Configuration Guide - Ethernet (V100R006C01 - 01)

Quidway S9300 Terabit Routing Switch V100R006C01
Configuration Guide - Ethernet

Issue Date 01 2011-10-26
HUAWEI TECHNOLOGIES CO., LTD.
Copyright Huawei Technologies Co., Ltd. 2011. All rights reserved. No part of this document may be reproduced or transmitted in any form or by any means without prior written consent of Huawei Technologies Co., Ltd.
Trademarks and Permissions

and other Huawei trademarks are trademarks of Huawei Technologies Co., Ltd. All other trademarks and trade names mentioned in this document are the property of their respective holders.
Notice
The purchased products, services and features are stipulated by the contract made between Huawei and the customer. All or part of the products, services and features described in this document may not be within the purchase scope or the usage scope. Unless otherwise specified in the contract, all statements, information, and recommendations in this document are provided "AS IS" without warranties, guarantees or representations of any kind, either express or implied. The information in this document is subject to change without notice. Every effort has been made in the preparation of this document to ensure accuracy of the contents, but all statements, information, and recommendations in this document do not constitute the warranty of any kind, express or implied.
Huawei Technologies Co., Ltd.

Address: Huawei Industrial Base Bantian, Longgang Shenzhen 518129 People's Republic of China http://www.huawei.com support@huawei.com
Website: Email:
Issue 01 (2011-10-26)
Huawei Proprietary and Confidential Copyright Huawei Technologies Co., Ltd.
Quidway S9300 Terabit Routing Switch Configuration Guide - Ethernet
About This Document
About This Document

Intended Audience
This document provides the basic concepts, configuration procedures, and configuration examples in different application scenarios of the Ethernet feature supported by the S9300 device. This document describes how to configure the Ethernet feature. This document is intended for: l l l l Data configuration engineers Commissioning engineers Network monitoring engineers System maintenance engineers
Symbol Conventions
The symbols that may be found in this document are defined as follows. Symbol Description
DANGER
Indicates a hazard with a high level of risk, which if not avoided, will result in death or serious injury. Indicates a hazard with a medium or low level of risk, which if not avoided, could result in minor or moderate injury. Indicates a potentially hazardous situation, which if not avoided, could result in equipment damage, data loss, performance degradation, or unexpected results. Indicates a tip that may help you solve a problem or save time. Provides additional information to emphasize or supplement important points of the main text.
WARNING
CAUTION
TIP
NOTE
Issue 01 (2011-10-26)
ii
About This Document
Command Conventions
The command conventions that may be found in this document are defined as follows. Convention Boldface Italic [] { x | y | ... } [ x | y | ... ] { x | y | ... }* Description The keywords of a command line are in boldface. Command arguments are in italics. Items (keywords or arguments) in brackets [ ] are optional. Optional items are grouped in braces and separated by vertical bars. One item is selected. Optional items are grouped in brackets and separated by vertical bars. One item is selected or no item is selected. Optional items are grouped in braces and separated by vertical bars. A minimum of one item or a maximum of all items can be selected. Optional items are grouped in brackets and separated by vertical bars. Several items or no item can be selected. The parameter before the & sign can be repeated 1 to n times. A line starting with the # sign is comments.
[ x | y | ... ]* &<1-n> #
Change History
Updates between document issues are cumulative. Therefore, the latest document issue contains all updates made in previous issues.
Changes in Issue 01 (2011-10-26)

Initial commercial release.
Issue 01 (2011-10-26)
iii
Contents
Contents
About This Document.....................................................................................................................ii 1 Ethernet Interface Configuration...............................................................................................1
1.1 Introduction to Ethernet Interfaces.....................................................................................................................2 1.2 Ethernet Interface Features Supported by the S9300.........................................................................................2 1.3 Configuring Basic Attributes of the Ethernet Interface......................................................................................3 1.3.1 Establishing the Configuration Task.........................................................................................................3 1.3.2 (Optional) Configuring a Description for an Interface..............................................................................3 1.3.3 (Optional) Configuring the Cable Type on an Interface............................................................................4 1.3.4 (Optional) Setting the Duplex Mode.........................................................................................................5 1.3.5 (Optional) Setting the Rate of an Interface................................................................................................5 1.3.6 (Optional) Enabling Auto-Negotiation......................................................................................................6 1.3.7 (Optional) Switching Between Optical and Electrical Interfaces..............................................................6 1.3.8 (Optional) Configuring an Interface to Work at Layer 2 or Layer 3.........................................................7 1.3.9 Checking the Configuration.......................................................................................................................7 1.4 Configuring Advanced Attributes of an Ethernet Interface................................................................................8 1.4.1 Establishing the Configuration Task.........................................................................................................8 1.4.2 (Optional) Configuring Loopback on the Ethernet Interface....................................................................9 1.4.3 (Optional) Setting the Minimum Interval for Re-enabling an Interface....................................................9 1.4.4 (Optional) Configuring the Interface Group..............................................................................................9 1.4.5 (Optional) Setting the Maximum Frame Length on the Ethernet Interface.............................................10 1.4.6 (Optional) Enabling Flow Control...........................................................................................................10 1.4.7 (Optional) Enabling Auto-Negotiation of Flow Control.........................................................................11 1.4.8 (Optional) Enabling Port Isolation..........................................................................................................11 1.4.9 (Optional) Performing a Cable Test on an Interface...............................................................................12 1.4.10 (Optional) Configuring Link Flapping Protection on an Interface........................................................13 1.4.11 (Optional) Assigning an IP Address to an Ethernet Sub-interface........................................................14 1.4.12 Checking the Configuration...................................................................................................................14 1.5 Maintaining Ethernet Interfaces.......................................................................................................................15 1.5.1 Debugging Ethernet Interfaces................................................................................................................15 1.6 Configuration Examples...................................................................................................................................15 1.6.1 Example for Configuring Port Isolation..................................................................................................15
2 Link Aggregation Configuration..............................................................................................18

Issue 01 (2011-10-26) Huawei Proprietary and Confidential Copyright Huawei Technologies Co., Ltd. iv
Contents
2.1 Introduction to Link Aggregation.....................................................................................................................20 2.2 Link Aggregation Supported by the S9300......................................................................................................20 2.3 Configuring Link Aggregation in Manual Load Balancing Mode...................................................................21 2.3.1 Establishing the Configuration Task.......................................................................................................21 2.3.2 Configuring the Eth-Trunk to Work in Manual Load Balancing Mode..................................................22 2.3.3 Adding Member Interfaces to an Eth-Trunk...........................................................................................23 2.3.4 (Optional) Configuring the Load Balancing Mode.................................................................................24 2.3.5 (Optional) Limiting the Number of Active Interfaces.............................................................................25 2.3.6 (Optional) Configuring a Profile of Enhanced Eth-Trunks in Load Balancing Mode............................26 2.3.7 (Optional) Configuring the Load Balancing Mode for Unknown Unicast Traffic..................................27 2.3.8 Checking the Configuration.....................................................................................................................28 2.4 Configuring Link Aggregation in Static LACP Mode.....................................................................................28 2.4.1 Establishing the Configuration Task.......................................................................................................28 2.4.2 Configuring the Eth-Trunk to Work in Static LACP Mode....................................................................29 2.4.3 Adding Member Interfaces to an Eth-Trunk...........................................................................................29 2.4.4 (Optional) Configuring the Load Balancing Mode.................................................................................31 2.4.5 (Optional) Limiting the Number of Active Interfaces.............................................................................32 2.4.6 (Optional) Setting the LACP Priority of the System...............................................................................33 2.4.7 (Optional) Setting the LACP Priority of an Interface..............................................................................33 2.4.8 (Optional) Enabling LACP Preemption and Setting the Delay for LACP Preemption...........................34 2.4.9 (Optional) Setting the Timeout Interval for Receiving LACP Packets...................................................35 2.4.10 (Optional) Configuring a Profile of Enhanced Eth-Trunks in Load Balancing Mode..........................35 2.4.11 (Optional) Configuring the Load Balancing Mode for Unknown Unicast Traffic................................36 2.4.12 Checking the Configuration...................................................................................................................37 2.5 Configuring an Eth-Trunk Sub-interface..........................................................................................................37 2.5.1 Establishing the Configuration Task.......................................................................................................37 2.5.2 Creating an Eth-Trunk Sub-interface.......................................................................................................38 2.5.3 Setting the IP Address of an Eth-Trunk Sub-interface............................................................................38 2.5.4 Checking the Configuration.....................................................................................................................39 2.6 Configuring an E-Trunk...................................................................................................................................39 2.6.1 Establishing the Configuration Task.......................................................................................................39 2.6.2 Setting the LACP System ID and LACP Priority of an E-Trunk............................................................40 2.6.3 Creating an E-Trunk and Setting Its Priority...........................................................................................41 2.6.4 Configuring Local and Peer IP Addresses of an E-Trunk.......................................................................41 2.6.5 Binding an E-Trunk to a BFD Session....................................................................................................42 2.6.6 Adding an Eth-Trunk to an E-Trunk.......................................................................................................43 2.6.7 (Optional) Configuring the Working Mode of an Eth-Trunk in an E-Trunk..........................................43 2.6.8 (Optional) Setting the Password..............................................................................................................44 2.6.9 (Optional) Setting the Timeout of Hello Packets....................................................................................45 2.6.10 (Optional) Setting the Revertive Switching Delay................................................................................46 2.6.11 Checking the Configuration...................................................................................................................46 2.7 Configuring an Inter-Chassis Eth-Trunk Interface to Forward Traffic Preferentially Through a Local Member Interface (CSS).......................................................................................................................................................47 Issue 01 (2011-10-26) Huawei Proprietary and Confidential Copyright Huawei Technologies Co., Ltd. v
Contents
2.7.1 Establishing the Configuration Task.......................................................................................................47 2.7.2 Configuring an Inter-Chassis Eth-Trunk Interface to Forward Traffic Preferentially Through a Local Member Interface.............................................................................................................................................49 2.7.3 Checking the Configuration.....................................................................................................................50 2.8 Maintaining Link Aggregation.........................................................................................................................50 2.8.1 Clearing Statistics of LACP Packets.......................................................................................................50 2.8.2 Debugging the Link Aggregation Group.................................................................................................51 2.8.3 Monitoring the Operation Status of the Link Aggregation Group..........................................................51 2.9 Configuration Examples...................................................................................................................................52 2.9.1 Example for Configuring Link Aggregation in Manual Load Balancing Mode.....................................52 2.9.2 Example for Configuring Link Aggregation in Static LACP Mode.......................................................55 2.9.3 Example for Connecting an E-Trunk to a VPLS Network......................................................................58 2.9.4 Example for Configuring an Inter-Chassis Eth-Trunk Interface to Forward Traffic Preferentially Through a Local Member Interface.................................................................................................................................67
3 VLAN Configuration..................................................................................................................73
3.1 Introduction......................................................................................................................................................75 3.2 VLAN Features Supported by the S9300.........................................................................................................82 3.3 Dividing a LAN into VLANs...........................................................................................................................86 3.3.1 Establishing the Configuration Task.......................................................................................................86 3.3.2 Dividing a LAN into VLANs Based on Ports.........................................................................................89 3.3.3 Dividing a LAN into VLANs Based on MAC Addresses.......................................................................91 3.3.4 Dividing a LAN into VLANs Based on IP Subnets................................................................................92 3.3.5 Dividing a LAN into VLANs Based on Protocols..................................................................................94 3.3.6 Dividing a LAN into VLANs Based on Policies.....................................................................................96 3.3.7 Checking the Configuration.....................................................................................................................97 3.4 Creating a VLANIF Interface...........................................................................................................................98 3.4.1 Establishing the Configuration Task.......................................................................................................98 3.4.2 Creating a VLANIF Interface..................................................................................................................98 3.4.3 Assigning an IP Address to a VLANIF Interface....................................................................................99 3.4.4 (Optional) Setting a Delay After Which a VLANIF Interface Goes Down............................................99 3.4.5 (Optional) Setting the MTU of a VLANIF Interface.............................................................................100 3.4.6 Checking the Configuration...................................................................................................................101 3.5 Configuring Inter-VLAN Communication.....................................................................................................101 3.5.1 Establishing the Configuration Task.....................................................................................................101 3.5.2 Configuring VLANIF Interfaces for Inter-VLAN Communication......................................................103 3.5.3 Configuring Sub-interface for Inter-VLAN Communication................................................................105 3.5.4 Configuring VLAN Switch for Inter-VLAN Communication..............................................................105 3.5.5 Checking the Configuration...................................................................................................................106 3.6 Configuring VLAN Aggregation to Save IP Addresses.................................................................................107 3.6.1 Establishing the Configuration Task.....................................................................................................107 3.6.2 Creating a Sub-VLAN...........................................................................................................................108 3.6.3 Creating a Super-VLAN........................................................................................................................109 3.6.4 Assigning an IP Address to the VLANIF Interface of a Super-VLAN.................................................110 Issue 01 (2011-10-26) Huawei Proprietary and Confidential Copyright Huawei Technologies Co., Ltd. vi
Contents
3.6.5 (Optional) Enabling Proxy ARP on the VLANIF Interface of a Super-VLAN....................................110 3.6.6 Checking the Configuration...................................................................................................................111 3.7 Configuring a MUX VLAN to Separate Layer 2 Traffic...............................................................................111 3.7.1 Establishing the Configuration Task.....................................................................................................112 3.7.2 Configuring a Principal VLAN for a MUX VLAN..............................................................................113 3.7.3 Configuring a Group VLAN for a Subordinate VLAN.........................................................................114 3.7.4 Configuring a Separate VLAN for a Subordinate VLAN.....................................................................114 3.7.5 Enabling the MUX VLAN Function on a Port......................................................................................115 3.7.6 Checking the Configuration...................................................................................................................116 3.8 Configuring a Voice VLAN to Transmit Voice Data.....................................................................................116 3.8.1 Establishing the Configuration Task.....................................................................................................116 3.8.2 Enabling the Voice VLAN Function.....................................................................................................118 3.8.3 Configuring an OUI for a Voice VLAN................................................................................................118 3.8.4 (Optional) Setting an Aging Timer for a Voice VLAN.........................................................................119 3.8.5 (Optional) Configuring an 802.1p Priority and a DSCP Value for the Voice VLAN...........................120 3.8.6 (Optional) Configuring the Mode in Which Ports Are Added to a Voice VLAN.................................120 3.8.7 (Optional) Configuring the Working Mode for a Voice VLAN............................................................122 3.8.8 (Optional) Configuring a Port to Communicate with a Voice Device of Another Vendor...................123 3.8.9 Checking the Configuration...................................................................................................................123 3.9 Configuring an mVLAN to Implement Integrated Management...................................................................124 3.9.1 Establishing the Configuration Task.....................................................................................................124 3.9.2 Configuring an mVLAN........................................................................................................................124 3.9.3 Configuring a VLANIF Interface for an mVLAN................................................................................125 3.9.4 Checking the Configuration...................................................................................................................125 3.10 Configuring VLAN Transparent Transport..................................................................................................126 3.10.1 Establishing the Configuration Task...................................................................................................126 3.10.2 Enabling VLAN Transparent Transport..............................................................................................127 3.10.3 Checking the Configuration.................................................................................................................128 3.11 Maintaining VLAN.......................................................................................................................................128 3.11.1 Clearing the Statistics of VLAN Packets............................................................................................128 3.12 Configuration Examples...............................................................................................................................129 3.12.1 Example for Configuring Interface-based VLANs..............................................................................129 3.12.2 Example for Configuring MAC Address-based VLAN Assignment..................................................131 3.12.3 Example for Configuring IP Subnet-based VLAN Assignment.........................................................133 3.12.4 Example for Configuring Protocol-based VLAN Assignment............................................................137 3.12.5 Example for Implementing Communication Between VLANs by Using VLANIF Interfaces...........140 3.12.6 Example for Implementing Communication Across a Layer 3 Network Through VLANIF Interfaces ........................................................................................................................................................................142 3.12.7 Example for Implementing Communication Between VLANs Through Sub-interfaces....................146 3.12.8 Example for Implementing Communication Across a Layer 3 Network Through Sub-interfaces ........................................................................................................................................................................148 3.12.9 Example for Implementing Communication Between VLANs Through VLAN Switching..............151 3.12.10 Example for Configuring VLAN Aggregation..................................................................................153 Issue 01 (2011-10-26) Huawei Proprietary and Confidential Copyright Huawei Technologies Co., Ltd. vii
Contents
3.12.11 Example for Configuring the MUX VLAN......................................................................................156 3.12.12 Example for Configuring a Voice VLAN in Auto Mode..................................................................158 3.12.13 Example for Configuring a Voice VLAN in Manual Mode..............................................................161 3.12.14 Example for Configuring VLAN Transparent Transmission............................................................164
4 VLAN Mapping Configuration..............................................................................................169

4.1 Introduction to VLAN Mapping.....................................................................................................................170 4.2 VLAN Mapping Features Supported by the S9300........................................................................................170 4.3 Configuring VLAN Mapping of Single VLAN Tag......................................................................................170 4.3.1 Establishing the Configuration Task.....................................................................................................170 4.3.2 Replacing a Single Tag..........................................................................................................................171 4.3.3 Checking the Configuration...................................................................................................................172 4.4 Configuring VLAN Mapping of Double VLAN Tags...................................................................................172 4.4.1 Establishing the Configuration Task.....................................................................................................172 4.4.2 Replacing Double Tags.........................................................................................................................173 4.4.3 Replacing the Outer VLAN Tag............................................................................................................173 4.4.4 Checking the Configuration...................................................................................................................174 4.5 Configuring Flow-based VLAN Mapping.....................................................................................................174 4.5.1 Establishing the Configuration Task.....................................................................................................174 4.5.2 Replacing a Single Tag..........................................................................................................................175 4.5.3 Replacing Double Tags.........................................................................................................................177 4.5.4 Replacing the Outer VLAN Tag............................................................................................................180 4.5.5 Checking the Configuration...................................................................................................................182 4.6 Configuring VLAN Mapping Based On the VLAN Priority.........................................................................183 4.6.1 Establishing the Configuration Task.....................................................................................................183 4.6.2 Configuring VLAN Mapping Based on the VLAN Priority on the Incoming Interface.......................183 4.6.3 (Optional) Configuring VLAN Priority Mapping on the Outbound Interface......................................184 4.6.4 Checking the Configuration...................................................................................................................185 4.7 Configuration Examples.................................................................................................................................185 4.7.1 Example for Configuring Mapping of Single VLAN Tag....................................................................185 4.7.2 Example for Configuring N:1 VLAN Mapping....................................................................................189 4.7.3 Example for Configuring Mapping of Double VLAN Tags (2 to 2).....................................................191 4.7.4 Example for Configuring Flow-based VLAN Mapping........................................................................194
5 QinQ Configuration..................................................................................................................199
5.1 Concept of QinQ.............................................................................................................................................201 5.2 QinQ Features Supported by the S9300.........................................................................................................201 5.3 Configuring QinQ on an Interface..................................................................................................................201 5.3.1 Establishing the Configuration Task.....................................................................................................201 5.3.2 Setting the Link Type of an Interface....................................................................................................202 5.3.3 Specifying the Outer VLAN ID.............................................................................................................203 5.3.4 Checking the Configuration...................................................................................................................203 5.4 Configuring Selective QinQ...........................................................................................................................203 5.4.1 Establishing the Configuration Task.....................................................................................................203 Issue 01 (2011-10-26) Huawei Proprietary and Confidential Copyright Huawei Technologies Co., Ltd. viii
Contents
5.4.2 Setting the Link Type of an Interface....................................................................................................204 5.4.3 Adding an Outer VLAN Tag.................................................................................................................204 5.4.4 Configuring Selective QinQ..................................................................................................................205 5.4.5 Checking the Configuration...................................................................................................................206 5.5 Configuring Flow-based Selective QinQ.......................................................................................................206 5.5.1 Establishing the Configuration Task.....................................................................................................206 5.5.2 Setting the Link Type of an Interface....................................................................................................207 5.5.3 Setting the Packet Matching Rule.........................................................................................................207 5.5.4 Adding an Outer VLAN Tag.................................................................................................................207 5.5.5 Configuring a Traffic Policy..................................................................................................................208 5.5.6 Applying the Traffic Policy...................................................................................................................208 5.5.7 Checking the Configuration...................................................................................................................209 5.6 Configuring VLAN Stacking Based On the VLAN Priority..........................................................................209 5.6.1 Establishing the Configuration Task.....................................................................................................209 5.6.2 Configuring VLAN Stacking Based on the VLAN Priority on the Incoming Interface.......................210 5.6.3 (Optional) Configuring VLAN Priority Mapping on the Outbound Interface......................................210 5.6.4 Checking the Configuration...................................................................................................................211 5.7 Setting the Protocol Type in the Outer VLAN Tag........................................................................................211 5.7.1 Establishing the Configuration Task.....................................................................................................211 5.7.2 Configuring the Type of an Interface....................................................................................................212 5.7.3 Setting the Protocol Type in the Outer VLAN Tag...............................................................................212 5.7.4 Checking the Configuration...................................................................................................................213 5.8 Adding Double VLAN Tags to Untagged Packets.........................................................................................213 5.8.1 Establishing the Configuration Task.....................................................................................................213 5.8.2 Setting the Interface Type......................................................................................................................214 5.8.3 Adding an Interface to the Outer VLAN...............................................................................................214 5.8.4 Adding Double VLAN Tags to Untagged Packets................................................................................215 5.8.5 Checking the Configuration...................................................................................................................216 5.9 Connecting Sub-interfaces to a VLL Network...............................................................................................216 5.9.1 Establishing the Configuration Task.....................................................................................................216 5.9.2 Configuring a Dot1q Sub-interface.......................................................................................................217 5.9.3 Configuring a QinQ Sub-interface........................................................................................................217 5.9.4 Configuring VLAN Mapping of a Single Tag on a Sub-interface........................................................218 5.9.5 Configuring VLAN Mapping of Double Tags on a Sub-interface........................................................218 5.9.6 Configuring VLAN Stacking on a Sub-interface..................................................................................218 5.9.7 Creating a VLL Connection..................................................................................................................219 5.9.8 Checking the Configuration...................................................................................................................219 5.10 Connecting Sub-interfaces to a VPLS Network...........................................................................................219 5.10.1 Establishing the Configuration Task...................................................................................................220 5.10.2 Configuring a Dot1q Sub-interface.....................................................................................................220 5.10.3 Configuring a QinQ Sub-interface......................................................................................................221 5.10.4 Configuring VLAN Mapping of a Single Tag on a Sub-interface......................................................221 Issue 01 (2011-10-26) Huawei Proprietary and Confidential Copyright Huawei Technologies Co., Ltd. ix
Contents
5.10.5 Configuring VLAN Mapping of Double Tags on a Sub-interface......................................................222 5.10.6 Configuring VLAN Stacking on a Sub-interface................................................................................222 5.10.7 Configuring VPLS...............................................................................................................................222 5.10.8 Checking the Configuration.................................................................................................................223 5.11 Configuring a Sub-interface to Access an L3VPN.......................................................................................223 5.11.1 Establishing the Configuration Task...................................................................................................223 5.11.2 Configuring a Dot1q Sub-interface.....................................................................................................224 5.11.3 Configuring a QinQ Sub-interface......................................................................................................225 5.11.4 Configuring L3VPN............................................................................................................................226 5.11.5 Checking the Configuration.................................................................................................................226 5.12 Configuration Examples...............................................................................................................................226 5.12.1 Example for Configuring QinQ on Interfaces.....................................................................................226 5.12.2 Example for Configuring Selective QinQ...........................................................................................229 5.12.3 Example for Configuring Selective QinQ with VLAN Mapping........................................................232 5.12.4 Example for Configuring Selective QinQ with a Traffic Policy.........................................................235 5.12.5 Example for Configuring Flow-based Selective QinQ........................................................................238 5.12.6 Example for Configuring the Dot1q Sub-interfaces to Access VLL...................................................243 5.12.7 Example for Connecting QinQ Sub-interfaces to a VLL Network.....................................................249 5.12.8 Example for Connecting a Sub-interface Enabled with the Single-Tag VLAN Mapping to a VLL Network ........................................................................................................................................................................256 5.12.9 Example for Connecting a Sub-interface Enabled with Double-Tag VLAN Mapping to a VLL Network ........................................................................................................................................................................262 5.12.10 Example for Connecting a Sub-interface Enabled with VLAN Stacking to a VLL Network...........270 5.12.11 Example for Connecting Dot1q Sub-interfaces to a VPLS Network................................................277 5.12.12 Example for Connecting QinQ Sub-interfaces to a VPLS Network.................................................284 5.12.13 Example for Connecting a Sub-interface Enabled with Single-Tag VLAN Mapping to a VPLS Network ........................................................................................................................................................................291 5.12.14 Example for Connecting a Sub-interface Enabled with Double-Tag VLAN Mapping to a VPLS Network..........................................................................................................................................................297 5.12.15 Example for Connecting a Sub-interface Enabled with VLAN Stacking to a VPLS Network.........305 5.12.16 Example for Configuring the Dot1q Sub-interface to Access an L3VPN.........................................312 5.12.17 Example for Configuring the QinQ Sub-interface to Access an L3VPN..........................................325
6 GVRP Configuration................................................................................................................340
6.1 GVRP Overview.............................................................................................................................................341 6.2 GVRP Features Supported by the S9300.......................................................................................................344 6.3 Configuring GVRP.........................................................................................................................................345 6.3.1 Establishing the Configuration Task.....................................................................................................345 6.3.2 Enabling GVRP.....................................................................................................................................345 6.3.3 (Optional) Setting the Registration Mode of a GVRP Interface............................................................346 6.3.4 (Optional) Setting the GARP Timers....................................................................................................347 6.3.5 Checking the Configuration...................................................................................................................348 6.4 Maintaining GVRP.........................................................................................................................................348 6.4.1 Clearing GARP Statistics......................................................................................................................348 Issue 01 (2011-10-26) Huawei Proprietary and Confidential Copyright Huawei Technologies Co., Ltd. x
Contents
6.5 Configuration Examples.................................................................................................................................349 6.5.1 Example for Configuring GVRP...........................................................................................................349
7 MAC Address Table Configuration.......................................................................................353

7.1 MAC Address Table Overview......................................................................................................................355 7.2 MAC Address Features Supported by the S9300...........................................................................................356 7.3 Configuring a Static MAC Address Entry......................................................................................................358 7.4 Configuring a Blackhole MAC Address Entry...............................................................................................359 7.5 Setting the Aging Time of Dynamic MAC Address Entries..........................................................................360 7.6 Disabling MAC Address Learning.................................................................................................................361 7.6.1 Establishing the Configuration Task.....................................................................................................361 7.6.2 Disabling MAC Address Learning on an Interface...............................................................................362 7.6.3 Disabling MAC Address Learning in a VLAN.....................................................................................363 7.6.4 Checking the Configuration...................................................................................................................363 7.7 Limiting the Number of Learned MAC Addresses........................................................................................363 7.7.1 Establishing the Configuration Task.....................................................................................................364 7.7.2 Limiting the Number of MAC Addresses Learned on an Interface......................................................365 7.7.3 Limiting the Number of MAC Addresses Learned in a VLAN............................................................366 7.7.4 Limiting the Number of MAC Addresses Learned in a VSI.................................................................367 7.7.5 Limiting the Number of MAC Addresses Learned in a Slot.................................................................368 7.7.6 Checking the Configuration...................................................................................................................368 7.8 Configuring Port Security...............................................................................................................................369 7.8.1 Establishing the Configuration Task.....................................................................................................369 7.8.2 Configuring the Secure Dynamic MAC Function on an Interface........................................................370 7.8.3 Configuring the Sticky MAC Function on an Interface........................................................................371 7.8.4 Checking the Configuration...................................................................................................................372 7.9 Configuring MAC Address Anti-Flapping.....................................................................................................372 7.9.1 Establishing the Configuration Task.....................................................................................................372 7.9.2 Setting the MAC Address Learning Priority of an Interface.................................................................373 7.9.3 Prohibiting MAC Address Flapping Between Interfaces with the Same Priority.................................374 7.9.4 Checking the Configuration...................................................................................................................374 7.10 Configuring MAC Address Flapping Detection...........................................................................................375 7.10.1 Establishing the Configuration Task...................................................................................................375 7.10.2 Configuring MAC Address Flapping Detection..................................................................................376 7.10.3 (Optional) Unblocking a Blocked Interface or MAC Address............................................................376 7.10.4 Checking the Configuration.................................................................................................................377 7.11 Configuring the S9300 to Discard Packets with an All-0 MAC Address....................................................377 7.12 Enabling MAC Address Triggered ARP Entry Update................................................................................378 7.13 Enabling Port Bridge....................................................................................................................................379 7.14 Configuration Examples...............................................................................................................................380 7.14.1 Example for Configuring the MAC Address Table.............................................................................380 7.14.2 Example for Configuring the Limitation on MAC Address Learning Based on VLANs...................383 7.14.3 Example for Configuring the Limitation on MAC Address Learning Based on VSIs........................385 Issue 01 (2011-10-26) Huawei Proprietary and Confidential Copyright Huawei Technologies Co., Ltd. xi
Contents
7.14.4 Example for Configuring Interface Security.......................................................................................386 7.14.5 Example for Configuring MAC Address Anti-Flapping.....................................................................388
8 STP/RSTP Configuration.........................................................................................................391
8.1 STP/RSTP Overview......................................................................................................................................392 8.1.1 STP/RSTP Overview.............................................................................................................................392 8.1.2 STP/RSTP Features Supported by the S9300........................................................................................397 8.2 Configuring Basic STP/RSTP Functions.......................................................................................................399 8.2.1 Establishing the Configuration Task.....................................................................................................399 8.2.2 Configuring the STP/RSTP Mode.........................................................................................................401 8.2.3 (Optional) Configuring Switching Device Priorities.............................................................................401 8.2.4 (Optional) Setting the Path Cost for a Port............................................................................................402 8.2.5 (Optional) Configuring Port Priorities...................................................................................................403 8.2.6 Enabling STP/RSTP..............................................................................................................................404 8.2.7 Checking the Configuration...................................................................................................................404 8.3 Configuring STP/RSTP Parameters on an Interface......................................................................................405 8.3.1 Establishing the Configuration Task.....................................................................................................407 8.3.2 Setting System Parameters....................................................................................................................408 8.3.3 Setting Port Parameters.........................................................................................................................409 8.3.4 Checking the Configuration...................................................................................................................411 8.4 Configuring RSTP Protection Functions........................................................................................................411 8.4.1 Establishing the Configuration Task.....................................................................................................411 8.4.2 Configuring BPDU Protection on a Switching Device.........................................................................413 8.4.3 Configuring TC Protection on a Switching Device...............................................................................414 8.4.4 Configuring Root Protection on a Port..................................................................................................414 8.4.5 Configuring Loop Protection on a Port.................................................................................................415 8.4.6 Checking the Configuration...................................................................................................................416 8.5 Configuring STP/RSTP Interoperability Between Huawei Devices and Non-Huawei Devices....................416 8.5.1 Establishing the Configuration Task.....................................................................................................416 8.5.2 Configuring the Proposal/Agreement Mechanism................................................................................417 8.5.3 Checking the Configuration...................................................................................................................418 8.6 Maintaining STP/RSTP..................................................................................................................................418 8.6.1 Clearing STP/RSTP Statistics...............................................................................................................419 8.7 Configuration Examples.................................................................................................................................419 8.7.1 Example for Configuring Basic STP Functions....................................................................................419 8.7.2 Example for Configuring Basic RSTP Functions..................................................................................423
9 MSTP Configuration.................................................................................................................429
9.1 MSTP Overview.............................................................................................................................................431 9.1.1 MSTP Introduction................................................................................................................................431 9.1.2 MSTP Features Supported by the S9300...............................................................................................439 9.2 Configuring Basic MSTP Functions...............................................................................................................443 9.2.1 Establishing the Configuration Task.....................................................................................................443 9.2.2 Configuring the MSTP Mode................................................................................................................445 Issue 01 (2011-10-26) Huawei Proprietary and Confidential Copyright Huawei Technologies Co., Ltd. xii
Contents
9.2.3 Configuring and Activating an MST Region........................................................................................446 9.2.4 (Optional) Setting a Priority for a Switching Device in an MSTI.........................................................447 9.2.5 (Optional) Setting a Path Cost of a Port in an MSTI.............................................................................448 9.2.6 (Optional) Setting a Port Priority in an MSTI.......................................................................................449 9.2.7 Enabling MSTP.....................................................................................................................................450 9.2.8 Checking the Configuration...................................................................................................................450 9.3 Configuring MSTP Multi-process..................................................................................................................451 9.3.1 Establishing the Configuration Task.....................................................................................................451 9.3.2 Creating an MSTP Process....................................................................................................................452 9.3.3 Adding an Interface to an MSTP Process - Access Links.....................................................................453 9.3.4 Adding an Interface to an MSTP Process - Share Link.........................................................................453 9.3.5 Configuring Priorities and Root Protection in MSTP Multi-process....................................................454 9.3.6 Configuring TC Notification in MSTP Multi-process..........................................................................454 9.3.7 Checking the Configuration...................................................................................................................455 9.4 Configuring MSTP Parameters on an Interface.............................................................................................455 9.4.1 Establishing the Configuration Task.....................................................................................................455 9.4.2 Configuring System Parameters............................................................................................................456 9.4.3 Configuring Port Parameters.................................................................................................................458 9.4.4 Checking the Configuration...................................................................................................................459 9.5 Configuring MSTP Protection Functions.......................................................................................................460 9.5.1 Establishing the Configuration Task.....................................................................................................460 9.5.2 Configuring BPDU Protection on a Switching Device.........................................................................462 9.5.3 Configuring TC Protection on a Switching Device...............................................................................462 9.5.4 Configuring Root Protection on an Interface........................................................................................463 9.5.5 Configuring Loop Protection on an Interface........................................................................................464 9.5.6 Configuring Share-Link Protection on a Switching Device..................................................................465 9.5.7 Checking the Configuration...................................................................................................................466 9.6 Configuring MSTP Interoperability Between Huawei Devices and Non-Huawei Devices...........................466 9.6.1 Establishing the Configuration Task.....................................................................................................466 9.6.2 Configuring a Proposal/Agreement Mechanism...................................................................................467 9.6.3 Configuring the MSTP Protocol Packet Format on an Interface...........................................................468 9.6.4 Enabling the Digest Snooping Function................................................................................................469 9.6.5 Checking the Configuration...................................................................................................................470 9.7 Maintaining MSTP.........................................................................................................................................470 9.7.1 Clearing MSTP Statistics.......................................................................................................................470 9.8 Configuration Examples.................................................................................................................................470 9.8.1 Example for Configuring Basic MSTP Functions.................................................................................470 9.8.2 Example for Connecting CEs to the VPLS in Dual-Homing Mode Through MSTP............................477 9.8.3 Example for Configuring MSTP Multi-Process for Layer 2 Single-Access Rings and Layer 2 Multi-Access Rings...............................................................................................................................................................489
10 SEP Configuration...................................................................................................................497
10.1 SEP Overview...............................................................................................................................................499 Issue 01 (2011-10-26) Huawei Proprietary and Confidential Copyright Huawei Technologies Co., Ltd. xiii
Contents
10.1.1 SEP Overview......................................................................................................................................499 10.1.2 SEP Features Supported by the S9300................................................................................................512 10.2 Configuring Basic SEP Functions................................................................................................................518 10.2.1 Establishing the Configuration Task...................................................................................................518 10.2.2 Configuring an SEP Segment..............................................................................................................519 10.2.3 Configuring a Control VLAN..............................................................................................................519 10.2.4 Creating a Protected Instance..............................................................................................................520 10.2.5 Adding a Layer 2 Interface to a SEP Segment and Configuring a Role for the Interface...................521 10.2.6 Checking the Configuration.................................................................................................................523 10.3 Specifying an Interface to Block..................................................................................................................523 10.3.1 Establishing the Configuration Task...................................................................................................523 10.3.2 Setting an Interface Blocking Mode....................................................................................................524 10.3.3 Configuring the Preemption Mode......................................................................................................526 10.3.4 Checking the Configuration.................................................................................................................527 10.4 Configuring SEP Multi-Instance..................................................................................................................528 10.4.1 Establishing the Configuration Task...................................................................................................528 10.4.2 Configuring and Activating Mappings Between Protected Instances and VLANs.............................530 10.4.3 Checking the Configuration.................................................................................................................530 10.5 Configuring the Topology Change Notification Function...........................................................................531 10.5.1 Establishing the Configuration Task...................................................................................................531 10.5.2 Reporting Topology Changes of a Lower-Layer Network - SEP Topology Change Notification ........................................................................................................................................................................533 10.5.3 Reporting Topology Changes of a Lower-Layer Network - Enabling the Edge Devices in a SEP Segment to Process SmartLink Flush Packets...............................................................................................................534 10.5.4 Reporting Topology Changes of an Upper-Layer Network - Configuring Association Between SEP and CFM................................................................................................................................................................535 10.5.5 Checking the Configuration.................................................................................................................536 10.6 Maintaining SEP...........................................................................................................................................536 10.6.1 Clearing SEP Statistics........................................................................................................................536 10.6.2 Debugging SEP....................................................................................................................................536 10.7 Configuration Examples...............................................................................................................................537 10.7.1 Example for Configuring SEP on a Closed Ring Network.................................................................537 10.7.2 Example for Configuring SEP on a Multi-ring Network....................................................................543 10.7.3 Example for Configuring a Hybrid SEP+MSTP Ring Network.........................................................554 10.7.4 Example for Configuring a Hybrid SEP+RRPP Ring Network..........................................................561 10.7.5 Example for Configuring SEP Multi-Instance....................................................................................573
11 Layer 2 Protocol Transparent Transmission Configuration............................................581

11.1 Overview of Layer 2 Protocol Transparent Transmission............................................................................583 11.2 Layer 2 Protocol Transparent Transmission Features Supported by the S9300...........................................584 11.3 Configuring Interface-based Layer 2 Protocol Transparent Transmission...................................................590 11.3.1 Establishing the Configuration Task...................................................................................................590 11.3.2 (Optional) Defining Characteristic Information About a Layer 2 Protocol........................................590 11.3.3 Configuring the Transparent Transmission Mode of Layer 2 Protocol Packets.................................591 Issue 01 (2011-10-26) Huawei Proprietary and Confidential Copyright Huawei Technologies Co., Ltd. xiv
Contents
11.3.4 Enabling Layer 2 Protocol Transparent Transmission on an Interface...............................................592 11.3.5 Checking Configuration......................................................................................................................593 11.4 Configuring VLAN-based Layer 2 Protocol Transparent Transmission......................................................593 11.4.1 Establishing the Configuration Task...................................................................................................594 11.4.2 (Optional) Defining Characteristic Information About a Layer 2 Protocol........................................594 11.4.3 Configuring the Transparent Transmission Mode of Layer 2 Protocol Packets.................................595 11.4.4 Enabling VLAN-based Layer 2 Protocol Transparent Transmission on an Interface.........................596 11.4.5 Checking the Configuration.................................................................................................................597 11.5 Configuring QinQ-based Layer 2 Protocol Transparent Transmission........................................................597 11.5.1 Establishing the Configuration Task...................................................................................................597 11.5.2 (Optional) Defining Characteristic Information About a Layer 2 Protocol........................................598 11.5.3 Configuring the Transparent Transmission Mode of Layer 2 Protocol Packets.................................599 11.5.4 Enabling QinQ-based Layer 2 Transparent Transmission on an Interface..........................................600 11.5.5 Checking the Configuration.................................................................................................................600 11.6 Maintaining Layer 2 Protocol Transparent Transmission............................................................................601 11.6.1 Debugging Layer 2 Protocol Transparent Transmission.....................................................................601 11.7 Configuration Examples...............................................................................................................................601 11.7.1 Example for Configuring Interface-based Layer 2 Protocol Transparent Transmission.....................601 11.7.2 Example for Configuring VLAN-based Layer 2 Protocol Transparent Transmission........................608 11.7.3 Example for Configuring QinQ-based Layer 2 Protocol Transparent Transmission..........................615
12 HVRP Configuration..............................................................................................................623
12.1 HVRP Overview...........................................................................................................................................624 12.2 HVRP Features Supported by the S9300.....................................................................................................625 12.3 Enabling HVRP............................................................................................................................................628 12.3.1 Establishing the Configuration Task...................................................................................................628 12.3.2 Enabling HVRP Globally....................................................................................................................630 12.3.3 Enabling HVRP on an Interface..........................................................................................................630 12.3.4 (Optional) Setting the VLAN Registration Timer...............................................................................631 12.3.5 (Optional) Setting the Aging Time of Registered VLANs..................................................................631 12.3.6 (Optional) Configuring Permanent VLANs........................................................................................632 12.3.7 (Optional) Configuring the S9300 to Age All the VLANs.................................................................632 12.3.8 Checking the Configuration.................................................................................................................633 12.4 Maintaining HVRP.......................................................................................................................................633 12.4.1 Debugging HVRP................................................................................................................................633 12.5 Configuration Examples...............................................................................................................................634 12.5.1 Example for Configuring HVRP.........................................................................................................634
13 Loop Detection Configuration..............................................................................................637

13.1 Introduction to Loop Detection....................................................................................................................638 13.2 Configuring Loop Detection.........................................................................................................................638 13.2.1 Establishing the Configuration Task...................................................................................................638 13.2.2 Enabling Loop Detection Globally......................................................................................................639 13.2.3 Enabling Loop Detection in a VLAN..................................................................................................639 Issue 01 (2011-10-26) Huawei Proprietary and Confidential Copyright Huawei Technologies Co., Ltd. xv
Contents
13.2.4 Enabling Loop Detection Control on an Interface...............................................................................640 13.2.5 (Optional) Disabling Loop Detection on an Interface.........................................................................641 13.2.6 (Optional) Setting the Loop Detection Interval on an Interface..........................................................641 13.2.7 (Optional) Setting the Recovery Time of a Blocked Interface............................................................641 13.2.8 Checking the Configuration.................................................................................................................642 13.3 Configuration Examples...............................................................................................................................643 13.3.1 Example for Configuring Loop Detection...........................................................................................643
Issue 01 (2011-10-26)
xvi
1 Ethernet Interface Configuration
Ethernet Interface Configuration
About This Chapter

This chapter describes the basic knowledge, methods, and examples for configuring the Ethernet interface. 1.1 Introduction to Ethernet Interfaces This section describes the Ethernet interfaces. 1.2 Ethernet Interface Features Supported by the S9300 This section describes the Ethernet interface features supported by the S9300. 1.3 Configuring Basic Attributes of the Ethernet Interface This section describes how to configure the description, cable type, duplex mode, rate, and autonegotiation an Ethernet interface, and switch between the optical and electrical interfaces and between Layer 2 and Layer 3 interfaces. 1.4 Configuring Advanced Attributes of an Ethernet Interface This section describes how to configure the loopback on the Ethernet Interface, minimum interval for re-enabling an interface, port group, maximum frame size, flow control, flow control auto-negotiation, cable test, sub-interface IP address, and port isolation. 1.5 Maintaining Ethernet Interfaces This section describes how to maintain Ethernet interfaces. 1.6 Configuration Examples This section provides several configuration examples of Ethernet interfaces.
Issue 01 (2011-10-26)
1.1 Introduction to Ethernet Interfaces

This section describes the Ethernet interfaces. The Ethernet is flexible, simple, and easy to implement; therefore, it becomes an important local area network (LAN) networking technology. Table 1-1 shows the attributes of Ethernet electrical interfaces and Ethernet optical interfaces. Table 1-1 Attributes of Ethernet interfaces Interface Type Rate (Mbit/ s) Auto-negotiation Full Duplex Yes Yes Yes No Yes No Half Duplex Yes Yes No No No No Non-negotiation Full Duplex Yes Yes Yes Yes Yes Yes Half Duplex Yes Yes No No No No
Ethernet electrical interface
10 100 1000
Ethernet optical interface
100 1000 10000
If the local interface works in auto-negotiation mode, the peer interface must also work in autonegotiation mode; otherwise, packet loss may occur.
1.2 Ethernet Interface Features Supported by the S9300

This section describes the Ethernet interface features supported by the S9300.
Port Group
The port group function enables you to configure multiple interfaces at the same time. You can run commands in the port group view to configure all the interfaces in the group.
Auto-Negotiation
The auto-negotiation function allows interfaces on both ends of a link to select the same operating parameters by exchanging capability information. Each interface sends its capability information to the remote end and checks capabilities of the remote end. After both interfaces receive the capability information from each other, they adopt the highest capability they support to communicate with each other. The interfaces negotiate the duplex mode, speed, and flow control parameters. After a successful negotiation, the interfaces use the same duplex mode, speed, and flow control parameters.
Issue 01 (2011-10-26) Huawei Proprietary and Confidential Copyright Huawei Technologies Co., Ltd. 2
Port Isolation
The port isolation function isolates Layer 2 and Layer 3 communication between ports in the same VLAN. This function restricts packet transmission between ports flexibly, providing a secure and flexible network solution.
1.3 Configuring Basic Attributes of the Ethernet Interface

This section describes how to configure the description, cable type, duplex mode, rate, and autonegotiation an Ethernet interface, and switch between the optical and electrical interfaces and between Layer 2 and Layer 3 interfaces.
1.3.1 Establishing the Configuration Task

Applicable Environment
The configuration task is applicable to the following situations: l l You can configure the description of interfaces to facilitate the identification, maintenance, and configuration of the interfaces. By default, an FE electrical interface automatically identifies the network cable type. If the interface cannot identify the cable type properly, set the cable type for the interface manually. By default, an FE electrical interface negotiates the duplex mode and rate with the equipment that is directly connected to the interface. If the connected equipment does not have the auto-negotiation capability, set the duplex mode and rate for the FE interface manually so that the interface can work with the connected equipment.
Pre-configuration Tasks
None
Data Preparation
To configure the basic functions of Ethernet interfaces, you need the following data. No. 1 2 3 4 5 Data Number of an Ethernet interface (Optional) Description of an interface (Optional) Cable type of an ethernet electrical interface (Optional) Duplex mode of an ethernet electrical interface (Optional) Rate of an ethernet interface
1.3.2 (Optional) Configuring a Description for an Interface

Context
Perform the following steps on the S9300.
Procedure
Step 1 Run:
system-view
The system view is displayed. Step 2 Run:

interface interface-type interface-number
The interface view is displayed. Step 3 Run:

description description
A description is configured for the interface. By default, the description of an interface is "HUAWEI, Quidway Series, X interface". X specifies the interface type and number. ----End
1.3.3 (Optional) Configuring the Cable Type on an Interface

Context
Procedure
Step 1 Run:
system-view

The Ethernet electrical interface view is displayed. Step 3 Run:

mdi { across | auto | normal }
The cable type is configured for the Ethernet electrical interface. By default, an Ethernet electrical interface automatically identifies the cable type. An electrical interface can use a crossover cable or a straight through cable. If across is specified, the interface can use a crossover cable; if normal is specified, the interface can use a straight through cable; if auto is specified, the interface can use both types of network cables. ----End
1.3.4 (Optional) Setting the Duplex Mode

Context
Do as follows on the S9300 where you need to set the duplex mode of interfaces.
Procedure
Step 1 Run:
system-view

The Ethernet electrical interface view is displayed. Step 3 Run:

undo negotiation auto
The auto-negotiation mode is disabled on the Ethernet electrical interface. Step 4 Run:
duplex { full | half }
The duplex mode is set for the Ethernet electrical interface. By default, the duplex mode of an Ethernet electrical interface is full-duplex when autonegotiation is disabled on the interface. ----End
1.3.5 (Optional) Setting the Rate of an Interface

Context
Do as follows on the S9300 where you need to set the rate of interfaces.
Procedure
Step 1 Run:
system-view


undo negotiation auto
The auto-negotiation mode is disabled on the interface.

Step 4 Run:
speed { 10 | 100 | 1000 }
The rate is set for the interface. By default, an Ethernet interface works at its maximum rate when auto-negotiation is disabled on the interface. ----End
1.3.6 (Optional) Enabling Auto-Negotiation

Context
Do as follows on the S9300 where you want to enable auto-negotiation and on the switch connected to this S9300.
Procedure
Step 1 Run:
system-view


negotiation auto
Auto-negotiation is enabled on the interface. By default, an interface works in auto-negotiation mode. The local interface and peer interface must work in the same mode, that is, both in autonegotiation mode or not.
NOTE
100M and 10G optical interfaces do not support auto negotiation.
----End
1.3.7 (Optional) Switching Between Optical and Electrical Interfaces

Context
Do as follows on the S9300 where you need to switch between optical and electrical interfaces.
Procedure
Step 1 Run:

system-view

interface gigabitethernet interface-number
The GigabitEthernet interface view is displayed. Step 3 Run:

combo-port { auto | copper | fiber }
The interface is changed to an optical interface or an electrical interface. By default, a combo port selects the working mode automatically. A G24C LPU has 8 electrical interface and 24 optical interfaces, among which the first 8 optical interfaces are duplexed with electrical interfaces. You can use the combo-port command to use these interfaces as electrical interfaces or optical interfaces. ----End
1.3.8 (Optional) Configuring an Interface to Work at Layer 2 or Layer 3

Procedure
Step 1 Run:
system-view


portswitch
The interface is configured to work at Layer 2. Step 4 Run:

undo portswitch
The interface is configured to work at Layer 3. By default, an Ethernet interface works at Layer 2. When an Ethernet interface switches from Layer 3 to Layer 2, the Layer 3 functions and flag are disabled. The MAC address of the system is used. ----End
1.3.9 Checking the Configuration

Procedure
Step 1 Run the display interface [ interface-type [ interface-number [.subnumber ] ] ] command to display the description, duplex mode, and rate of an Ethernet interface. ----End
1.4 Configuring Advanced Attributes of an Ethernet Interface

This section describes how to configure the loopback on the Ethernet Interface, minimum interval for re-enabling an interface, port group, maximum frame size, flow control, flow control auto-negotiation, cable test, sub-interface IP address, and port isolation.

The configuration task is applicable to the following situations: l l The S9300 provides the interface group function, which enables you to configure multiple interfaces at the same time. If the traffic volume received on an interface of the S9300 may exceed the processing capability of the interface and the directly connected interface supports traffic control, enable the traffic control function on the interface. When the rate of received traffic reaches the threshold, the interface sends a Pause frame (in full duplex mode) or sends a back pressure signal (in half duplex mode) to notify the peer interface. If the peer interface supports traffic control, it decreases the rate of at which it sends traffic so that the local interface can properly process received traffic. Ports enabled with port isolation cannot communicate with each other so that ports on the same VLAN can be isolated. Port isolation provides secure and flexible networking schemes for customers.
None.
Data Preparation
To configure the advanced functions of Ethernet interfaces, you need the following data. No. 1 2 Data Interface number (Optional) Maximum frame length allowed on the interface
Issue 01 (2011-10-26)
1.4.2 (Optional) Configuring Loopback on the Ethernet Interface

Context
Do as follows on the S9300 where you need to configure the loopback.
Procedure
Step 1 Run:
system-view


loopback internal
The loopback is configured on the Ethernet interface. By default, loopback is not configured on an Ethernet interface. ----End
1.4.3 (Optional) Setting the Minimum Interval for Re-enabling an Interface

Context
Do as follows on the S9300 where you need to set the minimum interval for re-enabling an interface.
Procedure
Step 1 Run:
system-view

shutdown interval interval-value
The minimum interval for re-enabling an interface is set. By default, the minimum interval for re-enabling an interface after the interface is disabled is 0 seconds. ----End
1.4.4 (Optional) Configuring the Interface Group

Context
Do as follows on the S9300 where you need to configure interface groups.
Procedure
Step 1 Run:
system-view

port-group port-group-name
The interface group view is displayed. Step 3 Run:

group-member interface-type interface-number
The Ethernet interface is added to the interface group. ----End
1.4.5 (Optional) Setting the Maximum Frame Length on the Ethernet Interface
Context
Do as follows on the S9300 where you need to set the maximum frame length.
Procedure
Step 1 Run:
system-view

The Ethernet interface view is displayed. Step 3 Run:

jumboframe enable [ value ]
The maximum length of the frame is set on the Ethernet interface. By default, the maximum frame length allowed by an interface is 9216 bytes. ----End
1.4.6 (Optional) Enabling Flow Control

Context
Do as follows on the S9300 where you need to enable flow control.
Procedure
Step 1 Run:
system-view


flow-control
Flow control is enabled on the Ethernet interface. By default, flow control is disabled on an Ethernet interface. To implement flow control, you must enable this function on both the local interface and peer interface. ----End
1.4.7 (Optional) Enabling Auto-Negotiation of Flow Control

Context
Do as follows on the S9300 whose interface needs to be configured with auto-negotiation of flow control. GE interfaces support auto-negotiation of flow control, but FE interfaces do not support this function.
Procedure
Step 1 Run:
system-view

interface gigabitethernet interface-number
The GE interface view is displayed. Step 3 Run:

flow-control negotiation
Auto-negotiation of flow control is enabled on the GE interface. By default, auto-negotiation of flow control is disabled on a GE interface. You also need to configure auto-negotiation of flow control on the peer interface. ----End
1.4.8 (Optional) Enabling Port Isolation

Context
Do as follows on the S9300 where you need to enable port isolation.
Procedure
Step 1 Run:
system-view

port-isolate mode { l2 | all }
The port isolation mode is set. By default, ports are isolated on Layer 2 but can communicate on Layer 3. Step 3 Run:
The Ethernet interface view is displayed. Step 4 (Optional) Run:

am isolate interface-type interface-number [ to interface-number ]
The Ethernet interface is isolated from another interface unidirectionally.

NOTE
After interface A is isolated from interface B unidirectionally, packets sent by interface A cannot reach interface B, whereas packets sent from interface B can reach interface A.
Step 5 Run:
port-isolate enable [ group group-id ]
Port isolation is enabled.

NOTE
Ports in a port isolation group are isolated from each other, and ports in different port isolation groups can communicate with each other. If group-id is not specified, a port is added to port isolation group 1.
----End
1.4.9 (Optional) Performing a Cable Test on an Interface

Context
A cable test detects faults on the cable connected to an interface. If the cable is working properly, the total length of the cable is displayed. If the cable cannot work properly, the distance between the interface and the fault point is displayed.
Procedure
Step 1 Run:
system-view
Issue 01 (2011-10-26)
12


virtual-cable-test
A cable test is performed on the interface.

NOTE
l The test result is only for reference. l Running the virtual-cable-test command may affect services on the interface in a short period of time. l Before performing a cable test, shut down the remote interface or remove the network cable from the remote interface. Otherwise, signals from the remote interface may make the test result inaccurate.
----End
1.4.10 (Optional) Configuring Link Flapping Protection on an Interface

Context
A cable fault or an active/standby switchover may cause frequent status changes on an interface, leading to network topology changes. If a Layer 2 protection protocol (STP for example) is configured on the interface, the interface sends topology change (TC) packets to trigger ARP entry updates. If ARP entries are not updated immediately, user services may be interrupted. To solve the problem, enable link flapping protection on the interface. When the S9300 receives a Port Up or Port Down message, it checks the number of interface flapping events and link flapping detection interval. If the number of interface flapping times reaches the limit in a specified period, the interface is shut down. By default, when an interface flaps five times in 10s, it is shut down.
Procedure
Step 1 Run:
system-view


port link-flap protection enable
Link flapping protection is enabled on the interface. By default, link flapping protection is disabled on an interface. Step 4 (Optional) Run:
port link-flap interval interval-value
Issue 01 (2011-10-26)
13
The link flapping detection interval is set. By default, the link flapping detection interval is 10s. Step 5 (Optional) Run:
port link-flap threshold threshold-value
The number of link flapping events is set. By default, the number of link flapping events on an interface is 5. ----End
Follow-up Procedure
By default, an interface that is shut down can only be restored manually by running the undo shutdown command. To configure the interface to restore to Up state automatically, run the error-down auto-recovery cause link-flap command in the system view to set a recovery delay. The interface can then go Up automatically after the specified delay.
1.4.11 (Optional) Assigning an IP Address to an Ethernet Subinterface

Procedure
Step 1 Run:
system-view

interface interface-type interface-number.subinterface-number
An Ethernet sub-interface is created and the Ethernet sub-interface view is displayed. Step 3 Run:
ip address ip-address { mask | mask-length } [ sub ]
The IP address of the Ethernet sub-interface is configured. Only the E-series and F-series boards supports the configuration of sub-interfaces. ----End

Procedure
l l l Run the display port-group [ all | port-group-name ] command to check information about a port group. Run the display interface [ interface-type [ interface-number [.subnumber ] ] ] command to check information about auto-negotiation capability on an Ethernet interface. Run the display virtual-cable-test interface-type interface-number command to check the cable test result on an Ethernet interface.
----End
1.5 Maintaining Ethernet Interfaces

This section describes how to maintain Ethernet interfaces.
1.5.1 Debugging Ethernet Interfaces

Context
CAUTION
Debugging affects the performance of the system. So, after debugging, run the undo debugging all command to disable it immediately. When an Ethernet interface or Eth-Trunk fault occurs, run the following debugging commands in the user view to locate the fault.
Procedure
Step 1 Run the debugging l2if [ error | event | msg | updown ] command to enable the debugging of link layer features. ----End
1.6 Configuration Examples

This section provides several configuration examples of Ethernet interfaces.
1.6.1 Example for Configuring Port Isolation

Networking Requirements
As shown in Figure 1-1, it is required that PC1 and PC2 cannot communicate with each other, but they can communicate with PC3.
Issue 01 (2011-10-26)
15
Figure 1-1 Networking diagram for configuring port isolation
Switch
GE1/0/1
GE1/0/3
PC1 PC2 PC3 10.10.10.1/24 10.10.10.2/24 10.10.10.3/24
GE1/0/2
Configuration Roadmap
The configuration roadmap is as follows: 1. Enable port isolation on the ports connected to PC1 and PC2 respectively to prevent PC1 and PC2 from communicating with each other.
Data Preparation
To complete the configuration, you need the following data: l l l l l Number of the port connected to PC1 Number of the port connected to PC2 Port isolation mode: Layer 2 isolation and Layer 3 communication (default configuration) ID of the VLAN that the ports connected to PC1, PC2, and PC3 belong to (VLAN 1 by default) Port isolation group that the ports connected to PC1 and PC2 belong to (group 1 by default)
Procedure
Step 1 Enable port isolation. # Isolate ports on Layer 2 and allow them to communicate on Layer 3.
<Quidway> system-view [Quidway] port-isolate mode l2
# Enable port isolation on GigabitEthernet 1/0/1.

<Quidway> system-view [Quidway] interface gigabitethernet 1/0/1 [Quidway-GigabitEthernet1/0/1] port-isolate enable [Quidway-GigabitEthernet1/0/1] quit
# Enable port isolation on GigabitEthernet 1/0/2.

<Quidway> system-view [Quidway] interface gigabitethernet 1/0/2
Issue 01 (2011-10-26)
16

[Quidway-GigabitEthernet1/0/2] port-isolate enable [Quidway-GigabitEthernet1/0/2] quit
Step 2 Verify the configuration. PC1 and PC2 cannot ping each other. PC1 and PC3 can ping each other. PC2 and PC3 can ping each other. ----End
Configuration Files
Configuration file of the Switch
# sysname Quidway # interface GigabitEthernet1/0/1 port-isolate enable group 1 # interface GigabitEthernet1/0/2 port-isolate enable group 1 # interface GigabitEthernet1/0/3 # return
Issue 01 (2011-10-26)
17
2 Link Aggregation Configuration
Link Aggregation Configuration
About This Chapter

This chapter describes the concepts, configuration procedures, and configuration examples of link aggregation. 2.1 Introduction to Link Aggregation This section describes the concept of link aggregation. 2.2 Link Aggregation Supported by the S9300 This section describes link aggregation features supported by the S9300. 2.3 Configuring Link Aggregation in Manual Load Balancing Mode This section describes how to configure link aggregation in manual load balancing mode. 2.4 Configuring Link Aggregation in Static LACP Mode This section describes how to configure link aggregation in static LACP mode. 2.5 Configuring an Eth-Trunk Sub-interface This section describes how to configure an Eth-Trunk sub-interface. 2.6 Configuring an E-Trunk As an extension to the Link Aggregation Protocol (LACP) that implements link aggregation on a single device, the Enhanced Trunk (E-Trunk) protocol implements link aggregation between different devices. This improves link reliability between devices. 2.7 Configuring an Inter-Chassis Eth-Trunk Interface to Forward Traffic Preferentially Through a Local Member Interface (CSS) In a cluster switch system (CSS), you are recommended to configure an inter-chassis Eth-Trunk interface to forward traffic preferentially through a local member interface. In this manner, traffic arriving at a chassis is forwarded preferentially through an Eth-Trunk member interface on the chassis. 2.8 Maintaining Link Aggregation This section describes how to clear the statistics of received and sent LACP packets, debug the link aggregation group, and monitor the running status of the link aggregation group. 2.9 Configuration Examples
Issue 01 (2011-10-26)
18
This section provides several configuration examples of link aggregation in manual load balancing mode and in static LACP mode.
Issue 01 (2011-10-26)
19
2.1 Introduction to Link Aggregation

This section describes the concept of link aggregation. Link aggregation refers to a method of bundling a group of physical interfaces into a logical interface to increase bandwidth. It is also called multi-interface load sharing group or link aggregation group. For details, refer to IEEE802.3ad. By setting up a link aggregation group between two devices, you can obtain higher bandwidth and reliability. Link aggregation provides redundancy protection for communication among devices without upgrading the hardware.
2.2 Link Aggregation Supported by the S9300

This section describes link aggregation features supported by the S9300.
Manual Load Balancing Mode

In load balancing mode, you can manually add member interfaces to the link aggregation group. All the interfaces configured with load balancing are in forwarding state. The S9300 can perform load balancing based on destination MAC addresses, source MAC addresses, source MAC address exclusive-or destination MAC address, source IP addresses, destination IP addresses, source address exclusive-or destination IP address, or in enhanced mode. You must set up the Eth-Trunk and add an interface to the Eth-Trunk manually. The Link Aggregation Control Protocol (LACP) is not used. The manual load balancing mode is usually used when the peer device does not support LACP.
Static LACP Mode

The static LACP mode is a link aggregation mode in which the two parties negotiate aggregation parameters by exchanging LACP packets. After the negotiation, the two parties determine the active interface and the inactive interface. In static LACP mode, you need to create an Eth-Trunk manually and add members to the Eth-Trunk. The active interfaces and inactive interfaces are determined by LACP negotiation. The static LACP mode is also called the M:N mode. In this mode, links can implement load balancing and redundancy at the same time. In a link aggregation group, M links are active and they forward data in load balancing mode. N links are inactive and they function as backup links. The backup links do not forward data. When an active link fails, the backup link with the highest priority replaces the failed link to forward data and its status changes to active. In static LACP mode, some links function as backup links. In manual load balancing mode, all member interfaces work in forwarding state to share the traffic. This is the main difference between the two modes. Link aggregation can also be implemented in dynamic LACP mode. In dynamic LACP mode, LACP creates the Eth-Trunk and adds member interfaces automatically without human intervention. This mode is easy for users, but is too flexible and hard for management; therefore, the S9300 does not support dynamic LACP mode.
Active Interface and Inactive Interface

Active interfaces refer to the interfaces that are in active state and are responsible for forwarding data. The interfaces that do not forward data and are in inactive state are called inactive interfaces. According to the operation modes, active and inactive interfaces are classified as follows: l l Manual load balancing mode: Generally, all member interfaces are active interfaces unless a fault occurs on these interfaces. Static LACP mode: The interfaces connected to M links are active interfaces that are responsible for forwarding data; the interfaces connected to N links are inactive interfaces that are used for redundancy backup.
Actor and Partner

In static LACP mode, the device in the link aggregation group with a higher LACP priority is the Actor and the device with a lower LACP priority is the Partner. If the two devices have the same LACP priority, the Actor is selected based on the MAC addresses of the devices. The device with a smaller MAC address becomes the Actor. Differentiating the Actor and the Partner is to keep the active interfaces of devices at both ends consistent. If the devices at both ends select active interfaces according to the priority of their own interfaces, the active interfaces may be different and the active links cannot be set up. Therefore, the Actor is first determined. The Partner selects active interfaces according to the priority of the interfaces of the Actor. Figure 2-1 shows the process of selecting active interfaces. Figure 2-1 Determining the active links in static LACP mode
SwitchA
SwitchB
Device with high priority SwitchA
Device with low priority The Actor determines the active link SwitchB
Active interface selected by SwitchA Active interface selected by SwitchB
2.3 Configuring Link Aggregation in Manual Load Balancing Mode

This section describes how to configure link aggregation in manual load balancing mode.

When the bandwidth or the reliability of two devices should be increased and either of the two devices does not support LACP, you should create an Eth-Trunk in manual load balancing mode on Switches and add member interfaces to the Eth-Trunk to increase the bandwidth and improve reliability of devices. As shown in Figure 2-2, Eth-Trunks are created between SwitchA and SwitchB. Figure 2-2 Networking diagram for configuring link aggregation in load balancing mode
Eth-Trunk 1 Eth-Trunk SwitchA
Eth-Trunk 1 SwitchB
Before configuring an Eth-Trunk in manual load balancing mode, complete the following tasks: l l Powering on the S9300 Creating the Eth-Trunks
Data Preparation
To configure an Eth-Trunk in manual load balancing mode, you need the following data. No. 1 2 Data Number of the Eth-Trunk in manual load balancing mode Type and number of the member interface
2.3.2 Configuring the Eth-Trunk to Work in Manual Load Balancing Mode

Context
NOTE
Check whether the Eth-Trunk contains member interfaces before you configure the operation mode of the Eth-Trunk. If the Eth-Trunk contains member interfaces, the operation mode of the Eth-Trunk cannot be changed. To delete member interfaces from the Eth-Trunk, run the undo eth-trunk command in the interface view or run the undo trunkport interface-type interface-number command in the Eth-Trunk view.
Do as follows on the S9300 where you need to configure an Eth-Trunk in manual load balancing mode.
Procedure
Step 1 Run:
system-view

interface eth-trunk trunk-id
The Eth-Trunk view is displayed. Step 3 Run:

mode manual load-balance
The operation mode of the Eth-Trunk is set to load balancing. By default, an Eth-Trunk works in manual load balancing mode. If the local device is configured with the Eth-Trunk in manual load balancing mode, you need to configure the Eth-Trunk in manual load balancing mode on the peer device. ----End
2.3.3 Adding Member Interfaces to an Eth-Trunk

Context
Do as follows on the S9300 where you need to configure member interfaces of an Eth-Trunk.
Procedure
l Configuration in the Eth-Trunk interface view 1. Run:
system-view
The system view is displayed. 2. Run:

The Eth-Trunk interface view is displayed. 3. Run:

trunkport interface-type { interface-number1 [ to interface-number2 ] } &<1-8>
Member interfaces are added to the Eth-Trunk. l Configuration in the member interface view 1. Run:
system-view

The interface view is displayed.

3.
Run:
eth-trunk trunk-id
The interface is added to the Eth-Trunk. When adding an interface to an Eth-Trunk, pay attention to the following points: An Eth-Trunk contains a maximum of eight member interfaces. A member interface cannot be configured with any service or static MAC address. When adding an interface to an Eth-Trunk, ensure that the interface is a hybrid interface, which is the default interface type. An Eth-Trunk cannot be nested, that is, its member interfaces cannot be Eth-Trunk. An Ethernet interface can be added to only one Eth-trunk interface. To add the Ethernet interface to another Eth-trunk, delete the Ethernet interface from the current Eth-Trunk first. The member interfaces of an Eth-trunk must be of the same type. For example, the FE interface and the GE interface cannot be added to the same Eth-trunk. Ethernet interfaces on different LPUs can be added to the same Eth-Trunk. The peer interface directly connected to the Eth-Trunk on the local end must also be added to an Eth-Trunk; otherwise, the two ends cannot communicate. When the rates of member interfaces are different, the interfaces with a smaller rate may be congested, and packets may be lost. After an interface is added to an Eth-Trunk, MAC address learning is performed by the Eth-Trunk rather than the member interfaces. ----End
2.3.4 (Optional) Configuring the Load Balancing Mode

Context
Do as follows on the S9300 where the Eth-Trunk load balancing mode needs to be configured.
Procedure
Step 1 Run:
system-view


load-balance { dst-ip | dst-mac | src-ip | src-mac | src-dst-ip | src-dst-mac | enhanced profile profile-name }
The load balancing mode is configured for the Eth-Trunk. The default load balancing mode is src-dst-ip. The S9300 supports the following load balancing modes:
l dst-ip: load balancing based on the destination IP address. In this mode, the system obtains the specified three bits from each of the destination IP address and the TCP or UDP port number in outgoing packets to perform the Exclusive-OR calculation, and then selects the outgoing interface from the Eth-Trunk table according to the calculation result. l dst-mac: load balancing based on the destination MAC address. In this mode, the system obtains the specified three bits from each of the destination MAC address, VLAN ID, Ethernet type, and incoming interface information to perform the Exclusive-OR calculation, and then selects the outgoing interface from the Eth-Trunk table according to the calculation result. l src-ip: load balancing based on the source IP address. In this mode, the system obtains the specified three bits from each of the source IP address and the TCP or UDP port number in incoming packets to perform the Exclusive-OR calculation, and then selects the outgoing interface from the Eth-Trunk table according to the calculation result. l src-mac: load balancing based on the source MAC address. In this mode, the system obtains the specified three bits from each of the source MAC address, VLAN ID, Ethernet type, and incoming interface information to perform the Exclusive-OR calculation, and then selects the outgoing interface from the Eth-Trunk table according to the calculation result. l src-dst-ip: load balancing based on the Exclusive-OR result of the source IP address and destination IP address. In this mode, the system performs the Exclusive-OR calculation between the Exclusive-OR results of the dip and dmac modes, and then selects the outgoing interface from the Eth-Trunk table according to the calculation result. l src-dst-mac: load balancing based on the Exclusive-OR result of the source MAC address and destination MAC address. In this mode, the system obtains three bits from each of the source MAC address, destination MAC address, VLAN ID, Ethernet type, and incoming interface information to perform the Exclusive-OR calculation, and then selects the outgoing interface from the Eth-Trunk table according to the calculation result. l Enhanced load balancing: The S9300 selects interfaces to forward packets according to the load balancing mode defined for different packets by the enhanced load balancing profile. Member interfaces of an Eth-Trunk perform per-flow load balancing. The local end and the remote end can use different load balancing modes, and the load balancing mode on one end does not affect load balancing on the other end. ----End
2.3.5 (Optional) Limiting the Number of Active Interfaces

Context
Do as follows on the S9300 where you need to limit the number of active interfaces.
Procedure
l Setting the upper threshold of the number of interfaces that determine bandwidth of the Eth-Trunk 1. Run:
system-view

Issue 01 (2011-10-26)
25
The Eth-Trunk view is displayed. 3. Run:

max bandwidth-affected-linknumber link-number
The maximum number of interfaces that determine bandwidth of the Eth-Trunk is set. By default, the maximum number of interfaces that determine bandwidth of the EthTrunk is 8.
NOTE
l The upper threshold the number of interfaces that determine bandwidth of the Eth-Trunk of the local S9300 and that of the remote S9300 can be different. If the upper thresholds at two ends are different, the smaller one is used.
Setting the lower threshold of the number of active interfaces 1. Run:

system-view


least active-linknumber link-number
The lower threshold of the number of active interfaces is set. By default, the lower threshold of the number of active interfaces is 1. In manual load balancing mode, you can determine the minimum number of active interfaces in the Eth-Trunk by setting the lower threshold. If the number of active interfaces is smaller than the value in manual load balancing mode, the status the Eth-Trunk becomes Down.
NOTE
l The lower threshold of the number of active interfaces of the local S9300 and that of the remote S9300 can be different. If the lower thresholds at two ends are different, the larger one is used.
----End
2.3.6 (Optional) Configuring a Profile of Enhanced Eth-Trunks in Load Balancing Mode

Context
Do as follows on the S9300s involved in the enhanced Eth-trunk in load balancing mode.
Procedure
Step 1 Run:
system-view
The system view is displayed.

Step 2 Run:
load-balance-profile profile-name
A profile of enhanced Eth-Trunks in load balancing mode is created and the profile view is displayed. Step 3 Run:
l2 field [ dmac | l2-protocol | smac | sport | vlan ]
*
The load balancing mode of Layer 2 packets is specified in the profile. By default, load balancing of Layer 2 packets is based on the source MAC address (smac), destination MAC address (dmac), and VLAN (vlan) of each packet. Step 4 Run:
ipv4 field [ dip | l4-dport | l4-sport | protocol | sip | sport | vlan ]
*
The load balancing mode of Layer 3 IPv4 packets is specified in the profile. By default, load balancing of Layer 3 IPv4 packets is based on the source IP address (sip) and destination IP address (dip) of each packet. Step 5 Run:
*
mpls field [ 2nd-label | dip | sip | sport | top-label | vlan ]
*
The load balancing mode of MPLS packets is specified in the profile. By default, load balancing of MPLS packets is based on the two outmost labels ( top-label and 2nd-label) of each packet. ----End
2.3.7 (Optional) Configuring the Load Balancing Mode for Unknown Unicast Traffic
Context
Do as follows on the S9300 where you need to configure the load balancing mode for unknown unicast traffic.
Procedure
Step 1 Run:
system-view

unknown-unicast load-balance { dmac | smac | smacxordmac | enhanced }
Issue 01 (2011-10-26)
27
The load balancing mode for unknown unicast traffic is configured. ----End

Procedure
l l Run the display trunkmembership eth-trunk trunk-id command to display the member interfaces of the Eth-Trunk. Run the display eth-trunk trunk-id command to display the load balancing status of the Eth-Trunk.
----End
2.4 Configuring Link Aggregation in Static LACP Mode

This section describes how to configure link aggregation in static LACP mode.

To increase the bandwidth and improve the connection reliability, you can configure a link aggregation group on two directly connected Switches. The requirements are as follows: l l The links between two devices can implement redundancy backup. When a fault occurs on some links, the backup links replace the faulty ones to keep data transmission uninterrupted. The active links have the load balancing capability.
Figure 2-3 Typical networking of link aggregation in static LACP mode
Eth-Trunk 1 Eth-Trunk SwitchA
Eth-Trunk 1
Active link Standby link
SwitchB
Before configuring an Eth-Trunk in static LACP mode, complete the following tasks: l l Powering on the S9300 Creating the Eth-Trunk
Data Preparation
To configure an Eth-Trunk in static LACP mode, you need the following data.
No. 1 2 3
Data Number of the Eth-Trunk Type and number of the member interface Maximum number of active interfaces
2.4.2 Configuring the Eth-Trunk to Work in Static LACP Mode

Context
NOTE
Check whether the Eth-Trunk contains member interfaces before you configure the operation mode of the Eth-Trunk. If the Eth-Trunk contains member interfaces, the operation mode of the Eth-Trunk cannot be changed. To delete member interfaces from the Eth-Trunk, run the undo eth-trunk command in the interface view or run the undo trunkport interface-type interface-number command in the Eth-Trunk view.
Do as follows on the S9300 where you need to configure an Eth-Trunk of static LACP mode.
Procedure
Step 1 Run:
system-view


mode lacp-static
The Eth-Trunk is configured to work in static LACP mode. By default, an Eth-Trunk works in manual load balancing mode. If the local device is configured with an Eth-Trunk of static LACP mode, you must configure the Eth-Trunk of static LACP mode on the peer device. ----End
2.4.3 Adding Member Interfaces to an Eth-Trunk

Context
Do as follows on the S9300 where you need to configure member interfaces of an Eth-Trunk.
Procedure
l Configuration in the Eth-Trunk interface view 1. Run:
system-view

The Eth-Trunk interface view is displayed. 3. Run:

trunkport interface-type { interface-number1 [ to interface-number2 ] } &<1-8>
Member interfaces are added to the Eth-Trunk. l Configuration in the member interface view 1. Run:
system-view

The interface view is displayed. 3. Run:

eth-trunk trunk-id
The interface is added to the Eth-Trunk. When adding an interface to an Eth-Trunk, pay attention to the following points: An Eth-Trunk contains a maximum of eight member interfaces. A member interface cannot be configured with any service or static MAC address. When adding an interface to an Eth-Trunk, ensure that the interface is a hybrid interface, which is the default interface type. An Eth-Trunk cannot be nested, that is, its member interfaces cannot be Eth-Trunk. An Ethernet interface can be added to only one Eth-Trunk interface. To add the Ethernet interface to another Eth-Trunk, delete the Ethernet interface from the current Eth-Trunk first. The member interfaces of an Eth-Trunk must be of the same type. For example, the FE interface and the GE interface cannot be added to the same Eth-Trunk. Ethernet interfaces on different LPUs can be added to the same Eth-Trunk. The peer interface directly connected to the Eth-Trunk on the local end must also be added to an Eth-Trunk; otherwise, the two ends cannot communicate. When the rates of member interfaces are different, the interfaces with a smaller rate may be congested, and packets may be lost. After an interface is added to an Eth-Trunk, MAC address learning is performed by the Eth-Trunk rather than the member interfaces. ----End
2.4.4 (Optional) Configuring the Load Balancing Mode

Context
Do as follows on the S9300 where you need to configure the Eth-Trunk load balancing mode.
Procedure
Step 1 Run:
system-view


load-balance { dst-ip | dst-mac | src-ip | src-mac | src-dst-ip | src-dst-mac | enhanced profile profile-name }
The load balancing mode is configured for the Eth-Trunk. The default load balancing mode is src-dst-ip. The S9300 supports the following load balancing modes: l dst-ip: load balancing based on the destination IP address. In this mode, the system obtains the specified three bits from each of the destination IP address and the TCP or UDP port number in outgoing packets to perform the Exclusive-OR calculation, and then selects the outgoing interface from the Eth-Trunk table according to the calculation result. l dst-mac: load balancing based on the destination MAC address. In this mode, the system obtains the specified three bits from each of the destination MAC address, VLAN ID, Ethernet type, and incoming interface information to perform the Exclusive-OR calculation, and then selects the outgoing interface from the Eth-Trunk table according to the calculation result. l src-ip: load balancing based on the source IP address. In this mode, the system obtains the specified three bits from each of the source IP address and the TCP or UDP port number in incoming packets to perform the Exclusive-OR calculation, and then selects the outgoing interface from the Eth-Trunk table according to the calculation result. l src-mac: load balancing based on the source MAC address. In this mode, the system obtains the specified three bits from each of the source MAC address, VLAN ID, Ethernet type, and incoming interface information to perform the Exclusive-OR calculation, and then selects the outgoing interface from the Eth-Trunk table according to the calculation result. l src-dst-ip: load balancing based on the Exclusive-OR result of the source IP address and destination IP address. In this mode, the system performs the Exclusive-OR calculation between the Exclusive-OR results of the dip and dmac modes, and then selects the outgoing interface from the Eth-Trunk table according to the calculation result. l src-dst-mac: load balancing based on the Exclusive-OR result of the source MAC address and destination MAC address. In this mode, the system obtains three bits from each of the source MAC address, destination MAC address, VLAN ID, Ethernet type, and incoming
interface information to perform the Exclusive-OR calculation, and then selects the outgoing interface from the Eth-Trunk table according to the calculation result. l Enhanced load balancing: The S9300 selects interfaces to forward packets according to the load balancing mode defined for different packets by the enhanced load balancing profile. Member interfaces of an Eth-Trunk perform per-flow load balancing. The local end and the remote end can use different load balancing modes, and the load balancing mode on one end does not affect load balancing on the other end. ----End
2.4.5 (Optional) Limiting the Number of Active Interfaces

Context
Do as follows on the S9300 where you need to limit the number of active interfaces.
Procedure
l Setting the upper threshold of the number of active interfaces 1. Run:
system-view


max active-linknumber link-number
The upper threshold of the number of active interfaces is set. By default, the upper threshold of the number of active interfaces is 8. In static LACP mode, you can limit the maximum number (M) of active interfaces in the Eth-Trunk by setting the upper threshold. The other member interfaces function as backup. If the upper threshold is not set, up to eight interfaces in the Eth-Trunk can be active.
NOTE
l The upper threshold of the number of active interfaces should not be smaller the lower threshold for the number of active interfaces. l The upper threshold of the number of active interfaces of the local S9300 and that of the remote S9300 can be different. If the upper thresholds at two ends are different, the smaller one is used.
Setting the lower threshold of the number of active interfaces 1. Run:

system-view

Issue 01 (2011-10-26)
32

least active-linknumber link-number
The lower threshold of the number of active interfaces is set. By default, the lower threshold of the number of active interfaces is 1. In static LACP mode, you can determine the minimum number of active interfaces in the Eth-Trunk by setting the lower threshold. If the number of active interfaces is smaller than the value in static mode, the status of the Eth-Trunk becomes Down.
NOTE
l The lower threshold of the number of active interfaces should not be larger than the upper threshold of the number of active interfaces. l The lower threshold of the number of active interfaces of the local S9300 and that of the remote S9300 can be different. If the lower thresholds at two ends are different, the larger one is used.
----End
2.4.6 (Optional) Setting the LACP Priority of the System

Context
Do as follows on the S9300 where you need to set the LACP priority of the system.
Procedure
Step 1 Run:
system-view

lacp priority priority
The system LACP priority of the S9300 is set. The smaller the LACP priority value of the system is, the higher the priority is. By default, the LACP priority of the system is 32768. The end of a smaller priority value functions as the Actor. If the two ends have the same priority, the end with a smaller MAC address functions as the Actor. ----End
2.4.7 (Optional) Setting the LACP Priority of an Interface

Context
Procedure
Step 1 Run:
system-view


lacp priority priority
The LACP priority of the interface is set. By default, the interface LACP priority is 32768. A smaller priority value indicates a higher LACP priority. ----End
2.4.8 (Optional) Enabling LACP Preemption and Setting the Delay for LACP Preemption
Context
Do as follows on the S9300 where you need to enable LACP preemption mode and set the delay for LACP preemption.
Procedure
Step 1 Run:
system-view


lacp preempt enable
The LACP preemption function is enabled on the Eth-Trunk. By default, the LACP preemption function is disabled.
NOTE
To ensure normal running of an Eth-Trunk, it is recommended that you enable or disable LACP preemption on both ends of the Eth-Trunk.
Step 4 Run:
lacp preempt delay delay-time
The delay for LACP preemption on the Eth-Trunk is set.

By default, the delay for LACP preemption is 30 seconds. Enabling the LACP preemption function ensures that the interface with the highest LACP priority can be an active interface. For example, when an interface with the highest priority becomes inactive due to a failure, and then recovers, the interface can become an active interface if the LACP preemption function is enabled; if the LACP preemption function is disabled, the interface cannot become an active interface again. The delay for LACP preemption refers to the period in which an inactive interface of the EthTrunk in static LACP mode waits before it becomes active. ----End
2.4.9 (Optional) Setting the Timeout Interval for Receiving LACP Packets
Context
Do as follows on the S9300 where you need to set the timeout interval for receiving LACP packets.
Procedure
Step 1 Run:
system-view


lacp timeout { fast | slow }
The timeout for receiving LACP protocol packets the Eth-Trunk is set.
NOTE
l After the lacp timeout command is used, the local end informs the peer end of the timeout interval through LACP packets. If the fast is selected, the interval for sending LACP packets is 1 second. If the slow keyword is selected, the interval for sending LACP packets is 30 seconds. l The timeout interval for receiving LACP packets is three times the interval for sending LACP packets. That is, when the fast keyword is used, the timeout interval for receiving LACP packets is 3s; when the slow keyword is used, the timeout interval for receiving LACP packets is 90s. l You can select different keywords on the two ends. To facilitate the maintenance, however, it is recommended that you select the same keyword on both ends.
----End
2.4.10 (Optional) Configuring a Profile of Enhanced Eth-Trunks in Load Balancing Mode

Context
Do as follows on the S9300s involved in the enhanced Eth-trunk in load balancing mode.
Procedure
Step 1 Run:
system-view

load-balance-profile profile-name
A profile of enhanced Eth-Trunks in load balancing mode is created and the profile view is displayed. Step 3 Run:
l2 field [ dmac | l2-protocol | smac | sport | vlan ]
*
The load balancing mode of Layer 2 packets is specified in the profile. By default, load balancing of Layer 2 packets is based on the source MAC address (smac), destination MAC address (dmac), and VLAN (vlan) of each packet. Step 4 Run:
*
*
mpls field [ 2nd-label | dip | sip | sport | top-label | vlan ]
*
The load balancing mode of MPLS packets is specified in the profile. By default, load balancing of MPLS packets is based on the two outmost labels ( top-label and 2nd-label) of each packet. ----End
2.4.11 (Optional) Configuring the Load Balancing Mode for Unknown Unicast Traffic
Context
Do as follows on the S9300 where you need to configure the load balancing mode for unknown unicast traffic.
Procedure
Step 1 Run:
system-view

unknown-unicast load-balance { dmac | smac | smacxordmac | enhanced }
The load balancing mode for unknown unicast traffic is configured. ----End

Procedure
l l Run the display trunkmembership eth-trunk trunk-id command to display the member interfaces of the Eth-Trunk. Run the display eth-trunk [ trunk-id [interface interface-type interface-number ] ] command to display information about the Eth-Trunk and member interfaces.
----End
2.5 Configuring an Eth-Trunk Sub-interface

This section describes how to configure an Eth-Trunk sub-interface.

When two S9300s communicate with each other through a Layer 2 Eth-Trunk interface, MPLS TE cannot be enabled on the main interface. In this case, to use the MPLS TE feature, you can create a sub-interface on the Layer 2 Eth-Trunk interface and enable MPLS TE on the subinterface. In this manner, data of Layer 2 and Layer 3 services can be transmitted on the same physical link.
Before configuring an Eth-Trunk sub-interface, complete the following tasks: l l Creating and configuring a Layer 2 Eth-Trunk interface Connecting the S9300s through a physical link
Data Preparation
To configure an Eth-Trunk sub-interface, you need the following data.
No. 1 2 3 4
Data Number of the main interface Number of the sub-interface ID of the VLAN that the sub-interface belongs to Rate of sending gratuitous ARP packets
2.5.2 Creating an Eth-Trunk Sub-interface

Procedure
Step 1 Run:
system-view

An Eth-Trunk interface is created and the Eth-Trunk interface view is displayed. Step 3 Run:
quit
Return to the system view. Step 4 Run:

interface eth-trunk trunk-id.subnumber
An Eth-Trunk sub-interface is created. subinterface-number specifies the number of a sub-interface. The value ranges from 1 to 4096. ----End
2.5.3 Setting the IP Address of an Eth-Trunk Sub-interface

Procedure
Step 1 Run:
system-view

interface eth-trunk trunk-id.subnumber
The Eth-Trunk sub-interface view is displayed. Step 3 Run:

The IP address of the sub-interface is set.

When more than one IP address is set for an Eth-Trunk interface, the keyword sub can be used to indicate the IP addresses other than the first IP address. ----End

Procedure
l Run the display interface eth-trunk [ trunk-id [.subnumber ] ] command to check the status of an Eth-Trunk interface.
----End
2.6 Configuring an E-Trunk

As an extension to the Link Aggregation Protocol (LACP) that implements link aggregation on a single device, the Enhanced Trunk (E-Trunk) protocol implements link aggregation between different devices. This improves link reliability between devices.

Before configuring an E-Trunk, familiarize yourself with the applicable environment, complete the pre-configuration tasks, and obtain the data required for the configuration. This will help you complete the configuration task quickly and accurately.
As shown in Figure 2-4, the E-Trunk is used to protect the links between a CE and two PEs when the CE is dual-homed to the two PEs. The CE is connected to PE1 and PE2 through a static LACP Eth-Trunk respectively. The two Eth-Trunks form an E-Trunk to implement backup of link aggregation groups between PE1 and PE2, enhancing the network reliability. Figure 2-4 Networking diagram of the E-Trunk
1 r unk th-T E
PE1
E-Trunk1 CE
Network
Eth -Tru nk 2
PE2
Before configuring an E-Trunk, complete the following tasks:
l l
Connecting physical links between devices correctly Configuring static LACP Eth-Trunk interfaces
Data Preparation
To configure an E-Trunk, you need the following data. No. 1 2 3 4 5 6 Data LACP system ID and priority ID and priority of the E-Trunk Interface numbers and working modes of the Eth-Trunks Local and peer IP addresses Encrypted password Interval for sending hello packets and time multiplier for detecting hello packets
2.6.2 Setting the LACP System ID and LACP Priority of an E-Trunk

In an E-Trunk, the two PEs must be configured with the same LACP system ID and priority so that the CE considers the two PEs as one device.
Context
Do as follows on the member devices of the E-Trunk.
Procedure
Step 1 Run:
system-view

lacp e-trunk system-id mac-address
The LACP system ID is set for the E-Trunk. By default, the MAC address of Ethernet interface on the MPU is used as the LACP system ID a device. The master and backup devices in an E-Trunk must use the same LACP system ID. Step 3 Run:
lacp e-trunk priority priority
The LACP priority of the E-Trunk member is set. By default, the LACP priority of an E-Trunk is 32768.
The master and backup devices in an E-Trunk must use the same LACP priority. ----End
2.6.3 Creating an E-Trunk and Setting Its Priority

The E-Trunk priority determines whether a device in the E-Trunk is the master device or the standby device.
Context
Procedure
Step 1 Run:
system-view

e-trunk e-trunk-id
An Eth-Trunk is created. If the specified E-Trunk already exists, the E-Trunk view is displayed directly. The member devices in an E-Trunk must be configured with the same E-Trunk ID. At most 16 E-Trunks can be created on a device. Step 3 Run:
priority priority
The priority of the E-Trunk is set. The E-Trunk priority is applied to master/backup negotiation between two devices. The device of higher priority is the master. A smaller priority value indicates a higher priority. If the priorities of two devices are the same, the device with the smaller system ID is the master. By default, the priority of an E-Trunk is 100. ----End
2.6.4 Configuring Local and Peer IP Addresses of an E-Trunk

E-Trunk packets are sent through the local IP address and port configured on the local device. When changing the local IP address or peer IP address on a device, you must change the corresponding address on the peer device. Otherwise, LACP packets are discarded.
Context
Procedure
Step 1 Run:
system-view

e-trunk e-trunk-id
The E-Trunk view is displayed. Step 3 Run:

peer-address peer-ip-address source-address source-ip-address
The local and peer IP addresses of the E-Trunk are configured. The peer IP address of the local device is the local IP address of the peer device. For example, an E-Trunk is set up between device A and device B. On device A, the peer IP address is 2.2.2.2 and the local IP address is 1.1.1.1. Then, on device B, the peer IP address is 1.1.1.1 and the local IP address is 2.2.2.2. ----End
2.6.5 Binding an E-Trunk to a BFD Session

If the local device in an E-Trunk cannot detect whether the peer device is faulty by sending ETrunk packets, it can use the Bidirectional Fast Detection (BFD) protocol to detect faults on the peer device. Each E-Trunk needs to be configured with a peer IP address. You can create a BFD session to check whether the route to the peer is reachable. The E-Trunk can detect faults reported by the BFD session and handles the faults quickly. Do as follows on the member devices of the E-Trunk.
Procedure
Step 1 Run:
system-view

e-trunk e-trunk-id

e-trunk track bfd-session session-id
The E-Trunk is bound to a BFD session. BFD sessions are used to fast detect the fault of the control link between the two devices of the E-Trunk. ----End
2.6.6 Adding an Eth-Trunk to an E-Trunk

After configuring an E-Trunk, you must add Eth-Trunks to the E-Trunk to implement link aggregation between the two devices. In this manner, backup of aggregation groups is implemented between devices and the network reliability is enhanced.
Context
Procedure
Step 1 Run:
system-view

The Eth-Trunk interface view is displayed. Only static LACP Eth-Trunks can be added to an E-Trunk. Step 3 Run:
e-trunk e-trunk-id
The Eth-Trunk is added to an E-Trunk. An Eth-Trunk can be added to only one E-Trunk. On the two devices in an E-Trunk, the IDs of the Eth-Trunks added to the E-Trunk must be the same. For example, if you add Eth-Trunk 1 and Eth-Trunk 2 to E-Trunk 1 on device A, you must also add Eth-Trunk 1 and Eth-Trunk 2 to E-Trunk 1 on device B. ----End
2.6.7 (Optional) Configuring the Working Mode of an Eth-Trunk in an E-Trunk

You can configure the working mode of an Eth-Trunk only after adding the Eth-Trunk to an ETrunk. The working mode of an Eth-Trunk can be automatic, forced master, or forced backup.
Context
Procedure
Step 1 Run:
system-view

Issue 01 (2011-10-26)
43
The Eth-Trunk interface view is displayed. Only static LACP Eth-Trunks can be added to an E-Trunk. Step 3 Run:
e-trunk mode { auto | force-master | force-backup }
The working mode of the Eth-Trunk in the E-Trunk is configured. By default, an Eth-Trunk works in automatic mode in an E-Trunk. The e-trunk mode command is valid only for an Eth-Trunk in an E-Trunk. When the Eth-Trunk exits from the E-Trunk, the configuration is cancelled. When the Eth-Trunk works in automatic mode, the master/backup status of the Eth-Trunk is determined by the E-Trunk status of the local device and the fault information of the peer EthTrunk. l If the local E-Trunk is the master, the local Eth-Trunk works in master state. l If the local E-Trunk is the backup and the peer Eth-Trunk is faulty, the local Eth-Trunk works in master state. When the local Eth-Trunk receives the message informing that the peer EthTrunk recovers, the local Eth-Trunk becomes the backup. When the E-Trunk works properly, changing the interval for sending packets or timeout of hello packets make the E-Trunk alternate between the master state and the backup state. Therefore, it is recommended that you set the working mode of a member Eth-Trunk to forcible master/backup before changing the interval for sending packets or the timeout of hello packets. After new configurations take effect, you can restore the working mode to automatic. ----End
2.6.8 (Optional) Setting the Password

An encrypted password can be set to enhance the system security. The encrypted passwords set on the two devices of an E-Trunk must be the same.
Context
You can encrypt the password in plain text or cipher text. l l When the password is encrypted in plain text, it can be displayed in the configuration file. When the password is encrypted in cipher text, it is displayed as unidentifiable characters.
Procedure
Step 1 Run:
system-view

e-trunk e-trunk-id

security-key { simple simple-key | cipher cipher-key }
Issue 01 (2011-10-26)
44
The password for encrypting packets is configured.
CAUTION
If simple is selected, the password is saved in the configuration file in plain text. In this case, users at a lower level can easily obtain the password by viewing the configuration file. This brings security risks. Therefore, it is recommended that you select cipher to save the password in cipher text. ----End
2.6.9 (Optional) Setting the Timeout of Hello Packets

If the backup device in an E-Trunk does not receive any hello packet from the peer device within the timeout interval, it becomes the master device. The timeout interval here refers to the timeout interval contained in the hello packets sent by the peer device rather than that set on the local device.
Context
Procedure
Step 1 Run:
system-view

e-trunk e-trunk-id

timer hello hello-times
The interval for sending Hello packets is set. By default, the value of hello-times is 10. Since the unit is 100 ms, the interval for sending hello packets is 1s. Step 4 Run:
timer hold-on-failure multiplier multiplier
The time multiplier for detecting Hello packets is set. The peer device checks the timeout interval contained in the received packet to check whether the local device times out. If the peer device is the backup and does not receive hello packets from the local device within the timeout interval, the peer device becomes the master. Timeout interval = Interval for sending hello packets x Time multiplier. It is recommended that you set the time multiplier to at least 3.
By default, the time multiplier for detecting hello packets is 20. ----End
2.6.10 (Optional) Setting the Revertive Switching Delay

After the revertive switching delay is set, the local Eth-Trunk must wait until the delay timer times out to become the master again after it recovers from a fault. This delays the revertive switching of the service traffic, ensuring uninterrupted forwarding of the service traffic.
Context
If an E-Trunk works with other services, after the master device recovers from a fault, the status of the member Eth-Trunk on the master device may be restored before other services are restored. If traffic is immediately switched back to the master device, service traffic will be interrupted. After the revertive switching delay is set, the local Eth-Trunk becomes Up only after the delay timer times out. Then the local device becomes the master again. This delays the revertive switching of the service traffic, thus ensuring uninterrupted forwarding of the service traffic. Do as follows on the member devices of the E-Trunk.
Procedure
Step 1 Run:
system-view

e-trunk e-trunk-id

timer revert delay delay-value
The revertive switching delay is set. By default, the revertive switching delay of an E-Trunk is 120 seconds. ----End

After configuring an E-Trunk, you can view information about the E-Trunk, including its priority, system ID, local IP address, peer IP address, revertive switching delay, master/backup status, and cause of status change.
Procedure
l Run the display e-trunk e-trunk-id command to view information about the E-Trunk. ----End
2.7 Configuring an Inter-Chassis Eth-Trunk Interface to Forward Traffic Preferentially Through a Local Member Interface (CSS)
In a cluster switch system (CSS), you are recommended to configure an inter-chassis Eth-Trunk interface to forward traffic preferentially through a local member interface. In this manner, traffic arriving at a chassis is forwarded preferentially through an Eth-Trunk member interface on the chassis.

