagged stack-vlan 10 stack-inner-vlan 5  //The interface tags untagged packets with inner VLAN 5 and outer VLAN 10.


NOTE

• The S5700SI, S5700EI, ES0D0G24SA00 and ES0D0G24CA00 cards of the S7700, and EH1D2G24SSA0 and EH1D2S24CSA0 cards of the S9700 do not support this configuration.

• When you configure the device to add double tags to untagged packets, run the port link-type hybrid command to change the link type of the interface to hybrid if the following message is displayed:

  [HUAWEI-GigabitEthernet0/0/1] port vlan-stacking untagged stack-vlan 10 stack-inner-vlan 5
  Error: The port is not a Trunk or Hybrid port.

• When you configure the fixed device to add double tags to untagged packets, run the qinq vlan-translation enable command to enable VLAN translation if the following message is displayed:

  [HUAWEI-GigabitEthernet0/0/1] port vlan-stacking untagged stack-vlan 10 stack-inner-vlan 5
  Error: Please configure qinq vlan-translation enable on this port first.

• When you configure the device to add double tags to untagged packets, run the undo port hybrid pvid vlan command to restore the PVID of the interface to 1 if the following message is displayed:

  [HUAWEI-GigabitEthernet0/0/1] port vlan-stacking untagged stack-vlan 10 stack-inner-vlan 5
  Error: This port has been configured with default VLAN or PVID, please undo it first.
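The following Python model (an added example, not Huawei code) shows the tag handling described in 9.1 to 9.3 and the checks in the NOTE above: a dot1q-tunnel port pushes its default VLAN onto every received frame; a hybrid port with port vlan-stacking pushes the configured outer tag by inner VLAN range, passes VLANs it is a member of unchanged, and adds two tags to untagged frames; and the configuration commands raise the three error strings the NOTE lists. Tag stacks are tuples with the outermost tag first; a frame in a VLAN the port does not belong to is treated as discarded, which is an assumption about the data path rather than something the guide states.

```python
from dataclasses import dataclass, field
from typing import Optional

ERR_NOT_TRUNK_HYBRID = "Error: The port is not a Trunk or Hybrid port."
ERR_NO_TRANSLATION = "Error: Please configure qinq vlan-translation enable on this port first."
ERR_PVID_SET = ("Error: This port has been configured with default VLAN or PVID, "
                "please undo it first.")


class ConfigError(Exception):
    """Raised where the switch would print one of the Error: lines above."""


@dataclass
class QinqPort:
    """Ingress tagging behaviour of one interface under the QinQ settings of this chapter."""
    link_type: str = "hybrid"
    fixed_device: bool = True          # fixed switches need qinq vlan-translation enable
    vlan_translation: bool = False
    pvid: int = 1                      # port default vlan / port hybrid pvid vlan
    member_vlans: set = field(default_factory=lambda: {1})
    stacking: list = field(default_factory=list)   # (inner_first, inner_last, outer)
    untagged_stack: Optional[tuple] = None         # (outer, inner) for untagged frames

    # --- configuration commands, with the checks the NOTE describes ---
    def _check_stacking_allowed(self):
        if self.link_type not in ("trunk", "hybrid"):
            raise ConfigError(ERR_NOT_TRUNK_HYBRID)
        if self.fixed_device and not self.vlan_translation:
            raise ConfigError(ERR_NO_TRANSLATION)

    def qinq_vlan_translation_enable(self):
        self.vlan_translation = True

    def port_default_vlan(self, vid):            # dot1q-tunnel (and access) interfaces
        self.pvid = vid
        self.member_vlans = {vid}

    def port_hybrid_untagged_vlan(self, *vids):
        self.member_vlans |= set(vids)

    def port_hybrid_tagged_vlan(self, *vids):
        self.member_vlans |= set(vids)

    def undo_port_hybrid_pvid_vlan(self):
        self.pvid = 1

    def port_vlan_stacking(self, inner_first, inner_last, outer):
        """port vlan-stacking vlan <first> to <last> stack-vlan <outer>."""
        self._check_stacking_allowed()
        self.stacking.append((inner_first, inner_last, outer))

    def port_vlan_stacking_untagged(self, outer, inner):
        """port vlan-stacking untagged stack-vlan <outer> stack-inner-vlan <inner>."""
        self._check_stacking_allowed()
        if self.pvid != 1:
            raise ConfigError(ERR_PVID_SET)
        self.untagged_stack = (outer, inner)

    # --- data path ---
    def ingress(self, tags: tuple):
        """Tag stack a received frame carries after this port, or None if it is dropped.

        `tags` holds the frame's VLAN tags outermost first; () means untagged.
        """
        if self.link_type == "dot1q-tunnel":
            # Basic QinQ: every received frame gets the interface default VLAN as outer tag.
            return (self.pvid,) + tuple(tags)
        if not tags:
            if self.untagged_stack:
                return self.untagged_stack         # double tags added to an untagged frame
            return (self.pvid,)
        inner = tags[0]
        for first, last, outer in self.stacking:   # selective QinQ by inner VLAN range
            if first <= inner <= last:
                return (outer,) + tuple(tags)
        if inner in self.member_vlans:             # transparent transmission (e.g. VLAN 1000)
            return tuple(tags)
        return None   # assumption: a VLAN the port is not a member of is discarded
```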

9.4 Deleting the Selective QinQ Configuration

# Delete all the selective QinQ configuration of an interface.

<HUAWEI> system-view
[HUAWEI] interface gigabitethernet 1/0/1
[HUAWEI-GigabitEthernet1/0/1] undo port vlan-stacking all

# Delete the configuration of an inner VLAN in selective QinQ.

<HUAWEI> system-view
[HUAWEI] interface gigabitethernet 1/0/1
[HUAWEI-GigabitEthernet1/0/1] undo port vlan-stacking vlan 3 stack-vlan 10  //Delete the selective QinQ configuration with VLAN 3 in the inner tag.


10 Common STP/RSTP Operations

About This Chapter

This chapter describes common STP/RSTP operations.

10.1 Enabling STP/RSTP

10.2 Disabling STP/RSTP

10.3 Configuring Root Protection

10.4 Configuring an Edge Port

10.5 Changing the STP/RSTP Cost

10.6 Displaying the STP/RSTP Status

10.7 Displaying the Root Bridge


10.1 Enabling STP/RSTP

Enabling STP/RSTP Globally

Run the stp enable command in the system view.

<HUAWEI> system-view
[HUAWEI] stp enable

Enabling STP/RSTP on an Interface

Run the stp enable command in the interface view.

<HUAWEI> system-view
[HUAWEI] interface gigabitethernet 1/0/1
[HUAWEI-GigabitEthernet1/0/1] stp enable

10.2 Disabling STP/RSTP

Disabling STP/RSTP Globally

Run the undo stp enable command in the system view.

<HUAWEI> system-view
[HUAWEI] undo stp enable

Disabling STP/RSTP on an Interface

Run the undo stp enable command in the interface view.

<HUAWEI> system-view
[HUAWEI] interface gigabitethernet 1/0/1
[HUAWEI-GigabitEthernet1/0/1] undo stp enable

10.3 Configuring Root Protection

Run the stp root-protection command in the interface view.

<HUAWEI> system-view
[HUAWEI] interface gigabitethernet 1/0/1
[HUAWEI-GigabitEthernet1/0/1] stp root-protection

10.4 Configuring an Edge Port

Run the stp edged-port enable command in the interface view.

<HUAWEI> system-view
[HUAWEI] interface gigabitethernet 1/0/1
[HUAWEI-GigabitEthernet1/0/1] stp edged-port enable

10.5 Changing the STP/RSTP Cost

Run the stp cost cost command in the interface view.


<HUAWEI> system-view
[HUAWEI] interface gigabitethernet 1/0/1
[HUAWEI-GigabitEthernet1/0/1] stp cost 20000

10.6 Displaying the STP/RSTP Status

# Display the spanning tree status and statistics.

<HUAWEI> display stp brief
 MSTID  Port                        Role  STP State     Protection
   0    GigabitEthernet1/0/22       DESI  FORWARDING      NONE
   0    GigabitEthernet1/0/27       DESI  FORWARDING      NONE
   0    GigabitEthernet1/0/28       DESI  FORWARDING      NONE
   0    GigabitEthernet1/0/35       DESI  FORWARDING      NONE
   0    GigabitEthernet1/0/40       DESI  FORWARDING      NONE

10.7 Displaying the Root Bridge

# Display the spanning tree status of the root bridge.

<HUAWEI> display stp bridge root
 MSTID  Root ID               Root Cost  Hello  Max  Forward  Root Port
                                         Time   Age  Delay
 -----  --------------------  ---------  -----  ---  -------  -----------------
     0  61440.781d-ba56-f06c          0      2   20       15


11 Common DHCP Operations

About This Chapter

This chapter describes common DHCP operations.

Table 11-1 lists the versions and products that support the DHCP server, relay, client, and

DHCP snooping functions.

Table 11-1 Applicable products and versions

Version                          Model
V100R006C05                      • Supporting the DHCP server and relay functions: S3700SI and S3700EI
                                 • Supporting the DHCP client function: all products
                                 • Supporting the DHCP snooping function: S2700EI, S3700SI and S3700EI
V200R001C00&C01                  • Supporting the DHCP server and relay functions: S9700, S7700, S6700, S5710EI, S5700HI, S5700EI, S5700SI, S3700HI
                                 • Supporting the DHCP client function: all products
                                 • Supporting the DHCP snooping function: all products
V200R002C00                      • Supporting the DHCP server and relay functions: S9700, S7700, S6700, S5710EI, S5700HI, S5700EI, S5700SI
                                 • Supporting the DHCP client function: all products
                                 • Supporting the DHCP snooping function: all products


V200R003C00&C02&C10              • Supporting the DHCP server and relay functions: S9700, S7700, S6700, S5710HI, S5710EI, S5700HI, S5700EI, S5700SI
                                 • Supporting the DHCP client function: all products
                                 • Supporting the DHCP snooping function: all products
V200R005C00&C01                  • Supporting the DHCP server and relay functions: S9700, S7700, S6700, S5710HI, S5710EI, S5700HI, S5700EI, S5700SI, S5700LI, S5700S-L, S2750EI
                                 • Supporting the DHCP client function: all products
                                 • Supporting the DHCP snooping function: all products
V200R006C00 and later versions   • Supporting the DHCP server and relay function: all products
                                 • Supporting the DHCP client function: all products
                                 • Supporting the DHCP snooping function: all products

11.1 Configuring IP Addresses Not Dynamically Assigned

11.2 Modifying the Lease

11.3 Assigning Fixed IP Addresses to Clients

11.4 Withdrawing the Fixed IP Addresses Assigned to Clients

11.5 Checking IP Addresses Used

11.6 Clearing Conflicting Addresses

11.7 Increasing the Address Pool Range

11.8 Decreasing the Address Pool Range

11.9 Preventing a Device from Obtaining an IP Address from a Pseudo DHCP Server 

11.10 Disabling the DHCP Service


11.1 Configuring IP Addresses Not Dynamically Assigned

You can configure some IP addresses that are not dynamically assigned in the following scenarios:

• An enterprise requires that the IP addresses assigned to employees' computers should be within the range of 10.1.1.2-10.1.1.254 (gateway address 10.1.1.1). To ensure stability of the DNS server deployed in the enterprise, the server IP address should be manually configured to 10.1.1.10. Therefore, 10.1.1.10 can be configured as an IP address that is not dynamically assigned.

• Assume that an enterprise assigns the IP addresses 10.1.1.2-10.1.1.100 (gateway address 10.1.1.1) to the clients in department A and 10.1.1.101-10.1.1.254 to those in department B based on the global mode. When the device functions as the DHCP server, create two address pools: pool1 (assigns addresses to hosts in department A) and pool2 (assigns addresses to hosts in department B). The network masks are both 24 for the address pools. Configure 10.1.1.101-10.1.1.254 in pool1 and 10.1.1.1-10.1.1.100 in pool2 as IP addresses that are not dynamically assigned.

Configure the IP addresses that are not dynamically assigned on the device functioning as the DHCP server. For example, in an address pool with a mask length of 24 on the network segment 10.1.1.0, configure 10.1.1.100-10.1.1.200 as IP addresses that are not dynamically assigned.

• Configuration in the global address pool:

  <HUAWEI> system-view
  [HUAWEI] ip pool pool1
  [HUAWEI-ip-pool-pool1] network 10.1.1.0 mask 24
  [HUAWEI-ip-pool-pool1] gateway-list 10.1.1.1
  [HUAWEI-ip-pool-pool1] excluded-ip-address 10.1.1.100 10.1.1.200

• Configuration in the interface address pool:

  <HUAWEI> system-view
  [HUAWEI] dhcp enable
  [HUAWEI] interface vlanif 100
  [HUAWEI-Vlanif100] ip address 10.1.1.1 24
  [HUAWEI-Vlanif100] dhcp select interface
  [HUAWEI-Vlanif100] dhcp server excluded-ip-address 10.1.1.100 10.1.1.200

11.2 Modifying the Lease

You can modify the lease for the device functioning as a DHCP server or client. When a DHCP server assigns a lease, it compares the lease requested by the DHCP client with the lease configured in the DHCP server address pool and assigns the shorter of the two to the client.

By default, the lease is one day for the device functioning as a DHCP server, and no expected lease is configured for the device functioning as a DHCP client.

# On the device functioning as a DHCP server, modify the lease of the IP addresses in the global address pool pool1 or the interface address pool VLANIF100 to 10 days.

- Configuration in the global address pool:

<HUAWEI> system-view
[HUAWEI] ip pool pool1
[HUAWEI-ip-pool-pool1] lease day 10

- Configuration in the interface address pool:


<HUAWEI> system-view
[HUAWEI] interface vlanif 100
[HUAWEI-Vlanif100] dhcp server lease day 10

# Modify the expected lease to 10 days (864000 seconds) on the device functioning as a DHCP client.

<HUAWEI> system-view
[HUAWEI] interface vlanif 100
[HUAWEI-Vlanif100] dhcp client expected-lease 864000

11.3 Assigning Fixed IP Addresses to Clients

In network planning, some devices need fixed IP addresses to ensure stability, for example, the DNS servers in an enterprise or the printers in an office building. A fixed IP address can be statically configured (using the ip address command) or obtained through DHCP. The following is an example of assigning fixed IP addresses to clients through DHCP.

Configure fixed IP addresses for clients on the device functioning as the DHCP server. For example, in an address pool with a mask length of 24 on the network segment 10.1.1.0, configure the IP address 10.1.1.100 to be assigned only to the client with the MAC address dcd2-fc96-e4c0.

- Configuration in the global address pool:

<HUAWEI> system-view
[HUAWEI] ip pool pool1
[HUAWEI-ip-pool-pool1] static-bind ip-address 10.1.1.100 mac-address dcd2-fc96-e4c0

- Configuration in the interface address pool:

<HUAWEI> system-view
[HUAWEI] interface vlanif 100
[HUAWEI-Vlanif100] dhcp server static-bind ip-address 10.1.1.100 mac-address dcd2-fc96-e4c0

11.4 Withdrawing the Fixed IP Addresses Assigned to Clients

Withdraw the IP addresses assigned to clients on the device functioning as the DHCP server. For example, in an address pool with a mask length of 24 on the network segment 10.1.1.0, withdraw the IP address 10.1.1.5 assigned to a client. You can run the display ip pool { interface interface-pool-name | name ip-pool-name } used command to check the static binding relationships between clients and IP addresses. For the command output, see 11.5 Checking IP Addresses Used.

- Configuration in the global address pool:

  a. Withdraw the IP address 10.1.1.5.

<HUAWEI> reset ip pool name pool1 10.1.1.5

  b. Cancel the static binding relationship.

<HUAWEI> system-view
[HUAWEI] ip pool pool1
[HUAWEI-ip-pool-pool1] undo static-bind ip-address 10.1.1.5

- Configuration in the interface address pool:

  a. Withdraw the IP address 10.1.1.5.

<HUAWEI> reset ip pool interface vlanif100 10.1.1.5


  b. Cancel the static binding relationship.

<HUAWEI> system-view
[HUAWEI] interface vlanif 100
[HUAWEI-Vlanif100] undo dhcp server static-bind ip-address 10.1.1.5

11.5 Checking IP Addresses Used

On the device functioning as a DHCP server, run the display ip pool { interface interface-pool-name | name ip-pool-name } used command to check the IP addresses used.

For example, the following command output indicates that there are 253 available IP addresses (10.1.1.1-10.1.1.254, excluding the gateway address 10.1.1.2) in the global address pool pool1. The IP address 10.1.1.254 is used by the DHCP client with the MAC address 0235-2036-adcc, and 10.1.1.5 is used by the DHCP client with the MAC address 00e0-0987-7895.

<HUAWEI> display ip pool name pool1 used
  Pool-name      : pool1
  Pool-No        : 0
  Lease          : 1 Days 0 Hours 0 Minutes
  Domain-name    : -
  DNS-server0    : -
  NBNS-server0   : -
  Netbios-type   : -
  Position       : Local          Status         : Unlocked
  Gateway-0      : 10.1.1.2
  Network        : 10.1.1.0
  Mask           : 255.255.255.0
  VPN instance   : --
  -----------------------------------------------------------------------------
  Start           End             Total    Used   Idle(Expired)  Conflict  Disable
  -----------------------------------------------------------------------------
  10.1.1.1        10.1.1.254      253      2      252(0)         0         0
  -----------------------------------------------------------------------------

  Network section :
  -----------------------------------------------------------------------------
  Index   IP              MAC              Lease   Status
  -----------------------------------------------------------------------------
  253     10.1.1.254      0235-2036-adcc   178     Used
  4       10.1.1.5        00e0-0987-7895   60      Static-bind
  -----------------------------------------------------------------------------

11.6 Clearing Conflicting Addresses

Clear the conflicting addresses in the address pool on a device functioning as a DHCP server. The conflicting addresses can then be assigned again. For example, clear the conflicting IP addresses in the global address pool pool1 or the interface address pool VLANIF100.

NOTE

The clients with conflicting addresses need to reconnect to obtain new IP addresses.


- Configuration in the global address pool:

<HUAWEI> reset ip pool name pool1 conflict

- Configuration in the interface address pool:

<HUAWEI> reset ip pool interface vlanif100 conflict

11.7 Increasing the Address Pool Range

You can reduce the mask length of an address pool to increase the address pool range. For example, a DHCP server assigns IP addresses from an address pool with a mask length of 25 to 126 users. Then 120 users are added to the network and also need to obtain IP addresses through DHCP. In this case, you need to reduce the mask length of the address pool to 24.

Before increasing the address pool range, check whether IP addresses have been assigned to clients. For details, see 11.5 Checking IP Addresses Used.

NOTE

- After the mask length is changed from 25 to 24, 128 new users can be assigned IP addresses.
- The increased address range cannot conflict with other address ranges on the network.
- The ratio of the number of clients to the address pool range is planned according to the clients' online status. If all clients (for example, enterprise employees' PCs) are online concurrently, ensure that the number of addresses that can be assigned in the address pool is equal to or greater than the number of clients. If the clients (for example, PCs in public areas such as hotels and Internet cafes) are not online concurrently, the number of addresses that can be assigned in the address pool can be less than the number of clients.

- If the addresses have not been assigned:

  Reduce the mask length of the address pool on the device functioning as the DHCP server to increase the address pool range.

  – Configuration in the global address pool:

<HUAWEI> system-view
[HUAWEI] ip pool pool1
[HUAWEI-ip-pool-pool1] undo network
[HUAWEI-ip-pool-pool1] network 10.1.1.0 mask 24  //Adjust the mask length.

  – Configuration in the interface address pool:

<HUAWEI> system-view
[HUAWEI] interface vlanif 100
[HUAWEI-Vlanif100] ip address 10.1.1.1 24  //Adjust the mask length.
[HUAWEI-Vlanif100] dhcp select interface  //Re-enable the interface address pool function.

- If the addresses have been assigned:

  On the device functioning as the DHCP server, perform the following operations in sequence to increase the address pool range: withdraw IP addresses (only in the global address pool), configure the function that prevents repetitive IP address allocation, and adjust the mask length of the address pool.

  – Configuration in the global address pool:

<HUAWEI> reset ip pool name pool1 all  //Withdraw all IP addresses.
<HUAWEI> system-view
[HUAWEI] dhcp server ping packet 3  //Enable the function of preventing repetitive IP address allocation.
[HUAWEI] dhcp server ping timeout 100  //Enable the function of preventing repetitive IP address allocation.
[HUAWEI] ip pool pool1
[HUAWEI-ip-pool-pool1] undo network
[HUAWEI-ip-pool-pool1] network 10.1.1.0 mask 24  //Adjust the mask length.


  – Configuration in the interface address pool:

<HUAWEI> system-view
[HUAWEI] dhcp server ping packet 3  //Enable the function of preventing repetitive IP address allocation.
[HUAWEI] dhcp server ping timeout 100  //Enable the function of preventing repetitive IP address allocation.
[HUAWEI] interface vlanif 100
[HUAWEI-Vlanif100] ip address 10.1.1.1 24  //Adjust the mask length.
[HUAWEI-Vlanif100] dhcp select interface  //Re-enable the interface address pool function.

11.8 Decreasing the Address Pool Range

You can increase the mask length of an address pool to decrease the address pool range. For example, a DHCP server assigns IP addresses from an address pool with a mask length of 24 to 254 users. Then 140 users are removed from the network. To save address resources, you can increase the mask length of the address pool to 25 so that the address pool range is decreased. Before decreasing the address pool range, check whether IP addresses have been assigned to clients. For details, see 11.5 Checking IP Addresses Used.

NOTE

After the mask length is increased from 24 to 25, 128 IP addresses can be saved.

- If the addresses have not been assigned:

  Increase the mask length of the address pool on the device functioning as the DHCP server to decrease the address pool range.

  – Configuration in the global address pool:

<HUAWEI> system-view
[HUAWEI] ip pool pool1
[HUAWEI-ip-pool-pool1] undo network
[HUAWEI-ip-pool-pool1] network 10.1.1.0 mask 25  //Adjust the mask length.

  – Configuration in the interface address pool:

<HUAWEI> system-view
[HUAWEI] interface vlanif 100
[HUAWEI-Vlanif100] ip address 10.1.1.1 25  //Adjust the mask length.
[HUAWEI-Vlanif100] dhcp select interface  //Re-enable the interface address pool function.

- If the addresses have been assigned:

  On the device functioning as the DHCP server, perform the following operations in sequence to decrease the address pool range: withdraw IP addresses (only in the global address pool), configure the function that prevents repetitive IP address allocation, and adjust the mask length of the address pool.

NOTE

After the address pool range is decreased, the clients whose IP addresses lie beyond the new range will re-apply for addresses when their leases expire.

  – Configuration in the global address pool:

<HUAWEI> reset ip pool name pool1 all  //Withdraw all IP addresses.
<HUAWEI> system-view
[HUAWEI] dhcp server ping packet 3  //Enable the function of preventing repetitive IP address allocation.
[HUAWEI] dhcp server ping timeout 100  //Enable the function of preventing repetitive IP address allocation.
[HUAWEI] ip pool pool1
[HUAWEI-ip-pool-pool1] undo network


[HUAWEI-ip-pool-pool1] network 10.1.1.0 mask 25  //Adjust the mask length.

  – Configuration in the interface address pool:

<HUAWEI> system-view
[HUAWEI] dhcp server ping packet 3  //Enable the function of preventing repetitive IP address allocation.
[HUAWEI] dhcp server ping timeout 100  //Enable the function of preventing repetitive IP address allocation.
[HUAWEI] interface vlanif 100
[HUAWEI-Vlanif100] ip address 10.1.1.1 25  //Adjust the mask length.
[HUAWEI-Vlanif100] dhcp select interface  //Re-enable the interface address pool function.
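The pool-sizing decisions in 11.1 (excluded ranges, two pools sharing one segment), the static binds of 11.3 and the mask changes of 11.7 and 11.8 can be rehearsed before the switch is touched. The following Python is an added example, not part of this guide or Huawei's software: it models a global address pool with the standard ipaddress module, parses a constructed "display ip pool ... used" network section laid out like the 11.5 output, and reports what a prefix-length change does to the assignable range and to addresses already in use.

```python
"""Pool sizing and mask-change impact for the DHCP server examples in 11.1, 11.5, 11.7 and 11.8.

Added example, not Huawei code. The 'display ip pool ... used' text below is
constructed to follow the layout of the 11.5 output.
"""
from __future__ import annotations

import ipaddress
import re
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

IPv4 = ipaddress.IPv4Address


@dataclass
class Pool:
    network: str                                   # "10.1.1.0"
    mask: int                                      # prefix length, 24 or 25 in the guide
    gateway: str
    excluded: List[Tuple[str, str]] = field(default_factory=list)   # inclusive ranges
    static_binds: Dict[str, str] = field(default_factory=dict)      # ip -> mac

    def hosts(self) -> Set[IPv4]:
        """All host addresses covered by network/mask (network and broadcast excluded)."""
        return set(ipaddress.ip_network(f"{self.network}/{self.mask}", strict=False).hosts())

    def dynamically_assignable(self) -> Set[IPv4]:
        """Addresses the server may hand to any client: hosts minus the gateway,
        the excluded-ip-address ranges (11.1) and the static-bind addresses (11.3)."""
        pool = self.hosts()
        pool.discard(ipaddress.ip_address(self.gateway))
        for start, end in self.excluded:
            lo, hi = ipaddress.ip_address(start), ipaddress.ip_address(end)
            pool = {a for a in pool if not lo <= a <= hi}
        return pool - {ipaddress.ip_address(ip) for ip in self.static_binds}


def pools_disjoint(a: Pool, b: Pool) -> bool:
    """Two pools on one segment (department A / B in 11.1) must never hand out the same address."""
    return not (a.dynamically_assignable() & b.dynamically_assignable())


# One row of the 'Network section' table: Index, IP, MAC, Lease, Status.
USED_ROW = re.compile(
    r"^\s*(?P<index>\d+)\s+(?P<ip>\d+(?:\.\d+){3})\s+"
    r"(?P<mac>[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4})\s+(?P<lease>\d+)\s+(?P<status>\S+)"
)


def parse_used(output: str) -> List[Dict[str, str]]:
    """Extract the in-use rows from 'display ip pool { interface ... | name ... } used'."""
    return [m.groupdict() for m in map(USED_ROW.match, output.splitlines()) if m]


def mask_change_impact(pool: Pool, new_mask: int,
                       used_rows: List[Dict[str, str]]) -> Dict[str, object]:
    """What 'undo network' followed by 'network ... mask <new_mask>' (11.7 / 11.8) changes.

    'orphaned' lists in-use addresses that fall outside the new range; those clients
    re-apply for addresses when their leases expire (NOTE in 11.8).
    """
    new_pool = Pool(pool.network, new_mask, pool.gateway, pool.excluded, pool.static_binds)
    old_count = len(pool.dynamically_assignable())
    new_count = len(new_pool.dynamically_assignable())
    new_hosts = new_pool.hosts()
    orphaned = [r["ip"] for r in used_rows if ipaddress.ip_address(r["ip"]) not in new_hosts]
    return {"old_count": old_count, "new_count": new_count,
            "delta": new_count - old_count, "orphaned": orphaned}


# Constructed sample, laid out like the 'Network section' of the 11.5 output.
SAMPLE_USED = """\
  Network section :
  -----------------------------------------------------------------------------
  Index   IP              MAC              Lease   Status
  -----------------------------------------------------------------------------
  253     10.1.1.254      0235-2036-adcc   178     Used
  4       10.1.1.5        00e0-0987-7895   60      Static-bind
  -----------------------------------------------------------------------------
"""

if __name__ == "__main__":
    # 11.1: /24 pool, gateway 10.1.1.1, 10.1.1.100-10.1.1.200 not dynamically assigned.
    pool1 = Pool("10.1.1.0", 24, "10.1.1.1", [("10.1.1.100", "10.1.1.200")])
    print("assignable in pool1:", len(pool1.dynamically_assignable()))
    # 11.1, second scenario: the department A and B pools must not overlap.
    dept_a = Pool("10.1.1.0", 24, "10.1.1.1", [("10.1.1.101", "10.1.1.254")])
    dept_b = Pool("10.1.1.0", 24, "10.1.1.1", [("10.1.1.1", "10.1.1.100")])
    print("department pools disjoint:", pools_disjoint(dept_a, dept_b))
    # 11.8: shrinking the /24 to a /25 while 10.1.1.254 is still leased.
    print(mask_change_impact(Pool("10.1.1.0", 24, "10.1.1.1"), 25, parse_used(SAMPLE_USED)))
```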

11.9 Preventing a Device from Obtaining an IP Address from a Pseudo DHCP Server

On the Layer 2 access device or the first DHCP relay device, configure DHCP snooping to prevent DHCP clients from obtaining an IP address from a pseudo DHCP server.

NOTE

- For a Layer 2 access device, steps 1-3 are mandatory. Configure this function in sequence.
- For a DHCP relay device, only steps 1 and 2 are mandatory.

1. Enable DHCP snooping globally.

<HUAWEI> system-view
[HUAWEI] dhcp enable
[HUAWEI] dhcp snooping enable

2. Enable DHCP snooping on the interface connected to the DHCP client (configure all interfaces connected to DHCP clients; GE1/0/1 is used as an example).

[HUAWEI] interface gigabitethernet 1/0/1
[HUAWEI-GigabitEthernet1/0/1] dhcp snooping enable
[HUAWEI-GigabitEthernet1/0/1] quit

3. Configure the interface connected to the DHCP server as a trusted interface.

[HUAWEI] interface gigabitethernet 1/0/2
[HUAWEI-GigabitEthernet1/0/2] dhcp snooping trusted
[HUAWEI-GigabitEthernet1/0/2] quit

11.10 Disabling the DHCP Service

Disable the DHCP service on the device functioning as a DHCP server or DHCP relay, or configured with DHCP snooping. By default, the DHCP service is disabled.

<HUAWEI> system-view
[HUAWEI] undo dhcp enable


12 Common ARP Operations

About This Chapter

This chapter describes common ARP operations.

12.1 Checking ARP entries

12.2 Updating ARP Entries

12.3 Setting the Aging Time of ARP Entries

12.4 Configuring Static ARP Entries

12.5 Configuring ARP Proxy

12.6 Shielding ARP Miss Alarms Based on Source IP Addresses

12.7 Configuring Dynamic ARP Detection

12.8 Configuring ARP Gateway Anti-Collision


12.1 Checking ARP entries

In routine maintenance, you can run the display arp command in any view to check ARP entry information on the device.

By checking ARP entries on a gateway device, the network administrator can view information about the connected users, including IP addresses, MAC addresses, and interfaces. For example, the network administrator can check ARP entry information to look up the MAC address that corresponds to a user's IP address.

When the gateway has not learned the IP address of a connected user, the network administrator can ping the broadcast address of the network segment from the gateway. For example, if the gateway IP address is 10.10.10.1/24, the network administrator runs the ping 10.10.10.255 command on the gateway. The users on the same network segment then send ARP Reply packets. After receiving an ARP Reply packet, the gateway learns the user's IP address.

# Check ARP entries on the network segment 172.16.0.0/16.

<HUAWEI> display arp network 172.16.0.0 16
IP ADDRESS      MAC ADDRESS     EXPIRE(M) TYPE        INTERFACE   VPN-INSTANCE
                                                                  VLAN/CEVLAN
------------------------------------------------------------------------------
172.16.10.3     0025-9efb-be55            S--         GE1/0/6
                                                                  100/-
172.16.20.3     0200-0000-00e8            S--         GE1/0/19
172.16.10.1     0025-9ef4-abcd            I -         Vlanif100
172.16.10.2     0025-9efb-be55  20        D-0         GE1/0/6
                                                                  100/-
172.16.20.1     0025-9ef4-abcd            I -         GE1/0/19
172.16.20.2     0200-0000-00e8  18        D-0         GE1/0/19
------------------------------------------------------------------------------
Total:6         Dynamic:2       Static:2    Interface:2

In the command output, the ARP entry in each row is described as follows:

- The IP address is 172.16.10.3, the MAC address is 0025-9efb-be55, and the type is S (indicating a static ARP entry). For this static ARP entry, the outbound interface is GE1/0/6 and the VLAN ID is 100.
- The IP address is 172.16.20.3, the MAC address is 0200-0000-00e8, and the type is S (indicating a static ARP entry). For this static ARP entry, the outbound interface is GE1/0/19.
- The IP address is 172.16.10.1, the MAC address is 0025-9ef4-abcd, and the type is I (indicating an interface ARP entry). This ARP entry indicates that 172.16.10.1 is the IP address of the interface VLANIF 100.
- The IP address is 172.16.10.2, the MAC address is 0025-9efb-be55, and the type is D (indicating a dynamic ARP entry). This dynamic ARP entry was learned from the interface GE1/0/6, the VLAN ID is 100, and the remaining lifetime is 20 minutes.


- The IP address is 172.16.20.1, the MAC address is 0025-9ef4-abcd, and the type is I (indicating an interface ARP entry). This ARP entry indicates that 172.16.20.1 is the IP address of the interface GE1/0/19.
- The IP address is 172.16.20.2, the MAC address is 0200-0000-00e8, and the type is D (indicating a dynamic ARP entry). This dynamic ARP entry was learned from the interface GE1/0/19, and the remaining lifetime is 18 minutes.

NOTE

If the value of MAC ADDRESS is Incomplete, the current ARP entry is a temporary one. When IP packets trigger ARP Miss messages, the device generates temporary ARP entries and sends ARP Request packets to the destination network segment.

- While a temporary ARP entry has not aged out:
  - Before receiving an ARP Reply packet, the device discards the IP packets matching the temporary ARP entry, and no ARP Miss message is triggered.
  - After receiving the ARP Reply packet, the device generates a correct ARP entry to replace the temporary entry.
- After the temporary ARP entry ages out, the device deletes this entry.
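The display arp table is also the raw material for a routine check: parse two snapshots taken on the same gateway, flag IP addresses whose MAC has changed, list one MAC answering for several IPs, and pick out the Incomplete entries the NOTE describes. The following Python is an added example, not part of this guide or Huawei's software; the first snapshot is constructed from the 12.1 output, and the second snapshot, its MAC 0200-0000-00ff and the host 172.16.20.9 are assumed for illustration.

```python
"""Parse 'display arp' output and compare two snapshots of one gateway.

Added example, not Huawei code. BEFORE is constructed to match the 12.1 output;
AFTER, the MAC 0200-0000-00ff and the host 172.16.20.9 are assumed.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

IP_RE = r"\d{1,3}(?:\.\d{1,3}){3}"
MAC_RE = r"[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}|Incomplete"
# One entry row: IP, MAC, optional EXPIRE(M), TYPE ("S--", "D-0", "I -"), INTERFACE.
ROW = re.compile(
    rf"^\s*(?P<ip>{IP_RE})\s+(?P<mac>{MAC_RE})\s+(?:(?P<expire>\d+)\s+)?"
    r"(?P<kind>[SDI])[ -]*(?P<flag>\d)?\s+(?P<iface>\S+)"
)
# Wrapped VLAN/CEVLAN column printed on its own line, e.g. "100/-".
VLAN_ROW = re.compile(r"^\s*(?P<vlan>\d+|-)/(?P<cevlan>\d+|-)\s*$")


@dataclass
class ArpEntry:
    ip: str
    mac: str                    # "Incomplete" marks a temporary entry (NOTE in 12.1)
    expire_min: Optional[int]   # remaining lifetime; None for static and interface entries
    kind: str                   # S = static, D = dynamic, I = interface
    iface: str
    vlan: Optional[str] = None


def parse_display_arp(output: str) -> List[ArpEntry]:
    """Turn the text table into ArpEntry objects, attaching wrapped VLAN columns."""
    entries: List[ArpEntry] = []
    for line in output.splitlines():
        m = ROW.match(line)
        if m:
            expire = m.group("expire")
            entries.append(ArpEntry(m.group("ip"), m.group("mac"),
                                    int(expire) if expire else None,
                                    m.group("kind"), m.group("iface")))
            continue
        v = VLAN_ROW.match(line)
        if v and entries and v.group("vlan") != "-":
            entries[-1].vlan = v.group("vlan")
    return entries


def arp_anomalies(before: List[ArpEntry], after: List[ArpEntry]) -> Dict[str, object]:
    """Differences a network administrator would want to see between two snapshots.

    mac_changed: an IP now resolves to another MAC (duplicate IP, ARP spoofing or a
                 legitimate NIC swap; the table alone cannot tell, so a person checks).
    shared_mac:  one MAC answering for several IPs; interface (I) entries are skipped
                 because they carry the switch's own MAC. Often benign (an NLB cluster
                 as in 12.4), but worth a look.
    incomplete:  temporary entries left by ARP Miss, i.e. requests without a reply.
    """
    old = {e.ip: e.mac for e in before if e.mac != "Incomplete"}
    changed: List[Tuple[str, str, str]] = []
    by_mac: Dict[str, List[str]] = {}
    incomplete: List[str] = []
    for e in after:
        if e.mac == "Incomplete":
            incomplete.append(e.ip)
            continue
        if e.ip in old and old[e.ip] != e.mac:
            changed.append((e.ip, old[e.ip], e.mac))
        if e.kind != "I":
            by_mac.setdefault(e.mac, []).append(e.ip)
    shared = {mac: ips for mac, ips in by_mac.items() if len(ips) > 1}
    return {"mac_changed": changed, "shared_mac": shared, "incomplete": incomplete}


# Constructed snapshot, laid out like the 12.1 command output.
BEFORE = """\
IP ADDRESS      MAC ADDRESS     EXPIRE(M) TYPE        INTERFACE   VPN-INSTANCE
                                                                  VLAN/CEVLAN
------------------------------------------------------------------------------
172.16.10.3     0025-9efb-be55            S--         GE1/0/6
                                                                  100/-
172.16.20.3     0200-0000-00e8            S--         GE1/0/19
172.16.10.1     0025-9ef4-abcd            I -         Vlanif100
172.16.10.2     0025-9efb-be55  20        D-0         GE1/0/6
                                                                  100/-
172.16.20.1     0025-9ef4-abcd            I -         GE1/0/19
172.16.20.2     0200-0000-00e8  18        D-0         GE1/0/19
------------------------------------------------------------------------------
Total:6         Dynamic:2       Static:2    Interface:2
"""
# Assumed later snapshot: 172.16.20.2 now answers from another MAC, and a host that
# never replied has left a temporary (Incomplete) entry.
AFTER = BEFORE.replace(
    "172.16.20.2     0200-0000-00e8  18        D-0         GE1/0/19",
    "172.16.20.2     0200-0000-00ff  17        D-0         GE1/0/19\n"
    "172.16.20.9     Incomplete      1         D-0         GE1/0/19",
)

if __name__ == "__main__":
    print(arp_anomalies(parse_display_arp(BEFORE), parse_display_arp(AFTER)))
```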

12.2 Updating ARP Entries

To update ARP entries, clear the ARP entries on the device so that the device relearns them.

NOTICE

After ARP entries are cleared, the mappings between IP addresses and MAC addresses are deleted. As a result, users may be unable to access the affected nodes until the entries are relearned. Exercise caution when you clear ARP entries.

# Clear all ARP entries on the device.

<HUAWEI> reset arp all

# Clear the dynamic ARP entries with the IP address 172.16.10.1 on the device.

<HUAWEI> reset arp dynamic ip 172.16.10.1  //If the IP address is not specified, all dynamic ARP entries are deleted from the device.

# Clear all static ARP entries on the device.

<HUAWEI> reset arp static
Warning: This operation will reset all static ARP entries, and clear the configurations of all static ARP, continue?[Y/N]:y

# Clear the static ARP entry with the IP address 172.16.20.1, MAC address 0023-0045-0067, and outbound interface GE1/0/1 on the device.

<HUAWEI> system-view
[HUAWEI] undo arp static 172.16.20.1 0023-0045-0067 interface gigabitethernet1/0/1

# Clear the ARP entries learned from VLANIF 100 with the IP address 172.16.20.1 on the device.

<HUAWEI> reset arp interface vlanif 100 ip 172.16.20.1  //If the IP address is not specified, all ARP entries learned by VLANIF 100 are deleted from the device.


12.3 Setting the Aging Time of ARP Entries

The ARP aging time takes effect only for dynamic ARP entries. The default ARP aging time is 20 minutes. You can run the arp expire-time expire-time command in the system view or the interface view to configure the aging time of dynamic ARP entries. The value of expire-time ranges from 60 to 62640 seconds on chassis switches and from 30 to 62640 seconds on box switches.

If you run the command only in the system view, the aging time takes effect for the dynamic ARP entries learned by all interfaces on the device. If you run the command both in the view of an interface and in the system view, the aging time configured in the interface view takes effect for the dynamic ARP entries learned by that interface.

# Set the aging time of dynamic ARP entries to 1800s.

<HUAWEI> system-view
[HUAWEI] vlan batch 100
[HUAWEI] interface vlanif 100
[HUAWEI-Vlanif100] arp expire-time 1800

# After the configuration is complete, you can run the display current-configuration | include arp command in any view to check the configured aging time of dynamic ARP entries.

<HUAWEI> display current-configuration | include arp
arp expire-time 1800

12.4 Configuring Static ARP Entries

Static ARP entries do not age and cannot be overridden by dynamic ARP entries. You can manually configure a static ARP entry, or use automatic scanning and fixed ARP to batch configure static ARP entries.

Manually Configuring a Static ARP Entry

NOTE

If the outbound interface is an Ethernet interface in Layer 2 mode, you are advised to configure a long static ARP entry: specify both the VLAN and the outbound interface when configuring the entry.

# Configure a static ARP entry with the IP address 172.16.10.2, MAC address 0023-0045-0067, and outbound interface GE1/0/1 in Layer 2 mode. This static ARP entry belongs to VLAN 100.

<HUAWEI> system-view
[HUAWEI] vlan batch 100
[HUAWEI] interface vlanif 100
[HUAWEI-Vlanif100] ip address 172.16.10.1 24  //The IP address of the VLANIF interface must be in the same network segment as the IP address (172.16.10.2) in the static ARP entry.
[HUAWEI-Vlanif100] quit
[HUAWEI] interface gigabitethernet 1/0/1
[HUAWEI-GigabitEthernet1/0/1] port link-type trunk
[HUAWEI-GigabitEthernet1/0/1] port trunk allow-pass vlan 100  //The interface GigabitEthernet1/0/1 is in Layer 2 mode and needs to be added to VLAN 100.
[HUAWEI-GigabitEthernet1/0/1] quit
[HUAWEI] arp static 172.16.10.2 0023-0045-0067 vid 100 interface gigabitethernet1/0/1

# Configure a static ARP entry with the IP address 172.16.20.2, MAC address 0023-0045-0068, and outbound interface GE1/0/2 in Layer 3 mode.


<HUAWEI> system-view
[HUAWEI] interface gigabitethernet 1/0/2
[HUAWEI-GigabitEthernet1/0/2] undo portswitch
[HUAWEI-GigabitEthernet1/0/2] ip address 172.16.20.1 24  //The IP address of GigabitEthernet1/0/2 must be in the same network segment as the IP address (172.16.20.2) in the static ARP entry.
[HUAWEI-GigabitEthernet1/0/2] quit
[HUAWEI] arp static 172.16.20.2 0023-0045-0068 interface gigabitethernet 1/0/2

# Configure a static ARP entry with the IP address 172.16.30.2 and MAC address 0023-0045-0069. This static ARP entry belongs to the VPN instance vpn1.

<HUAWEI> system-view
[HUAWEI] ip vpn-instance vpn1
[HUAWEI-vpn-instance-vpn1] ipv4-family
[HUAWEI-vpn-instance-vpn1-af-ipv4] quit
[HUAWEI-vpn-instance-vpn1] quit
[HUAWEI] arp static 172.16.30.2 0023-0045-0069 vpn-instance vpn1

# Configure a short static ARP entry with the IP address 172.16.40.2 and MAC address 02bf-0045-0070. (For example, you can configure such a short static ARP entry when the device is connected to an NLB server cluster in multi-port ARP mode.)

<HUAWEI> system-view
[HUAWEI] arp static 172.16.40.2 02bf-0045-0070

Using Automatic Scanning and Fixed ARP to Batch Configure Static ARP Entries

# The IP address of VLANIF 103 is 172.16.50.1/24. Perform automatic scanning on the ARP entries with the IP addresses 172.16.50.2 to 172.16.50.4, and convert the learned ARP entries into static ARP entries.

<HUAWEI> system-view
[HUAWEI] vlan batch 103
[HUAWEI] interface vlanif 103
[HUAWEI-Vlanif103] ip address 172.16.50.1 24
[HUAWEI-Vlanif103] quit
[HUAWEI] interface gigabitethernet 1/0/3
[HUAWEI-GigabitEthernet1/0/3] port link-type trunk
[HUAWEI-GigabitEthernet1/0/3] port trunk allow-pass vlan 103
[HUAWEI-GigabitEthernet1/0/3] quit
[HUAWEI] display arp network 172.16.50.0 24
IP ADDRESS      MAC ADDRESS     EXPIRE(M) TYPE        INTERFACE   VPN-INSTANCE
                                                                  VLAN/CEVLAN
------------------------------------------------------------------------------
172.16.50.1     00e0-0987-7895            I -         Vlanif103
------------------------------------------------------------------------------
Total:1         Dynamic:0       Static:0    Interface:1
[HUAWEI] interface vlanif 103
[HUAWEI-Vlanif103] arp scan 172.16.50.2 to 172.16.50.4  //Automatic scanning is performed on VLANIF 103. The IP addresses 172.16.50.2 to 172.16.50.4 are in the same network segment as the IP address 172.16.50.1 of VLANIF 103. That is, the start and end IP addresses of the automatically scanned range must be in the same network segment as the IP address (primary or secondary) of the VLANIF interface.
Warning: This operation may take a long time, press CTRL+C to break. Continue?[Y/N]:y
Processing...
Info: ARP scanning is completed.
[HUAWEI-Vlanif103] display arp network 172.16.50.0 24  //After automatic scanning,


check the ARP entries. The device has newly learned three dynamic ARP entries.
IP ADDRESS      MAC ADDRESS     EXPIRE(M) TYPE        INTERFACE   VPN-INSTANCE
                                                                  VLAN/CEVLAN
------------------------------------------------------------------------------
172.16.50.1     00e0-0987-7895            I -         Vlanif103
172.16.50.2     0200-0000-0212  20        D-0         GE1/0/3
                                                                  103/-
172.16.50.3     0200-0000-0212  20        D-0         GE1/0/3
                                                                  103/-
172.16.50.4     0200-0000-0212  20        D-0         GE1/0/3
                                                                  103/-
------------------------------------------------------------------------------
Total:4         Dynamic:3       Static:0    Interface:1
[HUAWEI-Vlanif103] arp fixup  //Configure fixed ARP entries on VLANIF 103 by converting the learned dynamic ARP entries into static ARP entries.
Warning: This operation may generate configuration of static ARP, and take a long time, press CTRL+C to break. Continue?[Y/N]:y
Processing...
Info: ARP fixup is completed.
[HUAWEI-Vlanif103] display arp network 172.16.50.0 24  //Check the fixed ARP entries. The three dynamic ARP entries newly learned by the device have been converted into static ARP entries.
IP ADDRESS      MAC ADDRESS     EXPIRE(M) TYPE        INTERFACE   VPN-INSTANCE
                                                                  VLAN/CEVLAN
------------------------------------------------------------------------------
172.16.50.2     0200-0000-0212            S--         GE1/0/3
                                                                  103/-
172.16.50.3     0200-0000-0212            S--         GE1/0/3
                                                                  103/-
172.16.50.4     0200-0000-0212            S--         GE1/0/3
                                                                  103/-
172.16.50.1     00e0-0987-7895            I -         Vlanif103
------------------------------------------------------------------------------
Total:4         Dynamic:0       Static:3    Interface:1


12.5 Configuring ARP Proxy

Proxy ARP Classification

Proxy ARP is classified into the following types: routed proxy ARP, intra-VLAN proxy ARP, and inter-VLAN proxy ARP. Table 12-1 describes the usage scenarios.

Table 12-1 Proxy ARP types

Proxy ARP Type         Scenario
---------------------  ------------------------------------------------------------------
Routed proxy ARP       Hosts that need to communicate and are not configured with default gateways belong to the same network segment but different physical networks (different broadcast domains).
Intra-VLAN proxy ARP   Hosts that need to communicate belong to the same network segment and VLAN, but port isolation is configured in the VLAN.
Inter-VLAN proxy ARP   Hosts that need to communicate belong to the same network segment but different VLANs.

Routed Proxy ARP

# Configure the IP address 172.16.1.1/24 on VLANIF 100 and enable routed proxy ARP.

<HUAWEI> system-view
[HUAWEI] vlan batch 100
[HUAWEI] interface vlanif 100
[HUAWEI-Vlanif100] ip address 172.16.1.1 24
[HUAWEI-Vlanif100] arp-proxy enable

Intra-VLAN Proxy ARP

# Configure the IP address 172.16.1.1/24 on VLANIF 100 and enable intra-VLAN proxy ARP.

<HUAWEI> system-view
[HUAWEI] vlan batch 100
[HUAWEI] interface vlanif 100
[HUAWEI-Vlanif100] ip address 172.16.1.1 24
[HUAWEI-Vlanif100] arp-proxy inner-sub-vlan-proxy enable

Inter-VLAN Proxy ARP

# Configure the IP address 172.16.1.1/24 on VLANIF 100 and enable inter-VLAN proxy ARP.

<HUAWEI> system-view
[HUAWEI] vlan batch 100
[HUAWEI] interface vlanif 100
[HUAWEI-Vlanif100] ip address 172.16.1.1 24
[HUAWEI-Vlanif100] arp-proxy inter-sub-vlan-proxy enable


12.6 Shielding ARP Miss Alarms Based on Source IP Addresses

When a source IP address triggers an ARP Miss alarm, you can cancel the rate limit on ARP Miss messages for this IP address to shield the ARP Miss alarm.

# Cancel the rate limit on ARP Miss messages for the IP address 10.0.0.1. (The S2750, S5710-C-LI, S5710-X-LI, S5700LI, and S5700S-LI do not support this command.)

<HUAWEI> system-view
[HUAWEI] arp-miss speed-limit source-ip 10.0.0.1 maximum 0

# Cancel the rate limit on ARP Miss messages for all source IP addresses. (The S2750, S5710-C-LI, S5710-X-LI, S5700LI, and S5700S-LI do not support this command.)

<HUAWEI> system-view
[HUAWEI] arp-miss speed-limit source-ip maximum 0

12.7 Configuring Dynamic ARP Detection

Dynamic ARP inspection (DAI) is used to prevent man-in-the-middle (MITM) attacks. If DAI is not configured, the ARP entries of authorized users on the device may be overwritten by forged ARP packets sent by attackers.

DAI checks ARP packets against binding tables (dynamic and static DHCP binding tables).

When receiving an ARP packet, the device compares the source IP address, source MAC address, interface, and VLAN in the ARP packet with the information in the binding table. You can configure which parameters are compared, for example, only the source IP address and VLAN.

- If the parameters match the table information, the user is authorized and the device allows the ARP packet to pass through.
- If the parameters do not match the table information, the device considers the packet an attack packet and discards it.

# Configure DHCP snooping on the device and enable DAI on the interface connecting the device to the user side.

<HUAWEI> system-view
[HUAWEI] dhcp enable
[HUAWEI] dhcp snooping enable ipv4
[HUAWEI] interface gigabitethernet 1/0/1
[HUAWEI-GigabitEthernet1/0/1] dhcp snooping enable  //Enable DHCP snooping on the interface connecting the device to the user side.
[HUAWEI-GigabitEthernet1/0/1] quit
[HUAWEI] interface gigabitethernet 1/0/2
[HUAWEI-GigabitEthernet1/0/2] dhcp snooping trusted  //Configure the interface connecting the device to the DHCP server as a trusted interface. If DHCP snooping is deployed on the DHCP relay device, the trusted interface configuration is optional.
[HUAWEI-GigabitEthernet1/0/2] quit
[HUAWEI] user-bind static ip-address 10.10.10.1 vlan 100  //Configure the static binding table on the device for users configured with static IP addresses.
[HUAWEI] interface gigabitethernet 1/0/1
[HUAWEI-GigabitEthernet1/0/1] arp anti-attack check user-bind enable  //Enable DAI on the interface connecting the device to the user side.
[HUAWEI-GigabitEthernet1/0/1] quit

S1720&S2700&S3700&S5700&S6700&S7700&S9700

Series Switches

Common Operation Guide 12 Common ARP Operations

Issue 05 (2015-10-23) Huawei Proprietary and Confidential

Copyright © Huawei Technologies Co., Ltd.

62

Page 73: Series Switches Huawei s5700

8/17/2019 Series Switches Huawei s5700

http://slidepdf.com/reader/full/series-switches-huawei-s5700 73/111

# Configure DHCP snooping on the device and enable DAI in the user-side VLAN.

<HUAWEI> system-view[HUAWEI] dhcp enable[HUAWEI] dhcp snooping enable ipv4[HUAWEI] vlan 100

[HUAWEI-vlan100] dhcp snooping enable //Enable DHCP snooping in the VLAN that theuser device belongs to.[HUAWEI-vlan100] quit[HUAWEI] vlan 200[HUAWEI-vlan200] dhcp snooping enable[HUAWEI-vlan200] dhcp snooping trusted interface gigabitethernet 1/0/2 //Configure the interface connecting the device to the DHCP server as a trusted

interface. If DHCP snooping is deployed on the DHCP relay device, the trusted

interface configuration is optional.

[HUAWEI-vlan200] quit[HUAWEI] user-bind static ip-address 10.10.10.1 vlan 100 //Configure the staticbinding table on the device for the users configured with static IP addresses.

[HUAWEI] vlan 100[HUAWEI-vlan100] arp anti-attack check user-bind enable //Enable DAI in the user-side VLAN.

[HUAWEI-vlan100] quit
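As an added illustration (not Huawei code) of the comparison DAI performs, the following Python models a binding table holding one DHCP snooping entry and the static entry from the user-bind command above, then runs constructed ARP packets through the check with the full field set and with an IP-plus-VLAN-only field set; the MAC addresses, the second host address and the interface names are assumptions.

```python
from dataclasses import dataclass
from typing import Optional, Sequence

# Added model of the DAI check; not Huawei code.


@dataclass(frozen=True)
class Binding:
    """One binding-table entry. A dynamic entry learned by DHCP snooping carries
    every field; a static entry created with 'user-bind static ip-address ... vlan ...'
    pins only the fields given, so the others are None, meaning 'any'."""
    ip: str
    vlan: int
    mac: Optional[str] = None
    interface: Optional[str] = None


@dataclass(frozen=True)
class ArpPacket:
    sender_ip: str
    sender_mac: str
    interface: str      # interface the packet arrived on
    vlan: int           # VLAN the packet arrived in


ALL_FIELDS = ("ip", "mac", "interface", "vlan")


def dai_check(pkt: ArpPacket, bindings: Sequence[Binding],
              check_fields: Sequence[str] = ALL_FIELDS) -> str:
    """Return 'forward' if some binding agrees with the packet on every checked
    field, otherwise 'discard'. check_fields models the configurable set of
    parameters to be compared (for example only ip and vlan)."""
    pkt_values = {"ip": pkt.sender_ip, "mac": pkt.sender_mac,
                  "interface": pkt.interface, "vlan": pkt.vlan}
    for b in bindings:
        bind_values = {"ip": b.ip, "mac": b.mac,
                       "interface": b.interface, "vlan": b.vlan}
        if all(bind_values[f] is None or bind_values[f] == pkt_values[f]
               for f in check_fields):
            return "forward"
    return "discard"


# Constructed binding table: one entry learned by DHCP snooping on GE1/0/1, plus
# the static entry from 'user-bind static ip-address 10.10.10.1 vlan 100'.
BINDINGS = [
    Binding(ip="10.10.10.2", vlan=100, mac="0000-0000-0002", interface="GE1/0/1"),
    Binding(ip="10.10.10.1", vlan=100),
]

# Constructed sample packets (assumed MAC values).
LEGIT = ArpPacket("10.10.10.2", "0000-0000-0002", "GE1/0/1", 100)
SPOOFED_MAC = ArpPacket("10.10.10.2", "0000-0000-00aa", "GE1/0/1", 100)  # IP claimed from another MAC
WRONG_PORT = ArpPacket("10.10.10.2", "0000-0000-0002", "GE1/0/3", 100)   # right binding, wrong interface
STATIC_HOST = ArpPacket("10.10.10.1", "0000-0000-0001", "GE1/0/1", 100)  # covered by the static entry
UNKNOWN = ArpPacket("10.10.10.9", "0000-0000-0009", "GE1/0/1", 100)      # no binding at all


def demo() -> dict:
    """Verdicts for the sample packets with the full check and with an ip+vlan-only check."""
    return {
        "legit": dai_check(LEGIT, BINDINGS),
        "spoofed_mac": dai_check(SPOOFED_MAC, BINDINGS),
        "wrong_port": dai_check(WRONG_PORT, BINDINGS),
        "wrong_port_ip_vlan_only": dai_check(WRONG_PORT, BINDINGS, ("ip", "vlan")),
        "static_host": dai_check(STATIC_HOST, BINDINGS),
        "unknown": dai_check(UNKNOWN, BINDINGS),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:26s} {verdict}")
```

The wrong_port case shows the trade-off in narrowing the compared parameters: with only ip and vlan checked, a packet from the right host on the wrong interface is forwarded.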

12.8 Configuring ARP Gateway Anti-Collision

If an attacker forges the gateway address by sending ARP packets whose source IP address is the IP address of the gateway on the LAN, the ARP entries on hosts in the LAN record the incorrect gateway address. As a result, all traffic from hosts to the gateway is sent to the attacker, who can intercept user information, and communication of users is interrupted.

To prevent bogus gateway attacks, enable ARP gateway anti-collision on the gateway. The gateway considers that a gateway collision occurs when a received ARP packet meets either of the following conditions:

- The source IP address in the ARP packet is the same as the IP address of the VLANIF interface matching the inbound interface of the packet.

- The source IP address in the ARP packet is the virtual IP address of the inbound interface but the source MAC address in the ARP packet is not the virtual MAC address of the Virtual Router Redundancy Protocol (VRRP) group.

The device generates an ARP anti-collision entry and discards the received ARP packets with the same source MAC address and VLAN ID within a specified period. This function prevents ARP packets carrying the bogus gateway address from being broadcast in a VLAN.

# Enable the ARP gateway anti-collision function on the gateway device. By default, the ARP gateway anti-collision function is disabled.

<HUAWEI> system-view
[HUAWEI] arp anti-attack gateway-duplicate enable
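An added Python model (not Huawei code) of the two collision conditions and the timed anti-collision entry described above. VLANIF 100 with address 172.16.1.1 is taken from the Proxy ARP examples earlier in this chapter; the VRRP group on VLAN 200, all MAC addresses and the 180-second hold period are assumptions.

```python
from dataclasses import dataclass
from typing import Dict, Tuple

# Added model of ARP gateway anti-collision; not Huawei code.


@dataclass(frozen=True)
class ArpPacket:
    sender_ip: str
    sender_mac: str
    vlan: int           # VLAN the packet arrived in (selects the matching VLANIF interface)


class GatewayAntiCollision:
    """Detects the two collision conditions and keeps a timed anti-collision
    entry per (source MAC, VLAN), as the guide describes."""

    def __init__(self, vlanif_ips: Dict[int, str],
                 vrrp_groups: Dict[int, Tuple[str, str]], hold_seconds: float):
        self.vlanif_ips = vlanif_ips        # vlan -> IP address of its VLANIF interface
        self.vrrp_groups = vrrp_groups      # vlan -> (virtual IP, virtual MAC) of the VRRP group
        self.hold_seconds = hold_seconds    # assumed length of the "specified period"
        self.entries: Dict[Tuple[str, int], float] = {}   # (sender MAC, vlan) -> expiry time

    def is_collision(self, pkt: ArpPacket) -> bool:
        # Condition 1: the sender IP equals the VLANIF interface address.
        if pkt.sender_ip == self.vlanif_ips.get(pkt.vlan):
            return True
        # Condition 2: the sender IP is the VRRP virtual IP but the MAC is not the virtual MAC.
        group = self.vrrp_groups.get(pkt.vlan)
        return group is not None and pkt.sender_ip == group[0] and pkt.sender_mac != group[1]

    def inspect(self, pkt: ArpPacket, now: float) -> str:
        """Return 'discard' or 'forward'. The clock value is passed in so the
        timed entry can be exercised deterministically."""
        key = (pkt.sender_mac, pkt.vlan)
        expiry = self.entries.get(key)
        if expiry is not None and now < expiry:
            return "discard"                  # anti-collision entry still active
        if self.is_collision(pkt):
            self.entries[key] = now + self.hold_seconds   # create the anti-collision entry
            return "discard"
        self.entries.pop(key, None)           # an expired entry is dropped
        return "forward"


def demo() -> dict:
    """Constructed traffic: VLANIF 100 uses 172.16.1.1; VLAN 200 carries an
    assumed VRRP group with virtual IP 172.16.2.254 and virtual MAC 0000-5e00-0101."""
    gw = GatewayAntiCollision(vlanif_ips={100: "172.16.1.1"},
                              vrrp_groups={200: ("172.16.2.254", "0000-5e00-0101")},
                              hold_seconds=180.0)
    host = ArpPacket("172.16.1.20", "00e0-fc01-0020", 100)
    bogus_gateway = ArpPacket("172.16.1.1", "00e0-fc01-aaaa", 100)     # claims the VLANIF address
    later_same_mac = ArpPacket("172.16.1.30", "00e0-fc01-aaaa", 100)   # same MAC, ordinary IP
    vrrp_master = ArpPacket("172.16.2.254", "0000-5e00-0101", 200)     # legitimate VRRP master
    vrrp_forged = ArpPacket("172.16.2.254", "00e0-fc01-bbbb", 200)     # virtual IP, wrong MAC
    return {
        "host": gw.inspect(host, now=0.0),
        "bogus_gateway": gw.inspect(bogus_gateway, now=1.0),
        "same_mac_within_period": gw.inspect(later_same_mac, now=60.0),
        "same_mac_after_period": gw.inspect(later_same_mac, now=200.0),
        "vrrp_master": gw.inspect(vrrp_master, now=0.0),
        "vrrp_forged": gw.inspect(vrrp_forged, now=0.0),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:24s} {verdict}")
```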


13 Common ACL Operations

About This Chapter

This chapter describes common ACL operations, including how to delete time ranges, how to delete ACLs and ACL6s, and how to configure time-based ACLs.

13.1 Deleting a Time Range
13.2 Deleting ACL and ACL6
13.3 Configuring a Time-Based ACL Rule
13.4 Configuring a Packet Filtering Rule Based on the Source IP Address (Host Address)
13.5 Configuring a Packet Filtering Rule Based on the Source IP Address Segment
13.6 Configuring a Packet Filtering Rule Based on the IP Fragment Information and Source IP Address Segment
13.7 Configuring a Packet Filtering Rule for ICMP Protocol Packets Based on Source IP Address (Host Address) and Destination IP Address Segment
13.8 Configuring a Packet Filtering Rule for TCP Protocol Packets Based on TCP Destination Port Number, Source IP Address (Host Address), and Destination IP Address Segment
13.9 Configuring a Packet Filtering Rule for TCP Packets Based on the Source IP Address Segment and TCP Flags
13.10 Configuring Packet Filtering Rules Based on the Source MAC Address, Destination MAC Address, and Layer 2 Protocol Types
13.11 Configuring a Packet Filtering Rule Based on the Source MAC Address Segment and Inner VLAN IDs
13.12 Configuring Packet Filtering Rules Based on Layer 2 Headers, Offsets, Character String Masks, and User-Defined Character Strings


13.1 Deleting a Time Range

Before deleting a time range, you must delete the ACL rules associated with the time range or delete the ACL to which the ACL rules belong.

For example, ACL 2001 contains rule 5 and is associated with time range time1.

#
time-range time1 from 00:00 2014/1/1 to 23:59 2014/12/31
#
acl number 2001
 rule 5 permit time-range time1
#

Before deleting time1, delete rule 5 or ACL 2001.

- Delete rule 5, and then time1.

<HUAWEI> system-view
[HUAWEI] acl 2001
[HUAWEI-acl-basic-2001] undo rule 5
[HUAWEI-acl-basic-2001] quit
[HUAWEI] undo time-range time1

- Delete ACL 2001, and then time1.

<HUAWEI> system-view
[HUAWEI] undo acl 2001
[HUAWEI] undo time-range time1

13.2 Deleting ACL and ACL6

You do not need to delete the service configurations before using these commands to delete an ACL or ACL6. These commands delete an ACL or ACL6 regardless of whether it is applied to a service module.

- To delete an ACL, run the undo acl { [ number ] acl-number | all } or undo acl name acl-name command in the system view.

- To delete an ACL6, run the undo acl ipv6 { all | [ number ] acl6-number } or undo acl ipv6 name acl6-name command in the system view.

13.3 Configuring a Time-Based ACL Rule

Create a time range working-time (for example, 8:00-18:00 on Monday through Friday) and configure a rule in ACL work-acl. The rule rejects the packets from network segment 192.168.1.0/24 within the set working-time.

<HUAWEI> system-view
[HUAWEI] time-range working-time 8:00 to 18:00 working-day
[HUAWEI] acl name work-acl basic
[HUAWEI-acl-basic-work-acl] rule deny source 192.168.1.0 0.0.0.255 time-range working-time

Related Information

Support Community

- Basic Knowledge About ACL

- ACL Matching

- ACL Application

13.4 Configuring a Packet Filtering Rule Based on the Source IP Address (Host Address)

To allow the packets from a host to pass, add a rule to an ACL. For example, to allow packets from host 192.168.1.3 to pass, create the following rule in ACL 2001.

<HUAWEI> system-view
[HUAWEI] acl 2001
[HUAWEI-acl-basic-2001] rule permit source 192.168.1.3 0


13.5 Configuring a Packet Filtering Rule Based on the Source IP Address Segment

To allow the packets from a host to pass and reject the packets from other hosts on the same network segment, configure rules in an ACL. For example, to allow the packets from host 192.168.1.3 to pass and reject the packets from other hosts on network segment 192.168.1.0/24, configure the following rules in ACL 2001 and set the description of ACL 2001 to Permit only 192.168.1.3 through.

<HUAWEI> system-view
[HUAWEI] acl 2001
[HUAWEI-acl-basic-2001] rule permit source 192.168.1.3 0
[HUAWEI-acl-basic-2001] rule deny source 192.168.1.0 0.0.0.255
[HUAWEI-acl-basic-2001] description Permit only 192.168.1.3 through


13.6 Configuring a Packet Filtering Rule Based on the IP Fragment Information and Source IP Address Segment

To reject the non-initial fragments from a network segment, configure a rule in an ACL. For example, to reject the non-initial fragments from network segment 192.168.1.0/24, configure the following rule in ACL 2001.

<HUAWEI> system-view
[HUAWEI] acl 2001
[HUAWEI-acl-basic-2001] rule deny source 192.168.1.0 0.0.0.255 fragment


13.7 Configuring a Packet Filtering Rule for ICMP Protocol Packets Based on Source IP Address (Host Address) and Destination IP Address Segment

To allow the ICMP packets from a host that are destined for a network segment to pass, configure a rule in an ACL. For example, to allow the ICMP packets from host 192.168.1.3 that are destined for network segment 192.168.2.0/24 to pass, configure the following rule in ACL 3001.

<HUAWEI> system-view
[HUAWEI] acl 3001
[HUAWEI-acl-adv-3001] rule permit icmp source 192.168.1.3 0 destination 192.168.2.0 0.0.0.255


13.8 Configuring a Packet Filtering Rule for TCP Protocol Packets Based on TCP Destination Port Number, Source IP Address (Host Address), and Destination IP Address Segment

- To prohibit Telnet connections between the specified host and the hosts on a network segment, configure a rule in an advanced ACL. For example, to prohibit Telnet connections between host 192.168.1.3 and hosts on network segment 192.168.2.0/24, configure the following rule in the advanced ACL deny-telnet.

<HUAWEI> system-view
[HUAWEI] acl name deny-telnet
[HUAWEI-acl-adv-deny-telnet] rule deny tcp destination-port eq telnet source 192.168.1.3 0 destination 192.168.2.0 0.0.0.255

- To prohibit the specified hosts from accessing web pages (HTTP is used to access web pages, and the TCP port number is 80), configure rules in an advanced ACL. For example, to prohibit hosts 192.168.1.3 and 192.168.1.4 from accessing web pages, configure the following rules in ACL no-web and set the description of the ACL to Web access restrictions.

<HUAWEI> system-view
[HUAWEI] acl name no-web
[HUAWEI-acl-adv-no-web] description Web access restrictions
[HUAWEI-acl-adv-no-web] rule deny tcp destination-port eq 80 source 192.168.1.3 0
[HUAWEI-acl-adv-no-web] rule deny tcp destination-port eq 80 source 192.168.1.4 0


13.9 Configuring a Packet Filtering Rule for TCP Packets Based on the Source IP Address Segment and TCP Flags

To implement unidirectional access control on a network segment, configure rules in an ACL. For example, to implement unidirectional access control on network segment 192.168.2.0/24, configure the following rules in ACL 3002. With these rules, the hosts on 192.168.2.0/24 can only respond to TCP handshake packets but cannot send TCP handshake packets. Set the descriptions of the ACL rules to Allow the ACK TCP packets through, Allow the RST TCP packets through, and Do not Allow the other TCP packet through.

To meet the preceding requirement, configure two permit rules to allow the packets with the ACK or RST flag set to 1 from 192.168.2.0/24 to pass, and then configure a deny rule to reject other TCP packets from this network segment.

<HUAWEI> system-view
[HUAWEI] acl 3002
[HUAWEI-acl-adv-3002] rule permit tcp source 192.168.2.0 0.0.0.255 tcp-flag ack
[HUAWEI-acl-adv-3002] display this  // If you do not specify an ID for a created rule, you can view the rule ID allocated by the system, and configure a description for the rule by specifying the rule ID.
#
acl number 3002
 rule 5 permit tcp source 192.168.2.0 0.0.0.255 tcp-flag ack  // The rule ID allocated by the system is 5.
#
return
[HUAWEI-acl-adv-3002] rule 5 description Allow the ACK TCP packets through
[HUAWEI-acl-adv-3002] rule permit tcp source 192.168.2.0 0.0.0.255 tcp-flag rst
[HUAWEI-acl-adv-3002] display this
#
acl number 3002
 rule 5 permit tcp source 192.168.2.0 0.0.0.255 tcp-flag ack syn
 rule 5 description Allow the ACK TCP packets through
 rule 10 deny tcp source 192.168.2.0 0.0.0.255 tcp-flag rst  // The rule ID allocated by the system is 10.
#
return
[HUAWEI-acl-adv-3002] rule 10 description Allow the RST TCP packets through
[HUAWEI-acl-adv-3002] rule deny tcp source 192.168.2.0 0.0.0.255
[HUAWEI-acl-adv-3002] display this
#
acl number 3002
 rule 5 permit tcp source 192.168.2.0 0.0.0.255 tcp-flag ack syn
 rule 5 description Allow the ACK TCP packets through
 rule 10 deny tcp source 192.168.2.0 0.0.0.255 tcp-flag rst
 rule 10 description Allow the RST TCP packets through
 rule 15 deny tcp source 192.168.2.0 0.0.0.255  // The rule ID allocated by the system is 15.
#
return
[HUAWEI-acl-adv-3002] rule 15 description Do not Allow the other TCP packet through
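An added Python model (not Huawei code) of first-match evaluation of ACL 3002 with its tcp-flag terms. It shows why a host on 192.168.2.0/24 can answer a handshake (its SYN+ACK carries the ACK flag) but cannot start one (a bare SYN matches neither permit rule and falls through to rule 15). The packets and their flag sets are constructed; the rule IDs are those the system allocated above.

```python
from dataclasses import dataclass
from typing import FrozenSet, List, Optional

# Added model of ACL 3002 evaluation; not Huawei code.


@dataclass(frozen=True)
class TcpPacket:
    src_ip: str
    flags: FrozenSet[str]           # constructed flag set, e.g. {"syn"} or {"syn", "ack"}


@dataclass(frozen=True)
class Rule:
    rule_id: int
    action: str                     # "permit" or "deny"
    source: str                     # source address, as in 'source 192.168.2.0 0.0.0.255'
    wildcard: str                   # wildcard mask: 1 bits are "don't care"
    tcp_flag: Optional[str] = None  # flag that must be set, as in 'tcp-flag ack'


def ip_to_int(ip: str) -> int:
    return int.from_bytes(bytes(map(int, ip.split("."))), "big")


def source_matches(rule: Rule, ip: str) -> bool:
    """Compare only the bits the wildcard marks as significant (0 bits)."""
    care = ~ip_to_int(rule.wildcard) & 0xFFFFFFFF
    return ip_to_int(ip) & care == ip_to_int(rule.source) & care


def evaluate(acl: List[Rule], pkt: TcpPacket) -> Optional[str]:
    """The first matching rule wins, in ascending rule-ID order (the order in
    which the rules above were allocated). None means no rule matched, so the
    ACL states no decision for the packet."""
    for rule in sorted(acl, key=lambda r: r.rule_id):
        if not source_matches(rule, pkt.src_ip):
            continue
        if rule.tcp_flag is not None and rule.tcp_flag not in pkt.flags:
            continue
        return rule.action
    return None


# The three rules of ACL 3002 as entered above, with the system-allocated IDs 5, 10 and 15.
ACL_3002 = [
    Rule(5, "permit", "192.168.2.0", "0.0.0.255", tcp_flag="ack"),
    Rule(10, "permit", "192.168.2.0", "0.0.0.255", tcp_flag="rst"),
    Rule(15, "deny", "192.168.2.0", "0.0.0.255"),
]


def demo() -> dict:
    """Verdicts for constructed packets from an inside host (192.168.2.10) and
    from a host outside the controlled segment (192.168.3.10)."""
    f = frozenset
    return {
        "inside_starts_handshake": evaluate(ACL_3002, TcpPacket("192.168.2.10", f({"syn"}))),
        "inside_answers_handshake": evaluate(ACL_3002, TcpPacket("192.168.2.10", f({"syn", "ack"}))),
        "inside_established_data": evaluate(ACL_3002, TcpPacket("192.168.2.10", f({"ack", "psh"}))),
        "inside_reset": evaluate(ACL_3002, TcpPacket("192.168.2.10", f({"rst"}))),
        "outside_starts_handshake": evaluate(ACL_3002, TcpPacket("192.168.3.10", f({"syn"}))),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:26s} {verdict}")
```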


13.10 Configuring Packet Filtering Rules Based on the Source MAC Address, Destination MAC Address, and Layer 2 Protocol Types

- To allow the ARP packets with the specified destination and source MAC addresses and Layer 2 protocol type to pass, configure a rule in a Layer 2 ACL. For example, to allow the ARP packets with destination MAC address 0000-0000-0001, source MAC address 0000-0000-0002, and Layer 2 protocol type 0x0806 to pass, configure the following rule in ACL 4001.

<HUAWEI> system-view
[HUAWEI] acl 4001
[HUAWEI-acl-L2-4001] rule permit destination-mac 0000-0000-0001 source-mac 0000-0000-0002 l2-protocol 0x0806

- To reject the PPPoE packets with the specified Layer 2 protocol type, configure a rule in a Layer 2 ACL. For example, to reject the PPPoE packets with Layer 2 protocol type 0x8863, configure the following rule in ACL 4001.

<HUAWEI> system-view
[HUAWEI] acl 4001
[HUAWEI-acl-L2-4001] rule deny l2-protocol 0x8863


13.11 Configuring a Packet Filtering Rule Based on the Source MAC Address Segment and Inner VLAN IDs

To reject the packets from the specified MAC address segment in a VLAN, configure a rule in a Layer 2 ACL. For example, to reject the packets from source MAC address segment 00e0-fc01-0000 to 00e0-fc01-ffff in VLAN 10, configure the following rule in Layer 2 ACL deny-vlan10-mac.

<HUAWEI> system-view
[HUAWEI] acl name deny-vlan10-mac link
[HUAWEI-acl-L2-deny-vlan10-mac] rule deny vlan-id 10 source-mac 00e0-fc01-0000 ffff-ffff-0000


13.12 Configuring Packet Filtering Rules Based on Layer 2 Headers, Offsets, Character String Masks, and User-Defined Character Strings

- To reject the ARP packets from the specified host, configure a rule in a user-defined ACL. For example, to reject the ARP packets from host 192.168.0.2, configure the following rule in ACL 5001.

In the following rule:

– 0x00000806 indicates the ARP protocol.

– 0x0000ffff is the character string mask.

– 10 indicates the offset of the protocol type field in the ARP packets (without VLAN ID).

– c0a80002 is the hexadecimal format of 192.168.0.2.

– 26 and 30 respectively indicate the offsets of the higher and lower two bytes of the source IP address in ARP packets (without VLAN ID). The source IP address in an ARP packet begins at the 28th byte of the Layer 2 header and occupies 4 bytes. The Layer 2 header offset defined in a user-defined ACL must be 4n+2 (n is an integer). Therefore, the source IP address is divided into two segments for matching: the lower two bytes of the four bytes behind offset 26 (4 x 6 + 2) and the higher two bytes of the four bytes behind offset 30 (4 x 7 + 2) are matched separately.

To filter ARP packets with VLAN IDs, add 4 to each of these offsets.

Figure 13-1 Source IP address field offset in Layer 2 header of an ARP packet

[Figure: layout of an ARP packet in 4-byte rows with byte offsets counted from the start of the Layer 2 header. Rows: Ethernet Address of destination (0-31); Ethernet Address of destination (32-47) and Ethernet Address of sender (0-15); Ethernet Address of sender (16-47); Frame Type and Hardware Type; Protocol Type, Hardware Length, Protocol Length; OP and Ethernet Address of sender (0-15); Ethernet Address of sender (16-47); IP Address of sender (starting at byte 28); Ethernet Address of destination (0-31); Ethernet Address of destination (32-47) and IP Address of destination (0-15); IP Address of destination (16-31). The 4n+2 matching windows at 4x0+2 = 2 bytes, 4x6+2 = 26 bytes and 4x7+2 = 30 bytes are marked, together with the 24-, 28-, 32- and 40-byte boundaries.]

<HUAWEI> system-view
[HUAWEI] acl 5001
[HUAWEI-acl-user-5001] rule deny l2-head 0x00000806 0x0000ffff 10 0x0000c0a8 0x0000ffff 26 0x00020000 0xffff0000 30

- To reject all TCP packets, configure a rule in user-defined ACL deny-tcp.

In the following rule:

– 0x00060000 indicates the TCP protocol.

– 8 indicates the offset of the protocol type field in the IP packets. (The protocol type field in an IP packet begins at the 10th byte of the IPv4 header and occupies one byte. The IPv4 header offset defined in a user-defined ACL must be 4n (n is an integer). Therefore, the second-highest byte among the four bytes behind offset 8 in the IPv4 header is matched, which is the byte that mask 0x00ff0000 selects.)

<HUAWEI> system-view
[HUAWEI] acl name deny-tcp user
[HUAWEI-acl-user-deny-tcp] rule 5 deny ipv4-head 0x00060000 0x00ff0000 8

Figure 13-2 TCP protocol field offset in IPv4 header

[Figure: layout of the IPv4 header in 4-byte rows (bit positions 0, 4, 8, 16, 19, 24, 31): Version, Header Length, ToS, Total length; identifier, Flags, Fragment offset; TTL, Protocol, Header checksum; Source IP address; Destination IP address; Options (variable length); Data. The Protocol field is the second byte of the row that starts at byte 8, between the 8-byte and 12-byte boundaries; the 4-, 8-, 10-, 12- and 20-byte boundaries are marked.]
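An added Python model (not Huawei code) of how the l2-head and ipv4-head terms of the two rules above are matched: each term reads the 4-byte word at its offset, masks it, and compares it with the value, and the 4n+2 / 4n alignment rule is enforced. The Ethernet/ARP frame and the IPv4 header are constructed inline; the model also covers the VLAN-tagged case by adding 4 to each offset, as the text instructs.

```python
import struct
from typing import List, Optional, Tuple

# Added model of user-defined ACL matching; not Huawei code.
Term = Tuple[int, int, int]   # (value, mask, offset) as written after l2-head / ipv4-head


def head_matches(data: bytes, terms: List[Term], alignment: int) -> bool:
    """Every term reads the 4-byte big-endian word at `offset`, ANDs it with
    `mask` and compares it with the masked `value`; all terms must match.
    The guide's alignment rule is enforced: l2-head offsets are 4n+2 and
    ipv4-head offsets are 4n."""
    for value, mask, offset in terms:
        if offset % 4 != alignment:
            raise ValueError(f"offset {offset} must be 4n+{alignment}")
        window = data[offset:offset + 4]
        if len(window) < 4:
            return False                     # packet too short to hold the field
        word = struct.unpack("!I", window)[0]
        if word & mask != value & mask:
            return False
    return True


def l2_head_matches(frame: bytes, terms: List[Term]) -> bool:
    return head_matches(frame, terms, alignment=2)


def ipv4_head_matches(ip_header: bytes, terms: List[Term]) -> bool:
    return head_matches(ip_header, terms, alignment=0)


def shift_offsets(terms: List[Term], delta: int) -> List[Term]:
    """The same terms with every offset moved by `delta` (add 4 for VLAN-tagged frames)."""
    return [(v, m, o + delta) for v, m, o in terms]


# The two rules of this section, as term lists.
ACL_5001_DENY_ARP_FROM_HOST = [(0x00000806, 0x0000ffff, 10),   # EtherType 0x0806 in bytes 12-13
                               (0x0000c0a8, 0x0000ffff, 26),   # sender IP bytes 28-29 = 192.168
                               (0x00020000, 0xffff0000, 30)]   # sender IP bytes 30-31 = 0.2
DENY_TCP = [(0x00060000, 0x00ff0000, 8)]                       # protocol byte 9 of the IPv4 header = 6


def mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace("-", ""))


def ip_bytes(ip: str) -> bytes:
    return bytes(map(int, ip.split(".")))


def build_arp_request(sender_ip: str, sender_mac: str, vlan_id: Optional[int] = None) -> bytes:
    """Constructed Ethernet/ARP request. A VLAN tag, when present, sits between
    the source MAC and the EtherType and shifts every ARP field by 4 bytes."""
    tag = struct.pack("!HH", 0x8100, vlan_id) if vlan_id is not None else b""
    eth = mac_bytes("ffff-ffff-ffff") + mac_bytes(sender_mac) + tag + struct.pack("!H", 0x0806)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, 1)      # hw type, proto type, lengths, op = request
    arp += mac_bytes(sender_mac) + ip_bytes(sender_ip)   # sender MAC (bytes 22-27), sender IP (28-31) untagged
    arp += mac_bytes("0000-0000-0000") + ip_bytes("192.168.0.1")   # target MAC and target IP (assumed)
    return eth + arp


def build_ipv4_header(protocol: int, src_ip: str, dst_ip: str) -> bytes:
    """Constructed 20-byte IPv4 header without options; Protocol is byte 9."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0x1234, 0x4000, 64, protocol, 0,
                       ip_bytes(src_ip), ip_bytes(dst_ip))


def demo() -> dict:
    arp_host = build_arp_request("192.168.0.2", "00e0-fc01-0002")
    arp_other = build_arp_request("192.168.0.3", "00e0-fc01-0003")
    arp_tagged = build_arp_request("192.168.0.2", "00e0-fc01-0002", vlan_id=10)
    return {
        "arp_from_host": l2_head_matches(arp_host, ACL_5001_DENY_ARP_FROM_HOST),
        "arp_from_other_host": l2_head_matches(arp_other, ACL_5001_DENY_ARP_FROM_HOST),
        "tagged_untagged_offsets": l2_head_matches(arp_tagged, ACL_5001_DENY_ARP_FROM_HOST),
        "tagged_shifted_offsets": l2_head_matches(arp_tagged, shift_offsets(ACL_5001_DENY_ARP_FROM_HOST, 4)),
        "tcp": ipv4_head_matches(build_ipv4_header(6, "10.0.0.1", "10.0.0.2"), DENY_TCP),
        "udp": ipv4_head_matches(build_ipv4_header(17, "10.0.0.1", "10.0.0.2"), DENY_TCP),
    }


if __name__ == "__main__":
    for name, matched in demo().items():
        print(f"{name:26s} {'match' if matched else 'no match'}")
```

The tagged_untagged_offsets case shows the failure mode the text warns about: a rule written for untagged frames silently stops matching once a VLAN tag shifts the fields.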


14 Common QoS Operations

About This Chapter

This chapter describes common QoS and MQC operations, including interface-based rate limiting.

14.1 Configuring Interface-based Rate Limiting on the S7700/S9700

14.2 Configuring Interface-based Rate Limiting on the S2700/S5700/S6700

14.3 Deleting the Interface-based Rate Limiting Configuration on the S7700/S9700

14.4 Deleting the Interface-based Rate Limiting Configuration on the S2700/S5700/S6700

14.5 Using a Traffic Policy to Limit the Rate of Packets

14.6 Using a Traffic Policy to Filter Packets

14.7 Configuring Traffic Statistics in a Traffic Policy


14.1 Configuring Interface-based Rate Limiting on the S7700/S9700

Configuring Interface-based Rate Limiting in the Inbound Direction

Configure a QoS CAR profile named qoscar1, specify the rate limit in the QoS profile, and apply the profile to GE1/0/1.

<HUAWEI> system-view
[HUAWEI] qos car qoscar1 cir 10000 cbs 10240
[HUAWEI] interface gigabitethernet 1/0/1
[HUAWEI-GigabitEthernet1/0/1] qos car inbound qoscar1

Configuring Interface-based Rate Limiting in the Outbound Direction

Run the qos lr cir cir-value [ cbs cbs-value ] [ outbound ] command in the interface view to limit the rate of traffic passing through the interface.

(Optional) Configuring the Inter-frame Gap and Preamble

In V200R005C00 and later versions, you can configure whether the switch counts the inter-frame gap and preamble of packets when calculating the rate limit on the interface. By default, the switch counts the inter-frame gap and preamble of packets when calculating the rate limit. You can run either of the following commands in the system view to configure the device not to count the inter-frame gap and preamble of packets during rate limit calculation, which improves rate limit accuracy.

- Inbound: qos-car exclude-interframe

- Outbound: qos-shaping exclude-interframe

14.2 Configuring Interface-based Rate Limiting on the S2700/S5700/S6700

Configuring Interface-based Rate Limiting in the Inbound Direction

Run the qos lr inbound cir cir-value [ cbs cbs-value ] command in the interface view to limit the rate of traffic passing through the interface.

Configuring Interface-based Rate Limiting in the Outbound Direction

Run the qos lr outbound cir cir-value [ cbs cbs-value ] command in the interface view to limit the rate of traffic passing through the interface.

(Optional) Configuring the Inter-frame Gap and Preamble

In V200R005C00 and later versions, you can configure whether the switch counts the inter-frame gap and preamble of packets when calculating the rate limit on the interface. By default, the switch counts the inter-frame gap and preamble of packets when calculating the rate limit. You can run either of the following commands in the system view to configure the device not to count the inter-frame gap and preamble of packets during rate limit calculation, which improves rate limit accuracy.

- Inbound: qos-car exclude-interframe

- Outbound: qos-shaping exclude-interframe

14.3 Deleting the Interface-based Rate Limiting Configuration on the S7700/S9700

Deleting the Interface-based Rate Limiting Configuration in the Inbound Direction

Unbind the QoS CAR profile qoscar1 from GE1/0/1 and delete the profile.

[HUAWEI] interface gigabitethernet 1/0/1
[HUAWEI-GigabitEthernet1/0/1] undo qos car inbound
[HUAWEI-GigabitEthernet1/0/1] quit
[HUAWEI] undo qos car qoscar1

Deleting the Interface-based Rate Limiting Configuration in the Outbound Direction

Run the undo qos lr [ outbound ] command in the interface view to delete the interface-based rate limiting configuration.

14.4 Deleting the Interface-based Rate Limiting Configuration on the S2700/S5700/S6700

Deleting the Interface-based Rate Limiting Configuration in the Inbound Direction

Run the undo qos lr inbound command in the interface view to delete the interface-based rate limiting configuration.

Deleting the Interface-based Rate Limiting Configuration in the Outbound Direction

Run the undo qos lr outbound command in the interface view to delete the interface-based rate limiting configuration.

14.5 Using a Traffic Policy to Limit the Rate of Packets

Limiting the Traffic Rate Based on IP Addresses

Set the rate limit of packets from the PC at 192.168.1.10 to 4 Mbit/s.

<HUAWEI> system-view
[HUAWEI] acl 2000
[HUAWEI-acl-basic-2000] rule permit source 192.168.1.10 0.0.0.0
[HUAWEI-acl-basic-2000] quit
[HUAWEI] traffic classifier c1
[HUAWEI-classifier-c1] if-match acl 2000
[HUAWEI-classifier-c1] quit
[HUAWEI] traffic behavior b1
[HUAWEI-behavior-b1] car cir 4096
[HUAWEI-behavior-b1] quit
[HUAWEI] traffic policy p1
[HUAWEI-trafficpolicy-p1] classifier c1 behavior b1
[HUAWEI-trafficpolicy-p1] quit
[HUAWEI] interface gigabitethernet 1/0/1
[HUAWEI-GigabitEthernet1/0/1] traffic-policy p1 inbound

Limiting the Rate of Packets from Devices on a Network Segment

Set the rate limit of packets from devices on the network segment 192.168.1.0 to 50 Mbit/s.

<HUAWEI> system-view
[HUAWEI] acl 2000
[HUAWEI-acl-basic-2000] rule permit source 192.168.1.0 0.0.0.255
[HUAWEI-acl-basic-2000] quit
[HUAWEI] traffic classifier c1
[HUAWEI-classifier-c1] if-match acl 2000
[HUAWEI-classifier-c1] quit
[HUAWEI] traffic behavior b1
[HUAWEI-behavior-b1] car cir 51200
[HUAWEI-behavior-b1] quit
[HUAWEI] traffic policy p1
[HUAWEI-trafficpolicy-p1] classifier c1 behavior b1
[HUAWEI-trafficpolicy-p1] quit
[HUAWEI] interface gigabitethernet 1/0/1
[HUAWEI-GigabitEthernet1/0/1] traffic-policy p1 inbound

Limiting the Traffic Rate Based on IP Addresses and Protocols

Set the rate limit of HTTP traffic (port 80) from devices on the network segment 192.168.1.0 to 10 Mbit/s.

<HUAWEI> system-view
[HUAWEI] acl 3000
[HUAWEI-acl-adv-3000] rule permit tcp destination-port eq 80 source 192.168.1.0 0.0.0.255
[HUAWEI-acl-adv-3000] quit
[HUAWEI] traffic classifier c1
[HUAWEI-classifier-c1] if-match acl 3000
[HUAWEI-classifier-c1] quit
[HUAWEI] traffic behavior b1
[HUAWEI-behavior-b1] car cir 10240
[HUAWEI-behavior-b1] quit
[HUAWEI] traffic policy p1
[HUAWEI-trafficpolicy-p1] classifier c1 behavior b1
[HUAWEI-trafficpolicy-p1] quit
[HUAWEI] interface gigabitethernet 1/0/1
[HUAWEI-GigabitEthernet1/0/1] traffic-policy p1 inbound

14.6 Using a Traffic Policy to Filter Packets

Preventing a Specified Device from Accessing a Network

Prevent the PC at 192.168.1.10 from accessing the network.

<HUAWEI> system-view
[HUAWEI] acl 2000
[HUAWEI-acl-basic-2000] rule deny source 192.168.1.10 0.0.0.0
[HUAWEI-acl-basic-2000] quit
[HUAWEI] traffic classifier c1
[HUAWEI-classifier-c1] if-match acl 2000
[HUAWEI-classifier-c1] quit
[HUAWEI] traffic behavior b1
[HUAWEI-behavior-b1] deny
[HUAWEI-behavior-b1] quit
[HUAWEI] traffic policy p1
[HUAWEI-trafficpolicy-p1] classifier c1 behavior b1
[HUAWEI-trafficpolicy-p1] quit
[HUAWEI] interface gigabitethernet 1/0/1
[HUAWEI-GigabitEthernet1/0/1] traffic-policy p1 inbound

Preventing All Devices on a Network Segment from Accessing a Network

Prevent all devices on the network segment of 192.168.1.0 from accessing a network.

<HUAWEI> system-view [HUAWEI] acl 2000[HUAWEI-acl-basic-2000] rule deny source 192.168.1.0 0.0.0.255[HUAWEI-acl-basic-2000] quit

[HUAWEI] traffic classifier c1[HUAWEI-classifier-c1] if-match acl 2000[HUAWEI-classifier-c1] quit[HUAWEI] traffic behavior b1[HUAWEI-behavior-b1] deny[HUAWEI-behavior-b1] quit[HUAWEI] traffic policy p1[HUAWEI-trafficpolicy-p1] classifier c1 behavior b1[HUAWEI-trafficpolicy-p1] quit[HUAWEI] interface gigabitethernet 1/0/1[HUAWEI-GigabitEthernet1/0/1] traffic-policy p1 inbound 

Filtering Packets of Specified Protocols

l Prevent SMTP packets with TCP destination port 25.

l Prevent POP3 packets with TCP destination port 110.

l Prevent HTTP packets with TCP destination port 80.

<HUAWEI> system-view [HUAWEI] acl 3000[HUAWEI-acl-adv-3000] rule deny tcp destination-port eq 25[HUAWEI-acl-adv-3000] rule deny tcp destination-port eq 110[HUAWEI-acl-adv-3000] rule deny tcp destination-port eq 80[HUAWEI-acl-adv-3000] quit[HUAWEI] traffic classifier c1[HUAWEI-classifier-c1] if-match acl 3000[HUAWEI-classifier-c1] quit[HUAWEI] traffic behavior b1[HUAWEI-behavior-b1] deny[HUAWEI-behavior-b1] quit[HUAWEI] traffic policy p1[HUAWEI-trafficpolicy-p1] classifier c1 behavior b1[HUAWEI-trafficpolicy-p1] quit[HUAWEI] interface gigabitethernet 1/0/1[HUAWEI-GigabitEthernet1/0/1] traffic-policy p1 inbound 

14.7 Configuring Traffic Statistics in a Traffic Policy

Configuring the Switch to Collect Traffic Statistics About a Specified Host

Configure the switch to collect statistics on packets with the source MAC address of 0000-0000-0003.


Note that the mask in a Layer 2 ACL works the opposite way from an IP wildcard: a 1 bit in ffff-ffff-ffff means that bit of the MAC address must match.

<HUAWEI> system-view
[HUAWEI] acl 4000
[HUAWEI-acl-L2-4000] rule permit source-mac 0000-0000-0003 ffff-ffff-ffff
[HUAWEI-acl-L2-4000] quit
[HUAWEI] traffic classifier c1
[HUAWEI-classifier-c1] if-match acl 4000
[HUAWEI-classifier-c1] quit
[HUAWEI] traffic behavior b1
[HUAWEI-behavior-b1] statistic enable
[HUAWEI-behavior-b1] quit
[HUAWEI] traffic policy p1
[HUAWEI-trafficpolicy-p1] classifier c1 behavior b1
[HUAWEI-trafficpolicy-p1] quit
[HUAWEI] interface gigabitethernet 1/0/1
[HUAWEI-GigabitEthernet1/0/1] traffic-policy p1 inbound
[HUAWEI-GigabitEthernet1/0/1] traffic-policy p1 outbound

Configuring the Switch to Collect Statistics on ICMP Packets

Configure the switch to collect statistics on ICMP packets exchanged between 192.168.1.1 and 192.168.2.1 in both directions (one rule per direction; the wildcard 0 means an exact host match).

<HUAWEI> system-view
[HUAWEI] acl 3000
[HUAWEI-acl-adv-3000] rule 0 permit icmp source 192.168.1.1 0 destination 192.168.2.1 0
[HUAWEI-acl-adv-3000] rule 5 permit icmp source 192.168.2.1 0 destination 192.168.1.1 0
[HUAWEI-acl-adv-3000] quit
[HUAWEI] traffic classifier c1
[HUAWEI-classifier-c1] if-match acl 3000
[HUAWEI-classifier-c1] quit
[HUAWEI] traffic behavior b1
[HUAWEI-behavior-b1] statistic enable
[HUAWEI-behavior-b1] quit
[HUAWEI] traffic policy p1
[HUAWEI-trafficpolicy-p1] classifier c1 behavior b1
[HUAWEI-trafficpolicy-p1] quit
[HUAWEI] interface gigabitethernet 1/0/1
[HUAWEI-GigabitEthernet1/0/1] traffic-policy p1 inbound
[HUAWEI-GigabitEthernet1/0/1] traffic-policy p1 outbound

Configuring the Switch to Collect Statistics on ARP Packets

Configure the switch to collect statistics on ARP Request and Reply packets.

<HUAWEI> system-view
[HUAWEI] traffic classifier arp-request
[HUAWEI-classifier-arp-request] if-match l2-protocol arp
[HUAWEI-classifier-arp-request] if-match source-mac 1111-1111-1111
[HUAWEI-classifier-arp-request] if-match destination-mac ffff-ffff-ffff
[HUAWEI-classifier-arp-request] quit
[HUAWEI] traffic classifier arp-reply
[HUAWEI-classifier-arp-reply] if-match l2-protocol arp
[HUAWEI-classifier-arp-reply] if-match source-mac 2222-2222-2222
[HUAWEI-classifier-arp-reply] if-match destination-mac 1111-1111-1111
[HUAWEI-classifier-arp-reply] quit
[HUAWEI] traffic behavior b1
[HUAWEI-behavior-b1] statistic enable
[HUAWEI-behavior-b1] quit
[HUAWEI] traffic policy arp-request
[HUAWEI-trafficpolicy-arp-request] classifier arp-request behavior b1
[HUAWEI-trafficpolicy-arp-request] quit
[HUAWEI] traffic policy arp-reply
[HUAWEI-trafficpolicy-arp-reply] classifier arp-reply behavior b1
[HUAWEI-trafficpolicy-arp-reply] quit
[HUAWEI] interface gigabitethernet 1/0/1
[HUAWEI-GigabitEthernet1/0/1] traffic-policy arp-request inbound
[HUAWEI-GigabitEthernet1/0/1] traffic-policy arp-reply outbound


Checking Packet Statistics

After traffic statistics collection has been enabled in a traffic policy (statistic enable in the traffic behavior), run the following command to view the packet statistics.

# Display statistics on incoming packets matching the traffic policy applied to the interface.
<HUAWEI> display traffic policy statistics interface gigabitethernet 1/0/1 inbound verbose rule-base
  Interface: GigabitEthernet1/0/1
  Traffic policy inbound: arp-request
  Rule number: 1
  Current status: success
  Statistics interval: 300
  ---------------------------------------------------------------------
  Classifier: arp-request operator and
  Behavior: b1
   if-match l2-protocol arp
   if-match source-mac 1111-1111-1111
   if-match destination-mac ffff-ffff-ffff
  Board : 0
  ---------------------------------------------------------------------
   Passed  | Packets:   0
           | Bytes:     0
           | Rate(pps): 0
           | Rate(bps): 0
  ---------------------------------------------------------------------
   Dropped | Packets:   0
           | Bytes:     0
           | Rate(pps): 0
           | Rate(bps): 0
  ---------------------------------------------------------------------

NOTE

SA cards of S series do not support byte-based traffic statistics. The information is displayed as -.


15 Common IPSG Operations

About This Chapter

This chapter describes the common IPSG operations.

15.1 Configuring IPSG Based on a Static Binding Table

15.2 Configuring IPSG Based on DHCP Snooping Dynamic Binding Table

15.3 Deleting Static Binding Entries


15.1 Configuring IPSG Based on a Static Binding Table

IPSG based on a static binding table filters IP packets received by untrusted interfaces, to prevent malicious hosts from using (spoofing) authorized hosts' IP addresses to access the network without permission. IPSG based on a static binding table is applicable to a LAN where a small number of hosts reside and the hosts use static IP addresses. The configuration procedure is as follows:

1. Run the user-bind static { { { ip-address | ipv6-address } { start-ip [ to end-ip ] } &<1-10> | ipv6-prefix prefix/prefix-length } | mac-address mac-address } * [ interface interface-type interface-number ] [ vlan vlan-id [ ce-vlan ce-vlan-id ] ] command in the system view to configure a static binding entry.

NOTE

IPSG matches packets against all options in the static binding entry. Ensure that the created binding entry is correct and contains all the options to check. The device forwards packets from a host only when the packets match all options in the binding entry, and discards packets that match no binding entry. An entry that specifies only an IP address therefore accepts that address from any MAC address on any IPSG-enabled interface; bind the MAC address (and, where the cabling is fixed, the interface and VLAN) when the goal is to stop address spoofing.

The device can bind multiple IP addresses or IP address segments to the same interface or MAC address.

- If you need to bind discontinuous IP addresses, enter 1-10 IP addresses in start-ip. For example, you can run user-bind static ip-address 192.168.1.2 192.168.1.5 192.168.1.12 interface gigabitethernet 1/0/1 to bind multiple IP addresses to the same interface.
- If you need to bind continuous IP addresses, enter 1-10 IP address segments in start-ip to end-ip. When the keyword to is used, the IP address segments cannot overlap. For example, you can run user-bind static ip-address 172.16.1.1 to 172.16.1.4 mac-address 0001-0001-0001 to bind multiple IP addresses to the same MAC address.

2. Run the ip source check user-bind enable command in the interface or VLAN view to enable IPSG.

- Enabling IPSG on an interface: IPSG checks all packets received by the interface against the binding table. Choose this method if you need to check IP packets on specified interfaces and trust the other interfaces. This method is also convenient if an interface belongs to multiple VLANs, because you do not need to enable IPSG in each VLAN.
- Enabling IPSG in a VLAN: IPSG checks the packets received by all interfaces in the VLAN against the binding table. Choose this method if you need to check IP packets in specified VLANs and trust the other VLANs. This method is also convenient if multiple interfaces belong to the same VLAN, because you do not need to enable IPSG on each interface.

The following example shows how to configure IPSG based on the static binding table:

# Create a static binding entry (source IP address 192.168.1.1 and source MAC address 0003-0003-0003) and enable IPSG on GE1/0/1.

<HUAWEI> system-view
[HUAWEI] user-bind static ip-address 192.168.1.1 mac-address 0003-0003-0003
[HUAWEI] interface gigabitethernet 1/0/1
[HUAWEI-GigabitEthernet1/0/1] ip source check user-bind enable

# Create a static binding entry (source IP address 192.168.2.1, source MAC address 0002-0002-0002, interface GE1/0/1, and VLAN 10) and enable IPSG in VLAN 10.

<HUAWEI> system-view


[HUAWEI] user-bind static ip-address 192.168.2.1 mac-address 0002-0002-0002 interface gigabitethernet 1/0/1 vlan 10
[HUAWEI] vlan 10
[HUAWEI-vlan10] ip source check user-bind enable
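The following is an added example, not code from the Huawei guide: a Python model of the static binding table and of the "match every option in the entry" rule stated in the NOTE above. It builds entries with the same options as user-bind static (1-10 addresses or "to" segments, optional MAC, interface and VLAN), rejects overlapping segments the way the switch does, and shows that a host reusing a bound IP address with a different MAC is dropped on an IPSG-enabled interface while the same packet on an unchecked interface is trusted. The binding entries reproduce the examples in this section; the packets and the "GE1/0/2 unchecked" case are constructed.

```python
"""Added example: model of IPSG static binding entries and the all-options match.
Not code from the guide; packets below are constructed."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


def _ip(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))


def _mac(mac: str) -> str:
    """Normalise 0003-0003-0003 or 00:03:00:03:00:03 to 12 lower-case hex digits."""
    return mac.replace("-", "").replace(":", "").lower()


@dataclass
class Binding:
    ip_ranges: List[Tuple[int, int]]   # inclusive ranges from start-ip [to end-ip]
    mac: Optional[str] = None          # mac-address option
    interface: Optional[str] = None    # interface option
    vlan: Optional[int] = None         # vlan option


def user_bind_static(ip_specs: List[str], mac: str = None,
                     interface: str = None, vlan: int = None) -> Binding:
    """Build one entry the way 'user-bind static ip-address ...' does.
    ip_specs holds 1-10 items, each 'a.b.c.d' or 'a.b.c.d to w.x.y.z'.
    Segments must not overlap; the switch rejects that as well."""
    if not 1 <= len(ip_specs) <= 10:
        raise ValueError("ip-address takes 1 to 10 addresses or segments")
    ranges: List[Tuple[int, int]] = []
    for spec in ip_specs:
        parts = spec.split()
        if len(parts) == 1:
            start = end = _ip(parts[0])
        elif len(parts) == 3 and parts[1] == "to":
            start, end = _ip(parts[0]), _ip(parts[2])
        else:
            raise ValueError(f"bad ip-address item: {spec!r}")
        if end < start:
            raise ValueError(f"end-ip precedes start-ip in {spec!r}")
        if any(start <= e and s <= end for s, e in ranges):
            raise ValueError(f"IP address segments overlap: {spec!r}")
        ranges.append((start, end))
    return Binding(ranges, _mac(mac) if mac else None, interface, vlan)


def accepts(ip_specs: List[str]) -> bool:
    """True if the switch would accept this ip-address list."""
    try:
        user_bind_static(ip_specs)
        return True
    except ValueError:
        return False


def entry_matches(entry: Binding, pkt: Dict) -> bool:
    """Every option present in the entry must match the packet (NOTE in 15.1)."""
    src = _ip(pkt["src_ip"])
    if not any(s <= src <= e for s, e in entry.ip_ranges):
        return False
    if entry.mac is not None and _mac(pkt["src_mac"]) != entry.mac:
        return False
    if entry.interface is not None and pkt["interface"] != entry.interface:
        return False
    if entry.vlan is not None and pkt.get("vlan") != entry.vlan:
        return False
    return True


def ipsg_verdict(table: List[Binding], ipsg_interfaces: Set[str],
                 ipsg_vlans: Set[int], pkt: Dict) -> str:
    """IPSG enabled on an interface checks everything that interface receives;
    enabled in a VLAN it checks everything received in that VLAN.  Packets
    arriving anywhere else are trusted and forwarded without a lookup."""
    checked = pkt["interface"] in ipsg_interfaces or pkt.get("vlan") in ipsg_vlans
    if not checked:
        return "forward (interface/VLAN not checked by IPSG)"
    return "forward" if any(entry_matches(b, pkt) for b in table) else "drop"


# Binding table built from the entries shown in this section.
TABLE = [
    user_bind_static(["192.168.1.1"], mac="0003-0003-0003"),
    user_bind_static(["192.168.2.1"], mac="0002-0002-0002", interface="GE1/0/1", vlan=10),
    user_bind_static(["172.16.1.1 to 172.16.1.4"], mac="0001-0001-0001"),
]
IPSG_INTERFACES = {"GE1/0/1"}   # ip source check user-bind enable on GE1/0/1
IPSG_VLANS = {10}               # ip source check user-bind enable in VLAN 10


def demo() -> List[str]:
    packets = [  # constructed: legitimate host, MAC-spoofing host, ranged entry, unchecked port
        {"src_ip": "192.168.1.1", "src_mac": "0003-0003-0003", "interface": "GE1/0/1"},
        {"src_ip": "192.168.1.1", "src_mac": "0009-0009-0009", "interface": "GE1/0/1"},
        {"src_ip": "172.16.1.3", "src_mac": "0001-0001-0001", "interface": "GE1/0/1", "vlan": 10},
        {"src_ip": "192.168.1.1", "src_mac": "0009-0009-0009", "interface": "GE1/0/2"},
    ]
    return [ipsg_verdict(TABLE, IPSG_INTERFACES, IPSG_VLANS, p) for p in packets]


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

The last packet is the case to remember: the spoofed address is accepted on GE1/0/2 simply because IPSG was never enabled there, so enable the check on every interface or VLAN that untrusted hosts can reach.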

15.2 Configuring IPSG Based on DHCP Snooping Dynamic Binding Table

IPSG based on a DHCP snooping dynamic binding table filters IP packets received by untrusted interfaces, to prevent malicious hosts from using authorized hosts' IP addresses to access the network without permission. IPSG based on a dynamic binding table is applicable to a LAN where a large number of hosts reside and the hosts obtain IP addresses through DHCP. The configuration procedure is as follows:

1. Configure DHCP snooping so that a DHCP snooping dynamic binding table is generated.
   a. Run the dhcp enable command in the system view to enable DHCP globally.
   b. Run the dhcp snooping enable command in the system view to enable DHCP snooping globally.
   c. Run the dhcp snooping enable command in the interface or VLAN view to enable DHCP snooping on the interface or in the VLAN.
   d. Run the dhcp snooping trusted command in the interface view, or the dhcp snooping trusted interface interface-type interface-number command in the VLAN view, to configure a trusted interface.
      The device directly forwards the IP packets received by the trusted interface without checking them against the binding table. Trust only the interface that leads to the legitimate DHCP server; a trusted interface facing hosts bypasses the check entirely.
2. Run the ip source check user-bind enable command in the interface or VLAN view to enable IPSG.

The following example shows how to configure IPSG based on a DHCP snooping dynamic binding table:

# Configure DHCP snooping, specify GE1/0/1 as a trusted interface, and enable IPSG on GE1/0/2.

<HUAWEI> system-view
[HUAWEI] dhcp enable
[HUAWEI] dhcp snooping enable
[HUAWEI] interface gigabitethernet 1/0/1
[HUAWEI-GigabitEthernet1/0/1] dhcp snooping trusted
[HUAWEI-GigabitEthernet1/0/1] quit
[HUAWEI] interface gigabitethernet 1/0/2
[HUAWEI-GigabitEthernet1/0/2] dhcp snooping enable
[HUAWEI-GigabitEthernet1/0/2] ip source check user-bind enable

# Configure DHCP snooping, specify GE1/0/1 as a trusted interface, and enable IPSG in VLAN 10.

<HUAWEI> system-view
[HUAWEI] vlan batch 10
[HUAWEI] interface gigabitethernet 1/0/1
[HUAWEI-GigabitEthernet1/0/1] port link-type trunk
[HUAWEI-GigabitEthernet1/0/1] port trunk allow-pass vlan 10
[HUAWEI-GigabitEthernet1/0/1] quit
[HUAWEI] dhcp enable


[HUAWEI] dhcp snooping enable
[HUAWEI] vlan 10
[HUAWEI-vlan10] dhcp snooping enable
[HUAWEI-vlan10] dhcp snooping trusted interface gigabitethernet 1/0/1
[HUAWEI-vlan10] ip source check user-bind enable

15.3 Deleting Static Binding Entries

If a binding entry is incorrect or the network rights of a bound host have changed, you can run the undo user-bind static [ { { ip-address | ipv6-address } { start-ip [ to end-ip ] } &<1-10> | ipv6-prefix prefix/prefix-length } | mac-address mac-address | interface interface-type interface-number | vlan vlan-id [ ce-vlan ce-vlan-id ] ] * command to delete the entry.

- When you delete a binding entry, the parameters specified in the undo command must be the same as the corresponding parameters in the binding entry; otherwise, the entry cannot be deleted.
- Binding entries can be deleted in a batch, for example:
  - Run the undo user-bind static command to delete all binding entries.
  - Run the undo user-bind static interface gigabitethernet 1/0/1 command to delete all entries on the specified interface GE1/0/1.
  - Run the undo user-bind static vlan 10 command to delete all entries in VLAN 10.

The following example shows how to delete static binding entries:

Run the display dhcp static user-bind all command to view all static binding entries on the device.

<HUAWEI> display dhcp static user-bind all
DHCP static Bind-table:
Flags:O - outer vlan ,I - inner vlan ,P - Vlan-mapping
IP Address       MAC Address     VSI/VLAN(O/I/P)  Interface
--------------------------------------------------------------------------------
192.168.1.1      0001-0001-0001  --  /--  /--     --
192.168.1.2      0002-0002-0002  --  /--  /--     GE1/0/2
192.168.2.1      --              --  /--  /--     GE1/0/1
192.168.2.2      --              --  /--  /--     GE1/0/1
192.168.2.3      --              --  /--  /--     GE1/0/1
192.168.3.1      0004-0004-0004  10  /--  /--     --
192.168.3.2      0005-0005-0005  10  /--  /--     --
--------------------------------------------------------------------------------
Print count:           7          Total count:           7

# Delete the static binding entry of IP address 192.168.1.1.

<HUAWEI> system-view
[HUAWEI] undo user-bind static ip-address 192.168.1.1 mac-address 0001-0001-0001

# Delete the static binding entry of IP address 192.168.1.2.

<HUAWEI> system-view
[HUAWEI] undo user-bind static ip-address 192.168.1.2 mac-address 0002-0002-0002 interface gigabitethernet 1/0/2

# Delete all static binding entries on GE1/0/1.

<HUAWEI> system-view
[HUAWEI] undo user-bind static interface gigabitethernet 1/0/1

# Delete all static binding entries in VLAN 10.


<HUAWEI> system-view
[HUAWEI] undo user-bind static vlan 10

After the preceding steps are performed in sequence, all seven binding entries listed above are deleted.


16 Common AAA Operations

About This Chapter

This chapter describes common AAA operations.

16.1 Configuring Authentication for Telnet Login Users (AAA Local Authentication)

16.2 Setting the User Level

16.3 Configuring the Global Default Domain


16.1 Configuring Authentication for Telnet Login Users (AAA Local Authentication)

The authentication mode must be specified on the device; otherwise, users cannot log in to the device through Telnet. The device supports non-authentication, password authentication, and AAA authentication, of which AAA authentication is the most secure because every user logs in with an individual account and user level. Telnet itself carries the user name and password in cleartext; where the software version supports SSH (see the comment on protocol inbound below), use SSH with the same AAA configuration instead.

To authenticate Telnet users through AAA, enable the Telnet service on the device, set the authentication mode of the user interface (for example, VTY) to aaa, create a local account in the AAA view, and set the user access type and user level.

<HUAWEI> system-view
[HUAWEI] telnet server enable  //Enable the Telnet service.
[HUAWEI] user-interface maximum-vty 15  //Set the maximum number of VTY login users to 15.
[HUAWEI] user-interface vty 0 14  //Enter the view of VTY user interfaces 0 to 14.
[HUAWEI-ui-vty0-14] authentication-mode aaa  //Set the VTY authentication mode to AAA.
[HUAWEI-ui-vty0-14] protocol inbound telnet  //By default, switches in V200R006 and earlier versions support Telnet, and switches in V200R007 and later versions support SSH.
[HUAWEI-ui-vty0-14] quit
[HUAWEI] aaa
[HUAWEI-aaa] local-user user1 password irreversible-cipher Huawei@1234  //Create the local user user1 and set the password. The password is stored as cipher text in the configuration file and cannot be recovered from it, so remember the password. If you forget the password, run this command again to overwrite the old configuration.
[HUAWEI-aaa] local-user user1 service-type telnet  //Set the access type of user1 to Telnet. This user can only log in to the device through Telnet.
[HUAWEI-aaa] local-user user1 privilege level 15  //Set the user level of user1 to 15. After login, the user can run the commands at levels 0-15.
[HUAWEI-aaa] quit

16.2 Setting the User Level

A user level corresponds to a command level. After logging in to the device, a user can run only the commands whose levels are the same as or lower than the user level. For example, a user at level 2 can run only the commands at levels 0, 1, and 2.

When AAA local authentication is used, set the user level on the device. If the user level is not set, login users are at level 0 (visit level) and can use only the commands at level 0, such as the network diagnostic commands ping and tracert.

To allow users to run commands of higher levels, such as the monitoring, configuration, or management level, the users must be given higher user levels. Give each account the lowest level its role needs; level 15 allows commands at every level, including configuration changes.

If AAA local authentication is used, you have the following methods to set the user level. The user level set by the first method has the highest priority and the user level set by the last method has the lowest priority.

- Set the user level for a specified user.

<HUAWEI> system-view
[HUAWEI] aaa
[HUAWEI-aaa] local-user user1 privilege level 15  //Set the user level of user1 to 15.

- Set the user level for all users in a domain.


<HUAWEI> system-view
[HUAWEI] aaa
[HUAWEI-aaa] service-scheme sch1
[HUAWEI-aaa-service-sch1] admin-user privilege level 15  //Set the user level of all users in a domain to 15. The service scheme affects a domain's users only once it has been applied in that domain's view.

- Set the user level for all users logging in through the same user interface (such as the VTY user interface).

<HUAWEI> system-view
[HUAWEI] user-interface maximum-vty 15
[HUAWEI] user-interface vty 0 14
[HUAWEI-ui-vty0-14] user privilege level 15  //Set the user level of VTY 0 to VTY 14 to 15.

16.3 Configuring the Global Default Domain

The administrator plans to authenticate the users of a department in the domain huawei. The user name supplied for authentication never contains a domain name (for example, the user name is zhangsan). In this case, the access device cannot send the user name to the AAA server configured in the domain huawei, and therefore the user fails authentication.

To solve the problem, configure huawei as the global default domain: user names that carry no domain suffix are then authenticated in that domain.

<HUAWEI> system-view
[HUAWEI] aaa
[HUAWEI-aaa] domain huawei
[HUAWEI-aaa-domain-huawei] quit
[HUAWEI-aaa] quit
[HUAWEI] domain huawei
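The following is an added example, not code from the Huawei guide: a Python audit of a configuration excerpt written in the style of 16.1-16.3. It flags the management-plane settings a reviewer looks for (Telnet enabled, a VTY authentication mode other than aaa, Telnet allowed inbound, passwords not stored with irreversible-cipher) and works out each local user's effective level with the precedence stated in 16.2 (local-user level, then the service scheme of the user's domain, then the user-interface level), resolving the domain from the user name suffix or the global default domain of 16.3. The configuration text is constructed; the %^%#...%^%# strings stand in for the cipher text the switch writes, and the service-scheme line under domain huawei is this example's assumption about how the scheme is attached to the domain (the guide shows only the scheme itself).

```python
"""Added example: audit a VRP-style AAA/VTY configuration excerpt.
Not code from the guide; SAMPLE_CONFIG is constructed."""
import re
from typing import Dict, List

SAMPLE_CONFIG = """\
telnet server enable
user-interface vty 0 14
 authentication-mode aaa
 protocol inbound telnet
 user privilege level 1
aaa
 local-user user1 password irreversible-cipher %^%#...%^%#
 local-user user1 service-type telnet
 local-user user1 privilege level 15
 local-user zhangsan password irreversible-cipher %^%#...%^%#
 local-user zhangsan service-type telnet
 local-user ops@backup password irreversible-cipher %^%#...%^%#
 local-user ops@backup service-type telnet
 service-scheme sch1
  admin-user privilege level 3
 domain huawei
  service-scheme sch1
 domain backup
domain huawei
"""


def parse_config(text: str) -> Dict:
    """Minimal parser: view nesting follows the one-space indentation VRP writes."""
    cfg = {"telnet": False, "vty": {}, "users": {}, "schemes": {},
           "domains": {}, "default_domain": "default"}
    ctx = sub = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        depth = len(raw) - len(raw.lstrip(" "))
        if depth == 0:                                   # system view
            ctx = sub = None
            if line == "telnet server enable":
                cfg["telnet"] = True
            elif line.startswith("user-interface vty"):
                ctx = "vty"
            elif line == "aaa":
                ctx = "aaa"
            elif line.startswith("domain "):             # global default domain (16.3)
                cfg["default_domain"] = line.split()[1]
        elif ctx == "vty":
            if line.startswith("authentication-mode "):
                cfg["vty"]["auth"] = line.split()[1]
            elif line.startswith("protocol inbound "):
                cfg["vty"]["protocol"] = line.split()[2]
            elif line.startswith("user privilege level "):
                cfg["vty"]["level"] = int(line.split()[-1])
        elif ctx == "aaa" and depth == 1:
            sub = None
            m = re.match(r"local-user (\S+) (.*)", line)
            if m:
                user, rest = cfg["users"].setdefault(m.group(1), {}), m.group(2)
                if rest.startswith("service-type "):
                    user["service"] = rest.split()[1]
                elif rest.startswith("privilege level "):
                    user["level"] = int(rest.split()[-1])
                elif rest.startswith("password "):
                    user["password"] = rest.split()[1]   # cipher keyword used
            elif line.startswith("service-scheme "):
                sub = ("scheme", line.split()[1])
            elif line.startswith("domain "):
                sub = ("domain", line.split()[1])
                cfg["domains"].setdefault(sub[1], {})
        elif ctx == "aaa" and depth == 2 and sub:
            kind, name = sub
            if kind == "scheme" and line.startswith("admin-user privilege level "):
                cfg["schemes"][name] = int(line.split()[-1])
            elif kind == "domain" and line.startswith("service-scheme "):
                cfg["domains"][name]["scheme"] = line.split()[1]   # assumed binding
    return cfg


def effective_level(cfg: Dict, user: str) -> int:
    """Precedence from 16.2: local-user level, then the service scheme of the
    user's domain, then the user-interface level; unset everywhere means level 0."""
    u = cfg["users"][user]
    if "level" in u:
        return u["level"]
    domain = user.split("@", 1)[1] if "@" in user else cfg["default_domain"]
    scheme = cfg["domains"].get(domain, {}).get("scheme")
    if scheme in cfg["schemes"]:
        return cfg["schemes"][scheme]
    return cfg["vty"].get("level", 0)


def audit(cfg: Dict) -> List[str]:
    findings = []
    if cfg["telnet"]:
        findings.append("telnet server enable: Telnet sends the user name and password in cleartext; prefer SSH")
    if cfg["vty"].get("auth") != "aaa":
        findings.append(f"VTY authentication-mode is {cfg['vty'].get('auth', 'not set')}: use aaa")
    if cfg["vty"].get("protocol") in ("telnet", "all"):
        findings.append("VTY protocol inbound allows Telnet")
    for name, u in cfg["users"].items():
        if u.get("password") and u["password"] != "irreversible-cipher":
            findings.append(f"{name}: password stored with {u['password']}, not irreversible-cipher")
        if effective_level(cfg, name) == 15:
            findings.append(f"{name}: effective user level 15 (full command access)")
    return findings


if __name__ == "__main__":
    for finding in audit(parse_config(SAMPLE_CONFIG)):
        print("-", finding)
```

On the sample, zhangsan ends up at level 3 through the default domain's service scheme, and ops@backup at level 1 from the VTY line, which is exactly the kind of indirect privilege assignment that is easy to overlook when only the local-user lines are reviewed.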


17 Common NAC Operations

About This Chapter

This chapter describes common NAC operations.

17.1 Configuring MAC Address Bypass Authentication

17.2 Configuring the Guest VLAN Function

17.3 Configuring Layer 2 Transparent Transmission of 802.1x Authentication Packets


17.1 Configuring MAC Address Bypass Authentication

When there are PCs and a few dumb terminals (such as printers) on a network, you can configure 802.1x authentication together with MAC address bypass authentication so that the dumb terminals, which cannot run an 802.1x client, can also connect to the 802.1x-authenticated network. For example, when many PCs and some dumb terminals are connected to the interfaces GE1/0/1 and GE1/0/5, enable 802.1x authentication and MAC address bypass authentication on the interfaces so that both the PCs and the dumb terminals can connect to the network. A bypassed terminal is identified by its MAC address alone, which an attacker can clone, so limit what MAC-authenticated devices are allowed to reach.

NOTE

In V200R005C00 and later versions, only the common NAC mode supports MAC address bypass authentication.

- Batch configure multiple interfaces in the system view:

<HUAWEI> system-view
[HUAWEI] dot1x enable
[HUAWEI] dot1x enable interface gigabitethernet 1/0/1 gigabitethernet 1/0/5
[HUAWEI] dot1x mac-bypass interface gigabitethernet 1/0/1 gigabitethernet 1/0/5

- Configure each interface in the interface view:

<HUAWEI> system-view
[HUAWEI] dot1x enable
[HUAWEI] interface gigabitethernet 1/0/1
[HUAWEI-GigabitEthernet1/0/1] dot1x enable
[HUAWEI-GigabitEthernet1/0/1] dot1x mac-bypass
[HUAWEI-GigabitEthernet1/0/1] quit
[HUAWEI] interface gigabitethernet 1/0/5
[HUAWEI-GigabitEthernet1/0/5] dot1x enable
[HUAWEI-GigabitEthernet1/0/5] dot1x mac-bypass

17.2 Configuring the Guest VLAN Function

You can configure the guest VLAN function so that users who have not yet authenticated can access a limited set of network resources, for example to download client software, upgrade clients, or update the virus library. For example, configure the guest VLAN function on GE1/0/1 and GE1/0/5 so that the users on the two interfaces can update the virus library before they authenticate. Assume that the virus library server is located in VLAN 10. Everything reachable from VLAN 10 is reachable without authentication, so keep that VLAN limited to the remediation servers.

NOTE

In V200R005C00 and later versions, only the common NAC mode supports the guest VLAN function.

- Batch configure multiple interfaces in the system view:

<HUAWEI> system-view
[HUAWEI] dot1x enable
[HUAWEI] dot1x enable interface gigabitethernet 1/0/1 gigabitethernet 1/0/5
[HUAWEI] authentication guest-vlan 10 interface gigabitethernet 1/0/1 gigabitethernet 1/0/5

- Configure each interface in the interface view:

<HUAWEI> system-view
[HUAWEI] dot1x enable
[HUAWEI] interface gigabitethernet 1/0/1
[HUAWEI-GigabitEthernet1/0/1] dot1x enable
[HUAWEI-GigabitEthernet1/0/1] authentication guest-vlan 10
[HUAWEI-GigabitEthernet1/0/1] quit
[HUAWEI] interface gigabitethernet 1/0/5
[HUAWEI-GigabitEthernet1/0/5] dot1x enable
[HUAWEI-GigabitEthernet1/0/5] authentication guest-vlan 10


17.3 Configuring Layer 2 Transparent Transmission of 802.1x Authentication Packets

The EAP packet in 802.1x authentication is a bridge protocol data unit (BPDU): EAPOL frames are addressed to the reserved multicast MAC address 0180-C200-0003. By default, Huawei switches do not perform Layer 2 forwarding for BPDUs. If a Layer 2 switch sits between the 802.1x-enabled device and a user, Layer 2 transparent transmission must be configured on that switch. Otherwise, the EAP packet sent by the user cannot reach the authentication device and the user cannot pass authentication.

Figure 17-1 Configuring Layer 2 transparent transmission of 802.1x authentication packets (two Users attached to GE0/0/2 and GE0/0/3 of the LAN Switch; GE0/0/1 of the LAN Switch uplinks to the Switch running 802.1x authentication, which connects to the RADIUS Server and the Intranet)

As shown in Figure 17-1, there is a Layer 2 LAN Switch between the user and the device Switch on which 802.1x authentication is enabled. To ensure that the user's 802.1x authentication packets can reach the Switch through the LAN Switch, perform the following configuration on the LAN Switch (using the S5700HI as an example of the Layer 2 switch). The user-defined protocol is identified by the EAPOL destination MAC address; on the tunnel interfaces the LAN Switch replaces that address with the configured group MAC address so the frame is forwarded like ordinary multicast traffic, and restores the original address when the frame leaves the tunnel.

<HUAWEI> system-view
[HUAWEI] sysname LAN Switch
[LAN Switch] l2protocol-tunnel user-defined-protocol dot1x protocol-mac 0180-c200-0003 group-mac 0100-0000-0002  //group-mac cannot be set to the reserved multicast MAC addresses (from 0180-C200-0000 to 0180-C200-002F) or to some other special MAC addresses.
[LAN Switch] interface gigabitethernet 0/0/1  //GE0/0/1 connects the Layer 2 switch to the uplink network; the same configuration is applied to all user-facing interfaces.
[LAN Switch-GigabitEthernet0/0/1] l2protocol-tunnel user-defined-protocol dot1x enable
[LAN Switch-GigabitEthernet0/0/1] bpdu enable
[LAN Switch-GigabitEthernet0/0/1] quit
[LAN Switch] interface gigabitethernet 0/0/2
[LAN Switch-GigabitEthernet0/0/2] l2protocol-tunnel user-defined-protocol dot1x enable
[LAN Switch-GigabitEthernet0/0/2] bpdu enable
[LAN Switch-GigabitEthernet0/0/2] quit
[LAN Switch] interface gigabitethernet 0/0/3
[LAN Switch-GigabitEthernet0/0/3] l2protocol-tunnel user-defined-protocol dot1x enable
[LAN Switch-GigabitEthernet0/0/3] bpdu enable
[LAN Switch-GigabitEthernet0/0/3] quit
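The following is an added example, not code from the Huawei guide: a byte-level Python model of the Layer 2 protocol tunnelling configured above. It builds an EAPOL-Start frame (destination 0180-C200-0003, EtherType 0x888E), rewrites the destination to the group MAC on the user-facing tunnel port, restores it on the uplink, and checks a candidate group-mac against the reserved range quoted in the configuration comment. The protocol and group MAC addresses are the ones from the command above; the user MAC address is constructed.

```python
"""Added example: EAPOL frame rewrite performed by l2protocol-tunnel.
Not code from the guide; the user MAC address is constructed."""
import struct

EAPOL_ETHERTYPE = 0x888E
PROTOCOL_MAC = "0180-c200-0003"   # protocol-mac in the l2protocol-tunnel command above
GROUP_MAC = "0100-0000-0002"      # group-mac in the same command
RESERVED = (0x0180C2000000, 0x0180C200002F)   # range the guide says group-mac must avoid


def mac_to_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace("-", "").replace(":", ""))


def bytes_to_mac(b: bytes) -> str:
    h = b.hex()
    return f"{h[0:4]}-{h[4:8]}-{h[8:12]}"


def valid_group_mac(mac: str) -> bool:
    """A group-mac must be a multicast address (I/G bit set) outside the reserved BPDU range."""
    value = int.from_bytes(mac_to_bytes(mac), "big")
    multicast = bool((value >> 40) & 0x01)
    return multicast and not RESERVED[0] <= value <= RESERVED[1]


def eapol_start(src_mac: str) -> bytes:
    """Ethernet II frame carrying EAPOL-Start: protocol version 1, type 1, body length 0."""
    return (mac_to_bytes(PROTOCOL_MAC) + mac_to_bytes(src_mac)
            + struct.pack("!H", EAPOL_ETHERTYPE) + struct.pack("!BBH", 1, 1, 0))


def is_dot1x(frame: bytes, dst: str) -> bool:
    """The user-defined protocol is recognised by destination MAC plus EtherType."""
    return frame[:6] == mac_to_bytes(dst) and struct.unpack("!H", frame[12:14])[0] == EAPOL_ETHERTYPE


def tunnel_in(frame: bytes, group_mac: str = GROUP_MAC) -> bytes:
    """User-facing port with 'l2protocol-tunnel user-defined-protocol dot1x enable':
    the reserved destination is replaced by the group MAC, so the LAN switch floods
    the frame like ordinary multicast instead of consuming it as a BPDU."""
    if is_dot1x(frame, PROTOCOL_MAC):
        return mac_to_bytes(group_mac) + frame[6:]
    return frame


def tunnel_out(frame: bytes, group_mac: str = GROUP_MAC) -> bytes:
    """Uplink port with the same command: the group MAC is swapped back so the
    802.1x switch receives a normal EAPOL frame."""
    if is_dot1x(frame, group_mac):
        return mac_to_bytes(PROTOCOL_MAC) + frame[6:]
    return frame


def demo() -> dict:
    user_mac = "0011-2233-4455"                 # constructed user MAC
    sent = eapol_start(user_mac)                # sent by the user on GE0/0/2
    inside = tunnel_in(sent)                    # as it crosses the LAN Switch
    delivered = tunnel_out(inside)              # as it leaves GE0/0/1
    return {
        "sent_dst": bytes_to_mac(sent[:6]),
        "inside_dst": bytes_to_mac(inside[:6]),
        "delivered_dst": bytes_to_mac(delivered[:6]),
        "restored": delivered == sent,
    }


if __name__ == "__main__":
    print("group-mac valid:", valid_group_mac(GROUP_MAC), "reserved example:", valid_group_mac("0180-c200-0010"))
    print(demo())
```

Because the frame travels through the LAN Switch with an ordinary multicast destination, it is subject to the same flooding as any other multicast; the tunnel must therefore be enabled only on the ports that actually carry 802.1x traffic.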


18 Common VRRP Operations

About This Chapter

This chapter describes common VRRP operations.

18.1 Enabling the Master to Respond to Ping Packets Sent to a Virtual IP Address

18.2 Configuring Association Between VRRP and the Interface Status

18.3 Configuring Association Between VRRP and BFD

18.4 Configuring Association Between VRRP and NQA

18.5 Configuring Association Between VRRP and Routing

18.6 Configuring the VRRP Version Number 

18.7 Configuring a Preemption Mode

18.8 Configuring the Mode in Which the Master Sends VRRP Advertisement Packets in a

Super-VLAN

18.9 Enabling MAC Address Triggered ARP Entry Update


18.1 Enabling the Master to Respond to Ping Packets Sent to a Virtual IP Address

# Enable the master to respond to ping packets sent to a virtual IP address.

<HUAWEI> system-view
[HUAWEI] vrrp virtual-ip ping enable

18.2 Configuring Association Between VRRP and the Interface Status

# Configure association between VRRP and the interface status to implement an active/standby switchover. When GE1/0/1 goes down, the priority of this router in VRID 1 is reduced by 40.

<HUAWEI> system-view
[HUAWEI] interface vlanif 10
[HUAWEI-Vlanif10] ip address 10.1.1.1 24
[HUAWEI-Vlanif10] vrrp vrid 1 virtual-ip 10.1.1.3
[HUAWEI-Vlanif10] vrrp vrid 1 track interface gigabitethernet 1/0/1 reduced 40
[HUAWEI-Vlanif10] quit

18.3 Configuring Association Between VRRP and BFD

# Configure association between VRRP and BFD to implement a rapid active/standby switchover. When BFD session 1 goes down, the priority of this router is increased by 40.

<HUAWEI> system-view
[HUAWEI] interface vlanif 10
[HUAWEI-Vlanif10] ip address 10.1.1.1 24
[HUAWEI-Vlanif10] vrrp vrid 1 virtual-ip 10.1.1.3
[HUAWEI-Vlanif10] quit
[HUAWEI] bfd
[HUAWEI-bfd] quit
[HUAWEI] bfd atob bind peer-ip 10.1.1.2 interface vlanif 10
[HUAWEI-bfd-session-atob] discriminator local 1
[HUAWEI-bfd-session-atob] discriminator remote 2
[HUAWEI-bfd-session-atob] min-rx-interval 100
[HUAWEI-bfd-session-atob] min-tx-interval 100
[HUAWEI-bfd-session-atob] commit
[HUAWEI-bfd-session-atob] quit
[HUAWEI] interface vlanif 10
[HUAWEI-Vlanif10] vrrp vrid 1 track bfd-session 1 increased 40
[HUAWEI-Vlanif10] quit

18.4 Configuring Association Between VRRP and NQA

# Configure association between VRRP and NQA to implement an active/standby switchover.

<HUAWEI> system-view
[HUAWEI] interface vlanif 10
[HUAWEI-Vlanif10] ip address 10.1.1.1 24
[HUAWEI-Vlanif10] vrrp vrid 1 virtual-ip 10.1.1.3
[HUAWEI-Vlanif10] quit


[HUAWEI] nqa test-instance user test
[HUAWEI-nqa-user-test] test-type icmp
[HUAWEI-nqa-user-test] destination-address ipv4 10.20.1.2
[HUAWEI-nqa-user-test] frequency 15
[HUAWEI-nqa-user-test] start now
[HUAWEI-nqa-user-test] quit
[HUAWEI] interface vlanif 10
[HUAWEI-Vlanif10] vrrp vrid 1 track nqa user test reduced 40
[HUAWEI-Vlanif10] quit

18.5 Configuring Association Between VRRP and Routing

# Configure association between VRRP and routing to implement an active/standby switchover. When the route to 10.20.1.0/24 disappears from the routing table, the priority is reduced by 40.

<HUAWEI> system-view
[HUAWEI] interface vlanif 10
[HUAWEI-Vlanif10] ip address 10.1.1.1 24
[HUAWEI-Vlanif10] vrrp vrid 1 virtual-ip 10.1.1.3
[HUAWEI-Vlanif10] vrrp vrid 1 track ip route 10.20.1.0 24 reduced 40
[HUAWEI-Vlanif10] quit

18.6 Configuring the VRRP Version Number

# Configure the VRRP version number.

<HUAWEI> system-view
[HUAWEI] vrrp version v3

18.7 Configuring a Preemption Mode

Configuring a Non-preemption Mode

<HUAWEI> system-view
[HUAWEI] interface vlanif 10
[HUAWEI-Vlanif10] vrrp vrid 1 preempt-mode disable

Configuring a Preemption Mode (with a 20-second preemption delay)

<HUAWEI> system-view
[HUAWEI] interface vlanif 10
[HUAWEI-Vlanif10] vrrp vrid 1 preempt-mode timer delay 20
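The following is an added example, not code from the Huawei guide: a small Python model of what the tracking commands in 18.2-18.5 and the preemption setting in 18.7 do to master election. A router's running priority is its configured priority adjusted by the increased/reduced value of every tracked object that is down, clamped to the configurable range 1-254 (255 is reserved for the owner of the virtual address and is never adjusted); the router with the highest running priority becomes master, ties going to the higher interface address, and a backup with preemption disabled leaves a live master in place. The two-router topology, the priority values and the tracked objects are constructed for the example, using the addresses from the sections above; the preemption delay timer is not modelled.

```python
"""Added example: VRRP master election under priority tracking and preemption.
Not code from the guide; the routers and tracked objects are constructed."""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


@dataclass
class Track:
    target: str   # "interface GE1/0/1", "bfd-session 1", "nqa user test", "ip route 10.20.1.0/24"
    delta: int    # 'increased N' -> +N, 'reduced N' -> -N, applied while the target is down


@dataclass
class Router:
    name: str
    ip: str                     # interface address, the VRRP tie-breaker
    priority: int = 100         # VRRP default when no priority is configured
    preempt: bool = True        # 'vrrp vrid 1 preempt-mode disable' -> False
    tracks: List[Track] = field(default_factory=list)


def running_priority(r: Router, down: Set[str]) -> int:
    """Configured priority adjusted by each tracked target that is down, clamped to 1..254."""
    if r.priority == 255:          # virtual-address owner: never adjusted
        return 255
    p = r.priority + sum(t.delta for t in r.tracks if t.target in down)
    return max(1, min(254, p))


def elect(routers: List[Router], down: Set[str], current: Optional[str]) -> str:
    """Highest running priority wins; equal priority -> higher interface IP.
    A backup with preemption disabled does not displace a master that is still alive."""
    alive = [r for r in routers if r.name not in down]
    best = max(alive, key=lambda r: (running_priority(r, down), int(ipaddress.IPv4Address(r.ip))))
    master_alive = any(r.name == current for r in alive)
    if master_alive and best.name != current and not best.preempt:
        return current
    return best.name


# Constructed pair using the addresses from 18.2-18.5: A is meant to be master.
A = Router("A", "10.1.1.1", priority=120,
           tracks=[Track("interface GE1/0/1", -40), Track("ip route 10.20.1.0/24", -40)])
B = Router("B", "10.1.1.2", priority=100, tracks=[Track("bfd-session 1", +40)])
B_NO_PREEMPT = Router("B", "10.1.1.2", priority=100, preempt=False, tracks=B.tracks)


def scenario() -> Dict[str, str]:
    out = {}
    out["all up"] = elect([A, B], set(), None)                                   # 120 vs 100
    out["GE1/0/1 down"] = elect([A, B], {"interface GE1/0/1"}, "A")              # A falls to 80
    out["GE1/0/1 and route down"] = elect([A, B], {"interface GE1/0/1", "ip route 10.20.1.0/24"}, "A")
    out["A dead, BFD down"] = elect([A, B], {"bfd-session 1", "A"}, "A")        # B rises to 140
    out["GE1/0/1 down, B no preempt"] = elect([A, B_NO_PREEMPT], {"interface GE1/0/1"}, "A")
    return out


if __name__ == "__main__":
    for case, master in scenario().items():
        print(f"{case:32s} -> master {master}")
```

The last case is the one that surprises people: with preempt-mode disable on the backup, a degraded master keeps the virtual address until it actually fails, so a reduced value only matters if the peer is allowed to preempt.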

18.8 Configuring the Mode in Which the Master Sends VRRP Advertisement Packets in a Super-VLAN

# Configure the mode in which the master sends VRRP Advertisement packets in a super-VLAN.

<HUAWEI> system-view
[HUAWEI] interface vlanif 100
[HUAWEI-Vlanif100] vrrp advertise send-mode 10


18.9 Enabling MAC Address Triggered ARP Entry Update

# Enable the MAC address triggered ARP entry update function.

<HUAWEI> system-view[HUAWEI] mac-address update arp


19 Common SNMP Operations

About This Chapter

This chapter describes common SNMP operations.

19.1 Configuring Access Control

19.2 Setting the SNMP Version and Community Name

19.3 Configuring User Group and User Name

19.4 Configuring the Device to Send Traps

19.5 Deleting Community Name


19.1 Configuring Access Control

To ensure device security, you can configure an access control list (ACL) and MIB views to restrict NMS access to the device.

- Configure an ACL.

ACL 2001 allows only the NMS on network segment 192.168.1.0 to access the device.

<HUAWEI> system-view
[HUAWEI] acl 2001
[HUAWEI-acl-basic-2001] rule permit source 192.168.1.0 0.0.0.255
[HUAWEI-acl-basic-2001] rule deny source any

- Create a MIB view.

The MIB view is named alliso and includes the iso subtree.

<HUAWEI> system-view
[HUAWEI] snmp-agent mib-view included alliso iso
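As an added example (not from the Huawei guide), the following Python evaluates ACL 2001 against candidate NMS addresses with the first-match and inverse-mask (wildcard) semantics the rule syntax uses; the no-match default, the function names and the mistyped-mask variant are this example's assumptions, not anything the guide states:

```python
# Added example (not Huawei code): evaluate a Huawei basic ACL such as ACL 2001
# above against a candidate NMS source address, using first-match semantics.
import ipaddress

def parse_basic_acl(rule_lines):
    """Parse 'rule permit source 192.168.1.0 0.0.0.255' style lines into
    (action, address, wildcard) tuples; 'source any' matches every address."""
    rules = []
    for line in rule_lines:
        tokens = line.split()
        action, src = tokens[1], tokens[3]
        if src == "any":
            rules.append((action, 0, 0xFFFFFFFF))      # every bit is "don't care"
        else:
            addr = int(ipaddress.IPv4Address(src))
            wildcard = int(ipaddress.IPv4Address(tokens[4]))
            rules.append((action, addr, wildcard))
    return rules

def acl_action(rules, source_ip, no_match="deny"):
    """Return the action of the first rule matching source_ip. A wildcard bit set
    to 1 is ignored; every other bit must equal the rule address bit. The no_match
    default is an assumption of this example; ACL 2001 sidesteps the question by
    ending with an explicit 'rule deny source any'."""
    ip = int(ipaddress.IPv4Address(source_ip))
    for action, addr, wildcard in rules:
        if (ip ^ addr) & (~wildcard & 0xFFFFFFFF) == 0:
            return action
    return no_match

# ACL 2001 exactly as configured in section 19.1
ACL_2001 = parse_basic_acl([
    "rule permit source 192.168.1.0 0.0.0.255",
    "rule deny source any",
])

# Constructed mistake for comparison: a subnet mask typed where the wildcard belongs.
# It permits only addresses whose last octet is 0, not the 192.168.1.0/24 segment.
ACL_MISTYPED = parse_basic_acl([
    "rule permit source 192.168.1.0 255.255.255.0",
    "rule deny source any",
])

if __name__ == "__main__":
    for ip in ("192.168.1.77", "192.168.2.5", "10.9.8.0"):
        print(ip, "ACL 2001:", acl_action(ACL_2001, ip),
              "/ mistyped mask:", acl_action(ACL_MISTYPED, ip))
```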

19.2 Setting the SNMP Version and Community Name

SNMP has three versions: v1, v2c, and v3. v1 and v2c use community names, whereas v3 does not. Because v1 and v2c lack authentication capabilities, they are vulnerable to security threats, so v3 is recommended. When a community name is configured, an ACL can be used to restrict NMS access to the device.

- SNMPv1

The SNMP version is v1, the read/write community name is community001, and access control is configured.

<HUAWEI> system-view
[HUAWEI] snmp-agent sys-info version v1
[HUAWEI] snmp-agent community write community001 mib-view alliso acl 2001

- SNMPv2c

The SNMP version is v2c, the read/write community name is community001, and access control is configured.

<HUAWEI> system-view
[HUAWEI] snmp-agent sys-info version v2c
[HUAWEI] snmp-agent community write community001 mib-view alliso acl 2001

19.3 Configuring User Group and User Name

Only v3 supports the configuration of user groups and user names. By default, SNMPv3 is enabled on a device.

The security level of a user cannot be lower than the security level of the user group to which the user belongs. The security levels, in descending order, are as follows:

- privacy: authentication and encryption
- authentication: authentication and no encryption
- none: no authentication and no encryption

If a user group is at the privacy level, the users and trap hosts of the user group must be at the privacy level. If a user group is at the authentication level, the users and trap hosts of the user group must be at the privacy or authentication level.


- In versions earlier than V200R003C00:

# Set the user group name to group001 and the security level to privacy, and configure access control to restrict NMS access to the device.

<HUAWEI> system-view
[HUAWEI] snmp-agent group v3 group001 privacy write-view alliso acl 2001

# Set the user name to user001, the authentication password to Authe1234, and the encryption password to Priva1234.

<HUAWEI> system-view
[HUAWEI] snmp-agent usm-user v3 user001 group001 authentication-mode sha Authe1234 privacy-mode des56 Priva1234

- V200R003C00 and later versions:

# Set the user group name to group001 and the security level to privacy, and configure access control to restrict NMS access to the device.

<HUAWEI> system-view
[HUAWEI] snmp-agent group v3 group001 privacy write-view alliso acl 2001

# Set the user name to user001, the authentication password to Authe@1234, and the encryption password to Priva@1234.

<HUAWEI> system-view
[HUAWEI] snmp-agent usm-user v3 user001 group group001
[HUAWEI] snmp-agent usm-user v3 user001 authentication-mode sha
Please configure the authentication password (8-64)
Enter Password: // Enter authentication password Authe@1234.
Confirm Password: // Enter authentication password Authe@1234.
[HUAWEI] snmp-agent usm-user v3 user001 privacy-mode aes256
Please configure the privacy password (8-64)
Enter Password: // Enter encryption password Priva@1234.
Confirm Password: // Enter encryption password Priva@1234.

19.4 Configuring the Device to Send Traps

After the trap function is enabled and the trap host is configured, the device automatically sends traps to the trap host.

1. Enable the trap function.

Enable the trap function for the SNMP module.

<HUAWEI> system-view
[HUAWEI] snmp-agent trap enable feature-name snmp

NOTE

If the trap function is not enabled for a module, that module uses its default trap configuration. To view the default trap configuration of each module, run the display snmp-agent trap all command. The trap function of the SNMP module is used as an example here.

2. Configure the interface to send traps.

Configure LoopBack0 with IP address 10.1.1.1 as the interface to send traps.

<HUAWEI> system-view
[HUAWEI] interface loopback 0
[HUAWEI-LoopBack0] ip address 10.1.1.1 32
[HUAWEI-LoopBack0] quit
[HUAWEI] snmp-agent trap source loopback 0


NOTE

After the interface is configured, the IP address of the interface is used to send traps. To ensure device security, it is recommended that you configure a loopback interface to send traps. The trap sending interface configured on the switch must be the same as that configured on the NMS; otherwise, the NMS cannot receive traps. In addition, a reachable route must exist between the IP addresses of the trap sending interface and the trap host.

3. Configure the trap host.

Set the trap host address to 10.1.2.10, the UDP port number to 50000, the security name to user001, the trap version to v3, and the security level to privacy.

<HUAWEI> system-view
[HUAWEI] snmp-agent target-host trap address udp-domain 10.1.2.10 udp-port 50000 params securityname user001 v3 privacy

NOTE

The trap version must be the same as the SNMP version configured on the device; otherwise, traps cannot be sent to the NMS. When the version is set to v3, the security name must be the same as the created user name; otherwise, traps cannot be sent to the NMS. v1 and v2c have no such limitation on the configuration of security names.

The default UDP port number is 162. After the UDP port number is changed, you must reconfigure the UDP port of the NMS that receives traps. If the UDP ports of the device and NMS are different, traps cannot be sent to the NMS.

The security level of the trap host cannot be lower than the security level of the user.
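As an added example (not from the Huawei guide), the following Python parses the V200R003C00-and-later SNMPv3 commands of sections 19.3 and 19.4 and checks them against the rules this chapter states: a user's level is not below its group's, a v3 trap host names an existing user and is not below that user's level, and the trap version matches the device's. The function names, the "v3 unless sys-info says otherwise" default and the treatment of a missing trap-host level as "none" are this example's assumptions, not Huawei's:

```python
# Added example (not Huawei code): lint the SNMPv3 commands of sections 19.3 and 19.4
# (V200R003C00 and later syntax) against the level rules the guide states.
LEVELS = {"none": 0, "authentication": 1, "privacy": 2}

def parse_snmp(lines):
    groups, users, hosts, version = {}, {}, [], "v3"   # guide: SNMPv3 is the default
    for line in lines:
        t = line.split()
        if t[:3] == ["snmp-agent", "sys-info", "version"]:
            version = t[3]
        elif t[:3] == ["snmp-agent", "group", "v3"]:
            groups[t[3]] = t[4]                        # group name -> security level
        elif t[:3] == ["snmp-agent", "usm-user", "v3"]:
            u = users.setdefault(t[3], {"group": None, "auth": False, "priv": False})
            if "group" in t[4:]:
                u["group"] = t[t.index("group") + 1]
            u["auth"] |= "authentication-mode" in t
            u["priv"] |= "privacy-mode" in t
        elif t[:3] == ["snmp-agent", "target-host", "trap"]:
            i = t.index("securityname")                # name, version, optional level
            hosts.append((t[t.index("udp-domain") + 1], t[i + 1], t[i + 2], t[i + 3] if len(t) > i + 3 else "none"))
    return groups, users, hosts, version

def user_level(u):   # privacy requires both modes; authentication only the auth mode
    return "privacy" if u["priv"] else "authentication" if u["auth"] else "none"

def check_snmp(lines):
    """Return the list of violations; an empty list means the configuration is consistent."""
    groups, users, hosts, version = parse_snmp(lines)
    problems = []
    for name, u in users.items():
        g = groups.get(u["group"])
        if g is None:
            problems.append(f"user {name}: group {u['group']} is not defined")
        elif LEVELS[user_level(u)] < LEVELS[g]:
            problems.append(f"user {name}: {user_level(u)} is below group level {g}")
    for addr, sname, ver, level in hosts:
        if ver != version:
            problems.append(f"trap host {addr}: version {ver} differs from device version {version}")
        elif ver == "v3" and sname not in users:
            problems.append(f"trap host {addr}: security name {sname} is not a user")
        elif ver == "v3" and LEVELS[level] < LEVELS[user_level(users[sname])]:
            problems.append(f"trap host {addr}: {level} is below the level of user {sname}")
    return problems
GUIDE_CONFIG = [   # the commands from the guide; passwords are entered interactively
    "snmp-agent group v3 group001 privacy write-view alliso acl 2001",
    "snmp-agent usm-user v3 user001 group group001",
    "snmp-agent usm-user v3 user001 authentication-mode sha",
    "snmp-agent usm-user v3 user001 privacy-mode aes256",
    "snmp-agent target-host trap address udp-domain 10.1.2.10 udp-port 50000 params securityname user001 v3 privacy",
]
```

Running check_snmp(GUIDE_CONFIG) returns an empty list; dropping the privacy-mode line, lowering the trap host to authentication, or setting sys-info version v2c each produces one finding.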

19.5 Deleting Community Name

When you delete a community name, the configuration related to the community name is also deleted. The community names are stored in cipher text on the device; therefore, you can delete the community name in either of the following ways:

- In plain text:

You must enter the correct community name; otherwise, the community name cannot be deleted.

<HUAWEI> system-view
[HUAWEI] undo snmp-agent community community001

- In cipher text:

Before deleting a community name in cipher text, you must query the encrypted community name.

<HUAWEI> system-view
[HUAWEI] display snmp-agent community
   Community name:%^%#v_@eE"TW3Yw"7"Q2Vd!"/$XsX|}+GOBz8V.pEh>=x9)J,Tuy}3Mp#+X4QV5CAI^:Z;NlA3*&ta4}a53-%^%#
   Group name:%^%#v_@eE"TW3Yw"7"Q2Vd!"/$XsX|}+GOBz8V.pEh>=x9)J,Tuy}3Mp#+X4QV5CAI^:Z;NlA3*&ta4}a53-%^%#
   Acl:2001
   Storage-type: nonVolatile
[HUAWEI] undo snmp-agent community %#%#v_@eE"TW3Yw"7"Q2Vd!"/$XsX|}+GOBz8V.pEh>=x9)J,Tuy}3Mp#+X4QV5CAI^:Z;NlA3*&ta4}a53-%#%#


20 Common OSPF Operations

This chapter uses the Open Shortest Path First (OSPF) network shown in Figure 20-1 as an example to describe common OSPF operations.

Figure 20-1 Basic OSPF network (figure not reproduced; it shows SwitchA through SwitchF connected by VLANIF interfaces in Area0, Area1, and Area2, using the segments 192.168.0.0/24, 192.168.1.0/24, 192.168.2.0/24, 172.16.1.0/24, 172.17.1.0/24, and 172.18.1.0/24)

Configuring Basic OSPF Functions

The following uses the configuration of SwitchA as an example. The configurations of the other switches are similar to the configuration of SwitchA.

<SwitchA> system-view
[SwitchA] ospf 1
[SwitchA-ospf-1] area 0


[SwitchA-ospf-1-area-0.0.0.0] network 192.168.0.0 0.0.0.255  //Enable OSPF on VLANIF10.
[SwitchA-ospf-1-area-0.0.0.0] quit
[SwitchA-ospf-1] area 1
[SwitchA-ospf-1-area-0.0.0.1] network 192.168.1.0 0.0.0.255  //Enable OSPF on VLANIF20.
[SwitchA-ospf-1-area-0.0.0.1] quit
[SwitchA-ospf-1] quit

Configuring a Stub Area

A stub area is a special area whose area border router (ABR) does not flood received autonomous system (AS) external routes, which significantly reduces the routing table size and the amount of routing information transmitted by routers. A border area on an OSPF network is often configured as a stub area. For example, configure Area1 as a stub area.

The following uses the configuration of SwitchA as an example. The configurations of the other switches in Area1 are similar to the configuration of SwitchA.

[SwitchA] ospf 1
[SwitchA-ospf-1] area 1
[SwitchA-ospf-1-area-0.0.0.1] stub
[SwitchA-ospf-1-area-0.0.0.1] quit
[SwitchA-ospf-1] quit

Configuring an NSSA

In a not-so-stubby area (NSSA), an ABR does not flood AS external routes received from other areas, similar to the situation in a stub area. The difference is that an ABR can import and flood AS external routes to the entire OSPF domain. A border area connected to another AS on an OSPF network is often configured as an NSSA. For example, configure Area2 as an NSSA.

The following uses the configuration of SwitchB as an example. The configurations of the other switches in Area2 are similar to the configuration of SwitchB.

[SwitchB] ospf 1
[SwitchB-ospf-1] area 2
[SwitchB-ospf-1-area-0.0.0.2] nssa
[SwitchB-ospf-1-area-0.0.0.2] quit
[SwitchB-ospf-1] quit

Configuring OSPF to Import Routes

To access a device running a non-OSPF protocol, an OSPF-capable device needs to import the routes of the non-OSPF protocol into the OSPF network. For example, configure OSPF to import the direct routes of SwitchF into the OSPF network.

[SwitchF] ospf 1
[SwitchF-ospf-1] import-route direct
[SwitchF-ospf-1] quit

Setting the OSPF Interface Cost

By default, OSPF automatically calculates the cost of an interface according to the interface bandwidth. You can also manually set the OSPF interface cost. For example, set the cost of VLANIF 20 on SwitchA to 5.

[SwitchA] interface vlanif 20
[SwitchA-Vlanif20] ospf cost 5
[SwitchA-Vlanif20] quit


Configuring Association Between OSPF and BFD

To accelerate OSPF convergence when the status of a link changes, you can configure bidirectional forwarding detection (BFD) on OSPF links. After detecting a link failure, BFD notifies OSPF of the failure, which triggers fast OSPF convergence. When the OSPF neighbor relationship goes Down, the BFD session is deleted dynamically.

For example, set up a BFD session on the OSPF link between SwitchA and SwitchB.

# Configure SwitchA.

[SwitchA] bfd
[SwitchA-bfd] quit
[SwitchA] ospf 1
[SwitchA-ospf-1] bfd all-interfaces enable
[SwitchA-ospf-1] quit

# Configure SwitchB.

[SwitchB] bfd
[SwitchB-bfd] quit
[SwitchB] ospf 1
[SwitchB-ospf-1] bfd all-interfaces enable
[SwitchB-ospf-1] quit

Configuring OSPF to Advertise Default Routes

Multiple switches for next-hop backup or traffic load balancing often reside on the area border and AS border of an OSPF network. A default route can be configured to reduce routing entries and improve resource usage on the OSPF network.

The advertising mode of the default route is determined by the type of the area into which the default route is imported, as shown in Table 20-1.

Table 20-1 Default route advertising mode

Area Type   | Generated By                        | Advertised By | LSA Type  | Flooding Area
Common area | The default-route-advertise command | ASBR          | Type5 LSA | Common area