Before configuring an inter-chassis Eth-Trunk interface to forward traffic preferentially through a local member interface, familiarize yourself with the applicable environment, complete the pre-configuration tasks, and obtain the data required for the configuration. This will help you complete the configuration task quickly and accurately.
Deploying a CSS increases the total capacity of switches. An inter-chassis Eth-Trunk interface helps implement backup between switches, improving reliability. However, an Eth-Trunk interface selects member interfaces to forward traffic based on the hash algorithm. As a result, traffic flowing into a chassis may be forwarded by another chassis. This occupies bandwidth resources between chassis and degrades traffic forwarding efficiency. To prevent this problem, you can configure the inter-chassis Eth-Trunk interface to forward traffic preferentially through a local member interface.
CAUTION
Before configuring an inter-chassis Eth-Trunk interface to forward traffic preferentially through a local member interface, ensure that the outbound bandwidth of Eth-Trunk member interfaces is sufficient for forwarding traffic; otherwise, certain traffic may be discarded.
Issue 01 (2011-10-26)
47
Figure 2-5 Configuring an inter-chassis Eth-Trunk interface to forward traffic preferentially through a local member interface
Eth-Trunk CSS Switch3 Switch3
Eth-Trunk CSS
Switch4
Switch4
Switch2 Switch1
Switch2 Switch1
(a) The inter-chassis EthTrunk interface is not configured to forward traffic preferentially through a local member interface.
(b) The inter-chassis EthTrunk interface is configured to forward traffic preferentially through a local member interface. Special stack cable Data flow 1 Data flow 2
In the CSS shown in Figure 2-5, an Eth-Trunk interface is configured to be the outbound interface of traffic to ensure reliable transmission. Obviously, member interfaces of the EthTrunk interface are on different chassis. When the CSS forwards traffic, the Eth-Trunk interface may select an inter-chassis member interface based on the hash algorithm. This increases bandwidth usage between chassis and degrades traffic forwarding efficiency. To prevent the preceding problem in the case of comprehensive networking with the CSS and trunk interface, Huawei develops the technique to enable an inter-chassis Eth-Trunk interface to forward traffic preferentially through a local member interface. l Traffic is forwarded through a member interface on the local chassis. When a chassis has member interfaces of the Eth-Trunk interface and the member interfaces function properly, the Eth-Trunk forwarding table of the local chassis contains only local member interfaces. In this manner, the hash algorithm selects a local member interface, and traffic is forwarded through the local chassis.
Traffic is forwarded through a member interface on another chassis. When a chassis does not have any member interface of the Eth-Trunk interface or all member interfaces function improperly, the Eth-Trunk forwarding table of the local chassis contains all available member interfaces. In this manner, the hash algorithm selects a member interface on another chassis, and traffic is forwarded through the chassis.
NOTE
l CSS A CSS is a logical device formed by connecting two switches through stack cables. After switches are stacked, interfaces of the CSS are named in the format of chassis ID/slot ID/subcard number/interface number. For example, the number 2 in GE 2/1/0/1 indicates the chassis number. l Inter-chassis Eth-Trunk interface Physical interfaces in the CSS are added to an Eth-Trunk interface. When a switch in the CSS fails or a physical interface added to the Eth-Trunk interface fails, traffic can be transmitted between chassis through stack cables. This ensures reliable transmission and implements device backup.
Before configuring an inter-chassis Eth-Trunk interface to forward traffic preferentially through a local member interface, complete the following task: l l Creating an Eth-Trunk interface and adding physical interfaces to it Connecting devices correctly and completing CSS configurations so that a CSS can be established
Data Preparation
To configure an inter-chassis Eth-Trunk interface to forward traffic preferentially through a local member interface, you need the following data. No. 1 Data ID of the Eth-Trunk interface
2.7.2 Configuring an Inter-Chassis Eth-Trunk Interface to Forward Traffic Preferentially Through a Local Member Interface
To ensure that traffic arriving at a chassis is preferentially forwarded through a member interface of an Eth-Trunk interface on the chassis, configure the Eth-Trunk interface to forward traffic preferentially through a local member interface.
Context
CAUTION
Before configuring an inter-chassis Eth-Trunk interface to forward traffic preferentially through a local member interface, ensure that the outbound bandwidth of Eth-Trunk member interfaces is sufficient for forwarding traffic; otherwise, certain traffic may be discarded.
Issue 01 (2011-10-26)
49
Procedure
Step 1 Run:
system-view

The view of the Eth-Trunk interface that needs to be configured to forward traffic preferentially through a local member interface is displayed. Step 3 Run:
local-preference enable
The Eth-Trunk interface is configured to forward traffic preferentially through a local member interface. By default, an inter-chassis Eth-Trunk interface is enabled from forwarding traffic preferentially through a local Eth-Trunk member interface. ----End

After an inter-chassis Eth-Trunk interface is configured to forward traffic preferentially through a local member interface, you can check information about member interfaces of the Eth-Trunk interface.
Prerequisite
An Eth-Trunk interface has been configured to forward traffic preferentially through a local member interface.
Procedure
l Run the display trunkmembership eth-trunk trunk-id command to check information about member interfaces of the Eth-Trunk interface.
----End
2.8 Maintaining Link Aggregation

This section describes how to clear the statistics of received and sent LACP packets, debug the link aggregation group, and monitor the running status of the link aggregation group.
2.8.1 Clearing Statistics of LACP Packets
Issue 01 (2011-10-26)
50
Context
CAUTION
The statistics of LACP packets cannot be restored after you clear them. So, confirm the action before you use the command.
Procedure
l Run the reset lacp statistics eth-trunk [ trunk-id ] command to clear statistics of received and sent LACP packets.
----End
2.8.2 Debugging the Link Aggregation Group

Context
CAUTION
Debugging affects the performance of the system. So, after debugging, run the undo debugging all command to disable it immediately. When a running fault occurs in the link aggregation group, run the following debugging commands in the user view to check the debugging information, and locate and analyze the fault.
Procedure
l l l l l l l l Run the debugging trunk error command to enable the debugging of Eth-Trunk errors. Run the debugging trunk event command to enable the debugging of Eth-Trunk events. Run the debugging trunk lacp-pdu command to enable the debugging of LACP packets. Run the debugging trunk lagmsg command to enable the debugging of LACP protocol messages. Run the debugging trunk msg command to enable the debugging of Eth-Trunk messages. Run the debugging trunk state-machine command to enable the debugging of Eth-Trunk status machine. Run the debugging trunk updown command to enable the debugging of Eth-Trunk Up and Down messages. Run the debugging trunk command to enable the debugging of Eth-Trunk messages.
----End
2.8.3 Monitoring the Operation Status of the Link Aggregation Group

Context
During the daily maintenance, you can run the following commands in any view to check the operation status of the link aggregation group.
Procedure
l l l Run the display eth-trunk [ trunk-id [ interface interface-type interface-number ] ] command to display the status of the link aggregation group. Run the display lacp statistics eth-trunk [ trunk-id [ interface interface-type interfacenumber ] ] command to display the statistics of sent and received LACP packets. Run the display trunkmembership eth-trunk trunk-id command to display the member interfaces of the Eth-Trunk.
----End

This section provides several configuration examples of link aggregation in manual load balancing mode and in static LACP mode.
2.9.1 Example for Configuring Link Aggregation in Manual Load Balancing Mode
As shown in Figure 2-6, the Switch is connected to the SwitchA through an Eth-Trunk. The link between the Switch and SwitchA must ensure high reliability, and data traffic needs to be load balanced among the LPUs of the Switch. To meet this requirement, you need to configure an inter-board Eth-Trunk on the Switch.
Issue 01 (2011-10-26)
52
Figure 2-6 Networking diagram for configuring link aggregation in manual load balancing mode
SwitchA
Eth-Trunk 60
Eth-Trunk
GE3/0/0 Switch GE1/0/0 VLAN 100-150 LAN Switch
Eth-Trunk 120 GE2/0/0 GE1/0/5 VLAN 151-200 LAN Switch
The configuration roadmap is as follows: 1. 2. Create an Eth-Trunk. Add member interfaces to the Eth-Trunk.
Data Preparation
To complete the configuration, you need the following data: l l Number of the Eth-Trunk Types and numbers of the member interfaces in the Eth-Trunk
Procedure
Step 1 Create an Eth-Trunk. # Create Eth-Trunk 120.
<Quidway> system-view [Quidway] sysname Switch [Switch] interface eth-trunk 120 [Switch-Eth-Trunk120] quit
Step 2 Add member interfaces to the Eth-Trunk.

# Add GE 2/0/0 to Eth-Trunk 120.

[Switch] interface gigabitethernet 2/0/0 [Switch-GigabitEthernet2/0/0] eth-trunk 120 [Switch-GigabitEthernet2/0/0] quit
# Add GE 3/0/0 to Eth-Trunk 120.

[Switch] interface gigabitethernet 3/0/0 [Switch-GigabitEthernet3/0/0] eth-trunk 120 [Switch-GigabitEthernet3/0/0] quit
Step 3 Configure Eth-Trunk 120. # Configure Eth-Trunk 120 to allow packets of VLANs 100 to 200 to pass through.
[Switch] interface eth-trunk 120 [Switch-Eth-Trunk120] port link-type trunk [Switch-Eth-Trunk120] port trunk allow-pass vlan 100 to 200 [Switch-Eth-Trunk120] quit
Step 4 Verify the configuration. Run the display trunkmembership command in any view to check whether Eth-Trunk 120 is created and whether member interfaces are added.
[Switch] display trunkmembership eth-trunk 120 Trunk ID: 120 used status: VALID TYPE: ethernet Working Mode : Normal Number Of Ports in Trunk = 2 Number Of UP Ports in Trunk = 2 operate status: up Interface GigabitEthernet2/0/0, valid, operate up, weight=1, Interface GigabitEthernet3/0/0, valid, operate up, weight=1,
# Display the configuration of Eth-Trunk 120.

[Switch] display eth-trunk 120 Eth-Trunk120's state information is: WorkingMode: NORMAL Hash arithmetic: According to SIP-XOR-DIP Least Active-linknumber: 1 Max Bandwidth-affected-linknumber: 8 Operate status: up Number Of Up Port In Trunk: 2 -------------------------------------------------------------------------------PortName Status Weight GigabitEthernet2/0/0 Up 1 GigabitEthernet3/0/0 Up 1
The preceding information indicates that Eth-Trunk 120 consists of member interfaces GE 2/0/0 and GE 3/0/0. The member interfaces are both in Up state. ----End
Configuration Files
# sysname Switch # interface Eth-Trunk120 port link-type trunk port trunk allow-pass vlan 100 to 200 # interface GigabitEthernet2/0/0 eth-trunk 120
Issue 01 (2011-10-26)
54

# interface GigabitEthernet3/0/0 eth-trunk 120 # return
2.9.2 Example for Configuring Link Aggregation in Static LACP Mode

To improve the bandwidth and the connection reliability, configure the link aggregation group on two directly connected Switches, as shown in Figure 2-7. The requirements are as follows: l l M active links can implement load balancing. N links between two Switches can carry out redundancy backup. When a fault occurs on an active link, the backup link replaces the faulty link to keep the reliability of data transmission.
Figure 2-7 Networking diagram for configuring link aggregation in static LACP mode
Eth-Trunk 1 GE 1/0/1 GE 1/0/2 GE 1/0/3 SwitchA
Eth-Trunk
Eth-Trunk 1 GE 1/0/1 GE 1/0/2 GE 1/0/3 SwitchB
Active link Backup link
The configuration roadmap is as follows: 1. 2. 3. 4. 5. Create an Eth-Trunk on the Switch and configure the Eth-Trunk to work in static LACP mode. Add member interfaces to the Eth-Trunk. Set the system priority and determine the Actor. Set the upper threshold of the active interfaces. Set the priority of the interface and determine the active link.
Data Preparation
To complete the configuration, you need the following data: l l l l Numbers of the link aggregation groups on the Switches System priority of SwitchA Upper threshold of active interfaces LACP priority of the active interface
Issue 01 (2011-10-26)
55
Procedure
Step 1 Create Eth-Trunk 1 and set the load balancing mode of the Eth-Trunk to static LACP mode. # Configure SwitchA.
<Quidway> system-view [Quidway] sysname SwitchA [SwitchA] interface eth-trunk 1 [SwitchA-Eth-Trunk1] mode lacp-static [SwitchA-Eth-Trunk1] quit
# Configure SwitchB.
<Quidway> system-view [Quidway] sysname SwitchB [SwitchB] interface eth-trunk 1 [SwitchB-Eth-Trunk1] mode lacp-static [SwitchB-Eth-Trunk1] quit
Step 2 Add member interfaces to the Eth-Trunk. # Configure SwitchA.

[SwitchA] interface gigabitethernet 1/0/1 [SwitchA-GigabitEthernet1/0/1] eth-trunk 1 [SwitchA-GigabitEthernet1/0/1] quit [SwitchA] interface gigabitethernet 1/0/2 [SwitchA-GigabitEthernet1/0/2] eth-trunk 1 [SwitchA-GigabitEthernet1/0/2] quit [SwitchA] interface gigabitethernet 1/0/3 [SwitchA-GigabitEthernet1/0/3] eth-trunk 1 [SwitchA-GigabitEthernet1/0/3] quit
# Configure SwitchB.
[SwitchB] interface gigabitethernet 1/0/1 [SwitchB-GigabitEthernet1/0/1] eth-trunk 1 [SwitchB-GigabitEthernet1/0/1] quit [SwitchB] interface gigabitethernet 1/0/2 [SwitchB-GigabitEthernet1/0/2] eth-trunk 1 [SwitchB-GigabitEthernet1/0/2] quit [SwitchB] interface gigabitethernet 1/0/3 [SwitchB-GigabitEthernet1/0/3] eth-trunk 1 [SwitchB-GigabitEthernet1/0/3] quit
Step 3 Set the system priority on SwitchA to 100 so that SwitchA becomes the Actor. [SwitchA] lacp priority 100 Step 4 Set the upper threshold M of active interfaces on SwitchA to 2.
[SwitchA] interface eth-trunk 1 [SwitchA-Eth-Trunk1] max active-linknumber 2 [SwitchA-Eth-Trunk1] quit
Step 5 Set the priority of the interface and determine active links on SwitchA.
[SwitchA] interface gigabitethernet [SwitchA-GigabitEthernet1/0/1] lacp [SwitchA-GigabitEthernet1/0/1] quit [SwitchA] interface gigabitethernet [SwitchA-GigabitEthernet1/0/2] lacp [SwitchA-GigabitEthernet1/0/2] quit 1/0/1 priority 100 1/0/2 priority 100
Step 6 Verify the configuration. # Check information about the Eth-Trunk of the Switches and check whether the negotiation is successful on the link.
[SwitchA] display eth-trunk 1 Eth-Trunk1's state information is: Local: LAG ID: 1 WorkingMode: STATIC Preempt Delay: Disabled Hash arithmetic: According to SIP-XOR-DIP System Priority: 100 System ID: 00e0-fca8-0417 Least Active-linknumber: 1 Max Active-linknumber: 2 Operate status: Up Number Of Up Port In Trunk: 2 -----------------------------------------------------------------------------ActorPortName Status PortType PortPri PortNo PortKey PortState Weight GigabitEthernet1/0/1 Selected 1GE 100 6145 2865 11111100 1 GigabitEthernet1/0/2 Selected 1GE 100 6146 2865 11111100 1 GigabitEthernet1/0/3 Unselect 1GE 32768 6147 2865 11100000 1 Partner: -----------------------------------------------------------------------------PartnerPortName SysPri SystemID PortPri PortNo PortKey PortState GigabitEthernet1/0/1 32768 00e0-fca6-7f85 32768 6145 2609 11111100 GigabitEthernet1/0/2 32768 00e0-fca6-7f85 32768 6146 2609 11111100 GigabitEthernet1/0/3 32768 00e0-fca6-7f85 32768 6147 2609 11110000 [SwitchB] display eth-trunk 1 Eth-Trunk1's state information is: Local: LAG ID: 1 WorkingMode: STATIC Preempt Delay: Disabled Hash arithmetic: According to SIP-XOR-DIP System Priority: 32768 System ID: 00e0-fca6-7f85 Least Active-linknumber: 1 Max Active-linknumber: 8 Operate status: Up Number Of Up Port In Trunk: 2 -----------------------------------------------------------------------------ActorPortName Status PortType PortPri PortNo PortKey PortState Weight GigabitEthernet1/0/1 Selected 1GE 32768 6145 2609 11111100 1 GigabitEthernet1/0/2 Selected 1GE 32768 6146 2609 11111100 1 GigabitEthernet1/0/3 Unselect 1GE 32768 6147 2609 11100000 1 Partner: -----------------------------------------------------------------------------PartnerPortName SysPri SystemID PortPri PortNo PortKey PortState GigabitEthernet1/0/1 100 00e0-fca8-0417 100 6145 2865 11111100 GigabitEthernet1/0/2 100 00e0-fca8-0417 100 6146 2865 11111100 GigabitEthernet1/0/3 100 00e0-fca8-0417 32768 6147 2865 11110000
The preceding information shows that the system priority of SwitchA is 100 and it is higher than the system priority of SwitchB. Member interfaces GE1/0/1 and GE1/0/2 become the active interfaces and are in Selected state. Interface GE1/0/3 is in Unselect state. M active links work in load balancing mode and N links are the backup links. ----End
Configuration Files
l Configuration file of SwitchA
# sysname SwitchA #
Issue 01 (2011-10-26)
57

lacp priority 100 # interface Eth-Trunk1 mode lacp-static max active-linknumber 2 # interface GigabitEthernet1/0/1 eth-trunk 1 lacp priority 100 # interface GigabitEthernet1/0/2 eth-trunk 1 lacp priority 100 # interface GigabitEthernet1/0/3 eth-trunk 1 # return
Configuration file of SwitchB
# sysname SwitchB # interface Eth-Trunk1 mode lacp-static # interface GigabitEthernet1/0/1 eth-trunk 1 # interface GigabitEthernet1/0/2 eth-trunk 1 # interface GigabitEthernet1/0/3 eth-trunk 1 # return
2.9.3 Example for Connecting an E-Trunk to a VPLS Network

If no E-Trunk is configured, a CE can be connected to only one PE using an Eth-Trunk. If the Eth-Trunk or the PE is fails, the CE cannot communicate with the PE. After an E-Trunk is configured, the CE can be dual homed to PEs to improve link reliability between devices. As shown in Figure 2-8, CE1 is dual homed to a VPLS network. It is connected to PE1 and PE2 using two Eth-Trunks in static LACP mode. Initially, CE1 communicates with CE2 on the VPLS network through PE1. If PE1 or the EthTrunk between CE1 and PE1 fails, CE1 cannot communicate with CE2. To prevent service interruption, configure an E-Trunk on PE1 and PE2. When communication between CE1 and PE1 fails, traffic is switched to PE2 so that CE1 can communicate with CE2 through PE2. When PE1 or the Eth-Trunk between CE1 and PE1 recovers, traffic is switched back to PE1. The E-Trunk implements backup of link aggregation groups between PE1 and PE2 and hence improves network reliability.
Issue 01 (2011-10-26)
58
Figure 2-8 Networking diagram of the E-Trunk
Loopback1 Eth-Trunk10 Eth-Trunk20 VLAN10 E-Trunk1 CE1 VLAN10 GE1/0/0 Eth-Trunk10 PE2 Loopback1 PE1 GE1/0/0 Loopback1 GE1/0/1 GE1/0/2 PE3 GE1/0/0 CE2
Switch PE1
Interface GigabitEthernet1/0/0 GigabitEthernet1/0/1 GigabitEthernet1/0/2 Loopback1
VLANIF interface VLANIF 100 -
IP address 10.1.1.1/24 1.1.1.9/32
PE2
GigabitEthernet1/0/0 GigabitEthernet1/0/1 GigabitEthernet1/0/2 Loopback1
VLANIF 200 GigabitEthernet1/0/0.1 VLANIF 100 VLANIF 200 -
10.1.2.1/24 2.2.2.9/32 10.1.1.2/24 10.1.2.2/24 3.3.3.9/32
PE3
GigabitEthernet1/0/0 GigabitEthernet1/0/1 GigabitEthernet1/0/2 Loopback1
Issue 01 (2011-10-26)
59
CE1
GigabitEthernet1/0/1 GigabitEthernet1/0/2 GigabitEthernet1/0/3 GigabitEthernet1/0/4
CE2
GigabitEthernet1/0/0
The configuration roadmap is as follows: 1. Configure the E-Trunk as follows: l Create an Eth-Trunk in static LACP mode between CE1 and PE1 and between CE1 and PE2. Add member interfaces to the Eth-Trunks. l Create an E-Trunk on PE1 and PE2 and add the two Eth-Trunks to the E-Trunk. l Set the following parameters of the E-Trunk: E-Trunk priority LACP system ID and LACP priority of the E-Trunk Interval for sending hello packets Time multiplier for detecting hello packets IP addresses of the local end and remote end l Bind the E-Trunk to a BFD session. 2. Configure PEs so that CE1 can access the VPLS network. l Configure a routing protocol on the backbone network to ensure that devices can communicate with each other. l Configure basic MPLS functions and LDP. l Create an LSP tunnel between PEs. l Enable MPLS L2VPN on the PEs. l Configure a VSI and specify LDP as the signaling protocol. l Create Eth-Trunk sub-interfaces and bind the VSI to the sub-interfaces.
Data Preparation
To complete the configuration, you need the following data: l l l l l l
Issue 01 (2011-10-26)
E-Trunk priority LACP system ID and LACP priority of the E-Trunk Numbers and working modes of the Eth-Trunks IP addresses of the Eth-Trunk local end and remote end Interval for sending hello packets and time multiplier for detecting hello packets Same VSI ID on PEs
Huawei Proprietary and Confidential Copyright Huawei Technologies Co., Ltd. 60
l l l
MPLS LSR IDs of PEs VSI name on PEs Interfaces to which the VSI is bound
Procedure
Step 1 Configure VLANs and IP addresses on the PW-side interfaces according to Figure 2-8. Configure a routing protocol on the backbone network to ensure that devices can communicate with each other. OSPF is used in this example. Configuration details are not mentioned here. After the configuration is complete, PE1, PE2, and PE3 use OSPF to discover IP routes to Loopback1 of one another, and they can ping one another. Run the display ip routing-table command on PE1, PE2, and PE3. You can see that the PEs have learned the routes to one another.
NOTE
l The AC-side interface and PW-side interface of a PE cannot be added to the same VLAN; otherwise, a loop occurs. l When configuring OSPF, configure PE1, PE2, and PE3 to advertise 32-bit loopback addresses.
Step 2 Configure an Eth-Trunk in static LACP mode on CE1, PE1, and PE2, and add member interfaces to the Eth-Trunk. Configure Layer 2 forwarding on CE1. # Configure CE1.
[CE1] vlan batch 10 [CE1] interface eth-trunk 20 [CE1-Eth-Trunk20] port link-type trunk [CE1-Eth-Trunk20] port trunk allow-pass vlan 10 [CE1-Eth-Trunk20] mode lacp-static [CE1-Eth-Trunk20] trunkport GigabitEthernet 1/0/1 to 1/0/4 [CE1-Eth-Trunk20] quit
# Configure PE1.
[PE1] interface eth-trunk 10 [PE1-Eth-Trunk10] mode lacp-static [PE1-Eth-Trunk10] trunkport GigabitEthernet 1/0/1 to 1/0/2 [PE1-Eth-Trunk10] quit
# Configure PE2.
[PE2] interface eth-trunk 10 [PE2-Eth-Trunk10] mode lacp-static [PE2-Eth-Trunk10] trunkport GigabitEthernet 1/0/1 to 1/0/2 [PE2-Eth-Trunk10] quit
Step 3 Create an E-Trunk and set the LACP priority, LACP system ID, E-Trunk priority, local and remote IP addresses, time multiplier for detecting hello packets, and interval for sending hello packets. # Configure PE1.
[PE1] e-trunk 1 [PE1-e-trunk-1] quit [PE1] lacp e-trunk priority 1 [PE1] lacp e-trunk system-id 00E0-FC00-0000 [PE1] e-trunk 1 [PE1-e-trunk-1] priority 10 [PE1-e-trunk-1] timer hold-on-failure multiplier 3 [PE1-e-trunk-1] timer hello 9
Issue 01 (2011-10-26)
61
[PE1-e-trunk-1] peer-address 2.2.2.9 source-address 1.1.1.9 [PE1-e-trunk-1] quit
# Configure PE2.
[PE2] e-trunk 1 [PE2-e-trunk-1] quit [PE2] lacp e-trunk priority 1 [PE2] lacp e-trunk system-id 00E0-FC00-0000 [PE2] e-trunk 1 [PE2-e-trunk-1] priority 20 [PE2-e-trunk-1] quit [PE2] e-trunk 1 [PE2-e-trunk-1] peer-address 1.1.1.9 source-address 2.2.2.9 [PE2-e-trunk-1] quit
Step 4 Add the Eth-Trunks to the E-Trunk. # Configure PE1.

[PE1] e-trunk 1 [PE1-e-trunk-1] quit [PE1] interface eth-trunk 10 [PE1-Eth-Trunk10] e-trunk 1 [PE1-Eth-Trunk10] quit
# Configure PE2.
[PE2] e-trunk 1 [PE2-e-trunk-1] quit [PE2] interface eth-trunk 10 [PE2-Eth-Trunk10] e-trunk 1 [PE2-Eth-Trunk10] quit
Step 5 Bind the E-Trunk to a BFD session. l Create a BFD session. # Configure PE1.
[PE1] bfd [PE1-bfd] quit [PE1] bfd hello bind peer-ip 2.2.2.9 source-ip 1.1.1.9 [PE1-bfd-session-hello] discriminator local 1 [PE1-bfd-session-hello] discriminator remote 2 [PE1-bfd-session-hello] commit [PE1-bfd-session-hello] quit
The IP addresses of the local and remote ends of a BFD session must be the same as those of the E-Trunk. # Configure PE2.
[PE2] bfd [PE2-bfd] quit [PE2] bfd hello bind peer-ip 1.1.1.9 source-ip 2.2.2.9 [PE2-bfd-session-hello] discriminator local 2 [PE2-bfd-session-hello] discriminator remote 1 [PE2-bfd-session-hello] commit [PE2-bfd-session-hello] quit
l Bind E-Trunk 1 to the BFD session. # Configure PE1.

[PE1] e-trunk 1 [PE1-e-trunk-1] e-trunk track bfd-session 1 [PE1-e-trunk-1] quit
# Configure PE2.
[PE2] e-trunk 1 [PE2-e-trunk-1] e-trunk track bfd-session 2
Issue 01 (2011-10-26)
62

[PE2-e-trunk-1] quit
Step 6 Configure PEs so that CE1 can access the VPLS network. 1. 2. Configure basic MPLS functions and LDP on PE1, PE2, and PE3. Configuration details are not mentioned here. Create remote LDP sessions between PEs. Configuration details are not mentioned here. After completing the configuration, run the display mpls ldp session command on the PEs. You can see that the LDP session status is Operational, indicating that LDP sessions have been set up. 3. 4. 5. Enable MPLS L2VPN on PE1, PE2, and PE3. Configuration details are not mentioned here. Create a VSI on PE1,PE2, and PE and specify LDP as the signaling protocol in the VSI. Configuration details are not mentioned here. Configure an Eth-Trunk sub-interface on PE1 and PE2, and bind the VSI to the Eth-Trunk sub-interface. # Configure PE1.
[PE1] interface Eth-Trunk 10.1 [PE1-Eth-Trunk10.1] control-vid 300 dot1q-termination [PE1-Eth-Trunk10.1] dot1q termination vid 10 [PE1-Eth-Trunk10.1] l2 binding vsi ldp1 [PE1-Eth-Trunk10.1] quit
# Configure PE2.
[PE2] interface Eth-Trunk 10.1 [PE2-Eth-Trunk10.1] control-vid 300 dot1q-termination [PE2-Eth-Trunk10.1] dot1q termination vid 10 [PE2-Eth-Trunk10.1] l2 binding vsi ldp1 [PE2-Eth-Trunk10.1] quit
6.
Configure a sub-interface on PE3, and bind the VSI to the sub-interface. # Configure PE3.
[PE3] interface gigabitethernet 1/0/0.1 [PE3-GigabitEthernet1/0/0.1] control-vid 300 dot1q-termination [PE3-GigabitEthernet1/0/0.1] dot1q termination vid 10 [PE3-GigabitEthernet1/0/0.1] l2 binding vsi ldp1 [PE3-GigabitEthernet1/0/0.1] quit
Step 7 Verify the configuration. l # Run the display eth-trunk command on CE1 to check the Eth-Trunk configuration. l # Run the display e-trunk command to check information about the E-Trunk. # Check information about E-Trunk1 on PE1.
<PE1> display e-trunk 1 The E-Trunk information E-TRUNK-ID : 1 Revert-Delay-Time (s) : 120 Priority : 10 System-ID : 00e0-0f74-eb00 Peer-IP : 2.2.2.9 Source-IP : 1.1.1.9 State : Master Causation : PRI Send-Period (100ms) : 9 Fail-Time (100ms) : 27 Receive : 41 Send : 42 RecDrop : 0 SndDrop : 0 Peer-Priority : 20 Peer-System-ID : 00e0-3b6c-6100 Peer-Fail-Time (100ms) : 27 BFD-Session : 1 ------------------------------------------------------------------------------The Member information
Issue 01 (2011-10-26)
63

Type Eth-Trunk ID 10 LocalPhyState Up Work-Mode auto

State Master Causation PEER_MEMBER_DOWN
# Check information about E-Trunk1 on PE2.

<PE2> display e-trunk 1 The E-Trunk information E-TRUNK-ID : 1 Revert-Delay-Time (s) : 120 Priority : 20 System-ID : 00e0-3b6c-6100 Peer-IP : 1.1.1.9 Source-IP : 2.2.2.9 State : Backup Causation : PRI Send-Period (100ms) : 9 Fail-Time (100ms) : 27 Receive : 43 Send : 42 RecDrop : 3 SndDrop : 0 Peer-Priority : 10 Peer-System-ID : 00e0-0f74-eb00 Peer-Fail-Time (100ms) : 27 BFD-Session : 2 ------------------------------------------------------------------------------The Member information Type ID LocalPhyState Work-Mode State Causation Eth-Trunk 10 Down auto Backup PEER_MEMBER_UP
The preceding information shows that the E-Trunk priority on PE1 is 10, and the E-Trunk status is Master; the E-Trunk priority on PE2 is 20, and the E-Trunk status is Backup. Link backup is implemented. ----End
Configuration Files
l Configuration file of CE1
# sysname CE1 # vlan batch 10 # interface Eth-Trunk20 port link-type trunk port trunk allow-pass vlan 10 mode lacp-static # interface GigabitEthernet1/0/1 eth-trunk 20 # interface GigabitEthernet1/0/2 eth-trunk 20 # interface GigabitEthernet1/0/3 eth-trunk 20 # interface GigabitEthernet1/0/4 eth-trunk 20 # return
Configuration file of PE1

# sysname PE1 # vlan batch 100 # e-trunk 1 # lacp e-trunk system-id 00e0-fc00-0000 lacp e-trunk priority 1 # e-trunk 1 priority 10 peer-address 2.2.2.9 source-address 1.1.1.9
Issue 01 (2011-10-26)
64

timer hello 9 e-trunk track bfd-session 1 # bfd # mpls lsr-id 1.1.1.9 mpls # mpls l2vpn # vsi ldp1 static pwsignal ldp vsi-id 2 peer 3.3.3.9 # mpls ldp # mpls ldp remote-peer 3.3.3.9 remote-ip 3.3.3.9 # interface Vlanif 100 ip address 10.1.1.1 255.255.255.0 mpls mpls ldp # interface Eth-Trunk10 mode lacp-static e-trunk 1 # interface Eth-Trunk10.1 control-vid 300 dot1q-termination dot1q termination vid 10 l2 binding vsi ldp1 # interface GigabitEthernet1/0/0 port link-type trunk port trunk allow-pass vlan 100 # interface GigabitEthernet1/0/1 eth-trunk 10 # interface GigabitEthernet1/0/2 eth-trunk 10 # interface LoopBack1 ip address 1.1.1.9 255.255.255.255 # bfd hello bind peer-ip 2.2.2.9 source-ip 1.1.1.9 discriminator local 1 discriminator remote 2 commit # ospf 1 area 0.0.0.0 network 1.1.1.9 0.0.0.0 network 10.1.1.0 0.0.0.255 # return

# sysname PE2 # vlan batch 200 # e-trunk 1 # lacp e-trunk system-id 00e0-fc00-0000 lacp e-trunk priority 1 #
Issue 01 (2011-10-26)
65

e-trunk 1 priority 20 peer-address 1.1.1.9 source-address 2.2.2.9 timer hello 9 e-trunk track bfd-session 2 # bfd # mpls lsr-id 2.2.2.9 mpls # mpls l2vpn # vsi ldp1 static pwsignal ldp vsi-id 2 peer 3.3.3.9 # mpls ldp # mpls ldp remote-peer 3.3.3.9 remote-ip 3.3.3.9 # interface Vlanif 200 ip address 10.1.2.1 255.255.255.0 mpls mpls ldp # interface Eth-Trunk 10 mode lacp-static e-trunk 1 # interface Eth-Trunk10.1 control-vid 300 dot1q-termination dot1q termination vid 10 l2 binding vsi ldp1 # interface GigabitEthernet1/0/0 port link-type trunk port trunk allow-pass vlan 200 # interface GigabitEthernet1/0/1 eth-trunk 10 # interface GigabitEthernet1/0/2 eth-trunk 10 # interface LoopBack1 ip address 2.2.2.9 255.255.255.255 # bfd hello bind peer-ip 1.1.1.9 source-ip 2.2.2.9 discriminator local 2 discriminator remote 1 commit # ospf 1 area 0.0.0.0 network 2.2.2.9 0.0.0.0 network 10.1.2.0 0.0.0.255 # return

# sysname PE3 # vlan batch 100 200 # mpls lsr-id 3.3.3.9 mpls
Issue 01 (2011-10-26)
66

# mpls l2vpn # vsi ldp1 static pwsignal ldp vsi-id 2 peer 1.1.1.9 peer 2.2.2.9 # mpls ldp # mpls ldp remote-peer 1.1.1.9 remote-ip 1.1.1.9 # mpls ldp remote-peer 2.2.2.9 remote-ip 2.2.2.9 # interface Vlanif 100 ip address 10.1.1.2 255.255.255.0 mpls mpls ldp # interface Vlanif 200 ip address 10.1.2.2 255.255.255.0 mpls mpls ldp # interface GigabitEthernet1/0/0 port link-type trunk port trunk allow-pass vlan 10 # interface GigabitEthernet1/0/0.1 control-vid 300 dot1q-termination dot1q termination vid 10 l2 binding vsi ldp1 # interface GigabitEthernet1/0/1 port link-type trunk port trunk allow-pass vlan 100 # interface GigabitEthernet1/0/2 port link-type trunk port trunk allow-pass vlan 200 # interface LoopBack1 ip address 3.3.3.9 255.255.255.255 # ospf 1 area 0.0.0.0 network 3.3.3.9 0.0.0.0 network 10.1.2.0 0.0.0.255 network 10.1.1.0 0.0.0.255 # return
2.9.4 Example for Configuring an Inter-Chassis Eth-Trunk Interface to Forward Traffic Preferentially Through a Local Member Interface
In the networking with a CSS, an Eth-Trunk interface is configured to be the outbound interface of traffic to ensure reliable transmission. After the inter-chassis Eth-Trunk interface is configured to forward traffic preferentially through a local member interface, traffic arriving at a chassis is preferentially forwarded through a member interface on the chassis.
Issue 01 (2011-10-26)
67
On the network shown in Figure 2-9, switch 3 and switch 4 are connected through stack cables to increase the total capacity of devices. In this manner, the two switches are considered as a logical switch. To implement backup between devices and improve reliability, physical interfaces on the two switches are added to an Eth-Trunk interface. In normal conditions, when checking information about member interfaces on the PE, you can find that traffic from VLAN 2 is forwarded through GE 1/0/2 rather than GE 1/0/1; traffic from VLAN 3 is forwarded through GE 1/0/2. To ensure that traffic from VLAN 2 is forwarded through GE 1/0/1 and traffic from VLAN 3 is forwarded through GE 1/0/2, configure the Eth-Trunk interface to forward traffic preferentially through a local member interface. Figure 2-9 Configuring an Eth-Trunk interface to forward traffic preferentially through a local member interface
Network
PE GE1/0/1 GE1/0/2 Eth-Trunk 10
GE1/1/0/4 Switch3 GE1/1/0/3 GE1/0/2 Switch1 GE1/0/1
GE2/1/0/4
CSS
GE2/1/0/3 Switch4 GE1/0/2 Switch2 GE1/0/1
VLAN 2
VLAN 3
Special stack cable VLAN 2 data flow VLAN 3 data flow

The configuration roadmap is as follows: 1. 2. 3. 4. Create an Eth-Trunk interface. Add member interfaces to the Eth-Trunk interface. Configure the Eth-Trunk interface to forward traffic preferentially through a local member interface. Configure the Layer 2 forwarding function.
Data Preparation
To complete the configuration, you need the following data: l l ID of the Eth-Trunk interface Number of the interfaces to be added to the Eth-Trunk interface
Procedure
Step 1 Create an Eth-Trunk interface and configure the ID of a VLAN from which packets can pass through the Eth-Trunk interface. # Configure the CSS.
<Quidway> system-view [Quidway] sysname CSS [CSS] interface eth-trunk 10 [CSS-Eth-Trunk10] port link-type trunk [CSS-Eth-Trunk10] port trunk allow-pass vlan all [CSS-Eth-Trunk10] quit
# Configure the PE.

<Quidway> system-view [Quidway] sysname PE [PE] interface eth-trunk 10 [PE-Eth-Trunk10] port link-type trunk [PE-Eth-Trunk10] port trunk allow-pass vlan all [PE-Eth-Trunk10] quit
Step 2 Add member interfaces to the Eth-Trunk interface. # Configure the CSS.
[CSS] interface gigabitethernet 1/1/0/4 [CSS-GigabitEthernet1/1/0/4] eth-trunk 10 [CSS-GigabitEthernet1/1/0/4] quit [CSS] interface gigabitethernet 2/1/0/4 [CSS-GigabitEthernet2/1/0/4] eth-trunk 10 [CSS-GigabitEthernet2/1/0/4] quit
# Configure the PE.

[PE] interface gigabitethernet 1/0/1 [PE-GigabitEthernet1/0/1] eth-trunk 10 [PE-GigabitEthernet1/0/1] quit [PE] interface gigabitethernet 1/0/2 [PE-GigabitEthernet1/0/2] eth-trunk 10 [PE-GigabitEthernet1/0/2] quit
Issue 01 (2011-10-26)
69
Step 3 In the CSS view, configure the Eth-Trunk interface to forward traffic preferentially through a local member interface.
[CSS] interface eth-trunk 10 [CSS-Eth-Trunk10] local-preference enable [CSS-Eth-Trunk10] quit
Step 4 Configure the Layer 2 forwarding function. # Configure the CSS.

[CSS] vlan batch 2 3 [CSS] interface gigabitethernet 1/1/0/3 [CSS-GigabitEthernet1/1/0/3] port link-type trunk [CSS-GigabitEthernet1/1/0/3] port trunk allow-pass vlan 2 [CSS-GigabitEthernet1/1/0/3] quit [CSS] interface gigabitethernet 2/1/0/3 [CSS-GigabitEthernet2/1/0/3] port link-type trunk [CSS-GigabitEthernet2/1/0/3] port trunk allow-pass vlan 3 [CSS-GigabitEthernet2/1/0/3] quit
# Configure switch 1.
<Quidway> system-view [Quidway] sysname Switch1 [Switch1] vlan 2 [Switch1-vlan2] quit [Switch1] interface gigabitethernet [Switch1-GigabitEthernet1/0/1] port [Switch1-GigabitEthernet1/0/1] port [Switch1-GigabitEthernet1/0/1] quit [Switch1] interface gigabitethernet [Switch1-GigabitEthernet1/0/2] port [Switch1-GigabitEthernet1/0/2] port [Switch1-GigabitEthernet1/0/2] quit
1/0/1 link-type trunk trunk allow-pass vlan 2 1/0/2 link-type trunk trunk allow-pass vlan 2
# Configure switch 2.
<Quidway> system-view [Quidway] sysname Switch2 [Switch2] vlan 3 [Switch2-vlan3] quit [Switch2] interface gigabitethernet [Switch2-GigabitEthernet1/0/1] port [Switch2-GigabitEthernet1/0/1] port [Switch2-GigabitEthernet1/0/1] quit [Switch2] interface gigabitethernet [Switch2-GigabitEthernet1/0/2] port [Switch2-GigabitEthernet1/0/2] port [Switch2-GigabitEthernet1/0/2] quit
1/0/1 link-type trunk trunk allow-pass vlan 3 1/0/2 link-type trunk trunk allow-pass vlan 3
Step 5 Verify the configuration. Run the display trunkmembership eth-trunk command in any view. You can view information about member interfaces of the Eth-Trunk interface. For example: Take the display on the CSS as an example.
<CSS> display trunkmembership eth-trunk 10 Trunk ID: 10 used status: VALID TYPE: ethernet Working Mode : Normal Number Of Ports in Trunk = 2 Number Of UP Ports in Trunk = 2 operate status: up
Issue 01 (2011-10-26)
70
Interface GigabitEthernet1/1/0/4, valid, operate up, weight=1, Interface GigabitEthernet2/1/0/4, valid, operate up, weight=1,
----End
Configuration Files
l Configuration file of the CSS
# sysname CSS # vlan batch 2 3 # interface Eth-Trunk10 port link-type trunk port trunk allow-pass vlan 2 to 4094 # interface GigabitEthernet1/1/0/3 port link-type trunk port trunk allow-pass vlan 2 # interface GigabitEthernet2/1/0/3 port link-type trunk port trunk allow-pass vlan 3 # interface GigabitEthernet1/1/0/4 eth-trunk 10 # interface GigabitEthernet2/1/0/4 eth-trunk 10 # return
Configuration file of the PE

# sysname PE # interface Eth-Trunk10 port link-type trunk port trunk allow-pass vlan 2 to 4094 # interface GigabitEthernet1/0/1 eth-trunk 10 # interface GigabitEthernet1/0/2 eth-trunk 10 # return
Configuration file of switch 1

# sysname Switch1 # vlan batch 2 # interface GigabitEthernet1/0/1 port link-type trunk port trunk allow-pass vlan 2 # interface GigabitEthernet1/0/2 port link-type trunk port trunk allow-pass vlan 2 # return
Configuration file of switch 2

# sysname Switch2
Issue 01 (2011-10-26)
71

# vlan batch 3 # interface GigabitEthernet1/0/1 port link-type trunk port trunk allow-pass vlan 3 # interface GigabitEthernet1/0/2 port link-type trunk port trunk allow-pass vlan 3 # return
Issue 01 (2011-10-26)
72
3 VLAN Configuration
3
About This Chapter
VLAN Configuration
Virtual Local Area Networks (VLANs) have advantages of broadcast domain isolation, security enhancement, flexible networking, and good extensibility. 3.1 Introduction The VLAN technology is important for forwarding on Layer 2 networks. This section describes the background, functions, and advantages of the VLAN technology. 3.2 VLAN Features Supported by the S9300 This section describes VLAN features supported by the S9300 to help you understand VLAN configurations. 3.3 Dividing a LAN into VLANs A LAN can be divided into several VLANs and users in each VLAN can communicate with each other. Currently, the S9300 supports several VLAN division modes. You can choose one of them as required. 3.4 Creating a VLANIF Interface VLANIF interfaces are Layer 3 logical interfaces. After creating VLANIF interfaces on Layer 2 devices, you can configure Layer 3 features on these interfaces. 3.5 Configuring Inter-VLAN Communication Configuring inter-VLAN communication allows users in different VLANs to communicate with each other. Currently, the S9300 supports several inter-VLAN communication schemes. Choose one of them as required. 3.6 Configuring VLAN Aggregation to Save IP Addresses VLAN aggregation prevents the waste of IP addresses and implements inter-VLAN communication. 3.7 Configuring a MUX VLAN to Separate Layer 2 Traffic Configuring a MUX VLAN allows users in different VLANs to communicate with each other, and separates users in a certain VLAN. 3.8 Configuring a Voice VLAN to Transmit Voice Data A voice VLAN is used to transmit voice data. 3.9 Configuring an mVLAN to Implement Integrated Management
Configuring an mVLAN allows users to use the IP address of the VLANIF interface corresponding to the mVLAN to log in to a management switch to manage devices attached to the switch. 3.10 Configuring VLAN Transparent Transport VLAN transparent transport improves forwarding efficiency. A switch directly forwards packets of a specific VLAN without sending the packets to its CPU. 3.11 Maintaining VLAN A command of clearing statistics helps to locate the faults in a VLAN. 3.12 Configuration Examples This section provides several examples of VLAN configuration.
Issue 01 (2011-10-26)
74
3.1 Introduction
The VLAN technology is important for forwarding on Layer 2 networks. This section describes the background, functions, and advantages of the VLAN technology.
Overview of VLAN
The Ethernet technology is for sharing communication mediums and data based on the Carrier Sense Multiple Access/Collision Detect (CSMA/CD). If there are a large number of PCs on an Ethernet network, collision becomes a serious problem and can lead to broadcast storms. As a result, network performance deteriorates. This can even cause the Ethernet network to become unavailable. Switches can be used to interconnect local area networks (LANs). Switches forward information received by inbound ports to specified outbound ports, thereby preventing access collision in a shared medium. If no specified outbound port is found for information received by an inbound port, the switch will forward the information from all ports except the inbound port. This forms a broadcast domain. To prevent broadcast domains from being too broad and causing problems, you can divide a network into segments. In this manner, a large broadcast domain is divided into multiple small broadcast domains to confine the possible scope of broadcast packets. Routers can be deployed at the network layer to separate broadcast domains, but this method has disadvantages, which include: complex network planning, inflexible networking, and high levels of expenditure. The Virtual Local Area Network (VLAN) technology can divide a large Layer 2 network into broadcast domains to prevent broadcast storms and protect network security.
Definition of VLAN
The VLAN technology is used to divide a physical LAN into multiple logical broadcast domains, each of which is called a VLAN. Each VLAN contains a group of PCs that have the same requirements. A VLAN has the same attributes as a LAN. PCs of a VLAN can be placed on different LAN segments. If two PCs are located on one LAN segment but belong to different VLANs, they do not broadcast packets to each other. With VLAN, the broadcast traffic volume is reduced; fewer devices are required; network management is simplified; and network security is improved. Figure 3-1 shows a typical VLAN application. Three switches are placed in different locations, for example, different stories of an office building. The VLAN technology allows enterprises to share LAN facilities and ensures information security for each enterprise network.
Issue 01 (2011-10-26)
75
Figure 3-1 Schematic diagram for a typical VLAN application
Router
Switch1
Switch2
Switch3
VLAN-A VLAN-B VLAN-C
This application shows the following VLAN advantages: l l l l Broadcast domains are confined. A broadcast domain is confined to a VLAN. This saves bandwidth and improves network processing capabilities. Network security is enhanced. Packets from different VLANs are separately transmitted. PCs in one VLAN cannot directly communicate with PCs in another VLAN. Network robustness is improved. A fault in a VLAN does not affect PCs in other VLANs. Virtual groups are set up flexibly. With the VLAN technology, PCs in different geographical areas can be grouped together. This facilitates network construction and maintenance.
Basic VLAN Concepts and Principles

l 802.1Q and VLAN frame format A conventional Ethernet frame is encapsulated with the Length/Type field for an upperlayer protocol following the Destination address and Source address fields, as shown in Figure 3-2. Figure 3-2 Conventional Ethernet frame format
6bytes Destination address
6bytes 2bytes 46-1500bytes 4bytes Source Data FCS Length/Type address
IEEE 802.1Q is an Ethernet networking standard for a specified Ethernet frame format. It adds a 32-bit field between the Source address and the Length/Type fields of the original frame, as shown in Figure 3-3.
Figure 3-3 802.1Q frame format 6bytes 6bytes 4bytes 2bytes 42-1500bytes 4bytes Length/ Type Data FCS Destination Source 802.1Q address address Tag
TPID 2bytes
PRI
CFI VID
3bits 1bit 12bits
Tag Protocol Identifier (TPID): a 16-bit field set to a value of 0x8100 in order to identify the frame as an IEEE 802.1Q-tagged frame. If an 802.1Q-incapable device receives an 802.1Q frame, it will discard the frame. Priority (PRI): a 3-bit field which indicates the frame priority. The value ranges from 0 to 7. The greater the value, the higher the priority. These values can be used to prioritize different classes of traffic to ensure that frames with high priorities are transmitted first when traffic is heavy. Canonical Format Indicator (CFI): a 1-bit field. If the value of this field is 1, the MAC address is in the non-canonical format. If the value is 0, the MAC address is in the canonical format. CFI is used to ensure compatibility between Ethernet networks and Token Ring networks. It is always set to zero for Ethernet switches. VLAN Identifier (VID): a 12-bit field specifying the VLAN to which the frame belongs. On the S9300, VLAN IDs range from 0 to 4095. The values 0 and 4095 are reserved, and therefore VLAN IDs range from 1 to 4094. Each frame sent by an 802.1Q-capable switch carries a VLAN ID. On a VLAN, Ethernet frames are classified into the following types: Tagged frames: frames with 32-bits 802.1Q tags. Untagged frames: frames without 32-bits 802.1Q tags. l VLAN division methods Table 3-1 shows VLAN division methods. Table 3-1 VLAN division methods VLAN Division Method Port-based VLAN division Definition
VLANs are configured based on ports on a switch. For example, ports 1 to 4 on a switch are added to VLAN 2; ports 5 to 8 are added to VLAN 3. Ports on different Ethernet switches can be added to one VLAN. For example, ports 1 to 4 on switch A and ports 3 to 6 on switch B can be added to the same VLAN. Each switch maintains a VLAN mapping table that records mappings between local ports and VLANs.
Issue 01 (2011-10-26)
77
VLAN Division Method MAC addressbased VLAN division IP subnet-based VLAN division
Definition
PCs are added to VLANs based on their MAC addresses. A switch maintains a VLAN mapping table that records mappings between MAC addresses and VLANs. VLANs are configured based on IP addresses of PCs. PCs belonging to one IP subnet are added to the same VLAN. A switch maintains a VLAN mapping table that records mappings between IP subnets and VLANs.
Protocol-based VLAN division
VLANs are configured based on the Length/Type fields in Layer 2 frames. Currently, IPv4, IPv6, IPX, or AppleTalk can be specified in the Length/Type field of a Layer 2 frame to indicate the running network protocol. A switch maintains a VLAN mapping table that records mappings between protocols and VLANs.
Policy-based VLAN division
PCs are added to VLANs based on their MAC and IP addresses. A switch maintains a VLAN mapping table that records mappings between MAC addresses, IP addresses, interfaces, and VLANs.
Type of VLAN links Figure 3-4 Schematic diagram for VLAN links
VLAN3 PC3 VLAN3 PC4
Access link 3 3 2
Trunk link CE1
Trunk link CE2
3 2
PE 2 Access link
PC1 VLAN2
PC2 VLAN2
As shown in Figure 3-4, there are the following types of VLAN links:
Access link: connects a PC to a switch. Generally, a PC does not know which VLAN it belongs to, and PC hardware cannot distinguish frames with VLAN tags. Therefore, PCs send and receive only untagged frames. Trunk link: connects a switch to another switch or to a router. Data of different VLANs are transmitted along a trunk link. The two ends of a trunk link must be able to distinguish frames with VLAN tags. Therefore, only tagged frames are transmitted along trunk links. l Port types Table 3-2 lists VLAN port types. Table 3-2 Port types Port Type Method of Processing Received Untagged Frames Accepts an untagged frame and adds a tag with the default VLAN ID to the frame. Method of Processing Received Tagged Frames l Accepts a tagged frame if the VLAN ID carried in the frame is the same as the default VLAN ID. l Discards a tagged frame if the VLAN ID carried in the frame is different from the default VLAN ID. Method of Sending Frames Application
Access port
Removes the tag from a frame and sends the frame.
An access port connects a switch to a PC and can be added to only one VLAN.
Issue 01 (2011-10-26)
79
Port Type
Method of Processing Received Untagged Frames l Adds a tag with the default VLAN ID to an untagged frame and accepts the frame if the port permits the default VLAN ID. l Adds a tag with the default VLAN ID to an untagged frame and discards the frame if the port denies the default VLAN ID.
Method of Processing Received Tagged Frames l Accepts a tagged frame if the port permits the VLAN ID carried in the frame. l Discards a tagged frame if the port denies the VLAN ID carried in the frame.
Method of Sending Frames
Application
Trunk port
l Removes the tag from a received frame and sends the frame if the VLAN ID carried in the frame is the same as the default VLAN ID and permitted by the port. l Directly sends a received frame if the VLAN ID carried in the frame is different from the default VLAN ID but permitted by the port. Sends a received frame if the port permits the VLAN ID carried in the frame. A specified command can be used to determine whether a hybrid port sends frames with or without tags.
A trunk port can be added to multiple VLANs to send and receive frames for these VLANs. A trunk port connects a switch to another switch or to a router.
Hybrid port
A hybrid port can be added to multiple VLANs to send and receive frames for these VLANs. A hybrid port can connect a switch to a PC or connect a network device to another network device.
Issue 01 (2011-10-26)
80
Port Type
Method of Processing Received Untagged Frames
Method of Processing Received Tagged Frames
Method of Sending Frames
Application
QinQ port
QinQ ports are enabled with the IEEE 802.1QinQ protocol. A QinQ port adds a tag to a single-tagged frame, and thus supports a maximum of 4094 x 4094 VLAN tags, which meets the requirement of a Networkfor the number of VLANs.
Each access, trunk, hybrid, or QinQ port can be configured with a default VLAN, namely, the port default VLAN ID (PVID) to specify the VLAN to which the port belongs. The PVID of an access port indicates the VLAN to which the port belongs. As a trunk or hybrid port can be added to multiple VLANs, the port must be configured with PVIDs. By default, a port is added to VLAN 1. l Principle for data switching in a VLAN Use the network shown in Figure 3-4 as an example. If PC 1 in VLAN 2 intends to send data to PC 2, the data is forwarded as follows: 1. An access port on CE 1 receives an untagged frame from PC 1 and adds a PVID (VLAN 2) to the frame. CE 1 searches the MAC address table for an outbound port. Then the frame is transmitted from the outbound port.
NOTE
Assume that VLANs are configured based on MAC addresses. After an access port on CE 1 receives an untagged frame from PC 1, the port checks the VLAN mapping table for a VLAN ID corresponding to the source MAC address, and adds a tag with the obtained VLAN ID to the frame.
2.
After the trunk port on CE 1 and PE receives the frame, the port checks whether the VLAN ID carried in the frame is the same as that configured on the port. If the VLAN ID has been configured on the port, the port transparently transmits the frame to CE 2. If the VLAN ID is not configured on the port, the port discards the frame. After a trunk port on CE 2 receives the frame, the system searches the MAC address table for an outbound port which connects CE 2 to PC 2. After the frame is sent to the access port connecting CE 2 to PC 2, the port checks that the VLAN ID carried in the frame is the same as that configured on the port. The port then removes the tag from the frame and sends the untagged frame to PC 2.
3. 4.
VLANIF interface A VLANIF interface is a Layer 3 logical interface, which can be configured on either a Layer 3 switch or a router. Layer 3 switching combines routing and switching techniques to implement routing on a switch, thus improving the overall network performance. After sending the first data flow, a Layer 3 switch generates mappings between MAC addresses and IP addresses. To send the same data flow, the switch directly sends the data flow at Layer 2 but not Layer 3 based on this mapping table.
Issue 01 (2011-10-26)
81
To allow that new data flows are correctly forwarded based on the routing table, be sure that the routing table's routing entries are correct. Therefore, VLANIF interfaces and routing protocols must be configured on Layer 3 switches for reachable Layer 3 routes.
NOTE
Key points are summarized as follows: l l A PC does not need to know the VLAN to which it belongs. It sends only untagged frames. After receiving an untagged frame from a PC, a switching device determines the VLAN to which the frame belongs. The determination is based on the configured VLAN division method such as port information, and then the switching device processes the frame accordingly. If the frame needs to be forwarded to another switching device, the frame must be transparently transmitted along a trunk link. Frames transmitted along trunk links must carry VLAN tags to allow other switching devices to properly forward the frame based on the VLAN information. Before sending the frame to the destination PC, the switching device connected to the destination PC removes the VLAN tag from the frame to ensure that the PC receives an untagged frame.
Generally, only tagged frames are transmitted on trunk links; only untagged frames are transmitted on access links. In this manner, switching devices on the network can properly process VLAN information and PCs are not concerned about VLAN information.
3.2 VLAN Features Supported by the S9300

This section describes VLAN features supported by the S9300 to help you understand VLAN configurations. The VLAN technology helps set up virtual groups to separate broadcast domains and implements both intra-VLAN and inter-VLAN communication. 1. 2. After VLANs are configured, users in a VLAN can communicate with each other. In addition to intra-VLAN communication, users in different VLANs need to communicate with each other sometimes.
NOTE
Intra-VLAN communication and inter-VLAN communication are basic VLAN functions.
3.
The following VLAN features are also supported to meet requirements of special applications and extended functions: l VLAN aggregation: prevents the waste of IP addresses and implements inter-VLAN communication. l MUX VLAN: provides a mechanism to isolate Layer 2 traffic between interfaces in a VLAN. l Voice VLAN: select voice data packets from various packets and changes the priority of voice data packets to improve the voice data transmission quality. l Management VLAN (mVLAN): helps implement integrated management by using a remote device. A user can use the IP address of the VLANIF interface corresponding to the mVLAN to telnet to a management switch. l VLAN transparent transport: improves forwarding efficiency. A switch directly forwards frames of a specific VLAN without sending the frames to its CPU.
VLAN Assignment
VLAN assignment is a basic VLAN configuration. After VLANs are configured, users in a VLAN can communicate with each other. VLANs are configured in different manners, as shown in Table 3-3.
Table 3-3 VLAN assignment in different usage scenarios VLAN Assignment Method Port-based VLAN assignment Advantage Disadvantage Usage Scenario
The configuration is simple. It is the most common VLAN assignment method.
The configuration is not flexible. If a port needs to transmit frames of another VLAN, the port must be deleted from the original VLAN and added to the new VLAN. For a network having a large number of traveling users, the network administrator needs to spend more time on maintenance. A network administrator needs to configure a switch with a MAC address associated with a specific VLAN. For a network with a large number of terminals, configuration will take the network administrator a lot of work before VLANbased communication can be enabled. Switches need to parse the source IP addresses of packets and convert them into MAC addresses. This slows down the response of switches. Switches need to analyze protocol address formats and convert between them. This slows down the response of switches.
Port-based VLAN assignment is applicable to large-scale networks that do not have high security requirements.
MAC addressbased VLAN assignment
If a user travels from one place to another, the user does not need to be added to a new VLAN. This improves security and flexibility for terminal users.
MAC address-based VLAN assignment is applicable to networks that have high security requirements and many traveling users.
IP subnetbased VLAN assignment
Protocolbased VLAN assignment
IP subnet-based and protocol-based VLAN assignment are both called network layerbased VLAN assignment. Network layer-based VLAN assignment greatly reduces the workload of manual configurations and allows users to easily join a VLAN, move from one VLAN to another VLAN, or leave a VLAN.
IP subnet-based VLAN assignment is applicable to networks that have traveling users and require simple management. Currently, VLANs can be configured based on AppleTalk, IPv4, IPv6, or IPX.
Issue 01 (2011-10-26)
83
VLAN Assignment Method Policies-based VLAN assignment
Advantage
Disadvantage
Usage Scenario
MAC and IP addresses-based or MAC addresses, IP addresses and interfaces-based VLAN assignment is of high security. This VLAN assignment method does not allow users to change MAC addresses or IP addresses based on which VLANs are configured. Compared with other VLAN assignment methods, policiesbased VLAN assignment has the highest priority.
Each policy needs to be manually configured.
Policies-based VLAN assignment is applicable to small-scale networks that have strict security requirements and a large number of traveling users.
Inter-VLAN Communication
After VLANs are configured, users in a VLAN can communicate with each other. Users in different VLANs cannot directly communicate with each other. Table 3-4 lists schemes for interVLAN communication.
Issue 01 (2011-10-26)
84
Table 3-4 Schemes for inter-VLAN communication Inter-VLAN Communica tion Scheme Sub-interface Advantage Disadvantage Usage Scenario
After sub-interfaces are configured, users in different VLANs and network segments can communicate with each other as long as routes are reachable.
l Both Layer 2 and Layer 3 devices are required, which increases expenditure. l If multiple users on a network belong to different VLANs, each VLAN requires a sub-interface on a Layer 3 device. Each sub-interface needs to be assigned an IP address. This increases configuration workload and uses up a large number of IP addresses. If multiple users on a network belong to different VLANs, each VLAN requires a VLANIF interface. Each VLANIF interface needs to be assigned an IP address. This increases configuration workload and uses a lot of IP addresses.
This scheme is applicable to smallscale networks on which users belong to different network segments. If Layer 3 forwarding of packets is mainly required, use subinterfaces.
VLANIF interface
After VLANIF interfaces are configured, users in different VLANs and network segments can communicate with each other as long as routes are reachable. Inter-VLAN communication can also be implemented by Layer 3 switches if routes are reachable. This scheme boasts of low operating costs.
This scheme is applicable to smallscale networks on which users belong to different network segments and IP addresses of these users are seldom changed. If a large number of VLANs are configured and both Layer 2 and Layer 3 forwarding of packets are required, use VLANIF interfaces. This scheme is applicable to smallscale and topologystable networks.
VLAN Switch
The system forwards frames without searching the MAC address table, improving forwarding efficiency and network security.
If there are a large number of users connected to a switch, each user needs to be configured with a static forwarding path. This imposes a configuration burden on network administrators.
Issue 01 (2011-10-26)
85
VLAN Aggregation
To implement inter-VLAN communication on switches, configure IP addresses for the VLANIF interfaces. When many VLANs are deployed, a great number of IP addresses are occupied. VLAN aggregation can solve the problem of occupation of excessive IP addresses. VLAN aggregation means that multiple VLANs are aggregated into a super-VLAN. The VLANs that form the super-VLAN is called sub-VLANs. You can create a VLANIF interface for a super-VLAN. Then, you can configure an IP address only for this interface rather than for each sub-VLAN. All sub-VLANs share the same IP network segment, which optimizes the use of IP addresses.
MUX VLAN
A MUX VLAN is used to isolate Layer 2 traffic between interfaces in a VLAN. For example, on an intranet, a user interface can communicate with a server interface, but the user interfaces cannot communicate with each other. In MUX VLAN implementation, VLANs are classified in to MUX VLANs and subordinate VLANs. Subordinate VLANs are classified into subordinate group VLANs and subordinate separate VLANs. The MUX VLAN can communicate with the subordinate VLANs, but the subordinate VLANs cannot communicate with each. Interfaces in a subordinate group VLAN can communicate with each other, but interfaces in a subordinate separate VLAN cannot communicate with each other. You can implement inter-device MUX VLAN by configuring the same MUX VLAN on multiple devices and configuring interfaces between the devices to allow packets of the MUX VLAN. Implementation of inter-device MUX VLAN is the same as the implementation of MUX VLAN on a single device.
VLAN Transparent Transmission

By using the VLAN transparent transmission function, the S9300 directly forwards the protocol packets in the VLAN, without sending the packets to the CPU. If the S9300 is not required to process the protocol packets, you can enable VLAN transparent transmission to improve the performance of the S9300 and protect the S9300 against attacks.
3.3 Dividing a LAN into VLANs

A LAN can be divided into several VLANs and users in each VLAN can communicate with each other. Currently, the S9300 supports several VLAN division modes. You can choose one of them as required.

Before dividing a LAN into VLANs, familiarize yourself with the applicable environment, complete the pre-configuration tasks, and obtain the data required for the configuration. This will help you complete the configuration task quickly and accurately.
Issue 01 (2011-10-26)
86
Currently, the S9300 supports the following VLAN division modes. You can choose one of them as required. Table 3-5 lists VLAN division modes. Table 3-5 VLAN assignment in different usage scenarios VLAN Assignment Method Port-based VLAN assignment Advantage Disadvantage Usage Scenario
The configuration is simple. It is the most common VLAN assignment method.
The configuration is not flexible. If a port needs to transmit frames of another VLAN, the port must be deleted from the original VLAN and added to the new VLAN. For a network having a large number of traveling users, the network administrator needs to spend more time on maintenance. A network administrator needs to configure a switch with a MAC address associated with a specific VLAN. For a network with a large number of terminals, configuration will take the network administrator a lot of work before VLANbased communication can be enabled. Switches need to parse the source IP addresses of packets and convert them into MAC addresses. This slows down the response of switches.
Port-based VLAN assignment is applicable to large-scale networks that do not have high security requirements.
MAC addressbased VLAN assignment
If a user travels from one place to another, the user does not need to be added to a new VLAN. This improves security and flexibility for terminal users.
MAC address-based VLAN assignment is applicable to networks that have high security requirements and many traveling users.
IP subnetbased VLAN assignment
IP subnet-based and protocol-based VLAN assignment are both called network layerbased VLAN assignment. Network layer-based VLAN assignment greatly reduces the workload of manual configurations and allows users to easily
IP subnet-based VLAN assignment is applicable to networks that have traveling users and require simple management.
Issue 01 (2011-10-26)
87
VLAN Assignment Method Protocolbased VLAN assignment
Advantage
Disadvantage
Usage Scenario
join a VLAN, move from one VLAN to another VLAN, or leave a VLAN.
Switches need to analyze protocol address formats and convert between them. This slows down the response of switches. Each policy needs to be manually configured.
Currently, VLANs can be configured based on AppleTalk, IPv4, IPv6, or IPX.
Policies-based VLAN assignment
MAC and IP addresses-based or MAC addresses, IP addresses and interfaces-based VLAN assignment is of high security. This VLAN assignment method does not allow users to change MAC addresses or IP addresses based on which VLANs are configured. Compared with other VLAN assignment methods, policiesbased VLAN assignment has the highest priority.
Policies-based VLAN assignment is applicable to small-scale networks that have strict security requirements and a large number of traveling users.
NOTE
In the case that the S9300 supports multiple VLAN division modes, the priorities of these VLAN division modes are in descending order: 1. Policies-based VLAN division This mode has the highest priority, but is not commonly used. 2. MAC address-based VLAN division and IP subnet-based VLAN division By default, MAC address-based VLAN division is set as the preference. You can run commands to change priorities of these two VLAN division modes. 3. Protocol-based VLAN division 4. Port-based VLAN division Port-based VLAN division has the lowest priority, but is most commonly used.
Before dividing a LAN into VLANs, complete the following task: l Connecting ports and configuring physical parameters of the ports, ensuring that the ports are physically Up
Issue 01 (2011-10-26)
Data Preparation
To dividing a LAN into VLANs, you need the following data. No. 1 2 3 4 5 Data VLAN ID, number of each Ethernet port to be added to the VLAN, and (optional) attribute of Ethernet ports VLAN ID, MAC address mapped to the VLAN and (optional) 802.1p priority value related to the MAC address VLAN ID, (optional) IP subnet index, IP address mapped to the VLAN and (optional) 802.1p priority value related to the IP address or network segment VLAN ID, (optional) protocol template index, protocol type mapped to the VLAN, and (optional) 802.1p priority value related to the protocol VLAN ID, MAC address and IP address mapped to the VLAN and (optional) number of the Ethernet port added to a VLAN based on its MAC and IP addresses
3.3.2 Dividing a LAN into VLANs Based on Ports

Dividing a LAN into VLANs based on ports is the most simple and effective VLAN division mode.
Context
After VLANs are configured based on ports, the VLANs can process tagged and untagged frames in the following manners: l l After receiving an untagged frame, a port adds the PVID to the frame, searches the MAC address table for an outbound port, and sends the tagged frame from the outbound port. After a port receives a tagged frame, it checks the VLAN ID carried in the frame: If the port allows frames with the specified VLAN ID to pass through, it forwards the frame. If the port does not allow frames with the specified VLAN ID to pass through, it discards the frame. The configuration roadmap is as follows: 1. 2. 3. Create VLANs. Configure the port type and features. (1) Configure the port type (access, trunk, hybrid, or QinQ). Add ports to VLANs.
Procedure
Step 1 Run:
system-view

Step 2 Run:
vlan vlan-id
A VLAN is created, and the VLAN view is displayed. If the specified VLAN has been created, the VLAN view is directly displayed. The VLAN ID ranges from 1 to 4094. If VLANs need to be created in batches, run the vlan batch { vlan-id1 [ to vlan-id2 ] } &<1-10> command to create VLANs in batches, and then run the vlan vlan-id command to enter the view of a specified VLAN. Step 3 Run:
quit
The system view is displayed. Step 4 Configure the port type and features. 1. 2. Run the interface interface-type interface-number command to enter the view of an Ethernet port to be added to the VLAN. Run the port link-type { access | hybrid | trunk | dot1q-tunnel } command to configure the port type. By default, the port type is hybrid. l If a Layer 2 Ethernet port is directly connected to a terminal, set the port type to access or hybrid. l If a Layer 2 Ethernet port is connected to another switch, the port type can be set to access, trunk, hybrid, or QinQ. Step 5 Add ports to the VLAN. Run either of the following commands as needed: l For access or QinQ ports: Run the port default vlan vlan-id command to add a port to a specified VLAN. To add ports to a VLAN in batches, run the port interface-type { interface-number1 [ to interface-number2 ] } &<1-10> command in the VLAN view. l For trunk ports: Run the port trunk allow-pass vlan { { vlan-id1 [ to vlan-id2 ] } &<1-10> | all } command to add the port to specified VLANs. (Optional) Run the port trunk pvid vlan vlan-id command to specify the default VLAN for a trunk interface. l For hybrid ports: Run either of the following commands to add a port to VLANs in untagged or tagged mode: Run the port hybrid untagged vlan { { vlan-id1 [ to vlan-id2 ] } &<1-10> | all } command to add a port to VLANs in untagged mode. In untagged mode, a port removes tags from frames and then forwards the frames. This is applicable to scenarios in which Layer 2 Ethernet ports are connected to terminals. Run the port hybrid tagged vlan { { vlan-id1 [ to vlan-id2 ] } &<1-10> | all } command to add a port to VLANs in tagged mode.
In tagged mode, a port forwards frames without removing their tags. This is applicable to scenarios in which Layer 2 Ethernet ports are connected to switches. (Optional) Run the port hybrid pvid vlan vlan-id command to specify the default VLAN of a hybrid interface. By default, all ports are added to VLAN 1. ----End
3.3.3 Dividing a LAN into VLANs Based on MAC Addresses

MAC address-based VLAN division is used if user locations do not need to be concerned. This improves security and flexibility for terminal users.
Context
VLANs configured based on MAC addresses process only untagged frames, and treat tagged frames in the same manner as VLANs configured based on ports. After receiving an untagged frame, a port searches for a MAC-VLAN mapping based on the source MAC address in the frame. l l If a mapping is found, the port forwards the frame based on the VLAN ID and priority value in the mapping. If no matching mapping is found, the port matches the frame with other matching rules.
The configuration roadmap is as follows: 1. 2. 3. Create VLANs. Map MAC addresses to VLAN IDs. Configure the port type and features. (1) Set the port type to hybrid. (2) Configure a port to allow frames with specified VLAN IDs to pass through. 4. (Optional) Configure the highest priority for MAC address-based VLAN division.
NOTE
By default, MAC address-based VLAN division is set as the preference. To use IP subnet-based VLAN division, set a higher priority for it.
5.
Enable MAC address-based VLAN division.
Procedure
Step 1 Run:
system-view

vlan vlan-id
A VLAN is created, and the VLAN view is displayed. If the specified VLAN has been created, the VLAN view is directly displayed.
The VLAN ID ranges from 1 to 4094. If VLANs need to be created in batches, run the vlan batch { vlan-id1 [ to vlan-id2 ] } &<1-10> command to create VLANs in batches, and then run the vlan vlan-id command to enter the view of a specified VLAN. Step 3 Run:
mac-vlan mac-address mac-address [ priority priority ]
Map a MAC address to the VLAN. l The mac-address value is in the H-H-H format. H is a hexadecimal number that contains one to four digits, such as 00e0 and fc01. If an H contains less than four digits, 0s are padded ahead. For example, if you specify an H as e0, it is displayed as 00e0. A MAC address cannot be set to all 0s or all Fs. l The optional parameter priority specifies the 802.1p priority value related to the MAC addresses. The value ranges from 0 to 7. The greater the value, the higher the priority. The default value is 0. After the 802.1p priority value is specified, frames with high priorities are first forwarded when traffic is congested. Step 4 Run:
quit
The system view is displayed. Step 5 Configure the port type and features. 1. 2. 3. Run the interface interface-type interface-number command to enter the view of the port to be configured to allow frames with a specified VLAN ID to pass through. Run the port link-type hybrid command to set the port type to hybrid. By default, the port type is hybrid. Run the port hybrid untagged vlan { { vlan-id1 [ to vlan-id2 ] } &<1-10> | all } command to configure the hybrid port to allow frames with a specified VLAN ID to pass through.
Step 6 (Optional) Run the vlan precedence mac-vlan command to configure a higher priority for MAC address-based VLAN division. By default, MAC address-based VLAN division is set as the preference. Step 7 Run:
mac-vlan enable
MAC address-based VLAN division is enabled. By default, MAC address-based VLAN division is disabled.
NOTE
MAC address-based VLAN assignment conflict with MUX VLAN and port vlan-stacking untagged. They cannot be configured on the same interface.
----End
3.3.4 Dividing a LAN into VLANs Based on IP Subnets

IP subnet-based and protocol-based VLAN division are called network layer-based VLAN division, which reduces manual VLAN configuration workload and allows users to easily join a VLAN, transfer from one VLAN to another, and exit from a VLAN. IP subnet-based VLAN division is applicable to networks that have traveling users and require simple management.
Context
VLANs configured based on IP subnets process only untagged frames. and treat tagged frames in the same manner as VLANs configured based on ports. After receiving untagged frames, a device determines the VLANs to which the frames belong based on their source IP addresses before sending them to corresponding VLANs. The configuration roadmap is as follows: 1. 2. 3. Create VLANs. Associate IP subnets with VLANs to determine mappings between subnets and VLANs. Configure the port type and features. (1) Set the port type to hybrid. (2) Configure a port to allow frames with the specified VLAN IDs to pass through. 4. (Optional) Set a higher priority for IP subnet-based VLAN division.
NOTE
By default, MAC address-based VLAN division is set as the preference. To use IP subnet-based VLAN division, set a higher priority for it.
5.
Enable IP subnet-based VLAN division.
Procedure
Step 1 Run:
system-view

vlan vlan-id
ip-subnet-vlan [ ip-subnet-index ] ip ip-address { mask | mask-length } [ priority priority ]
An IP subnet is associated with the VLAN. l The optional parameter ip-subnet-index specifies the IP subnet index. The subnet index can be specified by a user or automatically generated by the system. l The parameter ip-address specifies the source IP address or network address based on which a VLAN is configured. The value is in dotted decimal notation. l The optional parameter priority specifies the 802.1p priority value related to the VLAN configured based on the IP address or network address. The value ranges from 0 to 7. The greater the value, the higher the priority. The default value is 0. After the 802.1p priority value is specified, frames with high priorities are first forwarded when traffic is congested. Step 4 Run:

quit
The system view is displayed. Step 5 Configure the port type and features. 1. 2. 3. Run the interface interface-type interface-number command to enter the view of the port to be configured to allow frames with the specified VLAN ID to pass through. Run the port link-type hybrid command to set the port type to hybrid. By default, the port type is hybrid. Run the port hybrid untagged vlan { { vlan-id1 [ to vlan-id2 ] } &<1-10> | all } command to allow frames with the specified VLAN ID to pass through.
Step 6 (Optional) Run:

vlan precedence ip-subnet-vlan
IP subnet-based VLAN division is configured with a higher priority. By default, MAC address-based VLAN division is set as the preference. Step 7 Run:
ip-subnet-vlan enable
IP subnet-based VLAN division is enabled. By default, IP subnet-based VLAN division is disabled. ----End
3.3.5 Dividing a LAN into VLANs Based on Protocols

IP subnet-based and protocol-based VLAN division are called network layer-based VLAN division, which reduces manual VLAN configuration workload and allows users to easily join a VLAN, transfer from one VLAN to another, and exit from a VLAN.
Context
VLANs configured based on protocols process only untagged frames. and treat tagged frames in the same manner as VLANs configured based on ports. After receiving an untagged frame, a port identifies the protocol template used by the frame to determine the VLAN to which the frame belongs. l If the port has been added to VLANs corresponding to some protocols, and the protocol template adopted by the frame matches one of these protocols, the port adds the corresponding VLAN ID to the frame. If the port has been added to VLANs corresponding to some protocols, but the protocol template adopted by the frame does not match any one of these protocols, the port adds the PVID to the frame.
The configuration roadmap is as follows: 1. 2. 3. Create VLANs. Associate protocols with VLANs to determine mappings between protocols and VLANs. Configure the port type and features. (1) Set the port type to hybrid.
(2) Configure a port to allow frames with the specified VLAN ID to pass through. (3) Associate ports with VLANs. After receiving a frame associated with a specified protocol, the system automatically assigns the VLAN ID associated with the protocol to the frame.
Procedure
Step 1 Run:
system-view

vlan vlan-id
protocol-vlan [ protocol-index ] { at | ipv4 | ipv6 | ipx { ethernetii | llc | raw | snap } | mode { ethernetii-etype etype-id1 | llc dsap dsap-id ssap ssap-id | snapetype etype-id2 } }
A protocol is associated with a VLAN and the protocol template is specified. l The optional parameter protocol-index specifies the protocol template index. The protocol template is determined by the protocol type and encapsulation format. A protocol VLAN can be defined by a protocol template. l When configuring the source and destination service access points, note the following points: dsap-id and ssap-id cannot be both set to 0xaa. dsap-id and ssap-id cannot be both set to 0xe0, which corresponds to the Logical Link Control (LLC) encapsulation format for IPX packets. dsap-id and ssap-id cannot be both set to 0xff, which corresponds to the RAW encapsulation format for IPX packets. Step 4 Configure the port type and features. 1. 2. 3. 4. Run the interface interface-type interface-number command to enter the view of the port to be configured to allow frames with the specified VLAN ID to pass through. Run the port link-type hybrid command to set the port type to hybrid. By default, the port type is hybrid. Run the port hybrid untagged vlan { { vlan-id1 [ to vlan-id2 ] } &<1-10> | all } command to allow frames with the specified VLAN ID to pass through. Run:
protocol-vlan vlan vlan-id { all | protocol-index1 [ to protocol-index2 ] } [ priority priority ]
The port is associated with the VLAN. l The parameter vlan-id specifies the ID of a VLAN configured based on a protocol.
l The optional parameter priority specifies the 802.1p priority value related to the protocol. The value ranges from 0 to 7. The greater the value, the higher the priority. The default value is 0. After the 802.1p priority value is specified, frames with high priorities are first forwarded when traffic is congested. ----End
3.3.6 Dividing a LAN into VLANs Based on Policies

VLANs configured based on policies are also called policy VLANs. Policy VLANs allow terminals to plug and play and data for different users to be separately transmitted.
Context
A LAN can be divided into VLANs based on MAC and IP addresses or based on MAC and IP addresses and interfaces. To divide a LAN into VLANs based on policies, configure MAC and IP addresses of terminals on a switch and associate pairs of MAC addresses ,IP addresses and interfaces with VLANs. Only users matching a policy can be added to a specified VLAN. If the IP or MAC addresses of users added to a VLAN are changed, they will exit from the VLAN. Policy VLANs process only untagged frames. and treat tagged frames in the same manner as VLANs configured based on ports. After receiving an untagged frame, the device finds a VLAN matching both MAC and IP addresses of the frame, and transmits the frame in the VLAN. The configuration roadmap is as follows: 1. 2. 3. Create VLANs. Associate pairs of MAC and IP addresses with VLANs to divide a LAN into VLANs based on both MAC and IP addresses. Configure the port type and features. (1) Set the port type to hybrid. (2) Configure a port to allow frames with specified MAC and IP addresses to pass through.
Procedure
Step 1 Run:
system-view

vlan vlan-id
policy-vlan mac-address mac-address ip ip-address [ interface interface-type interface-number ] [ priority priority ]
Policy VLAN is configured. If interface interface-type interface-number is not specified, the MAC and IP address policy will be applied to all ports in the VLAN. If interface interface-type interface-number is specified, the MAC and IP address policy will be applied to the specified port in the VLAN. Before deleting a policy VLAN, run the undo policy-vlan command to disable the policy VLAN function. Step 4 Run:
quit
The system view is displayed. Step 5 Configure the port type and features. 1. 2. 3. Run the interface interface-type interface-number command to enter the view of the port to be configured with a policy VLAN. Run the port link-type hybrid command to set the port type to hybrid. By default, the port type is hybrid. Run the port hybrid untagged vlan { { vlan-id1 [ to vlan-id2 ] } &<1-10> | all } command to allow frames with specified MAC and IP addresses to pass through.
----End

After dividing a LAN into VLANs, you can view information about VLANs configured in different modes. For example, which VLANs are classified based on ports or MAC addresses.
Prerequisite
The configurations of VLAN division are complete.
Procedure
l l l l l l Run the display vlan [ vlan-id [ verbose ] ] command to check information about all VLANs or a specified VLAN. Run the display mac-vlan { mac-address { all | mac-address } | vlan vlan-id } command to check information about VLANs configured based on MAC addresses. Run the display ip-subnet-vlan vlan { all | vlan-id1 [ to vlan-id2 ] } command to check information about VLANs configured based on IP subnets. Run the display protocol-vlan vlan { all | vlan-id1 [ to vlan-id2 ] } command to check information about VLANs configured based on protocols. Run the display protocol-vlan interface { all | interface-type interface-number } command to check information about VLANs configured based on protocols associated with ports. Run the display policy-vlan { all | vlan vlan-id } command to check information about policy vlan.
----End
3.4 Creating a VLANIF Interface

VLANIF interfaces are Layer 3 logical interfaces. After creating VLANIF interfaces on Layer 2 devices, you can configure Layer 3 features on these interfaces.

Before creating a VLANIF interface, familiarize yourself with the applicable environment, complete the pre-configuration tasks, and obtain the data required for the configuration. This will help you complete the configuration task quickly and accurately.
Layer 3 switching combines routing and switching techniques to implement routing on a switch, thus improving the overall network performance. After sending the first data flow, a Layer 3 switch generates mappings between MAC addresses and IP addresses. To send the same data flow, the switch directly sends the data flow at Layer 2 but not Layer 3 based on this mapping table. To allow that new data flows are correctly forwarded based on the routing table, be sure that the routing table's routing entries are correct. Therefore, VLANIF interfaces and routing protocols must be configured on Layer 3 switches for reachable Layer 3 routes.
Before creating a VLANIF interface, complete the following task: l Creating a VLAN
Data Preparation
To create a VLANIF interface, you need to the following data. No. 1 2 3 4 Data VLAN ID IP address to be assigned to the VLANIF interface (Optional) Delay after which the VLANIF interface goes Down (Optional) MTU of the VLANIF interface
3.4.2 Creating a VLANIF Interface

Before configure Layer 3 features on a Layer 2 device, you must create a VLANIF interface on the device.
Issue 01 (2011-10-26)
98
Procedure
Step 1 Run:
system-view

interface vlanif vlan-id
A VLANIF interface is created and the VLAIF interface view is displayed. The VLAN ID specified in this command must be the ID of an existing VLAN.
NOTE
A VLANIF interface is Up only when at least one physical port added to the corresponding VLAN is Up.
----End
3.4.3 Assigning an IP Address to a VLANIF Interface

As a VLANIF interface is a Layer 3 logical interface, it can communicate with other interfaces at the network layer only after being assigned an IP address.
Procedure
Step 1 Run:
system-view

The VLANIF interface view is displayed. The VLAN ID specified in this command must be the ID of an existing VLAN. Step 3 Run:
An IP address is assigned to the VLANIF interface for communication at the network layer. ----End
3.4.4 (Optional) Setting a Delay After Which a VLANIF Interface Goes Down
Setting a delay after which a VLANIF interface goes Down prevents network flapping caused by changes of VLANIF interface status. This function is also called VLAN damping.
Context
If a VLAN goes Down because all ports in the VLAN go Down, the system immediately reports the VLAN Down event to the corresponding VLANIF interface, instructing the VLANIF interface to go Down.
To prevent network flapping caused by changes of VLANIF interface status, enable VLAN damping on the VLANIF interface. After the last Up port in a VLAN goes Down, the system starts a delay timer and informs the corresponding VLANIF interface of the VLAN Down event after the timer expires. If a port in the VLAN goes Up during the delay period, the VLANIF interface remains Up.
Procedure
Step 1 Run:
system-view

The VLANIF interface view is displayed. The VLAN ID specified in this command must be the ID of an existing VLAN. Step 3 Run:
damping time delay-time
The delay for VLAN damping is set. The delay-time value ranges from 0 to 20, in seconds. By default, the value is 0 seconds, indicating that VLAN damping is disabled. ----End
3.4.5 (Optional) Setting the MTU of a VLANIF Interface

Context
NOTE
l After changing the maximum transmission unit (MTU) by using the mtu command on a specified interface, you need to restart the interface to make the new MTU take effect. To restart the interface, run the shutdown command and then the undo shutdown command, or run the restart command in the interface view. l If you change the MTU of an interface, you need to change the MTU of the peer interface to the same value by using the mtu command; otherwise, services may be interrupted. l To ensure availability of Layer 3 functions, set the MTU value of the VLANIF interface to be smaller than the maximum length of frames on the physical interface in the corresponding VLAN.
Procedure
Step 1 Run:
system-view

The VLANIF interface view is displayed. Step 3 Run:


mtu mtu
The MTU of the VLANIF interface is set. The MTU of a VLANIF interface ranges from 128 to 9216, in bytes. The default value is 1500.
NOTE
If the MTU is too small whereas the packet size is large, the packet is probably split into many fragments. Therefore, the packet may be discarded due to the insufficient QoS queue length. To avoid this situation, lengthen the QoS queue accordingly.
----End

After a VLANIF interface is configured for communication at the network layer, you can check the IP address and status of a specified VLANIF interface.
Prerequisite
The configurations of a VLANIF interface are complete.
Procedure
l Run the display interface vlanif [ vlan-id ] command to check the physical status, link protocol status, description, and IP address of the VLANIF interface.
----End
3.5 Configuring Inter-VLAN Communication

Configuring inter-VLAN communication allows users in different VLANs to communicate with each other. Currently, the S9300 supports several inter-VLAN communication schemes. Choose one of them as required.

Before configuring inter-VLAN communication, familiarize yourself with the applicable environment, complete the pre-configuration tasks, and obtain the data required for the configuration. This will help you complete the configuration task quickly and accurately.
Currently, schemes listed in Table 3-6 are provided for inter-VLAN communication. You can choose one of them based on the real world situation.
Issue 01 (2011-10-26)
101
Table 3-6 Schemes for inter-VLAN communication Inter-VLAN Communica tion Scheme Sub-interface Advantage Disadvantage Usage Scenario
After sub-interfaces are configured, users in different VLANs and network segments can communicate with each other as long as routes are reachable.
l Both Layer 2 and Layer 3 devices are required, which increases expenditure. l If multiple users on a network belong to different VLANs, each VLAN requires a sub-interface on a Layer 3 device. Each sub-interface needs to be assigned an IP address. This increases configuration workload and uses up a large number of IP addresses. If multiple users on a network belong to different VLANs, each VLAN requires a VLANIF interface. Each VLANIF interface needs to be assigned an IP address. This increases configuration workload and uses a lot of IP addresses.
This scheme is applicable to smallscale networks on which users belong to different network segments. If Layer 3 forwarding of packets is mainly required, use subinterfaces.
VLANIF interface
After VLANIF interfaces are configured, users in different VLANs and network segments can communicate with each other as long as routes are reachable. Inter-VLAN communication can also be implemented by Layer 3 switches if routes are reachable. This scheme boasts of low operating costs.
This scheme is applicable to smallscale networks on which users belong to different network segments and IP addresses of these users are seldom changed. If a large number of VLANs are configured and both Layer 2 and Layer 3 forwarding of packets are required, use VLANIF interfaces. This scheme is applicable to smallscale and topologystable networks.
VLAN Switch
The system forwards frames without searching the MAC address table, improving forwarding efficiency and network security.
If there are a large number of users connected to a switch, each user needs to be configured with a static forwarding path. This imposes a configuration burden on network administrators.
Issue 01 (2011-10-26)
102
Before configuring inter-VLAN communication, complete the following task: l Creating VLANs
Data Preparation
To configure inter-VLAN communication, you need the following data. No. 1 2 3 Data Number of each Ethernet sub-interface, IP address and mask of the sub-interface, and VLAN ID associated with the sub-interface VLAN ID, VLANIF interface number, IP address and mask of the VLANIF interface (Optional) Port type, VLAN ID before mapping, VLAN ID after mapping, outer VLAN ID to be added, source port number, and destination port number
3.5.2 Configuring VLANIF Interfaces for Inter-VLAN Communication

Configuring VLANIF interfaces for inter-VLAN communication saves expenditure and helps implement fast forwarding.
Context
VLAIF interfaces are Layer 3 logical interfaces. After being assigned IP addresses, VLANIF interfaces are able to communicate at the network layer. By using VLANIF interfaces to implement inter-VLAN communication, you need to configure a VLANIF interface for each VLAN and assign an IP address to each VLANIF interface. The communication process by using VLANIF interfaces is similar to that by using sub-interfaces.
Issue 01 (2011-10-26)
103
Figure 3-5 Networking diagram for configuring VLANIF interfaces for inter-VLAN communication
Switch
VLANIF2
VLANIF3
VLAN2
VLAN3
NOTE
The default gateway address of each PC in a VLAN must be the IP address of the corresponding VLANIF interface. Otherwise, inter-VLAN communication will fail.
Procedure
Step 1 Run:
system-view

A VLANIF interface is created and the VLAIF interface view is displayed. The VLAN ID specified in this command must be the ID of an existing VLAN.
NOTE
A VLANIF interface is Up only when at least one physical port added to the corresponding VLAN is Up.
Step 3 Run:
An IP address is assigned to the VLANIF interface. VLANIF interfaces must belong to different network segments. ----End
3.5.3 Configuring Sub-interface for Inter-VLAN Communication

Context
Do as follows on the S9300 where hosts of different VLANs need to communicate.
Procedure
Step 1 Run:
system-view

interface { ethernet | gigabitethernet number.subinterface-number | xgigabitethernet | eth-trunk } interface-
The sub-interface view is displayed. A sub-interface can be created on an Ethernet interface, a GE interface, a XGE interface, or an Eth-Trunk interface. Step 3 Run:
The IP address of the sub-interface is set. Step 4 Run:

control-vid vid dot1q-termination rt-protocol
The control VLAN ID and encapsulation mode of the sub-interface are set. Step 5 Run:
dot1q termination vid vid
The VLANs whose packets are allowed to pass through the dot1q sub-interface are specified. When a sub-interface is used for Layer 3 forwarding, you cannot specify multiple VLANs in the command. Step 6 Run:
arp broadcast enable
The ARP broadcast function is enabled on the sub-interface. When you enable or disable the ARP broadcast function on a sub-interface, the routing status of the sub-interface becomes Down and then Up. This may result in flapping of routes on the entire network, affecting the normal operation of services. ----End
3.5.4 Configuring VLAN Switch for Inter-VLAN Communication

Switches enabled with VLAN Switch for inter-VLAN communication do not search the MAC address table. This improves forwarding efficiency and network security, and prevents broadcast storms and attacks by using MAC addresses.
Context
VLAN Switch is a forwarding technique based on VLAN tags. VLAN Switch requires a preconfigured static forwarding path along switches on the network. After receiving VLAN-tagged frames that meet forwarding requirements, a switch forwards the frames to corresponding ports based on the VLAN switching table without searching the MAC address table. This improves forwarding efficiency and network security, and prevents broadcast storms and attacks by using MAC address. The S9300 supports the following VLAN Switch functions: l l VLAN Switch switch-vlan, which replaces the outer VLAN tag. It is similar to VLAN mapping and helps implement inter-VLAN communication. VLAN Switch stack-vlan, which adds a VLAN tag to single-tagged frames. Similar to VLAN stacking, it is a technique for adding outer VLAN tags to frames carrying different inner VLAN tags.
This section describes the VLAN Switch switch-vlan function. For detailed configuration about the VLAN Switch stack-vlan function, see 5.4.4 Configuring Selective QinQ.
Procedure
Step 1 Run:
system-view

vlan-switch vlan-switch-name interface interface-type1 interface-number1 vlan vlanid1 [ inner-vlan vlan-id2 [ to vlan-id3 ] ] interface interface-type2 interfacenumber2 [ switch-vlan vlan-id4 ]
VLAN Switch switch-vlan is configured to replace the outer VLAN tag. Currently, the S9300 can be configured with a maximum of 4096 VLAN Switch tables. The system will display an error message if you attempt to configure more VLAN Switch tables.
NOTE
l Ports specified for VLAN Switch must meet the following requirement: The source and destination ports specified in the vlan-switch command must be hybrid or trunk ports, but not access ports or Eth-Trunk member ports. l VLAN IDs specified for VLAN switch must meet the following requirements: l Any VLAN ID specified in the vlan-switch command cannot be a global VLAN ID. If a VLAN ID has been applied in VLAN Switch, the VLAN cannot be created in the system view. l If a specified VLAN ID has been applied in QinQ, this VLAN ID cannot be applied in VLAN Switch. l If the outer VLAN ID of a double-tagged frame has been applied in the port vlan-stacking or port vlan-mapping command or a control VLAN, this VLAN ID cannot be applied in VLAN Switch. l Currently, you can specify double tags before VLAN switching only on the E-series and F-series boards.
----End

After inter-VLAN communication is configured, you can check whether users in different VLANs can communicate with each other and check information about VLANs to which users belong.
Prerequisite
The configurations of inter-VLAN communication are complete.
Procedure
l Run the ping [ ip ] [ -a source-ip-address | -c count | -d | -f | -h ttl-value | -i interfacetype interface-number | -m time | -n | -p pattern | -q | -r | -s packetsize | -system-time | -t timeout | -tos tos-value | -v | -vpn-instance vpn-instance-name ] * host command to check whether users in different VLANs can communicate with each other. If the ping fails, you can run the following commands to locate the fault: Run the display vlan [ vlan-id [ verbose ] ] command to check information about all VLANs or a specified VLAN. Run the display interface vlanif [ vlan-id ] command to check information about VLANIF interfaces. Before running this command, ensure that VLANIF interfaces have been configured. Run the display vlan-switch [ vlan-switch-name | interface interface-type interfacenumber ] command to check the configuration of VLAN Switch. Before running this command, ensure that VLAN Switch has been configured. ----End
3.6 Configuring VLAN Aggregation to Save IP Addresses

VLAN aggregation prevents the waste of IP addresses and implements inter-VLAN communication.

Before configuring VLAN aggregation, familiarize yourself with the applicable environment, complete the pre-configuration tasks, and obtain the data required for the configuration. This will help you complete the configuration task quickly and accurately.
As networks expand, address resources become insufficient. VLAN aggregation is developed to save IP addresses. In VLAN aggregation, one super-VLAN is associated with multiple sub-VLANs. Physical ports cannot join a super-VLAN but a VLANIF interface can be created for the super-VLAN and an IP address can be assigned to the VLANIF interface. Physical ports can join a sub-VLAN but no VLANIF interface can be created for the sub-VLAN. All the ports in the sub-VLAN use the same IP address with the VLANIF interface of the super-VLAN. This saves subnet IDs, default gateway addresses of the subnets, and directed broadcast addresses of the subnets. In addition, different broadcast domains can use the addresses in the same subnet segment. As a result, subnet differences are eliminated, addressing becomes flexible, and the number of idle addresses is reduced. VLAN aggregation allows each sub-VLAN to function as a broadcast domain and reduces the waste of IP addresses to be assigned to ordinary VLANs. Figure 3-6 shows the typical VLAN aggregation networking.
Figure 3-6 Typical networking diagram for VLAN aggregation
PE
Super VLAN4
CE1
CE2
Sub-VLAN 2
Sub-VLAN 3
Before configuring VLAN aggregation, complete the following task: l Connecting ports and configuring physical parameters of the ports, ensuring that the ports are physically Up
Data Preparation
To configure VLAN aggregation, you need the following data. No. 1 2 3 Data ID of each sub-VLAN and number of each port belonging to the sub-VLAN ID of a super-VLAN IP address and mask of a VLANIF interface
3.6.2 Creating a Sub-VLAN

Each sub-VLAN functions as a broadcast domain.
Procedure
Step 1 Run:
system-view
Issue 01 (2011-10-26)
108


port link-type access
The link type of the interface is set to access. Step 4 Run:

quit

vlan vlan-id
A sub-VLAN is created and the sub-VLAN view is displayed. Step 6 Run:

port interface-type { interface-number1 [ to interface-number2 ] } &<1-10>
A port is added to the sub-VLAN. ----End
3.6.3 Creating a Super-VLAN

A super-VLAN consists of several sub-VLANs. No physical port can be added to a super-VLAN, but a VLANIF interface can be configured for the super-VLAN and an IP address can be assigned to the VLANIF interface.
Context
NOTE
Before configuring a super-VLAN, ensure that sub-VLANs have been configured.
Procedure
Step 1 Run:
system-view

vlan vlan-id
A VLAN is created, and the VLAN view is displayed. The VLAN ID of a super-VLAN must be different from every sub-VLAN ID. Step 3 Run:
aggregate-vlan
A super-VLAN is created. A super-VLAN cannot contain any physical interfaces.

VLAN 1 cannot be configured as a super-VLAN. Step 4 Run:

access-vlan { vlan-id1 [ to vlan-id2 ] } &<1-10>
A sub-VLAN is added to a super-VLAN. Before adding sub-VLANs to a super-VLAN in batches, ensure that these sub-VLANs are not configured with VLANIF interfaces. The S9300 supports 256 sub-VLANs in a super-VLAN. ----End
3.6.4 Assigning an IP Address to the VLANIF Interface of a SuperVLAN

The IP address of the VLANIF interface of a super-VLAN must contain the subnet segments where users in sub-VLANs reside. All the sub-VLANs use the IP address of the VLANIF interface of the super-VLAN, thus saving IP addresses.
Procedure
Step 1 Run:
system-view

A VLANIF interface is created for a super-VLAN, and the view of the VLANIF interface is displayed. Step 3 Run:
An IP address is assigned to the VLANIF interface. ----End
3.6.5 (Optional) Enabling Proxy ARP on the VLANIF Interface of a Super-VLAN

PCs in different sub-VLANs cannot directly communicate with each other in Layer2 network. To allow these PCs to communicate with each other at Layer 3, enable proxy ARP on the VLANIF interface of the super-VLAN.
Context
VLAN aggregation allows sub-VLANs to use the same subnet address, but prevents PCs in different sub-VLANs from communicating with each other at the network layer. PCs in ordinary VLANs can communicate with each other at the network layer by using different gateway addresses. In VLAN aggregation, PCs in a super-VLAN use the same subnet address and gateway address. As PCs in different sub-VLANs belong to one subnet, they communicate
with each other only at Layer 2, not Layer 3. These PCs are isolated from each other at Layer 2. Consequently, PCs in different sub-VLANs cannot communicate with each other. Proxy ARP is required to enable PCs in a sub-VLAN to communicate with PCs in another subVLAN or PCs on other networks. After a super-VLAN and its VLANIF interface are created, proxy ARP must be enabled to allow the super-VLAN to forward or process ARP request and reply packets. Proxy ARP helps PCs in sub-VLANs communicate with each other at the network layer.
NOTE
An IP address must have been assigned to the VLANIF interface corresponding to the super-VLAN. Otherwise, proxy ARP cannot take effect.
VLAN aggregation simplifies configurations for the network where many VLANs are configured and PCs in different VLANs need to communicate with each other.
Procedure
Step 1 Run:
system-view

The view of the VLANIF interface of the super-VLAN is displayed. Step 3 Run:
arp-proxy inter-sub-vlan-proxy enable
Inter-sub-VLAN proxy ARP is enabled. ----End

After VLAN aggregation is configured, you can view VLAN types and information about VLANIF interfaces, such as the physical status, link protocol status, IP address, and mask.
Prerequisite
The VLAN aggregation configurations are complete.
Procedure
l l Run the display vlan [ vlan-id [ verbose ] ] command to check VLAN information. Run the display interface vlanif [ vlan-id ] command to check information about a specific VLANIF interface.
----End
3.7 Configuring a MUX VLAN to Separate Layer 2 Traffic

Configuring a MUX VLAN allows users in different VLANs to communicate with each other, and separates users in a certain VLAN.

Before configuring a MUX VLAN, familiarize yourself with the applicable environment, complete the pre-configuration tasks, and obtain the data required for the configuration. This will help you complete the configuration task quickly and accurately.
In an enterprise network, all employees of the enterprise can access the enterprise's server. It is required that some employees be able to communicate with each other, whereas some employees not communicate with each other. Configuring a MUX VLAN on the switch connected to PCs helps to save VLAN ID resources, reduce the configuration workload of the network administrator, and facilitate network maintenance. Figure 3-7 Networking diagram for a MUX VLAN
Switch Principal PORT Group PORT Separate PORT Enterprise server
Enterprise employee1
Enterprise employee2
In the MUX VLAN shown in Figure 3-7, the principal port connects the switch to the enterprise's server; separate ports connect the switch to employees that do not communicate with each other; group ports connect the switch to employees that need to communicate with each other. A MUX VLAN consists of VLANs in different types listed in Table 3-7. Table 3-7 Components of a MUX VLAN MUX VLAN Principal VLAN VLAN Type Port Type Principal port Communication Rights A principal port can communicate with every port in the MUX VLAN.
Issue 01 (2011-10-26)
112
MUX VLAN Subordinate VLAN
VLAN Type Separate VLAN
Port Type Separate port
Communication Rights A separate port can only communicate with principal ports. Each separate VLAN must be associated with a principal VLAN.
Group VLAN
Group port
A group port can communicate with both principal ports and other group ports in the same group VLAN but cannot communicate with group ports in other group VLANs or separate ports. Each group VLAN must be associated with a principal VLAN.
Before configuring a MUX VLAN, complete the following task: l Creating VLANs
Data Preparation
To configure a MUX VLAN, you need the following data. No. 1 2 3 Data ID of each principal VLAN and number of each port belonging to the principal VLAN ID of each group VLAN and number of each port belonging to the group VLAN ID of each separate VLAN and number of each port belonging to the separate VLAN
3.7.2 Configuring a Principal VLAN for a MUX VLAN

Ports added to a principal VLAN can communicate with every port in the MUX VLAN.
Procedure
Step 1 Run:
system-view

vlan vlan-id
A VLAN is created, and the VLAN view is displayed. If the specified VLAN has been created, the VLAN view is directly displayed.
The VLAN ID ranges from 1 to 4094. If VLANs need to be created in batches, run the vlan batch { vlan-id1 [ to vlan-id2 ] } &<1-10> command to create VLANs in batches, and then run the vlan vlan-id command to enter the view of a specified VLAN. Step 3 Run:
mux-vlan
The VLAN is configured as a principal VLAN. The VLAN ID assigned to a principal VLAN can no longer be used to configure any VLANIF interface, super-VLAN, or sub-VLAN. ----End
3.7.3 Configuring a Group VLAN for a Subordinate VLAN

A VLAN associated with a group port is called a group VLAN. Group ports in a group VLAN can communicate with each other.
Context
In a MUX VLAN, group VLANs cannot share the same VLAN ID with a separate VLAN. Do as follows on a switching device that requires a group VLAN:
Procedure
Step 1 Run:
system-view

vlan vlan-id
The view of a created principal VLAN is displayed. Step 3 Run:

subordinate group vlan-id1 [ to vlan-id2 ]
A group VLAN is configured for the subordinate VLAN. In this command, vlan-id1 and vlan-id2 specify a range of VLAN IDs. The value is an integer ranging from 1 to 4094. The value of vlan-id2 must be greater than the value of vlan-id1. The VLAN ID assigned to a group VLAN can be assigned to no other VLANIF interface, superVLAN, or sub-VLAN. ----End
3.7.4 Configuring a Separate VLAN for a Subordinate VLAN

A VLAN associated with separate ports is called a separate VLAN. Ports in a separate VLAN cannot communicate with each other.
Context
Group VLANs and separate VLANs in one MUX VLAN cannot use the same VLAN ID.
Do as follows on a switching device that requires a separate VLAN:
Procedure
Step 1 Run:
system-view

vlan vlan-id
The view of a created principal VLAN is displayed. Step 3 Run:

subordinate separate vlan-id
A separate VLAN is configured for a subordinate VLAN. Group VLANs and separate VLANs in one MUX VLAN cannot use the same VLAN ID. ----End
3.7.5 Enabling the MUX VLAN Function on a Port

After the MUX VLAN function is enabled on a port, the principal VLAN and subordinate VLAN can communicate with each other; ports in a group VLAN can communicate with each other; ports in a separate VLAN cannot communicate with each other.
Context
Before the MUX VLAN function is enabled on a port, ensure that: l l The port has been added to only one ordinary VLAN. If the port has been added to multiple VLANs, the MUX VLAN function cannot be enabled on this port. The port has been added to a principal or subordinate VLAN.
Do as follows on the switching device on which a port needs to be enabled with the MUX VLAN function:
Procedure
Step 1 Run:
system-view

The view of an Ethernet port connecting users is displayed. Step 3 Run:

port mux-vlan enable
The MUX VLAN function is enabled. The interface has been added only to a principal VLAN or a subordinate VLAN.
After being enabled with the MUX VLAN function, the port can no longer be configured with VLAN mapping or VLAN stacking.
NOTE
l Disabling MAC address learning or limiting the number of learned MAC addresses on an interface affects the MUX VLAN function on the interface. l The MUX VLAN and port security functions cannot be enabled on the same interface. l The MUX VLAN and MAC address authentication cannot be enabled on the same interface. l The MUX VLAN and 802.1x authentication cannot be enabled on the same interface.
----End

After a MUX VLAN is configured, you can check the principal VLAN ID, subordinate VLAN ID, and VLAN type.
Prerequisite
The configurations of a MUX VLAN are complete.
Procedure
Step 1 Run the display mux-vlan command to check information about the MUX VLAN. ----End
3.8 Configuring a Voice VLAN to Transmit Voice Data

A voice VLAN is used to transmit voice data.

Before configuring a voice VLAN, familiarize yourself with the applicable environment, complete the pre-configuration tasks, and obtain the data required for the configuration. This will help you complete the configuration task quickly and accurately.
Voice and non-voice data are transmitted on networks. Voice data is configured with a higher priority than non-voice data to reduce the probability of the transmission delay and packet loss. In most cases, an Access Control List (ACL) is configured to distinguish voice data from nonvoice data, and the Quality of Service (QoS) is used to ensure the transmission quality of voice data. Voice over IP (VoIP) phones are commonly used. If an ACL is configured to distinguish voice data from non-voice data, and QoS is used to ensure the transmission quality of voice data, each terminal needs to be configured with an ACL rule. This increases the network administrator's workload and burdens maintenance. The voice VLAN technique is introduced to solve the preceding problem. After being enabled with the voice VLAN function, a device determines voice data based on source MAC addresses of received frames, adds ports that receive voice data to a voice VLAN,
and automatically applies priority rules to ensure high priorities and good qualities of voice data. This simplifies user configuration and facilitates management on voice data. On the network shown in Figure 3-8, a user's High Speed Internet (HSI), VoIP, and Internet Protocol Television (IPTV) services are connected to a switch. A voice VLAN can be configured on the switch to implement QoS for voice data, prioritize voice data, and ensure the communication quality. Figure 3-8 Networking diagram for configuring a voice VLAN
Server Network Voice VLAN VLAN 10
Switch
LAN Switch1
LAN Switch2
HSI
VoIP
IPTV
HSI
VoIP
IPTV
Voice flow
Before configuring a voice VLAN, complete the following task: l Creating VLANs
Data Preparation
To configure a voice VLAN, you need the following data. No. 1 2 3
Issue 01 (2011-10-26)
Data Type and number of the port enabled with the voice VLAN function, voice VLAN ID The Organizationally Unique Identifier (OUI) address and mask of the voice VLAN (Optional) Aging timer value of the voice VLAN
No. 4 5 6
Data (Optional) 802.1p priority and DSCP value for the voice VLAN (Optional) Mode in which the port is added to the voice VLAN (Optional) Security mode of the voice VLAN
3.8.2 Enabling the Voice VLAN Function

After being enabled with the voice VLAN function, a device is able to identify voice data based on source MAC addresses of received frames.
Procedure
Step 1 Run:
system-view

The view of a port connecting the device to users' voice devices is displayed. Step 3 Run:
voice-vlan vlan-id enable
A voice VLAN is configured and the voice VLAN function is enabled on the port. By default, the voice VLAN function is disabled on ports.
NOTE
l VLAN 1 cannot be configured as a voice VLAN. l The voice VLAN and default VLAN on a port must be assigned different VLAN IDs to ensure that every function works properly. l Only one VLAN on a port can be configured as a voice VLAN at a time. l If the voice VLAN configured on an interface works in automatic mode, you need to run the port linktype command to set the interface type to trunk, or hybrid. l Before deleting a voice VLAN, run the undo voice-vlan enable command to disable the voice VLAN function. l The port enabled with the voice VLAN function cannot be configured with VLAN mapping, VLAN stacking, or traffic policies.
----End
3.8.3 Configuring an OUI for a Voice VLAN

A voice VLAN-enabled port checks source MAC addresses of received frames. If the source MAC addresses match OUIs, the frames are considered voice data.
Context
An OUI is a globally-unique identifier assigned by the Institute of Electrical and Electronics Engineers (IEEE) to a specific equipment vendor. An OUI represents the first 24 bits of a binary MAC address. An OUI represents a MAC address segment that is obtained by performing the AND operation between a 48-bit MAC address and a mask. For example, the MAC address is 1-1-1, and the mask is FFFF-FF00-0000. The AND operation is performed between the MAC address and the mask to obtain the OUI 0001-0000-0000. If the first 24 bits of the MAC address of a device are the same as an OUI, a voice VLAN-enabled port considers the device as a voice device and data from the device as voice data.
Procedure
Step 1 Run:
system-view

voice-vlan mac-address mac-address mask oui-mask [ description text ]
An OUI is configured. l The mac-address value cannot be all 0s or a multicast or broadcast address. l A device can be configured with a maximum of 16 OUIs. When the device is configured with 16 OUIs, subsequent configurations will not take effect. l When using the undo voice-vlan mac-address command to delete an OUI, specify the macaddress value in this command as the result of the AND operation by using the configured MAC address and mask.
NOTE
When the source MAC address of a packet matches the OUI, the S9300 changes the priority of the packet basing on the configuration of 3.8.5 (Optional) Configuring an 802.1p Priority and a DSCP Value for the Voice VLAN to improve the transmission quality.
----End
3.8.4 (Optional) Setting an Aging Timer for a Voice VLAN

In automatic mode, a voice VLAN-enabled port learns source MAC addresses of frames from voice devices, adds ports connecting the device to voice devices to a voice VLAN, and uses the voice VLAN aging timer to control the number of ports in the voice VLAN.
Context
The aging timer of a voice VLAN is effective only when ports are automatically added to the voice VLAN. If a voice VLAN-enabled port does not receive voice data from a voice device before the aging timer expires, the port will be automatically deleted from the voice VLAN. If the port receives voice data from the voice device again, the port will be automatically added to the voice VLAN and the aging timer will be reset.
Procedure
Step 1 Run:
system-view

voice-vlan aging-time minutes
The aging timer is set for a voice VLAN. The aging timer value ranges from 5 to 43200, in minutes. The default value is 1440 minutes. ----End
3.8.5 (Optional) Configuring an 802.1p Priority and a DSCP Value for the Voice VLAN
Different 802.1p priorities and DiffServ Code Point (DSCP) values can be configured for different voice VLANs, which makes voice service deployment more flexible.
Context
By default, the 802.1p priority and DSCP value for each voice VLAN are 6 and 46 respectively. Manual configuration of the 802.1p priority and DSCP value will allow you to plan priorities for different voice services at will.
NOTE
l The 802.1p priority is indicated by the value in the 3-bit PRI field in each 802.1Q VLAN frame. This field determines the transmission priority for data packets when a switching device is congested. l The DSCP value is indicated by the 6 bits in the Type of Service (ToS) field in the IPv4 packet header. DSCP, as the signaling for DiffServ, is used for QoS guarantee on IP networks. The traffic controller on the network gateway takes actions merely based on the information carried by the 6 bits.
Procedure
Step 1 Run:
system-view

voice-vlan remark { 8021p 8021p-value | dscp dscp-value }
*
An 802.1p priority and a DSCP value are configured for a voice VLAN. By default, the 802.1p priority and DSCP value for a voice VLAN are 6 and 46 respectively. ----End
3.8.6 (Optional) Configuring the Mode in Which Ports Are Added to a Voice VLAN
On a switching device, only one VLAN on a port can be configured as a voice VLAN. Ports can be added to the voice VLAN in either automatic or manual mode.
Context
Ports can be added to a voice VLAN in either of the following modes: l Automatic mode A voice VLAN-enabled port learns source MAC addresses of frames from voice devices, adds ports connecting the device to voice devices to a voice VLAN, and uses the voice VLAN aging timer to control the number of ports in the voice VLAN. If a voice VLANenabled port does not receive voice data from a voice device before the aging timer expires, the port will be automatically deleted from the voice VLAN. If the port receives voice data from the voice device again, the port will be automatically added to the voice VLAN. l Manual mode After the voice VLAN function is enabled, ports connected to voice devices must be manually added to a voice VLAN. Otherwise, the voice VLAN function does not take effect.
Procedure
Step 1 Run:
system-view

voice-vlan mode { auto | manual }
The mode in which ports are added to a voice VLAN is configured. By default, ports are automatically added to a voice VLAN. l If the auto parameter is configured, ports will be automatically added to a voice VLAN. l If the manual parameter is configured, ports will be manually added to a voice VLAN. If trunk ports are connected to voice devices, run the port trunk allow-pass vlan { { vlan-id1 [ to vlan-id2 ] } &<1-10> | all } command to manually add these ports to a voice VLAN. If hybrid ports are connected to voice devices, do as follows as required: Run the port hybrid untagged vlan { { vlan-id1 [ to vlan-id2 ] } &<1-10> | all } command to manually add these ports to a voice VLAN in untagged mode. Run the port hybrid tagged vlan { { vlan-id1 [ to vlan-id2 ] } &<1-10> | all } command to manually add these ports to a voice VLAN in tagged mode.
NOTE
In Access ports cannot be automatically added to a voice VLAN. To add a port of the access type to the voice VLAN, run the port link-type command to change the port type to trunk or hybrid.
----End
Issue 01 (2011-10-26)
121
3.8.7 (Optional) Configuring the Working Mode for a Voice VLAN

A voice VLAN works in either security or ordinary mode to transmit merely voice data or both voice and non-voice data.
Context
Based on the data filtering mechanism, a voice VLAN works in either security or ordinary mode: l Security mode A voice VLAN-enabled inbound port transmits only frames of which the source MAC addresses match OUIs configured on the device, discards the voice data not belong to the current voice VLAN and the other data can be forwarded normally. The security mode prevents a voice VLAN from being attacked by malicious data flows, but consumes system resources to check frames. l Ordinary mode A voice VLAN-enabled inbound port transmits both voice and non-voice data. The port does not compare source MAC addresses in received frames with configured OUIs, exposing a voice VLAN to malicious attacks.
NOTE
Transmitting voice and service data at the same time in a voice VLAN is not recommended. If a voice VLAN must transmit both voice and service data, ensure that the voice VLAN works in ordinary mode.
Table 3-8 shows how to process frames in different voice VLAN working modes. Table 3-8 Frame processing in different voice VLAN working modes Voice VLAN Working Mode Security mode Frame Processing Mode If the source MAC address of a frame and the OUI do not match, the priority of the frame is not changed and the frame is prohibited from forwarding in the voice VLAN. If the source MAC address of a frame and the OUI do not match, the priority of the frame is not changed and the frame is allowed to be forwarded in the voice VLAN.
Ordinary mode
Procedure
l Security mode 1. 2. 3. Run the system-view command to enter the system view. Run the interface interface-type interface-number command to enter the view of a port connecting the device to users' voice devices. Run the voice-vlan security enable command to configure the voice VLAN work in security mode. By default, a voice VLAN works in security mode. l
Issue 01 (2011-10-26)
Ordinary mode
1. 2. 3.
Run the system-view command to enter the system view. Run the interface interface-type interface-number command to enter the view of a port connecting the device to users' voice devices. Run the undo voice-vlan security enable command to configure the voice VLAN work in ordinary mode. By default, a voice VLAN works in security mode.
----End
3.8.8 (Optional) Configuring a Port to Communicate with a Voice Device of Another Vendor
The voice VLAN legacy function can be configured to allow Huawei datacom devices to identify packets of proprietary protocols of other vendors.
Context
After VoIP devices of some vendors are powered on, proprietary protocol packets but not DHCP packets are sent to apply for IP addresses. To help Huawei datacom devices communicate with voice devices of other vendors, you can enable the voice VLAN legacy function. This allows Huawei devices to identify packets of proprietary protocols of other vendors.
Procedure
Step 1 Run:
system-view

voice-vlan legacy enable
The port is configured to communicate with a voice device of another vendor. By default, ports on Huawei devices cannot communicate with voice devices of other vendors. ----End

After a voice VLAN is configured, you can view information about the voice VLAN, including the OUI, working mode, security mode or ordinary mode, aging timer value, the 802.1p priority and DSCP value as well as the configuration of the port enabled with the voice VLAN function.
Prerequisite
The configurations of a voice VLAN are complete.
Procedure
l Run the display voice-vlan [ vlan-id ] status command to check information about the voice VLAN, including the working mode, security mode, aging timer value and the 802.1p priority and DSCP value as well as the configuration of the port enabled with the voice VLAN function. Run the display voice-vlan oui command to check information about the OUI of the voice VLAN, including the mask and description of the OUI.
----End
3.9 Configuring an mVLAN to Implement Integrated Management

Configuring an mVLAN allows users to use the IP address of the VLANIF interface corresponding to the mVLAN to log in to a management switch to manage devices attached to the switch.

Before configuring an mVLAN to implement integrated management, familiarize yourself with the applicable environment, complete the pre-configuration tasks, and obtain the data required for the configuration. This will help you complete the configuration task quickly and accurately.
An mVLAN can be configured to help a user use an NMS to manage indirectly-connected devices. After an mVLAN is configured, a user can use the IP address of the VLANIF interface corresponding to the mVLAN to telnet to a management switch and manage devices attached to the switch.
Before configuring an mVLAN, complete the following task: l Creating a VLAN
Data Preparation
To configure an mVLAN, you need the following data. No. 1 Data VLAN ID
3.9.2 Configuring an mVLAN

An mVLAN allows a user to use the IP address of the VLANIF interface corresponding to the mVLAN to telnet to a management switch to manage devices attached to the switch.
Do as follows on the device that requires an mVLAN:
Procedure
Step 1 Run:
system-view

vlan vlan-id
The VLAN view is displayed. Step 3 Run:

management-vlan
An mVLAN is configured. Only a trunk or hybrid port can be added to an mVLAN. After the undo management-vlan command is used for an mVLAN, the mVLAN becomes an ordinary VLAN, to which access, trunk, or hybrid ports can be added. ----End
3.9.3 Configuring a VLANIF Interface for an mVLAN

You need to use the IP address of the VLANIF interface corresponding to an mVLAN to telnet to a management switch to manage attached devices. Do as follows on the device that requires an mVLAN:
Procedure
Step 1 Run:
system-view

A VLANIF interface is created and the VLAIF interface view is displayed. The ID of the VLANIF interface must be the ID of a configured mVLAN. Step 3 Run:
After assigning an IP address to the VLANIF interface, you can run the telnet command to log in to a management switch to manage attached devices. ----End

After an mVLAN is configured, you can check information about the mVLAN.
Prerequisite
The configurations of an mVLAN are complete.
Procedure
l Run the display vlan command to check information about the mVLAN. The command output shows information about the mVLAN in the line started with an asterisk sign (*).
----End
3.10 Configuring VLAN Transparent Transport

VLAN transparent transport improves forwarding efficiency. A switch directly forwards packets of a specific VLAN without sending the packets to its CPU.

A VLAN enabled with transparent transport cannot be configured as a multicast or control VLAN.
A company has multiple subsidiary companies. When the parent company attempts to communicate with a subsidiary company, data is processed by a core switch before being sent to the parent company or subsidiary company. If multiple subsidiary companies communicate with the parent company at the same time, processing capabilities of the core switch deteriorate. The communication efficiency is adversely affected and communication expenditure increases. VLAN transparent transport can be configured on the core switch to prevent this problem. On the network shown in Figure 3-9, switch B is enabled with VLAN transparent transmission. After that, switch B directly forwards data from the specified VLAN instead of sending the data to its CPU. This improves processing capabilities of the switch, reduces communication expenditure, and minimizes the probability of malicious attacks on the switch.
Issue 01 (2011-10-26)
126
Figure 3-9 Networking diagram for configuring VLAN transparent transport
Marketing Department VLAN10 Finance Department VLAN50 Technology Department VLAN20
Parent Company
SwitchA Finance Department VLAN50
SwitchB Finance Department VLAN50 Subsidiary Company1
Subsidiary Company2
Subsidiary Company3
Marketing Marketing Technology Marketing Technology Department VLAN10 Technology Department Department Department Department VLAN20 Department VLAN10 VLAN20 VLAN10 VLAN20
Before configuring VLAN transparent transport, complete the following task: l 3.3 Dividing a LAN into VLANs
Data Preparation
To configure VLAN transparent transport, you need the following data. No. 1 Data VLAN ID and number of each port added to the VLAN
3.10.2 Enabling VLAN Transparent Transport

After VLAN transparent transport is enabled, the device directly forwards data from the specified VLAN without processing the data.
Procedure
Step 1 Run:
system-view

vlan vlan-id

protocol-transparent
VLAN transparent transport is enabled. By default, VLAN transparent transport is disabled. ----End

After configuring VLAN transparent transport, run the display this command in the VLAN view to verify that VLAN transparent transport has taken effect.
Prerequisite
The VLAN transparent transport configurations are complete.
Procedure
l Run the display this command in the VLAN view to check the configuration for VLAN transparent transport.
----End
3.11 Maintaining VLAN

A command of clearing statistics helps to locate the faults in a VLAN.
3.11.1 Clearing the Statistics of VLAN Packets

Before collecting traffic statistics in a specified time period on an interface, you need to reset the original statistics on the interface.
Context
CAUTION
Statistics about VLAN packets cannot be restored after you clear it. So, confirm the action before you use the command.
Issue 01 (2011-10-26)
128
To clear the Statistics of VLAN Packets, run the following reset command in the user view:
Procedure
l Run the reset vlan vlan-id statistics [ slot slot-id ] command to clear packets of a specified VLAN statistics.
----End

This section provides several examples of VLAN configuration.
3.12.1 Example for Configuring Interface-based VLANs

It is easy to divide a LAN into VLANs based on ports. After ports are added to different VLANs, users in the same VLAN can directly communicate with each other, whereas users in different VLANs cannot directly communicate with each other.
An enterprise has multiple departments. It is required that departments in charge of the same service can communicate with each other, and departments in charge of different services cannot communicate with each other. As shown in Figure 3-10, the requirements are as follows: l l l Department 1 and Department 2 are isolated from Department 3 and Department 4. Department 1 and Department 2 can communicate with each other. Department 3 and Department 4 can communicate with each other.
Figure 3-10 Networking diagram for configuring interface-based VLANs
Network GE1/0/1 GE1/0/2 Switch GE1/0/4 GE1/0/3
Group Department 1 Department 2 Department 32 Department 4 VLAN 3 VLAN 2 VLAN 3

The configuration roadmap is as follows: 1. 2. 3. Create VLANs and determine mappings between employees and VLANs. Configure port types to determine the device connected to each port. Add the ports connected to department 1 and department 2 to VLAN 2 and the ports connected to department 3 and department 4 to VLAN 3 to prevent employees in department 1 or department 2 from communicating with employees in department 3 or department 4.
Data Preparation
To complete the configuration, you need the following data: l l GE 1/0/1 and GE 1/0/2 belong to VLAN 2. GE 1/0/3 and GE 1/0/4 belong to VLAN 3.
Procedure
Step 1 Configure the Switch. # Create VLAN 2.
<Quidway> system-view [Quidway] vlan 2 [Quidway-vlan2] quit
# Set the link type of GE 1/0/1 to trunk and add GE 1/0/1 to VLAN 2.
[Quidway] interface gigabitethernet 1/0/1 [Quidway-GigabitEthernet1/0/1] port link-type trunk [Quidway-GigabitEthernet1/0/1] port trunk allow-pass vlan 2 [Quidway-GigabitEthernet1/0/1] quit
[Quidway]interface gigabitethernet 1/0/2 [Quidway-GigabitEthernet1/0/2] port link-type trunk [Quidway-GigabitEthernet1/0/2] port trunk allow-pass vlan 2 [Quidway-GigabitEthernet1/0/2] quit
# Create VLAN 3.
[Quidway] vlan 3 [Quidway-vlan3] quit
Issue 01 (2011-10-26)
130
Step 2 Verify the configuration. Ping any host in VLAN 3 from a host in VLAN 2. The ping operation fails. This indicates that Department 1 and Department 2 are isolated from Department 3 and Department 4. Ping any host in Department 2 from a host in Department 1. The ping operation is successful. This indicates that Department 1 and Department 2 can communicate with each other. Ping any host in Department 4 from a host in Department 3. The ping operation is successful. This indicates that Department 3 and Department 4 can communicate with each other. ----End
Configuration Files
The following lists the configuration file of the Switch.
# sysname Quidway # vlan batch 2 to 3 # interface GigabitEthernet1/0/1 port link-type trunk port trunk allow-pass vlan 2 # interface GigabitEthernet1/0/2 port link-type trunk port trunk allow-pass vlan 2 # interface GigabitEthernet1/0/3 port link-type trunk port trunk allow-pass vlan 3 # interface GigabitEthernet1/0/4 port link-type trunk port trunk allow-pass vlan 3 # return
3.12.2 Example for Configuring MAC Address-based VLAN Assignment

MAC address-based VLAN assignment is applicable only to simple networks where network adapters are not changed frequently.
On the intranet of a company, the network administrator adds PCs of employees in a department to the same VLAN. To improve information security, only employees is this department are allowed to access the intranet. As shown in Figure 3-11, only PC1, PC2, and PC3 are allowed to access the intranet through SwitchA and Switch.
Issue 01 (2011-10-26)
131
Figure 3-11 Network diagram of MAC address-based VLAN assignment
Enterprise network
GE1/0/2 Switch GE1/0/1 GE1/0/1 SwitchA
MAC:22-22-22 MAC:33-33-33 MAC:44-44-44 PC3 PC2 PC1 VLAN 10
The configuration roadmap is as follows: 1. 2. 3. Create VLANs and determine the VLAN that PCs of employees belong to. Add Ethernet interfaces to VLANs. Associate MAC addresses of PC1, PC2, and PC3 with the specified VLAN so that the Switch can assign the VLAN to packets according to their source MAC addresses.
Data Preparation
To complete the configuration, you need the following data: l l l l l The PVID of GE1/0/1 on the Switch is 100. GE1/0/1 of the Switch needs to be added to VLAN 10 in untagged mode. GE1/0/2 of the Switch needs to be added to VLAN 10 in tagged mode. VLAN 1 to which all the interfaces are added in untagged mode on SwitchA MAC addresses of PC1, PC2, and PC3 need to be associated with VLAN 10.
Procedure
Step 1 Configure the Switch. # Create VLANs.

<Quidway> system-view [Quidway] vlan batch 10 100
# Set the PVID of interfaces and add interfaces to the VLANs.

[Quidway] interface gigabitethernet [Quidway-GigabitEthernet1/0/1] port [Quidway-GigabitEthernet1/0/1] port [Quidway-GigabitEthernet1/0/1] quit [Quidway] interface gigabitethernet [Quidway-GigabitEthernet1/0/2] port [Quidway-GigabitEthernet1/0/2] quit 1/0/1 hybrid pvid vlan 100 hybrid untagged vlan 10 1/0/2 hybrid tagged vlan 10
# Associate MAC addresses of PC1, PC2, and PC3 with VLAN 10.
[Quidway] vlan 10 [Quidway-Vlan10] mac-vlan mac-address 22-22-22 [Quidway-Vlan10] mac-vlan mac-address 33-33-33 [Quidway-Vlan10] mac-vlan mac-address 44-44-44 [Quidway-Vlan10] quit
# Enable MAC address-based VLAN assignment on GE1/0/1.

[Quidway] interface gigabitethernet 1/0/1 [Quidway-GigabitEthernet1/0/1] mac-vlan enable [Quidway-GigabitEthernet1/0/1] quit
Step 2 Verify the configuration. PC1, PC2, and PC3 can access the intranet, whereas PCs of non-employees cannot access the intranet. ----End
Configuration Files
# sysname Quidway # vlan batch 10 100 # vlan 10 mac-vlan mac-address 0022-0022-0022 mac-vlan mac-address 0033-0033-0033 mac-vlan mac-address 0044-0044-0044 # interface GigabitEthernet1/0/1 port hybrid pvid vlan 100 port hybrid untagged vlan 10 mac-vlan enable # interface GigabitEthernet1/0/2 port hybrid tagged vlan 10 # return
3.12.3 Example for Configuring IP Subnet-based VLAN Assignment

After a LAN is divided into VLANs based on IP subnets, frames from a certain network segment or IP address are transmitted in a specified VLAN. This reduces the configuration workload of network administrators and facilitates management.
A company has multiple services including the IPTV, VoIP, and Internet access services. Each service uses a unique IP address. Packets of the same service must be transmitted in the same VLAN and packets of different services must be transmitted in different VLANs. On the network shown in Figure 3-12, a switch receives Internet, IPTV, and voice services from users of which IP addresses are diverse. Packets of different services need to be transmitted in different VLANs and packets of each service need to be sent to a specified remote server. Figure 3-12 Network diagram of IP subnet-based VLAN assignment
IPTV server Internet RouterB RouterA GE1/0/3 GE1/0/2
Voice Network
RouterC GE1/0/4 Switch GE1/0/1
192.168.1.2
192.168.3.2 192.168.2.2
The configuration roadmap is as follows: 1. 2. Create VLANs and determine mappings between services and VLANs. Associate IP subnets with VLANs. The switch determines the VLAN mapped to a frame based on the source IP address carried in the frame. New nodes can be deployed on the network without too much configuration. The switch is able to add each new node to a corresponding VLAN based on the network address of the node. 3. 4. 5.
Issue 01 (2011-10-26)
Configure a port to allow frames with specified VLAN IDs to pass through. Configure the highest priority for IP subnet-based VLAN assignment. Enable IP subnet-based VLAN assignment.
Data Preparation
To complete the configuration, you need the following data: l l l VLANs to which GE1/0/1 needs to be added in untagged mode: VLAN 100, VLAN 200, and VLAN 300 VLANs to which GE1/0/2, GE1/0/3, and GE1/0/4 need to be added in tagged mode respectively: VLAN 100, VLAN 200, and VLAN 300 Configuration data for IP subnet-based VLAN assignment, as shown in Table 3-9 Table 3-9 Configuration data for IP subnet-based VLAN assignment VLAN ID 100 200 300 IP Subnet Index 1 1 1 Source IP Address 192.168.1.2 192.168.2.2 192.168.3.2 Subnet Mask 255.255.255.0 255.255.255.0 255.255.255.0 802.1p Priority 2 3 4
Procedure
Step 1 Create VLANs. # Create VLAN 100, VLAN 200, and VLAN 300 on the Switch.
<Quidway> system-view [Quidway] vlan batch 100 200 300
Step 2 Configure interfaces. # Set the link type of GE1/0/1 to hybrid and add it to VLAN 100, VLAN 200, and VLAN 300.
[Quidway] interface gigabitethernet 1/0/1 [Quidway-GigabitEthernet1/0/1] port link-type hybrid [Quidway-GigabitEthernet1/0/1] port hybrid untagged vlan 100 200 300 [Quidway-GigabitEthernet1/0/1] quit
# Add GE1/0/2 of the Switch to VLAN 100.



# Enable IP subnet-based VLAN assignment on GE1/0/1.


[Quidway] interface gigabitethernet 1/0/1 [Quidway-GigabitEthernet1/0/1] ip-subnet-vlan enable [Quidway-GigabitEthernet1/0/1] quit
Step 3 Configure IP subnet-based VLAN assignment. # Associate 192.168.1.2 to VLAN 100 and set the 802.1p priority of VLAN 100 to 2.
[Quidway] vlan 100 [Quidway-vlan100] ip-subnet-vlan 1 ip 192.168.1.2 24 priority 2 [Quidway-vlan100] quit
# Associate 192.168.2.2 to VLAN 200 and set the 802.1p priority of VLAN 200 to 3.
# Associate IP subnet 192.168.3.2 to VLAN 100 and set the 802.1p priority of VLAN 300 to 4.
Step 4 Verify the configuration. Run the display ip-subnet-vlan vlan all command on the Switch. The following information is displayed:
[Quidway] display ip-subnet-vlan vlan all ---------------------------------------------------------------Vlan Index IpAddress SubnetMask Priority ---------------------------------------------------------------100 1 192.168.1.2 255.255.255.0 2 200 1 192.168.2.2 255.255.255.0 3 300 1 192.168.3.2 255.255.255.0 4 ---------------------------------------------------------------ip-subnet-vlan count: 3 total count: 3
----End
Configuration Files
l Configuration file of the Switch
# sysname Quidway # vlan batch 100 200 300 # vlan 100 ip-subnet-vlan 1 ip 192.168.1.2 255.255.255.0 priority 2 # vlan 200 ip-subnet-vlan 1 ip 192.168.2.2 255.255.255.0 priority 3 # vlan 300 ip-subnet-vlan 1 ip 192.168.3.2 255.255.255.0 priority 4 # interface GigabitEthernet1/0/1 port hybrid untagged vlan 100 200 300 ip-subnet-vlan enable # interface GigabitEthernet1/0/2 port link-type trunk port trunk allow-pass vlan 100 # interface GigabitEthernet1/0/3 port link-type trunk
Issue 01 (2011-10-26)
136

port trunk allow-pass vlan 200 # interface GigabitEthernet1/0/4 port link-type trunk port trunk allow-pass vlan 300 # return
3.12.4 Example for Configuring Protocol-based VLAN Assignment

Protocol-based VLAN assignment reduces manual configuration workload and allows users to easily join a VLAN, transfer from one VLAN to another, and exit from a VLAN.
A company has multiple services including the IPTV, VoIP, and Internet access services. Each service uses a unique protocol. It is required that services of the same type be transmitted in a VLAN and services of different types be transmitted in separate VLANs to facilitate management and reduce manual VLAN configuration workload. As shown in Figure 3-13, the Switch receives packets of multiple services that use different protocols. Users in VLAN 10 use IPv4 to communicate with remote users, and users in VLAN 20 use IPv6 to communicate with the servers. The Switch needs to assign VLANs to packets of different services and transmit packets with different VLAN IDs to different servers. Figure 3-13 Network diagram of protocol-based VLAN assignment
Voice Network
Internet
RouterA GE1/0/2
RouterB GE1/0/3 Switch GE1/0/1
IPv4 VLAN 10
IPv6 VLAN 20
Issue 01 (2011-10-26)
137
The configuration roadmap is as follows: 1. 2. Create VLANs and determine mappings between services and VLANs. Associate protocols with VLANs. The Switch assigns a VLAN ID to a frame based on the protocol or protocol suite to which the frame belongs. As long as the protocols of user devices keep unchanged, users do not need to be added to new VLANs regardless of whether their locations change, whether network cards of PCs are changed, or whether users locate in the same network segment. 3. 4. Configure a port to allow frames with specified VLAN IDs to pass through. Associate ports with VLANs. After receiving a frame associated with a specified protocol, the system automatically assigns the VLAN ID associated with the protocol to the frame.
Data Preparation
To complete the configuration, you need the following data: l l l VLANs to which GE1/0/1 of the Switch needs to be added in untagged mode: VLAN 10 and VLAN 20 VLANs to which GE1/0/2 and GE1/0/3 of the Switch need to be added in tagged mode: VLAN 10 and VLAN 20 Protocol associated with each VLAN VLAN 10: IPv4 VLAN 20: IPv6
Procedure
Step 1 Create VLANs.
<Quidway> system-view [Quidway] sysname Switch [Switch] vlan batch 10 20
Step 2 Configure protocol-based VLANs. # Associate IPv4 with VLAN 10.

[Switch] vlan 10 [Switch-vlan10] protocol-vlan ipv4 [Switch-vlan10] quit
# Associate IPv6 with VLAN 20.

[Switch] vlan 20 [Switch-vlan20] protocol-vlan ipv6 [Switch-vlan20] quit
Step 3 Associate interfaces with protocol-based VLANs. # Associate GE1/0/1 with VLAN 10 and set the 802.1p priority of VLAN 10 to 5.
[Switch] interface gigabitethernet 1/0/1 [Switch-GigabitEthernet1/0/1] protocol-vlan vlan 10 all priority 5
# Associate GE1/0/1 with VLAN 20 and set the 802.1p priority of VLAN 20 to 6.
[Switch-GigabitEthernet1/0/1] protocol-vlan vlan 20 all priority 6 [Switch-GigabitEthernet1/0/1] quit
Step 4 Configure interfaces. # Add GE1/0/1 to VLAN 10 and VLAN 20 so that GE1/0/1 allows packets of VLAN 10 and VLAN 20 to pass through.
[Switch] interface gigabitethernet 1/0/1 [Switch-GigabitEthernet1/0/1] port link-type hybrid [Switch-GigabitEthernet1/0/1] port hybrid untagged vlan 10 20 [Switch-GigabitEthernet1/0/1] quit
# Add GE1/0/2 to VLAN 10 so that GE1/0/2 allows packets of VLAN 10 to pass through.
[Switch] interface gigabitethernet 1/0/2 [Switch-GigabitEthernet1/0/2] port link-type trunk [Switch-GigabitEthernet1/0/2] port trunk allow-pass vlan 10 [Switch-GigabitEthernet1/0/2] quit
# Add GE1/0/3 to VLAN 20 so that GE1/0/3 allows packets of VLAN 20 to pass through.
[Switch] interface gigabitethernet 1/0/3 [Switch-GigabitEthernet1/0/3] port link-type trunk [Switch-GigabitEthernet1/0/3] port trunk allow-pass vlan 20 [Switch-GigabitEthernet1/0/3] quit
Step 5 Verify the configuration. After completing the configuration, run the display protocol-vlan interface all command, and you can view the configuration of protocol-based VLANs on GE1/0/1. For example:
<Switch> display protocol-vlan interface all ------------------------------------------------------------------------------Interface VLAN Index Protocol Type Priority ------------------------------------------------------------------------------GigabitEthernet1/0/1 10 0 ipv4 5 GigabitEthernet1/0/1 20 0 ipv6 6
----End
Configuration Files
# sysname Switch # vlan batch 10 20 # vlan 10 protocol-vlan 0 ipv4 vlan 20 protocol-vlan 0 ipv6 # interface GigabitEthernet1/0/1 port hybrid untagged vlan 10 20 protocol-vlan vlan 10 0 priority 5 protocol-vlan vlan 20 0 priority 6 # interface GigabitEthernet1/0/2 port link-type trunk port trunk allow-pass vlan 10 # interface GigabitEthernet1/0/3 port link-type trunk port trunk allow-pass vlan 20
Issue 01 (2011-10-26)
139

# return
3.12.5 Example for Implementing Communication Between VLANs by Using VLANIF Interfaces
A Layer 3 switch can replace a router to implement communications between VLANs by using VLANIF interfaces.
Departments of an enterprise are located on different network segments and use same services such as Internet access and VoIP. Departments in different VLANs need to use the same service, so communication between VLANs must be implemented. As shown in Figure 3-14, department 1 and department 2 use the same service but belong to different VLANs and are located on different network segments. Users in department 1 and department 2 need to communicate with each other. Figure 3-14 Communication between VLANs using VLANIF interfaces
Switch
GE1/0/1 SwitchA GE1/0/2 VLAN 10 Department1 PC1 10.10.10.2/24 GE1/0/1 GE1/0/3 VLAN 20 Department2 PC2 20.20.20.2/24
The configuration roadmap is as follows: 1. 2. 3. Create VLANs on the switches for different departments. Add Layer 2 interfaces to the VLANs so that packets of the VLANs can pass through the Layer 2 interfaces. On the Layer 3 switch, create VLANIF interfaces corresponding to the VLANs and configure IP addresses for the VLANIF interfaces to implement Layer 3 communication.
NOTE
To implement communication between VLANs, hosts in each VLAN must use the IP address of the corresponding VLANIF interface as gateway address.
Issue 01 (2011-10-26)
140
Data Preparation
To complete the configuration, you need the following data: l l l l l l GE1/0/1 of the Switch needs to be added to VLAN 10 and VLAN 20. The IP address of VLANIF10 on the Switch is 10.10.10.1/24. The IP address of VLANIF20 on the Switch is 20.20.20.1/24. GE1/0/1of SwitchA needs to be added to VLAN 10 and VLAN 20. GE1/0/2 of SwitchA needs to be added to VLAN 10. GE1/0/3 of SwitchA needs to be added to VLAN 20.
Procedure
Step 1 # Configure the Switch. # Create VLANs.
# Add GE1/0/1 to VLANs.

[Quidway] interface gigabitethernet 1/0/1 [Quidway-GigabitEthernet1/0/1] port link-type trunk [Quidway-GigabitEthernet1/0/1] port trunk allow-pass vlan 10 20 [Quidway-GigabitEthernet1/0/1] quit
# Assign IP addresses to VLANIF interfaces.

[Quidway] interface vlanif 10 [Quidway-Vlanif10] ip address 10.10.10.1 24 [Quidway-Vlanif10] quit [Quidway] interface vlanif 20 [Quidway-Vlanif20] ip address 20.20.20.1 24 [Quidway-Vlanif20] quit
Step 2 Configure SwitchA. # Create VLANs.

# Add interfaces to VLANs.

[Quidway] interface gigabitethernet [Quidway-GigabitEthernet1/0/1] port [Quidway-GigabitEthernet1/0/1] port [Quidway-GigabitEthernet1/0/1] quit [Quidway] interface gigabitethernet [Quidway-GigabitEthernet1/0/2] port [Quidway-GigabitEthernet1/0/2] port [Quidway-GigabitEthernet1/0/2] quit [Quidway] interface gigabitethernet [Quidway-GigabitEthernet1/0/2] port [Quidway-GigabitEthernet1/0/2] port [Quidway-GigabitEthernet1/0/3] quit 1/0/1 link-type trunk trunk allow-pass vlan 10 20 1/0/2 link-type access default vlan 10 1/0/3 link-type access default vlan 20
Step 3 Verify the configuration. On PC1 in VLAN 10, set the default gateway address to 10.10.10.1/24, which is the IP address of VLANIF10.
On PC2 in VLAN 20, set the default gateway address to 20.20.20.1/24, which is the IP address of VLANIF20. After the preceding configurations are complete, PC1 in VLAN 10 and PC2 in VLAN 20 can communicate. ----End
Configuration Files
# sysname Quidway # vlan batch 10 20 # interface Vlanif10 ip address 10.10.10.1 255.255.255.0 # interface Vlanif20 ip address 20.20.20.1 255.255.255.0 # interface GigabitEthernet1/0/1 port link-type trunk port trunk allow-pass vlan 10 20 # return
Configuration file of SwitchA

# sysname Quidway # vlan batch 10 20 # interface GigabitEthernet1/0/1 port link-type trunk port trunk allow-pass vlan 10 20 # interface GigabitEthernet1/0/2 port link-type access port default vlan 10 # interface GigabitEthernet1/0/3 port link-type access port default vlan 20 # return
3.12.6 Example for Implementing Communication Across a Layer 3 Network Through VLANIF Interfaces
This example illustrates how to enable users in different VLANs and different network segments to communicate through VLANIF interfaces. In this example, OSPF is used on the Layer 3 network.
As shown in Figure 3-15, Switch A and Switch B are connected to Layer 2 networks that VLAN 10 belongs to. Switch A and Switch B communicate with each other through an OSPF-enabled Layer 3 network.
It is required that the computers on the two Layer 2 networks be isolated at Layer 2 and communicate at Layer 3. Figure 3-15 Networking diagram for communication across a Layer 3 network through VLANIF interfaces
SwitchA GE1/0/2
GE1/0/1
SwitchB OSPF GE1/0/1
GE1/0/2
VLAN 10
VLAN 10
The configuration roadmap is as follows: 1. 2. 3. Add interfaces to VLANs. Assign IP addresses to VLANIF interfaces. Configure basic OSPF functions.
Data Preparation
To complete the configuration, you need the following data: l l l l l l GE 1/0/1 of Switch A belongs to VLAN 10, and IP address of VLANIF 10 is 10.10.10.1/24. GE 1/0/2 of Switch B belongs to VLAN 10, and IP address of VLANIF 10 is 20.20.20.1/24. GE 1/0/2 of Switch A belongs to VLAN 30, and IP address of VLANIF 30 is 30.30.30.1/24. GE 1/0/1 of Switch B belongs to VLAN 30, and IP address of VLANIF 30 is 30.30.30.2/24. The IP address of the computer on the Layer 2 network connected to Switch A is 10.10.10.2/24. The IP address of the computer on the Layer 2 network connected to Switch B is 20.20.20.2/24.
Procedure
Step 1 Configure Switch A. # Create VLANs.

<Quidway> system-view [Quidway] sysname SwitchA [SwitchA] vlan batch 10 30

[SwitchA] interface gigabitethernet [SwitchA-GigabitEthernet1/0/1] port [SwitchA-GigabitEthernet1/0/1] port [SwitchA-GigabitEthernet1/0/1] quit [SwitchA] interface gigabitethernet [SwitchA-GigabitEthernet1/0/2] port [SwitchA-GigabitEthernet1/0/2] port [SwitchA-GigabitEthernet1/0/2] quit 1/0/1 link-type trunk trunk allow-pass vlan 10 1/0/2 link-type trunk trunk allow-pass vlan 30

[SwitchA] interface vlanif 10 [SwitchA-Vlanif10] ip address 10.10.10.1 24 [SwitchA-Vlanif10] quit [SwitchA] interface vlanif 30 [SwitchA-Vlanif30] ip address 30.30.30.1 24 [SwitchA-Vlanif30] quit
# Configure basic OSPF functions.

[SwitchA] router id 1.1.1.1 [SwitchA] ospf [SwitchA-ospf-1] area 0 [SwitchA-ospf-1-area-0.0.0.0] network 10.10.10.0 0.0.0.255 [SwitchA-ospf-1-area-0.0.0.0] network 30.30.30.0 0.0.0.255 [SwitchA-ospf-1-area-0.0.0.0] quit
Step 2 Configure Switch B. # Create VLANs.

<Quidway> system-view [Quidway] sysname SwitchB [SwitchB] vlan batch 10 30

[SwitchB] interface gigabitethernet [SwitchB-GigabitEthernet1/0/2] port [SwitchB-GigabitEthernet1/0/2] port [SwitchB-GigabitEthernet1/0/2] quit [SwitchB] interface gigabitethernet [SwitchB-GigabitEthernet1/0/1] port [SwitchB-GigabitEthernet1/0/1] port [SwitchB-GigabitEthernet1/0/1] quit 1/0/2 link-type trunk trunk allow-pass vlan 10 1/0/1 link-type trunk trunk allow-pass vlan 30

[SwitchB] interface vlanif 10 [SwitchB-Vlanif10] ip address 20.20.20.1 24 [SwitchB-Vlanif10] quit [SwitchB] interface vlanif 30 [SwitchB-Vlanif30] ip address 30.30.30.2 24 [SwitchB-Vlanif30] quit

[SwitchB] router id 2.2.2.2 [SwitchB] ospf [SwitchB-ospf-1] area 0 [SwitchB-ospf-1-area-0.0.0.0] network 20.20.20.0 0.0.0.255 [SwitchB-ospf-1-area-0.0.0.0] network 30.30.30.0 0.0.0.255 [SwitchB-ospf-1-area-0.0.0.0] quit
Issue 01 (2011-10-26)
144
Step 3 Verify the configuration. On the computer on the Layer 2 network connected to Switch A, set the default gateway address to the IP address of VLANIF 10, that is, 10.10.10.1/24. On the computer on the Layer 2 network connected to Switch B, set the default gateway address to the IP address of VLANIF 10, that is, 20.20.20.1/24. After the configurations are complete, computers of the two Layer 2 networks are isolated at Layer 2 and interwork at Layer 3. ----End
Configuration Files
Configuration file of Switch A
# sysname SwitchA # router id 1.1.1.1 # vlan batch 10 30 # interface Vlanif10 ip address 10.10.10.1 255.255.255.0 # interface Vlanif30 ip address 30.30.30.1 255.255.255.0 # interface GigabitEthernet1/0/1 port link-type trunk port trunk allow-pass vlan 10 # interface GigabitEthernet1/0/2 port link-type trunk port trunk allow-pass vlan 30 # ospf 1 area 0.0.0.0 network 10.10.10.0 0.0.0.255 network 30.30.30.0 0.0.0.255 # return
Configuration file of Switch B

# sysname SwitchB # router id 2.2.2.2 # vlan batch 10 30 # interface Vlanif10 ip address 20.20.20.1 255.255.255.0 # interface Vlanif30 ip address 30.30.30.2 255.255.255.0 # interface GigabitEthernet1/0/1 port link-type trunk port trunk allow-pass vlan 30 # interface GigabitEthernet1/0/2 port link-type trunk port trunk allow-pass vlan 10
Issue 01 (2011-10-26)
145

# ospf 1 area 0.0.0.0 network 20.20.20.0 0.0.0.255 network 30.30.30.0 0.0.0.255 # return
3.12.7 Example for Implementing Communication Between VLANs Through Sub-interfaces

Configuring sub-interfaces enables users in different VLANs and network segments to communicate with each other.
Departments of an enterprise are located on different network segments and use same services such as Internet access and VoIP. Departments in different VLANs need to use the same service, so communication between VLANs must be implemented. As shown in Figure 3-16, department 1 and department 2 use the same service but belong to different VLANs and are located on different network segments. Users in department 1 and department 2 need to communicate with each other. Figure 3-16 Networking diagram for implementing communication between VLANs through sub-interfaces
Switch GE1/0/1.1 10.10.10.1/24 SwitchA GE1/0/2.1 20.20.20.1/24 SwitchB
Department1 PC1 10.10.10.2/24 VLAN 10
Department2 PC2 20.20.20.2/24 VLAN 20
The configuration roadmap is as follows: 1. 2. 3.
Issue 01 (2011-10-26)
Set the encapsulation mode of GE interfaces to 802.1Q. Specify the VLANs that the GE interfaces belong to. Set the IP addresses of the GE interfaces.
Data Preparation
To complete the configuration, you need the following data: l l l l l l VLANs that GE 1/0/1.1 and GE 1/0/2.1 belong to: VLAN 10 and VLAN 20 IP addresses of GE 1/0/1.1 and GE 1/0/2.1: 10.10.10.1 and 20.20.20.1 VLAN that the uplink of Switch A belongs to: VLAN 10 (tagged mode) VLAN that the downstream interface of Switch A belongs to: VLAN 10 (default mode) VLAN that the uplink of Switch B belong to: VLAN 20 (tagged mode) VLAN that the downstream interface of Switch B belong to: VLAN 20 (default mode)
Procedure
Step 1 Configure the interface connected to Switch A. # Create and configure sub-interface GE 1/0/1.1.
<Quidway> system-view [Quidway] interface gigabitethernet 1/0/1.1 [Quidway-GigabitEthernet1/0/1.1] control-vid 100 dot1q-termination rt-protocol [Quidway-GigabitEthernet1/0/1.1] dot1q termination vid 10 [Quidway-GigabitEthernet1/0/1.1] ip address 10.10.10.1 24 [Quidway-GigabitEthernet1/0/1.1] arp broadcast enable [Quidway-GigabitEthernet1/0/1.1] quit
Step 2 Configure the interface connected to Switch B. # Create and configure sub-interface GE 1/0/2.1.
[Quidway] interface gigabitethernet 1/0/2.1 [Quidway-GigabitEthernet1/0/2.1] control-vid 200 dot1q-termination rt-protocol [Quidway-GigabitEthernet1/0/2.1] dot1q termination vid 20 [Quidway-GigabitEthernet1/0/2.1] ip address 20.20.20.1 24 [Quidway-GigabitEthernet1/0/2.1] arp broadcast enable [Quidway-GigabitEthernet1/0/2.1] quit
Step 3 Verify the configuration. On PC 1 in VLAN 10, set default gateway address to the IP address of GE 1/0/1.1, that is, 10.10.10.1/24. On PC 2 in VLAN 20, set default gateway address to the IP address of GE 1/0/2.1, that is, 20.20.20.1/24. After the configuration, PC 1 in VLAN 10 and PC 2 in VLAN 20 can communicate with each other. ----End
Configuration Files
# sysname Quidway # interface GigabitEthernet1/0/1.1 control-vid 100 dot1q-termination rt-protocol dot1q termination vid 10 ip address 10.10.10.1 255.255.255.0 arp broadcast enable
Issue 01 (2011-10-26)
147

# interface GigabitEthernet1/0/2.1 control-vid 200 dot1q-termination rt-protocol dot1q termination vid 20 ip address 20.20.20.1 255.255.255.0 arp broadcast enable # return
3.12.8 Example for Implementing Communication Across a Layer 3 Network Through Sub-interfaces
This example illustrates how to enable users in different VLANs and different network segments to communicate through sub-interfaces. In this example, OSPF is used on the Layer 3 network.
As shown in Figure 3-17, Switch A and Switch B are connected to Layer 2 networks that VLAN 10 belongs to. Switch A communicates with Switch B through a Layer 3 network where OSPF is enabled. It is required that the computers of the two Layer 2 networks be isolated at Layer 2 and interwork at Layer 3. Figure 3-17 Networking diagram for communication across a Layer 3 network through subinterfaces
SwitchA GE1/0/2 GE1/0/1.1 OSPF SwitchB GE1/0/1 GE1/0/2.1
VLAN 10
VLAN 10
The configuration roadmap is as follows: 1. 2. 3. 4.
Issue 01 (2011-10-26)
Add interfaces to VLANs. Assign IP addresses to VLANIF interfaces. Set the encapsulation type of the sub-interface. Configure the VLAN allowed by the sub-interface.
5. 6.
Assign IP addresses to sub-interfaces. Configure basic OSPF functions.

NOTE
The VLAN allowed by the sub-interface cannot be created globally.
Data Preparation
To complete the configuration, you need the following data: l l l l l l VLAN 10 allowed by GE 1/0/1.1 of Switch A and IP address being 10.10.10.1/24 VLAN 10 allowed by GE 1/0/2.1 of Switch B and IP address being 20.20.20.1/24 VLAN 30 allowed by GE 1/0/2 of Switch A and IP address of VLANIF 30 being 30.30.30.1/24 VLAN 30 allowed by GE 1/0/1 of Switch B and IP address of VLANIF 30 being 30.30.30.2/24 IP address of the computer on a Layer 2 network connected to Switch A being 10.10.10.1/24 IP address of the computer on a Layer 2 network connected to Switch B being 20.20.20.1/24
Procedure
Step 1 Configure Switch A. # Create a VLAN.
<Quidway> system-view [Quidway] sysname SwitchA [SwitchA] vlan batch 30
# Add an interface to the VLAN.

[SwitchA] interface gigabitethernet 1/0/2 [SwitchA-GigabitEthernet1/0/2] port link-type trunk [SwitchA-GigabitEthernet1/0/2] port trunk allow-pass vlan 30 [SwitchA-GigabitEthernet1/0/2] quit
# Assign an IP address to the VLANIF interface.

[SwitchA] interface vlanif 30 [SwitchA-Vlanif30] ip address 30.30.30.1 24 [SwitchA-Vlanif30] quit
# Create and configure GE 1/0/1.1.

[SwitchA] interface gigabitethernet 1/0/1.1 [SwitchA-GigabitEthernet1/0/1.1] control-vid 100 dot1q-termination [SwitchA-GigabitEthernet1/0/1.1] dot1q termination vid 10 [SwitchA-GigabitEthernet1/0/1.1] ip address 10.10.10.1 24 [SwitchA-GigabitEthernet1/0/1.1] arp broadcast enable [SwitchA-GigabitEthernet1/0/1.1] quit

[SwitchA] router id 1.1.1.1 [SwitchA] ospf [SwitchA-ospf-1] area 0 [SwitchA-ospf-1-area-0.0.0.0] network 10.10.10.0 0.0.0.255 [SwitchA-ospf-1-area-0.0.0.0] network 30.30.30.0 0.0.0.255 [SwitchA-ospf-1-area-0.0.0.0] quit
Issue 01 (2011-10-26)
149
Step 2 Configure Switch B. # Create a VLAN.

<Quidway> system-view [Quidway] sysname SwitchB [SwitchB] vlan batch 30
# Add an interface to the VLAN.

[SwitchB] interface gigabitethernet 1/0/1 [SwitchB-GigabitEthernet1/0/1] port link-type trunk [SwitchB-GigabitEthernet1/0/1] port trunk allow-pass vlan 30 [SwitchB-GigabitEthernet1/0/1] quit
# Assign an IP address to the VLANIF interface.

[SwitchB] interface vlanif 30 [SwitchB-Vlanif30] ip address 30.30.30.2 24 [SwitchB-Vlanif30] quit
# Create and configure GE 1/0/2.1.

[SwitchB] interface gigabitethernet 1/0/2.1 [SwitchB-GigabitEthernet1/0/2.1] control-vid 100 dot1q-termination [SwitchB-GigabitEthernet1/0/2.1] dot1q termination vid 10 [SwitchB-GigabitEthernet1/0/2.1] ip address 20.20.20.1 24 [SwitchB-GigabitEthernet1/0/2.1] arp broadcast enable [SwitchB-GigabitEthernet1/0/2.1] quit

[SwitchB] router id 2.2.2.2 [SwitchB] ospf [SwitchB-ospf-1] area 0 [SwitchB-ospf-1-area-0.0.0.0] network 20.20.20.0 0.0.0.255 [SwitchB-ospf-1-area-0.0.0.0] network 30.30.30.0 0.0.0.255 [SwitchB-ospf-1-area-0.0.0.0] quit
Step 3 Verify the configuration. On the computer of the Layer 2 network connected to Switch A, set the default gateway address to the IP address of GE 1/0/1.1, that is, 10.10.10.1/24. On the computer of the Layer 2 network connected to Switch B, set the default gateway address to the IP address of GE 1/0/2.1, that is, 20.20.20.1/24. After the configurations, computers of the two Layer 2 networks are isolated at Layer 2 and interwork at Layer 3. ----End
Configuration Files
Configuration file of Switch A
# sysname SwitchA # router id 1.1.1.1 # vlan batch 30 # interface Vlanif30 ip address 30.30.30.1 255.255.255.0 # interface GigabitEthernet1/0/1.1
Issue 01 (2011-10-26)
150

control-vid 100 dot1q-termination dot1q termination vid 10 ip address 10.10.10.1 255.255.255.0 arp broadcast enable # interface GigabitEthernet1/0/2 port link-type trunk port trunk allow-pass vlan 30 # ospf 1 area 0.0.0.0 network 10.10.10.0 0.0.0.255 network 30.30.30.0 0.0.0.255 # return

# sysname SwitchB # router id 2.2.2.2 # vlan batch 30 # interface Vlanif30 ip address 30.30.30.2 255.255.255.0 # interface GigabitEthernet1/0/1 port link-type trunk port trunk allow-pass vlan 30 # interface GigabitEthernet1/0/2.1 control-vid 100 dot1q-termination dot1q termination vid 10 ip address 20.20.20.1 255.255.255.0 arp broadcast enable # ospf 1 area 0.0.0.0 network 20.20.20.0 0.0.0.255 network 30.30.30.0 0.0.0.255 # return
3.12.9 Example for Implementing Communication Between VLANs Through VLAN Switching
VLAN switching improves packet forwarding efficiency and enhances network security.
As shown in Figure 3-18, GE 1/0/1 and GE 1/0/2 of the Switch are connected to the uplink interfaces of Switch A and Switch B respectively. The downlink interfaces of Switch A and Switch B are added to VLAN 10 and VLAN 20 respectively. It is required that PCs in VLAN 10 and PCs in VLAN 20 should be able to communicate with each other.
Issue 01 (2011-10-26)
151
Figure 3-18 Networking diagram for communication between VLANs through VLAN switching
Switch GE1/0/1 VLAN 10 SwitchA GE1/0/2 VLAN 20 SwitchB
PC1
PC2
PC3
PC4
The configuration roadmap is as follows: 1. 2. Add the uplink and downlink interfaces of Switch A and Switch B to VLANs. Configure the VLAN switching function on the Switch.
Data Preparation
To complete the configuration, you need the following data: l l l l VLAN that the uplink interface of Switch A belongs to: VLAN 10 (tagged mode) VLAN that the downlink interface of Switch A belongs to: VLAN 10 (default mode) VLAN that the uplink interface of Switch B belongs to: VLAN 20 (tagged mode) VLAN that the downlink interface of Switch B belongs to: VLAN 20 (default mode)
NOTE
VLAN 10 and VLAN 20 cannot be created on the Switch; otherwise, the VLAN switching function cannot be configured.
Procedure
Step 1 Configure the Switch. # Configure the VLAN switching function on the Switch.
<Quidway> system-view [Quidway] vlan-switch name1 interface GigabitEthernet 1/0/1 vlan 10 interface GigabitEthernet 1/0/2 switch-vlan 20
Step 2 Verify the configuration. After the configuration, PCs in VLAN 10 and PCs in VLAN 20 can communicate with each other. ----End
Configuration Files
Configuration file of a Switch
# sysname Quidway # vlan-switch name1 interface GigabitEthernet1/0/1 vlan 10 interface GigabitEthernet1/0/2 switch-vlan 20 # return
3.12.10 Example for Configuring VLAN Aggregation

This part describes how to configure communication between VLANs with less IP addresses.
Assume that an enterprise has many departments and IP addresses of these departments are on the same network segment, to improve the service security, IP address of employee users in different departments are added to different VLANs. Employee users in different departments need to communicate with each other. As shown in Figure 3-19, IP addresses of the R&D department and test department belong to different VLANs. It is required that employee users in different VLANs communicate with each other. Figure 3-19 Network diagram of VLAN aggregation
Switch GE1/0/0 GE2/0/0 VLAN2 GE3/0/0 GE4/0/0 VLAN3 VLAN4 VLANIF4:100.1.1.12/24
VLAN2
VLAN3
The configuration roadmap is as follows: 1. 2.
Issue 01 (2011-10-26)
Add interfaces of the Switch to sub-VLANs. Add the sub-VLANs to a super-VLAN.

3. 4.
Configure the IP address for the super-VLAN. Configure proxy ARP for the super-VLAN.
Data Preparation
To complete the configuration, you need the following data: l l l l GE 1/0/0 and GE 2/0/0 belong to VLAN 2. GE 3/0/0 and GE 4/0/0 belong to VLAN 3. The VLAN ID of the super-VLAN is 4. The IP address of the super-VLAN is 100.1.1.12.
Procedure
Step 1 Set the interface type. # Configure GE 1/0/0 as an access interface.
<Quidway> system-view [Quidway] interface gigabitethernet 1/0/0 [Quidway-GigabitEthernet1/0/0] port link-type access [Quidway-GigabitEthernet1/0/0] quit
# Configure GE 2/0/0 as an access interface.



Step 2 Configure VLAN 2. # Create VLAN 2.

[Quidway] vlan 2
# Add GE 1/0/0 and GE 2/0/0 to VLAN 2.

[Quidway-vlan2] port gigabitethernet 1/0/0 2/0/0 [Quidway-vlan2] quit
Step 3 Configure VLAN 3. # Create VLAN 3.

[Quidway] vlan 3
# Add GE 3/0/0 and GE 4/0/0 to VLAN 3.


[Quidway-vlan3] port gigabitethernet 3/0/0 4/0/0 [Quidway-vlan3] quit
Step 4 Configure VLAN 4. # Configure the super-VLAN.

[Quidway] vlan 4 [Quidway-vlan4] aggregate-vlan [Quidway-vlan4] access-vlan 2 to 3
# Configure the VLANIF interface.

[Quidway] interface vlanif 4 [Quidway-Vlanif4] ip address 100.1.1.12 255.255.255.0 [Quidway-Vlanif4] quit
Step 5 Configure the personal computers. Configure the IP address for each personal computer and make them reside in the same network segment with VLAN 4. After the preceding configuration, the personal computers and the Switch can ping each other, but the computers in VLAN 2 and the computers in VLAN 3 cannot ping each other. Step 6 Configure proxy ARP.
[Quidway] interface vlanif 4 [Quidway-Vlanif4] arp-proxy inter-sub-vlan-proxy enable
Step 7 Verify the configuration. After the preceding configuration, the computers in VLAN 2 and the computers in VLAN 3 can ping each other. ----End
Configuration Files
# sysname Quidway # vlan batch 2 to 4 # vlan 4 aggregate-vlan access-vlan 2 to 3 # interface Vlanif4 ip address 100.1.1.12 255.255.255.0 arp-proxy inter-sub-vlan-proxy enable # interface GigabitEthernet1/0/0 port link-type access port default vlan 2 # interface GigabitEthernet2/0/0 port link-type access port default vlan 2 # interface GigabitEthernet3/0/0 port link-type access port default vlan 3 # interface GigabitEthernet4/0/0
Issue 01 (2011-10-26)
155

port link-type access port default vlan 3 # return
3.12.11 Example for Configuring the MUX VLAN

MUX VLAN isolates Layer 2 traffic of different interfaces in a VLAN. It allows some employee users of an enterprise to communicate with each other and isolates some employee users from each other.
In an enterprise network, all employees of the enterprise can access the enterprise's server. It is required that some employees be able to communicate with each other, whereas some employees not communicate with each other. As shown in Figure 3-20,in an enterprise network, all employees of the enterprise can access the enterprise's server. It is required that some employees be able to communicate with each other, whereas some employees not communicate with each other. For an enterprise with a large number of employees, each employee that is prohibited from communicating with another needs to be added to a separate VLAN if the preceding scheme is used. This wastes VLAN ID resources and imposes an additional configuration workload on the network administrator. Configuring a MUX VLAN on the switch connected to PCs helps to save VLAN ID resources, reduce the configuration workload of the network administrator, and facilitate network maintenance. Figure 3-20 Typical networking of MUX VLAN configuration
Switch
GE1/0/2 GE1/0/3 GE1/0/4 GE1/0/5
GE1/0/1
HostB HostC VLAN 3
HostD HostE VLAN 4
HostA VLAN 2
Issue 01 (2011-10-26)
Configure the MUX VLAN. Configure the group VLAN.

3. 4.
Configure the separate VLAN. Add interfaces to the VLAN and enable the MUX VLAN function.
Data Preparation
To complete the configuration, you need the following data: l l l GE 1/0/1 belongs to VLAN 2. GE 1/0/2 and GE 1/0/3 belong to VLAN 3. GE 1/0/4 and GE 1/0/5 belong to VLAN 4.
Procedure
Step 1 Configure the MUX VLAN. # Create VLAN 2, VLAN 3, and VLAN 4.
<Quidway> system-view [Quidway] vlan batch 2 3 4 [Quidway] quit
# Configure the MUX VLAN, subordinate VLAN, and interfaces.

<Quidway> system-view [Quidway] vlan 2 [Quidway-vlan2] mux-vlan [Quidway-vlan2] subordinate group 3 [Quidway-vlan2] subordinate separate 4 [Quidway-vlan2] quit [Quidway] interface gigabitethernet 1/0/1 [Quidway-GigabitEthernet1/0/1] port link-type access [Quidway-GigabitEthernet1/0/1] port default vlan 2 [Quidway-GigabitEthernet1/0/1] port mux-vlan enable [Quidway-GigabitEthernet1/0/1] quit [Quidway] interface gigabitethernet 1/0/2 [Quidway-GigabitEthernet1/0/2] port link-type access [Quidway-GigabitEthernet1/0/2] port default vlan 3 [Quidway-GigabitEthernet1/0/2] port mux-vlan enable [Quidway-GigabitEthernet1/0/2] quit [Quidway] interface gigabitethernet 1/0/3 [Quidway-GigabitEthernet1/0/3] port link-type access [Quidway-GigabitEthernet1/0/3] port default vlan 3 [Quidway-GigabitEthernet1/0/3] port mux-vlan enable [Quidway-GigabitEthernet1/0/3] quit [Quidway] interface gigabitethernet 1/0/4 [Quidway-GigabitEthernet1/0/4] port link-type access [Quidway-GigabitEthernet1/0/4] port default vlan 4 [Quidway-GigabitEthernet1/0/4] port mux-vlan enable [Quidway-GigabitEthernet1/0/4] quit [Quidway] interface gigabitethernet 1/0/5 [Quidway-GigabitEthernet1/0/5] port link-type access [Quidway-GigabitEthernet1/0/5] port default vlan 4 [Quidway-GigabitEthernet1/0/5] port mux-vlan enable [Quidway-GigabitEthernet1/0/5] quit
Step 2 Verify the configuration. Host A can ping Hosts B to E. Hosts B to E can also ping Host A. Host B and Host C can ping each other. Host D and Host E cannot ping each other.
Host B and Host C cannot ping Host D or host E. Host D and Host E cannot ping Host B or Host C. ----End
Configuration Files
# sysname Quidway # vlan batch 2 to 4 # vlan 2 mux-vlan subordinate group 3 subordinate separate 4 # interface GigabitEthernet1/0/1 port link-type access port default vlan 2 port mux-vlan enable # interface GigabitEthernet1/0/2 port link-type access port default vlan 3 port mux-vlan enable # interface GigabitEthernet1/0/3 port link-type access port default vlan 3 port mux-vlan enable # interface GigabitEthernet1/0/4 port link-type access port default vlan 4 port mux-vlan enable # interface GigabitEthernet1/0/5 port link-type access port default vlan 4 port mux-vlan enable # return
3.12.12 Example for Configuring a Voice VLAN in Auto Mode

In this example, voice traffic is transmitted by using a specific VLAN, namely, voice VLAN. During a certain period, if a voice device becomes faulty or exits from the network, the interface connected to the voice device will exit from the voice VLAN.
Data flows of the HSI, VoIP, and IPTV services are transmitted on a network. Users require high quality of VoIP services; therefore, voice data flows must be transmitted with a high priority to ensure the call quality. As shown in Figure 3-21, after a voice VLAN is configured on the Switch, the Switch checks whether a data flow received by GigabitEthernet1/0/1 is a voice data flow based on the source MAC address of the data flow. If the data flow is a voice data flow, the Switch changes the priority of the flow and transmits it in the voice VLAN. If not, the Switch transmits the flow in
a common VLAN without changing the priority of the flow. GigabitEthernet1/0/1 needs to be automatically added to or deleted from the voice VLAN. Figure 3-21 Networking diagram of a voice VLAN in auto mode
DHCP Server
Internet
Switch
GE1/0/1
LAN Switch
HSI
VoIP
IPTV
The configuration roadmap is as follows: 1. 2. 3. 4. 5. 6. 7. Create VLANs. Configure the link type and default VLAN of the interface. Enable the voice VLAN on the interface. Set the mode of adding the interface to the voice VLAN to auto. Set the OUI of the voice VLAN. Set the aging time of the voice VLAN. Set the working mode of the voice VLAN.
Data Preparation
To complete the configuration, you need the following data: l l l l
Issue 01 (2011-10-26)
Voice VLAN and VLAN through which the IP phone applies for an IP address: VLAN 2 and VLAN 6 OUI and mask: 0011-2200-0000 and ffff-ff00-0000 Aging time of the voice VLAN: 100 minutes Default VLAN of GigabitEthernet1/0/1: VLAN 6
Procedure
Step 1 Create VLANs and configure the interface on the Switch. # Create VLAN 2 and VLAN 6.
# Configure the link type and default VLAN of the interface.

[Quidway] interface gigabitethernet 1/0/1 [Quidway-GigabitEthernet1/0/1] port hybrid pvid vlan 6 [Quidway-GigabitEthernet1/0/1] port hybrid untagged vlan 6 [Quidway-GigabitEthernet1/0/1] quit
Step 2 Configure the voice VLAN on the Switch. # Configure the voice VLAN on the interface.
[Quidway] interface gigabitethernet 1/0/1 [Quidway-GigabitEthernet1/0/1] voice-vlan 2 enable
# Set the mode of adding the interface to the voice VLAN to auto.
[Quidway-GigabitEthernet1/0/1] voice-vlan mode auto [Quidway-GigabitEthernet1/0/1] quit
# Set the OUI of the voice VLAN.

[Quidway] voice-vlan mac-address 0011-2200-0000 mask ffff-ff00-0000
# Set the aging time of the voice VLAN.

[Quidway] voice-vlan aging-time 100
# Set the working mode of the voice VLAN.

[Quidway-GigabitEthernet1/0/1] voice-vlan security enable
Step 3 Verify the configuration. Run the display voice-vlan oui command to check whether the OUI of the voice VLAN is correct.
<Quidway> display voice-vlan oui --------------------------------------------------OuiAddress Mask Description --------------------------------------------------0011-2200-0000 ffff-ff00-0000
Run the display voice-vlan 2 status command to check whether the mode of adding the interface to the voice VLAN, working mode, and aging time of the voice VLAN are correct.
<Quidway> display voice-vlan 2 status Voice VLAN Configurations: --------------------------------------------------Voice VLAN ID : 2 Voice VLAN status : Enable Voice VLAN aging time : 100 (minutes) Voice VLAN 8021p remark : 6 Voice VLAN dscp remark : 46 ---------------------------------------------------------Port Information: ----------------------------------------------------------Port Add-Mode Security-Mode Legacy
Issue 01 (2011-10-26)
160

----------------------------------------------------------GigabitEthernet1/0/1 Auto Security Disable
----End
Configuration Files
# sysname Quidway # vlan batch 2 6 # voice-vlan aging-time 100 # voice-vlan mac-address 0011-2200-0000 mask ffff-ff00-0000 # interface GigabitEthernet1/0/1 port hybrid pvid vlan 6 port hybrid untagged vlan 6 voice-vlan 2 enable # return
3.12.13 Example for Configuring a Voice VLAN in Manual Mode

In manual voice VLAN mode, an interface must be added to the voice VLAN manually after the voice VLAN function is enabled on the interface. The interface connected to a voice device can forward voice data packets only after the interface is added to the voice VLAN manually.
Data flows of the HSI, VoIP, and IPTV services are transmitted on a network. Users require high quality of VoIP services; therefore, voice data flows must be transmitted with a high priority to ensure the call quality. As shown in Figure 3-22, after a voice VLAN is configured on the Switch, the Switch checks whether a data flow received by GigabitEthernet1/0/1 is a voice data flow based on the source MAC address of the data flow. If the data flow is a voice data flow, the Switch changes the priority of the flow and transmits it in the voice VLAN. If not, the Switch transmits the flow in a common VLAN without changing the priority of the flow. GigabitEthernet1/0/1 needs to be added to or deleted from the voice VLAN manually.
Issue 01 (2011-10-26)
161
Figure 3-22 Networking diagram of a voice VLAN in manual mode
DHCP Server
Internet
Switch
GE1/0/1
LAN Switch
HSI
VoIP
IPTV
The configuration roadmap is as follows: 1. 2. 3. 4. 5. 6. 7. Create VLANs. Configure the link type and default VLAN of the interface. Enable the voice VLAN on the interface. Set the mode of adding the interface to the voice VLAN to manual. Set the OUI of the voice VLAN. Set the working mode of the voice VLAN. Add the interface to the voice VLAN.
Data Preparation
To complete the configuration, you need the following data: l l l Voice VLAN and VLAN through which the IP phone applies for an IP address: VLAN 2 and VLAN 6 OUI and mask: 0011-2200-0000 and ffff-ff00-0000 Default VLAN of GigabitEthernet1/0/1: VLAN 6
Procedure
Step 1 Create VLANs and configure the interface on the Switch. # Create VLAN 2 and VLAN 6.

# Configure the link type and default VLAN of the interface.

[Quidway] interface gigabitethernet 1/0/1 [Quidway-GigabitEthernet1/0/1] port hybrid pvid vlan 6 [Quidway-GigabitEthernet1/0/1] port hybrid untagged vlan 6 [Quidway-GigabitEthernet1/0/1] quit
Step 2 Configure the voice VLAN on the Switch. # Configure the voice VLAN on the interface.
[Quidway] interface gigabitethernet 1/0/1 [Quidway-GigabitEthernet1/0/1] voice-vlan 2 enable
# Set the mode of adding the interface to the voice VLAN to manual and add the interface to the voice VLAN.
[Quidway-GigabitEthernet1/0/1] voice-vlan mode manual [Quidway-GigabitEthernet1/0/1] port hybrid tagged vlan 2 [Quidway-GigabitEthernet1/0/1] quit
# Set the OUI of the voice VLAN.

[Quidway] voice-vlan mac-address 0011-2200-0000 mask ffff-ff00-0000
# Set the working mode of the voice VLAN.

[Quidway-GigabitEthernet1/0/1] voice-vlan security enable
Step 3 Verify the configuration. Run the display voice-vlan oui command to check whether the OUI of the voice VLAN is correct.
<Quidway> display voice-vlan oui --------------------------------------------------OuiAddress Mask Description --------------------------------------------------0011-2200-0000 ffff-ff00-0000
Run the display voice-vlan 2 status command to check whether the mode of adding the interface to the voice VLAN, working mode, and aging time of the voice VLAN are correct.
<Quidway> display voice-vlan 2 status Voice VLAN Configurations: --------------------------------------------------Voice VLAN ID : 2 Voice VLAN status : Enable Voice VLAN aging time : 1440 (minutes) Voice VLAN 8021p remark : 6 Voice VLAN dscp remark : 46 ---------------------------------------------------------Port Information: ----------------------------------------------------------Port Add-Mode Security-Mode Legacy ----------------------------------------------------------GigabitEthernet1/0/1 Manual Security Disable
----End
Configuration Files

# sysname Quidway # vlan batch 2 6 # voice-vlan mac-address 0011-2200-0000 mask ffff-ff00-0000 # interface GigabitEthernet1/0/1 port hybrid pvid vlan 6 port hybrid tagged vlan 2 port hybrid untagged vlan 6 voice-vlan 2 enable voice-vlan mode manual # return
3.12.14 Example for Configuring VLAN Transparent Transmission

In this example, a device at the convergence layer is deployed with VLAN transparent transmission. This allows VLAN data to be directly forwarded at the convergence layer without sending VLAN data to the CPU. This improves the performance of the device, and prevents attacks initiated by sending malicious data.
A company has multiple subsidiary companies. When the parent company attempts to communicate with a subsidiary company, data is processed by a core switch before being sent to the parent company or subsidiary company. If multiple subsidiary companies communicate with the parent company at the same time, processing capabilities of the core switch deteriorate. The communication efficiency is adversely affected and communication expenditure increases. VLAN transparent transport can be configured on the core switch to prevent this problem. As shown in Figure 3-23, After VLAN transparent transmission is enabled, theSwitch directly forwards data from the specified VLAN instead of sending the data to its CPU. This improves processing capabilities of the switch, reduces communication expenditure, and minimizes the probability of malicious attacks on the switch.
Issue 01 (2011-10-26)
164
Figure 3-23 Networking diagram of VLAN transparent transmission
Parent Company
AN f VL so ket Pac
GE1/0/2 Switch GE1/0/1 GE1/0/3 VLAN 10 SwitchA Eth0/0/1 GE0/0/1 Eth0/0/2
20
VLAN 20 SwitchB Eth0/0/2
GE0/0/1 Eth0/0/1
Sub Company 1
Sub Company 2
The configuration roadmap is as follows: 1. 2. 3. Create VLANs. Enable VLAN transparent transmission. Add Ethernet interfaces to VLANs.
Data Preparation
To complete the configuration, you need the following data: l l l l l VLAN 10 to which GE 1/0/1 of the Switch is added in tagged mode VLAN 20 to which GE 1/0/3 of the Switch is added in tagged mode VLAN 10 and VLAN 20 to which GE 1/0/2 of the Switch is added in tagged mode VLAN 10 and VLAN 20 to which uplink interfaces of SwitchA and SwitchB are added in tagged mode VLAN 10 and VLAN 20 to which downlink interfaces of SwitchA and SwitchB are added in default mode
Issue 01 (2011-10-26)
165
Procedure
# Enable VLAN transparent transmission.

[Quidway] vlan 20 [Quidway-vlan20] protocol-transparent
# Add interfaces to the VLANs.

[Quidway] interface gigabitethernet [Quidway-GigabitEthernet1/0/1] port [Quidway-GigabitEthernet1/0/1] quit [Quidway] interface gigabitethernet [Quidway-GigabitEthernet1/0/2] port [Quidway-GigabitEthernet1/0/2] quit [Quidway] interface gigabitethernet [Quidway-GigabitEthernet1/0/3] port [Quidway-GigabitEthernet1/0/3] quit 1/0/1 hybrid tagged vlan 10 1/0/2 hybrid tagged vlan 10 20 1/0/3 hybrid tagged vlan 20
Step 2 Configure SwitchA. # Create VLANs.

<Quidway> system-view [Quidway] vlan batch 10

[Quidway] interface gigabitethernet [Quidway-GigabitEthernet0/0/1] port [Quidway-GigabitEthernet0/0/1] quit [Quidway] interface ethernet 0/0/1 [Quidway-Ethernet0/0/1] port hybrid [Quidway-Ethernet0/0/1] port hybrid [Quidway-Ethernet0/0/1] quit [Quidway] interface ethernet 0/0/2 [Quidway-Ethernet0/0/2] port hybrid [Quidway-Ethernet0/0/2] port hybrid [Quidway-Ethernet0/0/2] quit 0/0/1 hybrid tagged vlan 10 pvid vlan 10 untagged vlan 10 pvid vlan 10 untagged vlan 10
Step 3 Configure SwitchB. # Create VLANs.

<Quidway> system-view [Quidway] vlan batch 20

[Quidway] interface gigabitethernet [Quidway-GigabitEthernet0/0/1] port [Quidway-GigabitEthernet0/0/1] quit [Quidway] interface ethernet 0/0/1 [Quidway-Ethernet0/0/1] port hybrid [Quidway-Ethernet0/0/1] port hybrid [Quidway-Ethernet0/0/1] quit [Quidway] interface ethernet 0/0/2 [Quidway-Ethernet0/0/1] port hybrid [Quidway-Ethernet0/0/2] port hybrid [Quidway-Ethernet0/0/2] quit 0/0/1 hybrid tagged vlan 20 pvid vlan 20 untagged vlan 20 pvid vlan 20 untagged vlan 20
Issue 01 (2011-10-26)
166
Step 4 Verify the configuration. After the configuration, run the display this command in the view of VLAN 20, and you can check whether VLAN transparent transmission is enabled.
[Quidway-Vlan20] display this # vlan 20 protocol-transparent # return
----End
Configuration Files
# sysname Quidway # vlan batch 10 20 # vlan 20 protocol-transparent # interface GigabitEthernet1/0/1 port hybrid tagged vlan 10 # interface GigabitEthernet1/0/2 port hybrid tagged vlan 10 20 # interface GigabitEthernet1/0/3 port hybrid tagged vlan 20 # return

# sysname Quidway # vlan batch 10 # interface Ethernet0/0/1 port hybrid pvid vlan 10 port hybrid untagged vlan 10 # interface Ethernet0/0/2 port hybrid pvid vlan 10 port hybrid untagged vlan 10 # interface GigabitEthernet0/0/1 port hybrid tagged vlan 10 # return

# sysname Quidway # vlan batch 20 # interface Ethernet0/0/1 port hybrid pvid vlan 20 port hybrid untagged vlan 20 #
Issue 01 (2011-10-26)
167

interface Ethernet0/0/2 port hybrid pvid vlan 20 port hybrid untagged vlan 20 # interface GigabitEthernet0/0/1 port hybrid tagged vlan 20 # return
Issue 01 (2011-10-26)
168
4 VLAN Mapping Configuration
4
About This Chapter
VLAN Mapping Configuration
This chapter describes the basic knowledge, methods, and examples for configuring VLAN mapping. 4.1 Introduction to VLAN Mapping This section describes the concept of VLAN mapping. 4.2 VLAN Mapping Features Supported by the S9300 This section describes VLAN mapping features supported by the S9300. 4.3 Configuring VLAN Mapping of Single VLAN Tag This section describes how to configure VLAN mapping of single VLAN tag. 4.4 Configuring VLAN Mapping of Double VLAN Tags This section describes how to configure mapping of double VLAN tags. 4.5 Configuring Flow-based VLAN Mapping This section describes how to configure flow-based VLAN mapping. 4.6 Configuring VLAN Mapping Based On the VLAN Priority This section describes how to configure VLAN mapping based on the VLAN priority. 4.7 Configuration Examples This section provides several examples of VLAN mapping configuration.
Issue 01 (2011-10-26)
169
4.1 Introduction to VLAN Mapping

This section describes the concept of VLAN mapping. VLAN Mapping is a process of mapping the customer VLAN to the carrier VLAN by replacing the inner and outer VLAN tags of data frames. In this manner, VLAN aggregation is realized, and services of customers can be transmitted according to the network planning of the carrier. The S9300 can process data frames in the following ways: l l l Replace the VLAN tag of a frame with a single tag. Replace both VLAN tags of a frame with double tags. Replace the VLAN outer tag of a frame with double tags.
4.2 VLAN Mapping Features Supported by the S9300

This section describes VLAN mapping features supported by the S9300. The S9300 supports the following VLAN mapping features: l l l l Single-tag and double-tag VLAN mapping based on the interface and VLAN Single-tag VLAN mapping based on the interface and 802.1p priority Single-tag VLAN mapping based on the interface, 802.1p priority, and VLAN Single-tag and double-tag VLAN mapping based on the traffic policy
For the commands related to VLAN mapping of single tag based on the traffic policy, see the Quidway S9300 Terabit Routing Switch Command Reference - QoS.
4.3 Configuring VLAN Mapping of Single VLAN Tag

This section describes how to configure VLAN mapping of single VLAN tag.

When two private networks in different VLANs communicate with each other through a public network, the user packets may carry the C-VLAN tag when reaching the ISP network. You can configure VLAN mapping on the edge device of the public network so that the VLANs of private networks are separated from VLANs of the public network. This saves VLAN resources of the public network.
Before configuring VLAN mapping, complete the following task: l
Issue 01 (2011-10-26)
Configuring VLANs
Data Preparation
To configure VLAN mapping, you need the following data. No. 1 2 Data VLAN ID before VLAN mapping VLAN ID after VLAN mapping
4.3.2 Replacing a Single Tag

Context
Do as follows on the S9300 where you need to configure single-tag VLAN mapping.
Procedure
Step 1 Run:
system-view


port link-type trunk
The link type of the interface is set. By default, the link type of an interface is hybrid. Step 4 Run:
port trunk allow-pass vlan vlan-id
The interface is added to the VLAN specified by map-vlan. Step 5 Run:

port vlan-mapping vlan vlan-id1 [ to vlan-id2 ] map-vlan vlan-id3 [ remark-8021p 8021p-value ]
Single-tag VLAN mapping is configured on the interface.

NOTE
l VLAN mapping can be configured only on a trunk or hybrid interface. In addition, the interface must be added to the VLAN specified by map-vlan. On S-series boards, the interface must be added to the VLAN specified by map-vlan in tagged mode. l Currently, only the E-series and F-series boards support N:1 VLAN mapping. The side with N VLANs must send packets first. l Limiting MAC address learning on an interface may affect the N:1 VLAN mapping on the interface.
----End

Procedure
l l Run the display vlan vlan-id command to check whether the interface is added to the translated local VLAN. Run the display current-configuration command to display information about the VLAN mapping of single VLAN tag on the interface. Run the preceding command, and you can obtain the following information: The interface is added to the translated local VLAN. The information about the VLAN mapping is correct. ----End
4.4 Configuring VLAN Mapping of Double VLAN Tags

This section describes how to configure mapping of double VLAN tags.

When two private networks in different VLANs communicate with each other through a public network, the user packets may carry one or two VLAN tags when arriving on the public network. You can configure VLAN mapping of double VLAN tags on the edge device of the public network so that the VLANs of private networks and public network can be separated. This saves VLAN resources of the public network. Compared with VLAN mapping of single VLAN tag, this function is more flexible and used in a wider scope.
l Before configuring double-tag VLAN mapping, configure VLANs.
Data Preparation
To configure double-tag VLAN mapping, you need the following data. No. 1 2 3 4 Data Outer VLAN ID before VLAN mapping Inner VLAN ID before VLAN mapping Outer VLAN ID after VLAN mapping Inner VLAN ID after VLAN mapping
Issue 01 (2011-10-26)
172
4.4.2 Replacing Double Tags

Context
Do as follows on the S9300 where you need to replace the double VLAN tags.
Procedure
Step 1 Run:
system-view


The link type of the interface is set to trunk. Step 4 Run:

The interface is added to the VLAN whose ID will replace the outer VLAN tag of frames. Step 5 Run:
port vlan-mapping vlan vlan-id1 inner-vlan vlan-id2 map-vlan vlan-id3 map-innervlan vlan-id4 [ remark-8021p 8021p-value ]
The double VLAN tags are replaced. Currently, only the E-series and F-series boards supports VLAN mapping of double tags. When the VLAN tags of a packet match both a single-tag VLAN mapping entry and a doubletag VLAN mapping entry, the double-tag VLAN mapping takes effect for the packet. ----End
4.4.3 Replacing the Outer VLAN Tag

Context
Do as follows on the S9300 where you need to replace the outer VLAN tags.
Procedure
Step 1 Run:
system-view

Issue 01 (2011-10-26)
173


The interface is added to the VLAN whose ID will replace the outer VLAN tag of frames. Step 5 Run:
port vlan-mapping vlan vlan-id1 inner-vlan vlan-id2 [ to vlan-id3 ] map-vlan vlanid4 [ remark-8021p 8021p-value ]
The outer VLAN tag is replaced.

NOTE
Currently, only the E-series and F-series boards supports VLAN mapping of double tags. VLAN mapping can be configured only on a trunk or hybrid interface. In addition, the interface must be added to the VLAN specified by map-vlan. On S-series boards, the interface must be added to the VLAN specified by map-vlan in tagged mode.
----End

Procedure
l l Run the display vlan vlan-id command to check whether the interface is added to the translated local VLAN. Run the display current-configuration command to display information about the mapping of double VLAN tags on the interface. Run the preceding command, and you can obtain the following information: The interface is added to the translated local VLAN. The information about the VLAN mapping is correct. ----End
4.5 Configuring Flow-based VLAN Mapping

This section describes how to configure flow-based VLAN mapping.

When two private networks in different VLANs communicate with each other through a public network, the user packets may carry one or two VLAN tags when reaching the ISP network. You can configure VLAN mapping of a single VLAN tag or double VLAN tags on the edge
device of the public network so that the VLANs of private networks and public network can be separated. This saves VLAN resources of the public network.
l Before configuring VLAN mapping, configure the VLANs.
Data Preparation
Before configuring VLAN mapping, you need the following data. No. 1 2 3 4 Data Outer VLAN ID before VLAN mapping Inner VLAN ID before VLAN mapping Outer VLAN ID after VLAN mapping Inner VLAN ID after VLAN mapping
4.5.2 Replacing a Single Tag

Context
Do as follows as the S9300 that needs to replace a single tag of packets.
Procedure
l Applying a traffic policy in the inbound direction of an interface 1. Run:
system-view

traffic classifier classifier-name1
A traffic classifier is created and the traffic classifier view is displayed. 3. Run:
if-match vlan-id vlan-id1
The packet matching rule, that is, the original VLAN ID of packets matching the classifier, is set. 4. Run:
quit
Return to the system view. 5. Run:

traffic behavior behavior-name1
A traffic behavior is created and the traffic behavior view is displayed.

6.
Run:
remark vlan-id vlan-id2
The S9300 is configured to replace the original VLAN ID of the packets matching the traffic classifier with the specified VLAN ID. 7. Run:
quit

traffic policy policy-name1
A traffic policy is created and the policy view is displayed. 9. Run:

classifier classifier-name1 behavior behavior-name1
The traffic classifier is bound to the traffic behavior in the traffic policy. 10. Run:
quit


The link type of the interface is set to trunk. 13. Run:

port trunk allow-pass vlan vlan-id2
The interface is added to the VLAN specified by the translated VLAN ID. 14. Run:
traffic-policy policy-name1 inbound
The traffic policy is applied in the inbound direction of the interface. l Applying a traffic policy in the outbound direction of an interface 1. Run:
system-view

traffic classifier classifier-name2
The packet matching rule, that is, the original VLAN ID of packets matching the classifier, is set. 4. Run:
quit
Issue 01 (2011-10-26)
176

A traffic behavior is created and the traffic behavior view is displayed. 6. Run:
The S9300 is configured to replace the original VLAN ID of the packets matching the traffic classifier with the specified VLAN ID. 7. Run:
quit


quit


traffic-policy policy-name2 outbound
The traffic policy is applied in the outbound direction of the interface. ----End
4.5.3 Replacing Double Tags

Context
Do as follows as the S9300 that needs to replace double tags of packets.
Procedure
system-view

traffic classifier classifier-name1 operator and
Issue 01 (2011-10-26)
177
The packet matching rule, that is, the outer VLAN ID of packets matching the classifier, is set. 4. Run:
if-match cvlan-id vlan-id2
The packet matching rule, that is, the inner VLAN IDs of packets matching the classifier, is set. 5. Run:
quit

The S9300 is configured to replace the outer VLAN ID of the packets matching the traffic classifier with the specified VLAN ID. 8. Run:
remark cvlan-id vlan-id4
The S9300 is configured to replace the inner VLAN ID of the packets matching the traffic behavior with the specified VLAN ID. 9. Run:
quit

The classifier is bound to the traffic behavior in the traffic policy. 12. Run:
quit


The link type of the interface is set to trunk.

15. Run:
The interface is added to the VLANs specified by the translated VLAN IDs. 16. Run:
system-view

quit

remark cvlan-id vlan-id2
The S9300 is configured to replace the inner VLAN ID of the packets matching the traffic classifier with the specified VLAN ID. 9. Run:
quit

A traffic policy is created and the policy view is displayed.

11. Run:
quit


4.5.4 Replacing the Outer VLAN Tag

Context
Do as follows as the S9300 that needs to replace the outer tags of packets.
Procedure
system-view

quit

Issue 01 (2011-10-26)
180
quit

The classifier is bound to the traffic behavior in the traffic policy. 11. Run:
quit

The interface view is displayed. 13. Run: port link-type trunk The link type of the interface is set to trunk. 14. Run:
The interface is added to the VLAN specified by the translated VLAN ID. 15. Run:
system-view

The packet matching rule, that is, the outer VLAN ID of packets matching the classifier, is set. 4.
Issue 01 (2011-10-26)
Run:

quit

quit

quit



Procedure
l Run the display current-configuration command to check the configuration of flow-based VLAN mapping.
----End
4.6 Configuring VLAN Mapping Based On the VLAN Priority

This section describes how to configure VLAN mapping based on the VLAN priority.

After VLAN mapping based on VLAN priorities is configured on a switch, the switch processes VLAN tags of packets flexibly according to the VLAN priorities of packets. In this way, communication of users with high priority is ensured.
Before configuring VLAN mapping based on the VLAN priority, complete the following task. l Configuring the VLAN
Data Preparation
To configure VLAN mapping based on the VLAN priority, you need the following data. No. 1 2 3 4 5 Data Numbers of the incoming interface and outgoing interface of packets VLAN ID and 802.1p priority of the incoming interface before VLAN mapping is configured VLAN ID and internal priority of the incoming interface after VLAN mapping is configured Internal priority of the outgoing interface before VLAN mapping is configured Internal priority of the outgoing interface after VLAN mapping is configured
4.6.2 Configuring VLAN Mapping Based on the VLAN Priority on the Incoming Interface
Procedure
Step 1 Run:
system-view

Issue 01 (2011-10-26)
183

port hybrid tagged vlan vlan-id
The interface is added to the VLAN specified by vlan-id. Step 4 Run the following commands as required. l To configure VLAN mapping based on the VLAN priority on the incoming interface, run port vlan-mapping 8021p 8021p-value map-vlan vlan-id. l To configure VLAN mapping based on the VLAN ID and VLAN priority on the incoming interface, run port vlan-mapping vlan vlan-id1 [ to vlan-id2 ] 8021p 8021p-value1 [ to 8021p-value2 ]map-vlan vlan-id3 [ remark-8021p 8021p-value3 ]. VLAN mapping based on the VLAN priority is supported only on the E-series and F-series boards. When incoming packets match both priority-based VLAN mapping and common VLAN mapping, VLAN mapping based on the VLAN priority takes effect for the incoming packets. If priority-based VLAN mapping and common VLAN mapping are configured with the same original VLAN IDs and if the priority of the translated VLAN is set in common VLAN mapping but not in priority-based VLAN mapping, the VLAN priority set in common VLAN mapping takes effect after VLAN mapping. ----End
4.6.3 (Optional) Configuring VLAN Priority Mapping on the Outbound Interface

Procedure
Step 1 Run:
system-view

diffserv domain ds-domain-name
A DiffServ domain is created and the DiffServ domain view is displayed. Step 3 Run:
8021p-outbound service-class color map 8021p-value
The internal priority of outgoing packets in a VLAN is mapped to the 802.1p priority on the interface of the DiffServ domain. Step 4 Run:
quit
Exit from the DiffServ domain view. Step 5 Run:


Step 6 Run:
The interface is added to the VLAN specified by vlan-id. Step 7 Run:

trust upstream ds-domain-name
The interface is bound to the DiffServ domain and the mapping in the DiffServ domain is applied to the interface. By default, the priority is not changed when the internal priority is mapped to the external priority. ----End

Procedure
l l Run the display this command in the view of the incoming interface to check the configuration of VLAN mapping based on the VLAN priority. Run the display this command in the view of the outgoing interface to check the configuration of VLAN mapping based on the VLAN priority.
----End

This section provides several examples of VLAN mapping configuration.
4.7.1 Example for Configuring Mapping of Single VLAN Tag

As shown in Figure 4-1, users in VLAN 6 need to communicate with users in VLAN 5 through VLAN 10 on the network.
Issue 01 (2011-10-26)
185
Figure 4-1 Networking diagram for configuring VLAN mapping of single VLAN tag
SwitchC GE1/0/1 SwitchA VLAN6 GE3/0/1 GE1/0/1 GE3/0/2
Network VLAN10
SwitchD GE1/0/1 SwitchB GE2/0/2 VLAN5 GE3/0/2
GE3/0/1
172.16.0.1/16 172.16.0.2/16 172.16.0.3/16
172.16.0.5/16 172.16.0.6/16 172.16.0.7/16
The configuration roadmap is as follows: 1. 2. 3. 4. Create VLANs on SwitchA, SwitchB, SwitchC, and SwitchD. Add interfaces of SwitchA, SwitchB, SwitchC, and SwitchD to the corresponding VLANs. Configure VLAN mapping of a single tag on GE 1/0/1 of SwitchA. Configure VLAN mapping of a single tag on GE 2/0/2 of SwitchB.
Data Preparation
To complete the configuration, you need the following data: l l l VLAN to be created on SwitchA: VLAN 6 VLAN to be created on SwitchB: VLAN 5 VLAN to be created on SwitchC and SwitchD: VLAN 10
Procedure
Step 1 Create VLANs on the Switches. # Create VLAN 6 on SwitchA.
<Quidway> system-view [Quidway] sysname SwitchA [SwitchA] vlan 6
# Create VLAN 5 on SwitchB.


<Quidway> system-view [Quidway] sysname SwitchB [SwitchB] vlan 5
# Create VLAN 10 on SwitchC.

<Quidway> system-view [Quidway] sysname SwitchC [SwitchC] vlan 10
# Create VLAN 10 on SwitchD.

<Quidway> system-view [Quidway] sysname SwitchD [SwitchD] vlan 10
Step 2 Add interfaces to VLANs. # Add GE 3/0/1 and GE 3/0/2 of SwitchA to VLAN 6.
[SwitchA] interface gigabitethernet [SwitchA-GigabitEthernet3/0/1] port [SwitchA-GigabitEthernet3/0/1] port [SwitchA-GigabitEthernet3/0/1] quit [SwitchA] interface gigabitethernet [SwitchA-GigabitEthernet3/0/2] port [SwitchA-GigabitEthernet3/0/2] port [SwitchA-GigabitEthernet3/0/2] quit 3/0/1 link-type trunk trunk allow-pass vlan 6 3/0/2 link-type trunk trunk allow-pass vlan 6
# Add GE 1/0/1 of SwitchA to VLAN 6.

[SwitchA] interface gigabitethernet 1/0/1 [SwitchA-GigabitEthernet1/0/1] port link-type trunk [SwitchA-GigabitEthernet1/0/1] port trunk allow-pass vlan 6 [SwitchA-GigabitEthernet1/0/1] quit
# Add GE 3/0/1 and GE 3/0/2 of SwitchB to VLAN 5.

[SwitchB] interface gigabitethernet [SwitchB-GigabitEthernet3/0/1] port [SwitchB-GigabitEthernet3/0/1] port [SwitchB-GigabitEthernet3/0/1] quit [SwitchB] interface gigabitethernet [SwitchB-GigabitEthernet3/0/2] port [SwitchB-GigabitEthernet3/0/2] port [SwitchB-GigabitEthernet3/0/2] quit 3/0/1 link-type trunk trunk allow-pass vlan 5 3/0/2 link-type trunk trunk allow-pass vlan 5
# Add GE 2/0/2 of SwitchB to VLAN 5.

[SwitchB] interface gigabitethernet 2/0/2 [SwitchB-GigabitEthernet2/0/2] port link-type trunk [SwitchB-GigabitEthernet2/0/2] port trunk allow-pass vlan 5 [SwitchB-GigabitEthernet2/0/2] quit
# Add GE 1/0/1 of SwitchC to VLAN 10.

[SwitchC] interface gigabitethernet 1/0/1 [SwitchC-GigabitEthernet1/0/1] port link-type trunk [SwitchC-GigabitEthernet1/0/1] port trunk allow-pass vlan 10 [SwitchC-GigabitEthernet1/0/1] quit
# Add GE 1/0/1 of SwitchD to VLAN 10.

[SwitchD] interface gigabitethernet 1/0/1 [SwitchD-GigabitEthernet1/0/1] port link-type trunk [SwitchD-GigabitEthernet1/0/1] port trunk allow-pass vlan 10 [SwitchD-GigabitEthernet1/0/1] quit
Step 3 Configure VLAN mapping of single tag on the Switches.

# Configure VLAN mapping of single tag on GE 1/0/1 of SwitchA.

[SwitchA-GigabitEthernet1/0/1] port vlan-mapping vlan 10 map-vlan 6
# Configure VLAN mapping of single tag on GE 2/0/2 of SwitchB.

[SwitchB-GigabitEthernet2/0/2] port vlan-mapping vlan 10 map-vlan 5
Step 4 Verify the configuration. Run the display vlan 6 command on SwitchA, and you can obtain the following information:
[SwitchA] display vlan 6 * : management-vlan --------------------VLAN ID Type Status MAC Learning Broadcast/Multicast/Unicast Property -------------------------------------------------------------------------------6 common enable enable forward forward forward default ---------------Tagged Port: GigabitEthernet1/0/1 GigabitEthernet3/0/2 ---------------QinQ-map Port: GigabitEthernet1/0/1 ---------------Interface Physical GigabitEthernet1/0/1 UP GigabitEthernet3/0/1 UP GigabitEthernet3/0/2 UP GigabitEthernet3/0/1
The hosts in VLAN 6 and the hosts in VLAN 5 can ping each other. ----End
Configuration Files
l
# sysname SwitchA # vlan batch 6 # interface GigabitEthernet1/0/1 port link-type trunk port trunk allow-pass vlan 6 port vlan-mapping vlan 10 map-vlan 6 # interface GigabitEthernet3/0/1 port link-type trunk port trunk allow-pass vlan 6 # interface GigabitEthernet3/0/2 port link-type trunk port trunk allow-pass vlan 6 # return
l
#
sysname SwitchB # vlan batch 5 # interface GigabitEthernet2/0/2 port link-type trunk port trunk allow-pass vlan 5 port vlan-mapping vlan 10 map-vlan 5
Issue 01 (2011-10-26)
188

# interface GigabitEthernet3/0/1 port link-type trunk port trunk allow-pass vlan 5 # interface GigabitEthernet3/0/2 port link-type trunk port trunk allow-pass vlan 5 # return
Configuration file of SwitchC
# sysname SwitchC # vlan batch 10 # interface GigabitEthernet1/0/1 port link-type trunk port trunk allow-pass vlan 10 # return
Configuration file of SwitchD
# sysname SwitchD # vlan batch 10 # interface GigabitEthernet1/0/1 port link-type trunk port trunk allow-pass vlan 10 # return
4.7.2 Example for Configuring N:1 VLAN Mapping

As shown in Figure 4-2, users in VLAN 100 to VLAN 200 connect to the Internet through the aggregate switch of the carrier, that is, the Switch.
Issue 01 (2011-10-26)
189
Figure 4-2 Networking diagram for configuring N:1 VLAN mapping
Internet
Switch VLAN100~200 SwitchA
GE1/0/0
SwitchB
SwitchC
SwitchD
SwitchE
The configuration roadmap is as follows: 1. 2. 3. Configure the VLANs before and after mapping. Add GE 1/0/0 of the Switch to the VLANs before and after mapping in tagged mode. Configure VLAN mapping on GE 1/0/0 of the Switch.
Data preparation
To complete the configuration, you need the following data: l l VLANs before mapping: VLAN 100 to VLAN 200 VLAN after mapping: VLAN 10
Procedure
<Quidway> system-view [Quidway] vlan batch 10 100 to 200
Issue 01 (2011-10-26)
190
# Add related GE 1/0/0 to the VLANs.

[Quidway] interface gigabitethernet 1/0/0 [Quidway-GigabitEthernet1/0/0] port hybrid tagged vlan 10 100 to 200
# Configure VLAN mapping on GE 1/0/0.

[Quidway-GigabitEthernet1/0/0] port vlan-mapping vlan 100 to 200 map-vlan 10 [Quidway-GigabitEthernet1/0/0] quit
Step 2 Verify the configuration. Users in VLAN 100 to VLAN 200 can connect to the Internet through the Switch. ----End
Configuration Files
# sysname Quidway # vlan batch 10 100 to 200 # interface GigabitEthernet1/0/0 port hybrid tagged vlan 10 100 to 200 port vlan-mapping vlan 100 to 200 map-vlan 10 # return
4.7.3 Example for Configuring Mapping of Double VLAN Tags (2 to 2)

As shown in Figure 4-3, outer VLAN ID 100 and inner VLAN ID 10 are assigned to Enterprise A; outer VLAN ID 200 and inner VLAN ID 20 are assigned to Enterprise B. Hosts in Enterprise A and Enterprise B communicate through the ISP network. Outer VLAN ID 300 and inner VLAN 30 are assigned to the ISP network. Figure 4-3 Networking diagram for configuring VLAN mapping of double VLAN tags
ISP Outer: VLAN 300 Inner: VLAN 30 SwitchC GE1/0/1 SwitchA Enterprise A Outer: VLAN 100 Inner: VLAN 10 GE1/0/1 SwitchD GE1/0/2 SwitchB GE1/0/2 Enterprise B Outer: VLAN 200 Inner: VLAN 20
Issue 01 (2011-10-26)
191
The configuration roadmap is as follows: 1. 2. 3. 4. Create outer VLANs on SwitchA, SwitchB, SwitchC, and SwitchD. Add interfaces of SwitchA, SwitchB, SwitchC, and SwitchD to the corresponding VLANs. Configure VLAN mapping of double tags on GE 1/0/1 of SwitchA. Configure VLAN mapping of double tags on GE 1/0/2 of SwitchA.
Data Preparation
Procedure



Step 2 Add interfaces to VLANs. # Add GE 1/0/1 of SwitchA to VLAN 100.

[SwitchA] interface gigabitethernet 1/0/1 [SwitchA-GigabitEthernet1/0/1] port link-type trunk [SwitchA-GigabitEthernet1/0/1] port trunk allow-pass vlan 100

[SwitchB] interface gigabitethernet 1/0/2 [SwitchB-GigabitEthernet1/0/2] port link-type trunk [SwitchB-GigabitEthernet1/0/2] port trunk allow-pass vlan 200

[SwitchC] interface gigabitethernet 1/0/1 [SwitchC-GigabitEthernet1/0/1] port link-type trunk [SwitchC-GigabitEthernet1/0/1] port trunk allow-pass vlan 300
# Add GE 1/0/2 on SwitchD to VLAN 300.

[SwitchD] interface gigabitethernet 1/0/2 [SwitchD-GigabitEthernet1/0/2] port link-type trunk [SwitchD-GigabitEthernet1/0/2] port trunk allow-pass vlan 300
Step 3 Configure VLAN mapping of double tags on the Switches. # Configure VLAN mapping of double tags on GE 1/0/1 of SwitchA.
<SwitchA> system-view [SwitchA] interface GigabitEthernet 1/0/1 [SwitchA-GigabitEthernet1/0/1] port vlan-mapping vlan 300 inner-vlan 30 map-vlan 100 map-inner-vlan 10
# Configure VLAN mapping of double tags on GE 1/0/2 of SwitchB.

<SwitchB> system-view [SwitchB] interface GigabitEthernet 1/0/2 [SwitchB-GigabitEthernet1/0/2] port vlan-mapping vlan 300 inner-vlan 30 map-vlan 200 map-inner-vlan 20
Step 4 Verify the configuration. The hosts in Enterprise A and the hosts in Enterprise B can communicate with each other. ----End
Configuration Files
# sysname SwitchA # vlan batch 100 # interface GigabitEthernet1/0/1 port link-type trunk port trunk allow-pass vlan 100 port vlan-mapping vlan 300 inner-vlan 30 map-vlan 100 map-inner-vlan 10 # return
# sysname SwitchB # vlan batch 200 # interface GigabitEthernet1/0/2 port link-type trunk port trunk allow-pass vlan 200 port vlan-mapping vlan 300 inner-vlan 30 map-vlan 200 map-inner-vlan 20 # return
# sysname SwitchC # vlan batch 300 # interface GigabitEthernet1/0/1 port link-type trunk
Issue 01 (2011-10-26)
193

port trunk allow-pass vlan 300 # return
4.7.4 Example for Configuring Flow-based VLAN Mapping

As shown in Figure 4-4, outer VLAN ID 100 and inner VLAN ID 10 are assigned Enterprise A; outer VLAN ID 200 and inner VLAN ID 20 are assigned to Enterprise B. Hosts in Enterprise A and Enterprise B communicate through the ISP network. Outer VLAN ID 300 and inner VLAN 30 assigned to the ISP network. Figure 4-4 Networking diagram for configuring flow-based VLAN mapping
ISP Outer: VLAN 300 Inner: VLAN 30 SwitchC GE1/0/1 SwitchA Enterprise A Outer: VLAN 100 Inner: VLAN 10 GE1/0/1 GE1/0/2 SwitchD GE1/0/2 SwitchB
Enterprise B Outer: VLAN 200 Inner: VLAN 20
Issue 01 (2011-10-26)
Create outer VLANs on SwitchA, SwitchB, SwitchC, and SwitchD. Create traffic classifiers, traffic behaviors, and traffic policies on SwitchA and SwitchB. Add interfaces of SwitchA, SwitchB, SwitchC, and SwitchD to the corresponding VLANs.
4. 5.
Configure flow-based VLAN mapping of double tags on GE 1/0/1 of SwitchA. Configure flow-based VLAN mapping of double tags on GE 1/0/2 of SwitchB.
Data Preparation
Procedure



Step 2 Add interfaces to VLANs. # Add GE 1/0/1 of SwitchA to VLAN 100.

[SwitchA] interface gigabitethernet 1/0/1 [SwitchA-GigabitEthernet1/0/1] port link-type trunk [SwitchA-GigabitEthernet1/0/1] port trunk allow-pass vlan 100

[SwitchB] interface gigabitethernet 1/0/2 [SwitchB-GigabitEthernet1/0/2] port link-type trunk [SwitchB-GigabitEthernet1/0/2] port trunk allow-pass vlan 200

[SwitchC] interface gigabitethernet 1/0/1 [SwitchC-GigabitEthernet1/0/1] port link-type trunk [SwitchC-GigabitEthernet1/0/1] port trunk allow-pass vlan 300
# Add GE 1/0/2 on SwitchD to VLAN 300.

[SwitchD] interface gigabitethernet 1/0/2 [SwitchD-GigabitEthernet1/0/2] port link-type trunk [SwitchD-GigabitEthernet1/0/2] port trunk allow-pass vlan 300
Issue 01 (2011-10-26)
195
Step 3 Configure traffic classifiers, traffic behaviors, and traffic policies. # On SwitchA, configure the traffic classifier, traffic behavior, and traffic policy applied in the inbound direction.
[SwitchA] traffic classifier name1 operator and [SwitchA-classifier-name1] if-match vlan-id 300 [SwitchA-classifier-name1] if-match cvlan-id 30 [SwitchA-classifier-name1] quit [SwitchA] traffic behavior name1 [SwitchA-behavior-name1] remark vlan-id 100 [SwitchA-behavior-name1] remark cvlan-id 10 [SwitchA-behavior-name1] quit [SwitchA] traffic policy name1 [SwitchA-trafficpolicy-name1] classifier name1 behavior name1
# On SwitchA, configure the traffic classifier, traffic behavior, and traffic policy applied in the outbound direction.
[SwitchA] traffic classifier name2 operator and [SwitchA-classifier-name2] if-match vlan-id 100 [SwitchA-classifier-name2] if-match cvlan-id 10 [SwitchA-classifier-name2] quit [SwitchA] traffic behavior name2 [SwitchA-behavior-name2] remark vlan-id 300 [SwitchA-behavior-name2] remark cvlan-id 30 [SwitchA-behavior-name2] quit [SwitchA] traffic policy name2 [SwitchA-trafficpolicy-name2] classifier name2 behavior name2
# On SwitchB, configure the traffic classifier, traffic behavior, and traffic policy applied in the inbound direction.
[SwitchB] traffic classifier name1 operator and [SwitchB-classifier-name1] if-match vlan-id 300 [SwitchB-classifier-name1] if-match cvlan-id 30 [SwitchB-classifier-name1] quit [SwitchB] traffic behavior name1 [SwitchB-behavior-name1] remark vlan-id 200 [SwitchB-behavior-name1] remark cvlan-id 20 [SwitchB-behavior-name1] quit [SwitchB] traffic policy name1 [SwitchB-trafficpolicy-name1] classifier name1 behavior name1
# On SwitchB, configure the traffic classifier, traffic behavior, and traffic policy applied in the outbound direction.
[SwitchB] traffic classifier name2 operator and [SwitchB-classifier-name2] if-match vlan-id 200 [SwitchB-classifier-name2] if-match cvlan-id 20 [SwitchB-classifier-name2] quit [SwitchB] traffic behavior name2 [SwitchB-behavior-name2] remark vlan-id 300 [SwitchB-behavior-name2] remark cvlan-id 30 [SwitchB-behavior-name2] quit [SwitchB] traffic policy name2 [SwitchB-trafficpolicy-name2] classifier name2 behavior name2
Step 4 Configure flow-based VLAN mapping of double tags on the Switches. # Configure flow-based VLAN mapping of double tags on GE 1/0/1 of SwitchA.
<SwitchA> system-view [SwitchA] interface GigabitEthernet 1/0/1 [SwitchA-GigabitEthernet1/0/1] traffic-policy name1 inbound [SwitchA-GigabitEthernet1/0/1] traffic-policy name2 outbound
# Configure flow-based VLAN mapping of double tags on GE 1/0/2 of SwitchB.

<SwitchB> system-view [SwitchB] interface GigabitEthernet 1/0/2 [SwitchB-GigabitEthernet1/0/2] traffic-policy name1 inbound [SwitchB-GigabitEthernet1/0/2] traffic-policy name2 outbound
Step 5 Verify the configuration. The hosts in Enterprise A and the hosts in Enterprise B can communicate with each other. ----End
Configuration Files
# sysname SwitchA # vlan batch 100 # traffic classifier name1 operator and precedence 5 if-match 1 vlan-id 300 if-match 2 cvlan-id 30 traffic classifier name2 operator and precedence 10 if-match 1 vlan-id 100 if-match 2 cvlan-id 10 # traffic behavior name1 remark vlan-id 100 remark cvlan-id 10 traffic behavior name2 remark vlan-id 300 remark cvlan-id 30 # traffic policy name1 classifier name1 behavior name1 traffic policy name2 classifier name2 behavior name2 # interface GigabitEthernet1/0/1 port link-type trunk port trunk allow-pass vlan 100 traffic-policy name1 inbound traffic-policy name2 outbound # return
# sysname SwitchB # vlan batch 200 # traffic classifier name1 operator and precedence 5 if-match 1 vlan-id 300 if-match 2 cvlan-id 30 traffic classifier name2 operator and precedence 10 if-match 1 vlan-id 200 if-match 2 cvlan-id 20 # traffic behavior name1 remark vlan-id 200 remark cvlan-id 20 traffic behavior name2 remark vlan-id 300 remark cvlan-id 30 # traffic policy name1 classifier name1 behavior name1
Issue 01 (2011-10-26)
197

traffic policy name2 classifier name2 behavior name2 # interface GigabitEthernet1/0/2 port link-type trunk port trunk allow-pass vlan 200 traffic-policy name1 inbound traffic-policy name2 outbound # return
# sysname SwitchC # vlan batch 300 # interface GigabitEthernet1/0/1 port link-type trunk port trunk allow-pass vlan 300 # return
Issue 01 (2011-10-26)
198
5 QinQ Configuration
5
About This Chapter
5.1 Concept of QinQ This section describes the concept of QinQ.
QinQ Configuration
This chapter describes the basic knowledge, methods, and examples for configuring QinQ.
5.2 QinQ Features Supported by the S9300 This section describes the QinQ features supported by the S9300. 5.3 Configuring QinQ on an Interface This section describes how to configure the interface type, the protocol used by the outer VLAN tag, and the interface-based QinQ. 5.4 Configuring Selective QinQ This section describes how to configure the interface type, the outer VLAN ID, and selective QinQ. 5.5 Configuring Flow-based Selective QinQ This section describes how to set the interface type, the packet matching rule, the outer VLAN tag added to received packets, and enable the traffic policy to implement flow-based selective QinQ. 5.6 Configuring VLAN Stacking Based On the VLAN Priority This section describes how to configure VLAN stacking based on the VLAN priority. 5.7 Setting the Protocol Type in the Outer VLAN Tag This section describes how to set the protocol type in the outer VLAN tag on an interface. 5.8 Adding Double VLAN Tags to Untagged Packets This section describes how to set the interface type, add an interface to the VLAN specified by the outer tag of packets, and add double VLAN tags to untagged packets. 5.9 Connecting Sub-interfaces to a VLL Network This section describes how to connect sub-interfaces of a PE to a VLL network so that CEs can communicate with each other. 5.10 Connecting Sub-interfaces to a VPLS Network
Issue 01 (2011-10-26)
199
This section describes how to connect sub-interfaces of a PE to a VPLS network so that CEs can communicate with each other. 5.11 Configuring a Sub-interface to Access an L3VPN This section describes how to configure a sub-interface to access an L3VPN on the PE so that user networks between the CEs can communicate with each other. 5.12 Configuration Examples This section provides several configuration examples of QinQ.
Issue 01 (2011-10-26)
200
5.1 Concept of QinQ

This section describes the concept of QinQ. The 802.1Q-in-802.1Q (QinQ) protocol is a Layer 2 tunneling protocol based on the IEEE 802.1Q technology. The frame transmitted on the public network has double 802.1Q tags. One is a public tag and the other is a private tag. It is called the QinQ protocol. The principle of QinQ is to encapsulate a private VLAN tag in a public VLAN tag; therefore, a packet traverses the backbone network of the Internet service provider (ISP) carrying double VLAN tags. By using the QinQ technology, the S9300 provides a simpler Layer 2 VPN tunnel for users.
5.2 QinQ Features Supported by the S9300

This section describes the QinQ features supported by the S9300.
Selective QinQ
The S9300 supports selective QinQ, which is extended on the basis of QinQ. Selective QinQ enables an interface to add the outer VLAN tags with different public VLAN IDs to frames according to the private VLAN IDs in the inner VLAN tags. This can differentiate various types of users. The S9300 not only supports selective QinQ based on the interface and VLAN, but also supports flow-based selective QinQ, 802.1p-based selective QinQ, and selective QinQ for untagged packets. For the commands related to flow-based selective QinQ, see the Quidway S9300 Terabit Routing Switch Command Reference - QoS.
Protocols Used by Outer VLAN Tags

The protocols applied to outer VLAN tags vary according to the vendors. To interwork with non-Huawei devices, the S9300 supports the selective setting of the protocols used by the outer VLAN tags.
Access to VLL, VPLS, and L3VPN Through Different Sub-interfaces

You can choose to access the VLL, VPLS, or L3VPN through different types of sub-interfaces according to the networking. Currently, only the E-series and F-series boards support sub-interfaces.
5.3 Configuring QinQ on an Interface

This section describes how to configure the interface type, the protocol used by the outer VLAN tag, and the interface-based QinQ.

To separate the private network from the public network and save VLAN resources, you can configure double 802.1q tags on a QinQ interface provided by the S9300. The inner VLAN tag of the private network is distributed for the internal network such as the intranet; the outer VLAN tag of the public network is distributed for the external network such as the ISP's network. In this way, a maximum of 4094 x 4094 VLAN tags are provided to enable transparent transmission of the packets from different private network users with the same VLAN ID.
None
Data Preparation
To configure QinQ on the interface, you need the following data. No. 1 2 3 Data Number of the QinQ interface (Optional) Protocol used by the outer VLAN tag Outer VLAN ID
5.3.2 Setting the Link Type of an Interface

Context
Do as follows on the S9300 to be configured with interface QinQ.
Procedure
Step 1 Run:
system-view


port link-type dot1q-tunnel
The link type of the interface is set to dot1q-tunnel. By default, the link type of an interface is hybrid. Dot1q-tunnel interfaces do not support Layer 2 multicast. ----End
5.3.3 Specifying the Outer VLAN ID

Context
Do as follows on the S9300 to be configured with interface QinQ.
Procedure
Step 1 Run:
system-view

vlan vlan-id
The VLAN is created. Step 3 Run:

quit


port default vlan vlan-id
The VLAN ID (default VLAN) of the outer VLAN tag is set. ----End

Procedure
l Run the display current-configuration interface interface-type interface-number command to display the QinQ configuration on the interface.
----End
5.4 Configuring Selective QinQ

This section describes how to configure the interface type, the outer VLAN ID, and selective QinQ.

To enable users to communicate through the ISP network, user packets are added an outer VLAN tag.
None
Data Preparation
To configure selective QinQ, you need the following data. No. 1 2 3 Data Number of the interface to be configured with selective QinQ Inner VLAN ID Outer VLAN ID

Context
Do as follows on the S9300 to be configured with selective QinQ:
Procedure
Step 1 Run:
system-view


port link-type hybrid
The link type of the interface is set to hybrid. By default, the link type of an interface is hybrid. ----End
5.4.3 Adding an Outer VLAN Tag

Context
Do as follows on the S9300 where you need to configure selective QinQ.
Procedure
Step 1 Run:
system-view


port hybrid untagged vlan vlan-id
The interface is added to the stacked VLAN in untagged mode. The stacked outer VLAN must a VLAN existing on the S9300, but the VLANs before VLAN stacking do not need to be created on the S9300. ----End
5.4.4 Configuring Selective QinQ

Context
An interface learns the MAC address from the outer VLAN tag of a QinQ packet.
Procedure
Step 1 Run:
system-view


port vlan-stacking vlan vlan-id1 [ to vlan-id2 ] stack-vlan vlan-id3 [ remark-8021p 8021p-value ]
The selective QinQ is configured. The meanings of the parameters are as follows: l vlan-id1 [ to vlan-id2 ] specifies the C-VLAN IDs of packets to which you need to add an outer VLAN tag. l stack-vlan vlan-id3 specifies the VLAN ID in the outer VLAN tag to be added. l [ remark-8021p 8021p-value ] specifies the internal priority in the stacked outer VLAN tag. By default, the priority in the stacked outer VLAN tag is 0 on an SA board, and is the same as the priority in the inner VLAN tag on other boards.

NOTE
Selective QinQ can also be configured by using the vlan-switch vlan-switch-name interface interfacetype interface-number vlan vlan-id1 [ to vlan-id2 ] interface interface-type interface-number [ stackvlan vlan-id3 ] command in the system view. This command configures the S9300 to add an outer VLAN tag to packets on the specified inbound interface.
----End

Procedure
l Run the display current-configuration interface interface-type interface-number command to display the selective QinQ configuration on the interface.
----End
5.5 Configuring Flow-based Selective QinQ

This section describes how to set the interface type, the packet matching rule, the outer VLAN tag added to received packets, and enable the traffic policy to implement flow-based selective QinQ.

To enable users to communicate through the ISP network, the ISP devices need to add outer VLAN tags to the packets passing through the ISP network to identify the packets from different user networks. Flow-based selective QinQ implements the same function as common selective QinQ (VLAN stacking). You can choose either of them according to your preference.
None.
Data Preparation
To configure flow-based selective QinQ, you need the following data. No. 1 2 3 Data Number of the interface where selective QinQ is to be configured VLAN IDs in the inner VLAN tag VLAN IDs in the outer VLAN tag
Issue 01 (2011-10-26)
206

Context
Procedure
Step 1 Run:
system-view


The type of the interface is set to hybrid. By default, the interface type is hybrid. ----End
5.5.3 Setting the Packet Matching Rule

Context
Procedure
Step 1 Run:
system-view

traffic classifier classifier-name
A traffic classifier is created and the traffic classifier view is displayed. Step 3 Run:
if-match vlan-id start-vlan-id [ to end-vlan-id ]
The packet matching rule, that is, the range of VLAN IDs of packets matching the classifier, is set. ----End
5.5.4 Adding an Outer VLAN Tag

Context
Procedure
Step 1 Run:
system-view

traffic behavior behavior-name
A traffic behavior is created and the traffic behavior view is displayed. Step 3 Run:
nest top-most vlan-id vlan-id
The S9300 is configured to add an outer VLAN tag with the specified VLAN ID to the packets matching the traffic classifier. You must specify an existing VLAN ID on the S9300 in this command. You do not need to create the VLANs specified by the original VLAN tags of received packets. ----End
5.5.5 Configuring a Traffic Policy

Context
Procedure
Step 1 Run:
system-view

traffic policy policy-name
A traffic policy is created and the policy view is displayed. Step 3 Run:
classifier classifier-name behavior behavior-name
The traffic classifier is bound to the traffic behavior in the traffic policy. ----End
5.5.6 Applying the Traffic Policy

Context
Procedure
Step 1 Run:
system-view


traffic-policy policy-name inbound
The traffic policy is applied in the inbound direction of the interface. ----End

Procedure
Step 1 Run the display current-configuration command to check the configuration of flow-based selective QinQ. ----End
5.6 Configuring VLAN Stacking Based On the VLAN Priority

This section describes how to configure VLAN stacking based on the VLAN priority.

By configuring VLAN stacking based on the VLAN priority, the outer VLAN tag and the priority in the outer VLAN tag are added to the packets passing through the S9300.
Before configuring VLAN stacking based on the VLAN priority, complete the following task. l Configuring the VLAN
Data Preparation
To configure VLAN stacking based on the VLAN priority, you need the following data.
No. 1 2 3 4 5
Data Number of the incoming interface and outgoing interface of packets VLAN ID and 802.1p priority of the incoming interface before VLAN stacking is configured VLAN ID and internal priority of the incoming interface after VLAN stacking is configured Internal priority of the outgoing interface before VLAN mapping is configured 802.1p priority of the outgoing interface before VLAN mapping is configured
5.6.2 Configuring VLAN Stacking Based on the VLAN Priority on the Incoming Interface
Procedure
Step 1 Run:
system-view


The interface is added to the VLAN specified by vlan-id. Step 4 Run the following commands as required. l To configure VLAN stacking based on the VLAN priority on the incoming interface, run port vlan-stacking 8021p 8021p-value stack-vlan vlan-id. l To configure VLAN stacking based on the VLAN ID and VLAN priority on the incoming interface, run port vlan-stacking vlan vlan-id1 [ to vlan-id2 ] 8021p 8021p-value1 [ to 8021p-value2 ]stack-vlan vlan-id3 [ remark-8021p 8021p-value3 ]. VLAN stacking based on the VLAN priority is supported only on the E-series and F-series boards. ----End
5.6.3 (Optional) Configuring VLAN Priority Mapping on the Outbound Interface

Procedure
Step 1 Run:

system-view

diffserv domain ds-domain-name
A DiffServ domain is created and the DiffServ domain view is displayed. Step 3 Run:
8021p-outbound service-class color map 8021p-value
The internal priority of outgoing packets in a VLAN is mapped to the 802.1p priority on the interface of the DiffServ domain. Step 4 Run:
quit
Exit from the DiffServ domain view. Step 5 Run:


The interface is added to the VLAN specified by vlan-id. Step 7 Run:

trust upstream ds-domain-name
The interface is bound to the DiffServ domain and the mapping in the DiffServ domain is applied to the interface. By default, the priority is not changed when the internal priority is mapped to the external priority. ----End

Procedure
l l Run the display this command in the view of the incoming interface to check the configuration of VLAN stacking based on the VLAN priority. Run the display this command in the view of the outgoing interface to check the configuration of VLAN stacking based on the VLAN priority.
----End
5.7 Setting the Protocol Type in the Outer VLAN Tag

This section describes how to set the protocol type in the outer VLAN tag on an interface.

To enable the S9300 to communicate with devices of other vendors, you need to set a protocol type that can be identified by the peer device in the outer VLAN tag.
None.
Data Preparation
To set the protocol type in the outer VLAN tag, you need the following data. No. 1 2 Data Interface number Protocol type in the outer VLAN tag
5.7.2 Configuring the Type of an Interface

Context
Do as follows on the S9300 where you need to set the protocol type in the outer VLAN tag.
Procedure
Step 1 Run:
system-view


port link-type { hybrid | trunk | access }
The interface type is configured. By default, the interface type is hybrid. ----End
5.7.3 Setting the Protocol Type in the Outer VLAN Tag

Context
Do as follows on the S9300 where you need to set the protocol type in the outer VLAN tag.
Procedure
Step 1 Run:
system-view


qinq protocol protocol-id
The protocol type of the outer VLAN tag is set. The qinq protocol command cannot be used on a QinQ interface. The qinq protocol command is used to identify incoming frames and add or change TPID for outgoing frames. By default, the protocol type in the outer VLAN tag is 0x8100.
NOTE
l To implement the connectivity between the devices of different vendors, the protocol type in the outer VLAN tag must be identified by the peer device. l The protocol IDs set by the qinq protocol command cannot be the same as well-known protocol IDs. Otherwise, the interface cannot distinguish packets of these protocols. For example, protocol-id cannot be set to 0x0806, which is the ARP protocol ID.
----End

Procedure
Step 1 Run the display current-configuration interface interface-type interface-number command to display protocol type in the outer VLAN tag set on an interface. ----End
5.8 Adding Double VLAN Tags to Untagged Packets

This section describes how to set the interface type, add an interface to the VLAN specified by the outer tag of packets, and add double VLAN tags to untagged packets.
Issue 01 (2011-10-26)
213
The S9300 forwards packets according to the outer VLAN tags of packets and distinguishes packets of different services according to the inner tags of packets. Therefore, an untagged packet must be added double VLAN tags.
None.
Data Preparation
To add double VLAN tags to untagged packets, you need to the following data. No. 1 2 Data Interface number Inner VLAN ID and outer VLAN ID
5.8.2 Setting the Interface Type

Context
Do as follows on the S9300 that needs to add double VLAN tags to untagged packets.
Procedure
Step 1 Run:
system-view


The type of the interface is set to hybrid. By default, the interface type is hybrid. Only a hybrid or trunk interface can add double VLAN tags to untagged packets. ----End
5.8.3 Adding an Interface to the Outer VLAN

Context
Procedure
Step 1 Run:
system-view

vlan vlan-id
The outer VLAN is created. Step 3 Run:


The interface is added to the outer VLAN. ----End
5.8.4 Adding Double VLAN Tags to Untagged Packets

Context
Procedure
Step 1 Run:
system-view


port vlan-stacking untagged stack-vlan vlan-id1 stack-inner-vlan vlan-id2
The interface is configured to add double VLAN tags to untagged packets. If the PVID of an interface is not the default value VLAN 1, you need to cancel the setting of the PVID, and then run the port vlan-stacking untagged command.
Currently, only the E-series and F-series boards supports the port vlan-stacking untagged command. In addition, the command cannot be used on an interface enabled with MAC addressbased VLAN. ----End

Procedure
Step 1 Run the display current-configuration interface interface-type interface-number command to display protocol type in the outer VLAN tag set on an interface. ----End
5.9 Connecting Sub-interfaces to a VLL Network

This section describes how to connect sub-interfaces of a PE to a VLL network so that CEs can communicate with each other.

A CE accesses the ISP network through PEs. The user data packets sent from the CE to a PE contain one or two tags. You need to connect the sub-interfaces on the PEs to a VLL network to enable CEs to communicate with each other.
Before connecting sub-interfaces to a VLL network, complete the following tasks: l l Connecting network devices properly Configuring the VLAN of the CE and the basic Layer 2 forwarding function to ensure that the packets sent from the CE to the PE contain one or two tags
Data Preparation
To connect sub-interfaces to a VLL network, you need the following data. No. 1 2 3 4 5
Issue 01 (2011-10-26)
Data Names of the PE interfaces connected to the CEs IP addresses of interfaces L2VC IDs at both ends of the PW (must be the same) MPLS LSR-IDs of the PE and P Peer IP address of each PE
No. 6
Data Control VLAN ID, and type and number of each sub-interface
NOTE
You can perform any of the following configurations on a sub-interface as required.
5.9.2 Configuring a Dot1q Sub-interface

Procedure
Step 1 Run:
system-view

The view of the PE sub-interface connected to the CE is displayed. Step 3 Run:

control-vid vid dot1q-termination
dot1q termination vid low-pe-vid [ to high-pe-vid ]
The VLANs whose packets are allowed to pass through the dot1q sub-interface are specified. ----End
5.9.3 Configuring a QinQ Sub-interface

Procedure
Step 1 Run:
system-view


control-vid vid qinq-termination
qinq termination pe-vid pe-vid ce-vid ce-vid1 [ to ce-vid2 ]
Issue 01 (2011-10-26)
217
The VLANs whose packets are allowed to pass through the QinQ sub-interface are specified. ----End
5.9.4 Configuring VLAN Mapping of a Single Tag on a Subinterface

Procedure
Step 1 Run:
system-view


qinq mapping vid vlan-id1 [ to vlan-id2 ] map-vlan vid vlan-id3
VLAN mapping of a single tag is configured on the sub-interface. ----End
5.9.5 Configuring VLAN Mapping of Double Tags on a Subinterface

Procedure
Step 1 Run:
system-view


qinq mapping pe-vid vlan-id1 ce-vid vlan-id2 [ to vlan-id3 ] map-vlan vid vlan-id4
VLAN mapping of double tags is configured on the sub-interface. ----End
5.9.6 Configuring VLAN Stacking on a Sub-interface

Procedure
Step 1 Run:
system-view
Issue 01 (2011-10-26)
218


qinq stacking vid vlan-id1 [ to vlan-id2 ] pe-vid vlan-id3
VLAN stacking is configured on the sub-interface. ----End
5.9.7 Creating a VLL Connection

You need to create VLL connections on the CE, PE, and P.For details, see "VLL Configuration" in the Quidway S9300 Terabit Routing Switch Configuration Guide - VPN. You can create the following types of VLL connections on a sub-interface: l l l l SVC remote connection Kompella local connection Kompella remote connection Martini remote connection

Procedure
l Run the display dot1q information termination [ interface interface-type interfacenumber [.subinterface-number ] ] command to check information about a dot1q subinterface. Run the display qinq information termination [ interface interface-type interfacenumber [.subinterface-number ] ] command to check information about a QinQ subinterface. Run the display vll ccc [ ccc-name | type { local | remote } ] command to check information about a CCC connection. Run the display mpls static-l2vc command to check information about an SVC L2VPN VC. Run the display mpls l2vc command on the PE to check information about the Martini VLL on the local PE. Run the display mpls l2vc remote-info command on the PE to check information about the Martini VLL on the remote PE.
l l l l
----End
5.10 Connecting Sub-interfaces to a VPLS Network

This section describes how to connect sub-interfaces of a PE to a VPLS network so that CEs can communicate with each other.
Issue 01 (2011-10-26)
219

A CE accesses the ISP network through PEs. The user data packets sent by the CE to a PE contain one or two tags. You need to connect the sub-interfaces on the PEs to a VPLS network to enable CEs to communicate with each other.
Before connecting sub-interfaces to a VPLS network, complete the following tasks: l l Connecting the network devices properly Configuring the VLAN of the CE and the basic Layer 2 forwarding function to ensure that the packets sent from the CE to the PE contain one or two tags
Data Preparation
To connect sub-interfaces to a VPLS network, you need the following data. No. 1 2 3 4 5 6 Data Names of the PE interfaces connected to the CEs IP addresses of interfaces VSI IDs on PEs (must be the same) MPLS LSR-IDs of the PE and P VSI names on PE1, PE2, and PE3 Name and number of the interface to which a VSI is bound
NOTE

Procedure
Step 1 Run:
system-view


control-vid vid dot1q-termination
Issue 01 (2011-10-26)
220
dot1q termination vid low-pe-vid [ to high-pe-vid ]
The VLANs whose packets are allowed to pass through the dot1q sub-interface are specified. ----End

Procedure
Step 1 Run:
system-view

The view of the PE sub-interface connected to the CE is displayed. Step 3 Run:control-vid vid qinq-terminationThe control VLAN ID and encapsulation mode of the sub-interface are set. Step 4 Run:
qinq termination pe-vid pe-vid ce-vid ce-vid1 [ to ce-vid2 ]
The VLANs whose packets are allowed to pass through the QinQ sub-interface are specified. ----End
5.10.4 Configuring VLAN Mapping of a Single Tag on a Subinterface

Procedure
Step 1 Run:
system-view


qinq mapping vid vlan-id1 [ to vlan-id2 ] map-vlan vid vlan-id3
VLAN mapping of a single tag is configured on the sub-interface. ----End

5.10.5 Configuring VLAN Mapping of Double Tags on a Subinterface

Procedure
Step 1 Run:
system-view


qinq mapping pe-vid vlan-id1 ce-vid vlan-id2 [ to vlan-id3 ] map-vlan vid vlan-id4
VLAN mapping of double tags is configured on the sub-interface. ----End
5.10.6 Configuring VLAN Stacking on a Sub-interface

Procedure
Step 1 Run:
system-view


qinq stacking vid vlan-id1 [ to vlan-id2 ] pe-vid vlan-id3
VLAN stacking is configured on the sub-interface. ----End
5.10.7 Configuring VPLS

You need to configure the VPLS function on the CE, PE, and P. For details, see "VPLS Configuration" in the Quidway S9300 Terabit Routing Switch Configuration Guide - VPN. When configuring VPLS, you can adopt Martini VPLS or Kompella VPLS.
Issue 01 (2011-10-26)
222

Procedure
l Run the display dot1q information termination [ interface interface-type interfacenumber [.subinterface-number ] ] command to check information about a dot1q subinterface. Run the display qinq information termination [ interface interface-type interfacenumber [.subinterface-number ] ] command to check information about a QinQ subinterface. Run the display vsi [ name vsi-name ] [ verbose ] command to check information about a VSI.
----End
5.11 Configuring a Sub-interface to Access an L3VPN

This section describes how to configure a sub-interface to access an L3VPN on the PE so that user networks between the CEs can communicate with each other.

CEs access the ISP network through PEs. The user data packets sent by the CEs to the PEs carry one or two tags. You need to configure the sub-interface to access an L3VPN on the PEs so that the user networks between the CEs can communicate with each other.
Before configuring a sub-interface to access an L3VPN, complete the following tasks: l l Connecting devices properly Configuring the VLAN that the CEs belong to and basic Layer 2 forwarding functions to ensure that the packets sent from the CEs to the PEs carry one or two tags
Data Preparation
To configure a sub-interface to access an L3VPN, you need the following data. No. 1 2 3 4 5
Issue 01 (2011-10-26)
Data Names of the PE interfaces connected to the CEs IP addresses of interfaces VSI names on PE1 and PE2 RD and VPN target of the VPN instance Control VLAN ID, and name and number of the sub-interface
No. 6
Data Interface that is bound to the VPN instance
NOTE

Context
Do as follows on the PE.
Procedure
Step 1 Run:
system-view


ip binding vpn-instance vpn-instance-name
The sub-interface is bound to the VPN instance. Step 4 Run:

ip address ip-address { mask | mask-length }
The IP address of the sub-interface is configured. Step 5 Run:

control-vid vid dot1q-termination rt-protocol
The VLAN ID and encapsulation mode of the sub-interface are configured. Step 6 Run:
dot1q termination vid vid
The VLAN whose packets can pass through the dot1q sub-interface is configured. When a sub-interface is connected to an L3VPN, you cannot specify multiple VLANs in the command. Step 7 Run:
The ARP broadcast function is enabled on the sub-interface.

When you enable or disable the ARP broadcast function on a sub-interface, the routing status of the sub-interface becomes Down and then Up. This may result in flapping of routes on the entire network, affecting the normal operation of services. ----End

Context
Do as follows on the PE.
Procedure
Step 1 Run:
system-view


ip binding vpn-instance vpn-instance-name
The sub-interface is bound to the VPN instance. Step 4 Run:

ip address ip-address { mask | mask-length }
The IP address of the sub-interface is configured. Step 5 Run:

control-vid vid qinq-termination rt-protocol
The VLAN ID and encapsulation mode of the sub-interface are configured. Step 6 Run:
qinq termination pe-vid pe-vid ce-vid ce-vid
The VLAN whose packets can pass through the QinQ sub-interface is configured. When a sub-interface is connected to an L3VPN, you cannot specify multiple VLANs in the command. Step 7 Run:
The ARP broadcast function is enabled on the sub-interface. When you enable or disable the ARP broadcast function on a sub-interface, the routing status of the sub-interface becomes Down and then Up. This may result in flapping of routes on the entire network, affecting the normal operation of services. ----End
5.11.4 Configuring L3VPN

Configure L3VPN on the CE, PE, and P. For details, see BGP/MPLS IP VPN Configuration in the Quidway S9300 Terabit Routing Switch Configuration Guide - VPN.

Procedure
l Run the display dot1q information termination [ interface interface-type interfacenumber [.subinterface-number ] ] command to check information about the sub-interface with the encapsulation mode as dot1q. Run the display qinq information termination [ interface interface-type interfacenumber [.subinterface-number ] ] command to check information about the sub-interface with the encapsulation mode as QinQ. Run the display ip vpn-instance verbose [ vpn-instance-name ] command to check information about the VPN instance.
----End

This section provides several configuration examples of QinQ.
5.12.1 Example for Configuring QinQ on Interfaces

As shown in Figure 5-1, there are two enterprises on the network, namely, Enterprise 1 and Enterprise 2. Enterprise 1 has two office locations; Enterprise 2 has three office locations. The office locations of the two enterprises access SwitchG or SwitchF of the ISP network. The network of Enterprise 1 is divided into VLAN 1000 to VLAN 1500; the network of Enterprise 2 is divided into VLAN 2000 to VLAN 3000. It is required that employees in the same VLAN can communicate with each other through the ISP network but the two enterprises are isolated from each other.
Issue 01 (2011-10-26)
226
Figure 5-1 Networking diagram for configuring QinQ on interfaces

Enterprise 2 GE1/0/1 SwitchG GE2/0/1 GE3/0/1 GE4/0/1 SwitchF GE1/0/1 VLAN2000 VLAN3000 GE2/0/1 GE3/0/1 VLAN2000 VLAN3000 Enterprise 2
VLAN1000 VLAN1500 Enterprise 1
VLAN2000
VLAN3000
VLAN1000
VLAN1500
Enterprise 2
Enterprise1
The configuration roadmap is as follows: 1. 2. 3. 4. Create VLAN 10 and VLAN 20 on SwitchF; create VLAN 20 on SwitchG. Configure GE 1/0/1, GE 2/0/1, and GE 3/0/1 of SwitchF as QinQ interfaces. Configure GE 1/0/1 and GE 2/0/1 of SwitchG as QinQ interfaces. Add GE 4/0/1 of SwitchF and GE 3/0/1 of SwitchG to VLAN 20 in tagged mode.
Data Preparation
To complete the configuration, you need the following data: l l VLAN 10 assigned to Enterprise 1 on the ISP network VLAN 20 assigned to Enterprise 2 on the ISP network.
Procedure
Step 1 Create VLANs. # Create VLAN 10 and VLAN 20 on SwitchF.

<Quidway> system-view [Quidway] sysname SwitchF [SwitchF] vlan batch 10 20
# Create VLAN 20 on SwitchG.

<Quidway> system-view [Quidway] sysname SwitchG [SwitchG] vlan 20
Step 2 Configure the interfaces as QinQ interfaces. # Configure GE 1/0/1, GE 2/0/1, and GE 3/0/1 of SwitchF as QinQ interfaces. Set the VLAN ID of the outer VLAN tag added by GE 1/0/1 and GE 3/0/1/ to VLAN 10; set the VLAN ID of the outer VLAN tag added by GE 2/0/1 to VLAN 20.
[SwitchF] interface gigabitethernet [SwitchF-GigabitEthernet1/0/1] port [SwitchF-GigabitEthernet1/0/1] port [SwitchF-GigabitEthernet1/0/1] quit [SwitchF] interface gigabitethernet [SwitchF-GigabitEthernet2/0/1] port [SwitchF-GigabitEthernet2/0/1] port [SwitchF-GigabitEthernet2/0/1] quit [SwitchF] interface gigabitethernet [SwitchF-GigabitEthernet3/0/1] port [SwitchF-GigabitEthernet3/0/1] port [SwitchF-GigabitEthernet3/0/1] quit 1/0/1 link-type dot1q-tunnel default vlan 10 2/0/1 link-type dot1q-tunnel default vlan 20 3/0/1 link-type dot1q-tunnel default vlan 10
# Set GE 1/0/1 and GE 2/0/1 of SwitchG as QinQ interfaces; set the VLAN ID of the outer VLAN tags added by GE 1/0/1 and GE 2/0/1/ to VLAN 20.
[SwitchG] interface gigabitethernet [SwitchG-GigabitEthernet1/0/1] port [SwitchG-GigabitEthernet1/0/1] port [SwitchG-GigabitEthernet1/0/1] quit [SwitchG] interface gigabitethernet [SwitchG-GigabitEthernet2/0/1] port [SwitchG-GigabitEthernet2/0/1] port [SwitchG-GigabitEthernet2/0/1] quit 1/0/1 link-type dot1q-tunnel default vlan 20 2/0/1 link-type dot1q-tunnel default vlan 20
Step 3 Configure other interfaces. # Add GE 4/0/1 of SwitchF to VLAN 20.

[SwitchF] interface gigabitethernet 4/0/1 [SwitchF-GigabitEthernet4/0/1] port link-type trunk [SwitchF-GigabitEthernet4/0/1] port trunk allow-pass vlan 20 [SwitchF-GigabitEthernet4/0/1] quit
# Add GE 3/0/1 of SwitchG to VLAN 20.

[SwitchG] interface gigabitethernet 3/0/1 [SwitchG-GigabitEthernet3/0/1] port link-type trunk [SwitchG-GigabitEthernet3/0/1] port trunk allow-pass vlan 20 [SwitchG-GigabitEthernet3/0/1] quit
Step 4 Verify the configuration. Ping a remote host on the same VLAN in another office location of Enterprise 1 from a host of Enterprise 1. If it can ping the remote host, hosts in different locations of Enterprise 1 can communicate with each other. Ping a remote host on the same VLAN in another office location of Enterprise 2 from a host of Enterprise 2. If it can ping the remote host, hosts in different locations of Enterprise 2 can communicate with each other.
Ping a host of Enterprise 2 from a host in any office location of Enterprise 1. If it fails to ping the host of Enterprise 2, the two enterprises are isolated from each other. ----End
Configuration Files
The following lists the configuration files of the Switch. l Configuration file of SwitchF
# sysname SwitchF # vlan batch 10 20 # interface GigabitEthernet1/0/1 port link-type dot1q-tunnel port default vlan 10 # interface GigabitEthernet2/0/1 port link-type dot1q-tunnel port default vlan 20 # interface GigabitEthernet3/0/1 port link-type dot1q-tunnel port default vlan 10 # interface GigabitEthernet4/0/1 port link-type trunk port trunk allow-pass vlan 20 # return
Configuration file of SwitchG
# sysname SwitchG # vlan batch 20 # interface GigabitEthernet1/0/1 port link-type dot1q-tunnel port default vlan 20 # interface GigabitEthernet2/0/1 port link-type dot1q-tunnel port default vlan 20 # interface GigabitEthernet3/0/1 port link-type trunk port trunk allow-pass vlan 20 # return
5.12.2 Example for Configuring Selective QinQ

As shown in Figure 5-2, common Internet access users (using PCs) and IPTV users (using IPTV terminals) connect to the carrier network through Switch A and Switch B and communicate with each other through the carrier network. It is required that packets of PCs and IPTV terminals are tagged VLAN 2 and VLAN 3 when the packets are transmitted through the carrier network.
Figure 5-2 Networking for configuring selective QinQ
SwitchA GE1/0/2 GE1/0/1 Carrier network
SwitchB GE1/0/2 GE1/0/1
PC
IPTV
IPTV
PC
The configuration roadmap is as follows: 1. 2. 3. Create VLANs on Switch A and Switch B. Configure types of interfaces on Switch A and Switch B, and add the interfaces to corresponding VLANs. Configure selective QinQ on interfaces of Switch A and Switch B.
Data Preparation
To complete the configuration, you need the following data: l l l l VLANs that PCs belong to: VLAN 100 to VLAN 200 VLANs that IPTV terminals belong to: VLAN 300 to VLAN 400 VLAN tag that packets of PCs carry on the carrier network: VLAN 2 VLAN tag that packets of IPTV terminals carry on the carrier network: VLAN 3
Procedure
Step 1 Create VLANs. # On Switch A, create VLAN 2 and VLAN 3, that is, the outer VLAN IDs added to packets on the carrier network.
# On Switch B, create VLAN 2 and VLAN 3, that is, the outer VLAN IDs added to packets on the carrier network.

Step 2 Configure selective QinQ on interfaces of Switch A and Switch B. # Configure GE 1/0/1 of Switch A.
[SwitchA] interface gigabitethernet [SwitchA-GigabitEthernet1/0/1] port [SwitchA-GigabitEthernet1/0/1] port [SwitchA-GigabitEthernet1/0/1] port [SwitchA-GigabitEthernet1/0/1] port [SwitchA-GigabitEthernet1/0/1] quit 1/0/1 link-type hybrid hybrid untagged vlan 2 3 vlan-stacking vlan 100 to 200 stack-vlan 2 vlan-stacking vlan 300 to 400 stack-vlan 3
# Configure GE 1/0/1 of Switch B.

[SwitchB] interface gigabitethernet [SwitchB-GigabitEthernet1/0/1] port [SwitchB-GigabitEthernet1/0/1] port [SwitchB-GigabitEthernet1/0/1] port [SwitchB-GigabitEthernet1/0/1] port [SwitchB-GigabitEthernet1/0/1] quit 1/0/1 link-type hybrid hybrid untagged vlan 2 3 vlan-stacking vlan 100 to 200 stack-vlan 2 vlan-stacking vlan 300 to 400 stack-vlan 3
Step 3 Configure other interfaces. # Add GE 1/0/2 of Switch A to VLAN 2 and VLAN 3.
[SwitchA] interface gigabitethernet 1/0/2 [SwitchA-GigabitEthernet1/0/2] port link-type trunk [SwitchA-GigabitEthernet1/0/2] port trunk allow-pass vlan 2 3 [SwitchA-GigabitEthernet1/0/2] quit
# Add GE 1/0/2 of Switch B to VLAN 2 and VLAN 3.

[SwitchB] interface gigabitethernet 1/0/2 [SwitchB-GigabitEthernet1/0/2] port link-type trunk [SwitchB-GigabitEthernet1/0/2] port trunk allow-pass vlan 2 3 [SwitchB-GigabitEthernet1/0/2] quit
Step 4 Verify the configuration. # View the configuration of each interface on Switch A.
<SwitchA> display current-configuration interface gigabitethernet 1/0/1 # interface GigabitEthernet1/0/1 port hybrid untagged vlan 2 to 3 port vlan-stacking vlan 100 to 200 stack-vlan 2 port vlan-stacking vlan 300 to 400 stack-vlan 3 # return <SwitchA> display current-configuration interface gigabitethernet 1/0/2 # interface GigabitEthernet1/0/2 port link-type trunk port trunk allow-pass vlan 2 to 3 # return
# View the configuration of each interface on Switch B.

<SwitchB> display current-configuration interface gigabitethernet 1/0/1 # interface GigabitEthernet1/0/1 port hybrid untagged vlan 2 to 3 port vlan-stacking vlan 100 to 200 stack-vlan 2 port vlan-stacking vlan 300 to 400 stack-vlan 3 # return
Issue 01 (2011-10-26)
231
<SwitchB> display current-configuration interface gigabitethernet 1/0/2 # interface GigabitEthernet1/0/2 port link-type trunk port trunk allow-pass vlan 2 to 3 # return
If Switch A and Switch B are configured correctly: l PCs can communicate with each other through the carrier network. l IPTV terminals can communicate with each other through the carrier network. ----End
Configuration Files
Only the configuration files of the Switches are provided: l Configuration file of Switch A
# sysname SwitchA # vlan batch 2 to 3 # interface GigabitEthernet1/0/1 port hybrid untagged vlan 2 to 3 port vlan-stacking vlan 100 to 200 stack-vlan 2 port vlan-stacking vlan 300 to 400 stack-vlan 3 # interface GigabitEthernet1/0/2 port link-type trunk port trunk allow-pass vlan 2 to 3 # return
# sysname SwitchB # vlan batch 2 to 3 # interface GigabitEthernet1/0/1 port hybrid untagged vlan 2 to 3 port vlan-stacking vlan 100 to 200 stack-vlan 2 port vlan-stacking vlan 300 to 400 stack-vlan 3 # interface GigabitEthernet1/0/2 port link-type trunk port trunk allow-pass vlan 2 to 3 # return
5.12.3 Example for Configuring Selective QinQ with VLAN Mapping

As shown in Figure 5-3, the Internet access, IPTV, and VoIP services are provided for users through home gateways. The corridor switches allocate VLANs to the services as follows:
l l l l
VLANs for the Internet access service of different users: VLAN 1000 to VLAN 1100 Shared VLAN for the IPTV service: VLAN 1101 Shared VLAN for the VoIP service: VLAN 1102 Shared VLAN for home gateways: VLAN 1103
Each community switch is connected to 50 downstream corridor switches and maps the VLAN IDs in the packets of the Internet access service from the corridor switches to VLAN 101 to VLAN 150. The aggregate switch of the carrier is connected to 50 downstream community switches and adds outer VLAN IDs 21 to 70 to the packets sent from the community switches. After user devices are powered on, they send service request packets to the switch of the carrier. After the user devices pass the authentication, services can be used. Figure 5-3 Networking for configuring selective QinQ
ME60 Internet Aggregate switch of carrier SwitchA GE1/0/0

Community switch
SwitchB GE1/0/0
GE2/0/0
Corridor switch

Home gateway
The configuration roadmap is as follows: 1. 2. 3. 4. Create VLANs on SwitchA and SwitchB. Configure VLAN mapping on SwitchB and add GE 1/0/0 and GE 2/0/0 to the VLANs. Configure selective QinQ on SwitchA and add GE 1/0/0 to VLANs. Add other downlink interfaces of SwitchA and SwitchB to the VLANs. The configurations are similar to the configurations of their GE 1/0/0 interfaces.
Issue 01 (2011-10-26)
5.
Configure other community switches. The configuration is similar to the configuration on SwitchB.
Data preparation
To complete the configuration, you need the following data: l l l l l l VLANs to which GE 1/0/0 of SwitchB is added in tagged mode: VLAN 1000 to VLAN 1100, VLAN 1101, VLAN 1102, VLAN 1103, and VLAN 101 VLANs to which GE 2/0/0 of SwitchB is added in tagged mode: VLAN 101 to VLAN 150, VLAN 1101, VLAN 1102, and VLAN 1103 VLANs to which GE 1/0/0 of SwitchA is added in tagged mode: VLAN 1101, VLAN 1102, and VLAN 1103 VLANs to which GE 1/0/0 of SwitchA is added in untagged mode: VLAN 21 Interface on SwitchB where VLAN mapping is configured: GE 1/0/0 Interface on SwitchA where selective QinQ is configured: GE 1/0/0
Procedure
Step 1 # Configure SwitchA. # Create VLANs.
<Quidway> system-view [Quidway] vlan batch 21 to 70 1101 to 1103
# Add related GE 1/0/0 to the VLANs.

[Quidway] interface gigabitethernet 1/0/0 [Quidway-GigabitEthernet1/0/0] port hybrid untagged vlan 21 [Quidway-GigabitEthernet1/0/0] port hybrid tagged vlan 1101 to 1103 [Quidway-GigabitEthernet1/0/0] quit
# Configure selective QinQ on GE 1/0/0.

[Quidway] interface gigabitethernet 1/0/0 [Quidway-GigabitEthernet1/0/0] port vlan-stacking vlan 101 to 150 stack-vlan 21 [Quidway-GigabitEthernet1/0/0] quit
Step 2 # Configure SwitchB. # Create VLANs.

<Quidway> system-view [Quidway] vlan batch 101 to 150 1000 to 1103
# Add GE 1/0/0 and GE 2/0/0 to the VLANs.

[Quidway] interface gigabitethernet [Quidway-GigabitEthernet1/0/0] port [Quidway-GigabitEthernet1/0/0] quit [Quidway] interface gigabitethernet [Quidway-GigabitEthernet2/0/0] port [Quidway-GigabitEthernet2/0/0] quit 1/0/0 hybrid tagged vlan 101 1000 to 1103 2/0/0 hybrid tagged vlan 101 to 150 1101 to 1103
# Configure VLAN mapping on GE 1/0/0.

[Quidway] interface gigabitethernet 1/0/0 [Quidway-GigabitEthernet1/0/0] port vlan-mapping vlan 1000 to 1100 map-vlan 101 [Quidway-GigabitEthernet1/0/0] quit
Issue 01 (2011-10-26)
234
Step 3 Verify the configuration. The Internet access service, IPTV service, and VoIP service can be used. ----End
Configuration Files
# sysname Quidway # vlan batch 21 to 70 1101 to 1103 # interface GigabitEthernet1/0/0 port hybrid tagged vlan 1101 to 1103 port hybrid untagged vlan 21 port vlan-stacking vlan 101 to 150 stack-vlan 21 # return

# sysname Quidway # vlan batch 101 to 150 1000 to 1103 # interface GigabitEthernet1/0/0 port hybrid tagged vlan 101 1000 to 1103 port vlan-mapping vlan 1000 to 1100 map-vlan 101 # interface GigabitEthernet2/0/0 port hybrid tagged vlan 101 to 150 1101 to 1103 # return
5.12.4 Example for Configuring Selective QinQ with a Traffic Policy

As shown in Figure 5-4, low-end switches at the user side connect to the Internet through the Switch. The IPTV and Internet access services are deployed at the user side. User PCs obtain IP addresses from ME60-A to connect to the Internet, and the set top boxes obtain IP addresses from ME60B to provide the IPTV service. The DSLAMs add different VLAN tags to packets of different services so that the PCs cannot obtain IP addresses from ME60-B. The carrier assigns VLAN 100 to VLAN 999 to PPPoE packets and assigns VLAN 1000 to VLAN 1999 to DHCP packets. The STBs are provided by the carrier; therefore, the carrier can obtain MAC addresses of STBs but cannot obtain MAC addresses of PCs. When a user starts the PC, a DHCP packet is sent to apply for an IP address. This request should be rejected and the user needs to obtain an IP address by dialing in through PPPoE.
Figure 5-4 Networking diagram for configuring selective QinQ
Internet
ME60-A GE3/0/0 GE1/0/0 Switch
ME60-B GE4/0/0 GE2/0/0
SwitchA
SwitchB
SwitchC
SwitchD
SwitchE
SwitchF
The configuration roadmap is as follows: 1. 2. 3. 4. Create VLANs on the Switch. Traffic classifier, traffic behavior, and traffic policy used to filter packets based on VLAN IDs and source MAC addresses of packets Configure GE 1/0/0 and GE 2/0/0 of the Switch as hybrid interfaces and enable selective QinQ on the two interfaces. Configure a traffic policy and apply it in the inbound direction of GE 1/0/0 and GE 2/0/0 to prevent PCs from obtaining IP addresses through DHCP packets.
Preparing Data
To complete the configuration, you need the following data: l l
Issue 01 (2011-10-26)
VLANs to which GE 1/0/0 and GE 2/0/0 of the Switch need to be added: VLAN 10 and VLAN 20 (in untagged mode) VLAN to which GE 3/0/0 needs to be added: VLAN 10 (in tagged mode)
l l l l l
VLAN to which GE 4/0/0 of the Switch needs to be added: VLAN 20 (in tagged mode) MAC address segments of STBs: 00e0-8e00-0000 ffff-ff00-0000 Traffic classifier: for STB, filtering packets based on VLAN IDs and source MAC addresses, that is, forwarding packets with the specified MAC address and VLAN ID Traffic behavior: PermitMAC, using the default action permit Traffic policy: PermitMAC, containing the preceding traffic classifier and traffic behavior
Procedure
Step 1 Configure selective QinQ. # Create VLANs.
# Add related interfaces to the VLANs.

[Quidway] interface gigabitethernet [Quidway-GigabitEthernet1/0/0] port [Quidway-GigabitEthernet1/0/0] quit [Quidway] interface gigabitethernet [Quidway-GigabitEthernet2/0/0] port [Quidway-GigabitEthernet2/0/0] quit [Quidway] interface gigabitethernet [Quidway-GigabitEthernet3/0/0] port [Quidway-GigabitEthernet3/0/0] quit [Quidway] interface gigabitethernet [Quidway-GigabitEthernet4/0/0] port [Quidway-GigabitEthernet4/0/0] quit 1/0/0 hybrid untagged vlan 10 20 2/0/0 hybrid untagged vlan 10 20 3/0/0 hybrid tagged vlan 10 4/0/0 hybrid tagged vlan 20
# Configure selective QinQ on GE 1/0/0 and GE 2/0/0.

[Quidway] interface gigabitethernet [Quidway-GigabitEthernet1/0/0] port [Quidway-GigabitEthernet1/0/0] port [Quidway-GigabitEthernet1/0/0] quit [Quidway] interface gigabitethernet [Quidway-GigabitEthernet2/0/0] port [Quidway-GigabitEthernet2/0/0] port [Quidway-GigabitEthernet2/0/0] quit 1/0/0 vlan-stacking vlan 100 to 999 stack-vlan 10 vlan-stacking vlan 1000 to 1999 stack-vlan 20 2/0/0 vlan-stacking vlan 100 to 999 stack-vlan 10 vlan-stacking vlan 1000 to 1999 stack-vlan 20
Step 2 Configure a traffic policy. # Configure an ACL to filter packets based on source MAC addresses.
<Quidway> system-view [Quidway] acl number 4001 [Quidway-acl-L2-4001] rule 1 permit source-mac 00e0-8e00-0000 ffff-f f00-0000 [Quidway-acl-L2-4001] rule 100 deny [Quidway-acl-L2-4001] quit
# Configure a traffic classifier.

[Quidway] traffic classifier STB operator and [Quidway-classifier-STB] if-match vlan-id 20 [Quidway-classifier-STB] if-match acl 4001 [Quidway-classifier-STB] quit
# Configure a traffic behavior.

[Quidway] traffic behavior PermitMAC [Quidway-behavior-PermitMAC] quit
Issue 01 (2011-10-26)
237
# Configure a traffic policy.

[Quidway] traffic policy PermitMAC [Quidway-trafficpolicy-PermitMAC] classifier STB behavior PermitMAC [Quidway-trafficpolicy-PermitMAC] quit
# Apply the traffic policy in the inbound direction of GE 1/0/0 and GE 2/0/0.
[Quidway] interface gigabitethernet 1/0/0 [Quidway-GigabitEthernet1/0/0] traffic-policy PermitMAC inbound [Quidway-GigabitEthernet1/0/0] quit [Quidway] interface gigabitethernet 2/0/0 [Quidway-GigabitEthernet2/0/0] traffic-policy PermitMAC inbound [Quidway-GigabitEthernet2/0/0] quit
Step 3 Verify the configuration. The IPTV and Internet access services can be used. STBs obtain IP addresses from ME60-B, and PCs obtain IP addresses from ME60-A. ----End
Configuration Files
# sysname Quidway # vlan batch 10 20 # acl number 4001 rule 1 permit source-mac 00e0-8e00-0000 ffff-ff00-0000 rule 100 deny # traffic classifier STB operator and precedence 5 if-match vlan-id 20 if-match acl 4001 # traffic behavior PermitMAC # traffic policy PermitMAC classifier STB behavior PermitMAC # interface GigabitEthernet1/0/0 port hybrid untagged vlan 10 20 port vlan-stacking vlan 100 to 999 stack-vlan 10 port vlan-stacking vlan 1000 to 1999 stack-vlan 20 traffic-policy PermitMAC inbound # interface GigabitEthernet2/0/0 port hybrid untagged vlan 10 20 port vlan-stacking vlan 100 to 999 stack-vlan 10 port vlan-stacking vlan 1000 to 1999 stack-vlan 20 traffic-policy PermitMAC inbound # interface GigabitEthernet3/0/0 port hybrid tagged vlan 10 # interface GigabitEthernet4/0/0 port hybrid tagged vlan 20 # return
5.12.5 Example for Configuring Flow-based Selective QinQ

As shown in Figure 5-5, common Internet access users (using PCs) and IPTV users (using IPTV terminals) connect to the carrier network through Switch A and Switch B and communicate with each other through the carrier network. It is required that packets of PCs and IPTV terminals are tagged VLAN 2 and VLAN 3 when the packets are transmitted through the carrier network. The Switch can implement selective QinQ through traffic policies. Figure 5-5 Networking for configuring selective QinQ
SwitchA GE1/0/2 GE1/0/1 Carrier network
SwitchB GE1/0/2 GE1/0/1
PC
IPTV
IPTV
PC
The configuration roadmap is as follows: 1. 2. 3. 4. Create VLANs on Switch A and Switch B. Configure traffic classifiers, traffic behaviors, and traffic policies on Switch A and Switch B. Configure types of interfaces on Switch A and Switch B, and add the interfaces to corresponding VLANs. Apply the traffic policies to interfaces of Switch A and Switch B to implement selective QinQ.
Data Preparation
To complete the configuration, you need the following data: l l l l
Issue 01 (2011-10-26)
VLANs that PCs belong to: VLAN 100 to VLAN 200 VLANs that IPTV terminals belong to: VLAN 300 to VLAN 400 VLAN tag that packets of PCs carry on the carrier network: VLAN 2 VLAN tag that packets of IPTV terminals carry on the carrier network: VLAN 3
l l l
Names of the traffic classifier and traffic behavior applied to common Internet access users: name1 Names of the traffic classifier and traffic behavior applied to IPTV users: name2 Name of the traffic policy applied to common Internet access users and IPTV users: name1
Procedure
Step 1 Create VLANs. # On Switch A, create VLAN 2 and VLAN 3, that is, the outer VLAN IDs added to packets on the carrier network.
# On Switch B, create VLAN 2 and VLAN 3, that is, the outer VLAN IDs added to packets on the carrier network.
Step 2 Configure traffic policies on the Switches. # Configure traffic classifiers, traffic behaviors, and traffic policies on Switch A.
[SwitchA] traffic classifier name1 [SwitchA-classifier-name1] if-match vlan-id 100 to 200 [SwitchA-classifier-name1] quit [SwitchA] traffic behavior name1 [SwitchA-behavior-name1] nest top-most vlan-id 2 [SwitchA-behavior-name1] quit [SwitchA] traffic classifier name2 [SwitchA-classifier-name2] if-match vlan-id 300 to 400 [SwitchA-classifier-name2] quit [SwitchA] traffic behavior name2 [SwitchA-behavior-name2] nest top-most vlan-id 3 [SwitchA-behavior-name2] quit [SwitchA] traffic policy name1 [SwitchA-trafficpolicy-name1] classifier name1 behavior name1 [SwitchA-trafficpolicy-name1] classifier name2 behavior name2 [SwitchA-trafficpolicy-name1] quit
# Configure traffic classifiers, traffic behaviors, and traffic policies on Switch B.

[SwitchB] traffic classifier name1 [SwitchB-classifier-name1] if-match vlan-id 100 to 200 [SwitchB-classifier-name1] quit [SwitchB] traffic behavior name1 [SwitchB-behavior-name1] nest top-most vlan-id 2 [SwitchB-behavior-name1] quit [SwitchB] traffic classifier name2 [SwitchB-classifier-name2] if-match vlan-id 300 to 400 [SwitchB-classifier-name2] quit [SwitchB] traffic behavior name2 [SwitchB-behavior-name2] nest top-most vlan-id 3 [SwitchB-behavior-name2] quit [SwitchB] traffic policy name1 [SwitchB-trafficpolicy-name1] classifier name1 behavior name1 [SwitchB-trafficpolicy-name1] classifier name2 behavior name2 [SwitchB-trafficpolicy-name1] quit
Step 3 Apply the traffic policies to interfaces of Switch A and Switch B to implement selective QinQ. # Configure GE 1/0/1 of Switch A.

[SwitchA] interface gigabitethernet 1/0/1 [SwitchA-GigabitEthernet1/0/1] port link-type hybrid [SwitchA-GigabitEthernet1/0/1] port hybrid untagged vlan 2 3 [SwitchA-GigabitEthernet1/0/1] traffic-policy name1 inbound [SwitchA-GigabitEthernet1/0/1] quit
# Configure GE 1/0/1 of Switch B.

[SwitchB] interface gigabitethernet 1/0/1 [SwitchB-GigabitEthernet1/0/1] port link-type hybrid [SwitchB-GigabitEthernet1/0/1] port hybrid untagged vlan 2 3 [SwitchB-GigabitEthernet1/0/1] traffic-policy name1 inbound [SwitchB-GigabitEthernet1/0/1] quit
Step 4 Configure other interfaces. # Add GE 1/0/2 of Switch A to VLAN 2 and VLAN 3.
[SwitchA] interface gigabitethernet 1/0/2 [SwitchA-GigabitEthernet1/0/2] port link-type trunk [SwitchA-GigabitEthernet1/0/2] port trunk allow-pass vlan 2 3 [SwitchA-GigabitEthernet1/0/2] quit
# Add GE 1/0/2 of Switch B to VLAN 2 and VLAN 3.

[SwitchB] interface gigabitethernet 1/0/2 [SwitchB-GigabitEthernet1/0/2] port link-type trunk [SwitchB-GigabitEthernet1/0/2] port trunk allow-pass vlan 2 3 [SwitchB-GigabitEthernet1/0/2] quit
Step 5 Verify the configuration. # View the configuration of each interface on Switch A.
<SwitchA> display current-configuration interface gigabitethernet 1/0/1 # interface GigabitEthernet1/0/1 port hybrid untagged vlan 2 to 3 traffic-policy name1 inbound # return <SwitchA> display current-configuration interface gigabitethernet 1/0/2 # interface GigabitEthernet1/0/2 port link-type trunk port trunk allow-pass vlan 2 to 3 # return
# View the configuration of each interface on Switch B.

<SwitchB> display current-configuration interface gigabitethernet 1/0/1 # interface GigabitEthernet1/0/1 port hybrid untagged vlan 2 to 3 traffic-policy name1 inbound # return <SwitchB> display current-configuration interface gigabitethernet 1/0/2 # interface GigabitEthernet1/0/2 port link-type trunk port trunk allow-pass vlan 2 to 3 # return
If Switch A and Switch B are configured correctly: l PCs can communicate with each other through the carrier network.
l IPTV terminals can communicate with each other through the carrier network. ----End
Configuration Files
Only the configuration files of the Switches are provided: l Configuration file of Switch A
# sysname SwitchA # vlan batch 2 to 3 # traffic classifier name1 operator or precedence 5 if-match vlan-id 100 to 200 traffic classifier name2 operator or precedence 10 if-match vlan-id 300 to 400 # traffic behavior name1 nest top-most vlan-id 2 traffic behavior name2 nest top-most vlan-id 3 # traffic policy name1 classifier name1 behavior name1 classifier name2 behavior name2 # interface GigabitEthernet1/0/1 port hybrid untagged vlan 2 to 3 traffic-policy name1 inbound # interface GigabitEthernet1/0/2 port link-type trunk port trunk allow-pass vlan 2 to 3 # return
# sysname SwitchB # vlan batch 2 to 3 # traffic classifier name1 operator or precedence 5 if-match vlan-id 100 to 200 traffic classifier name2 operator or precedence 10 if-match vlan-id 300 to 400 # traffic behavior name1 nest top-most vlan-id 2 traffic behavior name2 nest top-most vlan-id 3 # traffic policy name1 classifier name1 behavior name1 classifier name2 behavior name2 # interface GigabitEthernet1/0/1 port hybrid untagged vlan 2 to 3 traffic-policy name1 inbound # interface GigabitEthernet1/0/2 port link-type trunk port trunk allow-pass vlan 2 to 3 # return
Issue 01 (2011-10-26)
242
5.12.6 Example for Configuring the Dot1q Sub-interfaces to Access VLL

As shown in Figure 5-6, CE1 and CE2 are connected to PE1 and PE2 respectively through VLANs. A Martini VLL is set up between CE1 and CE2. Figure 5-6 Networking diagram for configuring a Martini VLL
Loopback1 1.1.1.9/32 PE 1 GE1/0/0 GE1/0/0
Loopback1 2.2.2.9/32 GE 2/0/0 GE 1/0/0 GE1/0/0 P Martini
Loopback1 3.3.3.9/32 PE 2 GE 2/0/0 GE 1/0/0
GE 2/0/0
CE 1
Switch PE1 Interface GigabitEthernet1/0/0 GigabitEthernet2/0/0 Loopback1 PE2 GigabitEthernet1/0/0 GigabitEthernet2/0/0 Loopback1 P GigabitEthernet1/0/0 GigabitEthernet2/0/0 Loopback1 CE1 CE2 GigabitEthernet1/0/0 GigabitEthernet1/0/0 Layer 3 interface GigabitEthernet1/0/0.1 VLANIF 20 VLANIF 30 GigabitEthernet2/0/0.1 VLANIF 30 VLANIF 20 VLANIF 10 VLANIF 10
CE 2
IP address 10.1.1.1/24 1.1.1.9/32 10.2.2.1/24 3.3.3.9/32 10.2.2.2/24 10.1.1.2/24 2.2.2.9/32 100.1.1.1/24 100.1.1.2/24
The configuration roadmap is as follows: 1. Configure the routing protocol on devices (PE and P) of the backbone network to implement interworking and enable MPLS.
Issue 01 (2011-10-26)
2. 3. 4.
Use the default tunnel policy to create an LSP and configure the LSP as the tunnel for data transmission. Enable MPLS L2VPN and create VC connections on the PEs. Configure the Dot1q sub-interface to access the VLL on the interface connecting the PE and CE.
Data Preparation
To complete the configuration, you need the following data: l l l Name of the remote peer of each PE VC ID Encapsulation mode of the sub-interface and VLAN ID
Procedure
Step 1 Configure the VLANs that interfaces of CEs, PEs and P belong to according to Figure 5-6 and assign IP addresses to VLANIF interfaces. Packets sent from CEs to PEs carry a VLAN tag. The configuration procedure is not mentioned. Step 2 Configure an IGP on the MPLS backbone network. In this example, OSPF is used. When configuring OSPF, advertise the 32-bit addresses of loopback interfaces on PE1, P, and PE2. The loopback interface addresses are the LSR IDs. The configuration procedure is not mentioned. After the configuration, OSPF relations are established between PE1, P, and PE2. Run the display ospf peer command, and you can see that the status of the OSPF relations is Full. Run the display ip routing-table command, and you can view that the PEs can learn the routes of their Loopback1 interfaces. Step 3 Configure basic MPLS functions and LDP on the MPLS backbone network. # Configure PE1.
[PE1] mpls lsr-id 1.1.1.9 [PE1] mpls [PE1-mpls] quit [PE1] mpls ldp [PE1-mpls-ldp] quit [PE1] interface vlanif 20 [PE1-Vlanif20] mpls [PE1-Vlanif20] mpls ldp [PE1-Vlanif20] quit
# Configure P.
[P] mpls lsr-id 2.2.2.9 [P] mpls [P-mpls] quit [P] mpls ldp [P-mpls-ldp] quit [P] interface vlanif 20 [P-Vlanif20] mpls [P-Vlanif20] mpls ldp [P-Vlanif20] quit [P] interface vlanif 30
Issue 01 (2011-10-26)
244

[P-Vlanif30] mpls [P-Vlanif30] mpls ldp [P-Vlanif30] quit
# Configure PE2.
Step 4 Create remote LDP sessions between PEs. # Configure PE1.

[PE1] mpls ldp remote-peer 3.3.3.9 [PE1-mpls-ldp-remote-3.3.3.9] remote-ip 3.3.3.9 [PE1-mpls-ldp-remote-3.3.3.9] quit
# Configure PE2.
After the configuration, run the display mpls ldp session command on PE1 to view the status of the LDP session. You can see that an LDP session is set up between PE1 and PE2. Take the display on PE1 as an example.
<PE1> display mpls ldp session LDP Session(s) in Public Network -----------------------------------------------------------------------------Peer-ID Status LAM SsnRole SsnAge KA-Sent/Rcv -----------------------------------------------------------------------------2.2.2.9:0 Operational DU Passive 000:15:29 3717/3717 3.3.3.9:0 Operational DU Passive 000:00:00 2/2 -----------------------------------------------------------------------------TOTAL: 2 session(s) Found. LAM : Label Advertisement Mode SsnAge Unit : DDD:HH:MM
Step 5 Enable MPLS L2VPN on the PEs and establish VC connections. # Configure PE1: Create a VC connection on GE 1/0/0.1, which is connected to CE1.
[PE1] mpls l2vpn [PE1-l2vpn] mpls l2vpn default martini [PE1-l2vpn] quit [PE1] interface gigabitethernet 1/0/0.1 [PE1-GigabitEthernet1/0/0.1] control-vid 1000 dot1q-termination [PE1-GigabitEthernet1/0/0.1] dot1q termination vid 10 [PE1-GigabitEthernet1/0/0.1] mpls l2vc 3.3.3.9 101 [PE1-GigabitEthernet1/0/0.1] quit
# On PE2, create a VC connection on GE 2/0/0.1, which is connected to CE2.

[PE2] mpls l2vpn [PE2-l2vpn] mpls l2vpn default martini [PE2-l2vpn] quit [PE2] interface gigabitethernet 2/0/0.1 [PE2-GigabitEthernet2/0/0.1] control-vid 2000 dot1q-termination [PE2-GigabitEthernet2/0/0.1] dot1q termination vid 10
Issue 01 (2011-10-26)
245

[PE2-GigabitEthernet2/0/0.1] mpls l2vc 1.1.1.9 101 [PE2-GigabitEthernet2/0/0.1] quit
Step 6 Verify the configuration. On PEs, check the L2VPN connections. You can see that an L2VC connection is set up and is in Up state. Take the display on PE1 as an example:
<PE1> display mpls l2vc interface gigabitethernet 1/0/0.1 *client interface : gigabitethernet 1/0/0.1 is up session state : up AC state : up VC state : up VC ID : 101 VC type : VLAN destination : 3.3.3.9 local group ID : 0 remote group ID : 0 local VC label : 21504 remote VC label : 21504 local AC OAM State : up local PSN State : up local forwarding state : forwarding BFD for PW : unavailable manual fault : not set active state : active forwarding entry : not exist link state : up local VC MTU : 1500 remote VC MTU : 1500 local VCCV : Disable remote VCCV : none local control word : disable remote control word : none tunnel policy name : -traffic behavior name : -PW template name : -primary or secondary : primary VC tunnel/token info : 1 tunnels/tokens NO.0 TNL type : lsp , TNL ID : 0x10007 create time : 0 days, 0 hours, 4 minutes, 19 seconds up time : 0 days, 0 hours, 3 minutes, 45 seconds last change time : 0 days, 0 hours, 3 minutes, 45 seconds
CE1 and CE2 can ping each other successfully. Take the display on CE1 as an example:
<CE1> ping 100.1.1.2 PING 100.1.1.2: 56 data bytes, press CTRL_C to break Reply from 100.1.1.2: bytes=56 Sequence=1 ttl=255 time=31 ms Reply from 100.1.1.2: bytes=56 Sequence=2 ttl=255 time=10 ms Reply from 100.1.1.2: bytes=56 Sequence=3 ttl=255 time=5 ms Reply from 100.1.1.2: bytes=56 Sequence=4 ttl=255 time=2 ms Reply from 100.1.1.2: bytes=56 Sequence=5 ttl=255 time=28 ms --- 100.1.1.2 ping statistics --5 packet(s) transmitted 5 packet(s) received 0.00% packet loss round-trip min/avg/max = 2/15/31 ms
----End
Configuration Files
# sysname CE1 # vlan batch 10
Issue 01 (2011-10-26)
246

# interface Vlanif10 ip address 100.1.1.1 255.255.255.0 # interface GigabitEthernet1/0/0 port link-type trunk port trunk allow-pass vlan 10 # return

# sysname PE1 # vlan batch 20 # mpls lsr-id 1.1.1.9 mpls # mpls l2vpn mpls l2vpn default martini # mpls ldp # mpls ldp remote-peer 3.3.3.9 remote-ip 3.3.3.9 # interface Vlanif20 ip address 10.1.1.1 255.255.255.0 mpls mpls ldp # interface GigabitEthernet1/0/0 # interface GigabitEthernet1/0/0.1 control-vid 1000 dot1q-termination dot1q termination vid 10 mpls l2vc 3.3.3.9 101 # interface GigabitEthernet2/0/0 port hybrid pvid vlan 20 port hybrid tagged vlan 20 # interface LoopBack1 ip address 1.1.1.9 255.255.255.255 # ospf 1 area 0.0.0.0 network 1.1.1.9 0.0.0.0 network 10.1.1.0 0.0.0.255 # return
Configuration file of P
# sysname P # vlan batch 20 30 # mpls lsr-id 2.2.2.9 mpls # mpls ldp # interface Vlanif 20 ip address 10.1.1.2 255.255.255.0 mpls mpls ldp # interface Vlanif 30
Issue 01 (2011-10-26)
247

ip address 10.2.2.2 255.255.255.0 mpls mpls ldp # interface GigabitEthernet1/0/0 port hybrid pvid vlan 30 port hybrid tagged vlan 30 # interface GigabitEthernet2/0/0 port hybrid pvid vlan 20 port hybrid tagged vlan 20 # interface LoopBack1 ip address 2.2.2.9 255.255.255.255 # ospf 1 area 0.0.0.0 network 2.2.2.9 0.0.0.0 network 10.1.1.0 0.0.0.255 network 10.2.2.0 0.0.0.255 # return

# sysname PE2 # vlan batch 30 # mpls lsr-id 3.3.3.9 mpls # mpls l2vpn mpls l2vpn default martini # mpls ldp # mpls ldp remote-peer 1.1.1.9 remote-ip 1.1.1.9 # interface Vlanif 30 ip address 10.2.2.1 255.255.255.0 mpls mpls ldp # interface GigabitEthernet1/0/0 port hybrid pvid vlan 30 port hybrid tagged vlan 30 # interface GigabitEthernet2/0/0 # interface GigabitEthernet2/0/0.1 control-vid 2000 dot1q-termination dot1q termination vid 10 mpls l2vc 1.1.1.9 101 # interface LoopBack1 ip address 3.3.3.9 255.255.255.255 # ospf 1 area 0.0.0.0 network 3.3.3.9 0.0.0.0 network 10.2.2.0 0.0.0.255 # return
Configuration file of CE2

# sysname CE2 #
Issue 01 (2011-10-26)
248

vlan batch 10 # interface Vlanif 10 ip address 100.1.1.2 255.255.255.0 # interface GigabitEthernet1/0/0 port link-type trunk port trunk allow-pass vlan 10 # return
5.12.7 Example for Connecting QinQ Sub-interfaces to a VLL Network

As shown in Figure 5-7, CE1 and CE2 are connected to PE1 and PE2 respectively through VLANs. A Martini VLL is set up between CE1 and CE2. Switch1 is connected to CE1 and PE1. Switch2 is connected to CE2 and PE2. It is required that you configure selective QinQ on the interfaces connected to CEs so that the switches add the VLAN tags specified by the carrier to the packets sent from CEs. When a switch is connected to multiple CEs, the switch can add different VLAN tags to the packets from different CEs, that is, packets with different VLAN tags. This saves VLAN IDs on the public network. Figure 5-7 Networking diagram for configuring a Martini VLL
Loopback1 1.1.1.9/32
PE1 GE1/0/0 GE2/0/0
GE2/0/0 GE1/0/0 P
GE2/0/0 GE1/0/0
PE2 GE2/0/0 GE2/0/0
Switch1 GE1/0/0 GE1/0/0
CE1
Switch PE1 Interface GigabitEthernet1/0/0 VLANIF interface
CE2
IP address -
GigabitEthernet1/0/0.1
Issue 01 (2011-10-26)
249

GigabitEthernet2/0/0 Loopback1 PE2 GigabitEthernet1/0/0 GigabitEthernet2/0/0 Loopback1 P GigabitEthernet1/0/0 GigabitEthernet2/0/0 Loopback1 CE1 CE2 GigabitEthernet1/0/0 GigabitEthernet1/0/0 VLANIF 20 VLANIF 30 GigabitEthernet2/0/0.1 VLANIF 30 VLANIF 20 VLANIF 10 VLANIF 10
10.1.1.1/24 1.1.1.9/32 10.2.2.1/24 3.3.3.9/32 10.2.2.2/24 10.1.1.2/24 2.2.2.9/32 100.1.1.1/24 100.1.1.2/24
The configuration roadmap is as follows: 1. 2. 3. 4. 5. Configure the routing protocol on devices on the backbone network (PE and P) to implement interworking and enable MPLS. Use the default tunnel policy to create an LSP and configure the LSP as the tunnel for data transmission. Enable MPLS L2VPN and create VC connections on the PEs. Configure QinQ sub-interfaces on the PE interfaces connected to the switches and connect the QinQ sub-interfaces to the VLL network. Configure selective QinQ on the switch interfaces connected to CEs.
Data Preparation
To complete the configuration, you need the following data: l l l Name of the remote peer of each PE VC ID Encapsulation mode of the sub-interfaces and VLANs that the sub-interfaces belong to
Procedure
Step 1 Specify the VLANs that the interfaces of CEs, PEs, and P belong to and set the IP addresses of the corresponding VLANIF interfaces according to Figure 5-7. After the configuration, the packets sent from a CE to a switch should contain a VLAN tag. The configuration procedure is not mentioned. Step 2 Configure selective QinQ on the interfaces of the switches and specify the VLANs allowed by the interfaces. # Configure Switch1.
[Switch1] vlan 100 [Switch1-vlan100] quit
Issue 01 (2011-10-26)
250

[Switch1] interface gigabitethernet [Switch1-GigabitEthernet2/0/0] port [Switch1-GigabitEthernet2/0/0] quit [Switch1] interface gigabitethernet [Switch1-GigabitEthernet1/0/0] port [Switch1-GigabitEthernet1/0/0] port [Switch1-GigabitEthernet1/0/0] quit 2/0/0 hybrid tagged vlan 100
1/0/0 hybrid untagged vlan 100 vlan-stacking vlan 10 stack-vlan 100
# Configure Switch2.
[Switch2] vlan 100 [Switch2-vlan100] quit [Switch2] interface gigabitethernet [Switch2-GigabitEthernet2/0/0] port [Switch2-GigabitEthernet2/0/0] quit [Switch2] interface gigabitethernet [Switch2-GigabitEthernet1/0/0] port [Switch2-GigabitEthernet1/0/0] port [Switch2-GigabitEthernet1/0/0] quit
2/0/0 hybrid tagged vlan 100 1/0/0 hybrid untagged vlan 100 vlan-stacking vlan 10 stack-vlan 100
Step 3 Configure an IGP on the MPLS backbone network. In this example, OSPF is used. When configuring OSPF, advertise the 32-bit addresses of loopback interfaces on PEs and P, which are used as the LSR IDs. The configuration procedure is not mentioned. After the configuration, OSPF neighbor relations are established between PE1, P, and PE2. By running the display ospf peer command, you can see that the status of the OSPF neighbor relations is Full. Run the display ip routing-table command, and you can find that the PEs can learn the routes of each other's Loopback1 interface. Step 4 Enable the basic MPLS functions and MPLS LDP on the MPLS network. # Configure PE1.
# Configure P.
[P] mpls lsr-id 2.2.2.9 [P] mpls [P-mpls] quit [P] mpls ldp [P-mpls-ldp] quit [P] interface vlanif 20 [P-Vlanif20] mpls [P-Vlanif20] mpls ldp [P-Vlanif20] quit [P] interface vlanif 30 [P-Vlanif30] mpls [P-Vlanif30] mpls ldp [P-Vlanif30] quit
# Configure PE2.
[PE2] mpls lsr-id 3.3.3.9 [PE2] mpls [PE2-mpls] quit [PE2] mpls ldp
Issue 01 (2011-10-26)
251

[PE2-mpls-ldp] quit [PE2] interface vlanif 30 [PE2-Vlanif30] mpls [PE2-Vlanif30] mpls ldp [PE2-Vlanif30] quit

# Configure PE2.
After the configuration, run the display mpls ldp session command on PE1 to view the status of the LDP session. You can see that an LDP session is set up between PE1 and PE2. The display on PE1 is as follows:
Step 6 Enable MPLS L2VPN on the PEs and create VC connections. # On PE1, create a VC connection on GE 1/0/0.1 that is connected to CE1.
[PE1] mpls l2vpn [PE1-l2vpn] mpls l2vpn default martini [PE1-l2vpn] quit [PE1] interface gigabitethernet 1/0/0.1 [PE1-GigabitEthernet1/0/0.1] control-vid 1000 qinq-termination [PE1-GigabitEthernet1/0/0.1] qinq termination pe-vid 100 ce-vid 10 [PE1-GigabitEthernet1/0/0.1] mpls l2vc 3.3.3.9 101 [PE1-GigabitEthernet1/0/0.1] quit
# On PE2, create a VC connection on GE 2/0/0.1 that is connected to CE1.

Step 7 Verify the configuration. On PEs, check the L2VPN connections. You can see that an L2VC connection is set up and is in Up state. Take the display on PE1 as an example.
CE1 and CE2 can ping each other successfully. Take the display on CE1 as an example.
----End
Configuration Files
# sysname CE1 # vlan batch 10 # interface Vlanif10 ip address 100.1.1.1 255.255.255.0 # interface GigabitEthernet1/0/0 port link-type trunk port trunk allow-pass vlan 10 # return
Issue 01 (2011-10-26)
253
Configuration file of Switch1

# sysname Switch1 # vlan batch 100 # interface GigabitEthernet2/0/0 port hybrid tagged vlan 100 # interface GigabitEthernet1/0/0 port hybrid untagged vlan 100 port vlan-stacking vlan 10 stack-vlan 100 # return

# sysname PE1 # vlan batch 20 # mpls lsr-id 1.1.1.9 mpls # mpls l2vpn mpls l2vpn default martini # mpls ldp # mpls ldp remote-peer 3.3.3.9 remote-ip 3.3.3.9 # interface Vlanif20 ip address 10.1.1.1 255.255.255.0 mpls mpls ldp # interface GigabitEthernet1/0/0 # interface GigabitEthernet1/0/0.1 control-vid 1000 qinq-termination qinq termination pe-vid 100 ce-vid 10 mpls l2vc 3.3.3.9 101 # interface GigabitEthernet2/0/0 port hybrid pvid vlan 20 port hybrid tagged vlan 20 # interface LoopBack1 ip address 1.1.1.9 255.255.255.255 # ospf 1 area 0.0.0.0 network 1.1.1.9 0.0.0.0 network 10.1.1.0 0.0.0.255 # return
# sysname P # vlan batch 20 30 # mpls lsr-id 2.2.2.9 mpls # mpls ldp #
Issue 01 (2011-10-26)
254

interface Vlanif 20 ip address 10.1.1.2 255.255.255.0 mpls mpls ldp # interface Vlanif 30 ip address 10.2.2.2 255.255.255.0 mpls mpls ldp # interface GigabitEthernet1/0/0 port hybrid pvid vlan 30 port hybrid tagged vlan 30 # interface GigabitEthernet2/0/0 port hybrid pvid vlan 20 port hybrid tagged vlan 20 # interface LoopBack1 ip address 2.2.2.9 255.255.255.255 # ospf 1 area 0.0.0.0 network 2.2.2.9 0.0.0.0 network 10.1.1.0 0.0.0.255 network 10.2.2.0 0.0.0.255 # return

# sysname PE2 # vlan batch 30 # mpls lsr-id 3.3.3.9 mpls # mpls l2vpn mpls l2vpn default martini # mpls ldp # mpls ldp remote-peer 1.1.1.9 remote-ip 1.1.1.9 # interface Vlanif 30 ip address 10.2.2.1 255.255.255.0 mpls mpls ldp # interface GigabitEthernet1/0/0 port hybrid pvid vlan 30 port hybrid tagged vlan 30 # interface GigabitEthernet2/0/0 # interface GigabitEthernet2/0/0.1 control-vid 2000 qinq-termination qinq termination pe-vid 100 ce-vid 10 mpls l2vc 1.1.1.9 101 # interface LoopBack1 ip address 3.3.3.9 255.255.255.255 # ospf 1 area 0.0.0.0 network 3.3.3.9 0.0.0.0 network 10.2.2.0 0.0.0.255
Issue 01 (2011-10-26)
255

# return


# sysname CE2 # vlan batch 10 # interface Vlanif 10 ip address 100.1.1.2 255.255.255.0 # interface GigabitEthernet1/0/0 port link-type trunk port trunk allow-pass vlan 10 # return
5.12.8 Example for Connecting a Sub-interface Enabled with the Single-Tag VLAN Mapping to a VLL Network
As shown in Figure 5-8, CE1 and CE2 are connected to PE1 and PE2 respectively through VLANs. A Martini VLL is set up between CE1 and CE2. Figure 5-8 Networking diagram for configuring a Martini VLL
Loopback1 1.1.1.9/32 PE 1 GE1/0/0 GE1/0/0
Loopback1 3.3.3.9/32 PE 2 GE 2/0/0 GE 1/0/0
GE 2/0/0 GE 2/0/0 P
GE 1/0/0 GE1/0/0
Martini
CE 1
Switch Interface VLANIF interface
CE 2
IP address
Issue 01 (2011-10-26)
256

PE1 GigabitEthernet1/0/0 GigabitEthernet2/0/0 Loopback1 PE2 GigabitEthernet1/0/0 GigabitEthernet2/0/0 Loopback1 P GigabitEthernet1/0/0 GigabitEthernet2/0/0 Loopback1 CE1 CE2 GigabitEthernet1/0/0 GigabitEthernet1/0/0 GigabitEthernet1/0/0.1 VLANIF 20 VLANIF 30 GigabitEthernet2/0/0.1 VLANIF 30 VLANIF 20 VLANIF 10 VLANIF 20
10.1.1.1/24 1.1.1.9/32 10.2.2.1/24 3.3.3.9/32 10.2.2.2/24 10.1.1.2/24 2.2.2.9/32 100.1.1.1/24 100.1.1.2/24
The configuration roadmap is as follows: 1. 2. 3. 4. 5. Configure the routing protocol on devices on the backbone network (PE and P) to implement interworking and enable MPLS. Use the default tunnel policy to create an LSP and configure the LSP as the tunnel for data transmission. Enable MPLS L2VPN and create VC connections on the PEs. Configure VLAN mapping of a single tag on the sub-interface of the PE1 interface connected to CE1 and connect the sub-interface to the VLL. Configure a dot1q sub-interface on the PE2 interface connected to CE2 and connect the dot1q sub-interface to the VLL.
Data Preparation
To complete the configuration, you need the following data: l l l l Name of the remote peer of each PE VC ID VLAN IDs used in VLAN mapping Encapsulation mode of the sub-interfaces and VLANs that the sub-interfaces belong to
Procedure
Step 1 Specify the VLANs that the interfaces of CEs, PEs, and P belong to and set the IP addresses of the corresponding VLANIF interfaces according to Figure 5-8. After the configuration, the packets sent from a CE to a switch should contain a VLAN tag. The configuration procedure is not mentioned.
Step 2 Configure an IGP on the MPLS backbone network. In this example, OSPF is used. When configuring OSPF, advertise the 32-bit addresses of loopback interfaces on PEs and P, which are used as the LSR IDs. The configuration procedure is not mentioned. After the configuration, OSPF neighbor relations are established between PE1, P, and PE2. By running the display ospf peer command, you can find that the status of the OSPF neighbor relations is Full. Run the display ip routing-table command, and you can see that the PEs can learn the routes of each other's Loopback1 interface. Step 3 Enable the basic MPLS functions and MPLS LDP on the MPLS network. # Configure PE1.
# Configure P.
# Configure PE2.

# Configure PE2.
Issue 01 (2011-10-26)
258
Step 5 Enable MPLS L2VPN on the PEs and create VC connections. # On PE1, create a VC connection on GigabitEthernet 1/0/0.1 that is connected to CE1.
[PE1] mpls l2vpn [PE1-l2vpn] mpls l2vpn default martini [PE1-l2vpn] quit [PE1] interface gigabitethernet 1/0/0.1 [PE1-GigabitEthernet1/0/0.1] qinq mapping vid 10 map-vlan vid 20 [PE1-GigabitEthernet1/0/0.1] mpls l2vc 3.3.3.9 101 [PE1-GigabitEthernet1/0/0.1] quit
# On PE2, create a VC connection on GigabitEthernet1/0/0.1 that is connected to CE2.

[PE2] mpls l2vpn [PE2-l2vpn] mpls l2vpn default martini [PE2-l2vpn] quit [PE2] interface gigabitethernet 2/0/0.1 [PE2-GigabitEthernet2/0/0.1] control-vid 2000 dot1q-termination [PE2-GigabitEthernet2/0/0.1] dot1q termination vid 20 [PE2-GigabitEthernet2/0/0.1] mpls l2vc 1.1.1.9 101 [PE2-GigabitEthernet2/0/0.1] quit
<PE1> display mpls l2vc interface gigabitethernet 1/0/0.1 *client interface : gigabitethernet 1/0/0.1 is up session state : up AC state : up VC state : up VC ID : 101 VC type : VLAN destination : 3.3.3.9 local group ID : 0 remote group ID local VC label : 21504 remote VC label local AC OAM State : up local PSN State : up local forwarding state : forwarding BFD for PW : unavailable manual fault : not set active state : active forwarding entry : not exist link state : up local VC MTU : 1500 remote VC MTU local VCCV : Disable remote VCCV : none
: 0 : 21504
: 1500
Issue 01 (2011-10-26)
259

local control word tunnel policy name traffic behavior name PW template name primary or secondary VC tunnel/token info NO.0 TNL type : lsp create time up time last change time : : : : : : disable remote control ---primary 1 tunnels/tokens , TNL ID : 0x10007 : 0 days, 0 hours, 4 minutes, : 0 days, 0 hours, 3 minutes, : 0 days, 0 hours, 3 minutes, word
: none
19 seconds 45 seconds 45 seconds
----End
Configuration Files

# sysname PE1 # vlan batch 20 # mpls lsr-id 1.1.1.9 mpls # mpls l2vpn mpls l2vpn default martini # mpls ldp # mpls ldp remote-peer 3.3.3.9 remote-ip 3.3.3.9 # interface Vlanif20 ip address 10.1.1.1 255.255.255.0 mpls mpls ldp
Issue 01 (2011-10-26)
260

# interface GigabitEthernet1/0/0 # interface GigabitEthernet1/0/0.1 qinq mapping vid 10 map-vlan vid 20 mpls l2vc 3.3.3.9 101 # interface GigabitEthernet2/0/0 port hybrid pvid vlan 20 port hybrid tagged vlan 20 # interface LoopBack1 ip address 1.1.1.9 255.255.255.255 # ospf 1 area 0.0.0.0 network 1.1.1.9 0.0.0.0 network 10.1.1.0 0.0.0.255 # return
# sysname P # vlan batch 20 30 # mpls lsr-id 2.2.2.9 mpls # mpls ldp # interface Vlanif 20 ip address 10.1.1.2 255.255.255.0 mpls mpls ldp # interface Vlanif 30 ip address 10.2.2.2 255.255.255.0 mpls mpls ldp # interface GigabitEthernet1/0/0 port hybrid pvid vlan 30 port hybrid tagged vlan 30 # interface GigabitEthernet2/0/0 port hybrid pvid vlan 20 port hybrid tagged vlan 20 # interface LoopBack1 ip address 2.2.2.9 255.255.255.255 # ospf 1 area 0.0.0.0 network 2.2.2.9 0.0.0.0 network 10.1.1.0 0.0.0.255 network 10.2.2.0 0.0.0.255 # return

# sysname PE2 # vlan batch 30 # mpls lsr-id 3.3.3.9 mpls #
Issue 01 (2011-10-26)
261

mpls l2vpn mpls l2vpn default martini # mpls ldp # mpls ldp remote-peer 1.1.1.9 remote-ip 1.1.1.9 # interface Vlanif 30 ip address 10.2.2.1 255.255.255.0 mpls mpls ldp # interface GigabitEthernet1/0/0 port hybrid pvid vlan 30 port hybrid tagged vlan 30 # interface GigabitEthernet2/0/0 # interface GigabitEthernet2/0/0.1 control-vid 2000 dot1q-termination dot1q termination vid 20 mpls l2vc 1.1.1.9 101 # interface LoopBack1 ip address 3.3.3.9 255.255.255.255 # ospf 1 area 0.0.0.0 network 3.3.3.9 0.0.0.0 network 10.2.2.0 0.0.0.255 # return

5.12.9 Example for Connecting a Sub-interface Enabled with Double-Tag VLAN Mapping to a VLL Network
As shown in Figure 5-9, CE1 and CE2 are connected to PE1 and PE2 respectively through VLANs. A Martini VLL is set up between CE1 and CE2. Switch1 is connected to CE1 and PE1. Switch2 is connected to CE2 and PE2. Selective QinQ is configured on the interfaces connected to CEs so that the switches add the VLAN tags specified by the carrier to the packets sent from CEs.
When Switch1 and Switch2 add different VLAN tags to packets, configure VLAN mapping of double tags on a sub-interface and connect the sub-interface to the VLL. Then CE1 and CE2 can communicate with each other. When a switch is connected to multiple CEs, the switch can add different VLAN tags to the packets from different CEs, that is, packets with different VLAN tags. This saves VLAN IDs on the public network. Figure 5-9 Networking diagram for configuring a Martini VLL
PE1 GE1/0/0 GE2/0/0
GE2/0/0 GE1/0/0 P
GE2/0/0 GE1/0/0
PE2 GE2/0/0 GE2/0/0
CE1
Switch PE1 Interface GigabitEthernet1/0/0 GigabitEthernet2/0/0 Loopback1 PE2 GigabitEthernet1/0/0 GigabitEthernet2/0/0 Loopback1 P GigabitEthernet1/0/0 GigabitEthernet2/0/0 Loopback1 CE1 CE2 GigabitEthernet1/0/0 GigabitEthernet1/0/0 VLANIF interface
CE2
IP address 10.1.1.1/24 1.1.1.9/32 10.2.2.1/24 3.3.3.9/32 10.2.2.2/24 10.1.1.2/24 2.2.2.9/32 100.1.1.1/24 100.1.1.2/24
GigabitEthernet1/0/0.1 VLANIF 20 VLANIF 30 GigabitEthernet2/0/0.1 VLANIF 30 VLANIF 20 VLANIF 10 VLANIF 10
The configuration roadmap is as follows:
1. 2. 3. 4. 5. 6.
Configure the routing protocol on devices on the backbone network (PE and P) to implement interworking and enable MPLS. Use the default tunnel policy to create an LSP and configure the LSP as the tunnel for data transmission. Enable MPLS L2VPN and create VC connections on the PEs. Configure VLAN mapping of double tags on the sub-interface of the PE1 interface connected to CE1 and connect the sub-interface to the VLL network. Configure QinQ sub-interfaces on the PE interfaces connected to the switches and connect the QinQ sub-interfaces to the VLL network. Configure selective QinQ on the switch interfaces connected to CEs.
Data Preparation
To complete the configuration, you need the following data: l l l l Name of the remote peer of each PE VC ID VLAN IDs used in VLAN mapping Encapsulation mode of the sub-interfaces and VLANs that the sub-interfaces belong to
Procedure
Step 1 Specify the VLANs that the interfaces of CEs, PEs, and P belong to and set the IP addresses of the corresponding VLANIF interfaces according to Figure 5-9. After the configuration, the packets sent from a CE to a switch should contain a VLAN tag. The configuration procedure is not mentioned. Step 2 Configure selective QinQ on the interfaces of the switches and specify the VLANs allowed by the interfaces. # Configure Switch1.
Step 3 Configure an IGP on the MPLS backbone network. In this example, OSPF is used.
When configuring OSPF, advertise the 32-bit addresses of loopback interfaces on PEs and P, which are used as the LSR IDs. The configuration procedure is not mentioned. After the configuration, OSPF neighbor relations are established between PE1, P, and PE2. By running the display ospf peer command, you can find that the status of the OSPF neighbor relations is Full. Run the display ip routing-table command, and you can see that the PEs can learn the routes of each other's Loopback1 interface. Step 4 Enable the basic MPLS functions and MPLS LDP on the MPLS network. # Configure PE1.
# Configure P.
# Configure PE2.

# Configure PE2.
After the configuration, run the display mpls ldp session command on PE1 to view the status of the LDP session. You can see that an LDP session is set up between PE1 and PE2.
Take the display on PE1 as an example.

Step 6 Enable MPLS L2VPN on the PEs and create VC connections. # Configure PE1: Create a VC connection on GigabitEthernet 1/0/0.1 that is connected to CE1.
[PE1] mpls l2vpn [PE1-l2vpn] mpls l2vpn default martini [PE1-l2vpn] quit [PE1] interface gigabitethernet 1/0/0.1 [PE1-GigabitEthernet1/0/0.1] qinq mapping pe-vid 100 ce-vid 10 map-vlan vid 200 [PE1-GigabitEthernet1/0/0.1] mpls l2vc 3.3.3.9 101 [PE1-GigabitEthernet1/0/0.1] quit
# Configure PE2, create a VC connection on GigabitEthernet 2/0/0.1 that is connected to CE1.

<PE1> display mpls l2vc interface gigabitethernet 1/0/0.1 *client interface : gigabitethernet 1/0/0.1 is up session state : up AC state : up VC state : up VC ID : 101 VC type : VLAN destination : 3.3.3.9 local group ID : 0 remote group ID local VC label : 21504 remote VC label local AC OAM State : up local PSN State : up local forwarding state : forwarding BFD for PW : unavailable manual fault : not set active state : active forwarding entry : not exist link state : up local VC MTU : 1500 remote VC MTU local VCCV : Disable remote VCCV : none local control word : disable remote control word tunnel policy name : -traffic behavior name : --
: 0 : 21504
: 1500 : none
Issue 01 (2011-10-26)
266

PW template name primary or secondary VC tunnel/token info NO.0 TNL type : lsp create time up time last change time
: -: primary : 1 tunnels/tokens , TNL ID : 0x10007 : 0 days, 0 hours, 4 minutes, 19 seconds : 0 days, 0 hours, 3 minutes, 45 seconds : 0 days, 0 hours, 3 minutes, 45 seconds
----End
Configuration Files


# sysname PE1 # vlan batch 20 # mpls lsr-id 1.1.1.9 mpls #
Issue 01 (2011-10-26)
267

mpls l2vpn mpls l2vpn default martini # mpls ldp # mpls ldp remote-peer 3.3.3.9 remote-ip 3.3.3.9 # interface Vlanif20 ip address 10.1.1.1 255.255.255.0 mpls mpls ldp # interface GigabitEthernet1/0/0 # interface GigabitEthernet1/0/0.1 qinq mapping pe-vid 100 ce-vid 10 map-vlan vid 200 mpls l2vc 3.3.3.9 101 # interface GigabitEthernet2/0/0 port hybrid pvid vlan 20 port hybrid tagged vlan 20 # interface LoopBack1 ip address 1.1.1.9 255.255.255.255 # ospf 1 area 0.0.0.0 network 1.1.1.9 0.0.0.0 network 10.1.1.0 0.0.0.255 # return
# sysname P # vlan batch 20 30 # mpls lsr-id 2.2.2.9 mpls # mpls ldp # interface Vlanif 20 ip address 10.1.1.2 255.255.255.0 mpls mpls ldp # interface Vlanif 30 ip address 10.2.2.2 255.255.255.0 mpls mpls ldp # interface GigabitEthernet1/0/0 port hybrid pvid vlan 30 port hybrid tagged vlan 30 # interface GigabitEthernet2/0/0 port hybrid pvid vlan 20 port hybrid tagged vlan 20 # interface LoopBack1 ip address 2.2.2.9 255.255.255.255 # ospf 1 area 0.0.0.0 network 2.2.2.9 0.0.0.0 network 10.1.1.0 0.0.0.255 network 10.2.2.0 0.0.0.255
Issue 01 (2011-10-26)
268

# return

# sysname PE2 # vlan batch 30 # mpls lsr-id 3.3.3.9 mpls # mpls l2vpn mpls l2vpn default martini # mpls ldp # mpls ldp remote-peer 1.1.1.9 remote-ip 1.1.1.9 # interface Vlanif 30 ip address 10.2.2.1 255.255.255.0 mpls mpls ldp # interface GigabitEthernet1/0/0 port hybrid pvid vlan 30 port hybrid tagged vlan 30 # interface GigabitEthernet2/0/0 # interface GigabitEthernet2/0/0.1 control-vid 2000 qinq-termination qinq termination pe-vid 200 ce-vid 10 mpls l2vc 1.1.1.9 101 # interface LoopBack1 ip address 3.3.3.9 255.255.255.255 # ospf 1 area 0.0.0.0 network 3.3.3.9 0.0.0.0 network 10.2.2.0 0.0.0.255 # return


# sysname CE2 # vlan batch 10 # interface Vlanif 10 ip address 100.1.1.2 255.255.255.0 #
Issue 01 (2011-10-26)
269

interface GigabitEthernet1/0/0 port link-type trunk port trunk allow-pass vlan 10 # return
5.12.10 Example for Connecting a Sub-interface Enabled with VLAN Stacking to a VLL Network
As shown in Figure 5-10, CE1 and CE2 are connected to PE1 and PE2 respectively through VLANs. A Martini VLL is set up between CE1 and CE2. Switch1 is connected to CE1 and PE1. Switch2 is connected to CE2 and PE2. Switch1 forwards the packets sent from CE1 without changing the VLAN tags of the packets. Selective QinQ is configured on the interface connected to CE2 so that Switch2 adds the VLAN tag specified by the carrier to the packets sent from CE2. The packets sent by Switch1 to PE1 contain only one VLAN tag, and the packets sent by Switch2 to PE2 contain two VLAN tags. Therefore, you need to configure VLAN stacking on the sub-interface of PE1 connected to Switch1 and connect the sub-interface to the VLL. Then CE1 and CE2 can communicate with each other. When a switch is connected to multiple CEs, the switch can add different VLAN tags to the packets from different CEs, that is, packets with different VLAN tags. This saves VLAN IDs on the public network. Figure 5-10 Networking diagram for configuring a Martini VLL
PE1 GE1/0/0 GE2/0/0
GE2/0/0 GE1/0/0 P
GE2/0/0 GE1/0/0
PE2 GE2/0/0 GE2/0/0
CE1
Switch Interface VLANIF interface
CE2
IP address
Issue 01 (2011-10-26)
270

PE1 GigabitEthernet1/0/0 GigabitEthernet2/0/0 Loopback1 PE2 GigabitEthernet1/0/0 GigabitEthernet2/0/0 Loopback1 P GigabitEthernet1/0/0 GigabitEthernet2/0/0 Loopback1 CE1 CE2 GigabitEthernet1/0/0 GigabitEthernet1/0/0 GigabitEthernet1/0/0.1 VLANIF 20 VLANIF 30 GigabitEthernet2/0/0.1 VLANIF 30 VLANIF 20 VLANIF 10 VLANIF 10
10.1.1.1/24 1.1.1.9/32 10.2.2.1/24 3.3.3.9/32 10.2.2.2/24 10.1.1.2/24 2.2.2.9/32 100.1.1.1/24 100.1.1.2/24
The configuration roadmap is as follows: 1. 2. 3. 4. 5. 6. 7. Configure the routing protocol on devices on the backbone network (PE and P) to implement interworking and enable MPLS. Use the default tunnel policy to create an LSP and configure the LSP as the tunnel for data transmission. Enable MPLS L2VPN and create VC connections on the PEs. On PE1, configure VLAN stacking on the sub-interface connected to Switch1 and connect the sub-interface to the VLL. On PE2, configure a QinQ sub-interface on the interface connected to Switch2 and connect the sub-interface to VLL. On Switch1, add the interface connected to CE1 to a specified VLAN. On Switch2, configure selective QinQ on the interface connected to CE2.
Data Preparation
To complete the configuration, you need the following data: l l l l Name of the remote peer of each PE VC ID VLAN IDs used in VLAN stacking Encapsulation mode of the sub-interfaces and VLANs that the sub-interfaces belong to
Procedure
Step 1 Specify the VLANs that the interfaces of CEs, PEs, and P belong to and set the IP addresses of the corresponding VLANIF interfaces according to Figure 5-10. After the configuration, the packets sent from a CE to a switch should contain a VLAN tag.
The configuration procedure is not mentioned. Step 2 Configure selective QinQ on the interfaces of the switches and specify the VLANs allowed by the interfaces. # Configure Switch1.
[Switch1] vlan 10 [Switch1-vlan100] quit [Switch1] interface gigabitethernet [Switch1-GigabitEthernet2/0/0] port [Switch1-GigabitEthernet2/0/0] quit [Switch1] interface gigabitethernet [Switch1-GigabitEthernet1/0/0] port [Switch1-GigabitEthernet1/0/0] quit
2/0/0 hybrid tagged vlan 10 1/0/0 hybrid tagged vlan 10
Step 3 Configure an IGP on the MPLS backbone network. In this example, OSPF is used. When configuring OSPF, advertise the 32-bit addresses of loopback interfaces on PEs and P, which are used as the LSR IDs. The configuration procedure is not mentioned. After the configuration, OSPF neighbor relations are established between PE1, P, and PE2. By running the display ospf peer command, you can find that the status of the OSPF neighbor relations is Full. Run the display ip routing-table command, and you can see that the PEs can learn the routes of each other's Loopback1 interface. Step 4 Enable the basic MPLS functions and MPLS LDP on the MPLS network. # Configure PE1.
# Configure P.
[P] mpls lsr-id 2.2.2.9 [P] mpls [P-mpls] quit [P] mpls ldp [P-mpls-ldp] quit [P] interface vlanif 20 [P-Vlanif20] mpls [P-Vlanif20] mpls ldp [P-Vlanif20] quit [P] interface vlanif 30 [P-Vlanif30] mpls
Issue 01 (2011-10-26)
272

[P-Vlanif30] mpls ldp [P-Vlanif30] quit
# Configure PE2.

# Configure PE2.
Step 6 Enable MPLS L2VPN on the PEs and create VC connections. # On PE1, create a VC connection on GigabitEthernet 1/0/0.1 that is connected to CE1.
[PE1] mpls l2vpn [PE1-l2vpn] mpls l2vpn default martini [PE1-l2vpn] quit [PE1] interface gigabitethernet 1/0/0.1 [PE1-GigabitEthernet1/0/0.1] qinq stacking vid 10 pe-vid 100 [PE1-GigabitEthernet1/0/0.1] mpls l2vc 3.3.3.9 101 [PE1-GigabitEthernet1/0/0.1] quit
# On PE2, create a VC connection on GigabitEthernet 2/0/0.1 that is connected to CE1.

Issue 01 (2011-10-26)
273
----End
Configuration Files
# sysname CE1 # vlan batch 10 # interface Vlanif10 ip address 100.1.1.1 255.255.255.0
Issue 01 (2011-10-26)
274

# interface GigabitEthernet1/0/0 port link-type trunk port trunk allow-pass vlan 10 # return

# sysname Switch1 # vlan batch 10 # interface GigabitEthernet2/0/0 port hybrid tagged vlan 10 # interface GigabitEthernet1/0/0 port hybrid tagged vlan 10 # return

# sysname PE1 # vlan batch 20 # mpls lsr-id 1.1.1.9 mpls # mpls l2vpn mpls l2vpn default martini # mpls ldp # mpls ldp remote-peer 3.3.3.9 remote-ip 3.3.3.9 # interface Vlanif20 ip address 10.1.1.1 255.255.255.0 mpls mpls ldp # interface GigabitEthernet1/0/0 # interface GigabitEthernet1/0/0.1 qinq stacking vid 10 pe-vid 100 mpls l2vc 3.3.3.9 101 # interface GigabitEthernet2/0/0 port hybrid pvid vlan 20 port hybrid tagged vlan 20 # interface LoopBack1 ip address 1.1.1.9 255.255.255.255 # ospf 1 area 0.0.0.0 network 1.1.1.9 0.0.0.0 network 10.1.1.0 0.0.0.255 # return
# sysname P # vlan batch 20 30 # mpls lsr-id 2.2.2.9
Issue 01 (2011-10-26)
275

mpls # mpls ldp # interface Vlanif 20 ip address 10.1.1.2 255.255.255.0 mpls mpls ldp # interface Vlanif 30 ip address 10.2.2.2 255.255.255.0 mpls mpls ldp # interface GigabitEthernet1/0/0 port hybrid pvid vlan 30 port hybrid tagged vlan 30 # interface GigabitEthernet2/0/0 port hybrid pvid vlan 20 port hybrid tagged vlan 20 # interface LoopBack1 ip address 2.2.2.9 255.255.255.255 # ospf 1 area 0.0.0.0 network 2.2.2.9 0.0.0.0 network 10.1.1.0 0.0.0.255 network 10.2.2.0 0.0.0.255 # return

# sysname PE2 # vlan batch 30 # mpls lsr-id 3.3.3.9 mpls # mpls l2vpn mpls l2vpn default martini # mpls ldp # mpls ldp remote-peer 1.1.1.9 remote-ip 1.1.1.9 # interface Vlanif 30 ip address 10.2.2.1 255.255.255.0 mpls mpls ldp # interface GigabitEthernet1/0/0 port hybrid pvid vlan 30 port hybrid tagged vlan 30 # interface GigabitEthernet2/0/0 # interface GigabitEthernet2/0/0.1 control-vid 2000 qinq-termination qinq termination pe-vid 100 ce-vid 10 mpls l2vc 1.1.1.9 101 # interface LoopBack1 ip address 3.3.3.9 255.255.255.255 # ospf 1
Issue 01 (2011-10-26)
276

area 0.0.0.0 network 3.3.3.9 0.0.0.0 network 10.2.2.0 0.0.0.255 # return


5.12.11 Example for Connecting Dot1q Sub-interfaces to a VPLS Network

As shown in Figure 5-11, VPLS is enabled on PE1 and PE2. CE1 is connected to PE1 and CE2 is connected to PE2. CE1 and CE2 belong to the same VSI. LDP is used as the VPLS signaling protocol to set up the PW and Martini VPLS is configured to enable CE1 and CE2 to communicate with each other.
Issue 01 (2011-10-26)
277
Figure 5-11 Networking diagram for configuring Martini VPLS
Loopback1 1.1.1.9/32 PE 1 GE1/0/0 GE1/0/0
Loopback1 3.3.3.9/32 PE 2 GE 2/0/0 GE 1/0/0
GE 2/0/0 GE 2/0/0 P
GE 1/0/0 GE1/0/0
Martini
CE 1
Switch PE1 Interface GigabitEthernet1/0/0 GigabitEthernet2/0/0 Loopback1 PE2 GigabitEthernet1/0/0 GigabitEthernet2/0/0 Loopback1 P GigabitEthernet1/0/0 GigabitEthernet2/0/0 Loopback1 CE1 CE2 GigabitEthernet1/0/0 GigabitEthernet1/0/0 VLANIF interface GigabitEthernet1/0/0.1 VLANIF 20 VLANIF 30 GigabitEthernet2/0/0.1 VLANIF 20 VLANIF 30 VLANIF 10 VLANIF 10
CE 2
IP address 168.1.1.1/24 1.1.1.9/32 169.1.1.2/24 3.3.3.9/32 168.1.1.2/24 169.1.1.1/24 2.2.2.9/32 10.1.1.1/24 10.1.1.2/24
The configuration roadmap is as follows: 1. 2. 3. 4. 5. 6. Configure the routing protocol on the backbone network to implement interworking. Set up a remote LDP session between the PEs. Set up a tunnel between the PEs to transmit user data. Enable MPLS L2VPN on the PEs. Create VSIs on PEs, specify LDP as the signaling protocol, and bind the VSI to related AC interfaces. Configure dot1q sub-interfaces on the PE interfaces connected to CEs and connect the dot1q sub-interfaces to the VPLS network.
Data Preparation
To complete the configuration, you need the following data:
l l l l
VSI name and VSI ID IP addresses of peers and tunnel policy used for setting up the peer relationship Interfaces to which the VSI is bound Encapsulation mode of the sub-interfaces and VLANs that the sub-interfaces belong to
Procedure
Step 1 Configure the VLANs that the interfaces belong to according to Figure 5-11. The configuration procedure is not mentioned.
NOTE
l The AC-side physical interface and PW-side physical interface of a PE cannot be added to the same VLAN; otherwise, a loop occurs. l After the configuration, the packets sent from a CE to a switch should contain a VLAN tag.
Step 2 Configure the IGP protocol. OSPF is used in this example. When configuring OSPF, advertise the 32-bit loopback interface addresses (LSR IDs) of PE1, P, and PE2. The configuration details are not mentioned here. After the configuration, run the display ip routing-table command on PE1, P, and PE2. You can view the routes learned by PE1, P, and PE2 from each other. Step 3 Configure basic MPLS functions and LDP. The configuration procedure is not mentioned. After the configuration, run the display mpls ldp session command on PE1, P and PE2. You can see that the peer relationship is set up between PE1 and P, and between P and PE2. The status of the peer relationship is Operational. Run the display mpls lsp command, and you can see the status of the LSP. Step 4 Create remote LDP sessions between PEs. # Configure PE1.
# Configure PE2.
After the configuration, run the display mpls ldp session command on PE1 or PE2, and you can find that the status of the peer relationship between PE1 and PE2 is Operational. That is, the peer relationship is set up. Step 5 Enable MPLS L2VPN on PEs. # Configure PE1.
[PE1] mpls l2vpn
# Configure PE2.

[PE2] mpls l2vpn
Step 6 Configure VSIs on PEs. # Configure PE1.

[PE1] vsi a2 static [PE1-vsi-a2] pwsignal ldp [PE1-vsi-a2-ldp] vsi-id 2 [PE1-vsi-a2-ldp] peer 3.3.3.9
# Configure PE2.
Step 7 Bind the VSI to interfaces on PEs. # Configure PE1.

[PE1] interface gigabitethernet 1/0/0.1 [PE1-GigabitEthernet1/0/0.1] control-vid 1000 dot1q-termination [PE1-GigabitEthernet1/0/0.1] dot1q termination vid 10 [PE1-GigabitEthernet1/0/0.1] l2 binding vsi a2 [PE1-GigabitEthernet1/0/0.1] quit
# Configure PE2.
Step 8 Assign IP addresses to VLANIF interfaces on the CEs. # Configure CE1.

<Quidway> sysname CE1 [CE1] interface vlanif 10 [CE1-Vlanif10] ip address 10.1.1.1 255.255.255.0 [CE1-Vlanif10] quit
# Configure CE2.
Step 9 Verify the configuration. After the configuration, run the display vsi name a2 verbose command on PE1, and you can find that VSI a2 sets up a PW to PE2, and the status of the VSI is Up.
<PE1> display vsi name a2 verbose ***VSI Name Administrator VSI Isolate Spoken VSI Index PW Signaling Member Discovery Style PW MAC Learn Style Encapsulation Type MTU Mode : : : : : : : : : : a2 no disable 0 ldp static unqualify vlan 1500 uniform
Issue 01 (2011-10-26)
280

Service Class Color DomainId Domain Name VSI State VSI ID *Peer Router ID VC Label Peer Type Session Tunnel ID Interface Name State **PW Information: *Peer Ip Address PW State Local VC Label Remote VC Label PW Type Tunnel ID : : : : : : 3.3.3.9 up 23552 23552 label 0x20021, : : : : : : : : : : : --0 up 2 3.3.3.9 23552 dynamic up 0x20021,
: Vlanif10 : up
CE1 (10.1.1.1) can ping CE2 (10.1.1.2) successfully.

<CE1> ping 10.1.1.2 PING 10.1.1.2: 56 data bytes, press CTRL_C to break Reply from 10.1.1.2: bytes=56 Sequence=1 ttl=255 time=90 Reply from 10.1.1.2: bytes=56 Sequence=2 ttl=255 time=77 Reply from 10.1.1.2: bytes=56 Sequence=3 ttl=255 time=34 Reply from 10.1.1.2: bytes=56 Sequence=4 ttl=255 time=46 Reply from 10.1.1.2: bytes=56 Sequence=5 ttl=255 time=94 --- 10.1.1.2 ping statistics --5 packet(s) transmitted 5 packet(s) received 0.00% packet loss round-trip min/avg/max = 34/68/94 ms
ms ms ms ms ms
----End
Configuration Files

# sysname CE2 # vlan batch 10 # interface Vlanif10 ip address 10.1.1.2 255.255.255.0 #
Issue 01 (2011-10-26)
281

interface GigabitEthernet1/0/0 port link-type trunk port trunk allow-pass vlan 10 # return

# sysname PE1 # vlan batch 20 # mpls lsr-id 1.1.1.9 mpls # mpls l2vpn # vsi a2 static pwsignal ldp vsi-id 2 peer 3.3.3.9 # mpls ldp # mpls ldp remote-peer 3.3.3.9 remote-ip 3.3.3.9 # interface Vlanif20 ip address 168.1.1.1 255.255.255.0 mpls mpls ldp # interface GigabitEthernet1/0/0 # interface GigabitEthernet1/0/0.1 control-vid 1000 dot1q-termination dot1q termination vid 10 l2 binding vsi a2 # interface GigabitEthernet2/0/0 port hybrid pvid vlan 20 port hybrid tagged vlan 20 # interface LoopBack1 ip address 1.1.1.9 255.255.255.255 # ospf 1 area 0.0.0.0 network 1.1.1.9 0.0.0.0 network 168.1.1.0 0.0.0.255 # return
# sysname P # vlan batch 20 30 # mpls lsr-id 2.2.2.9 mpls # mpls ldp # interface Vlanif20 ip address 168.1.1.2 255.255.255.0 mpls mpls ldp # interface Vlanif30
Issue 01 (2011-10-26)
282


# sysname PE2 # vlan batch 30 # mpls lsr-id 3.3.3.9 mpls # mpls l2vpn # vsi a2 static pwsignal ldp vsi-id 2 peer 1.1.1.9 # mpls ldp # mpls ldp remote-peer 1.1.1.9 remote-ip 1.1.1.9 # interface Vlanif30 ip address 169.1.1.2 255.255.255.0 mpls mpls ldp # interface GigabitEthernet1/0/0 port hybrid pvid vlan 30 port hybrid tagged vlan 30 # interface GigabitEthernet2/0/0 # interface GigabitEthernet2/0/0.1 control-vid 2000 dot1q-termination dot1q termination vid 10 l2 binding vsi a2 # interface LoopBack1 ip address 3.3.3.9 255.255.255.255 # ospf 1 area 0.0.0.0 network 3.3.3.9 0.0.0.0 network 169.1.1.0 0.0.0.255 # return
Issue 01 (2011-10-26)
283
5.12.12 Example for Connecting QinQ Sub-interfaces to a VPLS Network

As shown in Figure 5-12, VPLS is enabled on PE1 and PE2. CE1 is connected to Switch1 through PE1, and CE2 is connected to Switch2 through PE2. CE1 and CE2 belong to the same VSI. LDP is used as the VPLS signaling protocol to set up the PW and Martini VPLS is configured to enable CE1 and CE2 to communicate with each other. It is required that you configure selective QinQ on the interfaces connected to CEs so that the switches add the VLAN tags specified by the carrier to the packets sent from CEs. When a switch is connected to multiple CEs, the switch can add different VLAN tags to the packets from different CEs, that is, packets with different VLAN tags. This saves VLAN IDs on the public network. Figure 5-12 Networking diagram for configuring Martini VPLS
PE1 GE1/0/0 GE2/0/0
GE2/0/0 GE1/0/0 P
GE2/0/0 GE1/0/0
PE2 GE2/0/0 GE2/0/0
CE1
Switch PE1 Interface GigabitEthernet1/0/0 GigabitEthernet2/0/0 Loopback1 PE2 GigabitEthernet1/0/0 GigabitEthernet2/0/0 Loopback1 P GigabitEthernet1/0/0 GigabitEthernet2/0/0 Loopback1 VLANIF interface
CE2
IP address 168.1.1.1/24 1.1.1.9/32 169.1.1.2/24 3.3.3.9/32 168.1.1.2/24 169.1.1.1/24 2.2.2.9/32
GigabitEthernet1/0/0.1 VLANIF 20 VLANIF 30 GigabitEthernet2/0/0.1 VLANIF 20 VLANIF 30 -
Issue 01 (2011-10-26)
284

CE1 CE2 GigabitEthernet1/0/0 GigabitEthernet1/0/0 VLANIF 10 VLANIF 10
10.1.1.1/24 10.1.1.2/24
The configuration roadmap is as follows: 1. 2. 3. 4. 5. 6. 7. Configure the routing protocol on the backbone network to implement interworking. Set up a remote LDP session between the PEs. Set up a tunnel between the PEs to transmit user data. Enable MPLS L2VPN on the PEs. Create VSIs on PEs, specify LDP as the signaling protocol, and bind the VSI to related AC interfaces. Configure QinQ sub-interfaces on the PE interfaces connected to the switches and connect the QinQ sub-interfaces to the VPLS network. Configure selective QinQ on the switch interfaces connected to CEs.
Data Preparation
To complete the configuration, you need the following data: l l l l VSI name and VSI ID IP addresses of peers and tunnel policy used for setting up the peer relationship Interfaces to which the VSI is bound Encapsulation mode of the sub-interfaces and VLANs that the sub-interfaces belong to
Procedure
NOTE
Step 2 Configure selective QinQ on the interfaces of the switches and specify the VLANs allowed by the interfaces. # Configure Switch1.
Issue 01 (2011-10-26)
285
Step 3 Configure the IGP protocol. OSPF is used in this example. When configuring OSPF, advertise the 32-bit loopback interface addresses (LSR IDs) of PE1, P, and PE2. The configuration details are not mentioned here. After the configuration, run the display ip routing-table command on PE1, P, and PE2. You can view the routes learned by PE1, P, and PE2 from each other. Step 4 Configure basic MPLS functions and LDP. The configuration procedure is not mentioned. After the configuration, run the display mpls ldp session command on PE1, P and PE2. You can see that the peer relationship is set up between PE1 and P, and between P and PE2. The status of the peer relationship is Operational. Run the display mpls lsp command, and you can see the status of the LSP. Step 5 Create remote LDP sessions between PEs. # Configure PE1.
# Configure PE2.
[PE1] mpls l2vpn
# Configure PE2.
[PE2] mpls l2vpn

Issue 01 (2011-10-26)
286
# Configure PE2.
Step 8 Bind VSIs to interfaces on PEs. # Configure PE1.

[PE1] interface gigabitethernet 1/0/0.1 [PE1-GigabitEthernet1/0/0.1] control-vid 1000 qinq-termination [PE1-GigabitEthernet1/0/0.1] qinq termination pe-vid 100 ce-vid 10 [PE1-GigabitEthernet1/0/0.1] l2 binding vsi a2 [PE1-GigabitEthernet1/0/0.1] quit
# Configure PE2.

# Configure CE2.
<PE1> display vsi name a2 verbose ***VSI Name Administrator VSI Isolate Spoken VSI Index PW Signaling Member Discovery Style PW MAC Learn Style Encapsulation Type MTU Mode Service Class Color DomainId Domain Name VSI State VSI ID *Peer Router ID VC Label Peer Type Session : : : : : : : : : : : : : : : : : : : : a2 no disable 0 ldp static unqualify vlan 1500 uniform --0 up 2 3.3.3.9 23552 dynamic up
Issue 01 (2011-10-26)
287

Tunnel ID Interface Name State **PW Information: *Peer Ip Address PW State Local VC Label Remote VC Label PW Type Tunnel ID : : : : : : 3.3.3.9 up 23552 23552 label 0x20021, : 0x20021, : Vlanif10 : up

ms ms ms ms ms
----End
Configuration Files


# sysname Switch1 # vlan batch 100
Issue 01 (2011-10-26)
288

# interface GigabitEthernet2/0/0 port hybrid tagged vlan 100 # interface GigabitEthernet1/0/0 port hybrid untagged vlan 100 port vlan-stacking vlan 10 stack-vlan 100 # return


# sysname PE1 # vlan batch 20 # mpls lsr-id 1.1.1.9 mpls # mpls l2vpn # vsi a2 static pwsignal ldp vsi-id 2 peer 3.3.3.9 # mpls ldp # mpls ldp remote-peer 3.3.3.9 remote-ip 3.3.3.9 # interface Vlanif20 ip address 168.1.1.1 255.255.255.0 mpls mpls ldp # interface GigabitEthernet1/0/0 # interface GigabitEthernet1/0/0.1 control-vid 1000 qinq-termination qinq termination pe-vid 100 ce-vid 10 l2 binding vsi a2 # interface GigabitEthernet2/0/0 port hybrid pvid vlan 20 port hybrid tagged vlan 20 # interface LoopBack1 ip address 1.1.1.9 255.255.255.255 # ospf 1 area 0.0.0.0 network 1.1.1.9 0.0.0.0 network 168.1.1.0 0.0.0.255
Issue 01 (2011-10-26)
289

# return
# sysname P # vlan batch 20 30 # mpls lsr-id 2.2.2.9 mpls # mpls ldp # interface Vlanif20 ip address 168.1.1.2 255.255.255.0 mpls mpls ldp # interface Vlanif30 ip address 169.1.1.1 255.255.255.0 mpls mpls ldp # interface GigabitEthernet1/0/0 port hybrid pvid vlan 20 port hybrid tagged vlan 20 # interface GigabitEthernet2/0/0 port hybrid pvid vlan 30 port hybrid tagged vlan 30 # interface LoopBack1 ip address 2.2.2.9 255.255.255.255 # ospf 1 area 0.0.0.0 network 168.1.1.0 0.0.0.255 network 169.1.1.0 0.0.0.255 network 2.2.2.9 0.0.0.0 # return

# sysname PE2 # vlan batch 30 # mpls lsr-id 3.3.3.9 mpls # mpls l2vpn # vsi a2 static pwsignal ldp vsi-id 2 peer 1.1.1.9 # mpls ldp # mpls ldp remote-peer 1.1.1.9 remote-ip 1.1.1.9 # interface Vlanif30 ip address 169.1.1.2 255.255.255.0 mpls mpls ldp # interface GigabitEthernet1/0/0
Issue 01 (2011-10-26)
290

port hybrid pvid vlan 30 port hybrid tagged vlan 30 # interface GigabitEthernet2/0/0 # interface GigabitEthernet2/0/0.1 control-vid 2000 qinq-termination qinq termination pe-vid 100 ce-vid 10 l2 binding vsi a2 # interface LoopBack1 ip address 3.3.3.9 255.255.255.255 # ospf 1 area 0.0.0.0 network 3.3.3.9 0.0.0.0 network 169.1.1.0 0.0.0.255 # return
5.12.13 Example for Connecting a Sub-interface Enabled with Single-Tag VLAN Mapping to a VPLS Network
As shown in Figure 5-13, VPLS is enabled on PE1 and PE2. CE1 is connected to PE1 and CE2 is connected to PE2. CE1 and CE2 belong to the same VSI. LDP is used as the VPLS signaling protocol to set up the PW and Martini VPLS is configured to enable CE1 and CE2 to communicate with each other. Figure 5-13 Networking diagram for configuring Martini VPLS
Loopback1 1.1.1.9/32 PE 1 GE1/0/0 GE1/0/0 GE 2/0/0 GE 2/0/0
Loopback1 2.2.2.9/32 GE 1/0/0 GE1/0/0

P
Loopback1 3.3.3.9/32 PE 2 GE 2/0/0 GE 1/0/0
Martini
CE 1
Switch PE1 Interface GigabitEthernet1/0/0 GigabitEthernet2/0/0 Loopback1 PE2 GigabitEthernet1/0/0 GigabitEthernet2/0/0 Loopback1 VLANIF interface GigabitEthernet1/0/0.1 VLANIF 20 VLANIF 30 GigabitEthernet2/0/0.1 -
CE 2
IP address 168.1.1.1/24 1.1.1.9/32 169.1.1.2/24 3.3.3.9/32
Issue 01 (2011-10-26)
291

P GigabitEthernet1/0/0 GigabitEthernet2/0/0 Loopback1 CE1 CE2 GigabitEthernet1/0/0 GigabitEthernet1/0/0 VLANIF 20 VLANIF 30 VLANIF 10 VLANIF 20
168.1.1.2/24 169.1.1.1/24 2.2.2.9/32 10.1.1.1/24 10.1.1.2/24
The configuration roadmap is as follows: 1. 2. 3. 4. 5. 6. 7. Configure the routing protocol on the backbone network to implement interworking. Set up a remote LDP session between the PEs. Set up a tunnel between the PEs to transmit user data. Enable MPLS L2VPN on the PEs. Create VSIs on PEs, specify LDP as the signaling protocol, and bind the VSI to related AC interfaces. Configure VLAN mapping of a single tag on the sub-interface of the PE1 interface connected to CE1 and connect the sub-interface to the VPLS network. Configure a dot1q sub-interface on the PE2 interface connected to CE2 and connect the dot1q sub-interface to the VPLS network.
Data Preparation
To complete the configuration, you need the following data: l l l l l VSI name and VSI ID IP addresses of peers and tunnel policy used for setting up the peer relationship Interfaces to which the VSI is bound VLAN IDs used in VLAN mapping Encapsulation mode of the sub-interfaces and VLANs that the sub-interfaces belong to
Procedure
NOTE
Step 2 Configure the IGP protocol. OSPF is used in this example. When configuring OSPF, advertise the 32-bit loopback interface addresses (LSR IDs) of PE1, P, and PE2. The configuration details are not mentioned here.
After the configuration, run the display ip routing-table command on PE1, P, and PE2. You can view the routes learned by PE1, P, and PE2 from each other. Step 3 Configure basic MPLS functions and LDP. The configuration procedure is not mentioned. After the configuration, run the display mpls ldp session command on PE1, P and PE2. You can see that the peer relationship is set up between PE1 and P, and between P and PE2. The status of the peer relationship is Operational. Run the display mpls lsp command, and you can see the status of the LSP. Step 4 Create remote LDP sessions between PEs. # Configure PE1.
# Configure PE2.
[PE1] mpls l2vpn
# Configure PE2.
[PE2] mpls l2vpn

# Configure PE2.

[PE1] interface gigabitethernet 1/0/0.1 [PE1-GigabitEthernet1/0/0.1] qinq mapping vid 10 map-vlan vid 20 [PE1-GigabitEthernet1/0/0.1] l2 binding vsi a2 [PE1-GigabitEthernet1/0/0.1] quit
# Configure PE2.


# Configure CE2.
<PE1> display vsi name a2 verbose ***VSI Name Administrator VSI Isolate Spoken VSI Index PW Signaling Member Discovery Style PW MAC Learn Style Encapsulation Type MTU Mode Service Class Color DomainId Domain Name VSI State VSI ID *Peer Router ID VC Label Peer Type Session Tunnel ID Interface Name State **PW Information: *Peer Ip Address PW State Local VC Label Remote VC Label PW Type Tunnel ID : : : : : : 3.3.3.9 up 23552 23552 label 0x20021, : : : : : : : : : : : : : : : : : : : : : a2 no disable 0 ldp static unqualify vlan 1500 uniform --0 up 2 3.3.3.9 23552 dynamic up 0x20021,
: Vlanif10 : up

<CE1> ping 10.1.1.2 PING 10.1.1.2: 56 data bytes, press CTRL_C to break Reply from 10.1.1.2: bytes=56 Sequence=1 ttl=255 time=90 ms
Issue 01 (2011-10-26)
294

Reply from 10.1.1.2: bytes=56 Sequence=2 Reply from 10.1.1.2: bytes=56 Sequence=3 Reply from 10.1.1.2: bytes=56 Sequence=4 Reply from 10.1.1.2: bytes=56 Sequence=5 --- 10.1.1.2 ping statistics --5 packet(s) transmitted 5 packet(s) received 0.00% packet loss round-trip min/avg/max = 34/68/94 ms ttl=255 ttl=255 ttl=255 ttl=255 time=77 time=34 time=46 time=94 ms ms ms ms
----End
Configuration Files


# sysname PE1 # vlan batch 20 # mpls lsr-id 1.1.1.9 mpls # mpls l2vpn # vsi a2 static pwsignal ldp vsi-id 2 peer 3.3.3.9 # mpls ldp # mpls ldp remote-peer 3.3.3.9 remote-ip 3.3.3.9 # interface Vlanif20 ip address 168.1.1.1 255.255.255.0 mpls
Issue 01 (2011-10-26)
295

mpls ldp # interface GigabitEthernet1/0/0 # interface GigabitEthernet1/0/0.1 qinq mapping vid 10 map-vlan vid 20 l2 binding vsi a2 # interface GigabitEthernet2/0/0 port hybrid pvid vlan 20 port hybrid tagged vlan 20 # interface LoopBack1 ip address 1.1.1.9 255.255.255.255 # ospf 1 area 0.0.0.0 network 1.1.1.9 0.0.0.0 network 168.1.1.0 0.0.0.255 # return

# sysname PE2 # vlan batch 30 # mpls lsr-id 3.3.3.9 mpls
Issue 01 (2011-10-26)
296

# mpls l2vpn # vsi a2 static pwsignal ldp vsi-id 2 peer 1.1.1.9 # mpls ldp # mpls ldp remote-peer 1.1.1.9 remote-ip 1.1.1.9 # interface Vlanif30 ip address 169.1.1.2 255.255.255.0 mpls mpls ldp # interface GigabitEthernet1/0/0 port hybrid pvid vlan 30 port hybrid tagged vlan 30 # interface GigabitEthernet2/0/0 # interface GigabitEthernet2/0/0.1 control-vid 2000 dot1q-termination dot1q termination vid 20 l2 binding vsi a2 # interface LoopBack1 ip address 3.3.3.9 255.255.255.255 # ospf 1 area 0.0.0.0 network 3.3.3.9 0.0.0.0 network 169.1.1.0 0.0.0.255 # return
5.12.14 Example for Connecting a Sub-interface Enabled with Double-Tag VLAN Mapping to a VPLS Network
As shown in Figure 5-14, VPLS is enabled on PE1 and PE2. CE1 is connected to Switch1 through PE1, and CE2 is connected to Switch2 through PE2. CE1 and CE2 belong to the same VSI. LDP is used as the VPLS signaling protocol to set up the PW and Martini VPLS is configured to enable CE1 and CE2 to communicate with each other. Selective QinQ is configured on the interfaces connected to CEs so that the switches add the VLAN tags specified by the carrier to the packets sent from CEs. When Switch1 and Switch2 add different VLAN tags to packets, configure VLAN mapping of double tags on a sub-interface and connect the sub-interface to the VLL. Then CE1 and CE2 can communicate with each other. When a switch is connected to multiple CEs, the switch can add different VLAN tags to the packets from different CEs, that is, packets with different VLAN tags. This saves VLAN IDs on the public network.
Issue 01 (2011-10-26)
297
Figure 5-14 Networking diagram for configuring Martini VPLS
PE1 GE1/0/0 GE2/0/0
GE2/0/0 GE1/0/0 P
GE2/0/0 GE1/0/0
PE2 GE2/0/0 GE2/0/0
CE1
Switch PE1 Interface GigabitEthernet1/0/0 GigabitEthernet2/0/0 Loopback1 PE2 GigabitEthernet1/0/0 GigabitEthernet2/0/0 Loopback1 P GigabitEthernet1/0/0 GigabitEthernet2/0/0 Loopback1 CE1 CE2 GigabitEthernet1/0/0 GigabitEthernet1/0/0 VLANIF interface
CE2
IP address 168.1.1.1/24 1.1.1.9/32 169.1.1.2/24 3.3.3.9/32 168.1.1.2/24 169.1.1.1/24 2.2.2.9/32 10.1.1.1/24 10.1.1.2/24
GigabitEthernet1/0/0.1 VLANIF 20 VLANIF 30 GigabitEthernet2/0/0.1 VLANIF 20 VLANIF 30 VLANIF 10 VLANIF 10
The configuration roadmap is as follows: 1. 2. 3. 4. 5. Configure the routing protocol on the backbone network to implement interworking. Set up a remote LDP session between the PEs. Set up a tunnel between the PEs to transmit user data. Enable MPLS L2VPN on the PEs. Create VSIs on PEs, specify LDP as the signaling protocol, and bind the VSI to related AC interfaces.
Issue 01 (2011-10-26)
6. 7. 8.
On PE1, configure VLAN mapping of double tags on the sub-interface connected to CE1 and connect the sub-interface to the VPLS network. On PE2, configure a QinQ sub-interface on the interface connected to Switch2 and connect the sub-interface to the VPLS network. Configure selective QinQ on the switch interfaces connected to CEs.
Data Preparation
To complete the configuration, you need the following data: l l l l l VSI name and VSI ID IP addresses of peers and tunnel policy used for setting up the peer relationship Interfaces to which the VSI is bound VLAN IDs used in VLAN mapping Encapsulation mode of the sub-interfaces and VLANs that the sub-interfaces belong to
Procedure
NOTE
Step 3 Configure the IGP protocol. OSPF is used in this example. When configuring OSPF, advertise the 32-bit loopback interface addresses (LSR IDs) of PE1, P, and PE2.
The configuration details are not mentioned here. After the configuration, run the display ip routing-table command on PE1, P, and PE2. You can view the routes learned by PE1, P, and PE2 from each other. Step 4 Configure basic MPLS functions and LDP. The configuration procedure is not mentioned. After the configuration, run the display mpls ldp session command on PE1, P and PE2. You can see that the peer relationship is set up between PE1 and P, and between P and PE2. The status of the peer relationship is Operational. Run the display mpls lsp command, and you can see the status of the LSP. Step 5 Create remote LDP sessions between PEs. # Configure PE1.
# Configure PE2.
[PE1] mpls l2vpn
# Configure PE2.
[PE2] mpls l2vpn

# Configure PE2.

[PE1] interface gigabitethernet 1/0/0.1 [PE1-GigabitEthernet1/0/0.1] qinq mapping pe-vid 100 ce-vid 10 map-vlan vid 200 [PE1-GigabitEthernet1/0/0.1] l2 binding vsi a2 [PE1-GigabitEthernet1/0/0.1] quit
Issue 01 (2011-10-26)
300
# Configure PE2.

# Configure CE2.
<PE1> display vsi name a2 verbose ***VSI Name Administrator VSI Isolate Spoken VSI Index PW Signaling Member Discovery Style PW MAC Learn Style Encapsulation Type MTU Mode Service Class Color DomainId Domain Name VSI State VSI ID *Peer Router ID VC Label Peer Type Session Tunnel ID Interface Name State **PW Information: *Peer Ip Address PW State Local VC Label Remote VC Label PW Type Tunnel ID : : : : : : 3.3.3.9 up 23552 23552 label 0x20021, : : : : : : : : : : : : : : : : : : : : : a2 no disable 0 ldp static unqualify vlan 1500 uniform --0 up 2 3.3.3.9 23552 dynamic up 0x20021,
: Vlanif10 : up

<CE1> ping 10.1.1.2 PING 10.1.1.2: 56 data bytes, press CTRL_C to break
Issue 01 (2011-10-26)
301

Reply from 10.1.1.2: bytes=56 Sequence=1 Reply from 10.1.1.2: bytes=56 Sequence=2 Reply from 10.1.1.2: bytes=56 Sequence=3 Reply from 10.1.1.2: bytes=56 Sequence=4 Reply from 10.1.1.2: bytes=56 Sequence=5 --- 10.1.1.2 ping statistics --5 packet(s) transmitted 5 packet(s) received 0.00% packet loss round-trip min/avg/max = 34/68/94 ms ttl=255 ttl=255 ttl=255 ttl=255 ttl=255 time=90 time=77 time=34 time=46 time=94 ms ms ms ms ms
----End
Configuration Files



# sysname Switch2 # vlan batch 200 # interface GigabitEthernet2/0/0 port hybrid tagged vlan 200
Issue 01 (2011-10-26)
302

# interface GigabitEthernet1/0/0 port hybrid untagged vlan 200 port vlan-stacking vlan 10 stack-vlan 200 # return

# sysname PE1 # vlan batch 20 # mpls lsr-id 1.1.1.9 mpls # mpls l2vpn # vsi a2 static pwsignal ldp vsi-id 2 peer 3.3.3.9 # mpls ldp # mpls ldp remote-peer 3.3.3.9 remote-ip 3.3.3.9 # interface Vlanif20 ip address 168.1.1.1 255.255.255.0 mpls mpls ldp # interface GigabitEthernet1/0/0 # interface GigabitEthernet1/0/0.1 qinq mapping pe-vid 100 ce-vid 10 map-vlan vid 200 l2 binding vsi a2 # interface GigabitEthernet2/0/0 port hybrid pvid vlan 20 port hybrid tagged vlan 20 # interface LoopBack1 ip address 1.1.1.9 255.255.255.255 # ospf 1 area 0.0.0.0 network 1.1.1.9 0.0.0.0 network 168.1.1.0 0.0.0.255 # return
# sysname P # vlan batch 20 30 # mpls lsr-id 2.2.2.9 mpls # mpls ldp # interface Vlanif20 ip address 168.1.1.2 255.255.255.0 mpls mpls ldp # interface Vlanif30
Issue 01 (2011-10-26)
303


# sysname PE2 # vlan batch 30 # mpls lsr-id 3.3.3.9 mpls # mpls l2vpn # vsi a2 static pwsignal ldp vsi-id 2 peer 1.1.1.9 # mpls ldp # mpls ldp remote-peer 1.1.1.9 remote-ip 1.1.1.9 # interface Vlanif30 ip address 169.1.1.2 255.255.255.0 mpls mpls ldp # interface GigabitEthernet1/0/0 port hybrid pvid vlan 30 port hybrid tagged vlan 30 # interface GigabitEthernet2/0/0 # interface GigabitEthernet2/0/0.1 control-vid 2000 qinq-termination qinq termination pe-vid 200 ce-vid 10 l2 binding vsi a2 # interface LoopBack1 ip address 3.3.3.9 255.255.255.255 # ospf 1 area 0.0.0.0 network 3.3.3.9 0.0.0.0 network 169.1.1.0 0.0.0.255 # return
Issue 01 (2011-10-26)
304
5.12.15 Example for Connecting a Sub-interface Enabled with VLAN Stacking to a VPLS Network
As shown in Figure 5-15, VPLS is enabled on PE1 and PE2. CE1 is connected to Switch1 through PE1, and CE2 is connected to Switch2 through PE2. CE1 and CE2 belong to the same VSI. LDP is used as the VPLS signaling protocol to set up the PW and Martini VPLS is configured to enable CE1 and CE2 to communicate with each other. Switch1 forwards the packets sent from CE1 without changing the VLAN tags of the packets. Selective QinQ is configured on the interface connected to CE2 so that Switch2 adds the VLAN tag specified by the carrier to the packets sent from CE2. The packets sent by Switch1 to PE1 contain only one VLAN tag, and the packets sent by Switch2 to PE2 contain two VLAN tags. Therefore, you need to configure VLAN stacking on the sub-interface of PE1 connected to Switch1 and connect the sub-interface to the VPLS network. Then CE1 and CE2 can communicate with each other. When a switch is connected to multiple CEs, the switch can add different VLAN tags to the packets from different CEs, that is, packets with different VLAN tags. This saves VLAN IDs on the public network. Figure 5-15 Networking diagram for configuring Martini VPLS
PE1 GE1/0/0 GE2/0/0
GE2/0/0 GE1/0/0 P
GE2/0/0 GE1/0/0
PE2 GE2/0/0 GE2/0/0
CE1
Switch PE1 Interface GigabitEthernet1/0/0 GigabitEthernet2/0/0 Loopback1 PE2 GigabitEthernet1/0/0 GigabitEthernet2/0/0 VLANIF interface
CE2
IP address 168.1.1.1/24 1.1.1.9/32 169.1.1.2/24 -
GigabitEthernet1/0/0.1 VLANIF 20 VLANIF 30 GigabitEthernet2/0/0.1
Issue 01 (2011-10-26)
305

Loopback1 P GigabitEthernet1/0/0 GigabitEthernet2/0/0 Loopback1 CE1 CE2 GigabitEthernet1/0/0 GigabitEthernet1/0/0 VLANIF 20 VLANIF 30 VLANIF 10 VLANIF 10
3.3.3.9/32 168.1.1.2/24 169.1.1.1/24 2.2.2.9/32 10.1.1.1/24 10.1.1.2/24
The configuration roadmap is as follows: 1. 2. 3. 4. 5. 6. 7. 8. 9. Configure the routing protocol on the backbone network to implement interworking. Set up a remote LDP session between the PEs. Set up a tunnel between the PEs to transmit user data. Enable MPLS L2VPN on the PEs. Create VSIs on PEs, specify LDP as the signaling protocol, and bind the VSI to related AC interfaces. On PE1, configure VLAN stacking on the sub-interface connected to Switch1 and connect the sub-interface to the VPLS network. On PE2, configure a QinQ sub-interface on the interface connected to Switch2 and connect the sub-interface to the VPLS network. On Switch1, add the interface connected to CE1 to a specified VLAN. On Switch2, configure selective QinQ on the interface connected to CE2.
Data Preparation
To complete the configuration, you need the following data: l l l l l VSI name and VSI ID IP addresses of peers and tunnel policy used for setting up the peer relationship Interfaces to which the VSI is bound VLAN IDs used in VLAN stacking Encapsulation mode of the sub-interfaces and VLANs that the sub-interfaces belong to
Procedure
NOTE
Issue 01 (2011-10-26)
306
[Switch1] vlan 10 [Switch1-vlan100] quit [Switch1] interface gigabitethernet [Switch1-GigabitEthernet2/0/0] port [Switch1-GigabitEthernet2/0/0] quit [Switch1] interface gigabitethernet [Switch1-GigabitEthernet1/0/0] port [Switch1-GigabitEthernet1/0/0] quit
2/0/0 hybrid tagged vlan 10 1/0/0 hybrid tagged vlan 10
Step 3 Configure the IGP protocol. OSPF is used in this example. When configuring OSPF, advertise the 32-bit loopback interface addresses (LSR IDs) of PE1, P, and PE2. The configuration details are not mentioned here. After the configuration is complete, run the display ip routing-table command on PE1, P, and PE2. You can view the routes learned by PE1, P, and PE2 from each other. Step 4 Configure basic MPLS functions and LDP. The configuration procedure is not mentioned. After the configuration, run the display mpls ldp session command on PE1, P and PE2. You can see that the peer relationship is set up between PE1 and P, and between P and PE2. The status of the peer relationship is Operational. Run the display mpls lsp command, and you can see the status of the LSP. Step 5 Create remote LDP sessions between PEs. # Configure PE1.
# Configure PE2.

[PE1] mpls l2vpn
# Configure PE2.
[PE2] mpls l2vpn

# Configure PE2.

[PE1] interface gigabitethernet 1/0/0.1 [PE1-GigabitEthernet1/0/0.1] qinq stacking vid 10 pe-vid 100 [PE1-GigabitEthernet1/0/0.1] l2 binding vsi a2 [PE1-GigabitEthernet1/0/0.1] quit
# Configure PE2.

# Configure CE2.
<PE1> display vsi name a2 verbose ***VSI Name Administrator VSI Isolate Spoken VSI Index PW Signaling Member Discovery Style PW MAC Learn Style : : : : : : : a2 no disable 0 ldp static unqualify
Issue 01 (2011-10-26)
308

Encapsulation Type MTU Mode Service Class Color DomainId Domain Name VSI State VSI ID *Peer Router ID VC Label Peer Type Session Tunnel ID Interface Name State **PW Information: *Peer Ip Address PW State Local VC Label Remote VC Label PW Type Tunnel ID : : : : : : 3.3.3.9 up 23552 23552 label 0x20021, : : : : : : : : : : : : : : vlan 1500 uniform --0 up 2 3.3.3.9 23552 dynamic up 0x20021,
: Vlanif10 : up

ms ms ms ms ms
----End
Configuration Files

# sysname CE2 # vlan batch 10 #
Issue 01 (2011-10-26)
309

interface Vlanif10 ip address 10.1.1.2 255.255.255.0 # interface GigabitEthernet1/0/0 port link-type trunk port trunk allow-pass vlan 10 # return

# sysname Switch1 # vlan batch 10 # interface GigabitEthernet2/0/0 port hybrid tagged vlan 10 # interface GigabitEthernet1/0/0 port hybrid tagged vlan 10 # return


# sysname PE1 # vlan batch 20 # mpls lsr-id 1.1.1.9 mpls # mpls l2vpn # vsi a2 static pwsignal ldp vsi-id 2 peer 3.3.3.9 # mpls ldp # mpls ldp remote-peer 3.3.3.9 remote-ip 3.3.3.9 # interface Vlanif20 ip address 168.1.1.1 255.255.255.0 mpls mpls ldp # interface GigabitEthernet1/0/0 # interface GigabitEthernet1/0/0.1 qinq stacking vid 10 pe-vid 100 l2 binding vsi a2 #
Issue 01 (2011-10-26)
310

interface GigabitEthernet2/0/0 port hybrid pvid vlan 20 port hybrid tagged vlan 20 # interface LoopBack1 ip address 1.1.1.9 255.255.255.255 # ospf 1 area 0.0.0.0 network 1.1.1.9 0.0.0.0 network 168.1.1.0 0.0.0.255 # return

# sysname PE2 # vlan batch 30 # mpls lsr-id 3.3.3.9 mpls # mpls l2vpn # vsi a2 static pwsignal ldp vsi-id 2 peer 1.1.1.9 #
Issue 01 (2011-10-26)
311

mpls ldp # mpls ldp remote-peer 1.1.1.9 remote-ip 1.1.1.9 # interface Vlanif30 ip address 169.1.1.2 255.255.255.0 mpls mpls ldp # interface GigabitEthernet1/0/0 port hybrid pvid vlan 30 port hybrid tagged vlan 30 # interface GigabitEthernet2/0/0 # interface GigabitEthernet2/0/0.1 control-vid 2000 qinq-termination qinq termination pe-vid 100 ce-vid 10 l2 binding vsi a2 # interface LoopBack1 ip address 3.3.3.9 255.255.255.255 # ospf 1 area 0.0.0.0 network 3.3.3.9 0.0.0.0 network 169.1.1.0 0.0.0.255 # return
5.12.16 Example for Configuring the Dot1q Sub-interface to Access an L3VPN

As shown in Figure 5-16, CE1 and CE3 belong to VPN-A and CE2 and CE4 belong to VPNB. The VPN target of VPN-A is 111:1, and VPN target of VPN-B is 222:2. The users in different VPNs cannot communicate with each other.
Issue 01 (2011-10-26)
312
Figure 5-16 Networking diagram for configuring the dot1q sub-interface to access an L3VPN
VPN-A CE1 GE1/0/0
AS: 65410
AS: 65430 VPN-A CE3 GE1/0/0 Loopback1 2.2.2.9/32 GE1/0/0 GE2/0/0
GE1/0/0 Loopback1 1.1.1.9/32 GE2/0/0
PE1 GE3/0/0
PE2
GE1/0/0 Loopback1 3.3.3.9/32 GE2/0/0
GE3/0/0 P MPLS backbone AS: 100
GE1/0/0 CE2 VPN-B AS: 65420

Switch PE1 Interface GigabitEthernet1/0/0 GigabitEthernet2/0/0 GigabitEthernet3/0/0 PE2 GigabitEthernet1/0/0 GigabitEthernet2/0/0 GigabitEthernet3/0/0 P GigabitEthernet1/0/0 GigabitEthernet2/0/0 CE1 CE2 CE3 CE4 GigabitEthernet1/0/0 GigabitEthernet1/0/0 GigabitEthernet1/0/0 GigabitEthernet1/0/0 Layer 3 interface GigabitEthernet1/0/0.1 GigabitEthernet2/0/0.1 VLANIF 30 GigabitEthernet1/0/0.1 GigabitEthernet2/0/0.1 VLANIF 60 VLANIF 30 VLANIF 60 VLANIF 10 VLANIF 20 VLANIF 10 VLANIF 20
GE1/0/0 CE4 VPN-B AS: 65440

IP address 10.1.1.2/24 10.2.1.2/24 172.1.1.1/24 10.3.1.2/24 10.4.1.2/24 172.2.1.2/24 172.1.1.2/24 172.2.1.1/24 10.1.1.1/24 10.2.1.1/24 10.3.1.1/24 10.4.1.1/24
Issue 01 (2011-10-26)
313
1.
On the backbone network, configure VPN instances on the PEs connected to CEs and bind related VPNs to the interfaces connected to the CEs. Then, assign IP addresses to the interfaces connected to the CEs. Configure OSPF between the PEs to implement interworking between PEs. Configure basic MPLS functions and MPLS LDP and create MPLS LSPs. Configure MP-IBGP for exchanging VPN routing information. Configure EBGP between the CE and the PE to exchange VPN routing information. Configure the Dot1q sub-interface to access the L3VPN on the interface connecting the PE and CE.
2. 3. 4. 5. 6.
Data Preparation
To complete the configuration, you need the following data: l l l l l l IDs of the VLANs that the interfaces belong to, as shown in Figure 5-16 IP addresses of VLANIF interfaces, as shown in Figure 5-16 MPLS LSR-IDs of PEs and P RDs of VPN-A and VPN-B VPN targets of received and sent routes of VPN-A and VPN-B Encapsulation mode and VLAN ID of the sub-interface
Procedure
Step 1 Configure an IGP on the MPLS backbone network so that the PE and P can interwork with each other. # Configure PE1.
<Quidway> system-view [Quidway] sysname PE1 [PE1] interface loopback 1 [PE1-LoopBack1] ip address 1.1.1.9 32 [PE1-LoopBack1] quit [PE1] vlan batch 30 [PE1] interface GigabitEthernet 3/0/0 [PE1-GigabitEthernet3/0/0]port hybrid pvid vlan 30 [PE1-GigabitEthernet3/0/0]port hybrid untagged vlan 30 [PE1-GigabitEthernet3/0/0] quit [PE1] interface vlanif 30 [PE1-Vlanif30] ip address 172.1.1.1 24 [PE1-Vlanif30] quit [PE1] ospf [PE1-ospf-1] area 0 [PE1-ospf-1-area-0.0.0.0] network 172.1.1.0 0.0.0.255 [PE1-ospf-1-area-0.0.0.0] network 1.1.1.9 0.0.0.0 [PE1-ospf-1-area-0.0.0.0] quit [PE1-ospf-1] quit
# Configure P.
<Quidway> system-view [Quidway] sysname P [P] interface loopback 1 [P-LoopBack1] ip address 2.2.2.9 32 [P-LoopBack1] quit [P] vlan batch 30 60 [P] interface GigabitEthernet 1/0/0 [P-GigabitEthernet1/0/0] port hybrid pvid vlan 30
Issue 01 (2011-10-26)
314

[P-GigabitEthernet1/0/0] port hybrid untagged vlan 30 [P-GigabitEthernet1/0/0] quit [P] interface GigabitEthernet 2/0/0 [P-GigabitEthernet2/0/0] port hybrid pvid vlan 60 [P-GigabitEthernet2/0/0] port hybrid untagged vlan 60 [P-GigabitEthernet2/0/0] quit [P] interface vlanif 30 [P-Vlanif30] ip address 172.1.1.2 24 [P-Vlanif30] quit [P] interface vlanif 60 [P-Vlanif60] ip address 172.2.1.1 24 [P-Vlanif60] quit [P] ospf [P-ospf-1] area 0 [P-ospf-1-area-0.0.0.0] network 172.1.1.0 0.0.0.255 [P-ospf-1-area-0.0.0.0] network 172.2.1.0 0.0.0.255 [P-ospf-1-area-0.0.0.0] network 2.2.2.9 0.0.0.0 [P-ospf-1-area-0.0.0.0] quit [P-ospf-1] quit
# Configure PE2.
<Quidway> system-view [Quidway] sysname PE2 [PE2] interface loopback 1 [PE2-LoopBack1] ip address 3.3.3.9 32 [PE2-LoopBack1] quit [PE2] vlan batch 60 [PE2] interface GigabitEthernet 3/0/0 [PE2-GigabitEthernet3/0/0] port hybrid pvid vlan 60 [PE2-GigabitEthernet3/0/0] port hybrid untagged vlan 60 [PE2-GigabitEthernet3/0/0] quit [PE2] interface vlanif 60 [PE2-Vlanif20] ip address 172.2.1.2 24 [PE2-Vlanif20] quit [PE2] ospf [PE2-ospf-1] area 0 [PE2-ospf-1-area-0.0.0.0] network 172.2.1.0 0.0.0.255 [PE2-ospf-1-area-0.0.0.0] network 3.3.3.9 0.0.0.0 [PE2-ospf-1-area-0.0.0.0] quit [PE2-ospf-1] quit
After the configuration, OSPF relations are established between PE1, P, and PE2. Run the display ospf peer command, and you can view that the status of the OSPF relations is Full. Run the display ip routing-table command, and you can view that the PEs can learn the routes of Loopback1 interfaces of each other. Take the display on PE1 as an example.
[PE1] display ip routing-table Route Flags: R - relied, D - download to fib -----------------------------------------------------------------------------Routing Tables: Public Destinations : 9 Routes : 9 Destination/Mask 1.1.1.9/32 2.2.2.9/32 3.3.3.9/32 127.0.0.0/8 127.0.0.1/32 127.255.255.255/32 172.1.1.0/24 172.1.1.1/32 172.1.1.2/32 172.1.1.255/32 172.2.1.0/24 255.255.255.255/32 Proto Direct OSPF OSPF Direct Direct Direct Direct Direct Direct Direct OSPF Direct Pre 0 10 10 0 0 0 0 0 0 0 10 0 Cost 0 1 2 0 0 0 0 0 0 0 2 0 Flags NextHop D D D D D D D D D D D D 127.0.0.1 172.1.1.2 172.1.1.2 127.0.0.1 127.0.0.1 127.0.0.1 172.1.1.1 127.0.0.1 172.1.1.2 127.0.0.1 172.1.1.2 127.0.0.1 Interface InLoopBack0 Vlanif30 Vlanif30 InLoopBack0 InLoopBack0 InLoopBack0 Vlanif30 InLoopBack0 Vlanif30 InLoopBack0 Vlanif30 InLoopBack0
Issue 01 (2011-10-26)
315

[PE1] display ospf peer OSPF Process 1 with Router ID 1.1.1.9 Neighbors Area 0.0.0.0 interface 172.1.1.1(Vlanif30)'s neighbors Router ID: 172.1.1.2 Address: 172.1.1.2 State: Full Mode:Nbr is Master Priority: 1 DR: None BDR: None MTU: 1500 Dead timer due in 37 sec Neighbor is up for 00:16:21 Authentication Sequence: [ 0 ]
Step 2 Configure basic MPLS functions, enable MPLS LDP, and establish LDP LSPs on the MPLS backbone network. # Configure PE1.
# Configure the P.
# Configure PE2.
After the configuration, LDP sessions should be set up between PE1 and P, and between PE2 and P. Run the display mpls ldp session command, and you can view that Status is Operational. Run the display mpls ldp lsp command, and you can view the establishment of LDP LSPs. Take the display on PE1 as an example:
[PE1] display mpls ldp session LDP Session(s) in Public Network -----------------------------------------------------------------------------Peer-ID Status LAM SsnRole SsnAge KA-Sent/Rcv ------------------------------------------------------------------------------
Issue 01 (2011-10-26)
316
2.2.2.9:0 Operational DU Active 000:00:01 6/6 -----------------------------------------------------------------------------TOTAL: 1 session(s) Found. LAM : Label Advertisement Mode SsnAge Unit : DDD:HH:MM [PE1] display mpls ldp lsp LDP LSP Information -----------------------------------------------------------------------------SN DestAddress/Mask In/OutLabel Next-Hop In/Out-Interface -----------------------------------------------------------------------------1 1.1.1.9/32 3/NULL 127.0.0.1 Vlanif30/InLoop0 2 2.2.2.9/32 NULL/3 172.1.1.2 -------/Vlanif30 3 3.3.3.9/32 NULL/1025 172.1.1.2 -------/Vlanif30 -----------------------------------------------------------------------------TOTAL: 3 Normal LSP(s) Found. TOTAL: - Liberal LSP(s) Found. A '*' before an LSP means the LSP is not established A '*' before a Label means the USCB or DSCB is stale
Step 3 Configure VPN instances on the PEs and connect the CEs to the PEs. # Configure PE1.
[PE1] ip vpn-instance vpna [PE1-vpn-instance-vpna] route-distinguisher 100:1 [PE1-vpn-instance-vpna] vpn-target 111:1 both [PE1-vpn-instance-vpna] quit [PE1] ip vpn-instance vpnb [PE1-vpn-instance-vpnb] route-distinguisher 100:2 [PE1-vpn-instance-vpnb] vpn-target 222:2 both [PE1-vpn-instance-vpnb] quit [PE1] interface gigabitethernet 1/0/0.1 [PE1-GigabitEthernet1/0/0.1] control-vid 1000 dot1q-termination rt-protocol [PE1-GigabitEthernet1/0/0.1] dot1q termination vid 10 [PE1-GigabitEthernet1/0/0.1] ip binding vpn-instance vpna [PE1-GigabitEthernet1/0/0.1] ip address 10.1.1.2 24 [PE1-GigabitEthernet1/0/0.1] arp broadcast enable [PE1-GigabitEthernet1/0/0.1] quit [PE1] interface gigabitethernet 2/0/0.1 [PE1-GigabitEthernet2/0/0.1] control-vid 2000 dot1q-termination rt-protocol [PE1-GigabitEthernet2/0/0.1] dot1q termination vid 20 [PE1-GigabitEthernet2/0/0.1] ip binding vpn-instance vpnb [PE1-GigabitEthernet2/0/0.1] ip address 10.2.1.2 24 [PE1-GigabitEthernet2/0/0.1] arp broadcast enable [PE1-GigabitEthernet2/0/0.1] quit
# Configure PE2.
[PE2] ip vpn-instance vpna [PE2-vpn-instance-vpna] route-distinguisher 200:1 [PE2-vpn-instance-vpna] vpn-target 111:1 both [PE2-vpn-instance-vpna] quit [PE2] ip vpn-instance vpnb [PE2-vpn-instance-vpnb] route-distinguisher 200:2 [PE2-vpn-instance-vpnb] vpn-target 222:2 both [PE2-vpn-instance-vpnb] quit [PE2] interface gigabitethernet 1/0/0.1 [PE2-GigabitEthernet1/0/0.1] control-vid 1000 dot1q-termination rt-protocol [PE2-GigabitEthernet1/0/0.1] dot1q termination vid 10 [PE2-GigabitEthernet1/0/0.1] ip binding vpn-instance vpna [PE2-GigabitEthernet1/0/0.1] ip address 10.3.1.2 24 [PE2-GigabitEthernet1/0/0.1] arp broadcast enable [PE2-GigabitEthernet1/0/0.1] quit [PE2] interface gigabitethernet 2/0/0.1 [PE2-GigabitEthernet2/0/0.1] control-vid 2000 dot1q-termination rt-protocol [PE2-GigabitEthernet2/0/0.1] dot1q termination vid 20
Issue 01 (2011-10-26)
317

[PE2-GigabitEthernet2/0/0.1] [PE2-GigabitEthernet2/0/0.1] [PE2-GigabitEthernet2/0/0.1] [PE2-GigabitEthernet2/0/0.1] ip binding vpn-instance vpnb ip address 10.4.1.2 24 arp broadcast enable quit
# Assign IP addresses to the interfaces on the CEs according to Figure 5-16. The configuration procedure is not mentioned here. After the configuration, run the display ip vpn-instance verbose command on the PEs, and you can view the configuration of VPN instances. The PE can ping the connected CE successfully.
NOTE
If multiple interfaces on a PE are bound to the same VPN, you must specify the source IP address when you run the ping -vpn-instance command to ping the CE connected to the peer PE. That is, specify -a source-ip-address in the ping -vpn-instance vpn-instance-name -a source-ip-address dest-ip-address command. Otherwise, the ping operation may fail.
Take the display on PE1 and CE1 as an example.

[PE1] display ip vpn-instance verbose Total VPN-Instances configured : 2 VPN-Instance Name and ID : vpna, 1 Create date : 2008/11/24 16:28:27 Up time : 0 days, 00 hours, 11 minutes and 25 seconds Route Distinguisher : 100:1 Export VPN Targets : 111:1 Import VPN Targets : 111:1 Label policy : label per route The diffserv-mode Information is : uniform The ttl-mode Information is : pipe Interfaces : Vlanif10 VPN-Instance Name and ID : vpnb, 2 Create date : 2008/11/24 16:30:37 Up time : 0 days, 00 hours, 09 minutes and 15 seconds Route Distinguisher : 100:2 Export VPN Targets : 222:2 Import VPN Targets : 222:2 Label policy : label per route The diffserv-mode Information is : uniform The ttl-mode Information is : pipe Interfaces : Vlanif20 [PE1] ping -vpn-instance vpna 10.1.1.1 PING 10.1.1.1: 56 data bytes, press CTRL_C to break Reply from 10.1.1.1: bytes=56 Sequence=1 ttl=255 time=5 ms Reply from 10.1.1.1: bytes=56 Sequence=2 ttl=255 time=3 ms Reply from 10.1.1.1: bytes=56 Sequence=3 ttl=255 time=3 ms Reply from 10.1.1.1: bytes=56 Sequence=4 ttl=255 time=3 ms Reply from 10.1.1.1: bytes=56 Sequence=5 ttl=255 time=16 ms --- 10.1.1.1 ping statistics --5 packet(s) transmitted 5 packet(s) received 0.00% packet loss round-trip min/avg/max = 3/6/16 ms
Step 4 Set up EBGP peer relations between PEs and CEs to import VPN routes. # Configure CE1.
[CE1] bgp 65410 [CE1-bgp] peer 10.1.1.2 as-number 100 [CE1-bgp] import-route direct
Issue 01 (2011-10-26)
318

NOTE
The configurations of CE2, CE3 and CE4 are similar to the configuration of CE1, and are not mentioned here.
# Configure PE1.
[PE1] bgp 100 [PE1-bgp] ipv4-family vpn-instance vpna [PE1-bgp-vpna] peer 10.1.1.1 as-number 65410 [PE1-bgp-vpna] import-route direct [PE1-bgp-vpna] quit [PE1-bgp] ipv4-family vpn-instance vpnb [PE1-bgp-vpnb] peer 10.2.1.1 as-number 65420 [PE1-bgp-vpnb] import-route direct [PE1-bgp-vpnb] quit
NOTE
The configuration of PE2 is similar to the configuration of PE1, and is not mentioned here.
After the configuration, run the display bgp vpnv4 vpn-instance peer command on the PE, and you can see that the BGP peer relation between the PE and CE is in Established state. Take the peer relation between PE1 and CE1 as an example:
[PE1] display bgp vpnv4 vpn-instance vpna peer BGP local router ID : 1.1.1.9 Local AS number : 100 Total number of peers : 1 Peer PrefRcv 118.118.118.2 1 V AS MsgRcvd 11 MsgSent 9
Peers in established state : 1 OutQ Up/Down State Established
4 65410
0 00:07:25
Step 5 Set up MP-IBGP peer relations between PEs. # Configure PE1.

[PE1] bgp 100 [PE1-bgp] peer 3.3.3.9 as-number 100 [PE1-bgp] peer 3.3.3.9 connect-interface loopback 1 [PE1-bgp] ipv4-family vpnv4 [PE1-bgp-af-vpnv4] peer 3.3.3.9 enable [PE1-bgp-af-vpnv4] quit [PE1-bgp] quit
# Configure PE2.
[PE2] bgp 100 [PE2-bgp] peer 1.1.1.9 as-number 100 [PE2-bgp] peer 1.1.1.9 connect-interface loopback 1 [PE2-bgp] ipv4-family vpnv4 [PE2-bgp-af-vpnv4] peer 1.1.1.9 enable [PE2-bgp-af-vpnv4] quit
After the configuration, run the display bgp peer or display bgp vpnv4 all peer command, and you can view that the BGP peer relation between the PEs is in Established state.
[PE1] display bgp peer BGP local router ID : 1.1.1.9 Local AS number : 100 Total number of peers : 1 Peer V AS MsgRcvd MsgSent
Peers in established state : 1 OutQ Up/Down State
Issue 01 (2011-10-26)
319

PrefRcv 3.3.3.9 0 [PE1] display bgp vpnv4 all peer BGP local router ID : 1.1.1.9 Local AS number : 100 Total number of peers : 3 Peer PrefRcv V AS MsgRcvd 12 MsgSent 18 4 100 12 6 0 00:02:21
Established
Peers in established state : 3 OutQ 0 Up/Down 00:09:38 State Established 0
3.3.3.9 4 100 Peer of vpn instance: vpn instance vpna : 10.1.1.1 4 65410 vpn instance vpnb : 10.2.1.1 4 65420
25 21
25 22
0 0
00:17:57 00:17:10
Established Established
1 1
Step 6 Verify the configuration. Run the display ip routing-table vpn-instance command on a PE, and you can view the routes to the remote CE. Take the display on PE1 as an example:
[PE1] display ip routing-table vpn-instance vpna Route Flags: R - relied, D - download to fib -----------------------------------------------------------------------------Routing Tables: vpna Destinations : 3 Routes : 3 Destination/Mask Proto Pre Cost Flags NextHop Interface 10.1.1.0/24 Direct 0 0 D 10.1.1.2 Vlanif10 10.1.1.2/32 Direct 0 0 D 127.0.0.1 InLoopBack0 10.1.1.255/32 Direct 0 0 D 127.0.0.1 InLoopBack0 10.3.1.0/24 BGP 255 0 RD 3.3.3.9 Vlanif30 [PE1] display ip routing-table vpn-instance vpnb Route Flags: R - relied, D - download to fib -----------------------------------------------------------------------------Routing Tables: vpnb Destinations : 3 Routes : 3 Destination/Mask 10.2.1.0/24 10.2.1.2/32 10.2.1.255/32 10.4.1.0/24 Proto Direct Direct Direct BGP Pre 0 0 0 255 Cost 0 0 0 0 Flags D D D RD NextHop 10.2.1.2 127.0.0.1 127.0.0.1 3.3.3.9 Interface Vlanif20 InLoopBack0 InLoopBack0 Vlanif30
The CEs in the same VPN can ping each other, but the CEs in different VPNs cannot ping each other. For example, CE1 can ping CE3 (10.3.1.1) but cannot ping CE4 (10.4.1.1).
[CE1] ping 10.3.1.1 PING 10.3.1.1: 56 data bytes, press CTRL_C to break Reply from 10.3.1.1: bytes=56 Sequence=1 ttl=253 time=72 Reply from 10.3.1.1: bytes=56 Sequence=2 ttl=253 time=34 Reply from 10.3.1.1: bytes=56 Sequence=3 ttl=253 time=50 Reply from 10.3.1.1: bytes=56 Sequence=4 ttl=253 time=50 Reply from 10.3.1.1: bytes=56 Sequence=5 ttl=253 time=34 --- 10.3.1.1 ping statistics --5 packet(s) transmitted 5 packet(s) received 0.00% packet loss round-trip min/avg/max = 34/48/72 ms [CE1] ping 10.4.1.1
ms ms ms ms ms
Issue 01 (2011-10-26)
320

PING 10.4.1.1: 56 data bytes, press CTRL_C to break Request time out Request time out Request time out Request time out Request time out --- 10.4.1.1 ping statistics --5 packet(s) transmitted 0 packet(s) received 100.00% packet loss
----End
Configuration Files
l Configuration file of PE1
# sysname PE1 # vlan batch 30 # ip vpn-instance vpna route-distinguisher 100:1 vpn-target 111:1 export-extcommunity vpn-target 111:1 import-extcommunity ip vpn-instance vpnb route-distinguisher 100:2 vpn-target 222:2 export-extcommunity vpn-target 222:2 import-extcommunity # mpls lsr-id 1.1.1.1 mpls # mpls ldp # interface Vlanif30 ip address 172.1.1.1 255.255.255.0 mpls mpls ldp # interface GigabitEthernet1/0/0 # interface GigabitEthernet1/0/0.1 control-vid 1000 dot1q-termination rt-protocol dot1q termination vid 10 ip binding vpn-instance vpna ip address 10.1.1.2 255.255.255.0 arp broadcast enable # interface GigabitEthernet2/0/0 # interface GigabitEthernet2/0/0.1 control-vid 2000 dot1q-termination rt-protocol dot1q termination vid 20 ip binding vpn-instance vpnb ip address 10.2.1.2 255.255.255.0 arp broadcast enable # interface GigabitEthernet3/0/0 port hybrid pvid vlan 30 port hybrid untagged vlan 30 # interface LoopBack1 ip address 1.1.1.9 255.255.255.255 # bgp 100 peer 3.3.3.9 as-number 100 peer 3.3.3.9 connect-interface LoopBack1
Issue 01 (2011-10-26)
321

# ipv4-family unicast undo synchronization peer 3.3.3.9 enable # ipv4-family vpnv4 policy vpn-target peer 3.3.3.9 enable # ipv4-family vpn-instance vpna peer 10.1.1.1 as-number 65410 import-route direct # ospf 1 area 0.0.0.0 network 172.1.1.0 0.0.0.255 network 1.1.1.9 0.0.0.0 # return
# sysname P # vlan batch 30 60 # mpls lsr-id 2.2.2.9 mpls # mpls ldp # interface Vlanif30 ip address 172.1.1.2 255.255.255.0 mpls mpls ldp # interface Vlanif60 ip address 172.2.1.1 255.255.255.0 mpls mpls ldp # interface GigabitEthernet1/0/0 port hybrid pvid vlan 30 port hybrid untagged vlan 30 # interface GigabitEthernet2/0/0 port hybrid pvid vlan 60 port hybrid untagged vlan 60 # interface LoopBack1 ip address 2.2.2.9 255.255.255.255 # ospf 1 area 0.0.0.0 network 172.1.1.0 0.0.0.255 network 172.2.1.0 0.0.0.255 network 2.2.2.9 0.0.0.0 # return

# sysname PE2 # vlan batch 60 # ip vpn-instance vpna route-distinguisher 200:1 vpn-target 111:1 export-extcommunity
Issue 01 (2011-10-26)
322

vpn-target 111:1 import-extcommunity # ip vpn-instance vpnb route-distinguisher 200:2 vpn-target 222:2 export-extcommunity vpn-target 222:2 import-extcommunity # mpls lsr-id 3.3.3.9 mpls # mpls ldp # interface Vlanif60 ip address 172.2.1.2 255.255.255.0 mpls mpls ldp # interface GigabitEthernet1/0/0 # interface GigabitEthernet1/0/0.1 control-vid 1000 dot1q-termination rt-protocol dot1q termination vid 10 ip binding vpn-instance vpna ip address 10.3.1.2 255.255.255.0 arp broadcast enable # interface GigabitEthernet2/0/0 # interface GigabitEthernet2/0/0.1 control-vid 2000 dot1q-termination rt-protocol dot1q termination vid 20 ip binding vpn-instance vpnb ip address 10.4.1.2 255.255.255.0 arp broadcast enable # interface GigabitEthernet3/0/0 port hybrid pvid vlan 60 port hybrid untagged vlan 60 # interface LoopBack1 ip address 3.3.3.9 255.255.255.255 # bgp 100 peer 1.1.1.9 as-number 100 peer 1.1.1.9 connect-interface LoopBack1 # ipv4-family unicast undo synchronization peer 1.1.1.9 enable # ipv4-family vpnv4 policy vpn-target peer 1.1.1.9 enable # ipv4-family vpn-instance vpna peer 10.3.1.1 as-number 65430 import-route direct # ipv4-family vpn-instance vpnb peer 10.4.1.1 as-number 65440 import-route direct # ospf 1 area 0.0.0.0 network 172.2.1.0 0.0.0.255 network 3.3.3.9 0.0.0.0 # return
Issue 01 (2011-10-26)
323

# sysname CE1 # vlan batch 10 # interface Vlanif10 ip address 10.1.1.1 255.255.255.0 # interface GigabitEthernet1/0/0 port hybrid pvid vlan 10 port hybrid tagged vlan 10 # bgp 65410 peer 10.1.1.2 as-number 100 # ipv4-family unicast undo synchronization import-route direct peer 10.1.1.2 enable # return

# sysname CE2 # vlan batch 20 # interface Vlanif20 ip address 10.2.1.1 255.255.255.0 # interface GigabitEthernet1/0/0 port hybrid pvid vlan 20 port hybrid tagged vlan 20 bgp 65420 peer 10.2.1.2 as-number 100 # ipv4-family unicast undo synchronization import-route direct peer 10.2.1.2 enable # return

Issue 01 (2011-10-26)
324

5.12.17 Example for Configuring the QinQ Sub-interface to Access an L3VPN

As shown in Figure 5-17, CE1 and CE3 belong to VPN-A and CE2 and CE4 belong to VPNB. The VPN target of VPN-A is 111:1, and VPN target of VPN-B is 222:2. The users in different VPNs cannot communicate with each other. Switch1 is connected to CE1 and PE1. Switch2 is connected to CE2 and PE2. Switch3 is connected to CE3 and PE3. Switch4 is connected to CE4 and PE4. Selective QinQ is configured on the interface connecting the Switch and CE to add the outer VLAN tag specified by the carrier to packets sent from the CE. When the Switch is connected to multiple CEs, packets with the VLAN tag sent from different CEs are added with the same outer VLAN tag. This saves public VLANs.
Issue 01 (2011-10-26)
325
Figure 5-17 Networking diagram for configuring the QinQ sub-interface to access an L3VPN
VPN-A CE1
AS: 65410
AS: 65430 VPN-A CE3 GE1/0/0 Loopback1 2.2.2.9/32 GE1/0/0 GE2/0/0 GE1/0/0 Switch3 GE2/0/0 PE2 GE1/0/0 Loopback1 3.3.3.9/32
GE1/0/0 GE1/0/0 Switch1
GE2/0/0 GE1/0/0 PE1 GE3/0/0 GE2/0/0 GE1/0/0
Loopback1 1.1.1.9/32 GE2/0/0 Switch2 GE1/0/0 CE2 VPN-B
GE3/0/0 P GE2/0/0 GE2/0/0 MPLS backbone AS: 100 Switch4 GE1/0/0 GE1/0/0
AS: 65420
Switch PE1 Interface GigabitEthernet1/0/0 GigabitEthernet2/0/0 GigabitEthernet3/0/0 PE2 GigabitEthernet1/0/0 GigabitEthernet2/0/0 GigabitEthernet3/0/0 P GigabitEthernet1/0/0 GigabitEthernet2/0/0 CE1 CE2 CE3 CE4 GigabitEthernet1/0/0 GigabitEthernet1/0/0 GigabitEthernet1/0/0 GigabitEthernet1/0/0 Layer 3 interface GigabitEthernet1/0/0.1 GigabitEthernet2/0/0.1 VLANIF 30 GigabitEthernet1/0/0.1 GigabitEthernet2/0/0.1 VLANIF 60 VLANIF 30 VLANIF 60 VLANIF 10 VLANIF 20 VLANIF 10 VLANIF 20
CE4 VPN-B AS: 65440

IP address 10.1.1.2/24 10.2.1.2/24 172.1.1.1/24 10.3.1.2/24 10.4.1.2/24 172.2.1.2/24 172.1.1.2/24 172.2.1.1/24 10.1.1.1/24 10.2.1.1/24 10.3.1.1/24 10.4.1.1/24
Issue 01 (2011-10-26)
326
1.
On the backbone network, configure VPN instances on the PEs connected to CEs and bind related VPNs to the interfaces connected to the CEs. Then, assign IP addresses to the interfaces connected to the CEs. Configure OSPF between the PEs to implement interworking between PEs. Configure basic MPLS functions and MPLS LDP and create MPLS LSPs. Configure MP-IBGP for exchanging VPN routing information. Configure EBGP between the CE and the PE to exchange VPN routing information. Configure the QinQ sub-interface to access an L3VPN on the interface connecting the PE and Switch. Configure selective QinQ on the interface connecting the Switch and CE.
2. 3. 4. 5. 6. 7.
Data Preparation
To complete the configuration, you need the following data: l l l l l l IDs of the VLANs that the interfaces belong to, as shown in Figure 5-17 IP addresses of VLANIF interface, as shown in Figure 5-17 MPLS LSR-IDs of PEs and P RDs of VPN-A and VPN-B VPN targets of received and sent routes of VPN-A and VPN-B Encapsulation mode and VLAN ID of the sub-interface
Procedure
Step 1 On the interface of the switch, configure selective QinQ and the VLAN whose packets can pass through the interface. # Configure Switch1.
[Switch3] vlan 100 [Switch3-vlan100] quit [Switch3] interface gigabitethernet 2/0/0 [Switch3-GigabitEthernet2/0/0] port hybrid tagged vlan 100
Issue 01 (2011-10-26)
327
[Switch3-GigabitEthernet2/0/0] quit [Switch3] interface gigabitethernet 1/0/0 [Switch3-GigabitEthernet1/0/0] port hybrid untagged vlan 100 [Switch3-GigabitEthernet1/0/0] port vlan-stacking vlan 10 stack-vlan 100 [Switch3-GigabitEthernet1/0/0] quit
Step 2 Configure an IGP on the MPLS backbone network so that the PE and P can interwork with each other. # Configure PE1.
<Quidway> system-view [Quidway] sysname PE1 [PE1] interface loopback 1 [PE1-LoopBack1] ip address 1.1.1.9 32 [PE1-LoopBack1] quit [PE1] vlan batch 30 [PE1] interface GigabitEthernet 3/0/0 [PE1-GigabitEthernet3/0/0]port hybrid pvid vlan 30 [PE1-GigabitEthernet3/0/0]port hybrid untagged vlan 30 [PE1-GigabitEthernet3/0/0] quit [PE1] interface vlanif 30 [PE1-Vlanif30] ip address 172.1.1.1 24 [PE1-Vlanif30] quit [PE1] ospf [PE1-ospf-1] area 0 [PE1-ospf-1-area-0.0.0.0] network 172.1.1.0 0.0.0.255 [PE1-ospf-1-area-0.0.0.0] network 1.1.1.9 0.0.0.0 [PE1-ospf-1-area-0.0.0.0] quit [PE1-ospf-1] quit
# Configure P.
<Quidway> system-view [Quidway] sysname P [P] interface loopback 1 [P-LoopBack1] ip address 2.2.2.9 32 [P-LoopBack1] quit [P] vlan batch 30 60 [P] interface GigabitEthernet 1/0/0 [P-GigabitEthernet1/0/0] port hybrid pvid vlan 30 [P-GigabitEthernet1/0/0] port hybrid untagged vlan 30 [P-GigabitEthernet1/0/0] quit [P] interface GigabitEthernet 2/0/0 [P-GigabitEthernet2/0/0] port hybrid pvid vlan 60 [P-GigabitEthernet2/0/0] port hybrid untagged vlan 60 [P-GigabitEthernet2/0/0] quit [P] interface vlanif 30 [P-Vlanif30] ip address 172.1.1.2 24 [P-Vlanif30] quit [P] interface vlanif 60 [P-Vlanif60] ip address 172.2.1.1 24 [P-Vlanif60] quit [P] ospf [P-ospf-1] area 0 [P-ospf-1-area-0.0.0.0] network 172.1.1.0 0.0.0.255 [P-ospf-1-area-0.0.0.0] network 172.2.1.0 0.0.0.255 [P-ospf-1-area-0.0.0.0] network 2.2.2.9 0.0.0.0
Issue 01 (2011-10-26)
328

[P-ospf-1-area-0.0.0.0] quit [P-ospf-1] quit
# Configure PE2.
<Quidway> system-view [Quidway] sysname PE2 [PE2] interface loopback 1 [PE2-LoopBack1] ip address 3.3.3.9 32 [PE2-LoopBack1] quit [PE2] vlan batch 60 [PE2] interface GigabitEthernet 3/0/0 [PE2-GigabitEthernet3/0/0] port hybrid pvid vlan 60 [PE2-GigabitEthernet3/0/0] port hybrid untagged vlan 60 [PE2-GigabitEthernet3/0/0] quit [PE2] interface vlanif 60 [PE2-Vlanif20] ip address 172.2.1.2 24 [PE2-Vlanif20] quit [PE2] ospf [PE2-ospf-1] area 0 [PE2-ospf-1-area-0.0.0.0] network 172.2.1.0 0.0.0.255 [PE2-ospf-1-area-0.0.0.0] network 3.3.3.9 0.0.0.0 [PE2-ospf-1-area-0.0.0.0] quit [PE2-ospf-1] quit
After the configuration, OSPF relations are established between PE1, P, and PE2. Run the display ospf peer command, and you can view that the status of the OSPF relations is Full. Run the display ip routing-table command, and you can view that the PEs can learn the routes of Loopback1 interfaces of each other. Take the display on PE1 as an example.
[PE1] display ip routing-table Route Flags: R - relied, D - download to fib -----------------------------------------------------------------------------Routing Tables: Public Destinations : 9 Routes : 9 Destination/Mask Proto Pre 0 10 10 0 0 0 0 0 0 0 10 0 Cost 0 1 2 0 0 0 0 0 0 0 2 0 Flags NextHop D D D D D D D D D D D D 127.0.0.1 172.1.1.2 172.1.1.2 127.0.0.1 127.0.0.1 127.0.0.1 172.1.1.1 127.0.0.1 172.1.1.2 127.0.0.1 172.1.1.2 127.0.0.1 Interface InLoopBack0 Vlanif30 Vlanif30 InLoopBack0 InLoopBack0 InLoopBack0 Vlanif30 InLoopBack0 Vlanif30 InLoopBack0 Vlanif30 InLoopBack0
1.1.1.9/32 Direct 2.2.2.9/32 OSPF 3.3.3.9/32 OSPF 127.0.0.0/8 Direct 127.0.0.1/32 Direct 127.255.255.255/32 Direct 172.1.1.0/24 Direct 172.1.1.1/32 Direct 172.1.1.2/32 Direct 172.1.1.255/32 Direct 172.2.1.0/24 OSPF 255.255.255.255/32 Direct [PE1] display ospf peer
OSPF Process 1 with Router ID 1.1.1.9 Neighbors Area 0.0.0.0 interface 172.1.1.1(Vlanif30)'s neighbors Router ID: 172.1.1.2 Address: 172.1.1.2 State: Full Mode:Nbr is Master Priority: 1 DR: None BDR: None MTU: 1500 Dead timer due in 37 sec Neighbor is up for 00:16:21 Authentication Sequence: [ 0 ]
Step 3 Configure basic MPLS functions, enable MPLS LDP, and establish LDP LSPs on the MPLS backbone network. # Configure PE1.

# Configure the P.
# Configure PE2.
After the configuration, LDP sessions should be set up between PE1 and P, and between PE2 and P. Run the display mpls ldp session command, and you can view that Status is Operational. Run the display mpls ldp lsp command, and you can view the establishment of LDP LSPs. Take the display on PE1 as an example:
[PE1] display mpls ldp session LDP Session(s) in Public Network -----------------------------------------------------------------------------Peer-ID Status LAM SsnRole SsnAge KA-Sent/Rcv -----------------------------------------------------------------------------2.2.2.9:0 Operational DU Active 000:00:01 6/6 -----------------------------------------------------------------------------TOTAL: 1 session(s) Found. LAM : Label Advertisement Mode SsnAge Unit : DDD:HH:MM [PE1] display mpls ldp lsp LDP LSP Information -----------------------------------------------------------------------------SN DestAddress/Mask In/OutLabel Next-Hop In/Out-Interface -----------------------------------------------------------------------------1 1.1.1.9/32 3/NULL 127.0.0.1 Vlanif30/InLoop0 2 2.2.2.9/32 NULL/3 172.1.1.2 -------/Vlanif30 3 3.3.3.9/32 NULL/1025 172.1.1.2 -------/Vlanif30 ------------------------------------------------------------------------------
Issue 01 (2011-10-26)
330

TOTAL: 3 Normal LSP(s) Found. TOTAL: - Liberal LSP(s) Found. A '*' before an LSP means the LSP is not established A '*' before a Label means the USCB or DSCB is stale
Step 4 Configure VPN instances on the PEs and connect the CEs to the PEs. # Configure PE1.
[PE1] ip vpn-instance vpna [PE1-vpn-instance-vpna] route-distinguisher 100:1 [PE1-vpn-instance-vpna] vpn-target 111:1 both [PE1-vpn-instance-vpna] quit [PE1] ip vpn-instance vpnb [PE1-vpn-instance-vpnb] route-distinguisher 100:2 [PE1-vpn-instance-vpnb] vpn-target 222:2 both [PE1-vpn-instance-vpnb] quit [PE1] interface gigabitethernet 1/0/0.1 [PE1-GigabitEthernet1/0/0.1] control-vid 1000 qinq-termination rt-protocol [PE1-GigabitEthernet1/0/0.1] qinq termination pe-vid 100 ce-vid 10 [PE1-GigabitEthernet1/0/0.1] ip binding vpn-instance vpna [PE1-GigabitEthernet1/0/0.1] ip address 10.1.1.2 24 [PE1-GigabitEthernet1/0/0.1] arp broadcast enable [PE1-GigabitEthernet1/0/0.1] quit [PE1] interface gigabitethernet 2/0/0.1 [PE1-GigabitEthernet2/0/0.1] control-vid 2000 qinq-termination rt-protocol [PE1-GigabitEthernet2/0/0.1] qinq termination pe-vid 200 ce-vid 20 [PE1-GigabitEthernet2/0/0.1] ip binding vpn-instance vpnb [PE1-GigabitEthernet2/0/0.1] ip address 10.2.1.2 24 [PE1-GigabitEthernet2/0/0.1] arp broadcast enable [PE1-GigabitEthernet2/0/0.1] quit
# Configure PE2.
[PE2] ip vpn-instance vpna [PE2-vpn-instance-vpna] route-distinguisher 200:1 [PE2-vpn-instance-vpna] vpn-target 111:1 both [PE2-vpn-instance-vpna] quit [PE2] ip vpn-instance vpnb [PE2-vpn-instance-vpnb] route-distinguisher 200:2 [PE2-vpn-instance-vpnb] vpn-target 222:2 both [PE2-vpn-instance-vpnb] quit [PE2] interface gigabitethernet 1/0/0.1 [PE2-GigabitEthernet1/0/0.1] control-vid 1000 qinq-termination rt-protocol [PE2-GigabitEthernet1/0/0.1] qinq termination pe-vid 100 ce-vid 10 [PE2-GigabitEthernet1/0/0.1] ip binding vpn-instance vpna [PE2-GigabitEthernet1/0/0.1] ip address 10.3.1.2 24 [PE2-GigabitEthernet1/0/0.1] arp broadcast enable [PE2-GigabitEthernet1/0/0.1] quit [PE2] interface gigabitethernet 2/0/0.1 [PE2-GigabitEthernet2/0/0.1] control-vid 2000 qinq-termination rt-protocol [PE2-GigabitEthernet2/0/0.1] qinq termination pe-vid 200 ce-vid 20 [PE2-GigabitEthernet2/0/0.1] ip binding vpn-instance vpnb [PE2-GigabitEthernet2/0/0.1] ip address 10.4.1.2 24 [PE2-GigabitEthernet2/0/0.1] arp broadcast enable [PE2-GigabitEthernet2/0/0.1] quit
# Assign IP addresses to the interfaces on the CEs according to Figure 5-17. The configuration procedure is not mentioned here. After the configuration, run the display ip vpn-instance verbose command on the PEs, and you can view the configuration of VPN instances. The PE can ping the connected CE successfully.
NOTE
If multiple interfaces on a PE are bound to the same VPN, you must specify the source IP address when you run the ping -vpn-instance command to ping the CE connected to the peer PE. That is, specify -a source-ip-address in the ping -vpn-instance vpn-instance-name -a source-ip-address dest-ip-address command. Otherwise, the ping operation may fail.
Issue 01 (2011-10-26)
331
Take the display on PE1 and CE1 as an example.

[PE1] display ip vpn-instance verbose Total VPN-Instances configured : 2 VPN-Instance Name and ID : vpna, 1 Create date : 2008/11/24 16:28:27 Up time : 0 days, 00 hours, 11 minutes and 25 seconds Route Distinguisher : 100:1 Export VPN Targets : 111:1 Import VPN Targets : 111:1 Label policy : label per route The diffserv-mode Information is : uniform The ttl-mode Information is : pipe Interfaces : Vlanif10 VPN-Instance Name and ID : vpnb, 2 Create date : 2008/11/24 16:30:37 Up time : 0 days, 00 hours, 09 minutes and 15 seconds Route Distinguisher : 100:2 Export VPN Targets : 222:2 Import VPN Targets : 222:2 Label policy : label per route The diffserv-mode Information is : uniform The ttl-mode Information is : pipe Interfaces : Vlanif20 [PE1] ping -vpn-instance vpna 10.1.1.1 PING 10.1.1.1: 56 data bytes, press CTRL_C to break Reply from 10.1.1.1: bytes=56 Sequence=1 ttl=255 time=5 ms Reply from 10.1.1.1: bytes=56 Sequence=2 ttl=255 time=3 ms Reply from 10.1.1.1: bytes=56 Sequence=3 ttl=255 time=3 ms Reply from 10.1.1.1: bytes=56 Sequence=4 ttl=255 time=3 ms Reply from 10.1.1.1: bytes=56 Sequence=5 ttl=255 time=16 ms --- 10.1.1.1 ping statistics --5 packet(s) transmitted 5 packet(s) received 0.00% packet loss round-trip min/avg/max = 3/6/16 ms
Step 5 Set up EBGP peer relations between PEs and CEs to import VPN routes. # Configure CE1.
[CE1] bgp 65410 [CE1-bgp] peer 10.1.1.2 as-number 100 [CE1-bgp] import-route direct
NOTE
The configurations of CE2, CE3 and CE4 are similar to the configuration of CE1, and are not mentioned here.
# Configure PE1.
[PE1] bgp 100 [PE1-bgp] ipv4-family vpn-instance vpna [PE1-bgp-vpna] peer 10.1.1.1 as-number 65410 [PE1-bgp-vpna] import-route direct [PE1-bgp-vpna] quit [PE1-bgp] ipv4-family vpn-instance vpnb [PE1-bgp-vpnb] peer 10.2.1.1 as-number 65420 [PE1-bgp-vpnb] import-route direct [PE1-bgp-vpnb] quit
NOTE
The configuration of PE2 is similar to the configuration of PE1, and is not mentioned here.
Issue 01 (2011-10-26)
332
After the configuration, run the display bgp vpnv4 vpn-instance peer command on the PE, and you can see that the BGP peer relation between the PE and CE is in Established state. Take the peer relation between PE1 and CE1 as an example:
[PE1] display bgp vpnv4 vpn-instance vpna peer BGP local router ID : 1.1.1.9 Local AS number : 100 Total number of peers : 1 Peer PrefRcv 118.118.118.2 1 V AS MsgRcvd 11 MsgSent 9
4 65410
0 00:07:25
Step 6 Set up MP-IBGP peer relations between PEs. # Configure PE1.

[PE1] bgp 100 [PE1-bgp] peer 3.3.3.9 as-number 100 [PE1-bgp] peer 3.3.3.9 connect-interface loopback 1 [PE1-bgp] ipv4-family vpnv4 [PE1-bgp-af-vpnv4] peer 3.3.3.9 enable [PE1-bgp-af-vpnv4] quit [PE1-bgp] quit
# Configure PE2.
[PE2] bgp 100 [PE2-bgp] peer 1.1.1.9 as-number 100 [PE2-bgp] peer 1.1.1.9 connect-interface loopback 1 [PE2-bgp] ipv4-family vpnv4 [PE2-bgp-af-vpnv4] peer 1.1.1.9 enable [PE2-bgp-af-vpnv4] quit
After the configuration, run the display bgp peer or display bgp vpnv4 all peer command, and you can view that the BGP peer relation between the PEs is in Established state.
[PE1] display bgp peer BGP local router ID : 1.1.1.9 Local AS number : 100 Total number of peers : 1 Peer PrefRcv 3.3.3.9 0 [PE1] display bgp vpnv4 all peer BGP local router ID : 1.1.1.9 Local AS number : 100 Total number of peers : 3 Peer PrefRcv V AS MsgRcvd 12 MsgSent 18 V 4 AS 100 MsgRcvd 12 MsgSent 6
0 00:02:21
Peers in established state : 3 OutQ 0 Up/Down 00:09:38 State Established 0
3.3.3.9 4 100 Peer of vpn instance: vpn instance vpna : 10.1.1.1 4 65410 vpn instance vpnb : 10.2.1.1 4 65420
25 21
25 22
0 0
00:17:57 00:17:10
Established Established
1 1
Issue 01 (2011-10-26)
333
Step 7 Verify the configuration. Run the display ip routing-table vpn-instance command on a PE, and you can view the routes to the remote CE. Take the display on PE1 as an example:
[PE1] display ip routing-table vpn-instance vpna Route Flags: R - relied, D - download to fib -----------------------------------------------------------------------------Routing Tables: vpna Destinations : 3 Routes : 3 Destination/Mask Proto Pre Cost Flags NextHop Interface 10.1.1.0/24 Direct 0 0 D 10.1.1.2 Vlanif10 10.1.1.2/32 Direct 0 0 D 127.0.0.1 InLoopBack0 10.1.1.255/32 Direct 0 0 D 127.0.0.1 InLoopBack0 10.3.1.0/24 BGP 255 0 RD 3.3.3.9 Vlanif30 [PE1] display ip routing-table vpn-instance vpnb Route Flags: R - relied, D - download to fib -----------------------------------------------------------------------------Routing Tables: vpnb Destinations : 3 Routes : 3 Destination/Mask 10.2.1.0/24 10.2.1.2/32 10.2.1.255/32 10.4.1.0/24 Proto Direct Direct Direct BGP Pre 0 0 0 255 Cost 0 0 0 0 Flags D D D RD NextHop 10.2.1.2 127.0.0.1 127.0.0.1 3.3.3.9 Interface Vlanif20 InLoopBack0 InLoopBack0 Vlanif30
The CEs in the same VPN can ping each other, but the CEs in different VPNs cannot ping each other. For example, CE1 can ping CE3 (10.3.1.1) but cannot ping CE4 (10.4.1.1).
[CE1] ping 10.3.1.1 PING 10.3.1.1: 56 data bytes, press CTRL_C to break Reply from 10.3.1.1: bytes=56 Sequence=1 ttl=253 time=72 Reply from 10.3.1.1: bytes=56 Sequence=2 ttl=253 time=34 Reply from 10.3.1.1: bytes=56 Sequence=3 ttl=253 time=50 Reply from 10.3.1.1: bytes=56 Sequence=4 ttl=253 time=50 Reply from 10.3.1.1: bytes=56 Sequence=5 ttl=253 time=34 --- 10.3.1.1 ping statistics --5 packet(s) transmitted 5 packet(s) received 0.00% packet loss round-trip min/avg/max = 34/48/72 ms [CE1] ping 10.4.1.1 PING 10.4.1.1: 56 data bytes, press CTRL_C to break Request time out Request time out Request time out Request time out Request time out --- 10.4.1.1 ping statistics --5 packet(s) transmitted 0 packet(s) received 100.00% packet loss
ms ms ms ms ms
----End
Configuration Files
l Configuration file of PE1
# sysname PE1 #
Issue 01 (2011-10-26)
334

vlan batch 30 # ip vpn-instance vpna route-distinguisher 100:1 vpn-target 111:1 export-extcommunity vpn-target 111:1 import-extcommunity ip vpn-instance vpnb route-distinguisher 100:2 vpn-target 222:2 export-extcommunity vpn-target 222:2 import-extcommunity # mpls lsr-id 1.1.1.1 mpls # mpls ldp # interface Vlanif30 ip address 172.1.1.1 255.255.255.0 mpls mpls ldp # interface GigabitEthernet1/0/0 # interface GigabitEthernet1/0/0.1 control-vid 1000 qinq-termination rt-protocol qinq termination pe-vid 100 ce-vid 10 ip binding vpn-instance vpna ip address 10.1.1.2 255.255.255.0 arp broadcast enable # interface GigabitEthernet2/0/0 # interface GigabitEthernet2/0/0.1 control-vid 2000 qinq-termination rt-protocol qinq termination pe-vid 200 ce-vid 20 ip binding vpn-instance vpnb ip address 10.2.1.2 255.255.255.0 arp broadcast enable # interface GigabitEthernet3/0/0 port hybrid pvid vlan 30 port hybrid untagged vlan 30 # interface LoopBack1 ip address 1.1.1.9 255.255.255.255 # bgp 100 peer 3.3.3.9 as-number 100 peer 3.3.3.9 connect-interface LoopBack1 # ipv4-family unicast undo synchronization peer 3.3.3.9 enable # ipv4-family vpnv4 policy vpn-target peer 3.3.3.9 enable # ipv4-family vpn-instance vpna peer 10.1.1.1 as-number 65410 import-route direct # ospf 1 area 0.0.0.0 network 172.1.1.0 0.0.0.255 network 1.1.1.9 0.0.0.0 # return
l
Issue 01 (2011-10-26)

# sysname P # vlan batch 30 60 # mpls lsr-id 2.2.2.9 mpls # mpls ldp # interface Vlanif30 ip address 172.1.1.2 255.255.255.0 mpls mpls ldp # interface Vlanif60 ip address 172.2.1.1 255.255.255.0 mpls mpls ldp # interface GigabitEthernet1/0/0 port hybrid pvid vlan 30 port hybrid untagged vlan 30 # interface GigabitEthernet2/0/0 port hybrid pvid vlan 60 port hybrid untagged vlan 60 # interface LoopBack1 ip address 2.2.2.9 255.255.255.255 # ospf 1 area 0.0.0.0 network 172.1.1.0 0.0.0.255 network 172.2.1.0 0.0.0.255 network 2.2.2.9 0.0.0.0 # return

# sysname PE2 # vlan batch 60 # ip vpn-instance vpna route-distinguisher 200:1 vpn-target 111:1 export-extcommunity vpn-target 111:1 import-extcommunity # ip vpn-instance vpnb route-distinguisher 200:2 vpn-target 222:2 export-extcommunity vpn-target 222:2 import-extcommunity # mpls lsr-id 3.3.3.9 mpls # mpls ldp # interface Vlanif60 ip address 172.2.1.2 255.255.255.0 mpls mpls ldp # interface GigabitEthernet1/0/0 # interface GigabitEthernet1/0/0.1 control-vid 1000 qinq-termination rt-protocol
Issue 01 (2011-10-26)
336

qinq termination pe-vid 100 ce-vid 10 ip binding vpn-instance vpna ip address 10.3.1.2 255.255.255.0 arp broadcast enable # interface GigabitEthernet2/0/0 # interface GigabitEthernet2/0/0.1 control-vid 2000 qinq-termination rt-protocol qinq termination pe-vid 200 ce-vid 20 ip binding vpn-instance vpnb ip address 10.4.1.2 255.255.255.0 arp broadcast enable # interface GigabitEthernet3/0/0 port hybrid pvid vlan 60 port hybrid untagged vlan 60 # interface LoopBack1 ip address 3.3.3.9 255.255.255.255 # bgp 100 peer 1.1.1.9 as-number 100 peer 1.1.1.9 connect-interface LoopBack1 # ipv4-family unicast undo synchronization peer 1.1.1.9 enable # ipv4-family vpnv4 policy vpn-target peer 1.1.1.9 enable # ipv4-family vpn-instance vpna peer 10.3.1.1 as-number 65430 import-route direct # ipv4-family vpn-instance vpnb peer 10.4.1.1 as-number 65440 import-route direct # ospf 1 area 0.0.0.0 network 172.2.1.0 0.0.0.255 network 3.3.3.9 0.0.0.0 # return

# sysname CE1 # vlan batch 10 # interface Vlanif10 ip address 10.1.1.1 255.255.255.0 # interface GigabitEthernet1/0/0 port hybrid pvid vlan 10 port hybrid tagged vlan 10 # bgp 65410 peer 10.1.1.2 as-number 100 # ipv4-family unicast undo synchronization import-route direct peer 10.1.1.2 enable
Issue 01 (2011-10-26)
337

# return

# sysname CE2 # vlan batch 20 # interface Vlanif20 ip address 10.2.1.1 255.255.255.0 # interface GigabitEthernet1/0/0 port hybrid pvid vlan 20 port hybrid tagged vlan 20 bgp 65420 peer 10.2.1.2 as-number 100 # ipv4-family unicast undo synchronization import-route direct peer 10.2.1.2 enable # return


# sysname CE4 # vlan batch 20 # interface Vlanif20 ip address 10.4.1.1 255.255.255.0 # interface GigabitEthernet1/0/0 port hybrid pvid vlan 20 port hybrid tagged vlan 20 # bgp 65440 peer 10.4.1.2 as-number 100 # ipv4-family unicast undo synchronization import-route direct peer 10.4.1.2 enable
Issue 01 (2011-10-26)
338

# return




Issue 01 (2011-10-26)
339
6 GVRP Configuration
6
About This Chapter
GVRP Configuration
This chapter describes basic concepts involved in GVRP, GVRP configuration procedures, and concludes with a GVRP configuration example. 6.1 GVRP Overview This section explains the concepts of Generic Attribute Registration Protocol (GARP) and GARP VLAN Registration Protocol (GVRP), and how they relate to each another. 6.2 GVRP Features Supported by the S9300 This section describes the GVRP features supported by the S9300. 6.3 Configuring GVRP This section describes how to configure the GVRP function. 6.4 Maintaining GVRP This section describes how to clear the statistics about GARP. 6.5 Configuration Examples This section provides configuration examples of GVRP.
Issue 01 (2011-10-26)
340
6.1 GVRP Overview

This section explains the concepts of Generic Attribute Registration Protocol (GARP) and GARP VLAN Registration Protocol (GVRP), and how they relate to each another.
GVRP
GVRP is an application of GARP that maintains and propagates VLAN registration information to other devices.
GARP
GARP enables member switches on a LAN to distribute, transmit, and register information such as VLAN information and multicast addresses with one another. GARP is not an entity on a device. GARP-compliant entities are called GARP participants. GVRP is a GARP application. When a GARP application runs on an interface, the interface is considered a GARP participant. l GARP messages and timers GARP messages GARP members transmit VLAN registration information by exchanging GARP messages. The three main GARP messages are Join, Leave, and LeaveAll. When a GARP participant expects other devices to register its attributes, it sends Join messages to other devices. When the GARP participant receives a Join message from another participant or is configured with attributes statically, it also sends Join messages to other devices for the devices to register the new attributes. When a GARP participant expects other devices to deregister its attributes, it sends Leave messages to other devices. When the GARP participant receives a Leave message from another participant or some of its attributes are deregistered statically, it also sends Leave messages to other devices. When a GARP participant is enabled, the LeaveAll timer is started. When the LeaveAll timer expires, the GARP participant sends LeaveAll messages to request other GARP participants to deregister all the attributes of the sender. Then other participants can re-register the attributes. The Join, Leave, and LeaveAll messages are used to control registration and deregistration of attributes. Through GARP messages, all attributes that need to be registered are sent to all the GARP-enabled devices on the same LAN. GARP timers The intervals for sending GARP messages are controlled by GARP timers. GARP defines four timers to control the intervals for sending GARP messages. Hold timer: When a GARP participant receives a registration message from another participant, it does not send the registration message in a Join message to other participants immediately. Instead, the participant starts the Hold timer. When the Hold timer expires, the participant packs all the registration messages received within this period in a Join message and sends the Join message to other participants. This saves bandwidth on the network.
Join timer: To ensure reliable transmission of Join messages, a participant can send each Join message twice. If the participant does not receive the response after sending the Join message the first time, it sends the Join message again. The Join timer specifies the interval between the two Join messages. Leave timer: When a GARP participant expects other participants to deregister its attribute, it sends Leave messages to other participants. When another participant receives the Leave message, it starts the Leave timer. If the participant does not receive any Join message before the Leave timer expires, it deregisters the attributes of the Leave message sender. LeaveAll timer: When a GARP participant is enabled, the LeaveAll timer is started. When the LeaveAll timer expires, the GARP participant sends LeaveAll messages to request other GARP participants to re-register all its attributes. Then the LeaveAll timer restarts.
NOTE
l The GARP timers apply to all GARP participants (such as GVRP) on the same LAN. l The Hold timer, Join timer, and Leave timer must be set individually on each interface, whereas the LeaveAll timer is set globally and takes effect on all interfaces of a device. l Devices on a network may have different settings of the LeaveAll timer. In this case, all the devices use the smallest LeaveAll timer value on the network. When the LeaveAll timer of a device expires, the device sends LeaveAll messages to other devices. After other devices receive the LeaveAll messages, they reset their LeaveAll timers. Therefore, only the LeavelAll timer with the smallest value takes effect even if devices have different settings of the LeaveAll timer.
GARP operation process Through GARP, the configuration information of a GARP member can be propagated on the entire LAN. A GARP member may be a terminal workstation or a bridge. A GARP member sends an attribute declaration or an attribute reclaim declaration to request other GARP members to register or deregister its attributes. The GARP member can also register or deregister attributes of other members when receiving attribute declarations or attribute reclaim declarations from other members. When an interface receives an attribute declaration, it registers the attribute. When the interface receives an attribute reclaim declaration, the interface deregisters the attribute. PDUs sent from a GARP participant use a multicast MAC address as the destination MAC address. When a device receives a packet from a GARP participant, the device identifies the packet according to the destination MAC address of the packet and sends the packet to the corresponding GARP participant (such as GVRP).
Format of a GARP packet Figure 6-1 shows the format of a GARP packet.
Issue 01 (2011-10-26)
342
Figure 6-1 Format of a GARP packet
DA SA length DSAP SSAP Ctrl 1 3
PDU N
Ethernet Frame
Protocol ID Message 1 Message N End Mark 1 Attribute Type 1 Attribute 1 1 2 2 Attribute List N Attribute N End Mark 3 N N
GARP PDU structure
Message structure
Attribute List structure
Attribute Length Attribute Event Attribute Value
Attribute structure
The following table describes the fields in a GARP packet. Field Protocol ID Message Description Indicates the protocol ID. Indicates the messages in the packet. A message consists of the Attribute Type and Attribute List fields. Indicates the type of an attribute, which is defined by the GARP application. Indicates the attribute list, which consists of multiple attributes. Indicates an attribute, which consists of the Attribute Length, Attribute Event, and Attribute Value fields. Indicates the length of an attribute. Value The value is 1. -
Attribute Type
The value is 0x01 for GVRP, indicating that the attribute value is a VLAN ID. -
Attribute List
Attribute
Attribute Length
The value ranges from 2 to 255, in bytes.
Issue 01 (2011-10-26)
343
Field Attribute Event
Description Indicates the event that an attribute describes. The value can be:
Value l 0: LeaveAll event l 1: JoinEmpty event l 2: JoinIn event l 3: LeaveEmpty event l 4: LeaveIn event l 5: Empty event
Attribute Value
Indicates the value of an attribute. Indicates the end of a GARP PDU.
The value is a VLAN ID for GVRP. This field is invalid in a LeaveAll attribute. The value is 0x00.
End Mark
6.2 GVRP Features Supported by the S9300

This section describes the GVRP features supported by the S9300. GVRP is an application of GARP. Based on the working mechanism of GARP, GVRP maintains dynamic VLAN registration information in a device and propagates the registration information to other devices. After GVRP is enabled on the S9300, the S9300 can receive VLAN registration information from other devices and dynamically update local VLAN registration information. VLAN registration information includes which VLAN members are on the VLAN and through which interfaces their packets can be sent to the S9300. The S9300 can also send the local VLAN registration information to other devices. By exchanging VLAN registration information, all the devices on the same LAN have the same VLAN information. The VLAN registration information transmitted through GVRP contains both static local registration information that is manually configured and the dynamic registration information from other devices. A GVRP interface supports three registration modes: l Normal: In this mode, the GVRP interface can dynamically register and deregister VLANs, and transmit dynamic VLAN registration information and static VLAN registration information. Fixed: In this mode, the GVRP interface is disabled from dynamically registering and deregistering VLANs and can transmit only the static registration information. If the registration mode of a trunk interface is set to fixed, the interface allows only the manually configured VLANs to pass even if it is configured to allow all the VLANs to pass. Forbidden: In this mode, the GVRP interface is disabled from dynamically registering and deregistering VLANs and can transmit only information about VLAN 1. If the registration mode of a trunk interface is set to forbidden, the interface allows only VLAN 1 to pass even if it is configured to allow all the VLANs to pass.
NOTE
The S9300 supports a maximum of 4094 dynamic VLANs. The GVRP protocol can run only in the Common and Internal Spanning Tree (CIST) instance. The interface blocked by MSTP in the CIST instance cannot send or receive GVRP packets.
Issue 01 (2011-10-26)
344
6.3 Configuring GVRP

This section describes how to configure the GVRP function.

On a complicated Layer 2 network, you can enable interfaces to dynamically join or leave VLANs by configuring the GVRP function. This simplifies the configuration
Before configuring the GVRP function, complete the following task: l Adding the GVRP interfaces to all VLANs
Data Preparation
To configure the GVRP function, you need the following data. No. 1 2 Data (Optional) Registration mode of GVRP interfaces (Optional) Values of GARP timers
6.3.2 Enabling GVRP

Context
Do as follows on the S9300 to enable GVRP.
Procedure
Step 1 Run:
system-view

gvrp
GVRP is enabled globally. Step 3 Run:


Step 4 Run:

port trunk allow-pass vlan { { vlan-id1 [ to vlan-id2 ] }&<1-10> | all }
The interface is added to the specified VLANs. Step 6 Run:

gvrp
GVRP is enabled on the interface. By default, GVRP is disabled globally and on each interface.
NOTE
l Before enabling GVRP on an interface, you must enable GVRP globally. l Before enabling GVRP on an interface, you must set the link type of the interface to trunk.
----End
6.3.3 (Optional) Setting the Registration Mode of a GVRP Interface

Context
A GVRP interface supports three registration modes: l Normal: In this mode, the GVRP interface can dynamically register and deregister VLANs, and transmit dynamic VLAN registration information and static VLAN registration information. Fixed: In this mode, the GVRP interface is disabled from dynamically registering and deregistering VLANs and can transmit only the static registration information. If the registration mode of a trunk interface is set to fixed, the interface allows only the manually configured VLANs to pass even if it is configured to allow all the VLANs to pass. Forbidden: In this mode, the GVRP interface is disabled from dynamically registering and deregistering VLANs and can transmit only information about VLAN 1. If the registration mode of a trunk interface is set to forbidden, the interface allows only VLAN 1 even if it is configured to allow all the VLANs.
Do as follows on the S9300 to set the registration mode of interfaces.
Procedure
Step 1 Run:
system-view



gvrp registration { fixed | forbidden | normal }
The registration mode of the interface is set. By default, the registration type of a GVRP interface is normal.
NOTE
Before setting the registration mode of an interface, you need to enable GVRP on the interface.
----End
6.3.4 (Optional) Setting the GARP Timers

Context
When a GARP participant is enabled, the LeaveAll timer is started. When the LeaveAll timer expires, the GARP participant sends LeaveAll messages to request other GARP participants to re-register all its attributes. Then the LeaveAll timer restarts. Devices on a network may have different settings of the LeaveAll timer. In this case, all the devices use the smallest LeaveAll timer value on the network. When the LeaveAll timer of a device expires, the device sends LeaveAll messages to other devices. After other devices receive the LeaveAll messages, they reset their LeaveAll timers. Therefore, only the LeavelAll timer with the smallest value takes effect even if devices have different settings of the LeaveAll timer. When using the garp timer command to set the GARP timers, pay attention to the following points: l The undo garp timer command restores the default values of the GARP timers. If the default value of a timer is out of the valid range, the undo garp timer command does not take effect. The value range of each timer changes with the values of the other timers. If a value you set for a timer is not in the allowed range, you can change the value of the timer that determines the value range of this timer. To restore the default values of all the GARP timers, restore the Hold timer to the default value, and then restore the Join timer, Leave timer, and LeaveAll timer to the default values in sequence.
NOTE
In actual application, it is recommended that you use the following values of the GVRP timers: l l l l GARP Hold timer: 100 centiseconds (1 second) GARP Join timer: 600 centiseconds (6 seconds) GARP Leave timer: 3000 centiseconds (30 seconds) GARP LeaveAll timer: 12000 centiseconds (2 minutes)
When more than 100 dynamic VLANs are created, use the preceding recommended values. When the number of dynamic VLANs increases, lengths of the GARP timers need to be increased.
Procedure
Step 1 Run:
system-view

Step 2 Run:
garp timer leaveall timer-value
The value of the LeaveAll timer is set. The default value of the LeaveAll timer is 1000 centiseconds (10 seconds). Step 3 Run:

garp timer { hold | join | leave } timer-value
The value of the Hold timer, Join timer, or Leave timer is set. By default, the value of the Hold timer is 10 centiseconds, the value of the Join timer is 20 centiseconds, and the value of the Leave timer is 60 centiseconds. ----End

Procedure
l l Run the display gvrp status command to view the status of global GVRP is enabled. Run the display gvrp statistics [ interface { interface-type interface-number [ to interfacetype interface-number ] }&<1-10> ] command to view the statistics about GVRP on an interface. Run the display garp timer [ interface { interface-type interface-number [ to interfacetype interface-number ] }&<1-10> ] command to view the values of GARP timers.
----End
6.4 Maintaining GVRP

This section describes how to clear the statistics about GARP.
6.4.1 Clearing GARP Statistics

Context
CAUTION
GARP statistics cannot be restored after being cleared. Therefore, use this command with caution.
Issue 01 (2011-10-26)
348
Procedure
Step 1 Run the reset garp statistics [ interface { interface-type interface-number [ to interface-type interface-number ] }&<1-10> ] command in the user view to clear statistics about GARP on the specified interfaces. ----End

This section provides configuration examples of GVRP.
6.5.1 Example for Configuring GVRP

As shown in Figure 6-2, a branch of company A communicates with the headquarters through Switch A and Switch B. To simplify the configuration, you need to enable GVRP on all switches of company A and set the registration mode to normal on interfaces of these switches. Company B communicates with company A through Switch B and Switch C. To configure switches of company B to transmit packets of only VLANs of company B, you need to enable GVRP on all switches of company B and set the registration mode to fixed on the interfaces connected to switches of company A. Figure 6-2 Networking for configuring GVRP
SwitchB GE1/0/1 SwitchA GE1/0/2 GE1/0/1 Company A GE1/0/2 GE1/0/2 GE1/0/1 SwitchC
Branch of company A
Company A
Company A
Company B
Issue 01 (2011-10-26)
Enable GVRP globally. Set the link type of interfaces to trunk. Enable GVRP on interfaces.
4.
Set the registration mode of interfaces.
Data Preparation
To complete the configuration, you need the following data: l l l l VLANs allowed by interfaces of Switch A, Switch B, and Switch C: all VLANs Registration mode of interfaces of Switch A and Switch B: normal Registration modes of GE 1/0/1 and GE 1/0/2 of Switch C: fixed and normal respectively VLANS of company B on Switch C: VLAN 101 to VLAN 200
Procedure
Step 1 Configure Switch A. # Enable GVRP globally.
<Quidway> system-view [Quidway] sysname SwitchA [SwitchA] gvrp
# Set the link type of GE 1/0/1 and GE 1/0/2 to trunk and configure the interfaces to allow all VLANs.
[SwitchA] interface gigabitethernet [SwitchA-GigabitEthernet1/0/1] port [SwitchA-GigabitEthernet1/0/1] port [SwitchA-GigabitEthernet1/0/1] quit [SwitchA] interface gigabitethernet [SwitchA-GigabitEthernet1/0/2] port [SwitchA-GigabitEthernet1/0/2] port [SwitchA-GigabitEthernet1/0/2] quit 1/0/1 link-type trunk trunk allow-pass vlan all 1/0/2 link-type trunk trunk allow-pass vlan all
# Enable GVRP on the interfaces and set the registration modes of the interfaces.
[SwitchA] interface gigabitethernet [SwitchA-GigabitEthernet1/0/1] gvrp [SwitchA-GigabitEthernet1/0/1] gvrp [SwitchA-GigabitEthernet1/0/1] quit [SwitchA] interface gigabitethernet [SwitchA-GigabitEthernet1/0/2] gvrp [SwitchA-GigabitEthernet1/0/2] gvrp [SwitchA-GigabitEthernet1/0/2] quit 1/0/1 registration normal 1/0/2 registration normal
The configuration of Switch B is similar to the configuration of Switch A, and is not mentioned here. Step 2 Configure Switch C. # Create VLAN 101 to VLAN 200.
<Quidway> system-view [Quidway] sysname SwitchC [SwitchC] vlan batch 101 to 200
# Enable GVRP globally.

[SwitchC] gvrp
# Set the link type of GE 1/0/1 and GE 1/0/2 to trunk and configure the interfaces to allow all VLANs.
[SwitchC] interface gigabitethernet 1/0/1 [SwitchC-GigabitEthernet1/0/1] port link-type trunk
Issue 01 (2011-10-26)
350

[SwitchC-GigabitEthernet1/0/1] port [SwitchC-GigabitEthernet1/0/1] quit [SwitchC] interface gigabitethernet [SwitchC-GigabitEthernet1/0/2] port [SwitchC-GigabitEthernet1/0/2] port [SwitchC-GigabitEthernet1/0/2] quit trunk allow-pass vlan all 1/0/2 link-type trunk trunk allow-pass vlan all
# Enable GVRP on the interfaces and set the registration modes of the interfaces.
[SwitchC] interface gigabitethernet [SwitchC-GigabitEthernet1/0/1] gvrp [SwitchC-GigabitEthernet1/0/1] gvrp [SwitchC-GigabitEthernet1/0/1] quit [SwitchC] interface gigabitethernet [SwitchC-GigabitEthernet1/0/2] gvrp [SwitchC-GigabitEthernet1/0/2] gvrp [SwitchC-GigabitEthernet1/0/2] quit 1/0/1 registration fixed 1/0/2 registration normal
Step 3 Verify the configuration. After the configuration is complete, the branch of company A can communicate with the headquarters, and users of company A in VLAN 101 to VLAN 200 can communicate with users in company B. Run the display gvrp status command on Switch A to check whether GVRP is enabled globally. The following information is displayed:
<SwitchA> display gvrp status GVRP is enabled
Run the display gvrp statistics command on Switch A to view statistics about GVRP on GVRP interfaces, including the GVRP state of each interface, number of GVRP registration failures, source MAC address of the last GVRP PDU, and registration type of each interface.
<SwitchA> display gvrp statistics GVRP statistics on port GigabitEthernet1/0/1 GVRP status : Enabled GVRP registrations failed : 0 GVRP last PDU origin : 0000-0000-0000 GVRP registration type : Normal GVRP GVRP GVRP GVRP GVRP statistics on port GigabitEthernet1/0/2 status : Enabled registrations failed : 0 last PDU origin : 0000-0000-0000 registration type : Normal
Verify the configurations of Switch B and Switch C in the same way. ----End
Configuration Files
l Configuration file of Switch A
# sysname SwitchA # gvrp # interface GigabitEthernet1/0/1 port link-type trunk port trunk allow-pass vlan 2 to 4094 gvrp # interface GigabitEthernet1/0/2 port link-type trunk
Issue 01 (2011-10-26)
351

port trunk allow-pass vlan 2 to 4094 gvrp # return
# sysname SwitchB # gvrp # interface GigabitEthernet1/0/1 port link-type trunk port trunk allow-pass vlan 2 to 4094 gvrp # interface GigabitEthernet1/0/2 port link-type trunk port trunk allow-pass vlan 2 to 4094 gvrp # return
Configuration file of Switch C
# sysname SwitchC # vlan batch 101 to 200 # gvrp # interface GigabitEthernet1/0/1 port link-type trunk port trunk allow-pass vlan 2 to 4094 gvrp gvrp registration fixed # interface GigabitEthernet1/0/2 port link-type trunk port trunk allow-pass vlan 2 to 4094 gvrp # return
Issue 01 (2011-10-26)
352
7 MAC Address Table Configuration
MAC Address Table Configuration
About This Chapter

This chapter provides the basics for MAC address table configuration, configuration procedure, and configuration examples. 7.1 MAC Address Table Overview This section describes the definition of the MAC address table, how MAC address entries are generated, and how packets are forwarded based on the MAC address table. 7.2 MAC Address Features Supported by the S9300 This section describes the MAC address features supported by the S9300 and provides usage scenarios of the features to help you complete configuration tasks quickly and accurately. 7.3 Configuring a Static MAC Address Entry A static MAC address entry specifies an outbound interface for packets destined for a specified MAC address. Static MAC address entries protect the S9300 from MAC address attacks. 7.4 Configuring a Blackhole MAC Address Entry You can configure a blackhole MAC address entry so that the S9300 can discard packets with the specified source or destination MAC address. 7.5 Setting the Aging Time of Dynamic MAC Address Entries Dynamic MAC address entries are created by the S9300 and can be aged out. Setting a proper aging time prevents sharp increase of MAC address entries. 7.6 Disabling MAC Address Learning If a fixed device is connected to an interface, you can disable MAC address learning on the interface. This prevents other devices from accessing the interface and improves device security. 7.7 Limiting the Number of Learned MAC Addresses This section describes how to limit the number of MAC addresses learned on an interface, in a VLAN, in a slot, or in a VSI. 7.8 Configuring Port Security The port security function prevents devices with untrusted MAC addresses from accessing an interface. This function is applicable to the networks that require high access security. 7.9 Configuring MAC Address Anti-Flapping This section describes how to prevent MAC address flapping between interfaces.
7.10 Configuring MAC Address Flapping Detection This section describes how to configure MAC address flapping detection. 7.11 Configuring the S9300 to Discard Packets with an All-0 MAC Address You can configure the S9300 to discard packets with an all-0 source or destination MAC address. 7.12 Enabling MAC Address Triggered ARP Entry Update The MAC address triggered ARP entry update function enables the S9300 to update the corresponding ARP entry when the outbound interface in a MAC address entry changes. 7.13 Enabling Port Bridge The port bridge function enables an interface to process packets in which the source and destination MAC addresses are the same. 7.14 Configuration Examples This section provides several examples for the configuration of the MAC address table.
Issue 01 (2011-10-26)
354
7.1 MAC Address Table Overview

This section describes the definition of the MAC address table, how MAC address entries are generated, and how packets are forwarded based on the MAC address table.
Definition
A MAC address table is maintained on each Line Processing Unit (LPU) of theS9300. The MAC address table stores the MAC addresses of other devices learned by the S9300, the VLAN IDs, and the outbound interfaces that are used to send data. Before forwarding a data packet, the S9300 searches the MAC address table based on the destination MAC address and the VLAN ID of the packet to find the outbound interface quickly. This reduces the number of broadcast packets.
Creation of MAC Address Entries

MAC address entries can be created dynamically or manually. l Automatic creation: MAC address entries are learned by the system automatically. The MAC address table needs to be updated constantly because the network topology always changes. The automatically created MAC address entries are not always valid. Each entry has an aging time. If an entry is not updated within the aging time, it is deleted. If the entry is updated before its aging time expires, the aging timer is reset. Manual creation: Automatically created MAC address entries cannot distinguish packets of authorized users from attack packets. If a hacker sets the source MAC address of attack packets to the MAC address of an authorized user and connects to another interface of the S9300, the S9300 learns an incorrect MAC address entry. The packets that should be forwarded to the authorized user are forwarded to the hacker. To improve interface security, you can manually create MAC address entries to bind MAC addresses of authorized users to specified interfaces. This prevents hackers from intercepting data of authorized users. Manually created MAC address entries take precedence over automatically created MAC address entries.
Classification of MAC Address Entries

MAC address entries are classified into the following types: l l l Dynamic MAC address entries that are learned by an interface after MAC address learning is enabled. Static MAC address entries that are configured manually. Static MAC address entries take precedence over dynamic MAC address entries. Blackhole MAC address entries that are the manually configured and used to discard data frames with the specified source or destination MAC addresses. Blackhole MAC address entries take precedence over dynamic MAC address entries.
Packet Forwarding Based on the MAC Address Table

The S9300 forwards packets based on the MAC address table in either of the following modes:
Unicast mode: If the destination MAC address of a packet can be found in the MAC address table, the S9300 forwards the packet through the outbound interface specified in the matching entry. Broadcast mode: If a packet is a broadcast or multicast packet or its destination MAC address cannot be found in the MAC address table, the S9300 broadcasts the packet to all the interfaces except the inbound interface of the packet.
7.2 MAC Address Features Supported by the S9300

This section describes the MAC address features supported by the S9300 and provides usage scenarios of the features to help you complete configuration tasks quickly and accurately. You can configure the following MAC address features to improve device security and control the number of entries in the MAC address table: l l l Create static MAC address entries for MAC addresses of fixed upstream devices or trusted user devices to improve communication security. Configure blackhole MAC address entries to protect the S9300 from attacks. Set a proper aging time for dynamic MAC addresses to prevent sharp increase of dynamic MAC address entries.
NOTE
The S9300 supports a maximum of 4 K static and blackhole MAC address entries.
You can use the following methods to improve security or meet special requirements: l Disable MAC address learning. This method can be used on a network where the topology seldom changes or forwarding paths are specified in static MAC address entries. This method prevents users with unknown MAC addresses from accessing the network, protects the network from MAC address attacks, and improves network security. Limit the number of MAC addresses that can be learned. MAC address limiting protects the S9300 from MAC address attacks on an insecure network. Enable port security. If a network requires high security, port security can be configured on the interfaces connected to trusted devices. The port security function prevents devices with untrusted MAC addresses from accessing these interfaces and improves device security. Configure MAC address anti-flapping. If an interface is connected to a trusted upstream device or server, you can set a high MAC address learning priority for the interface. The MAC address learned by the interface will not be overridden by an entry learned by another interface. This protects the S9300 from MAC address attacks. Configure MAC address flapping detection. This function reduces impact of loops on the S9300. Discard packets with an all-0 MAC address. A faulty device may send packets with an all-0 source or destination MAC address to the S9300. You can configure the S9300 to discard such packets and send a trap to the network management system (NMS). You can locate the faulty device according to the trap message. Enable MAC address triggered ARP entry update. This function enables the S9300 to update the corresponding ARP entry when the outbound interface in a MAC address entry changes. Enable port bridge. This function enables an interface to process packets in which the source and destination MAC addresses are the same. It can be configured on an S9300 connected
l l
l l
Issue 01 (2011-10-26)
to a device without Layer 2 forwarding capability or an S9300 functioning as an access device in a data center.
Disabling MAC Address Learning

When an S9300 enabled with MAC address learning receives an Ethernet frame, it records the source MAC address and inbound interface of the Ethernet frame in a MAC address entry. When receiving other Ethernet frames destined for this MAC address, the S9300 forwards the frames through the corresponding outbound interface according to the MAC address entry. The MAC address learning function reduces broadcast packets on a network. After MAC address learning is disabled on an interface, the S9300 does not learn source MAC addresses of packets received by the interface.
Limiting the Number of Learned MAC Addresses

The S9300 can limit the number of MAC addresses learned on an interface, VLAN, LPU, or VSI. When the number of learned MAC address entries reaches the limit, the S9300 stops learning MAC addresses. When the S9300 receives packets with unknown source MAC addresses, it discards or forwards the packets and generates an alarm to alert you if it is configured to do so. This method protects user devices and the network from MAC address attacks.
Port Security
The port security function changes MAC addresses learned by an interface to secure dynamic MAC addresses or sticky MAC addresses. It prevents devices with untrusted MAC addresses from accessing an interface and improves device security. Differences between secure dynamic MAC addresses and sticky MAC addresses are: l Secure dynamic MAC addresses are learned after port security is enabled and will not be aged out by default. Secure dynamic MAC addresses will be lost after the device restarts and the device needs to learn the MAC addresses again. Sticky MAC addresses are learned after the sticky MAC function is enabled. Sticky MAC addresses will not be aged out and will exist after the S9300 restarts.
NOTE
The S9300 supports a maximum of 4 K sticky and secure dynamic MAC address entries.
MAC Address Anti-flapping

MAC address flapping occurs on a network when the network has a loop or is attacked. To prevent MAC address flapping, you can set MAC address learning priorities for interfaces so that MAC addresses can be learned by correct interfaces. When the same MAC address is learned by interfaces with different priorities, the MAC address entry learned by the interface with the highest priority overrides the MAC address entries learned by other interfaces. You can also determine whether to allow MAC address flapping between interfaces with the same priority.
MAC Address Flapping Detection

MAC address flapping occurs on a network when the network has a loop or is attacked. The S9300 can detect MAC address flapping and perform a specified action, for example, block the interface, to minimize impact of MAC address flapping on the network. You can also configure the S9300 only to send trap messages to the network management system when the S9300 detects MAC address flapping.
7.3 Configuring a Static MAC Address Entry

A static MAC address entry specifies an outbound interface for packets destined for a specified MAC address. Static MAC address entries protect the S9300 from MAC address attacks.
You can configure a static MAC address entry if an interface is connected to an upstream device or a server, as shown in Figure 7-1. Attackers may set the source MAC address of packets to the server MAC address and send the packets to the Switch to intercept data of the server. To protect the server and ensure communication between users and the server, you can configure a static MAC address entry in which the destination MAC address is the server MAC address and the outbound interface is the interface connected to the server. Figure 7-1 Networking diagram of static MAC address entry configurations
Network
Server
Switch VLAN2
LSW
VLAN4
PC1
PC2
None.
Data Preparation
To configure a static MAC address entry, you need the following data. No. 1 Data Destination MAC address, destination outbound interface number, name of the VSI and ID of the VLAN which the outbound interface belongs to
Issue 01 (2011-10-26)
358
Procedure
Step 1 Run:
system-view

mac-address static mac-address interface-type interface-number { vlan vlan-id1 | [ vlanif vlan-id2 ] vsi vsi-name }
A static MAC address entry is configured.

NOTE
Static MAC address entries take precedence over dynamic MAC address entries.
----End
Checking the Configuration

Run the display mac-address static [ vlan vlan-id | interface-type interface-number ] * [ verbose ] command to view static MAC address entries.
7.4 Configuring a Blackhole MAC Address Entry

You can configure a blackhole MAC address entry so that the S9300 can discard packets with the specified source or destination MAC address.
To protect user devices or network devices from MAC address attacks, you can configure untrusted MAC addresses as blackhole MAC addresses. Packets with source or destination MAC addresses matching the blackhole MAC address entries are discarded.
None.
Data Preparation
To configure a blackhole MAC address entry, you need the following data. No. 1 Data Destination or source MAC address, name of the VSI and ID of VLAN to which the outbound interface belongs to
Procedure
Step 1 Run:
system-view
Issue 01 (2011-10-26)
359

mac-address blackhole mac-address [ vlan vlan-id | vsi vsi-name ]
A blackhole MAC address entry is configured. ----End

Run the display mac-address blackhole [ vlan vlan-id | vsi vsi-name ] [ verbose ] command to view blackhole MAC address entries.
7.5 Setting the Aging Time of Dynamic MAC Address Entries

Dynamic MAC address entries are created by the S9300 and can be aged out. Setting a proper aging time prevents sharp increase of MAC address entries.
Dynamical MAC address entries are learned by the S9300 from source MAC addresses of received packets. The system starts an aging timer for dynamic MAC address entry. If a dynamic MAC address entry is not updated within a certain period (twice the aging time), this entry is deleted. If the entry is updated within this period, the aging timer of this entry is reset. A shorter aging time enables the S9300 to respond to network topology changes more quickly. The network topology changes frequently, and the S9300 will learn many MAC addresses. After the aging time of dynamic MAC address entries is set, the S9300 can delete unneeded MAC address entries to prevent sharp increase of MAC address entries.
None.
Data Preparation
To set the aging time of dynamic MAC address entries, you need the following data. No. 1 Data Aging time
Procedure
Step 1 Run:
system-view

Step 2 Run:
mac-address aging-time aging-time
The aging time of dynamic MAC address entries is set. By default, the aging time of dynamic MAC address entries is 300 seconds. ----End

l Run the display mac-address aging-time command to check whether the aging time of dynamic MAC address entries is set properly.
7.6 Disabling MAC Address Learning

If a fixed device is connected to an interface, you can disable MAC address learning on the interface. This prevents other devices from accessing the interface and improves device security.

Before disabling MAC address learning, familiarize yourself with the applicable environment, complete the pre-configuration tasks, and obtain the data required for the configuration. This will help you complete the configuration task quickly and accurately.
As shown in Figure 7-2, an interface of the Switch is connected to a server. To protect the server, configure the server MAC address as a static MAC address, disable MAC address learning on the interface, and configure the interface to discard the packets with unknown MAC addresses. The configuration prevents other servers or terminals from accessing the interface and improves network stability and security. Figure 7-2 Disabling MAC address learning
Server
mac-address learning disable Switch
Issue 01 (2011-10-26)
361
None.
Data Preparation
To disable MAC address learning, you need the following data. No. 1 2 Data Interface type and number VLAN ID
7.6.2 Disabling MAC Address Learning on an Interface

Disabling MAC address learning on an interface can improve security of the device connected to the interface.
Context
When an S9300 enabled with MAC address learning receives an Ethernet frame, it records the source MAC address and inbound interface of the Ethernet frame in a MAC address entry. When receiving other Ethernet frames destined for this MAC address, the S9300 forwards the frames through the corresponding outbound interface according to the MAC address entry. The MAC address learning function reduces broadcast packets on a network. After MAC address learning is disabled on an interface, the S9300 does not learn source MAC addresses of packets received by the interface.
Procedure
Step 1 Run:
system-view


mac-address learning disable [ action { discard | forward } ]
MAC address learning is disabled on the interface. By default, MAC address learning is enabled on an interface. You can configure an action for the S9300 to perform when a packet with an unknown MAC address is received on the interface. By default, the S9300 forwards such packets based on the MAC address table. When the action is set to discard, the S9300 searches for the source MAC address of the packet in the MAC address table. If the source MAC address is found in the MAC address table, the S9300 forwards the packet according to the MAC address entry. If the source MAC address is not found, the S9300 discards the packet.

NOTE
If you set the action to forward when disabling MAC address learning, untrusted terminals can still access the network. This action only controls the number of learned MAC address entries.
----End
7.6.3 Disabling MAC Address Learning in a VLAN

Disabling MAC address learning in a VLAN can protect users in this VLAN from MAC address attacks.
Context
After MAC address learning is disabled in a VLAN, the S9300 checks source MAC addresses of packets received by interfaces in the VLAN. If the source MAC address of a packet is in the MAC address table, the S9300 forwards the packet; otherwise, the S9300 broadcasts the packet.
Procedure
Step 1 Run:
system-view

vlan vlan-id

mac-address learning disable
MAC address learning is disabled in the VLAN. By default, MAC address learning is enabled in a VLAN. ----End

After disabling MAC address learning on an interface or in a VLAN, use the following commands to verify the configuration.
Procedure
l l Run the display current-configuration interface interface-type interface-number command to view the current configuration of an interface. Run the display vlan command to check the VLAN configuration.
----End
7.7 Limiting the Number of Learned MAC Addresses

This section describes how to limit the number of MAC addresses learned on an interface, in a VLAN, in a slot, or in a VSI.

Before limiting the number of learned MAC addresses, familiarize yourself with the applicable environment, complete the pre-configuration tasks, and obtain the data required for the configuration. This will help you complete the configuration task quickly and accurately.
As shown in Figure 7-3, an insecure residential network or enterprise often receives packets with bogus MAC addresses. The capacity of a MAC address table is limited; therefore, if hackers forge a large number of packets with different source MAC addresses and send the packets to the Switch, the MAC address table of the Switch becomes full quickly. When the MAC address table is full, the Switch cannot learn source MAC addresses of valid packets. A limit can be set for the number of learned MAC addresses. When the number of learned MAC addresses reaches the limit, the Switch stops learning MAC addresses. When the Switch receives packets with unknown source MAC addresses, it can be configured to discard the packets or generate an alarm. This protects the network from MAC address attacks. Figure 7-3 Limiting the number of MAC addresses on an insecure network
Internet
Switch
MAC- Limit
VLAN2
LSW1
VLAN2
LSW2
VLAN2
Before limiting the number of learned MAC addresses, complete the following task: l Deleting the existing MAC address entries from the interface, VLAN, slot, or VSI where you want to limit the number of learned MAC addresses
Data Preparation
To limit the number of learned MAC addresses, you need the following data.
No. 1
Data Maximum number of MAC addresses that can be learned on an interface, VLAN, slot, or VSI
7.7.2 Limiting the Number of MAC Addresses Learned on an Interface

When MAC address limiting is configured on an interface and the number of learned MAC addresses on the interface reaches the limit, the S9300 stops learning MAC addresses on this interface. When the interface receives packets with unknown source MAC addresses, it can be configured to discard the packets or generate an alarm. This protects the network from MAC address attacks.
Context
The MAC address limiting rule applies to all MAC addresses, including trusted MAC addresses. If a user from an enterprise or a family uses bogus MAC addresses to attack the network, users in the enterprise or family are not allowed to access the network, but other users on the network are not affected.
Procedure
Step 1 Run:
system-view


mac-limit maximum max-num
The maximum number of MAC addresses learned on the interface is set. By default, the number of MAC addresses learned on an interface is not limited. Step 4 Run:
mac-limit action { discard | forward }
The action to be taken on the packets with unknown source MAC addresses when the number of learned MAC addresses reaches the limit is configured. By default, packets with unknown source MAC addresses are discarded after the number of learned MAC addresses reaches the limit. Step 5 Run:
mac-limit alarm { disable | enable }
The S9300 is configured to (or not to) send a trap to the NMS when the number of learned MAC addresses reaches the limit.
By default, the S9300 sends a trap to the NMS when the number of learned MAC addresses reaches the limit. ----End
7.7.3 Limiting the Number of MAC Addresses Learned in a VLAN

When MAC address limiting is configured in a VLAN and the number of learned MAC addresses in the VLAN reaches the limit, the S9300 stops learning MAC addresses in this VLAN. When the interface receives packets with unknown source MAC addresses, it can be configured to discard the packets or generate an alarm. This protects the network from MAC address attacks.
Context
Procedure
Step 1 Run:
system-view

vlan vlan-id

The maximum number of MAC addresses learned in the VLAN is set. By default, the number of MAC addresses learned in a VLAN is not limited. Step 4 Run:
The action to be taken on the packets with unknown source MAC addresses when the number of learned MAC addresses reaches the limit is configured. By default, packets with unknown source MAC addresses are discarded after the number of learned MAC addresses reaches the limit. S-series boards do not support the discard action. Step 5 Run:
The S9300 is configured to (or not to) send a trap to the NMS when the number of learned MAC addresses reaches the limit. By default, the S9300 sends a trap to the NMS when the number of learned MAC addresses reaches the limit. ----End
7.7.4 Limiting the Number of MAC Addresses Learned in a VSI

A limit can be set for the number of MAC addresses learned in a virtual service instance (VSI) to control the number of users in the VSI. When the number of learned MAC addresses in the VSI reaches the limit, the S9300 stops learning MAC addresses in this VSI. When an interface in the VSI receives packets with unknown source MAC addresses, the S9300 discards the packets or sends a trap to the network management system (NMS). This protects the network from MAC address attacks.
Context
NOTE
The X40SFC board does not support MAC address limiting in VSIs.
Procedure
Step 1 Run:
system-view

vsi vsi-name
The VSI view is displayed. Step 3 Run:

The maximum number of MAC addresses learned in the VSI is set. By default, the number of MAC addresses learned in a VSI is not limited. Step 4 Run:
7.7.5 Limiting the Number of MAC Addresses Learned in a Slot

A limit can be set for the number of MAC addresses learned in a slot to control the number of users on the board. When the number of learned MAC addresses in the slot reaches the limit, the S9300 stops learning MAC addresses in this slot. When an interface in the slot receives packets with unknown source MAC addresses, the S9300 discards the packets or sends a trap to the network management system (NMS). This protects the network from MAC address attacks.
Context
If no action is specified, the S9300 discards packets with unknown source MAC addresses and sends a trap to the NMS when the number of learned MAC addresses reaches the limit.
Procedure
Step 1 Run:
system-view

mac-limit slot slot-id maximum max-num
The maximum number of MAC addresses learned in a slot is set. By default, the number of MAC addresses learned in a slot is not limited. Step 3 Run:
mac-limit slot slot-id action { discard | forward }
mac-limit slot slot-id alarm { disable | enable }

After completing the configuration of MAC address limiting, use the following command to verify the configuration.
Issue 01 (2011-10-26)
368
Procedure
Step 1 Run the display mac-limit [ interface-type interface-number | vlan vlan-id | vsi vsi-name | slot slot-id ] command to view the MAC address limiting rule. ----End
7.8 Configuring Port Security

The port security function prevents devices with untrusted MAC addresses from accessing an interface. This function is applicable to the networks that require high access security.

The port security function changes MAC addresses learned by an interface to secure dynamic MAC addresses or sticky MAC addresses. It prevents devices with untrusted MAC addresses from accessing an interface and improves device security.
If a network requires high access security, you can configure port security on specified interfaces. MAC addresses learned by these interfaces change to secure dynamic MAC addresses or sticky MAC addresses. When the number of learned MAC addresses reaches the limit, the interface does not learn new MAC addresses and allows only the devices with the learned MAC addresses to communicate with the S9300. This prevents devices with untrusted MAC addresses from accessing these interfaces, improving security of the S9300 and the network.
Before configuring port security on an interface, complete the following tasks: l l l l l Disabling MAC address limiting on the interface Disabling MUX VLAN on the interface Disabling MAC address authentication on the interface Disabling 802.1x authentication on the interface Disabling MAC address security for DHCP snooping on the interface
Data Preparation
To configure port security on an interface, you need the following data. No. 1 2 Data Secure dynamic MAC: interface type and number, limit on the number of learned MAC addresses, action to perform when the limit is exceeded Sticky MAC: interface type and number, limit on the number of learned MAC addresses, and action to perform when the limit is exceeded
Issue 01 (2011-10-26)
369
7.8.2 Configuring the Secure Dynamic MAC Function on an Interface

After port security is enabled on an interface, MAC addresses learned by the interface change to secure dynamic MAC addresses. When the number of secure dynamic MAC addresses reaches the limit, the interface does not learn new MAC addresses and allows only the devices with the learned MAC addresses to communicate with the S9300. You can configure a protection action for the S9300 to perform when it receives a packet with a new source MAC address.
Context
By default, secure dynamic MAC addresses will not be aged out. Secure dynamic MAC addresses will be lost after the device restarts and the device needs to learn the MAC addresses again.
Procedure
Step 1 Run:
system-view


port-security enable
Port security is enabled. By default, port security is disabled on an interface.

NOTE
You can set the limit on the number of secure dynamic MAC addresses and protection action only when port security is enabled.

port-security max-mac-num max-number
The limit on the number of secure dynamic MAC addresses is set. By default, the limit on the number of secure dynamic MAC addresses is 1. Step 5 (Optional) Run:
port-security protect-action { protect | restrict | shutdown }
The protection action is configured. The default action is restrict. l protect: discards packets with new source MAC addresses when the number of learned MAC addresses reaches the limit. l restrict: discards packets with new source MAC addresses and sends a trap message when the number of learned MAC addresses exceeds the limit.
l shutdown: shuts down the interface when the number of learned MAC addresses exceeds the limit. ----End
7.8.3 Configuring the Sticky MAC Function on an Interface

After the sticky MAC function is enabled on an interface, MAC addresses learned by the interface change to sticky MAC addresses. When the number of sticky MAC addresses reaches the limit, the interface does not learn new MAC addresses and allows only the devices with the learned MAC addresses to communicate with the S9300. You can configure a protection action for the S9300 to perform when it receives a packet with a new source MAC address.
Context
The sticky MAC function changes MAC addresses learned by an interface to sticky MAC addresses. Sticky MAC addresses will not be aged out and will exist after the S9300 restarts.
Procedure
Step 1 Run:
system-view


port-security enable
Port security is enabled. By default, port security is disabled on an interface. Step 4 Run:
port-security mac-address sticky
The sticky MAC function is enabled on the interface. By default, the sticky MAC function is disabled on an interface. Step 5 (Optional) Run:
port-security max-mac-num max-number
The limit on the number of sticky MAC addresses is set. By default, the limit on the number of sticky MAC addresses is 1. Step 6 (Optional) Run:
port-security protect-action { protect | restrict | shutdown }
The protection action is configured. The default action is restrict.

l protect: discards packets with new source MAC addresses when the number of learned MAC addresses reaches the limit. l restrict: discards packets with new source MAC addresses and sends a trap message when the number of learned MAC addresses exceeds the limit. l shutdown: shuts down the interface when the number of learned MAC addresses exceeds the limit. Step 7 (Optional) Run:
port-security mac-address sticky mac-address vlan vlan-id
A sticky MAC address entry is configured. ----End

After completing the configuration of port security, you can verify the configuration and view secure dynamic MAC address entries or sticky MAC address entries.
Procedure
l l l Run the display current-configuration interface interface-type interface-number command to view the current configuration of an interface. Run the display mac-address sticky [ vlan vlan-id | interface-type interface-number ] * [ verbose ] command to view sticky MAC address entries.
*
Run the display mac-address security [ vlan vlan-id | interface-type interface-number ] [ verbose ] command to view secure dynamic MAC address entries.
----End
7.9 Configuring MAC Address Anti-Flapping

This section describes how to prevent MAC address flapping between interfaces.

Before configuring MAC address anti-flapping, familiarize yourself with the applicable environment, complete the pre-configuration tasks, and obtain the data required for the configuration. This will help you complete the configuration task quickly and accurately.
As shown in Figure 7-4, an interface of the Switch is connected to a server. To prevent unauthorized users from using the server MAC address to intercept data of the server, you can set a high MAC address learning priority on the interface. When the same MAC address is learned by the server-side interface and other interfaces, the entry learned by the server-side interface overrides the MAC address entries learned by other interfaces. Therefore, the Switch will not learn MAC addresses of unauthorized users and only authorized users can access the server and use network resources.
Figure 7-4 Networking diagram for MAC address anti-flapping

MAC:11-22-33 Server
MAC:11-22-33 Switch
None.
Data Preparation
To configure MAC address anti-flapping, you need the following data. No. 1 Data (Optional) MAC address learning priority of each interface
7.9.2 Setting the MAC Address Learning Priority of an Interface

To prevent MAC address flapping, set different MAC address learning priorities for interfaces. When interfaces learn the same MAC address, the MAC address entry learned by the interface with the highest priority overrides the MAC address entries learned by the other interfaces.
Context
Setting different MAC address learning priorities for interface prevents MAC address flapping. If an attacker uses the MAC address of an unauthorized network device to connect to the S9300 after the network device is powered off, the S9300 learns the bogus MAC address. After the network device is powered on, the S9300 can learn the correct MAC address entry.
Procedure
Step 1 Run:
system-view

Step 2 Run:

mac-learning priority priority-id
The MAC address learning priority of the interface is set. By default, the MAC address learning priority of an interface is 0. A greater priority value indicates a higher MAC address learning priority. ----End
7.9.3 Prohibiting MAC Address Flapping Between Interfaces with the Same Priority
Prohibiting MAC address flapping between interfaces with the same priority can improve network security.
Context
When MAC address flapping between interfaces with the same priority is prohibited, these interfaces cannot learn the same MAC addresses simultaneously. If an attacker uses the MAC address of an unauthorized network device to connect to the S9300 after the network device is powered off, the S9300 learns the bogus MAC address. After the network device is powered on, the S9300 cannot learn the correct MAC address entry.
Procedure
Step 1 Run:
system-view

undo mac-learning priority priority-id allow-flapping
MAC address flapping between the interfaces with a specified priority is prohibited. By default, MAC address flapping between interfaces with the same priority is allowed. ----End

Procedure
Step 1 Run the display current-configuration command to check the MAC address learning priorities of interfaces. ----End
7.10 Configuring MAC Address Flapping Detection

This section describes how to configure MAC address flapping detection.

Before configuring MAC address flapping detection, familiarize yourself with the applicable environment, complete the pre-configuration tasks, and obtain the data required for the configuration. This will help you complete the configuration task quickly and accurately.
As shown in Figure 7-5, a loop occurs on the network, which will cause MAC address flapping. After MAC address flapping detection is configured in a VLAN, the Switch checks all MAC addresses in the VLAN to detect MAC address flapping. The Switch checks whether a MAC address moves from one interface to another in the VLAN. If MAC address flapping occurs, it performs the configured action, for example, blocks the interface to remove the loop. This function reduces MAC address flapping caused by loops and broadcast storms. You can also configure the Switch only to send trap messages to the network management system when the S9300 detects MAC address flapping. Figure 7-5 Networking diagram for MAC address flapping detection
Switch
None.
Data Preparation
To configure MAC flapping detection, you need the following data.
No. 1 2 3
Data ID of the VLAN where MAC address flapping needs to be configured Blocking time for the interface where MAC address flapping occurs Number of detection attempts before an interface is permanently blocked
7.10.2 Configuring MAC Address Flapping Detection

After MAC address flapping detection is configured in a VLAN, the S9300 checks all MAC addresses in the VLAN to detect MAC address flapping. When MAC address flapping occurs on an interface, the S9300 blocks the interface, blocks the MAC address, or just reports a trap according to the configuration.
Procedure
Step 1 Run:
system-view

vlan vlan-id

loop-detect eth-loop { [ block-mac ] block-time block-time retry-times retry-times | alarm-only }
MAC address flapping detection is configured in the VLAN. When the S9300 detects MAC address flapping in the VLAN, it performs either of the following actions: l Block the interface or MAC address. When the block-mac keyword is used in the command, the S9300 does not block the interface but blocks the traffic from the flapping MAC address. l Send a trap to the network management system. ----End
7.10.3 (Optional) Unblocking a Blocked Interface or MAC Address

After an interface or a MAC address is permanently blocked because of MAC address flapping, the interface or MAC address can be restored only by using the reset loop-detect eth-loop command in the corresponding VLAN view.
Context
After MAC address flapping detection is configured in a VLAN, the system checks all MAC addresses in the VLAN to detect MAC address flapping. If MAC address flapping occurs on an interface, the system blocks the interface. After a specified period of time, the system unblocks the interface. If no MAC address flapping is detected within 20 seconds, the system completely
unblocks the interface and starts detection. If MAC address flapping is detected again within 20 seconds, the system blocks the interface. This process repeats for a specified number of times. If MAC address flapping persists, the interface is permanently blocked.
Procedure
Step 1 Run:
system-view

reset loop-detect eth-loop vlan vlan-id { all | interface { interface-type interface-number } | mac-address mac-address }
The specified interface or MAC address is unblocked. Before using the reset loop-detect eth-loop command, run the display loop-detect eth-loop command to check the blocked interface or MAC address. ----End

After configuring MAC address flapping detection, use the following commands to verify the configuration and view information about permanent interfaces and MAC addresses.
Procedure
Step 1 Run the display loop-detect eth-loop [ vlan vlan-id ] command to check information about MAC address flapping detection on a VLAN. ----End
7.11 Configuring the S9300 to Discard Packets with an All-0 MAC Address
You can configure the S9300 to discard packets with an all-0 source or destination MAC address.
A faulty network device may send packets with an all-0 source or destination MAC address to the S9300. You can configure the S9300 to discard such packets and send a trap to the network management system (NMS). You can locate the faulty device according to the trap message.
l Powering on the S9300 and ensuring that it functions properly
Data Preparation
None.
Procedure
Step 1 Run:
system-view

drop illegal-mac enable
The S9300 is configured to discard packets with an all-0 MAC address. By default, the S9300 does not discard packets with an all-0 MAC address. Step 3 (Optional) Run:
drop illegal-mac alarm
The S9300 is configured to send a trap to the NMS when receiving packets with an all-0 MAC address. By default, the S9300 does not send a trap to the NMS when receiving packets with an all-0 MAC address.
NOTE
The S9300 sends only one trap after receiving packets with an all-0 MAC address. To enable the S9300 to send a trap again, run the drop illegal-mac alarm command.
----End

Run the display current-configuration command to check whether the S9300 is configured to discard the packets with an all-0 MAC address.
7.12 Enabling MAC Address Triggered ARP Entry Update

The MAC address triggered ARP entry update function enables the S9300 to update the corresponding ARP entry when the outbound interface in a MAC address entry changes.
Each network device uses an IP address to communicate with other devices. On an Ethernet network, a device sends and receives Ethernet data frames based on MAC addresses. The ARP protocol maps IP addresses to MAC addresses. When a device communicates with a device on a different network segment, it finds the MAC address and outbound interface of a packet according to the corresponding ARP entry. If a user host moves from one interface to another, the MAC address of the host is learned by the new interface, so the outbound interface mapping the MAC address changes. The corresponding ARP entry, however, is updated until the aging time expires. Before the ARP entry aging time expires, the device sends data frames based on the original ARP entry. This causes data frame loss. The MAC address triggered ARP entry update function enables the S9300 to update the corresponding ARP entry when the outbound interface in a MAC address entry changes.
None.
Data Preparation
None.
Procedure
Step 1 Run:
system-view

mac-address update arp
The MAC address triggered ARP entry update function is enabled. By default, the S9300 does not update the corresponding ARP entry when the outbound interface in a MAC address entry changes.
NOTE
l This command takes effect only for dynamic ARP entries. Static ARP entries are not updated when the corresponding MAC address entries change. l The mac-address update arp command does not take effect after ARP anti-spoofing is enabled by using the arp anti-attack entry-check enable command. l After the mac-address update arp command is run, the S9300 updates an ARP entry only if the outbound interface in the corresponding MAC address entry changes.
----End

Run the display current-configuration command to check whether the MAC address triggered ARP entry update function is enabled.
7.13 Enabling Port Bridge

The port bridge function enables an interface to process packets in which the source and destination MAC addresses are the same.
By default, an interface does not forward frames whose source and destination MAC addresses are both learned by this interface. When the interface receives such a frame, it discards the frame as an invalid frame. After the port bridge function is enabled on the interface, the interface forwards such a frame if the destination MAC address of the frame is in the MAC address table. The port bridge function is used in the following scenarios:
The S9300 connects to a device that does not support Layer 2 forwarding. When users connected to this device communicate with each other, user packets are sent to the S9300 and forwarded by the S9300. In this scenario, the port bridge function must be enabled. The S9300 is used as an access switch in a data center and is connected to servers. Each server is configured with multiple virtual machines. The virtual machines need to transmit data to each other. To improve the data transmission rate and server performance, enable the port bridge functions on the interfaces connected to the servers so that the S9300 forwards data packets between the virtual machines.
Data Preparation
No. 1 Data Interface type and number
Procedure
Step 1 Run:
system-view


port bridge enable
The port bridge function is enabled. By default, the port bridge function is disabled on an interface. ----End

Run the display current-configuration command to check whether the port bridge function is enabled.

This section provides several examples for the configuration of the MAC address table.
7.14.1 Example for Configuring the MAC Address Table

As shown in Figure 7-6, the MAC address of the user host PC1 is 0002-0002-0002 and the MAC address of the user host PC2 is 0003-0003-0003. PC1 and PC2 are connected to the Switch
through the LSW. The LSW is connected to GE 1/0/1 of the Switch. Interface GE 1/0/1 belongs to VLAN 2. The MAC address of the server is 0004-0004-0004. The server is connected to GE 1/0/2 of the Switch. Interface GE 1/0/2 belongs to VLAN 2. l To prevent hackers from attacking the network with MAC addresses, you need to add a static entry to the MAC table of the Switch for each user host. When sending packets through GE 1/0/1, the Switch changes the VLAN ID to VLAN 4 to which the LSW belongs. In addition, you need to set the aging time of the dynamic entries in the MAC address table to 500 seconds. To prevent hackers from forging the MAC address of the server and stealing user information, you can configure the packet forwarding based on static MAC address entries on the Switch.
Figure 7-6 Networking diagram for configuring the MAC address table
Network
Server
Switch
MAC address: 4-4-4 GE1/0/2 VLAN2
GE1/0/1 LSW VLAN4
PC1
PC2
MAC address: 2-2-2 MAC address: 3-3-3
The configuration roadmap is as follows: 1. 2. 3. Create a VLAN and add interfaces to the VLAN. Add static MAC address entries. Set the aging time of dynamic MAC address entries.
Data Preparation
To complete the configuration, you need the following data: l l l
Issue 01 (2011-10-26)
MAC address of PC1: 0002-0002-0002 MAC address of PC2: 0003-0003-0003 MAC address of the server: 0004-0004-0004
l l l l l
VLAN to which the Switch belongs: VLAN 2 Interface connecting the Switch to the LSW: GE 1/0/1 Interface connecting the Switch to the server: GE 1/0/2 VLAN ID required to be changed to when the Switch sends packets through the outgoing interface: VLAN 4 Aging time of dynamic entries in the MAC address table of the Switch: 500 seconds
Procedure
Step 1 Add static MAC address entries. # Create VLAN 2; add GE 1/0/1 1/0/2 to VLAN 2; configure VLAN mapping on GE 1/0/1.
<Quidway> system-view [Quidway] vlan 2 [Quidway-vlan2] quit [Quidway] interface gigabitethernet [Quidway-GigabitEthernet1/0/1] port [Quidway-GigabitEthernet1/0/1] port [Quidway-GigabitEthernet1/0/1] port [Quidway-GigabitEthernet1/0/1] quit [Quidway] interface gigabitethernet [Quidway-GigabitEthernet1/0/2] port [Quidway-GigabitEthernet1/0/2] port [Quidway-GigabitEthernet1/0/2] quit
1/0/1 hybrid pvid vlan 2 hybrid untagged vlan 2 vlan-mapping vlan 4 map-vlan 2 1/0/2 hybrid pvid vlan 2 hybrid untagged vlan 2
# Configure static MAC address entries.

[Quidway] mac-address static 2-2-2 gigabitethernet 1/0/1 vlan 2 [Quidway] mac-address static 3-3-3 gigabitethernet 1/0/1 vlan 2 [Quidway] mac-address static 4-4-4 gigabitethernet 1/0/2 vlan 2
Step 2 Set the aging time of dynamic MAC address entries.

[Quidway] mac-address aging-time 500
Step 3 Verify the configuration. # Run the display mac-address command in any view. You can check whether the static MAC address entries are successfully added.
[Quidway] display mac-address static vlan 2 ------------------------------------------------------------------------------MAC Address VLAN/VSI Learned-From Type ------------------------------------------------------------------------------0002-0002-0002 2/GE1/0/1 static 0003-0003-0003 2/GE1/0/1 static 0004-0004-0004 2/GE1/0/2 static ------------------------------------------------------------------------------Total items displayed = 3
# Run the display mac-address aging-time command in any view. You can check whether the aging time of dynamic entries is set successfully.
[Quidway] display mac-address aging-time Aging time: 500 seconds
----End
Configuration Files

# sysname Quidway # vlan batch 2 # mac-address aging-time 500 # interface GigabitEthernet1/0/1 port hybrid pvid vlan 2 port hybrid untagged vlan 2 port vlan-mapping vlan 4 map-vlan # interface GigabitEthernet1/0/2 port hybrid pvid vlan 2 port hybrid untagged vlan 2 # mac-address static 0002-0002-0002 mac-address static 0003-0003-0003 mac-address static 0004-0004-0004 # return
GigabitEthernet1/0/1 vlan 2 GigabitEthernet1/0/1 vlan 2 GigabitEthernet1/0/2 vlan 2
7.14.2 Example for Configuring the Limitation on MAC Address Learning Based on VLANs
As shown in Figure 7-7, user network 1 is connected to GE 1/0/1 on the Switch through an LSW. User network 2 is connected to GE 2/0/1 on the Switch through another LSW. GE 1/0/1 and GE 2/0/1 belong to VLAN 2. To prevent MAC address attacks and control the number of access users, you need to limit the MAC address learning in VLAN 2. Figure 7-7 Networking diagram for configuring the limitation on MAC address learning based on VLAN
Network
Switch
GE1/0/1 LSW GE2/0/1 LSW
User network 1
VLAN 2
User network 2
Issue 01 (2011-10-26)
383
The configuration roadmap is as follows: 1. 2. Create a VLAN and add interfaces to the VLAN. Configure the limitation on MAC address learning based on VLANs.
Data Preparation
To complete the configuration, you need the following data: l l l VLAN to which the interfaces belong: VLAN 2 User interfaces: GE 1/0/1 and GE 2/0/1 Maximum number of learned MAC addresses: 100
Procedure
Step 1 Configure the limitation on MAC address learning. # Add GE 1/0/1 and GE 2/0/1 to VLAN 2.
<Quidway> system-view [Quidway] vlan 2 [Quidway-vlan2] quit [Quidway] interface gigabitethernet [Quidway-GigabitEthernet1/0/1] port [Quidway-GigabitEthernet1/0/1] port [Quidway-GigabitEthernet1/0/1] quit [Quidway] interface gigabitethernet [Quidway-GigabitEthernet2/0/1] port [Quidway-GigabitEthernet2/0/1] port [Quidway-GigabitEthernet2/0/1] quit
1/0/1 hybrid pvid vlan 2 hybrid untagged vlan 2 2/0/1 hybrid pvid vlan 2 hybrid untagged vlan 2
# Configure the rule of limiting MAC address learning in VLAN 2: A maximum of 100 MAC addresses can be learned; packets are still forwarded and an alarm is generated when the number of learned MAC addresses reaches the limit, but new MAC addresses are not added to the MAC address table.
[Quidway] vlan 2 [Quidway-vlan2] mac-limit maximum 100 action forward alarm enable [Quidway-vlan2] quit
Step 2 Verify the configuration. # Run the display mac-limit command in any view. You can check whether the rule of limiting MAC address learning is successfully configured.
<Quidway> display mac-limit MAC Limit is enabled Total MAC Limit rule count : 1 PORT VLAN/VSI/SI SLOT Maximum Rate(ms) Action Alarm ---------------------------------------------------------------------------2 100 forward enable
----End
Configuration Files

# sysname Quidway # vlan batch 2 # vlan 2 mac-limit maximum 100 action forward # interface GigabitEthernet1/0/1 port hybrid pvid vlan 2 port hybrid untagged vlan 2 # interface GigabitEthernet2/0/1 port hybrid pvid vlan 2 port hybrid untagged vlan 2 # return
7.14.3 Example for Configuring the Limitation on MAC Address Learning Based on VSIs
To ensure the security for the users within the VSI, configure the limitation on MAC address learning in the VSI named huawei. Figure 7-8 Networking diagram for configuring the limitation on MAC address learning based on VSI
VSI : huawei
Simulated VLAN
VSI : huawei
User network 1
User network 2
Issue 01 (2011-10-26)
Create a VSI. Configure the limitation on MAC address learning based on VSIs.
Data Preparation
To complete the configuration, you need the following data: l l Name of the VSI: huawei Maximum number of learned MAC addresses: 300
Procedure
Step 1 Create a VSI. # Create a VSI named huawei.
<Quidway> system-view [Quidway] vsi huawei static
Step 2 Configure the limitation on MAC address learning in the VSI. # Configure the rule of limiting MAC address learning for the VSI: A maximum of 300 MAC addresses can be learned; extra packets are directly discarded and alarms are generated.
[Quidway-vsi-huawei] mac-limit maximum 300 action discard alarm enable [Quidway-vsi-huawei] quit
Step 3 Verify the configuration. # Run the display mac-limit command in any view. You can check whether the rule of limiting MAC address learning is successfully configured.
<Quidway> display mac-limit MAC Limit is enabled Total MAC Limit rule count : 1 PORT VLAN/VSI/SI SLOT Maximum Rate(ms) Action Alarm ---------------------------------------------------------------------------huawei 300 discard enable
----End
Configuration Files
# sysname Quidway # vsi huawei static mac-limit maximum 300 # return
7.14.4 Example for Configuring Interface Security

As shown in Figure 7-9, a company wants to prevent the computers of non-employees from accessing the intranet of the company to protect information security. To achieve this goal, the company needs to enable the sticky MAC function on the interface connected to computers of employees and set the maximum number of MAC addresses learned by the interface to be the same as the number of trusted computers.
Figure 7-9 Networking diagram of interface security configuration
Internet
Switch GE1/0/1
VLAN 10 SwitchA
PC1
PC2
PC3
The configuration roadmap is as follows: 1. 2. 3. 4. 5. Create a VLAN and set the link type of the interface to trunk. Enable the interface security function. Enable the sticky MAC function on the interface. Configure the security protection action on the interface. Set the maximum number of MAC addresses that can be learned by the interface.
Data Preparation
To complete the configuration, you need the following data: l l l l VLAN allowed by the interface Type and number of the interface connected to computers of employees Security protection action Maximum number of MAC addresses learned by the interface
Procedure
Step 1 Create a VLAN and set the link type of the interface to trunk.
<Quidway> system-view [Quidway] vlan 10 [Quidway-vlan10] quit [Quidway] interface gigabitethernet 1/0/1 [Quidway-GigabitEthernet1/0/1] port link-type trunk [Quidway-GigabitEthernet1/0/1] port trunk allow-pass vlan 10
Issue 01 (2011-10-26)
387
Step 2 Configure the interface security function. # Enable the interface security function.
[Quidway-GigabitEthernet1/0/1] port-security enable
Enable the sticky MAC function.

[Quidway-GigabitEthernet1/0/1] port-security mac-address sticky
# Configure the security protection action.

[Quidway-GigabitEthernet1/0/1] port-security protect-action protect
# Set the maximum number of MAC addresses that can be learned by the interface.
[Quidway-GigabitEthernet1/0/1] port-security max-mac-num 4
To enable the interface security function on other interfaces, repeat the preceding steps. Step 3 Verify the configuration. If PC1 is replaced by another PC, this PC cannot access the intranet of the company. ----End
Configuration Files
# sysname Quidway # vlan batch 10 # interface GigabitEthernet1/0/1 port link-type trunk port trunk allow-pass vlan 10 port-security enable port-security protect-action protect port-security mac-address sticky port-security max-mac-num 4 # return
7.14.5 Example for Configuring MAC Address Anti-Flapping

The MAC address anti-flapping function protects servers of an enterprise or VIP customers from attacks.
As shown in Figure 7-10, employees of an enterprise need to access the server connected to a Switch interface. If an attacker uses the server MAC address as the source MAC address to send packets to another interface, the server MAC address is learned on the interface. Employees cannot access the server, and important data will be intercepted by the attacker. MAC address anti-flapping can be configured to protect the server from attacks.
Issue 01 (2011-10-26)
388
Figure 7-10 Networking diagram for MAC address anti-flapping

Server MAC:11-22-33 GE1/0/1 Switch GE1/0/2 PC4 MAC:11-22-33 VLAN 10
LSW
PC1 VLAN10
PC2
PC3
The configuration roadmap is as follows: 1. 2. Create a VLAN and add interfaces to the VLAN. Configure MAC address anti-flapping on the server-side interface.
Data Preparation
To complete the configuration, you need the following data: l l l l VLAN that the server-side and user-side interfaces belong to: VLAN 10 Server-side interface: GigabitEthernet1/0/1 User-side interface: GigabitEthernet1/0/2 MAC address learning priority of the server-side interface: 2
Procedure
Step 1 Create a VLAN and add interfaces to the VLAN. # Add GigabitEthernet1/0/1 and GigabitEthernet1/0/2 to VLAN 10.
<Quidway> system-view [Quidway] vlan 10 [Quidwayvlan10] quit [Quidway] interface gigabitethernet 1/0/2 [Quidway-GigabitEthernet1/0/2] port link-type trunk [Quidway-GigabitEthernet1/0/2] port trunk allow-pass vlan 10 [Quidway-GigabitEthernet1/0/2] quit
Issue 01 (2011-10-26)
389
[Quidway] interface gigabitethernet 1/0/1 [Quidway-GigabitEthernet1/0/1] port hybrid pvid vlan 10 [Quidway-GigabitEthernet1/0/1] port hybrid untagged vlan 10
Step 2 Configure MAC anti-flapping. # Set the MAC address learning priority of GigabitEthernet1/0/1 to 2.
[Quidway-GigabitEthernet1/0/1] mac-learning priority 2
Step 3 Verify the configuration. # Run the display current-configuration command in any view to check whether the MAC address learning priority of GigabitEthernet1/0/1 is set correctly.
<Quidway> display current-configuration # interface GigabitEthernet1/0/1 port hybrid pvid vlan 10 port hybrid untagged vlan 10 mac-learning priority 2 # return
----End
Configuration Files
# sysname Quidway # vlan batch 10 # interface GigabitEthernet1/0/1 port hybrid pvid vlan 10 port hybrid untagged vlan 10 mac-learning priority 2 # interface GigabitEthernet1/0/2 port link-type trunk port trunk allow-pass vlan 10 # return
Issue 01 (2011-10-26)
390
8 STP/RSTP Configuration
8
About This Chapter
STP/RSTP Configuration
The Spanning Tree Protocol (STP) trims a ring network into a loop-free tree network. It prevents replication and circular propagation of packets, provides multiple redundant paths for Virtual LAN (VLAN) data traffic, and enables load balancing. The Rapid Spanning Tree Protocol (RSTP) develops rapid convergence and introduces the edge port and its protection function based on STP. 8.1 STP/RSTP Overview STP is a management protocol on the data link layer. It is used to block redundant links on the Layer 2 network and trim a network into a loop-free tree. RSTP is a refinement of STP and introduces rapid convergence of the network topology. 8.2 Configuring Basic STP/RSTP Functions STP/RSTP is used to block redundant links on the Layer 2 network and trim a network into a loop-free tree topology. 8.3 Configuring STP/RSTP Parameters on an Interface A feedback mechanism is provided to confirm topology convergence. Thus, rapid convergence is implemented for RSTP. 8.4 Configuring RSTP Protection Functions RSTP protection functions are as follows, and you can configure one or more functions as required. 8.5 Configuring STP/RSTP Interoperability Between Huawei Devices and Non-Huawei Devices To supports STP/RSTP interoperability between Huawei devices and non-Huawei devices, proper parameters are required on Huawei devices running STP/RSTP to ensure nonstop communication. 8.6 Maintaining STP/RSTP STP/RSTP maintenance includes resetting STP/RSTP statistics. 8.7 Configuration Examples This section shows typical usage scenarios of STP/RSTP by describing networking requirements, configuration roadmap, and data preparation, and provides related configuration files.
Issue 01 (2011-10-26)
391
8.1 STP/RSTP Overview

STP is a management protocol on the data link layer. It is used to block redundant links on the Layer 2 network and trim a network into a loop-free tree. RSTP is a refinement of STP and introduces rapid convergence of the network topology.
8.1.1 STP/RSTP Overview

STP/RSTP is used to block redundant links on the Layer 2 network and trim a network into a loop-free tree topology.
Introduction
On a complex network, loops are inevitable. With the requirement for network redundancy backup, network designers tend to deploy multiple physical links between two devices, one of which is the master and the others are the backup. Loops are likely or bound to occur in such a situation. Loops will cause broadcast storms, thereby exhausting network resources and paralyzing the network. Loops also cause flapping of MAC address tables and thus damages MAC address entries. The devices running STP discover loops on the network by exchanging information with each other and trim the ring topology into a loop-free tree topology by blocking a certain interface. In this manner, replication and circular propagation of packets are prevented on the network. In addition, it is prevented that the processing performance of devices is degraded when continuously processing repeated packets. STP, however, converges the network topology slowly. In 2001, the IEEE published document 802.1w to introduce an evolution of the Spanning Tree Protocol: Rapid Spanning Tree Protocol (RSTP). RSTP is developed based on STP but outperforms STP.
Concepts
l Root bridge A tree topology must have a root. Therefore, the root bridge is introduced by STP/RSTP. There is only one root bridge on the entire STP/RSTP-capable network. The root bridge is the logical center but is unnecessarily the physical center of the entire network. The root bridge may be served by another switching device along with the network topology change. l ID There are Bridge IDs (BIDs) and port IDs (PIDs). BID IEEE 802.1D defines that a BID is composed of a 2-bit bridge priority and a bridge MAC address. That is, BID (8 bits) = Bridge priority (2 bits) + Bridge MAC address (6 bits). On the STP-capable network, the device with the smallest BID is selected as the root bridge. The bridge priority that is allowed to be configured on a Huawei device ranges from 0 to 61440. By default, the bridge priority is 32768. PID
A 16-bit PID is composed of a 4-bit port priority and a 12-bit port number. The PID is used when the designated port needs to be selected. That is, when the root path costs and the sender BIDs of two ports are the same, the port with a smaller PID is selected as the designated port. As shown in Figure 8-1, the root path costs and sender BIDs of port A and port B on S2 are the same. Port A has a smaller PID, and is thus selected as the designated port on the local segment. The port priority that can be configured on a Huawei device ranges from 0 to 240, with the step 16. That is, the port priority can be 0, 16, or 32. By default, the port priority is 128. l Path cost A path cost is port-specific, which is used by STP/RSTP as a reference to select a link. STP/RSTP calculates the path cost to select the robust link and blocks redundant links to trim the network into a loop-free tree topology. On an STP/RSTP-capable network, the accumulative cost of the path from a certain port to the root bridge is the sum of the costs of the segment paths into which the path is separated by the ports on the transit bridges. l Port roles STP-capable port Root port The root port is the port that is nearest to the root bridge. The root port is determined based on the path cost. Among all the ports where STP is enabled on the network bridge, the port with the smallest root path cost is the root port. There is only one root port on an STP-capable device, but there is no root port on the root bridge. Designated Port The designated port on a switching device forwards bridge protocol data units (BPDUs) to the downstream switching device. All ports on the root bridge are designated ports. A designated port is selected on each network segment. The device where the designated port resides is called the designated bridge on the network segment. RSTP-capable port Compared with STP, RSTP has two additional types of ports, namely, the alternate port and backup port. More port roles are defined to simplify the knowledge and deployment of STP.
Issue 01 (2011-10-26)
393
Figure 8-1 Diagram of port roles

S1 Root bridge
S2 A
S3 A a
S1 Root bridge
S2 A B b
S3 A a
Root port Designated port Alternate port Backup port
As shown in Figure 8-1, RSTP defines four port roles: root port, designated port, alternate port, and backup port. The functions of the root port and designated port are the same as those defined in STP. The description of the alternate port and backup port is as follows: From the perspective of configuration BPDU transmission: The alternate port is blocked after learning the configuration BPDUs sent by other bridges. The backup port is blocked after learning the configuration BPDUs sent by itself. From the perspective of user traffic: The alternate port backs up the root port and provides an alternate path from the designated bridge to the root bridge. The backup port backs up the designated port and provides an alternate path from the root node to the leaf node. After all ports are assigned roles, topology convergence is completed.
Port status STP port state Table 8-1 shows the port status of an STP-capable port. Table 8-1 STP port state Port state Forward ing Learnin g Purpose The port in the Forwarding state forwards not only user traffic but also BPDUs. When a port is in the Learning state, a device creates a MAC address table based on the received user traffic but does not forward user traffic. When a port is in the Listening state, the root bridge, root port, and designated port are to be selected. The port in the Blocking state receives and forwards only BPDUs but does not forward user traffic. The port in the Disabled state forwards neither BPDUs nor user traffic. Description Only the root port and designated port can enter the Forwarding state. This is a transition state, which is designed to prevent temporary loops.
Listenin g Blockin g Disabled
This is a transition state.
This is the final state of a blocked port. The port is Down.
RSTP port state Table 8-2 shows the port status of an RSTP-capable port. Table 8-2 RSTP port state Port state Forwarding Learning Description A port in the Forwarding state can send and receive BPDUs as well as forward user traffic. This is a transition state. A port in the Learning state learns MAC addresses from user traffic to construct a MAC address table. In the Learning state, the port can send and receive BPDUs, but cannot forward user traffic. Discarding A port in the Discarding state can only receive BPDUs.
Issue 01 (2011-10-26)
395
CAUTION
A Huawei datacom device is in MSTP mode by default. After a device experiences the transition from the MSTP mode to the STP mode, an STP-capable port supports the same port states as those supported by an MSTP-capable port, including the Forwarding, Learning, and Discarding states. For details, see Table 8-2. l Three timers Hello Timer Sets the interval at which BPDUs are sent. Forward Delay Timer Sets the time spent in the Listening and Learning states. Max Age Sets the maximum lifetime of a BPDU on the network. When the Max Age time expires, the connection to the root bridge fails.
Comparison between STP, RSTP, and MSTP

Table 8-3 shows the comparison between STP, RSTP, and MSTP. Table 8-3 Comparison between STP, RSTP, and MSTP Spanning Tree Protocol STP Characteristics Applicable Environment Irrespective of different users or services, all VLANs share one spanning tree. Precautions
A loop-free tree is generated. Thus, broadcast storms are prevented and redundancy is implemented. l A loop-free tree is generated. Thus, broadcast storms are prevented and redundancy is implemented. l A feedback mechanism is provided to confirm topology convergence. Thus, rapid convergence is implemented.
NOTE l If the current switching device supports STP and RSTP, RSTP is recommended. l If the current switching device supports STP or RSTP, and MSTP, MSTP is recommended. See MSTP Configuration.
RSTP
Issue 01 (2011-10-26)
396
Spanning Tree Protocol MSTP
Characteristics
Applicable Environment User or service-specific load balancing is required. Traffic for different VLANs is forwarded through different spanning trees, which are independent of each other.
Precautions
l In an MSTP region, a loop-free tree is generated. Thus, broadcast storms are prevented and redundancy is implemented. l A feedback mechanism is provided to confirm topology convergence. Thus, rapid convergence is implemented. l MSTP implements load balancing among VLANs. Traffic in different VLANs is transmitted along different paths.
8.1.2 STP/RSTP Features Supported by the S9300

Before configuring STP/RSTP, familiarize yourself with the concepts of basic STP/RSTP functions, topology convergence, STP/RSTP protection, and STP/RSTP interoperability between Huawei devices and non-Huawei devices. This will help you complete the configuration task quickly and accurately. STP/RSTP is used to block redundant links on the Layer 2 network and trim a network into a loop-free tree topology. The basic configuration roadmap of STP/RSTP is as follows: 1. Select a switching device (functioning as a root bridge) from switching devices for each spanning tree. You can configure the priorities of the switching devices to preferentially select a root bridge. In each spanning tree, calculate the shortest paths from the other switching devices to the root bridge, and select a root port for each non-root switching device. You can configure the cost of the path from a switching device to the root bridge to preferentially select a root port. In each spanning tree, select a designated port for each connection according to the bridge ID, the cost of path and port IDs. If the devices have the same bridge ID and the cost of path, You can configure the port priorities to preferentially select a designated port.
2.
3.
STP/RSTP also supports the following features to meet requirements of special applications and extended functions: l l
Issue 01 (2011-10-26)
A feedback mechanism is provided to confirm topology convergence. Thus, rapid convergence is implemented. RSTP provides the following protection functions, as listed in Table 8-4.
Supports STP/RSTP interoperability between Huawei devices and non-Huawei devices. Proper parameters are required on Huawei devices running STP/RSTP to ensure nonstop communication. Table 8-4 RSTP Protection Function Protection Function BPDU protection Scenario An edge port changes to be a non-edge port after receiving a BPDU, which triggers spanning tree recalculation. If an attacker keeps sending bogus BPDUs to a switching device, network flapping occurs. Generally, after receiving TC BPDUs (packets for advertising network topology changes), a switching device needs to delete MAC entries and ARP entries. Frequent deletion operations will exhaust CPU resources. Configuration Impact After BPDU protection is enabled on the switching device, the switching device shuts down the edge port if the edge port receives an RST BPDU, and notifies the NMS of the shutdown event. The attributes of the edge port are not changed.
TC protection
TC protection is used to suppress TCBPDUs. The number of times that TCBPDUs are processed by a switching device within a given time period is configurable. If the number of TC-BPDUs that the switching device receives within a given time exceeds the specified threshold, the switching device handles TC-BPDUs only for the specified number of times. Excess TC-BPDUs are processed by the switching device as a whole for once after the timer (that is, the specified time period) expires. This protects the switching device from frequently deleting MAC entries and ARP entries, thus avoiding over-burdened. If a designated port is enabled with the root protection function, the role of the port cannot be changed. Once a designated port that is enabled with root protection receives RST BPDUs with a higher priority, the port enters the Discarding state and does not forward packets. If the port does not receive any RST BPDUs with a higher priority before a period (generally two Forward Delay periods) expires, the port automatically enters the Forwarding state.
Root protection
Due to incorrect configurations or malicious attacks on the network, a root bridge may receive BPDUs with a higher priority. Consequently, the legitimate root bridge is no longer able to serve as the root bridge, and the network topology is illegitimately changed, triggering spanning tree recalculation. This may transfer traffic from highspeed links to low-speed links, causing traffic congestion.
Issue 01 (2011-10-26)
398
Protection Function Loop protection
Scenario A root port or an alternate port will age if link congestion or a one-way link failure occurs. After the root port ages, a switching device may reselect a root port incorrectly and after the alternate port ages, the port enters the Forwarding state. Loops may occur in such a situation.
Configuration Impact After loop protection is configured, if the root port or alternate port does not receive RST BPDUs from the upstream switching device for a long time, the switching device notifies the NMS that the port enters the Discarding state. The blocked port remains in the Blocked state and no longer forwards packets. This prevents loops on the network. The root port restores the Forwarding state after receiving new BPDUs.
8.2 Configuring Basic STP/RSTP Functions

STP/RSTP is used to block redundant links on the Layer 2 network and trim a network into a loop-free tree topology. STP/RSTP is commonly configured on a switching device to trim a ring network to a loop-free network. STP/RSTP configurations on the switching device involve STP/RSTP working mode configuration. If you need to interfere in the spanning tree calculation, the following methods are available: l Setting a priority for a switching device: The lower the numerical value, the higher the priority of the switching device and the more likely the switching device becomes a root bridge; the higher the numerical value, the lower the priority of the switching device and the less likely that the switching device becomes a root bridge. Setting a path cost for a port: With the same calculation method, the lower the numerical value, the smaller the cost of the path from the port to the root bridge and the more likely the port becomes a root port; the higher the numerical value, the larger the cost of the path from the port to the root bridge and the less likely that the port becomes a root port. Setting a priority for a port: The lower the numerical value, the more likely the port becomes a designated port; the higher the numerical value, the less likely that the port becomes a designated port.

Before configuring basic STP/RSTP functions, familiarize yourself with the applicable environment, complete the pre-configuration tasks, and obtain the required data. This will help you complete the configuration task quickly and accurately.
On a complex network, loops are inevitable. With the requirement for network redundancy backup, network designers tend to deploy multiple physical links between two devices, one of which is the master and the others are the backup. Loops are likely or bound to occur in such a situation.
Loops will cause broadcast storms, thereby exhausting network resources and paralyzing the network. Loops also cause flapping of MAC address tables and thus damages MAC address entries. STP/RSTP can be deployed on a network to eliminate loops. If a loop is detected, STP/RSTP blocks one port to eliminate the loop. As shown in Figure 8-2, Switch A, Switch B, Switch C, and Switch D form a ring network, and STP/RSTP is enabled on the ring network to eliminate loops. Figure 8-2 Diagram of a ring network
Network
Root Bridge SwitchA SwitchB
SwitchC
SwitchD
PC1
PC2 Blocked port
NOTE
If the current switching device supports STP and RSTP, RSTP is recommended.
Before configuring basic STP/RSTP functions, complete the following task: l Connecting interfaces and setting physical parameters for the interfaces to ensure that the physical status of the interfaces is Up
Data Preparation
To configure basic STP/RSTP functions, you need the following data.
Issue 01 (2011-10-26)
400
No. 1 2 3
Data (Optional) Priority of a switching device (Optional) Priority of a port (Optional) Path cost of a port
8.2.2 Configuring the STP/RSTP Mode

Before configuring basic STP/RSTP functions, you need to configure the working mode of a switching device to STP/RSTP. RSTP is compatible with STP.
Procedure
Step 1 Run:
system-view

stp mode { stp | rstp }
The working mode of the switching device is configured as STP/RSTP. By default, the working mode of the S9300 is MSTP. ----End
8.2.3 (Optional) Configuring Switching Device Priorities

The lower the numerical value is, the higher priority a switching device has and the more likely the switching device will be selected as a root bridge.
Context
On an STP/RSTP-capable network, there is only one root bridge and it is the logic center of the entire spanning tree. In root bridge selection, the switching device with high performance and network hierarchy is generally selected as a root bridge; however, the priority of such a device may be not that high. Thus setting a high priority for the switching device is necessary so that the device can function as a root bridge. Other devices with low performance and network hierarchy are not fit to be a root bridge. Therefore, set low priorities for these devices.
CAUTION
If an S9300 is configured as the root switch or secondary root switch, the priority of the S9300 cannot be set. If you want to set the priority of the S9300, you must disable the root switch or secondary root switch.
Issue 01 (2011-10-26)
401
Procedure
Step 1 Run:
system-view

stp priority priority
The priority of a switching device is configured. The default priority value of a switching device is 32768.
NOTE
l To configure a switching device as a primary root bridge, you can run the stp root primary command directly. The priority value of this switching device is 0. l To configure a switching device as a secondary root bridge, run the stp root secondary command. The priority value of this switching device is 4096. A switching device cannot act as a primary root bridge and a secondary root bridge at the same time.
----End
8.2.4 (Optional) Setting the Path Cost for a Port

The STP/RSTP path cost determines root port selection. The port from which to the root port costs the least is selected as the root port.
Context
A path cost is port-specific, which is used by STP/RSTP as a reference to select a link. The range of the path cost value is determined by the calculation method. After the calculation method is determined, you are recommended to set a relatively small path cost value for the port at a high link rate. Use the Huawei proprietory calculation method as an example. Different link rates correspond to default path cost values of ports. For details, see Table 8-5. Table 8-5 Mappings between link rates and path cost values Link Rate 10 Mbit/s 100 Mbit/s 1 Gbit/s 10 Gbit/s Over 10 Gbit/s Recommended value 2000 200 20 2 1 Recommended Value Range 200-20000 20-2000 2-200 2-20 1-2 Value Range 1-200000 1-200000 1-200000 1-200000 1-200000
Issue 01 (2011-10-26)
402
On a network where loops occur, you are recommended to set a relatively large path cost for the port at a low link rate. STP/RSTP puts the port with the large path cost in the Blocking state and blocks the link where this port resides.
Procedure
Step 1 Run:
system-view

stp pathcost-standard { dot1d-1998 | dot1t | legacy }
A path cost calculation method is configured. By default, the IEEE 802.1t standard method is used to calculate the default path cost. All switching devices on a network must use the same calculation method for path costs. Step 3 Run:

stp cost cost
A path cost is set for the port. l When the Huawei proprietory calculation method is used, cost ranges from 1 to 200000. l When the IEEE 802.1d standard method is used, cost ranges from 1 to 65535. l When the IEEE 802.1t standard method is used, cost ranges from 1 to 200000000. ----End
8.2.5 (Optional) Configuring Port Priorities

The lower the numerical value, the more likely the port on a switching device becomes a designated port; the higher the numerical value, the more likely the port is to be blocked.
Context
Whether a port on a switching device will be selected as a designated port is determined by its priority. For details, see 8.1.1 STP/RSTP Overview. If you expect to block a port on a switching device to eliminate loops, set the port priority value to be larger than the default value when the devices have the same bridge ID and the cost of path. This port will be blocked in designated port selection.
Procedure
Step 1 Run:
system-view

Step 2 Run:

stp port priority priority
The port priority is configured. The default priority value of a port on a switching device is 128. ----End
8.2.6 Enabling STP/RSTP

After STP/RSTP is enabled, spanning trees are calculated.
Context
After STP/RSTP is enabled on a ring network, STP/RSTP immediately calculates spanning trees on the network. Configurations on the switching device, such as the switching device priority and port priority, will affect spanning tree calculation. Any change of the configurations may cause network flapping. Therefore, to ensure rapid and stable spanning tree calculation, perform basic configurations on the switching device and its ports and enable STP/RSTP.
Procedure
Step 1 Run:
system-view

stp enable
STP/RSTP is enabled on the switching device. By default, the STP/RSTP function is disabled on a S9300. ----End

After basic STP/RSTP functions are configured, you can view the information such as the port role and port status to check whether the spanning tree calculation is correctly performed.
Prerequisite
All configurations of basic STP/RSTP functions are complete.
Procedure
l Run the display stp [ interface interface-typeinterface-number ] [ brief ] command to view spanning-tree status and statistics.
----End
8.3 Configuring STP/RSTP Parameters on an Interface

A feedback mechanism is provided to confirm topology convergence. Thus, rapid convergence is implemented for RSTP. STP does not implement rapid convergence; however, STP parameters, such as the network diameter, hello time, Max Age time, and Forward Delay time, may affect network convergence. RSTP is a refinement of STP and implements rapid convergence. In addition to the preceding parameters, such parameters as the type of the link where the port resides, rapid transition mechanism, and maximum number of sent BPDUs port parameters also affect STP/RSTP topology convergence. For the parameters of devices running STP/RSTP, see Table 8-6. Table 8-6 Parameters affecting the STP/RSTP topology convergence Paramete r System parameter Parameter Description network diameter, timer value (Hello Time, Forward Delay period, Max Age time), and timeout period for waiting for BPDUs from the upstream (3 x hello time x time factor) Commands l stp bridge-diameter diameter l stp timer hello hello-time l stp timer forward-delay forward-delay l stp timer max-age max-age l stp timer-factor factor Description It is recommended that you set the network diameter to determine the timer value. The switching device automatically calculates the Forward Delay period, Hello time, and Max Age time based on the network diameter. Then, you can run the stp timer-factor factor command to set the timeout period for waiting for BPDUs from the upstream (3 x hello time x time factor).
Issue 01 (2011-10-26)
405
Paramete r Port parameter
Parameter Description Link type of a port
Commands l stp point-to-point { auto | force-false | force-true }
Description A P2P link helps implement the rapid convergence. l If the port works in fullduplex mode, the link where the port resides is a P2P link. l If the port works in half-duplex mode, you can forcibly switch the link where the port resides to a P2P link. l In other cases, you can enable the port to automatically determine whether to connect to the P2P link.
Port transition to the RSTP mode
l stp mcheck
On a switching device running RSTP, if an interface is connected to a device running STP, the interface automatically transitions to the STP mode. Enabling MCheck on the interface is required When the interface fail to automatically transition to the RSTP mode.
Maximum number of BPDUs sent by the interface within each Hello time
l stp transmit-limit packetnumber
If the maximum number of BPDUs sent by the interface within each Hello time is set properly, the rate at which BPDUs are sent can be restricted, which prevents RSTP from consuming too many bandwidths when network flapping occurs.
Issue 01 (2011-10-26)
406
Paramete r
Parameter Description Edge ports
Commands l stp edged-port enable l error-down auto-recovery cause cause-item interval interval-value
Description The ports connecting to terminals do not participate in STP/RSTP calculation. If a port is configured as an edge port, the port does not participate in STP/RSTP calculation. After BPDU protection is configured on a switching device, an edge port is shut down when receiving BPDUs. The port can be configured to automatically go Up after a specific delay.

Before configuring parameters affecting STP/RSTP rapid convergence, familiarize yourself with the applicable environment, complete the pre-configuration tasks, and obtain the required data. This will help you complete the configuration task quickly and accurately.
On some specific networks, RSTP parameters will affect the speed of network convergence. Configuring proper RSTP parameters is required.
NOTE
The default configurations of the parameters described in this section help implement RSTP rapid convergence. Therefore, the configuration process and all involved procedures described in this section are optional. You can perform some of the configurations as required.
Pre-configuration Tasks Before configuring STP/RSTP parameters, complete the following task: l Configuring basic STP/RSTP functions
Data Preparation
To configure STP/RSTP parameters, you need the following data. No. 1 2 3
Issue 01 (2011-10-26)
Data Network diameter Hello time, forwarding delay time, maximum aging time, and timeout period for waiting for BPDUs from the upstream (3 x hello time x time factor) Link type of a port
No. 4 5 6 7 8 9 10
Data Whether a port is enabled with rapid transition mechanism Whether a port needs to transition to the RSTP mode Maximum number of sent BPDUs Whether a port needs to be configured as an edge port Whether auto recovery needs to be configured for an edge port being shut down Whether a port needs to clear statistics of the spanning tree Whether an edge port needs to be configured as a BPDU filter
8.3.2 Setting System Parameters

STP/RSTP parameters that may affect network convergence include the network diameter, hello time, and timeout period for waiting for BPDUs from the upstream (3 x hello time x time factor). Therefore, STP/RSTP parameters need to be set properly to help implement rapid network convergence.
Procedure
Step 1 Run:
system-view

stp bridge-diameter diameter
The network diameter is configured. By default, the network diameter is 7. l RSTP uses a single spanning tree instance on the entire network, which cannot prevent the performance from deteriorating when the network scale grows. Therefore, the network diameter cannot be larger than 7. l It is recommended that you run the stp bridge-diameter diameter command to set the network diameter. Then, the switching device calculates the optimal Forward Delay period, Hello time, and Max Age period based on the set network diameter. Step 3 Run:
stp timer-factor factor
The timeout period for waiting for BPDUs from the upstream of a switching device is set. By default, the timeout period of a switching device is 9 times as long as the Hello time. Step 4 (Optional) To set the Forward Delay period, Hello time, and Max Age period, perform the following operations: l Run the stp timer forward-delay forward-delay command to set the Forward Delay period for a switching device.
The default Forward Delay period of a switching device is 1500, in centiseconds. l Run the stp timer hello hello-time command to set the Hello time for a switching device. The default Hello time of a switching device is 200, in centiseconds. l Run the stp timer max-age max-age command to set the Max Age period for a switching device. The default Max Age period of a switching device is 2000, in centiseconds.
NOTE
The values of the Hello time, Forward Delay period, and Max Age period must comply with the following formulas. Otherwise, networking flapping occurs. l 2 (Forward Delay - 1.0 second) >= Max Age l Max Age >= 2 (Hello Time + 1.0 second)
----End
8.3.3 Setting Port Parameters

Port parameters that may affect RSTP topology convergence include the link type and maximum number of sent BPDUs. Proper port parameters help RSTP to implement rapid topology convergence.
Procedure
Step 1 Run:
system-view


stp point-to-point { auto | force-false | force-true }
The link type is configured for a port. By default, a port automatically determines whether to connect to a P2P link. The P2P link supports rapid network convergence. l If the Ethernet port works in full-duplex mode, the port is connected to a P2P link. In this case, force-true can be configured to implement rapid network convergence. l If the Ethernet port works in half-duplex mode, you can configure stp point-to-point forcetrue to forcibly set the link type to P2P to implement rapid network convergence. Step 4 Run:
stp mcheck
MCheck is enabled. On a switching device running RSTP, if a port is connected to a device running STP, the port automatically transitions to the STP interoperable mode. Enabling MCheck on the port is required because the port may fail to automatically transition to the RSTP mode in the following situations:
l The switching device running STP is shut down or moved. l The switching device running STP transitions to the RSTP mode.
NOTE
If you run the stp mcheck command in the system view, the MCheck operation is performed on all the interfaces.
Step 5 Run:
stp transmit-limit packet-number
The maximum number of BPDUs sent by a port within each Hello time is set. By default, the maximum number of BPDUs that a port sends within each Hello time is 147. Step 6 (Optional) Run:
stp edged-port enable
The port is configured as an edge port. If a device port is connected to a terminal, you can run this command to configure the port as an edge port. By default, the port is a non-edge port. Step 7 Run:
quit
Return to the system view. Step 8 (Optional) Run:

error-down auto-recovery cause cause-item interval interval-value
The auto recovery function on an edge port is configured. That is, enable the port in the errordown state to automatically go Up, and set the delay for the transition from Down to Up. There is no default value for the recovery time. Therefore, you must specify a delay when configuring this command. ----End
Follow-up Procedure
When the topology of a spanning tree changes, the forwarding paths to associated VLANs are changed. Then, ARP entries corresponding to those VLANs on the switching device need to be updated. STP/RSTP processes ARP entries in either fast or normal mode. l l In fast mode, ARP entries to be updated are directly deleted. In normal mode, ARP entries to be updated are rapidly aged. The remaining lifetime of ARP entries to be updated is set to 0. The switching device rapidly processes these aged entries. If the number of ARP aging probe attempts is not set to 0, ARP implements aging probe for these ARP entries. In either fast or normal mode, MAC entries are directly deleted. You can run the stp converge { fast | normal } command in the system view to configure the STP/RSTP convergence mode. By default, the STP/RSTP convergence is configured as normal.

NOTE
The normal mode is recommended. If the fast mode is adopted, ARP entries will be frequently deleted, causing the CPU usage on the MPU or LPU to reach 100%. As a result, network flapping frequently occurs.

You can verify that the configurations take effect after configuring STP/RSTP parameters that affect the topology convergence.
Prerequisite
The parameters that affect the topology convergence have been configured.
Procedure
l Run the display stp [ interface interface-type interface-number ] [ brief ] command to view spanning-tree status and statistics.
----End
8.4 Configuring RSTP Protection Functions

RSTP protection functions are as follows, and you can configure one or more functions as required.

Before configuring RSTP protection functions, familiarize yourself with the applicable environment, complete the pre-configuration tasks, and obtain the required data. This will help you complete the configuration task quickly and accurately.
RSTP provides the following protection functions, as listed in Table 8-7. Table 8-7 RSTP Protection Function Protection Function BPDU protection Scenario An edge port changes to be a non-edge port after receiving a BPDU, which triggers spanning tree recalculation. If an attacker keeps sending bogus BPDUs to a switching device, network flapping occurs. Configuration Impact After BPDU protection is enabled on the switching device, the switching device shuts down the edge port if the edge port receives an RST BPDU, and notifies the NMS of the shutdown event. The attributes of the edge port are not changed.
Issue 01 (2011-10-26)
411
Protection Function TC protection
Scenario Generally, after receiving TC BPDUs (packets for advertising network topology changes), a switching device needs to delete MAC entries and ARP entries. Frequent deletion operations will exhaust CPU resources.
Configuration Impact TC protection is used to suppress TC-BPDUs. The number of times that TC-BPDUs are processed by a switching device within a given time period is configurable. If the number of TC-BPDUs that the switching device receives within a given time exceeds the specified threshold, the switching device handles TC-BPDUs only for the specified number of times. Excess TC-BPDUs are processed by the switching device as a whole for once after the timer (that is, the specified time period) expires. This protects the switching device from frequently deleting MAC entries and ARP entries, thus avoiding over-burdened. If a designated port is enabled with the root protection function, the role of the port cannot be changed. Once a designated port that is enabled with root protection receives RST BPDUs with a higher priority, the port enters the Discarding state and does not forward packets. If the port does not receive any RST BPDUs with a higher priority before a period (generally two Forward Delay periods) expires, the port automatically enters the Forwarding state.
Root protection
Due to incorrect configurations or malicious attacks on the network, a root bridge may receive BPDUs with a higher priority. Consequently, the legitimate root bridge is no longer able to serve as the root bridge, and the network topology is illegitimately changed, triggering spanning tree recalculation. This may transfer traffic from high-speed links to low-speed links, causing traffic congestion. A root port or an alternate port will age if link congestion or a one-way link failure occurs. After the root port ages, a switching device may re-select a root port incorrectly and after the alternate port ages, the port enters the Forwarding state. Loops may occur in such a situation.
Loop protection
After loop protection is configured, if the root port or alternate port does not receive RST BPDUs from the upstream switching device for a long time, the switching device notifies the NMS that the port enters the Discarding state. The blocked port remains in the Blocked state and no longer forwards packets. This prevents loops on the network. The root port restores the Forwarding state after receiving new BPDUs.
Before configuring basic RSTP functions, complete the following task:
Issue 01 (2011-10-26)
412
Configuring basic RSTP functions

NOTE
Configuring an edge port on the switching device before configuring BPDU protection.
Data Preparation
To configure basic RSTP functions, you need the following data. No. 1 2 Data Number of the port on which root protection is to be enabled Number of the port on which loop protection is to be enabled
8.4.2 Configuring BPDU Protection on a Switching Device

After BPDU protection is enabled on a switching device, the switching device shuts down an edge port if the edge port receives a BPDU, and notifies the NMS of the shutdown event.
Context
Edge ports are directly connected to user terminals and normally, the edge ports will not receive BPDUs. Some attackers may send pseudo BPDUs to attach the switching device. If the edge ports receive the BPDUs, the switching device automatically configures the edge ports as nonedge ports and triggers new spanning tree calculation. Network flapping then occurs. BPDU protection can be used to protect switching devices against malicious attacks.
NOTE
Do as follows on a switching device having an edge port:
Procedure
Step 1 Run:
system-view

stp bpdu-protection
BPDU protection is enabled on the switching device. By default, BPDU protection is not enabled on the switching device. ----End
Follow-up Procedure
To allow an edge port to automatically start after being shut down, you can run the error-down auto-recovery cause cause-item interval interval-value command to configure the auto recovery function and set the delay on the port. After the delay expires, the port automatically goes Up. interval interval-value ranges from 30 to 86400, in seconds. Note the following when setting this parameter:
l l
The smaller the interval-value is set, the sooner the edge port becomes Up, and the more frequently the edge port alternates between Up and Down. The larger the interval-value is set, the later the edge port becomes Up, and the longer the service interruption lasts.
8.4.3 Configuring TC Protection on a Switching Device

After TC protection is enabled, you can set the number of times for a switching device to process TC BPDUs within a given time. TC protection avoids frequent deletion of MAC address entries and ARP entries, thereby protecting switching devices.
Context
An attacker may send pseudo TC BPDUs to attack switching devices. Switching devices receive a large number of TC BPDUs in a short time and delete entries frequently, which burdens system processing and degrades network stability. TC protection is used to suppress TC BPDUs. The number of times that TC BPDUs are processed by a switching device within a given time period is configurable. If the number of TC BPDUs that the switching device receives within a given time exceeds the specified threshold, the switching device handles TC BPDUs only for the specified number of times. Excess TC-BPDUs are processed by the switching device as a whole for once after the specified time period expires. This protects the switching device from frequently deleting MAC entries and ARP entries, thus avoiding overburden.
Procedure
Step 1 Run:
system-view

stp tc-protection
TC protection is enabled for a switching device. By default, TC protection is enabled on the switching device. Step 3 Run:
stp tc-protection threshold threshold
The threshold of the number of times the switching device handles the received TC BPDUs and updates forwarding entries within a given time is set.
NOTE
The value of the given time is consistent with the RSTP Hello time set by using the stp timer hello hellotime command.
----End
8.4.4 Configuring Root Protection on a Port

The root protection function on a switching device protects a root bridge by preserving the role of a designated port.
Context
Due to incorrect configurations or malicious attacks on the network, a root bridge may receive BPDUs with a higher priority. Consequently, the legitimate root bridge is no longer able to serve as the root bridge, and the network topology is incorrectly changed, triggering spanning tree recalculation. This also may cause the traffic that should be transmitted over high-speed links to be transmitted over low-speed links, leading to network congestion. The root protection function on a switching device is used to protect the root bridge by preserving the role of the designated port.
NOTE
Root protection is configured on a designated port. Root protection takes effect only on a designated port.
Do as follows on the root bridge.
Procedure
Step 1 Run:
system-view


stp root-protection
Root protection is configured on the switching device. By default, root protection is disabled. ----End
8.4.5 Configuring Loop Protection on a Port

The loop protection function suppresses the loops caused by link congestion.
Context
On a network running RSTP, a switching device maintains the root port status and status of blocked ports by receiving BPDUs from an upstream switching device. If the switching device cannot receive BPDUs from the upstream because of link congestion or unidirectional-link failure, the switching device re-selects a root port. The original root port becomes a designated port and the original blocked ports change to the Forwarding state. This may cause network loops. To address such a problem, configure loop protection. After loop protection is configured, if the root port or alternate port does not receive BPDUs from the upstream switching device, the root port is blocked and the switching device notifies the NMS that the port enters the Discarding state. The blocked port remains in the Blocked state and no longer forwards packets. This prevents loops on the network. The root port restores the Forwarding state after receiving new BPDUs.

NOTE
An alternate port is a backup port of a root port. If a switching device has an alternate port, you need to configure loop protection on both the root port and the alternate port.
Do as follows on a root port and an alternate port on a switching device.
Procedure
Step 1 Run:
system-view


stp loop-protection
Loop protection for the root port or the alternate port is configured on the switching device. By default, loop protection is disabled. ----End

After RSTP protection functions are configured, you can verify that the configurations take effect.
Prerequisite
All configurations of RSTP protection functions are complete.
Procedure
l Run the display stp [ interface interface-type interface-number ] [ brief ] command to view the status of a spanning tree, including the status of protection functions on a switching device
----End
8.5 Configuring STP/RSTP Interoperability Between Huawei Devices and Non-Huawei Devices
To supports STP/RSTP interoperability between Huawei devices and non-Huawei devices, proper parameters are required on Huawei devices running STP/RSTP to ensure nonstop communication.

Before configuring STP/RSTP interoperability between Huawei devices and non-Huawei devices, familiarize yourself with the applicable environment, complete the pre-configuration
tasks, and obtain the required data. This will help you complete the configuration task quickly and accurately.
On a network running STP/RSTP, inconsistent protocol packet formats and BPDU keys may lead to a communication failure. Configuring proper STP/RSTP parameters on Huawei devices ensures interoperability between Huawei devices and non-Huawei devices.
Before configuring STP/RSTP interoperability between Huawei devices and non-Huawei devices, complete the following task: l Configuring basic STP/RSTP functions
Data Preparation
To configure STP/RSTP interoperability between Huawei devices and non-Huawei devices, you need the following data. No. 1 Data BPDU format
8.5.2 Configuring the Proposal/Agreement Mechanism

To enable Huawei Datacom devices to communicate with non-Huawei devices, a proper rapid transition mechanism needs to be configured on Huawei devices based on the Proposal/ Agreement mechanism on non-Huawei devices.
Context
The rapid transition mechanism is also called the Proposal/Agreement mechanism. Switching devices currently support the following modes: l Enhanced mode: The current interface counts a root port when it counts the synchronization flag bit. An upstream device sends a Proposal message to a downstream device, requesting rapid status transition. After receiving the message, the downstream device sets the port connected to the upstream device to a root port and blocks all non-edge ports. The upstream device then sends an Agreement message to the downstream device. After the downstream device receives the message, the root port transitions to the Forwarding state. The downstream device responds the Proposal message with an Agreement message. After receiving the message, the upstream device sets the port connected to the downstream device as a designated port. The designated port then transitions to the Forwarding state. l Common mode: The current interface ignores the root port when it counts the synchronization flag bit.
Issue 01 (2011-10-26)
An upstream device sends a Proposal message to a downstream device, requesting rapid status transition. After receiving the message, the downstream device sets the port connected to the upstream device to a root port and blocks all non-edge ports. The root port then transitions to the Forwarding state. The downstream device responds the Proposal message with an Agreement message. After receiving the message, the upstream device sets the port connected to the downstream device as a designated port. The designated port then transitions to the Forwarding state. When Huawei datacom devices are interworking with non-Huawei devices, select either mode depending on the Proposal/Agreement mechanisms on non-Huawei devices.
Procedure
Step 1 Run:
system-view


stp no-agreement-check
The common rapid transition mechanism is configured. By default, the interface uses the enhanced rapid transition mechanism. ----End

After MSTP parameters are configured for the interoperability between Huawei devices and non-Huawei devices, you can verify that the configurations take effect.
Prerequisite
Parameters have been configured to ensure MSTP interoperability between Huawei devices and non-Huawei devices.
Procedure
l Run the display stp [ interface interface-type interface-number ] [ brief ] command to view spanning-tree status.
----End
8.6 Maintaining STP/RSTP

STP/RSTP maintenance includes resetting STP/RSTP statistics.
Issue 01 (2011-10-26)
418
8.6.1 Clearing STP/RSTP Statistics

You can run the reset commands to reset STP/RSTP statistics to 0.
Context
CAUTION
STP/RSTP statistics cannot be restored after you clear them. Therefore, exercise caution when using the reset commands. After you confirm that STP/RSTP statistics need to be cleared, run the following command in the user view.
Procedure
Step 1 Run the reset stp [ interface interface-type interface-number ] statistics command to clear spanning-tree statistics. ----End

This section shows typical usage scenarios of STP/RSTP by describing networking requirements, configuration roadmap, and data preparation, and provides related configuration files.
8.7.1 Example for Configuring Basic STP Functions

This example shows how to configure basic STP functions.
On a complex network, loops are inevitable. With the requirement for network redundancy backup, network designers tend to deploy multiple physical links between two devices, one of which is the master and the others are the backup. Loops are likely or bound to occur in such a situation. Loops will cause broadcast storms, thereby exhausting network resources and paralyzing the network. Loops also cause flapping of MAC address tables and damages MAC address entries. STP can be deployed on a network to eliminate loops by blocking some ports. On the network shown in Figure 8-3, after SwitchA, SwitchB, SwitchC, and SwitchD running STP discover loops on the network by exchanging information with each other, they trim the ring topology into a loop-free tree topology by blocking a certain port. In this manner, replication and circular propagation of packets are prevented on the network and the switching devices are released from processing duplicated packets, thereby improving their processing performance.
Figure 8-3 Networking diagram of configuring basic STP functions
Network
GE1/0/3 SwitchD
GE1/0/3 Root GE1/0/1 GE1/0/1 Bridge GE1/0/2 SwitchA STP
GE1/0/2
GE1/0/3 SwitchC GE1/0/2 GE1/0/1 GE1/0/1
GE1/0/3 SwitchB GE1/0/2
PC1
PC2 Blocked port
The configuration roadmap is as follows: 1. Configure basic STP functions, including: (1) Configure the STP mode for the ring network. (2) Configure primary and secondary root bridges. (3) Set path costs for ports to block certain ports. (4) Enable STP to eliminate loops.
NOTE
STP is not required on the interfaces connected to terminals because these interfaces do not need to participate in STP calculation.
Data Preparation
Issue 01 (2011-10-26)
GE interface number, as shown in Figure 8-3 Primary root bridge SwitchA and secondary root bridge SwitchD Path cost of a port to be blocked (20000 is used in this example)
Procedure
Step 1 Configure basic STP functions. 1. Configure the STP mode for the devices on the ring network. # Configure the STP mode on SwitchA.
<Quidway> system-view [Quidway] sysname SwitchA [SwitchA] stp mode stp
# Configure the STP mode on SwitchB.

<Quidway> system-view [Quidway] sysname SwitchB [SwitchB] stp mode stp
# Configure the STP mode on SwitchC.

<Quidway> system-view [Quidway] sysname SwitchC [SwitchC] stp mode stp
# Configure the STP mode on SwitchD.

<Quidway> system-view [Quidway] sysname SwitchD [SwitchD] stp mode stp
2.
Configure primary and secondary root bridges. # Configure SwitchA as a primary root bridge.
[SwitchA] stp root primary
# Configure SwitchD as a secondary root bridge.

[SwitchD] stp root secondary
3.
Set path costs for ports in each spanning tree to block certain ports.
NOTE
l The values of path costs depend on path cost calculation methods. Use the Huawei proprietary calculation method as an example to set the path costs of the ports to be blocked to 20000. l All switching devices on a network must use the same path cost calculation method.
# Set the path cost of GE1/0/1 on SwitchC to 20000.

[SwitchC] interface gigabitethernet 1/0/1 [SwitchC-GigabitEthernet1/0/1] stp cost 20000 [SwitchC-GigabitEthernet1/0/1] quit
4.
Enable STP to eliminate loops. l Disable STP on interfaces connected to PCs. # Disable STP on GE 1/0/2 on SwitchB.
[SwitchB] interface gigabitethernet 1/0/2 [SwitchB-GigabitEthernet1/0/2] stp disable [SwitchB-GigabitEthernet1/0/2] quit
# Disable STP on GE 1/0/2 on SwitchC.

[SwitchC] interface gigabitethernet 1/0/2 [SwitchC-GigabitEthernet1/0/2] stp disable [SwitchC-GigabitEthernet1/0/2] quit
l Enable STP globally. # Enable STP globally on SwitchA.

[SwitchA] stp enable
# Enable STP globally on SwitchB.

[SwitchB] stp enable
Issue 01 (2011-10-26)
421
# Enable STP globally on SwitchC.

[SwitchC] stp enable
# Enable STP globally on SwitchD.

[SwitchD] stp enable
Step 2 Verify the configuration. After the previous configurations, run the following commands to verify the configuration when the network is stable: # Run the display stp brief command on SwitchA to view the interface status and protection type. The displayed information is as follows:
[SwitchA] display stp brief MSTID Port 0 GigabitEthernet1/0/1 0 GigabitEthernet1/0/2 Role DESI DESI STP State FORWARDING FORWARDING Protection NONE NONE
After SwitchA is configured as a root bridge, GE 1/0/2 and GE 1/0/1 connected to SwitchB and SwitchD respectively are elected as designated ports in spanning tree calculation. # Run the display stp interface gigabitethernet 1/0/1 brief command on SwitchB to view status of GE 1/0/1. The displayed information is as follows:
[SwitchB] display stp interface gigabitethernet 1/0/1 brief MSTID Port Role STP State Protection 0 GigabitEthernet1/0/1 DESI FORWARDING NONE
GE 1/0/1 is elected as a designated port in spanning tree calculation and is in the Forwarding state. # Run the display stp brief command on SwitchC to view the interface status and protection type. The displayed information is as follows:
[SwitchC] display stp brief MSTID Port 0 GigabitEthernet1/0/1 0 GigabitEthernet1/0/3 Role ALTE ROOT STP State DISCARDING FORWARDING Protection NONE NONE
GE 1/0/1 is elected as an alternate port in spanning tree calculation and is in the Discarding state. GE 1/0/3 is elected as a root port in spanning tree calculation and is in the Forwarding state. ----End
Configuration Files
# sysname SwitchA # stp mode stp stp instance 0 root primary stp enable # return

# sysname SwitchB
Issue 01 (2011-10-26)
422

# stp mode stp stp enable # interface GigabitEthernet1/0/2 stp disable # return

# sysname SwitchC # stp mode stp stp enable # interface GigabitEthernet1/0/1 stp instance 0 cost 20000 # interface GigabitEthernet1/0/2 stp disable # return

# sysname SwitchD # stp mode stp stp instance 0 root secondary stp enable # return
8.7.2 Example for Configuring Basic RSTP Functions

This example shows how to configure basic RSTP functions.
On a complex network, loops are inevitable. With the requirement for network redundancy backup, network designers tend to deploy multiple physical links between two devices, one of which is the master and the others are the backup. Loops are likely or bound to occur in such a situation. Loops will cause broadcast storms, thereby exhausting network resources and paralyzing the network. Loops also cause flapping of MAC address tables and damage MAC address entries. RSTP can be deployed on a network to eliminate loops by blocking some ports. On the network shown in Figure 8-4, after SwitchA, SwitchB, SwitchC, and SwitchD running RSTP discover loops on the network by exchanging information with each other, they trim the ring topology into a loop-free tree topology by blocking a certain port. In this manner, replication and circular propagation of packets are prevented on the network and the switching devices are released from processing duplicated packets, thereby improving their processing performance.
Figure 8-4 Networking diagram of basic RSTP configurations
Network
GE1/0/3 SwitchD
GE1/0/3 Root GE1/0/1 GE1/0/1 Bridge GE1/0/2 SwitchA RSTP
GE1/0/2
GE1/0/3 SwitchC GE1/0/2 GE1/0/1 GE1/0/1
GE1/0/3 SwitchB GE1/0/2
PC1
PC2 Blocked port
The configuration roadmap is as follows: 1. Configure basic RSTP functions, including: (1) Configure the RSTP mode for the ring network. (2) Configure primary and secondary root bridges. (3) Set path costs for ports in each MSTI to block certain ports. (4) Enable RSTP to eliminate loops.
NOTE
RSTP is not required on the interfaces connected to terminals because these interfaces do not need to participate in RSTP calculation.
2.
Configure RSTP protection functions, for example, root protection on a designated port of a root bridge in each MSTI.
Data Preparation
To complete the configuration, you need the following data: l l
Issue 01 (2011-10-26)
GE interface number, as shown in Figure 8-4 Primary root bridge SwitchA and secondary root bridge Switch
D l Path cost of a port to be blocked (20000 is used in this example)
Procedure
Step 1 Configure basic RSTP functions. 1. Configure the RSTP mode for the devices on the ring network. # Configure the RSTP mode on SwitchA.
<Quidway> system-view [Quidway] sysname SwitchA [SwitchA] stp mode rstp
# Configure the RSTP mode on SwitchB.

<Quidway> system-view [Quidway] sysname SwitchB [SwitchB] stp mode rstp
# Configure the RSTP mode on SwitchC.

<Quidway> system-view [Quidway] sysname SwitchC [SwitchC] stp mode rstp
# Configure the RSTP mode on SwitchD.

<Quidway> system-view [Quidway] sysname SwitchD [SwitchD] stp mode rstp
2.
Configure primary and secondary root bridges. # Configure SwitchA as a primary root bridge.
[SwitchA] stp root primary
# Configure SwitchD as a secondary root bridge.

[SwitchD] stp root secondary
3.
Set path costs for ports in each MSTI to block certain ports.
NOTE
l The values of path costs depend on path cost calculation methods. Use the Huawei proprietary calculation method as an example to set the path costs of the ports to be blocked to 20000. l All switching devices on a network must use the same path cost calculation method.
# Set the path cost of GE1/0/1 on SwitchC to 20000.

[SwitchC] interface gigabitethernet 1/0/1 [SwitchC-GigabitEthernet1/0/1] stp cost 20000 [SwitchC-GigabitEthernet1/0/1] quit
4.
Enable RSTP to eliminate loops. l Disable RSTP on interfaces connected to PCs. # Disable RSTP on GE 1/0/2 on SwitchB.
[SwitchB] interface gigabitethernet 1/0/2 [SwitchB-GigabitEthernet1/0/2] stp disable [SwitchB-GigabitEthernet1/0/2] quit
# Disable RSTP on GE 1/0/2 on SwitchC.

[SwitchC] interface gigabitethernet 1/0/2 [SwitchC-GigabitEthernet1/0/2] stp disable [SwitchC-GigabitEthernet1/0/2] quit
l Enable RSTP globally. # Enable RSTP globally on SwitchA.


# Enable RSTP globally on SwitchB.

# Enable RSTP globally on SwitchC.

# Enable RSTP globally on SwitchD.

Step 2 Configure RSTP protection functions, for example, root protection on a designated port of a root bridge in each MSTI. # Enable root protection on GE 1/0/1 on SwitchA.
[SwitchA] interface gigabitethernet 1/0/1 [SwitchA-GigabitEthernet1/0/1] stp root-protection [SwitchA-GigabitEthernet1/0/1] quit
# Enable root protection on GE 1/0/2 on SwitchA.

[SwitchA] interface gigabitethernet 1/0/2 [SwitchA-GigabitEthernet1/0/2] stp root-protection [SwitchA-GigabitEthernet1/0/2] quit
Step 3 Verify the configuration. After the previous configurations, run the following commands to verify the configuration when the network is stable: # Run the display stp brief command on SwitchA to view the interface status and protection type. The displayed information is as follows:
[SwitchA] display stp brief MSTID Port 0 GigabitEthernet1/0/1 0 GigabitEthernet1/0/2 Role DESI DESI STP State FORWARDING FORWARDING Protection ROOT ROOT
After SwitchA is configured as a root bridge, GE 1/0/2 and GE 1/0/1 connected to SwitchB and SwitchD respectively are elected as designated ports in spanning tree calculation. The root protection function is enabled on the designated ports. # Run the display stp interface gigabitethernet 1/0/1 brief command on SwitchB to view status of GE 1/0/1. The displayed information is as follows:
[SwitchB] display stp interface gigabitethernet 1/0/1 brief MSTID Port Role STP State Protection 0 GigabitEthernet1/0/1 DESI FORWARDING NONE
GE 1/0/1 is elected as a designated port in spanning tree calculation and is in the Forwarding state. # Run the display stp brief command on SwitchC to view the interface status and protection type. The displayed information is as follows:
[SwitchC] display stp brief MSTID Port 0 GigabitEthernet1/0/1 0 GigabitEthernet1/0/3 Role ALTE ROOT STP State DISCARDING FORWARDING Protection NONE NONE
GE 1/0/1 is elected as an alternate port in spanning tree calculation and is in the Discarding state. GE 1/0/3 is elected as a root port in spanning tree calculation and is in the Forwarding state. ----End
Configuration Files
# sysname SwitchA # stp mode rstp stp instance 0 root primary stp enable # interface GigabitEthernet1/0/1 stp rootprotection # interface GigabitEthernet1/0/2 stp rootprotection # return

# sysname SwitchB # stp mode rstp stp enable # interface GigabitEthernet1/0/2 stp disable # return

# sysname SwitchC # stp mode rstp stp enable # interface GigabitEthernet1/0/1 stp instance 0 cost 20000 # interface GigabitEthernet1/0/2 stp disable # return

# sysname SwitchD # stp mode rstp stp instance 0 root secondary stp enable
Issue 01 (2011-10-26)
427

# return
Issue 01 (2011-10-26)
428
9 MSTP Configuration
9
About This Chapter
MSTP Configuration
The Multiple Spanning Tree Protocol (MSTP) trims a ring network into a loop-free tree network. It prevents replication and circular propagation of packets, provides multiple redundant paths for Virtual LAN (VLAN) data traffic, and enables load balancing. 9.1 MSTP Overview MSTP enables multiple VLANs to be grouped into a spanning-tree instance, forming a VLAN mapping table. Each instance has a spanning-tree topology independent of other spanning-tree instances. This architecture provides multiple forwarding paths for data traffic and enables load balancing. 9.2 Configuring Basic MSTP Functions MSTP based on the basic STP/RSTP function divides a switching network into multiple regions, each of which has multiple spanning trees that are independent of each other. MSTP isolates user traffic and service traffic, and load-balances VLAN traffic. 9.3 Configuring MSTP Multi-process After an MSTP device binds its ports to different processes, the MSTP device performs the MSTP calculation based on processes, and only relevant ports in each process take part in MSTP calculation. 9.4 Configuring MSTP Parameters on an Interface MSTP implements RSTP rapid convergence. To achieve rapid convergence, you need to configure proper MSTP parameters. 9.5 Configuring MSTP Protection Functions MSTP protection functions are as follows, and you can configure one or more functions as required. 9.6 Configuring MSTP Interoperability Between Huawei Devices and Non-Huawei Devices To enable Huawei devices to interwork with non-Huawei devices, configure proper parameters and functions, including the BPDU format, MSTP protocol packet format, and digest snooping function, on the Huawei devices running MSTP. 9.7 Maintaining MSTP MSTP maintenance includes resetting MSTP statistics. 9.8 Configuration Examples
This section provides a configuration example of MSTP.
Issue 01 (2011-10-26)
430
9.1 MSTP Overview

MSTP enables multiple VLANs to be grouped into a spanning-tree instance, forming a VLAN mapping table. Each instance has a spanning-tree topology independent of other spanning-tree instances. This architecture provides multiple forwarding paths for data traffic and enables load balancing.
9.1.1 MSTP Introduction

The Multiple Spanning Tree Protocol (MSTP) incorporates the functions of the Spanning Tree Protocol (STP) and Rapid Spanning Tree Protocol (RSTP), and outperforms them. It enables rapid convergence and provides load balancing across redundant paths.
Background
STP and RSTP are used in a LAN to prevent loops. The devices running STP/RSTP discover loops on the network by exchanging information with each other and trim the ring topology into a loop-free tree topology by blocking a certain interface. Replication and circular propagation of packets are thus prevented on the network and the processing performance of devices is improved by avoiding repeated packets on the network. STP and RSTP both have a defect: All VLANs on a LAN use one spanning tree, and thus interVLAN load balancing cannot be performed. Once a link is blocked, the link will no longer transmit traffic, wasting bandwidth and causing a failure in forwarding certain VLAN packets. To fix the defect of STP and RSTP, the IEEE released the 802.1s standard in 2002, defining MSTP. MSTP compatible with STP and RSTP implements rapid convergence and provides multiple paths to load balance VLAN traffic. Table 9-1 shows the comparison between STP, RSTP, and MSTP.
Issue 01 (2011-10-26)
431
Table 9-1 Comparison between STP, RSTP, and MSTP Spannin g Tree Protocol s STP Characteristics Application Scenarios Precautions
A loop-free tree is generated. Thus, broadcast storms are prevented and redundancy is implemented. l A loop-free tree is generated. Thus, broadcast storms are prevented and redundancy is implemented. l A feedback mechanism is provided to confirm topology convergence. Thus, rapid convergence is implemented.
Irrespective of different users or services, all VLANs share one spanning tree.
NOTE l If the current switching device supports only STP, STP is recommended. For details, see STP/ RSTP Configuration. l If the current switching device supports both STP and RSTP, RSTP is recommended. For details, see STP/ RSTP Configuration. l If the current switching device supports STP or RSTP, and MSTP, MSTP is recommended.
RSTP
MSTP
l A loop-free tree or some loop-free trees are generated. Thus, broadcast storms are prevented and redundancy is implemented. l A feedback mechanism is provided to confirm topology convergence. Thus, rapid convergence is implemented. l MSTP implements load balancing among VLANs. Traffic in different VLANs is transmitted along different paths.
User or service-specific load balancing is required. Traffic for different VLANs is forwarded through different spanning trees, which are independent of each other.
Introduction
On a complex network, loops are inevitable. With the requirement for network redundancy backup, network designers tend to deploy multiple physical links between two devices, one of
which is the master and the others are the backup. Loops are likely or bound to occur in such a situation. Loops will cause broadcast storms, thereby exhausting network resources and paralyzing the network. Loops also cause flapping of MAC address tables and thus damages MAC address entries. MSTP, compatible with STP and RSTP, isolates service traffic and user traffic by using multiple instances and provides multiple paths to load balance VLAN traffic. If MSTP is deployed in the LAN shown in Figure 9-1, MSTIs are generated, as shown in Figure 9-1. Figure 9-1 Multiple spanning trees in an MST region
SwitchA VLAN3 Host C (VLAN3) SwitchB VLAN2 Host B (VLAN2) VLAN2 VLAN2 VLAN3
SwitchD VLAN2
VLAN2 VLAN2 VLAN3 VLAN3
Host A (VLAN2) SwitchE
VLAN2 VLAN3 VLAN3 SwitchF VLAN3
Host D (VLAN3)
SwitchC
MSTI1 (root switch: SwitchD) MSTI2 (root switch: SwitchF)
VLAN2 --> MSTI1 VLAN3 --> MSTI2
l l
MSTI 1 uses Switch D as the root switching device to forward packets of VLAN 2. MSTI 2 uses Switch F as the root switching device to forward packets of VLAN 3.
Devices within the same VLAN can communicate with each other and packets of different VLANs are load-balanced along different paths.
Basic MSTP Concepts

l MST region An MST region contains multiple switching devices and network segments between them. The switching devices have the following characteristics: MSTP-enabled Same region name Same VLAN-to-instance mapping Same MSTP revision number
A LAN can comprise several MST regions that are directly or indirectly connected. Multiple switching devices can be grouped into an MST region by using MSTP configuration commands. As shown in Figure 9-2, the MST region D0 contains the switching devices S1, S2, S3, and S4, and has three MSTIs. Figure 9-2 MST region AP1 Master Bridge S1 MSTI2 root switch:S2 MSTI1 root switch:S3
D0
S2
S3
MSTI0 (IST) root switch:S1
S4
VLAN1 MSTI1 VLAN2,VLAN3 MSTI2 other VLANs MSTI0
VLAN mapping table The VLAN mapping table is an attribute of the MST region. It describes mappings between VLANs and MSTIs. Figure 9-2 shows the mappings in the VLAN mapping table of the MST region D0: VLAN 1 is mapped to MSTI 1. VLAN 2 and VLAN 3 are mapped to MSTI 2. Other VLANs are mapped to MSTI 0.
Regional root Regional roots are classified into Internal Spanning Tree (IST) and MSTI regional roots. In the region B0, C0, and D0 on the network shown in Figure 9-4, the switching devices closest to the Common and Internal Spanning Tree (CIST) root are IST regional roots. An MST region can contain multiple spanning trees, each called an MSTI. An MSTI regional root is the root of the MSTI. On the network shown in Figure 9-3, each MSTI has its own regional root.
Issue 01 (2011-10-26)
434
Figure 9-3 MSTI
VLAN 10&20&30
MST Region
VLA N 10& 20
VLAN 20&30 VLAN 10&30
VLAN
30
VLAN
VLAN 10
20
VLAN 10&30
Root
Root MSTI corresponding to VLAN 10 MSTI corresponding to VLAN 20 MSTI Root corresponding to VLAN 30
MSTI links MSTI links blocked by the protocol
MSTIs are independent of each other. An MSTI can correspond to one or more VLANs, but a VLAN can be mapped to only one MSTI. l CIST root
Issue 01 (2011-10-26)
435
Figure 9-4 MSTP network
A0 CIST Root
D0
Region Root
B0 Region Root
C0
Region Root
IST CST
On the network shown in Figure 9-4, the CIST root is the root bridge of a CIST. The CIST root is a device in A0. l CST A Common Spanning Tree (CST) connects all the MST regions on a switching network. Each MST region can be considered a node. A CST is calculated by using STP or RSTP based on all the nodes. As shown in Figure 9-4, the MST regions are connected to form a CST. l IST An IST resides within an MST region. An IST is a special MSTI with the MSTI ID of 0, called MSTI 0. An IST is a segment of the CIST in an MST region. As shown in Figure 9-4, the switching devices in an MST region are connected to form an IST. l CIST A CIST, calculated by using STP or RSTP, connects all the switching devices on a switching network. As shown in Figure 9-4, the ISTs and the CST form a complete spanning tree, that is, CIST. l SST A Single Spanning Tree (SST) is formed in either of the following situations:
A switching device running STP or RSTP belongs to only one spanning tree. An MST region has only one switching device. As shown in Figure 9-4, the switching device in B0 is an SST. l Port roles Compared with RSTP, MSTP has two additional port types. MSTP ports can be root ports, designated ports, alternate ports, backup ports, edge ports, master ports, and regional edge ports. The functions of root ports, designated ports, alternate ports, backup ports, and edge ports have been defined in RSTP. Table 9-2 lists all port roles in MSTP.
NOTE
Except edge ports, all ports participate in MSTP calculation. A port can play different roles in different MSTIs.
Table 9-2 Port roles Port Roles Root port Description A root port is the non-root bridge port closest to the root bridge. Root bridges do not have root ports. Root ports are responsible for sending data to root bridges. As shown in Figure 9-5, S1 is the root; CP1 is the root port on S3; BP1 is the root port on S2; DP1 is the root port on S4. Designat ed port The designated port on a switching device forwards bridge protocol data units (BPDUs) to the downstream switching device. As shown in Figure 9-5, AP2 and AP3 are designated ports on S1; BP2 is a designated port on S2; CP2 is a designated port on S3. Alternate port l From the perspective of sending BPDUs, an alternate port is blocked after a BPDU sent by another switching devices is received. l From the perspective of user traffic, an alternate port provides an alternate path to the root bridge. This path is different than using the root port. As shown in Figure 9-5, BP2 and AP4 are alternate ports. Backup port l From the perspective of sending BPDUs, a backup port is blocked after a BPDU sent by itself is received. l From the perspective of user traffic, a backup port provides a backup/ redundant path to a segment where a designated port already connects. As shown in Figure 9-5, CP3 is a backup port.
Issue 01 (2011-10-26)
437
Port Roles Master port
Description A master port is on the shortest path connecting MST regions to the CIST root. BPDUs of an MST region are sent to the CIST root through the master port. Master ports are special regional edge ports, functioning as root ports on ISTs or CISTs and master ports in instances. As shown in Figure 9-5, S1, S2, S3, and S4 form an MST region. AP1 on S1, being the nearest port in the region to the CIST root, is the master port.
Regional edge port
A regional edge port is located at the edge of an MST region and connects to another MST region or an SST. During MSTP calculation, the roles of a regional edge port in the MSTI and the CIST instance are the same. If the regional edge port is the master port in the CIST instance, it is the master port in all the MSTIs in the region. As shown in Figure 9-5, AP1, DP2, and DP3 in an MST region are directly connected to other regions, and therefore they are all regional edge ports of the MST region. As shown in Figure 9-5, AP1 is a regional edge port and also a master port in the CIST. Therefore, AP1 is the master port in every MSTI in the MST region.
Edge port
An edge port is located at the edge of an MST region and does not connect to any switching device. Generally, edge ports are directly connected to terminals. As shown in Figure 9-5, BP3 is an edge port.
Figure 9-5 Port roles
AP1 MST Region AP2
AP4 AP3
Root port Designated port Alternate port
S1 Root Bridge CP1 S3 CP2 CP3 BP1 S2 BP2
Backup port Regional edge port
BP3
Master port Edge port
DP1
S4
DP4
PC
DP2
DP3
Issue 01 (2011-10-26)
438
Port status Table 9-3 lists the MSTP port status, which is the same as the RSTP port status. Table 9-3 Port status Port Status Forwardi ng Learning Description A port in the Forwarding state can send and receive BPDUs as well as forward user traffic. This is a transition state. A port in the Learning state learns MAC addresses from user traffic to construct a MAC address table. In the Learning state, the port can send and receive BPDUs, but cannot forward user traffic. Discardi ng A port in the Discarding state can only receive BPDUs.
There is no necessary link between the port status and the port role. Table 9-4 lists the relationships between port roles and port status. Table 9-4 Relationships between port roles and port status Port Status Forwardi ng Learning Discardi ng Root Port/ Master Port Yes Yes Yes Designate d Port Yes Yes Yes Regional Edge Port Yes Yes Yes Alternate Port No No Yes Backup Port No No Yes
Yes: The port supports this status. No: The port does not support this status.
9.1.2 MSTP Features Supported by the S9300

Before configuring MSTP, familiarize yourself with the concepts of basic MSTP functions, topology convergence, MSTP protection, MSTP multi-process, and MSTP interoperability between Huawei devices and non-Huawei devices. This will help you complete the configuration task quickly and accurately. MSTP is used to block redundant links on the Layer 2 network and trim a network into a loopfree tree. In MSTP, multiple MSTIs can be created and VLANs are mapped into different instances to load-balance VLAN traffic. The basic configuration roadmap of MSTP is as follows:
1. 2. 3. 4.
In a ring network, divide regions and create different instances for regions. Select a switching device functioning as a root bridge from switching devices for each instance. In each instance, calculate the shortest paths from the other switching devices to the root bridge, and select a root port for each non-root switching device. In each instance, select a designated port for each connection according to port IDs.
According to current networking, master ports and backup ports may be involved. For details, see 9.1.1 MSTP Introduction. MSTP also supports the following features to meet requirements of special applications and extended functions: l l l Supports the Proposal/Agreement mechanism to implement rapid convergence. Supports protection functions as listed in Table 9-5. Supports MSTP multi-process in the scenario where MSTP and STP/RSTP are used together. MSTP multi-process implements independent spanning tree calculation for every access rings. Supports MSTP interoperability between Huawei devices and non-Huawei devices. Proper parameters are required on Huawei devices running MSTP to ensure nonstop communication.
Table 9-5 MSTP protection MSTP Protection BPDU protection Scenario An edge port changes to be a non-edge port after receiving a BPDU, which triggers spanning tree recalculation. If an attacker keeps sending bogus BPDUs to a switching device, network flapping occurs. Generally, after receiving TC BPDUs (packets for advertising network topology changes), a switching device needs to delete MAC entries and ARP entries. Frequent deletion operations will exhaust CPU resources. Configuration Impact After BPDU protection is enabled on the switching device, the switching device shuts down the edge port if the edge port receives an RST BPDU, and notifies the NMS of the shutdown event. The attributes of the edge port are not changed.
TC protection
TC protection is used to suppress TC-BPDUs. The number of times that TC-BPDUs are processed by a switching device within a given time period is configurable. If the number of TC-BPDUs that the switching device receives within the given time exceeds the specified threshold, the switching device handles TC-BPDUs only for the specified number of times. Excessive TC-BPDUs are processed by the switching device as a whole for once after the timeout period expires. This protects the switching device from frequently deleting MAC entries and ARP entries, thus avoiding over-burden.
Issue 01 (2011-10-26)
440
MSTP Protection Root protection
Scenario Due to incorrect configurations or malicious attacks on the network, a root bridge may receive BPDUs with a higher priority. Consequently, the legitimate root bridge is no longer able to serve as the root bridge, and the network topology is illegitimately changed, triggering spanning tree recalculation. This may transfer traffic from high-speed links to low-speed links, causing traffic congestion. A root port or an alternate port will age if link congestion or a one-way link failure occurs. After the root port ages, a switching device may re-select a root port incorrectly and after the alternate port ages, the port enters the Forwarding state. Loops may occur in such a situation. In the scenario where a switching device is dualhomed to a network, when the share link of multiple processes fails, loops may occur.
Configuration Impact To address this issue, the root protection function can be configured to protect the root bridge by preserving the role of the designated port. With this function, when the designated port receives RST BPDUs with a higher priority, the port enters the Discarding state and does not forward the BPDUs. If the port does not receive any RST BPDUs with a higher priority for a certain period (double the Forward Delay), the port transitions to the Forwarding state.
Loop protection
The loop protection function can be used to prevent such network loops. If the root port or alternate port cannot receive RST BPDUs from the upstream switching device, the root port is blocked and the switching device notifies the NMS that the port enters the Discarding state. The blocked port remains in the Blocked state and no longer forwards packets. This prevents loops on the network. The root port restores the Forwarding state after new RST BPDUs are received. Share-link protection can address such a problem. This function forcibly changes the working mode of the local switching device to RSTP. Share-link protection needs to be used together with root protection to avoid network loops.
Share-link protection
MSTP Multi-process
l Background As shown in Figure 9-6, SwitchA, SwitchB, and SwitchC are connected through Layer 2 links, and are all enabled with MSTP. The CEs on the rings support only STP/RSTP. Multiple access rings exist and these rings access the MST region by using different interfaces on SwitchA and SwitchB.
Issue 01 (2011-10-26)
441
Figure 9-6 Networking diagram of MSTP multi-process
SwitchC
PE1 CE Ring1 CE Instance1:VLAN2~100 Process 1
SwitchA
SwitchB
PE2 CE Ring3
Ring2
CE Instance3:VLAN201~300 Process 3
CE
CE
Instance2:VLAN101~200 Process 2
On the network shown in Figure 9-6, multiple Layer 2 rings, Ring 1, Ring 2, and Ring 3 exists. STP must be enabled on these rings to prevent loops. SwitchA and SwitchB are connected to multiple access rings and these rings are isolated from each other and do not need intercommunication. STP then will not calculate out one spanning tree for all these access rings. Instead, STP on each access ring calculates the trees independently. MSTP supports multiple spanning tree instances (MSTIs) only when all devices support MSTP and the devices are configured with the same MST region. In the networking, the CEs connected to switching devices, however, support only STP/RSTP. According to MSTP, switching devices consider that they are in different regions with CEs after receiving STP/RSTP messages sent from the CEs. Therefore, only one spanning tree is calculated for the ring formed by switching devices and CEs and the access rings are not independent of each other. In this case, MSTP multi-process can be used. Multiple MSTP processes can be configured on SwitchA and SwitchB. Each MSTP process has the same function and supports MSTIs. Each MSTP process corresponds to one access ring. After MSTP multi-process is enabled, each MSTP process can manage some interfaces on a device. That is, Layer 2 interfaces on the device are divided and managed by multiple MSTP processes. Each MSTP process runs the standard MSTP.
NOTE
CEs that support MSTP can also be configured with MSTP multi-process. After a device properly starts, there is a default MSTP process with the ID 0. MSTP configurations in the system view and interface view both belong to this process.
Share link As shown in Figure 9-6, the link between SwitchA and SwitchB is a Layer 2 link running MSTP. The share link between SwitchA and SwitchB is different from the links connecting
Issue 01 (2011-10-26)
switching devices to CEs. The ports on the share link need to participate in the calculation for multiple access rings and MSTP processes. This allows SwitchA and SwitchB to identify from which MST BPDUs are sent. In addition, a port on the share link participates in the calculation for multiple MSTP processes, and obtains different status. As a result, the port cannot determine its status. To prevent this situation, it is defined that a port on a share link always adopts its status in MSTP process 0 when participating in the calculation for multiple MSTP processes.
NOTE
The S9300 does not support the Per-VLAN Spanning Tree (PVST) protocol and cannot process PVST packets. You can configure the S9300 to transparently transmit PVST packets. For details, see 11 Layer 2 Protocol Transparent Transmission Configuration.
9.2 Configuring Basic MSTP Functions

MSTP based on the basic STP/RSTP function divides a switching network into multiple regions, each of which has multiple spanning trees that are independent of each other. MSTP isolates user traffic and service traffic, and load-balances VLAN traffic. MSTP is commonly configured on a switching device to trim a ring network to a loop-free network. MSTP configurations on the switching device involve MSTP working mode configuration and MST region configuration and activation. If you need to interfere in the spanning tree calculation, the following methods are available: l Setting a priority for a switching device in an MSTI: The lower the numerical value, the higher the priority of the switching device and the more likely the switching device becomes a root bridge; the higher the numerical value, the lower the priority of the switching device and the less likely that the switching device becomes a root bridge. Setting a path cost for a port in an MSTI: With the same calculation method, the lower the numerical value, the smaller the cost of the path from the port to the root bridge and the more likely the port becomes a root port; the higher the numerical value, the larger the cost of the path from the port to the root bridge and the less likely that the port becomes a root port. Setting a priority for a port in an MSTI: The lower the numerical value, the more likely the port becomes a designated port; the higher the numerical value, the less likely that the port becomes a designated port.

Before configuring basic MSTP functions, familiarize yourself with the applicable environment, complete the pre-configuration tasks, and obtain the required data. This will help you complete the configuration task quickly and accurately.
On a complex network, loops are inevitable. With the requirement for network redundancy backup, network designers tend to deploy multiple physical links between two devices, one of which is the master and the others are the backup. Loops are likely or bound to occur in such a situation. Loops will cause broadcast storms, thereby exhausting network resources and paralyzing the network. Loops also cause flapping of MAC address tables and thus damages MAC address entries.
MSTP can be deployed on a network to eliminate loops. If a loop is detected, MSTP blocks one or more ports to eliminate the loop. In addition, MSTIs can be configured to load-balance VLAN traffic. As shown in Figure 9-7, Switches A, B, C, and D all support MSTP. It is required to create MSTI 1 and MSTI 2, configure a root bridge for each MSTI, and set the ports to be blocked to load-balance traffic of VLANs 1 to 10 and VLANs 11 to 20 among different paths. Figure 9-7 Networking diagram of configuring basic MSTP functions
Network
MST Region SwitchA SwitchB
SwitchC
SwitchD
PC1
PC2 VLAN1~10 VLAN11~20 MSTI1 MSTI2
MSTI1:
Root Switch:SwitchA Blocked port MSTI2:
Root Switch:SwitchB Blocked port
Issue 01 (2011-10-26)
444

NOTE
If the current device supports MSTP, configuring MSTP is recommended.
Before configuring basic MSTP functions, complete the following task: l l Connecting interfaces and setting physical parameters for the interfaces to ensure that the physical status of the interfaces is Up Configuring VLAN features of the ports
NOTE
After a hybrid interface is added to the default VLAN in tagged mode, SEP packets sent by the interface contain VLAN tags. In this case, configure the peer interface to allow packets of the default VLAN to pass.
Data Preparation
To configure basic MSTP functions, you need the following data. No. 1 2 3 4 5 6 Data MSTP working mode MST region name, VLAN-to-instance mapping, and MSTP revision number (Optional) ID of an MSTI (Optional) Priority of a switching device in an MSTI (Optional) Priority of a port in an MSTI (Optional) Path cost of a port in an MSTI
9.2.2 Configuring the MSTP Mode

Before configuring basic MSTP functions, you need to configure the working mode of a switching device to MSTP. MSTP is compatible with STP and RSTP.
Procedure
Step 1 Run:
system-view

stp mode mstp
The working mode of the switching device is configured as MSTP. By default, the working mode is MSTP. STP and MSTP cannot recognize packets of each other but MSTP and RSTP can. If a switching device is configured to work in MSTP mode and is connected to some switching devices running STP, the switching device automatically transits the working mode of the interfaces connected
to the switching devices running STP to STP and other interfaces still run MSTP. This enables devices running different spanning tree protocols to interwork with each other. ----End
9.2.3 Configuring and Activating an MST Region

MSTP divides a switching network into multiple MST regions. After an MST region name, VLAN-to-instance mappings, and an MSTP revision number are configured, activating the MST region is necessary. After this step is done, MST region configuration is complete.
Context
An MST region contains multiple switching devices and network segments between them. These switching devices are directly connected and have the same region name, same VLAN-toinstance mapping, same configuration revision number after MSTP is enabled. One switching network can have multiple MST regions and multiple switching devices can be grouped into one MST region by using MSTP configuration commands.
CAUTION
Two switching devices belong to the same MST region when they have the same: l l l Name of the MST region Mapping between VLANs and MSTIs Revision level of the MST region
Do as follows on a switching device that needs to join an MST region:
Procedure
Step 1 Run:
system-view

stp region-configuration
The MST region view is displayed. Step 3 Run:

region-name name
The name of an MST region is configured. By default, the MST region name is the MAC address of the management network interface on the MPU of the switching device. Step 4 Perform either of the following steps to configure VLAN-to-instance mappings. l Run the instance instance-id vlan { vlan-id [ to vlan-id ] }&<1-10> command to configure VLAN-to-instance mappings.
l Run the vlan-mapping modulo modulo command to enable VLAN-to-instance mapping assignment based on a default algorithm. By default, all VLANs in an MST region are mapped to MSTI 0.
NOTE
l The instance instance-id vlan { vlan-id [ to vlan-id ] }&<1-10> command is recommended because VLAN-to-instance mapping assignments cannot meet actual mapping requirements. l In the command, vlan-mapping modulo indicates that the formula (VLAN ID-1)%modulo+1 is used. In the formula, (VLAN ID-1)%modulo means the remainder of (VLAN ID-1) divided by the value of modulo. This formula is used to map a VLAN to the corresponding MSTI. The calculation result of the formula is ID of the mapping MSTI.

revision-level level
The MSTP revision number is set. By default, the MSTP revision number is 0. If the revision number of the MST region is not 0, this step is necessary.
NOTE
The change of related MST region configurations (especially change of the VLAN mapping table) causes the recalculation of spanning trees and the route flapping in a network. Therefore, after an MST region name, VLAN-to-instance mappings, and an MSTP revision number is configured, activating the MST region is necessary. You can run the check region-configuration command in the MST region view to check whether region configurations are correct. After confirming that region configurations are correct, run the active region-configuration command to activate MST region configurations.
Step 6 Run:
active region-configuration
MST region configurations are activated so that the configured region name, VLAN-to-instance mappings, and revision number can take effect. If this step is not done, the preceding configurations cannot take effect. If you have changed MST region configurations on the switching device after MSTP starts, run the active region-configuration command to activate the MST region so that the changed configurations can take effect. ----End
9.2.4 (Optional) Setting a Priority for a Switching Device in an MSTI

The lower the numerical value is, the higher priority a switching device has and the more likely the switching device will be selected as a root bridge.
Context
In an MSTI, there is only one root bridge and it is the logic center of the MSTI. In root bridge selection, the switching device with high performance and network hierarchy is generally selected as a root bridge; however, the priority of such a device may be not that high. Thus setting a high priority for the switching device is necessary so that the device can function as a root bridge. Other devices with low performance and network hierarchy are not fit to be a root bridge. Therefore, set low priorities for these devices.
CAUTION
If an S9300 is configured as the root switch or secondary root switch, the priority of the S9300 cannot be set. If you want to set the priority of the S9300, you must disable the root switch or secondary root switch.
Procedure
Step 1 Run:
system-view

stp [ instance instance-id ] priority priority
A priority is set for the switching device in an MSTI. The default priority value of the switching device is 32768. If the instance is not designated, a priority is set for the switching device in MSTI0.
NOTE
l To configure a switching device as a primary root bridge, you can run the stp [ instance instance-id ] root primary command directly. The priority value of this switching device is 0. l To configure a switching device as a secondary root bridge, run the stp [ instance instance-id ] root secondary command. The priority value of this switching device is 4096. In an MSTI, a switching device cannot act as a primary root bridge and a secondary root bridge at the same time.
----End
9.2.5 (Optional) Setting a Path Cost of a Port in an MSTI

The MSTP path cost determines root port selection in an MSTI. The port with the lowest path cost to the root bridge is selected as a root port.
Context
A path cost is port-specific, which is used by MSTP as a reference to select a link. Path costs of a port are an important basis for calculating spanning trees. If you set different path costs for a port in different MSTIs, you can make VLAN traffic be transmitted along different physical links and thus carry out VLAN load balancing. On a network where loops occur, you are recommended to set a relatively large path cost for the port at a low link rate. MSTP puts the port with the large path cost in the Blocking state and blocks the link where this port resides.
Procedure
Step 1 Run:
system-view
Issue 01 (2011-10-26)
448

stp pathcost-standard { dot1d-1998 | dot1t | legacy }
A path cost calculation method is configured. By default, the IEEE 802.1t standard method is used to calculate the default path cost. All switching devices on a network must use the same path cost calculation method. Step 3 Run:

stp instance instance-id cost cost
A path cost is set for the port in the current MSTI. l When the Huawei proprietory calculation method is used, cost ranges from 1 to 200000. l When the IEEE 802.1d standard method is used, cost ranges from 1 to 65535. l When the IEEE 802.1t standard method is used, cost ranges from 1 to 200000000. ----End
9.2.6 (Optional) Setting a Port Priority in an MSTI

The lower the numerical value, the more likely the port on a switching device becomes a designated port; the higher the numerical value, the more likely the port is to be blocked.
Context
In spanning tree calculation, priorities of ports on switching devices in MSTIs determine designated port selection. If you expect to block a port on a switching device in an MSTI to eliminate loops, set the port priority value to be larger than the default value. This port will be blocked in designated port selection.
Procedure
Step 1 Run:
system-view


stp instance instance-id port priority priority
A port priority is set in an MSTI. By default, the port priority is 128.

The value range of the priority is from 0 to 240, with the step 16. That is, the port priority can be 0, 16, or 32. ----End
9.2.7 Enabling MSTP

After basic MSTP functions are configured on a switching device, enabling the MSTP function is required so that MSTP can work properly.
Context
After MSTP is enabled on a ring network, MSTP immediately calculates spanning trees on the network. Configurations on the switching device, such as, the switching device priority and port priority, will affect spanning tree calculation. Any change of the configurations may cause network flapping. Therefore, to ensure rapid and stable spanning tree calculation, perform basic configurations on the switching device and its ports and enable MSTP.
Procedure
Step 1 Run:
system-view

stp enable
MSTP is enabled on the switching device. By default, the MSTP function is disabled on a S9300. ----End

After basic MSTP functions are configured, verify that the configurations take effect.
Prerequisite
All configurations of basic MSTP functions are complete.
Procedure
l l l Run the display stp [ instance instance-id ][ interface { interface-type interfacenumber } ] [ brief ] command to view spanning-tree status and statistics. Run the display stp region-configuration command to view configurations of activated MST regions. Run the display stp region-configuration [ digest ] command to view the digest configurations of activated MST regions.
----End
9.3 Configuring MSTP Multi-process

After an MSTP device binds its ports to different processes, the MSTP device performs the MSTP calculation based on processes, and only relevant ports in each process take part in MSTP calculation.

Before configuring MSTP multi-process, familiarize yourself with the applicable environment, complete the pre-configuration tasks, and obtain the required data. This will help you complete the configuration task quickly and accurately.
On the networking with both Layer 2 single-access rings and multi-access rings deployed, switching devices bear both Layer 2 and Layer 3 services. To enable different rings to bear different services, deploy MSTP multi-process. Spanning trees of different processes are calculated independently and do not affect each other. As shown in Figure 9-8, Switches A, B, and C are connected through Layer 2 links, and are all enabled with MSTP. The CEs on the on rings support only STP/RSTP. Multiple access rings exist and these rings access the MSTP region through different interfaces on Switches A and B. Figure 9-8 Networking diagram of MSTP multi-process
SwitchC
PE1 CE Ring1 CE Instance1:VLAN2~100 Process 1
SwitchA
SwitchB
PE2 CE Ring3
Ring2
CE Instance3:VLAN201~300 Process 3
CE
CE
Issue 01 (2011-10-26)
451
Before configuring MSTP multi-process, complete the following task: l Configuring basic MSTP functions
Data Preparation
To configure MSTP multi-process, you need the following data. No. 1 2 Data IDs of MSTP processes Priority of a switching device in an MSTI
9.3.2 Creating an MSTP Process

A process ID uniquely identifies an MSTP multi-process. After an MSTP device binds its ports to different processes, the MSTP device performs the MSTP calculation based on processes, and only relevant ports in each process take part in MSTP calculation.
Context
Do as follows on the devices connected to access rings:
Procedure
Step 1 Run:
system-view

stp process process-id
An MSTP process is created and the MSTP process view is displayed. Step 3 Run:
stp mode mstp
A working mode is configured for the MSTP process. The default mode is MSTP.
NOTE
l After a device starts, there is a default MSTP process with the ID 0. MSTP configurations in the system view and interface view belong to this process. The default working mode of this process is MSTP. l To add an interface to an MSTP process with the ID of non-zero, run the stp process command and then the stp binding process command.
----End
9.3.3 Adding an Interface to an MSTP Process - Access Links

The links connecting MSTP devices and access rings are called access links. After being added to MSTP processes, interfaces on the access links can participate in MSTP calculation.
Context
Procedure
Step 1 Run:
system-view


stp binding process process-id
The current interface is added to the MSTP process.

NOTE
If the interface added to the MSTP process has sub-interfaces configured with features other than MSTP such as VPLS, run the stp vpls-subinterface enable command on the main interface. The main interface can then notify its sub-interfaces to update MAC entries and ARP entries after receiving a TC-BPDU. This prevents services from being interrupted. In addition, root protection needs to be configured on the main interface.
----End
9.3.4 Adding an Interface to an MSTP Process - Share Link

The link shared by multiple access rings are called a share link. The interfaces on the share link need to participate in MSTP calculation in multiple access rings in different MSTP processes. After being added to MSTP processes, interfaces on the access links can participate in MSTP calculation.
Context
Procedure
Step 1 Run:
system-view

The Ethernet interface view is displayed.

The interface specified in this command must be an interface on the share link between the devices configured with MSTP multi-process but not the interfaces that connect an access ring and a device. Step 3 Run:
stp binding process process-id [ to process-id ] link-share
The interface is added to multiple MSTP processes to complete MSTP calculation.

NOTE
For a process with share links, you must run the stp enable command globally. For an interface that is added to the process in link-share mode, you must run the stp enable command in the interface view.
----End
9.3.5 Configuring Priorities and Root Protection in MSTP Multiprocess

You can configure priorities and root protection in MSTP multi-process to protect links over access rings.
Context
To prevent loops over the access ring after the share links fails, configure priorities and root protection in MSTP multi-process. Root protection is configured on the access interface of a device with second highest priority. l l For detailed configuration of priorities in MSTP multi-process, see 9.2.4 (Optional) Setting a Priority for a Switching Device in an MSTI. For detailed configuration of root protection in MSTP multi-process, see 9.5.4 Configuring Root Protection on an Interface.
NOTE
The MSTP priority of a downstream device must be lower than that of a UPE.
9.3.6 Configuring TC Notification in MSTP Multi-process

After the TC notification function is configured for MSTP multi-process, the current MSTP process can notify the MSTIs in other specified MSTP processes to refresh MAC address entries and ARP entries after receiving a TC-BPDU. Nonstop services are ensured.
Context
Procedure
Step 1 Run:
system-view

Issue 01 (2011-10-26)
454
The view of the created MSTP process is displayed. Step 3 Run:

stp tc-notify process 0
TC notification is enabled in the MSTP process. After the stp tc-notify process 0 command is run, the current MSTP process notifies the MSTIs in MSTP process 0 to update MAC entries and ARP entries after receiving a TC-BPDU. This prevents services from being interrupted. ----End

After MSTP multi-process is configured, check whether the configurations take effect.
Prerequisite
All configurations of MSTP multi-process are complete.
Procedure
Step 1 Run the display stp [ process process-id ] [ instance instance-id ] [ interface interface-type interface-number | slot slot-id ] [ brief ] command to view spanning-tree status and statistics. ----End
9.4 Configuring MSTP Parameters on an Interface

MSTP implements RSTP rapid convergence. To achieve rapid convergence, you need to configure proper MSTP parameters.

Before configuring basic MSTP parameters, familiarize yourself with the applicable environment, complete the pre-configuration tasks, and obtain the required data. This will help you complete the configuration task quickly and accurately.
In some specific networks, MSTP parameters will affect the speed of network convergence. Configuring proper MSTP parameters is required.
NOTE
The default parameters also can be used to complete MSTP rapid convergence. Therefore, the configuration procedures and steps in this command task are all optional.
Before configuring MSTP parameters, complete the following task: l
Issue 01 (2011-10-26)
Configuring basic MSTP functions

Data Preparation
To configure MSTP parameters, you need the following data. No. 1 2 3 4 5 6 7 8 9 10 11 Data Network diameter Hello time, forwarding delay time, maximum aging time, and timeout period for waiting for BPDUs from the upstream (3 x hello time x time factor) Maximum hop count in an MST region Link type of a port Whether to Rapid transition mechanism Whether to transition to the RSTP mode Maximum number of sent BPDUs Whether a port needs to be configured as an edge port Whether auto recovery needs to be configured for an edge port being shut down Whether a port needs to clear statistics of the spanning tree Whether an edge port needs to be configured as a BPDU filter
9.4.2 Configuring System Parameters

MSTP parameters that may affect network convergence include the network diameter, hello time, and timeout period for waiting for BPDUs from the upstream (3 x hello time x time factor). Configure proper MSTP parameters to implement rapid network convergence.
Procedure
Step 1 Run:
system-view
The system view is displayed. Step 2 (Optional) Run:

The MSTP process view is displayed.

NOTE
This step is needed only when you perform configurations in an MSTP process with a non-zero ID. If you perform configurations in the MSTP process 0, skip is step.
Step 3 Run:
stp bridge-diameter diameter
The network diameter is configured. By default, the network diameter is 7.

l RSTP uses a single spanning tree instance on the entire network, which cannot prevent the performance from deteriorating when the network scale grows. Therefore, the network diameter cannot be larger than 7. l It is recommended that you run the stp bridge-diameter diameter command to set the network diameter. Then, the switching device calculates the optimal Forward Delay period, Hello time, and Max Age period based on the set network diameter. Step 4 Run:
stp timer-factor factor
The timeout period for waiting for BPDUs from the upstream of a switching device is set. By default, the timeout period of a switching device is 9 times as long as the Hello time. Step 5 (Optional) To set the Forward Delay period, Hello time, and Max Age period, perform the following operations: l Run the stp timer forward-delay forward-delay command to set the Forward Delay period for a switching device. The default Forward Delay period of a switching device is 1500, in centiseconds. l Run the stp timer hello hello-time command to set the Hello time for a switching device. The default Hello time of a switching device is 200, in centiseconds. l Run the stp timer max-age max-age command to set the Max Age period for a switching device. The default Max Age period of a switching device is 2000, in centiseconds.
NOTE
The values of the Hello time, Forward Delay period, and Max Age period must comply with the following formulas. Otherwise, networking flapping occurs. l 2 (Forward Delay - 1.0 second) >= Max Age l Max Age >= 2 (Hello Time + 1.0 second)
Step 6 Run:
stp max-hops hop
The maximum hop count is set for the MST region. By default, the maximum hop count of the MST region is 20. Step 7 Run:
stp mcheck
MCheck is enabled. On a switching device running MSTP, if an interface is connected to a device running STP, the interface automatically transitions to the STP mode. Enabling MCheck on the interface is required because the interface may fail to automatically transition to the MSTP mode in the following situations: l The switching device running STP is shut down or moved. l The switching device running STP transitions to the MSTP mode.
Issue 01 (2011-10-26)
457

NOTE
If you run the stp mcheck command in the system view, the MCheck operation is performed on all the interfaces.
----End
9.4.3 Configuring Port Parameters

Port parameters that may affect MSTP topology convergence include the link type and maximum number of sent BPDUs. Configure proper port parameters to implement rapid topology convergence.
Procedure
Step 1 Run:
system-view


stp point-to-point { auto | force-false | force-true }
The link type is configured for a port. By default, a port automatically determines whether to connect to a P2P link. The P2P link supports rapid network convergence. l If the Ethernet port works in full-duplex mode, the port is connected to a P2P link. In this case, force-true can be configured to implement rapid network convergence. l If the Ethernet port works in half-duplex mode, you can configure stp point-to-point forcetrue to forcibly set the link type to P2P to implement rapid network convergence. Step 4 Run:
stp mcheck
MCheck is enabled. On a switching device running MSTP, if an interface is connected to a device running STP, the interface automatically transitions to the STP mode. Enabling MCheck on the interface is required because the interface may fail to automatically transition to the MSTP mode in the following situations: l The switching device running STP is shut down or moved. l The switching device running STP transitions to the MSTP mode. Step 5 Run:
stp transmit-limit packet-number
The maximum number of BPDUs sent by a port within each Hello time is set. By default, the maximum number of BPDUs that a port sends within each Hello time is 147.

stp edged-port enable
The port is configured as an edge port. If a device port is connected to a terminal, you can run this command to configure the port as an edge port. By default, the port is a non-edge port. Step 7 Run:
quit
Return to the system view. Step 8 (Optional) Run:

error-down auto-recovery cause cause-item interval interval-value
The auto recovery function on an edge port is configured. That is, enable the port in the errordown state to automatically go Up, and set the delay for the transition from Down to Up. There is no default value for the recovery time. Therefore, you must specify a delay when configuring this command. ----End
Follow-up Procedure
When the topology of a spanning tree changes, the forwarding paths to associated VLANs are changed. Then, ARP entries corresponding to those VLANs on the switching device need to be updated. MSTP processes ARP entries in either fast or normal mode. l l In fast mode, ARP entries to be updated are directly deleted. In normal mode, ARP entries to be updated are rapidly aged. The remaining lifetime of ARP entries to be updated is set to 0. The switching device rapidly processes these aged entries. If the number of ARP aging probe attempts is not set to 0, ARP implements aging probe for these ARP entries. In either fast or normal mode, MAC entries are directly deleted. You can run the stp converge { fast | normal } command in the system view to configure the MSTP convergence mode. By default, the MSTP convergence is configured as normal.
NOTE
The normal mode is recommended. If the fast mode is adopted, ARP entries will be frequently deleted, causing the CPU usage on the MPU or LPU to reach 100%. As a result, network flapping frequently occurs.

After MSTP parameters are configured, check whether the configurations take effect.
Prerequisite
The configurations of MSTP parameters are complete.
Procedure
l Run the display stp [ instance instance-id ] [ interface { interface-type interfacenumber } ] [ brief ] command to view spanning-tree status and statistics.
----End
9.5 Configuring MSTP Protection Functions

MSTP protection functions are as follows, and you can configure one or more functions as required.

Before configuring MSTP protection functions, familiarize yourself with the applicable environment, complete the pre-configuration tasks, and obtain the required data. This will help you complete the configuration task quickly and accurately.
MSTP provides the following protection functions, as listed in Table 9-6. Table 9-6 MSTP protection MSTP Protection BPDU protection Scenario An edge port changes to be a non-edge port after receiving a BPDU, which triggers spanning tree recalculation. If an attacker keeps sending bogus BPDUs to a switching device, network flapping occurs. Generally, after receiving TC BPDUs (packets for advertising network topology changes), a switching device needs to delete MAC entries and ARP entries. Frequent deletion operations will exhaust CPU resources. Configuration Impact After BPDU protection is enabled on the switching device, the switching device shuts down the edge port if the edge port receives an RST BPDU, and notifies the NMS of the shutdown event. The attributes of the edge port are not changed.
TC protection
TC protection is used to suppress TC-BPDUs. The number of times that TC-BPDUs are processed by a switching device within a given time period is configurable. If the number of TC-BPDUs that the switching device receives within the given time exceeds the specified threshold, the switching device handles TC-BPDUs only for the specified number of times. Excessive TC-BPDUs are processed by the switching device as a whole for once after the timeout period expires. This protects the switching device from frequently deleting MAC entries and ARP entries, thus avoiding over-burden.
Issue 01 (2011-10-26)
460
MSTP Protection Root protection
Scenario Due to incorrect configurations or malicious attacks on the network, a root bridge may receive BPDUs with a higher priority. Consequently, the legitimate root bridge is no longer able to serve as the root bridge, and the network topology is illegitimately changed, triggering spanning tree recalculation. This may transfer traffic from high-speed links to low-speed links, causing traffic congestion. A root port or an alternate port will age if link congestion or a one-way link failure occurs. After the root port ages, a switching device may re-select a root port incorrectly and after the alternate port ages, the port enters the Forwarding state. Loops may occur in such a situation. In the scenario where a switching device is dualhomed to a network, when the share link of multiple processes fails, loops may occur.
Configuration Impact To address this issue, the root protection function can be configured to protect the root bridge by preserving the role of the designated port. With this function, when the designated port receives RST BPDUs with a higher priority, the port enters the Discarding state and does not forward the BPDUs. If the port does not receive any RST BPDUs with a higher priority for a certain period (double the Forward Delay), the port transitions to the Forwarding state.
Loop protection
The loop protection function can be used to prevent such network loops. If the root port or alternate port cannot receive RST BPDUs from the upstream switching device, the root port is blocked and the switching device notifies the NMS that the port enters the Discarding state. The blocked port remains in the Blocked state and no longer forwards packets. This prevents loops on the network. The root port restores the Forwarding state after new RST BPDUs are received. Share-link protection can address such a problem. This function forcibly changes the working mode of the local switching device to RSTP. Share-link protection needs to be used together with root protection to avoid network loops.
Share-link protection
NOTE
l After a device normally starts, there is a default MSTP process with the ID 0. MSTP configurations in the system view and interface view both belong to this process. l For more information about MSTP multi-process configuration, see 9.3 Configuring MSTP Multiprocess.
Before configuring MSTP protection functions on a switching device, complete the following task: l
Issue 01 (2011-10-26)


NOTE
Configuring an edge port on the switching device before configuring BPDU protection.
Data Preparation
To configure MSTP protection functions on a switching device, you need the following data. No. 1 2 Data Number of the port on which root protection is to be enabled Number of the port on which loop protection is to be enabled
9.5.2 Configuring BPDU Protection on a Switching Device

After BPDU protection is enabled on a switching device, the switching device shuts down an edge port if the edge port receives a BPDU, and notifies the NMS of the shutdown event.
Context
Edge ports are directly connected to user terminals and normally, the edge ports will not receive BPDUs. Some attackers may send pseudo BPDUs to attach the switching device. If the edge ports receive the BPDUs, the switching device automatically sets the edge ports as non-edge ports and triggers new spanning tree calculation. Network flapping then occurs. BPDU protection can be used to protect switching devices against network attacks.
NOTE
Do as follows on a switching device having an edge port:
Procedure
Step 1 Run:
system-view

stp bpdu-protection
BPDU protection is enabled on the switching device. By default, BPDU protection is not enabled on the switching device. ----End
9.5.3 Configuring TC Protection on a Switching Device

After TC protection is enabled, you can set the number of times for an MSTP process to process TC-BPDUs within a given time. TC protection avoids frequent deletion of MAC address entries and ARP entries, thereby protecting switching devices.
Context
An attacker may send pseudo TC-BPDUs to attack switching devices. Switching devices receive a large number of TC BPDUs in a short time and delete entries frequently, which burdens system processing and degrades network stability. TC protection is used to suppress TC-BPDUs. The number of times that TC-BPDUs are processed by a switching device within a given time period is configurable. If the number of TC-BPDUs that the switching device receives within a given time exceeds the specified threshold, the switching device handles TC-BPDUs only for the specified number of times. Excessive TC-BPDUs are processed by the switching device as a whole for once after the timer (that is, the specified time period) expires. This protects the switching device from frequently deleting MAC entries and ARP entries, thus avoiding over-burdened.
Procedure
Step 1 Run:
system-view
The system view is displayed. Step 2 (Optional) Run:

The MSTP process view is displayed.

NOTE
This step is needed only when you perform configurations in an MSTP process with a non-zero ID. If you perform configurations in the MSTP process 0, skip is step.
Step 3 Run:
stp tc-protection
TC protection is enabled for the MSTP process. By default, TC protection is enabled on the switching device. Step 4 Run:
stp tc-protection threshold threshold
The threshold of the number of times the MSTP process handles the received TC-BPDUs and updates forwarding entries within a given time is set.
NOTE
The value of the given time is consistent with the MSTP Hello time set by using the stp timer hello hellotime command.
----End
9.5.4 Configuring Root Protection on an Interface

The root protection function on a switching device protects a root bridge by preserving the role of a designated port.
Context
Due to incorrect configurations or malicious attacks on the network, a root bridge may receive BPDUs with a higher priority. Consequently, the legitimate root bridge is no longer able to serve
as the root bridge, and the network topology is illegitimately changed, triggering spanning tree recalculation. This also may cause the traffic that should be transmitted over high-speed links to be transmitted over low-speed links, leading to network congestion. The root protection function on a switching device is used to protect the root bridge by preserving the role of the designated port.
NOTE
Root protection is configured on a designated port. It takes effect only when being configured on the port that functions as a designated port on all MSTIs. If root protection is configured on other types of ports, it does not take effect.
Do as follows on a root bridge in an MST region:
Procedure
Step 1 Run:
system-view


The port is bound to an MSTP process.

NOTE
This step is performed only when the interface needs to be bound to an MSTP process with a non-zero ID. If the interface belongs to process 0, skip this step.
Step 4 Run:
stp root-protection
Root protection is configured on the switching device. By default, root protection is disabled. ----End
9.5.5 Configuring Loop Protection on an Interface

The loop protection function suppresses the loops caused by link congestion.
Context
On a network running MSTP, a switching device maintains the root port status and status of blocked ports by receiving BPDUs from an upstream switching device. If the switching device cannot receive BPDUs from the upstream because of link congestion or unidirectional-link failure, the switching device re-selects a root port. The original root port becomes a designated port and the original blocked ports change to the Forwarding state. This may cause network loops. To address such a problem, configure loop protection. After loop protection is configured, if the root port or alternate port does not receive BPDUs from the upstream switching device, the root port is blocked and the switching device notifies
the NMS that the port enters the Discarding state. The blocked port remains in the Blocked state and no longer forwards packets. This prevents loops on the network. The root port restores the Forwarding state after receiving new BPDUs.
NOTE
An alternate port is a backup port of a root port. If a switching device has an alternate port, you need to configure loop protection on both the root port and the alternate port.
Do as follows on a root port and an alternate port on a switching device in an MST region:
Procedure
Step 1 Run:
system-view


The port is bound to an MSTP process.

NOTE
This step is performed only when the interface needs to be bound to an MSTP process with a non-zero ID. If the interface belongs to process 0, skip this step.
Step 4 Run:
stp loop-protection
Loop protection for the root port is configured on the switching device. By default, loop protection is disabled. ----End
9.5.6 Configuring Share-Link Protection on a Switching Device

The share-link protection function on a switching device helps automatically transition to the RSTP working mode. It can also be used together with root protection to avoid network loops.
Context
Share-link protection is used in the scenario where a switching device is dual homed to a network. When a share link fails, share-link protection forcibly changes the working mode of a local switching device to RSTP. This function can also be used together with root protection to avoid network loops.
Procedure
Step 1 Run:
system-view
Issue 01 (2011-10-26)
465

The MSTP process view is displayed. Step 3 Run:

stp link-share-protection
Share-link protection is enabled. ----End

After MSTP protection functions are configured, check whether the configurations take effect.
Prerequisite
All configurations of MSTP protection functions are complete.
Procedure
----End
9.6 Configuring MSTP Interoperability Between Huawei Devices and Non-Huawei Devices
To enable Huawei devices to interwork with non-Huawei devices, configure proper parameters and functions, including the BPDU format, MSTP protocol packet format, and digest snooping function, on the Huawei devices running MSTP.

Before configuring MSTP interoperability between Huawei devices and non-Huawei devices, familiarize yourself with the applicable environment, complete the pre-configuration tasks, and obtain the data required for the configuration. This will help you complete the configuration task quickly and accurately.
On an MSTP network, inconsistent protocol packet formats and BPDU keys may lead to a communication failure. Configuring proper MSTP parameters on Huawei devices ensures interoperability between Huawei devices and non-Huawei devices.
Before configuring MSTP interoperability between Huawei devices and non-Huawei devices, complete the following task:
Data Preparation
To configure MSTP interoperability between Huawei devices and non-Huawei devices, you need the following data. No. 1 2 Data BPDU format MSTP protocol packet format
9.6.2 Configuring a Proposal/Agreement Mechanism

To enable Huawei Datacom devices to communicate with non-Huawei devices, configure a proper rapid transition mechanism on Huawei devices according to the Proposal/Agreement mechanism on non-Huawei devices.
Context
The rapid transition mechanism is also called the Proposal/Agreement mechanism. Switching devices currently support the following modes: l Enhanced mode: The current interface counts a root port when it computes the synchronization flag bit. An upstream device sends a Proposal message to a downstream device, requesting rapid status transition. After receiving the message, the downstream device sets the port connected to the upstream device as a root port and blocks all non-edge ports. The upstream device then sends an Agreement message to the downstream device. After the downstream device receives the message, the root port transitions to the Forwarding state. The downstream device then responds to the Proposal message with an Agreement message. After receiving the message, the upstream device sets the port connected to the downstream device as a designated port, and the designated port transitions to the Forwarding state. l Common mode: The current interface ignores the root port when it computes the synchronization flag bit. An upstream device sends a Proposal message to a downstream device, requesting rapid status transition. After receiving the message, the downstream device sets the port connected to the upstream device as a root port and blocks all non-edge ports. The root port then transitions to the Forwarding state. The downstream device responds to the Proposal message with an Agreement message. After receiving the message, the upstream device sets the port connected to the downstream device as a designated port. The designated port then transitions to the Forwarding state. When Huawei Datacom devices are interworking with non-Huawei devices, select either mode depending on the Proposal/Agreement mechanism on non-Huawei devices.
Procedure
Step 1 Run:
system-view


The interface is bound to an MSTP process.

NOTE
This step binds an interface to an MSTP process with a non-zero ID. If the interface belongs to process 0, skip this step.
Step 4 Run:
stp no-agreement-check
The common rapid transition mechanism is configured. By default, the interface uses the enhanced rapid transition mechanism. ----End
9.6.3 Configuring the MSTP Protocol Packet Format on an Interface

MSTP protocol packets can be transmitted in auto, dot1s, or legacy mode. The default mode is auto.
Context
MSTP protocol packets have two formats: dot1s (IEEE 802.1s standard packets) and legacy (proprietary protocol packets). The auto mode is introduced to allow an interface to automatically use the format of MSTP protocol packets sent from the remote interface. In this manner, the two interfaces use the same MSTP protocol packet format. Do as follows on a switching device in an MST region:
Procedure
Step 1 Run:
system-view


Issue 01 (2011-10-26)
468

NOTE
Step 4 Run:
stp compliance { auto | dot1s | legacy }
The MSTP protocol packet format is configured on the interface. The auto mode is used by default.
NOTE
If the format of MSTP packets is set to dot1s on one end and legacy on the other end, the negotiation fails.
----End
9.6.4 Enabling the Digest Snooping Function

When a Huawei device is connected to a non-Huawei device, if the region names, revision numbers, and VLAN-to-instance mappings configured on the two devices are consistent but the BPDU keys are different, the two devices cannot communicate. To address this problem, enable the digest snooping function on the Huawei device.
Context
Do as follows on a switching device in an MST region:
Procedure
Step 1 Run:
system-view



NOTE
Step 4 Run:
stp config-digest-snoop
The digest snooping function is enabled. ----End


After MSTP parameters are configured for the interoperability between Huawei devices and non-Huawei devices, check whether the configurations take effect.
Prerequisite
All the configurations for the interoperability between Huawei devices and non-Huawei devices are complete.
Procedure
----End
9.7 Maintaining MSTP

MSTP maintenance includes resetting MSTP statistics.
9.7.1 Clearing MSTP Statistics

You can run the reset commands to reset MSTP statistics to 0.
Context
CAUTION
MSTP statistics cannot be restored after you clear them. Therefore, exercise caution when using the reset commands. After you confirm that MSTP statistics need to be cleared, run the following command in the user view.
Procedure
Step 1 Run the reset stp [ interface interface-type interface-number ] statistics command to clear spanning-tree statistics. ----End

This section provides a configuration example of MSTP.
9.8.1 Example for Configuring Basic MSTP Functions

SwitchA, SwitchB, SwitchC, and SwitchD run MSTP. In this example, MSTP runs on Layer 2 interfaces of the Switches. Figure 9-9 Networking diagram of basic MSTP configurations
SwitchA GE1/0/1 GE2/0/1 SwitchC GE1/0/1
GE1/0/2
GE1/0/2
SwitchB GE1/0/1 GE2/0/1 SwitchD
GE1/0/2
GE1/0/2
GE1/0/1
The configuration roadmap is as follows: 1. 2. 3. 4. 5. 6. 7. Add SwitchA and SwitchC to MST region RG1, and create MSTI1. Add SwitchB and SwitchD to MST region RG2, and create MSTI1. Configure SwitchA as the CIST root. In RG1, configure SwitchA as the CIST regional root and regional root of MSTI1. Configure the root protection function on GE 1/0/2 and the GE 1/0/1 on SwitchA. In RG2, configure SwitchB as the CIST regional root and SwitchD as the regional root of MSTI1. On SwitchC and SwitchD, connect GE 1/0/1 to a PC and configure GE 1/0/1 as an edge port. Enable BPDU protection on SwitchC and SwitchD. Configure the Switches to calculate the path cost by using the algorithm of Huawei.
Data Preparation
To complete the configuration, you need the following data: l l l l Region that SwitchA and SwitchC belong to: RG1 Region that SwitchB and SwitchD belong to: RG2 Numbers of the GE interfaces, as shown in Figure 9-9 VLAN IDs: 1-20
Procedure
Step 1 Configure SwitchA.
# Configure the MST region on SwitchA.

<SwitchA> system-view [SwitchA] stp region-configuration [SwitchA-mst-region] region-name RG1 [SwitchA-mst-region] instance 1 vlan 1 to 10
# Activate the configuration of the MST region.

[SwitchA-mst-region] active region-configuration [SwitchA-mst-region] quit
# Set the priority of SwitchA in MSTI0 to 0 to ensure that SwitchA functions as the CIST root.
[SwitchA] stp instance 0 priority 0
# Set the priority of SwitchA in MSTI1 to 1 to ensure that SwitchA functions as the regional root of MSTI1.
[SwitchA] stp instance 1 priority 0
# Configure SwitchA to use Huawei private algorithm to calculate the path cost.
[SwitchA] stp pathcost-standard legacy
# Create VLANs 2 to 20.

[SwitchA] vlan batch 2 to 20
# Add GE 1/0/2 to the VLANs.

[SwitchA] interface GigabitEthernet 1/0/2 [SwitchA-GigabitEthernet1/0/2] port link-type trunk [SwitchA-GigabitEthernet1/0/2] port trunk allow-pass vlan 1 to 20 [SwitchA-GigabitEthernet1/0/2] quit

[SwitchA] interface GigabitEthernet 1/0/1 [SwitchA-GigabitEthernet1/0/1] port link-type trunk [SwitchA-GigabitEthernet1/0/1] port trunk allow-pass vlan 1 to 20 [SwitchA-GigabitEthernet1/0/1] quit
# Enable root protection on the GE 1/0/1.

[SwitchA] interface GigabitEthernet 1/0/1 [SwitchA-GigabitEthernet1/0/1] stp root-protection [SwitchA-GigabitEthernet1/0/1] quit
# Enable root protection on the GE 1/0/2.

[SwitchA] interface GigabitEthernet 1/0/2 [SwitchA-GigabitEthernet1/0/2] stp root-protection [SwitchA-GigabitEthernet1/0/2] quit
# Enable MSTP.
Step 2 Configure SwitchB. # Configure the MST region on SwitchB.

[SwitchB] stp region-configuration [SwitchB-mst-region] region-name RG2 [SwitchB-mst-region] instance 1 vlan 1 to 10


[SwitchB-mst-region] active region-configuration [SwitchB-mst-region] quit
# Set the priority of SwitchB in MSTI0 to 4096 to ensure that SwitchB functions as the CIST root.
[SwitchB] stp instance 0 priority 4096
# Configure SwitchB to use Huawei private algorithm to calculate the path cost.
[SwitchB] stp pathcost-standard legacy

[SwitchB] vlan batch 2 to 20

[SwitchB] interface GigabitEthernet 1/0/1 [SwitchB-GigabitEthernet1/0/1] port link-type trunk [SwitchB-GigabitEthernet1/0/1] port trunk allow-pass vlan 1 to 20 [SwitchB-GigabitEthernet1/0/1] quit

[SwitchB] interface GigabitEthernet 1/0/2 [SwitchB-GigabitEthernet1/0/2] port link-type trunk [SwitchB-GigabitEthernet1/0/2] port trunk allow-pass vlan 1 to 20 [SwitchB-GigabitEthernet1/0/2] quit
# Enable MSTP.
Step 3 Configure SwitchC. # Configure the MST region on SwitchC.

[SwitchC] stp region-configuration [SwitchC-mst-region] region-name RG1 [SwitchC-mst-region] instance 1 vlan 1 to 10

[SwitchC-mst-region] active region-configuration [SwitchC-mst-region] quit
# Configure SwitchC to use Huawei private algorithm to calculate the path cost.
[SwitchC] stp pathcost-standard legacy
# Enable BPDU protection.

[SwitchC] stp bpdu-protection

[SwitchC] vlan batch 2 to 20

[SwitchC] interface GigabitEthernet 1/0/2 [SwitchC-GigabitEthernet1/0/2] port link-type trunk [SwitchC-GigabitEthernet1/0/2] port trunk allow-pass vlan 1 to 20 [SwitchC-GigabitEthernet1/0/2] quit

[SwitchC] interface GigabitEthernet 2/0/1 [SwitchC-GigabitEthernet2/0/1] port link-type trunk
Issue 01 (2011-10-26)
473
[SwitchC-GigabitEthernet2/0/1] port trunk allow-pass vlan 1 to 20 [SwitchC-GigabitEthernet2/0/1] quit
# Configure GE 1/0/1 as an edge port.

[SwitchC] interface GigabitEthernet 1/0/1 [SwitchC-GigabitEthernet1/0/1] stp edged-port enable [SwitchC-GigabitEthernet1/0/1] port hybrid pvid vlan 20 [SwitchC-GigabitEthernet1/0/1] port hybrid untagged vlan 20 [SwitchC-GigabitEthernet1/0/1] quit
# Enable MSTP.
Step 4 Configure SwitchD. # Configure the MST region on SwitchD.

[SwitchD] stp region-configuration [SwitchD-mst-region] region-name RG2 [SwitchD-mst-region] instance 1 vlan 1 to 10

[SwitchD-mst-region] active region-configuration [SwitchD-mst-region] quit
# Set the priority of SwitchD in MSTI1 to 0 to ensure that SwitchD functions as the regional root of MSTI1.
[SwitchD] stp instance 1 priority 0
# Configure SwitchD to use Huawei private algorithm to calculate the path cost.
[SwitchD] stp pathcost-standard legacy
# Enable BPDU protection.

[SwitchD] stp bpdu-protection

[SwitchD] vlan batch 2 to 20

[SwitchD] interface gigabitEthernet 1/0/2 [SwitchD-GigabitEthernet1/0/2] port link-type trunk [SwitchD-GigabitEthernet1/0/2] port trunk allow-pass vlan 1 to 20 [SwitchD-GigabitEthernet1/0/2] quit

[SwitchD] interface GigabitEthernet 2/0/1 [SwitchD-GigabitEthernet2/0/1] port link-type trunk [SwitchD-GigabitEthernet2/0/1] port trunk allow-pass vlan 1 to 20 [SwitchD-GigabitEthernet2/0/1] quit
# Configure GE 1/0/1 as an edge port.

[SwitchD] interface GigabitEthernet 1/0/1 [SwitchD-GigabitEthernet1/0/1] stp edged-port enable [SwitchD-GigabitEthernet1/0/1] port hybrid pvid vlan 10 [SwitchD-GigabitEthernet1/0/1] port hybrid untagged vlan 10 [SwitchD-GigabitEthernet1/0/1] quit
# Enable MSTP.

Step 5 Verify the configuration. After the preceding configurations are complete and the network topology becomes stable, perform the following operations to verify the configuration. # Run the display stp brief command on SwitchA to view the status and protection type on the interfaces. The displayed information is as follows:
<SwitchA> display stp brief MSTID Port 0 GigabitEthernet1/0/2 0 GigabitEthernet1/0/1 1 GigabitEthernet1/0/2 1 GigabitEthernet1/0/1 Role DESI DESI DESI DESI STP State FORWARDING FORWARDING FORWARDING FORWARDING Protection ROOT ROOT ROOT ROOT
The priority of SwitchA is the highest in the CIST; therefore, SwitchA is elected as the CIST root and regional root of RG1. GE 1/0/2 and GE 1/0/1 of SwitchA are designated ports in the CIST. The priority of SwitchA in MSTI1 is the highest in RG1; therefore, SwitchA is elected as the regional root of SwitchA. GE 1/0/2 and GE 1/0/1 of SwitchA are designated ports in MSTI1. # Run the display stp interface brief commands on SwitchC. The displayed information is as follows:
<SwitchC> display stp interface GigabitEthernet 2/0/1 brief MSTID Port Role STP State Protection 0 GigabitEthernet2/0/1 ROOT FORWARDING NONE 1 GigabitEthernet2/0/1 ROOT FORWARDING NONE <SwitchC> display stp interface GigabitEthernet 1/0/2 brief MSTID Port Role STP State Protection 0 GigabitEthernet1/0/2 DESI FORWARDING NONE 1 GigabitEthernet1/0/2 DESI FORWARDING NONE
GE 2/0/1 of SwitchC is the root port in the CIST and MSTI1. GE 1/0/2 of SwitchC is a designated port in the CIST and MSTI1. # Run the display stp brief command on SwitchB. The displayed information is as follows:
<SwitchB> display stp brief MSTID Port 0 GigabitEthernet1/0/2 0 GigabitEthernet1/0/1 1 GigabitEthernet1/0/2 1 GigabitEthernet1/0/1 Role ROOT DESI MAST ROOT STP State FORWARDING FORWARDING FORWARDING FORWARDING Protection NONE NONE NONE NONE
The priority of SwitchB in the CIST is lower than that of SwitchA; therefore, GE 1/0/2 of SwitchB functions as the root port in the CIST. SwitchA and SwitchB belong to different regions; therefore, GE 1/0/2 of SwitchB functions as the master port in MSTI1. In MSTI1, the priority of SwitchB is lower than that of SwitchD; therefore, GE 1/0/1 of SwitchB functions as the root port. The priority of SwitchB in the CIST is higher than that of SwitchB; therefore, GE 1/0/1 of SwitchB functions as the designated port in the CIST. # Run the display stp interface brief commands on SwitchD. The displayed information is as follows:
<SwitchD> display stp interface GigabitEthernet 2/0/1 brief MSTID Port Role STP State Protection 0 GigabitEthernet2/0/1 ROOT FORWARDING NONE 1 GigabitEthernet2/0/1 DESI FORWARDING NONE <SwitchD> display stp interface GigabitEthernet 1/0/2 brief MSTID Port Role STP State Protection 0 GigabitEthernet1/0/2 ALTE DISCARDING NONE 1 GigabitEthernet1/0/2 ALTE DISCARDING NONE
Issue 01 (2011-10-26)
475
On SwitchD, GE 1/0/2 functions as the alternate port in the CIST. SwitchD and SwitchC are in different regions; therefore, GE 1/0/2 of SwitchD also functions as the alternate port in MSTI1. GE 2/0/1 of SwitchD is the root port in the CIST. The priority of SwitchD is higher than that of SwitchB in MSTI1; therefore, GE 2/0/1 also functions as the designated port in MSTI1. ----End
Configuration Files
# sysname SwitchA # vlan batch 2 to 20 # stp instance 0 priority 0 stp instance 1 priority 0 stp pathcost-standard legacy stp region-configuration region-name RG1 instance 1 vlan 1 to 10 active region-configuration # interface GigabitEthernet1/0/1 port link-type trunk port trunk allow-pass vlan 2 to 20 stp root-protection # interface GigabitEthernet1/0/2 port link-type trunk port trunk allow-pass vlan 2 to 20 stp root-protection # return
# sysname SwitchB # vlan batch 2 to 20 # stp instance 0 priority 4096 stp pathcost-standard legacy stp region-configuration region-name RG2 instance 1 vlan 1 to 10 active region-configuration # interface GigabitEthernet1/0/1 port link-type trunk port trunk allow-pass vlan 2 to 20 # interface GigabitEthernet1/0/2 port link-type trunk port trunk allow-pass vlan 2 to 20 # return
# sysname SwitchC # vlan batch 2 to 20 # stp bpdu-protection stp pathcost-standard legacy
Issue 01 (2011-10-26)
476

stp region-configuration region-name RG1 instance 1 vlan 1 to 10 active region-configuration # interface GigabitEthernet1/0/1 port hybrid pvid vlan 20 port hybrid untagged vlan 20 stp edged-port enable # interface GigabitEthernet1/0/2 port link-type trunk port trunk allow-pass vlan 2 to 20 # interface GigabitEthernet2/0/1 port link-type trunk port trunk allow-pass vlan 2 to 20 # return
# sysname SwitchD # vlan batch 2 to 20 # stp instance 1 priority 0 stp bpdu-protection stp pathcost-standard legacy stp region-configuration region-name RG2 instance 1 vlan 1 to 10 active region-configuration # interface GigabitEthernet1/0/1 port hybrid pvid vlan 10 port hybrid untagged vlan 10 stp edged-port enable # interface GigabitEthernet1/0/2 port link-type trunk port trunk allow-pass vlan 2 to 20 # interface GigabitEthernet2/0/1 port link-type trunk port trunk allow-pass vlan 2 to 20 # return
9.8.2 Example for Connecting CEs to the VPLS in Dual-Homing Mode Through MSTP
As shown in Figure 9-10, each CE is dual-homed to PEs. The PEs establish a VPLS full mesh. The CEs and PEs run the MSTP protocol. Generally, traffic is forwarded through the primary link. When the primary link fails, traffic is switched to the secondary link.
Issue 01 (2011-10-26)
477
Figure 9-10 Network diagram for connecting CEs to the VPLS in dual-homing mode
1.1.1.1/32 PE1 GE1/0/0 GE1/0/0 GE2/0/0 CE1 PC1 GE1/0/1 10.1.1.1/24 GE1/0/0 PE4
2.2.2.2/32 PE2
GE2/0/0 GE2/0/0 GE3/0/0 GE3/0/0
VPLS
GE1/0/0 GE1/0/0 GE2/0/0 CE2 GE1/0/1 PC2 GE1/0/0 10.1.1.2/24 PE3
GE2/0/0 GE3/0/0 GE2/0/0 GE3/0/0
4.4.4.4/32
Switch PE1 Interface GigabitEthernet1/0/0 GigabitEthernet2/0/0 GigabitEthernet3/0/0 Loopback1 PE2 GigabitEthernet1/0/0 GigabitEthernet2/0/0 GigabitEthernet3/0/0 Loopback1 PE3 GigabitEthernet1/0/0 GigabitEthernet2/0/0 GigabitEthernet3/0/0 Loopback1 PE4 GigabitEthernet1/0/0 GigabitEthernet2/0/0 GigabitEthernet3/0/0 Loopback1 CE1 GigabitEthernet1/0/0 GigabitEthernet1/0/1 GigabitEthernet2/0/0 CE2 GigabitEthernet1/0/0 GigabitEthernet1/0/1 GigabitEthernet2/0/1
3.3.3.3/32
VLANIF interface GigabitEthernet1/0/0.1 VLANIF 10 VLANIF 40 GigabitEthernet1/0/0.1 VLANIF 10 VLANIF 20 GigabitEthernet1/0/0.1 VLANIF 20 VLANIF 30 GigabitEthernet1/0/0.1 VLANIF 30 VLANIF 40 VLANIF 100 VLANIF 100 VLANIF 100 VLANIF 100 VLANIF 100 VLANIF 100 IP address 172.1.1.1/24 172.4.1.2/24 1.1.1.1/32 172.1.1.2/24 172.2.1.1/24 2.2.2.2/32 172.2.1.2/24 172.3.1.1/24 3.3.3.3/32 172.3.1.2/24 172.4.1.1/24 4.4.4.4/32 -
Issue 01 (2011-10-26)
478
The configuration roadmap is as follows: 1. 2. 3. 4. Configure the routing protocol on the backbone network to implement interworking. Set up a remote LDP session between the PEs. Establish a VPLS full mesh between PEs, Configure MSTP. Configure PE1 and PE2 as the primary roots, and configure PE3 and PE4 as the secondary roots.
Data Preparation
To complete the configuration, you need the following data: l l l l l VSI name and VSI ID IP addresses of peers and tunnel policy used for setting up the peer relationship Interfaces to which the VSI is bound Encapsulation mode of the sub-interfaces and VLANs that the sub-interfaces belong to STP region name and priority
NOTE
When associating VPLS with MSTP, you can bind a dot1q sub-interface, QinQ sub-interface, or VLANIF interface to a VSI. Dot1q sub-interfaces are used in this example.
Procedure
Step 1 Configure the VLAN to which each interface belongs according to Figure 9-10. The configuration procedure is not mentioned.
NOTE
l Do not add AC-side physical interface and PW-side physical interface of a PE to the same VLAN; otherwise, a loop occurs. l Packets sent from the CEs to the PEs must contain VLAN tags.
Step 2 Configure the IGP protocol. OSPF is used in this example. When configuring OSPF, advertise 32-bit loopback interface addresses (LSR IDs) of PE1, PE2, PE3, and PE4. The configuration procedure is not mentioned. After the configuration is complete, run the display ip routing-table command on PE1, P, and PE2. You can view the routes learned by PE1, P, and PE2 from each other. Step 3 Configure basic MPLS functions and LDP. The configuration procedure is not mentioned. After the configuration, run the display mpls ldp session command on PE1, P and PE2. You can see that the peer relationship is set up between PE1 and P, and between P and PE2. The status of the peer relationship is Operational. Run the display mpls lsp command. You can view the information about the established LSP. Step 4 Create a remote LDP session between PEs.
# Configure PE1.
# Configure PE2.
# Configure PE3.
# Configure PE4.
After the configuration, run the display mpls ldp session command on the PEs. You can see that the status of the remote LDP peer relationship is Operational. This indicates that remote LDP sessions are set up. Take the display on PE1 as an example.
[PE1] display mpls ldp session LDP Session(s) in Public Network -----------------------------------------------------------------------------Peer-ID Status LAM SsnRole SsnAge KA-Sent/Rcv -----------------------------------------------------------------------------2.2.2.2:0 Operational DU Passive 000:00:08 33/33 3.3.3.3:0 Operational DU Passive 000:00:07 29/29 4.4.4.4:0 Operational DU Passive 000:00:00 1/1 -----------------------------------------------------------------------------TOTAL: 3 session(s) Found. LAM : Label Advertisement Mode SsnAge Unit : DDD:HH:MM
Step 5 Enable MPLS L2VPN on PE1. # Configure PE1.

[PE1] mpls l2vpn
# Configure PE2.
[PE2] mpls l2vpn
# Configure PE3.
[PE3] mpls l2vpn
# Configure PE4.
[PE4] mpls l2vpn
Step 6 Configure a VSI on the PEs. # Configure PE1.

[PE1] vsi a2 static [PE1-vsi-a2] pwsignal ldp [PE1-vsi-a2-ldp] vsi-id 2 [PE1-vsi-a2-ldp] peer 2.2.2.2 [PE1-vsi-a2-ldp] peer 3.3.3.3 [PE1-vsi-a2-ldp] peer 4.4.4.4
# Configure PE2.

[PE2] vsi a2 static [PE2-vsi-a2] pwsignal ldp [PE2-vsi-a2-ldp] vsi-id 2 [PE2-vsi-a2-ldp] peer 1.1.1.1 [PE2-vsi-a2-ldp] peer 3.3.3.3 [PE2-vsi-a2-ldp] peer 4.4.4.4
Configurations of PE3 and PE3 are similar to configurations of PE1 and PE2, and are not mentioned. Step 7 Bind the VSI to interfaces on the PEs. # Configure PE1.
# Configure PE2.
# Configure PE3.
# Configure PE4.
Step 8 Configure STP. 1. Configure the MST region and activate the region. # Configure PE1.
[PE1] stp region-configuration [PE1-mst-region] region-name RG1 [PE1-mst-region] active region-configuration [PE1-mst-region] quit
# Configure PE4.
# Configure CE1.
[CE1] stp region-configuration [CE1-mst-region] region-name RG1 [CE1-mst-region] active region-configuration [CE1-mst-region] quit
# Configure PE2.
[PE2] stp region-configuration [PE2-mst-region] region-name RG1
Issue 01 (2011-10-26)
481

[PE2-mst-region] active region-configuration [PE2-mst-region] quit
# Configure PE3.
# Configure CE2.
[CE2] stp region-configuration [CE2-mst-region] region-name RG1 [CE2-mst-region] active region-configuration [CE2-mst-region] quit
2.
Configure the priorities of the PEs to make PE1 and PE2 the primary roots and PE3 and PE4 the secondary roots. # Configure PE1.
[PE1] stp instance 0 priority 0
# Configure PE2.
# Configure PE3.
# Configure PE4.
3.
Enable association between MSTP and VPLS on the CEs and PEs, and configure root protection on the secondary roots. # Configure CE1.
[CE1] stp enable [CE1] interface gigabitethernet 1/0/1 [CE1-GigabitEthernet1/0/1] stp enable [CE1-GigabitEthernet1/0/1] quit [CE1] interface gigabitethernet 1/0/0 [CE1-GigabitEthernet1/0/0] stp enable [CE1-GigabitEthernet1/0/0] quit
# Configure CE2.
[CE2] stp enable [CE2] interface gigabitethernet 1/0/1 [CE2-GigabitEthernet1/0/1] stp enable [CE2-GigabitEthernet1/0/1] quit [CE2] interface gigabitethernet 1/0/0 [CE2-GigabitEthernet1/0/0] stp enable [CE2-GigabitEthernet1/0/0] quit
# Configure PE1.
[PE1] stp enable [PE1] interface gigabitethernet 1/0/0 [PE1-GigabitEthernet1/0/0] stp vpls-subinterface enable [PE1-GigabitEthernet1/0/0] stp enable [PE1-GigabitEthernet1/0/0] quit [PE1] interface gigabitethernet 2/0/0 [PE1-GigabitEthernet2/0/0] stp disable [PE1-GigabitEthernet2/0/0] quit [PE1] interface gigabitethernet 3/0/0 [PE1-GigabitEthernet3/0/0] stp disable [PE1-GigabitEthernet3/0/0] quit
# Configure PE2.
[PE2] stp enable [PE2] interface gigabitethernet 1/0/0 [PE2-GigabitEthernet1/0/0] stp vpls-subinterface enable
Issue 01 (2011-10-26)
482

[PE2-GigabitEthernet1/0/0] stp enable [PE2-GigabitEthernet1/0/0] quit [PE2] interface gigabitethernet 2/0/0 [PE2-GigabitEthernet2/0/0] stp disable [PE2-GigabitEthernet2/0/0] quit [PE2] interface gigabitethernet 3/0/0 [PE2-GigabitEthernet3/0/0] stp disable [PE2-GigabitEthernet3/0/0] quit
# Configure PE3.
[PE3] stp enable [PE3] interface gigabitethernet 1/0/0 [PE3-GigabitEthernet1/0/0] stp vpls-subinterface enable [PE3-GigabitEthernet1/0/0] stp root-protection [PE3-GigabitEthernet1/0/0] stp enable [PE3-GigabitEthernet1/0/0] quit [PE3] interface gigabitethernet 2/0/0 [PE3-GigabitEthernet2/0/0] stp disable [PE3-GigabitEthernet2/0/0] quit [PE3] interface gigabitethernet 3/0/0 [PE3-GigabitEthernet3/0/0] stp disable [PE3-GigabitEthernet3/0/0] quit
# Configure PE4.
[PE4] stp enable [PE4] interface gigabitethernet 1/0/0 [PE4-GigabitEthernet1/0/0] stp vpls-subinterface enable [PE4-GigabitEthernet1/0/0] stp root-protection [PE4-GigabitEthernet1/0/0] stp enable [PE4-GigabitEthernet1/0/0] quit [PE4] interface gigabitethernet 2/0/0 [PE4-GigabitEthernet2/0/0] stp disable [PE4-GigabitEthernet2/0/0] quit [PE4] interface gigabitethernet 3/0/0 [PE4-GigabitEthernet3/0/0] stp disable [PE4-GigabitEthernet3/0/0] quit
Step 9 Verify the configuration. Run the display vsi name a2 verbose command on PE1. You can see that the VSI state is Up.
<PE1> display vsi name a2 verbose ***VSI Name Administrator VSI Isolate Spoken VSI Index PW Signaling Member Discovery Style PW MAC Learn Style Encapsulation Type MTU Mode Service Class Color DomainId Domain Name VSI State VSI ID *Peer Router ID VC Label Peer Type Session Tunnel ID *Peer Router ID VC Label Peer Type Session Tunnel ID : : : : : : : : : : : : : : : : : : : : : : : : : : a2 no disable 0 ldp static unqualify vlan 1500 uniform --0 up 2 2.2.2.2 27648 dynamic up 0x10001, 3.3.3.3 27649 dynamic up 0x10002,
Issue 01 (2011-10-26)
483

*Peer Router ID VC Label Peer Type Session Tunnel ID Interface Name State **PW Information: *Peer Ip Address PW State Local VC Label Remote VC Label PW Type Tunnel ID *Peer Ip Address PW State Local VC Label Remote VC Label PW Type Tunnel ID *Peer Ip Address PW State Local VC Label Remote VC Label PW Type Tunnel ID : : : : : : : : : : : : : : : : : : 2.2.2.2 up 27648 27648 label 0x10001, 3.3.3.3 up 27649 27649 label 0x10002, 4.4.4.4 up 27650 27650 label 0x10003, : : : : : 4.4.4.4 27650 dynamic up 0x10003,
: GigabitEthernet 1/0/0.1 : up
PC1 (10.1.1.1) can ping PC2 (10.1.1.2).

<PC1> ping 10.1.1.2 PING 10.1.1.2: 56 data bytes, press CTRL_C to break Reply from 10.1.1.2: bytes=56 Sequence=1 ttl=255 time=90 Reply from 10.1.1.2: bytes=56 Sequence=2 ttl=255 time=77 Reply from 10.1.1.2: bytes=56 Sequence=3 ttl=255 time=34 Reply from 10.1.1.2: bytes=56 Sequence=4 ttl=255 time=46 Reply from 10.1.1.2: bytes=56 Sequence=5 ttl=255 time=94 --- 10.1.1.2 ping statistics --5 packet(s) transmitted 5 packet(s) received 0.00% packet loss round-trip min/avg/max = 34/68/94 ms
ms ms ms ms ms
When the link between CE1 and PE1 fails or PE1 is faulty, PE4 becomes the primary root. In this case, PC1 and PE2 can still ping each other. ----End
Configuration Files
# sysname CE1 # vlan batch 100 # stp enable # interface Vlanif100 # interface GigabitEthernet1/0/0 port link-type trunk port trunk allow-pass vlan 100 # interface GigabitEthernet1/0/1 port link-type trunk
Issue 01 (2011-10-26)
484

port trunk allow-pass vlan 100 # interface GigabitEthernet2/0/0 port hybrid pvid vlan 100 port hybrid untagged vlan 100 # return

# sysname CE2 # vlan batch 100 # stp enable # interface Vlanif100 # interface GigabitEthernet1/0/0 port link-type trunk port trunk allow-pass vlan 100 # interface GigabitEthernet1/0/1 port link-type trunk port trunk allow-pass vlan 100 # interface GigabitEthernet2/0/0 port hybrid pvid vlan 100 port hybrid untagged vlan 100 # return

# sysname PE1 # vlan batch 10 40 # stp enable # mpls lsr-id 1.1.1.1 mpls # mpls l2vpn # vsi a2 static pwsignal ldp vsi-id 2 peer 2.2.2.2 peer 3.3.3.3 peer 4.4.4.4 # mpls ldp # mpls ldp remote-peer 3.3.3.3 remote-ip 3.3.3.3 # interface Vlanif 10 ip address 172.1.1.1 255.255.255.0 mpls mpls ldp # interface Vlanif 40 ip address 172.4.1.2 255.255.255.0 mpls mpls ldp # interface GigabitEthernet1/0/0 stp vpls-subinterface enable #
Issue 01 (2011-10-26)
485

interface GigabitEthernet1/0/0.1 control-vid 1000 dot1q-termination dot1q termination vid 100 l2 binding vsi a2 # interface GigabitEthernet2/0/0 port hybrid pvid vlan 10 port hybrid tagged vlan 10 stp disable # interface GigabitEthernet3/0/0 port hybrid pvid vlan 40 port hybrid tagged vlan 40 stp disable # interface LoopBack1 ip address 1.1.1.1 255.255.255.255 # ospf 1 area 0.0.0.0 network 1.1.1.1 0.0.0.0 network 172.1.1.0 0.0.0.255 network 172.4.1.0 0.0.0.255 # return

# sysname PE2 # vlan batch 10 20 # stp enable # mpls lsr-id 2.2.2.2 mpls # mpls l2vpn # vsi a2 static pwsignal ldp vsi-id 2 peer 1.1.1.1 peer 3.3.3.3 peer 4.4.4.4 # mpls ldp # mpls ldp remote-peer 4.4.4.4 remote-ip 4.4.4.4 # interface Vlanif10 ip address 172.1.1.2 255.255.255.0 mpls mpls ldp # interface Vlanif20 ip address 172.2.1.1 255.255.255.0 mpls mpls ldp # interface GigabitEthernet1/0/0 stp vpls-subinterface enable # interface GigabitEthernet1/0/0.1 control-vid 1000 dot1q-termination dot1q termination vid 100 l2 binding vsi a2 # interface GigabitEthernet2/0/0
Issue 01 (2011-10-26)
486

port link-type trunk port trunk allow-pass vlan 10 stp disable # interface GigabitEthernet3/0/0 port link-type trunk port trunk allow-pass vlan 20 stp disable # interface LoopBack1 ip address 2.2.2.2 255.255.255.255 # ospf 1 area 0.0.0.0 network 172.1.1.0 0.0.0.255 network 172.2.1.0 0.0.0.255 network 2.2.2.2 0.0.0.0 # return

# sysname PE3 # vlan batch 20 30 # stp enable # mpls lsr-id 3.3.3.3 mpls # mpls l2vpn # vsi a2 static pwsignal ldp vsi-id 2 peer 1.1.1.1 peer 2.2.2.2 peer 4.4.4.4 # mpls ldp # mpls ldp remote-peer 1.1.1.1 remote-ip 1.1.1.1 # interface Vlanif20 ip address 172.2.1.2 255.255.255.0 mpls mpls ldp # interface Vlanif30 ip address 172.3.1.1 255.255.255.0 mpls mpls ldp # interface GigabitEthernet1/0/0 stp root-protection stp vpls-subinterface enable # interface GigabitEthernet1/0/0.1 control-vid 1000 dot1q-termination dot1q termination vid 100 l2 binding vsi a2 # interface GigabitEthernet2/0/0 port link-type trunk port trunk allow-pass vlan 20 stp disable # interface GigabitEthernet3/0/0
Issue 01 (2011-10-26)
487

port link-type trunk port trunk allow-pass vlan 30 stp disable # interface LoopBack1 ip address 3.3.3.3 255.255.255.255 # ospf 1 area 0.0.0.0 network 172.2.1.0 0.0.0.255 network 172.3.1.0 0.0.0.255 network 3.3.3.3 0.0.0.0 # return

# sysname PE4 # vlan batch 30 40 # stp enable # mpls lsr-id 4.4.4.4 mpls # mpls l2vpn # vsi a2 static pwsignal ldp vsi-id 2 peer 1.1.1.1 peer 2.2.2.2 peer 3.3.3.3 # mpls ldp # mpls ldp remote-peer 2.2.2.2 remote-ip 2.2.2.2 # interface Vlanif30 ip address 172.3.1.2 255.255.255.0 mpls mpls ldp # interface Vlanif40 ip address 172.4.1.1 255.255.255.0 mpls mpls ldp # interface GigabitEthernet1/0/0 stp root-protection stp vpls-subinterface enable # interface GigabitEthernet1/0/0.1 control-vid 1000 dot1q-termination dot1q termination vid 100 l2 binding vsi a2 # interface GigabitEthernet2/0/0 port link-type trunk port trunk allow-pass vlan 30 stp disable # interface GigabitEthernet3/0/0 port link-type trunk port trunk allow-pass vlan 40 stp disable # interface LoopBack1
Issue 01 (2011-10-26)
488

ip address 4.4.4.4 255.255.255.255 # ospf 1 area 0.0.0.0 network 172.3.1.0 0.0.0.255 network 172.4.1.0 0.0.0.255 network 4.4.4.4 0.0.0.0 # return
9.8.3 Example for Configuring MSTP Multi-Process for Layer 2 Single-Access Rings and Layer 2 Multi-Access Rings
MSTP multi-process enables different Layer 2 access rings to transmit different services.
On the network with both Layer 2 single-access rings and multi-access rings deployed, switching devices transmit both Layer 2 and Layer 3 services. To enable different rings to transmit different services, configure MSTP multi-process. Spanning trees of different processes are calculated independently. As shown in Figure 9-11, both Layer 2 single-access rings and dual-access rings are deployed and switches A and B carry both Layer 2 and Layer 3 services. In this networking, switches A and B connected to dual-access rings are also connected to a single-access ring.
NOTE
In the ring where MSTP multi-process is configured, you are advised not to block the interface directly connected to the root protection-enabled designated port.
Issue 01 (2011-10-26)
489
Figure 9-11 Networking for MSTP multi-process for Layer 2 single-access rings and multiaccess rings
Network
GE1/0/5 PE1 CE GE1/0/4 GE1/0/3 CE Instance1:VLAN2~100 Process 1 CE SwitchA
SwitchC Region name:RG1 SwitchB GE1/0/1 GE1/0/2
GE1/0/5 PE2 GE1/0/4 GE1/0/3 CE Instance3:VLAN201~300 Process 3 CE CE
GE1/0/1 GE1/0/2
The configuration roadmap is as follows: 1. Configure basic MSTP functions, add devices to MST regions, and create MSTIs.
NOTE
l Each ring can belong to only one region. l Each CE can join only one ring.
2.
Configure multiple MSTP processes, including: (1) Create multiple MSTP processes and add interfaces to relevant processes. (2) Configure a share-link.
3.
Configure MSTP protection functions, including: l Configure priorities of MSTP processes and enable root protection. l Configure share-link protection.
4.
Configure the Layer 2 forwarding function on devices.
Data Preparation
To complete the configuration, you need the following data:
l l l
Name of an MST region and names of MSTIs (MSTI 1, MSTI 2, and MSTI 3) VLAN IDs (2 to 300) IDs of MSTP processes
Procedure
Step 1 Configure basic MSTP functions, add devices to an MST region, and create MSTIs. 1. Configure MST regions and create MSTIs. # Configure an MST region and create MSTIs on Switch A.
<Quidway> system-view [Quidway] sysname SwitchA [SwitchA] stp region-configuration [SwitchA-mst-region] region-name RG1 [SwitchA-mst-region] instance 1 vlan 2 to 100 [SwitchA-mst-region] instance 2 vlan 101 to 200 [SwitchA-mst-region] instance 3 vlan 201 to 300 [SwitchA-mst-region] active region-configuration [SwitchA-mst-region] quit
# Configure an MST region and create MSTIs on Switch B.

<Quidway> system-view [Quidway] sysname SwitchB [SwitchB] stp region-configuration [SwitchB-mst-region] region-name RG1 [SwitchB-mst-region] instance 1 vlan 2 to 100 [SwitchB-mst-region] instance 2 vlan 101 to 200 [SwitchB-mst-region] instance 3 vlan 201 to 300 [SwitchB-mst-region] active region-configuration [SwitchB-mst-region] quit
2.
Enable MSTP. # Configure Switch A.

# Configure Switch B.
Step 2 Configure multiple MSTP processes. 1. Create multiple MSTP processes and add interfaces to relevant processes. # Create MSTP processes 1 and 2 on Switch A.
[SwitchA] stp process 1 [SwitchA-mst-process-1] quit [SwitchA] stp process 2 [SwitchA-mst-process-2] quit
# Create MSTP processes 2 and 3 on Switch B.

[SwitchB] stp process 2 [SwitchB-mst-process-2] quit [SwitchB] stp process 3 [SwitchB-mst-process-3] quit
# Add GE 1/0/3 and GE 1/0/4 on Switch A to MSTP process 1 and GE 1/0/2 to MSTP process 2.
[SwitchA] interface gigabitethernet 1/0/4 [SwitchA-GigabitEthernet1/0/4] stp binding process 1 [SwitchA-GigabitEthernet1/0/4] quit [SwitchA] interface gigabitethernet 1/0/3 [SwitchA-GigabitEthernet1/0/3] stp binding process 1 [SwitchA-GigabitEthernet1/0/3] quit [SwitchA] interface gigabitethernet 1/0/2 [SwitchA-GigabitEthernet1/0/2] stp binding process 2
Issue 01 (2011-10-26)
491

[SwitchA-GigabitEthernet1/0/2] quit
# Add GE 1/0/3 and GE 1/0/4 on Switch B to MSTP process 3 and GE 1/0/2 to MSTP process 2.
[SwitchB] interface gigabitethernet 1/0/4 [SwitchB-GigabitEthernet1/0/4] stp binding process 3 [SwitchB-GigabitEthernet1/0/4] quit [SwitchB] interface gigabitethernet 1/0/3 [SwitchB-GigabitEthernet1/0/3] stp binding process 3 [SwitchB-GigabitEthernet1/0/3] quit [SwitchB] interface gigabitethernet 1/0/2 [SwitchB-GigabitEthernet1/0/2] stp binding process 2 [SwitchB-GigabitEthernet1/0/2] quit
2.
Configure a share-link. # Configure Switch A.

[SwitchA] interface gigabitethernet1/0/1 [SwitchA-GigabitEthernet1/0/1] stp binding process 2 link-share [SwitchA-GigabitEthernet1/0/1] quit
[SwitchB] interface gigabitethernet1/0/1 [SwitchB-GigabitEthernet1/0/1] stp binding process 2 link-share [SwitchB-GigabitEthernet1/0/1] quit
3.
Enable the MSTP function in MSTP multi-process. # Configure Switch A.

[SwitchA] stp process 1 [SwitchA-stp-process-1] [SwitchA-stp-process-1] [SwitchA] stp process 2 [SwitchA-stp-process-2] [SwitchA-stp-process-2] stp enable quit stp enable quit
[SwitchB] stp process 3 [SwitchB-stp-process-3] [SwitchB-stp-process-3] [SwitchB] stp process 2 [SwitchB-stp-process-2] [SwitchB-stp-process-2] stp enable quit stp enable quit
Step 3 Configure MSTP protection functions. l Configure priorities of MSTP processes and enable root protection. # Configure Switch A.
[SwitchA] stp process 1 [SwitchA-stp-process-1] stp instance 0 root primary [SwitchA-stp-process-1] stp instance 1 root primary [SwitchA-stp-process-1] quit [SwitchA] stp process 2 [SwitchA-stp-process-2] stp instance 0 root primary [SwitchA-stp-process-2] stp instance 2 root primary [SwitchA-stp-process-2] quit [SwitchA] interface gigabitethernet 1/0/2 [SwitchA-GigabitEthernet1/0/2] stp root-protection [SwitchA-GigabitEthernet1/0/2] quit
[SwitchB] stp process 3 [SwitchB-stp-process-3] [SwitchB-stp-process-3] [SwitchB-stp-process-3] [SwitchB] stp process 2 [SwitchB-stp-process-2] [SwitchB-stp-process-2] stp instance 0 root primary stp instance 3 root primary quit stp instance 0 root secondary stp instance 2 root secondary
Issue 01 (2011-10-26)
492

[SwitchB-stp-process-2] quit [SwitchB] interface gigabitethernet 1/0/2 [SwitchB-GigabitEthernet1/0/2] stp root-protection [SwitchB-GigabitEthernet1/0/2] quit
NOTE
l In each ring, the priority of the MSTP process on the downstream CE must be lower than the priority of the MSTP process on the switching device. l For switches A and B on the dual-access ring, you are recommended to configure them as the primary root bridges of different MSTIs.
l Configure share-link protection. # Configure Switch A.

[SwitchA] stp process 2 [SwitchA-stp-process-2] stp link-share-protection [SwitchA-stp-process-2] quit
[SwitchB] stp process 2 [SwitchB-stp-process-2] stp link-share-protection [SwitchB-stp-process-2] quit
Step 4 Create VLANs and add interfaces to VLANs. # Create VLANs 2to 200 on Switch A. Add GE 1/0/3 and GE 1/0/4 to VLANs 2 to 100, and add GE 1/0/1 and GE 1/0/2 to VLANs 101 to 200.
[SwitchA] vlan batch 2 to 200 [SwitchA] interface gigabitethernet [SwitchA-GigabitEthernet1/0/3] port [SwitchA-GigabitEthernet1/0/3] port [SwitchA-GigabitEthernet1/0/3] quit [SwitchA] interface gigabitethernet [SwitchA-GigabitEthernet1/0/4] port [SwitchA-GigabitEthernet1/0/4] port [SwitchA-GigabitEthernet1/0/4] quit [SwitchA] interface gigabitethernet [SwitchA-GigabitEthernet1/0/1] port [SwitchA-GigabitEthernet1/0/1] port [SwitchA-GigabitEthernet1/0/1] quit [SwitchA] interface gigabitethernet [SwitchA-GigabitEthernet1/0/2] port [SwitchA-GigabitEthernet1/0/2] port [SwitchA-GigabitEthernet1/0/2] quit 1/0/3 link-type trunk trunk allow-pass vlan 2 to 100 1/0/4 link-type trunk trunk allow-pass vlan 2 to 100 1/0/1 link-type trunk trunk allow-pass vlan 101 to 200 1/0/2 link-type trunk trunk allow-pass vlan 101 to 200
# Create VLANs 101 to 300 on Switch B. Add GE 1/0/3 and GE 1/0/4 to VLANs 201 to 300, and add GE 1/0/1 and GE 1/0/2 to VLANs 101 to 200.
[SwitchB] vlan batch 101 to 300 [SwitchB] interface gigabitethernet [SwitchB-GigabitEthernet1/0/3] port [SwitchB-GigabitEthernet1/0/3] port [SwitchB-GigabitEthernet1/0/3] quit [SwitchB] interface gigabitethernet [SwitchB-GigabitEthernet1/0/4] port [SwitchB-GigabitEthernet1/0/4] port [SwitchB-GigabitEthernet1/0/4] quit [SwitchB] interface gigabitethernet [SwitchB-GigabitEthernet1/0/1] port [SwitchB-GigabitEthernet1/0/1] port [SwitchB-GigabitEthernet1/0/1] quit [SwitchB] interface gigabitethernet [SwitchB-GigabitEthernet1/0/2] port [SwitchB-GigabitEthernet1/0/2] port [SwitchB-GigabitEthernet1/0/2] quit 1/0/3 link-type trunk trunk allow-pass vlan 201 to 300 1/0/4 link-type trunk trunk allow-pass vlan 201 to 300 1/0/1 link-type trunk trunk allow-pass vlan 101 to 200 1/0/2 link-type trunk trunk allow-pass vlan 101 to 200
Issue 01 (2011-10-26)
493
Step 5 Verify the configuration. l Run the display stp interface brief command on Switch A, and you can view the following information: # GE 1/0/4 is a designated port in the CIST of MSTP process 1 and in MSTI 1.
[SwitchA] display stp process 1 interface giabitethernet 1/0/4 brief MSTID Port Role STP State Protection 0 GigabitEthernet1/0/4 DESI FORWARDING NONE 1 GigabitEthernet1/0/4 DESI FORWARDING NONE
# GE 1/0/2 is a designated port in the CIST of MSTP process 2 and in MSTI 2.

[SwitchA] display stp process 2 interface giabitethernet 1/0/2 brief MSTID Port Role STP State Protection 0 GigabitEthernet1/0/2 DESI FORWARDING ROOT 2 GigabitEthernet1/0/2 DESI FORWARDING ROOT
l Run the display stp interface brief command on Switch B, and you can view the following information: # GE 1/0/4 is a designated port in the CIST of MSTP process 3 and in MSTI 3.
[SwitchB] display stp process 3 interface giabitethernet 1/0/4 brief MSTID Port Role STP State Protection 0 GigabitEthernet1/0/4 DESI FORWARDING NONE 3 GigabitEthernet1/0/4 DESI FORWARDING NONE
# GE 1/0/2 is a designated port in the CIST of MSTP process 2 and in MSTI 2.

[SwitchB] display stp process 2 interface giabitethernet 1/0/2 brief MSTID Port Role STP State Protection 0 GigabitEthernet1/0/2 DESI FORWARDING ROOT 2 GigabitEthernet1/0/2 DESI FORWARDING ROOT
----End
Configuration Files
Only the MSTP-related configuration files are listed. l Configuration file of Switch A
# sysname SwitchA # vlan batch 2 to 200 # stp regionconfiguration region-name RG1 instance 1 vlan 1 to 100 instance 2 vlan 101 to 200 active regionconfiguration # stp process 1 stp instance 0 root primary stp instance 1 root primary stp enable stp process
Issue 01 (2011-10-26)
494

2 stp instance 0 root primary stp instance 2 root primary stp link-shareprotection stp enable # interface GigabitEthernet1/0/1 port link-type trunk port trunk allow-pass 200 stp binding process 2 share # interface GigabitEthernet1/0/2 port link-type trunk port trunk allow-pass 200 stp binding process 2 stp rootprotection # interface GigabitEthernet1/0/3 port link-type trunk port trunk allow-pass 100 stp binding process 1 # interface GigabitEthernet1/0/4 port link-type trunk port trunk allow-pass 100 stp binding process 1 # return
vlan 101 to link-
vlan 101 to
vlan 2 to
vlan 2 to

# sysname SwitchB # vlan batch 101 to 300 # stp regionconfiguration region-name RG1 instance 2 vlan 101 to 200 instance 3 vlan 1 to 100 active regionconfiguration # stp process 2 stp instance 0 root secondary stp instance 2 root
Issue 01 (2011-10-26)
495

secondary stp link-shareprotection stp enable stp process 3 stp instance 0 root primary stp instance 3 root primary stp enable # interface GigabitEthernet1/0/1 port link-type trunk port trunk allow-pass 200 stp binding process 2 share # interface GigabitEthernet1/0/2 port link-type trunk port trunk allow-pass 200 stp binding process 2 stp rootprotection # interface GigabitEthernet1/0/3 port link-type trunk port trunk allow-pass 300 stp binding process 3 # interface GigabitEthernet1/0/4 port link-type trunk port trunk allow-pass 300 stp binding process 3 # return
vlan 101 to link-
vlan 101 to
vlan 201 to
vlan 201 to
Issue 01 (2011-10-26)
496
10 SEP Configuration
10
About This Chapter
SEP Configuration
As a link layer protocol dedicated to Ethernet rings, SEP blocks redundant links on a network to prevent logical loops. 10.1 SEP Overview The Smart Ethernet Protection (SEP) protocol is a dedicated link layer protocol for use on Ethernet rings. It boasts the high convergence speed, supports diverse topologies, and is able to display the network topology on any device. 10.2 Configuring Basic SEP Functions When there is no faulty link on a ring network running SEP, SEP can eliminate loops on the Ethernet. When a link fault occurs on a ring network running SEP, SEP can immediately restore the communication links between the nodes. 10.3 Specifying an Interface to Block By default, the blocked interface is one of the last two interfaces that complete neighbor negotiation. Sometimes, the negotiated blocked interface, however, may not be the expected one. An interface can be selected to block as required. 10.4 Configuring SEP Multi-Instance SEP multi-instance allows two SEP segments to be configured on a physical ring network. After different protected instances are configured for the SEP segments and VLANs are mapped to specified protected instances, load balancing and link backup can be implemented for service traffic. 10.5 Configuring the Topology Change Notification Function The function of advertising topology changes is configured on the device connecting a lowerlevel network to an upper-level network. With this function, the device can notify the remote device of topology changes of the lower-level and upper-level networks. After being notified of these topology changes, all the devices on the network where the remote device resides delete associated MAC addresses and ARP entry in time and relearn the MAC address of the remote device. This ensures nonstop traffic forwarding. 10.6 Maintaining SEP This section describes the commands for maintaining SEP, including the commands for clearing SEP statistics.
10.7 Configuration Examples This section describes the networking requirements, configuration roadmap, and data preparation for a typical SEP application and provides the configuration examples.
Issue 01 (2011-10-26)
498
10.1 SEP Overview

The Smart Ethernet Protection (SEP) protocol is a dedicated link layer protocol for use on Ethernet rings. It boasts the high convergence speed, supports diverse topologies, and is able to display the network topology on any device.
10.1.1 SEP Overview

SEP supports open-ring, closed-ring, single-ring, and multi-ring topologies and meets the requirements of various topologies for redundant protection.
Introduction
Generally, redundant links are used on an Ethernet switching network to provide link backup and enhance network reliability. The use of redundant links, however, may produce loops, causing broadcast storms and rendering the MAC address table unstable. As a result, the communication quality deteriorates, and communication services may even be interrupted. To solve the loop problem, Huawei datacom devices support the ring network protocols shown in Table 10-1. Table 10-1 Ring Network Protocol Ring Network Protocol STP/ RSTP/ MSTP Advantage Disadvantage Deployment Scenario
The Spanning Tree Protocol (STP), Rapid Spanning Tree Protocol (RSTP), and MultiSpanning Tree Protocol (MSTP) are standard protocols for breaking loops on Ethernet networks. They are mature and widely applied. Huawei devices running one of them can communicate with non-Huawei devices.
The network convergence time is at the second level, which cannot meet the requirements of some real-time services. The convergence time is affected by the network topology.
They are applicable to Layer 2 networks that have a low requirement on convergence time.
Issue 01 (2011-10-26)
499
Ring Network Protocol RRPP
Advantage
Disadvantage
Deployment Scenario
The Rapid Ring Protection Protocol (RRPP) is a private protocol of Huawei. It features short convergence time (less than 50 ms) and supports load balancing for different types of traffic.
l A Huawei device running RRPP cannot communicate with any nonHuawei device. l RRPP has a high requirement on network topologies. Logical topologies need to be configured for a physical topology, and primary rings and sub-rings need to be defined for these logical topologies. Therefore, RRPP is not applicable to complex networks.
It is applicable to single rings, tangent rings, and intersecting rings that have a high requirement on the convergence time.
Issue 01 (2011-10-26)
500
Ring Network Protocol SEP
Advantage
Disadvantage
Deployment Scenario
l SEP is a private protocol of Huawei. It boasts short convergence time (less than 50 ms). Huawei devices running SEP can communicate with non-huawei devices running other types of ring protocols. l SEP supports various types of networking modes. For example, a network running SEP can communicate with a network running STP, RSTP, MSTP, or RRPP. SEP supports all topologies and the display of network topologies. The blocked interface, therefore, can be quickly located. When a fault occurs, SEP can quickly locate the fault, improving network maintainability. l SEP supports various policies for specifying an interface to block. This allows the implementation of traffic load balancing.
l The devices on a SEP-enabled network must be Huawei datacom devices. l On a SEP network, after network convergence, a specified interface is blocked to prevent data traffic from passing through the interface, even if the link where the interface resides is a direct link.
It is applicable to Layer 2 networks that have a high requirement on convergence time.
Definitions
The SEP protocol is a dedicated link layer protocol for use on Ethernet ring networks. A SEP segment is the basic unit of the protocol. A SEP segment is composed of multiple interconnected
Layer 2 switching devices that are configured with the same SEP segment ID and control VLAN ID. Only two interfaces on a Layer 2 switching device can be added to the same SEP segment. In a SEP segment, loops can be prevented by starting a protection mechanism to selectively block certain interfaces and eliminate Ethernet redundant links. When a fault occurs on a ring network, a device running SEP can quickly unblock the blocked interface to perform link switching. This maintains normal communication between nodes on the ring network. Figure 10-1 shows a typical SEP application. CE1 is connected to NPEs through a closed-ring formed by switches. A VRRP backup group is deployed on the NPEs. Initially, the status of NPE1 is master and the status of NPE2 is backup. When the link between NPE1 and LSW5 or a node on the link becomes faulty (it is assumed that the link between LSW1 and LSW5 becomes faulty), the following situations occur: l l If SEP is not deployed on the closed-ring, CE1 still forwards traffic along the original path, causing traffic interruption. If SEP is deployed on the closed-ring, the blocked interface on LSW5 becomes unblocked and enters the forwarding state. In addition, it sends Link Status Advertisements (LSAs) to instruct other nodes on the SEP segment to refresh their LSA databases. CE1 sends traffic along the backup link LSW5->LSW2->LSW4->LSW3->NPE1. This ensures proper traffic transmission.
Issue 01 (2011-10-26)
502
Figure 10-1 Schematic diagram for SEP

Access Aggregation LSW1 LSW3 Core Master
CE1
NPE1 VRRP+peer BFD NPE2 LSW5 LSW2 LSW4 Backup
IP/MPLS Core
Access
a,SEP is not deployed on the closed-ring Aggregation Core LSW1 LSW3 Master
CE1
SEP NPE1 Segment VRRP+peer BFD NPE2 LSW5 LSW2 LSW4 Backup
IP/MPLS Core
Access
Aggregation LSW1 LSW3
Core Master
SEP Segment CE1 LSW5 LSW2
NPE1 VRRP+peer BFD NPE2
IP/MPLS Core
LSW4
Backup
b,SEP is deployed on the closed-ring Primary Edge Node Secondary Edge Node Block Port
Basic Concepts
Basic SEP concepts are introduced by using Figure 10-1 and Figure 10-2.
Figure 10-2 Networking diagram for an open ring running SEP
VLAN/VPLS
VLAN/VPLS
LSW1
LSW5
LSW1
LSW5
SEP Segment LSW2 LSW3 LSW4 LSW2
SEP Segment LSW4 LSW3
CE
CE No-Neighbor Primary Edge Node No-Neighbor Secondary Edge Node Primary Edge Node Secondary Edge Node Block Port
SEP segment A SEP segment is the basic unit of SEP. A SEP segment is composed of multiple interconnected Layer 2 switching devices configured with the same SEP segment ID and the same control VLAN ID. A SEP segment corresponds to a ring-shaped or line-shaped Ethernet topology. Each SEP segment has a control VLAN, edge interfaces, and common interfaces.
Control VLAN In a SEP segment, the control VLAN is used to transmit only SEP packets. Each SEP segment must be configured with a control VLAN. After being added to a SEP segment configured with a control VLAN, an interface is added to the control VLAN automatically. Different SEP segments can use the same control VLAN. Unlike a control VLAN, a data VLAN is used to transmit data packets.
Node A node is a Layer 2 switching device added to a SEP segment. Only two interfaces on a node can be added to the same SEP segment.
Interface role As defined by SEP, interfaces are classified into common interfaces and edge interfaces.
Issue 01 (2011-10-26)
504
As shown in Table 10-2, edge interfaces are further classified into primary edge interfaces, secondary edge interfaces, no-neighbor primary edge interfaces, and no-neighbor secondary edge interfaces.
NOTE
Normally, an edge interface and a no-neighbor edge interface belong to different SEP segments.
Table 10-2 Interface roles Interfac e roles Common port Sub-role Description In a SEP segment, all interfaces except edge interfaces and the blocked interface are common interfaces. A common interface monitors the status of its directly connected SEP link and notifies its neighboring interface of link status changes in time. The neighboring interface constantly floods the notification message to other interfaces in the SEP segment until the message reaches the primary edge interface. The primary edge interface then processes the message. Edge port Primary Edge Port A SEP segment has only one primary edge interface. It can either be configured or be elected. The primary edge interface initiates blocked-interface preemption, terminates packets, and sends packets about topology changes to other networks. Secondary edge port A SEP segment has only one secondary edge interface. It can either be configured or be elected. A secondary edge interface terminates packets, and sends topology change notification messages to other networks. Noneighbor primary edge port The interface at the most marginal edge of a SEP segment is a no-neighbor primary edge interface, as shown in Figure 10-2. It is configured by users. A no-neighbor primary interface initiates blocked-interface preemption, terminates packets, and sends topology change notification messages to other networks. No-neighbor primary edge interfaces are used to interconnect Huawei devices and non-Huawei devices or devices that do not support SEP. Hybrid SEP +MSTP ring networking Open ring network Closed ring network Multiple-ring networking Hybrid SEP +RRPP ring networking Deployment Scenario -
Issue 01 (2011-10-26)
505
Interfac e roles
Sub-role Noneighbor secondary edge port
Description A no-neighbor secondary edge interface terminates packets and sends topology change notification messages to other networks. No-neighbor secondary edge interfaces are used to interconnect non-Huawei devices and devices that do not support SEP.
Deployment Scenario
Blocked interface In a SEP segment, an interface is blocked to prevent loops. If you do not specify the interface as a blocked interface, any interface in a SEP segment may be blocked. Only one interface is blocked in a SEP segment that works properly.
Status of SEP-enabled interfaces Table 10-3 shows the status of SEP-enabled interfaces in a SEP segment. Table 10-3 Interface status Interface Status Forwarding Discarding Description An interface in the forwarding state can forward user traffic, and receive and send SEP packets. An interface in the discarding state only receives and sends SEP packets.
The interface status does not depend on the interface role. An interface may be in forwarding or discarding state regardless of its role.
The process of breaking a loop by using SEP

1. 2. After a SEP segment is created, the interfaces on each node of the ring network are added to the SEP segment, and a role is configured for each interface. The neighbor negotiation mechanism is started after the interfaces are added to the SEP segment. One of the last two interfaces that complete neighbor negotiation becomes a blocked interface. The blocked interface sends LSAs to instruct other nodes in the SEP segment to update their LSA databases. The blocked interface does not allow data packets but SEP protocol packets to pass through. 4. After receiving the LSAs, the nodes update their LSA databases, and then determine forwarding paths. The loop is successfully broken.
3.
Typical SEP Topologies

l
Issue 01 (2011-10-26)
Open ring network

Figure 10-3 Networking diagram for an open ring running SEP
NPE1
Core
NPE2 IP/MPLS Core
VRRP+peer BFD
Aggregation
PE-AGG1
PE-AGG2 VLAN/VPLS
LSW1 SEP Segment

Access
LSW5
LSW2 LSW3
LSW4
CE Primary Edge Node Secondary Edge Node Block Port
As shown in Figure 10-3, the networking consists of the access layer, aggregation layer, and core layer. The CE is dual-homed to the upstream Layer 2 network through LSW1 to LSW5. LSW1 to LSW5 form an open ring network. The open ring network is deployed at the access layer to implement Layer 2 transparent transmission of unicast and multicast packets. SEP runs at the access layer to implement link redundancy. On a closed ring network, an edge interface is deployed on each of the two edge devices. l Closed ring network
Issue 01 (2011-10-26)
507
Figure 10-4 Networking diagram for a closed ring running SEP
IP/MPLS Core
Core
NPE1
VRRP+peer BFD
NPE2
LSW1
Aggregation
LSW5 SEP Segment
LSW2 LSW3
LSW4
Access
CE1
CE2
CE3
Primary Edge Node Secondary Edge Node Block Port
As shown in Figure 10-4, the CEs are dual-homed to the upstream Layer 2 network through LSW1 to LSW5. The edge devices LSW1 and LSW5 are directly connected to each other. LSW1 to LSW5 form a closed ring network. The closed ring network is deployed at the aggregation layer to aggregate unicast and multicast services. SEP runs at the aggregation layer to implement link redundancy. On a closed ring network, two edge interfaces are deployed on one edge device. l Multiple-ring networking
Issue 01 (2011-10-26)
508
Figure 10-5 Networking diagram for multiple rings running SEP
Core
IP/MPLS Core
NPE1
VRRP+peer BFD
NPE2
Aggregation
LSW1 SEP Segment 1 LSW2 LSW3
LSW5
LSW4
Se
P t3 SE en gm
S gm EP en t2
Se
LSW6
Access
LSW8 LSW7 LSW10
LSW12 SEP Segment 5
SEP Segment 4
LSW9
LSW14 LSW13
LSW11 Block Port
As shown in Figure 10-5, LSW1 to LSW14 form multiple rings. LSW1 to LSW5 are at the aggregation layer, and LSW6 to LSW14 are at the access layer. Layer 2 services are transparently transmitted at the access layer and the aggregation layer. SEP runs at the aggregation layer and access layer to implement link redundancy. If the topology of a SEP segment at the access layer changes, a node in the SEP segment sends a Flush-FDB packet to instruct the other nodes in the SEP segment to refresh their MAC address forwarding tables and ARP tables. The edge devices in the SEP segment send TC packets to notify devices at the upper layer that the topology of the SEP segment has changed. In multi-ring networking, topology change notification among ring networks needs to be configured. l Hybrid networking Hybrid SEP+MSTP ring networking
Issue 01 (2011-10-26)
509
Figure 10-6 Networking diagram for hybrid rings running SEP+MSTP
Core
IP/MPLS Core
NPE1
VRRP+peer BFD
NPE2
Aggregation
PE3 MSTP PE1
PE4
PE2
Do not Support SEP

Access
SEP Segment LSW1 LSW3 No-neighbor Primary Edge Node No-neighbor Secondary Edge Node Block Port LSW2
As shown in Figure 10-6, LSW1 to LSW3 form a SEP segment to access an MSTP ring. The networking is called hybrid SEP+MSTP ring networking. LSW1 to LSW3 are at the access layer to transparently transmit Layer 2 unicast and multicast packets. SEP runs at the access layer to implement link redundancy. If the topology of the SEP segment at the access layer changes, a node in the SEP segment sends a Flush-FDB packet to instruct the other nodes in the SEP segment to refresh their MAC forwarding tables and ARP tables. LSW1 and LSW2 in the SEP segment send TC packets to notify devices at the upper-layer that the topology of the SEP segment has changed. In hybrid SEP+MSTP ring networking, no-neighbor edge interfaces need to be deployed on the edge devices of SEP networks, and the SEP networks need to report topology changes to STP networks. Hybrid SEP+RRPP ring networking
Issue 01 (2011-10-26)
510
Figure 10-7 Networking diagram for hybrid rings running SEP+RRPP
Core
IP/MPLS Core
NPE1
VRRP+peer BFD
NPE2
Aggregation
PE3 RRPP PE1
PE4
PE2
Access
SEP Segment LSW1 LSW3 Primary Edge Node Secondary Edge Node Block Port LSW2
As shown in Figure 10-7, PE1, PE2 and LSW1 to LSW3 form a SEP segment to access an RRPP ring. The networking is called hybrid SEP+RRPP ring networking. PE1, PE2 and LSW1 to LSW3 are at the access layer to transparently transmit Layer 2 unicast and multicast packets. SEP runs at the access layer to implement link redundancy. If the topology of the SEP segment at the access layer changes, a node in the SEP segment sends a Flush-FDB packet to instruct the other nodes in the SEP segment to refresh their MAC forwarding tables and ARP tables. PE1 and PE2 in the SEP segment send TC packets to notify devices at the upper-layer that the topology of the SEP segment has changed. In hybrid SEP+RRPP ring networking, the SEP networks need to report topology changes to RRPP networks on the edge devices of SEP networks.
NOTE
The basic SEP configurations in the preceding topologies are the same, except for the locations and configurations of the primary edge interface, no-neighbor primary edge interface, secondary edge interface, and no-neighbor secondary edge interface. For details about these interfaces, see Table 10-2.
Issue 01 (2011-10-26)
511
10.1.2 SEP Features Supported by the S9300

This section describes SEP features supported by the S9300 from the perspective of SEP configuration logic. Familiarizing yourself with SEP configuration logic helps you complete configuration tasks quickly and efficiently. SEP configuration roadmap is as follows: 1. After basic SEP functions are configured on devices, the devices start the SEP negotiation. One of the last two interfaces that complete neighbor negotiation is blocked to eliminate redundant links.
NOTE
When logging in to nodes on a SEP semi-ring through Telnet to configure them, note the following points: l VLANIF interfaces and their IP address need to be configured, because these nodes are Layer 2 devices. The VLANs to which these VLANIF interfaces correspond must be mapped to the SEP protection instance. l Basic SEP functions need to be configured from the node at one end of the semi-ring to the node at the other end of the semi-ring.
2. 3.
In some cases, however, the blocked interface obtained through the SEP calculation may not be the one you expect to be blocked. You can specify an interface to block as needed. To implement load balancing and make efficient use of bandwidth, protected instances need to be deployed on a network running SEP and mappings between protected instances and VLANs need to be worked out. A SEP network usually needs to work together with another network deployed with other features. To ensure network reliability, if the topology of either of the networks changes, the other network must be able to detect the topology change and take measures to implement reliable data transmission. Therefore, the topology change notification function needs to be enabled on the network running SEP.
4.
Specifying an Interface to Block

In general, a blocked interface is one of the last two interfaces that complete neighbor negotiation. In some cases, however, the negotiated blocked interface may not be the one you expect to be blocked. You specify an interface to block as needed. The designated blocking does not, however, become effective immediately. A preemption mechanism allows a designated interface to be blocked instead of a previously blocked interface. l Interface blocking mode You can configure an interface blocking mode in order to specify the location of a blocked interface. Table 10-4 lists interface blocking modes. Table 10-4 Interface blocking mode Interface Blocking Mode Specifying the interface with the highest priority as the blocked interface Description Is applicable to a large-scale network. After fault recovery, the interface with the highest priority in a SEP segment is designated as the blocked interface. In this mode, the priorities of the interfaces on the SEP segment need to be set in advanced.
512
Issue 01 (2011-10-26)
Interface Blocking Mode Specifying the interface in the middle of a SEP segment as the blocked interface Specifying the blocked interface based on the configured hop count
Description Is applicable to a network where traffic is symmetrically distributed. After fault recovery, the interface in the middle of a SEP segment is designated as the blocked interface. Is applicable to a small-scale network. After fault recovery, a specified interface can be blocked based on the hop count. A network planner needs to be familiar with the topology of the entire SEP segment and the number of hops from the blocked interface to the primaryedge interface. Is applicable to a small-scale network. After fault recovery, a specified interface can be blocked based on the device name and the interface name. A network planner needs to be familiar with the names of devices and interfaces on the entire SEP segment and ensures that each device name is unique.
Specifying the blocked interface based on the device name and interface name
Preemption After the interface blocking mode is specified, whether the specified interface will be blocked is determined by the preemption mode. Table 10-5 lists the preemption modes. Table 10-5 Preemption mode Preemption Mode Non-preemption mode Advantage SEP is in the nonpreemption mode by default. In this mode, blocking an interface does not disconnect any link in a SEP segment. Preemp tion mode Delaye d preemp tion Each time a fault is rectified, the system automatically completes preemption and ensures that the specified interface is blocked. l Related commands need to be used to specify the delayed preemption mode in advance. The preemption delay does not have a default value, and therefore related commands must be used to set the preemption delay. l After delayed preemption is configured successfully, a fault needs to be simulated to ensure that the specified interface is blocked. Disadvantage The blocked interface is one of the last two interfaces that complete neighbor negotiation.
Issue 01 (2011-10-26)
513
Preemption Mode Manual preemp tion
Advantage Whether the specified interface will be blocked can be controlled manually.
Disadvantage l The manual preemption mode needs to be specified in advance. l After related faults are rectified and the preemption action is taken, manual preemption does not take effect. Manual preemption needs to be configured so that the specified interface is blocked after the next fault is rectified. This increases the maintenance workload.
NOTE
In preemption mode, blocking an interface temporarily disconnects a link in a SEP segment.
SEP Multi-Instance
As shown in Figure 10-8, in regular SEP networking, a physical ring network can be configured with only one SEP segment in which only one interface can be blocked. If an interface in the SEP segment in the complete state is blocked, all user data is transmitted only along the path where the primary edge interface is located. The path where the secondary edge interface is located is idle, which leads to a waste of bandwidth.
Issue 01 (2011-10-26)
514
Figure 10-8 Networking diagram for SEP multi-instance
IP/MPLS Core group 1:Master group 2:Backup NPE1 VRRP+peer BFD group 2:Master group 1:Backup NPE2
Core Aggregation
LSW2 SEP Segment1
LSW4
Access
LSW1 VLAN 100~200
LSW3 VLAN 201~400
CE1
CE2 Primary Edge Node Secondary Edge Node Block Port
SEP multi-instance allows two SEP segments to be configured on one physical ring network. All devices, interface roles, and control VLANs in each SEP segment must be configured by conforming to basic SEP configurations principles. Each SEP segment has one blocked interface. Each blocked interface detects whether the physical ring network is complete. The blocked interfaces in the two SEP segments are independent of each other. A physical ring network can be configured with one or two SEP segments. Each SEP segment needs to be configured with a protected instance and each protected instance represents a VLAN range. The topology calculated by a SEP segment is valid only for that SEP segment. After different protected instances are configured for SEP segments and the mapping between protected instances and VLANs is set, a blocked interface is valid only for the VLANs protected by the SEP segment where the blocked interface resides. Data traffic of different VLANs can be transmitted along different paths. This implements traffic load balancing and link backup.
Issue 01 (2011-10-26)
515
IP/MPLS Core
Core
group 1:Master group 2:Backup NPE1 VRRP+peer BFD
group 2:Master group 1:Backup NPE2
Aggregation
LSW2 SEP Segment2 P2 SEP Segment1 LSW1 LSW3
LSW4
P1
Access
Instance1: VLAN 100~200
CE1
As shown in Figure 10-9, the SEP multi-instance ring network that consists of LSW1 to LSW4 has two SEP segments. P1 is the blocked interface in SEP segment 1, and P2 is the blocked interface in SEP segment 2. l Protected instance 1 is configured in SEP segment 1 to protect the data of VLAN 100 to VLAN 200. The data is transmitted along path LSW1->LSW2->NPE1. As the blocked interface in SEP segment 2, P2 blocks only the data of VLAN 201 to VLAN 400. Protected instance 2 is configured in SEP segment 2 to protect the data of VLAN 201 to VLAN 400. The data is transmitted along path LSW3->LSW4->NPE2. As the blocked interface in SEP segment 1, P1 blocks only the data of VLAN 100 to VLAN 200.
In the case of a node or a link failure, each SEP segment calculates its own topology independently, and the nodes in each SEP segment update their LSA databases.
SEP Topology Change Notification

Table 10-6 lists the situations in which the topology of a SEP segment changes.
Issue 01 (2011-10-26)
516
Table 10-6 SEP topology changes SEP Topology Change Topology change caused by an interface fault Topology change caused by a fault being rectified and the preemption function taking effect Description If an interface on a device in a complete SEP segment becomes faulty, the topology of the SEP segment changes. An interface fault can be a link fault or a neighboring interface fault. One or more faults occur in the SEP segment. When the last fault is rectified and the blocked interface is preempted, the topology is considered changed.
Table 10-7 list the situations in which topology changes are reported. Table 10-7 SEP topology change notification SEP Topology Change Notification Topology change notification from a lowerlayer network to an upperlayer network Scenario Description Solution
Networking where a SEP network is connected to an upper-layer network running other features such as SEP, STP, RRPP and SmartLink
l If the blocked interface in a lower-layer SEP network is manually changed, the topology of the SEP segment changes. Because the upper-layer network cannot detect the topology change, traffic is interrupted. l If an interface in a lower-layer SEP network becomes faulty, the topology of the SEP segment changes but the upper-layer network cannot detect the change. As a result, traffic is interrupted.
Configure the SEP topology change notification function.
Issue 01 (2011-10-26)
517
SEP Topology Change Notification
Scenario
Description
Solution
Networking scenario where a host is connected to a SEP network by using a SmartLink group
During an active/standby switchover of member interfaces in the SmartLink group, the host sends a SmartLink Flush packet to notify the connected devices in the SEP segment of the switchover. If the connected devices in the SEP segment cannot identify the SmartLink Flush packet (that is, if these connected devices in the SEP segment cannot detect any topology change of the lower-layer network), traffic will be interrupted.
Enable the edge devices in the SEP segment to process SmartLink Flush packets.
Topology change notification from an upperlayer network to a lower-layer network
Networking scenario where a SEP network is connected to an upper-layer network configured with CFM.
If a fault occurs on the upper-layer network, the topology of that network changes but the lowerlayer network cannot detect the change. As a result, traffic is interrupted.
Configure association between SEP and CFM.
10.2 Configuring Basic SEP Functions

When there is no faulty link on a ring network running SEP, SEP can eliminate loops on the Ethernet. When a link fault occurs on a ring network running SEP, SEP can immediately restore the communication links between the nodes.

Before configuring basic SEP functions, familiarize yourself with the applicable environment, complete the pre-configuration tasks, and obtain the required data. This can help you complete the configuration task quickly and efficiently.
Generally, redundant links are used to connect an Ethernet switching network to an upper-layer network to provide link backup and enhance network reliability. The use of redundant links, however, may produce loops, causing broadcast storms and rendering the MAC address table unstable. As a result, the communication quality deteriorates, and communication services may even be interrupted. SEP can be deployed on the ring network to block redundant links and unblock them if a link fault occurs.
Issue 01 (2011-10-26)
518
Before configuring basic SEP functions, complete the following tasks: l l Establishing the ring networking Ensuring that the devices are powered on correctly and operate properly
Data Preparation
To configure basic SEP functions, you need the following data. No. 1 2 3 Data SEP segment ID ID of the control VLAN in the SEP segment Role of each interface added to the SEP segment
10.2.2 Configuring an SEP Segment

SEP takes an SEP segment as a basic unit. An SEP segment is composed of multiple interconnected Layer 2 switching devices configured with the same SEP segment ID and the same control VLAN ID.
Procedure
Step 1 Run:
system-view

sep segment segment-id
An SEP segment is created and the view of the SEP segment is displayed. Before deleting a created SEP segment, you need to check whether there is any interface added to the SEP segment. If there is an interface added to the SEP segment, run the undo sep segment segment-id command in the interface view to delete the interface from the SEP segment. Otherwise, the SEP segment cannot be deleted. ----End
10.2.3 Configuring a Control VLAN

In a SEP segment, a control VLAN is used to transmit SEP packets but not service packets, enhancing the security of SEP. Each SEP segment must be configured with a control VLAN. After being added to a SEP segment configured with a control VLAN, an interface is added to the control VLAN automatically.
Issue 01 (2011-10-26)
519
Context
NOTE
On a SEP network that has no-neighbor edge interfaces, a device that is not in a SEP segment cannot be added to the control VLAN of the SEP segment. Otherwise, a loop will be caused on the network.
Procedure
Step 1 Run:
system-view

A SEP segment is created and the view of the SEP segment is displayed. Step 3 Run:
control-vlan vlan-id
The control VLAN of the SEP segment is configured for transmitting SEP packets. The control VLAN specified by vlan-id must be newly created and must not have been used by RRPP or used in port trunk, default, mapping, or stacking mode. l Different SEP segments can use the same control VLAN. l If there is an interface added to the SEP segment, you cannot directly delete the control VLAN of the SEP segment. To delete the control VLAN, run the undo sep segment segment-id command in the interface view to delete the interface from the SEP segment, and then run the undo control-vlan command to delete the control VLAN. l If there is no interface added to the SEP segment, you can run the control-vlan vlan-id command for multiple times. Only the latest configuration takes effect. l After the control VLAN is created successfully, the command used to create a common VLAN will be displayed in the configuration file. Each SEP segment must be configured with a control VLAN. After an interface is added to a SEP segment configured with a control VLAN, the interface will be automatically added to the control VLAN. If the interface type is Trunk, in the configuration file, the port trunk allow-pass vlan command is displayed in the view of the interface added to the SEP segment. If the interface type is Hybrid, in the configuration file, the port hybrid tagged vlan command is displayed in the view of the interface added to the SEP segment. ----End
10.2.4 Creating a Protected Instance

Interfaces can be added to an SEP segment only after the SEP segment is configured with protected instances.
Procedure
Step 1 Run:
system-view
Issue 01 (2011-10-26)
520

protected-instance { all | { instance-id1 [ to instance-id2 ] &<1-10> } }
A protected instance is created in a SEP segment. By default, no protected instance is configured in a SEP segment. ----End
10.2.5 Adding a Layer 2 Interface to a SEP Segment and Configuring a Role for the Interface
To ensure the normal forwarding of SEP packets in a SEP segment, add Layer 2 interfaces to the SEP segment and configure different roles for the interfaces.
Context
After an interface is added to SEP segment, the interface sets its interface role to the primary edge interface if the interface has the right to participate in the election of the primary edge interface. Then, the interface periodically sends a primary edge interface-election packet without waiting for the success of neighbor negotiation. The primary edge interface-election packet contains the role of the interface (primary edge interface, secondary edge interface, or common interface), the bridge MAC address of the interface, interface ID, and the status of the topology database. Table 10-8 lists interface roles. Table 10-8 Interface roles Interface roles Common port Sub-role Description In a SEP segment, all interfaces except edge interfaces and the blocked interface are common interfaces. A common interface monitors the status of its directly connected SEP link and notifies its neighboring interface of link status changes in time. The neighboring interface constantly floods the notification message to other interfaces in the SEP segment until the message reaches the primary edge interface. The primary edge interface then processes the message. Deployment Scenario -
Issue 01 (2011-10-26)
521
Interface roles Edge port
Sub-role Primary Edge Port
Description A SEP segment has only one primary edge interface. It can either be configured or be elected. The primary edge interface initiates blockedinterface preemption, terminates packets, and sends packets about topology changes to other networks.
Deployment Scenario Open ring network Closed ring network Multiple-ring networking Hybrid SEP +RRPP ring networking
Secondary edge port
A SEP segment has only one secondary edge interface. It can either be configured or be elected. A secondary edge interface terminates packets, and sends topology change notification messages to other networks.
Noneighbor primary edge port
The interface at the most marginal edge of a SEP segment is a no-neighbor primary edge interface, as shown in Figure 10-2. It is configured by users. A no-neighbor primary interface initiates blocked-interface preemption, terminates packets, and sends topology change notification messages to other networks. No-neighbor primary edge interfaces are used to interconnect Huawei devices and nonHuawei devices or devices that do not support SEP.
Hybrid SEP +MSTP ring networking
Noneighbor secondary edge port
A no-neighbor secondary edge interface terminates packets and sends topology change notification messages to other networks. No-neighbor secondary edge interfaces are used to interconnect non-Huawei devices and devices that do not support SEP.
NOTE
Normally, an edge interface and a no-neighbor edge interface belong to different SEP segments. Before adding a Layer 2 interface to a SEP segment, ensure that STP has been disabled on the interface. Before adding an interface to a SEP segment,configure a protected instance or a range of protected instances .
Procedure
Step 1 Run:
system-view
Issue 01 (2011-10-26)
522

The view of an Ethernet interface added to the SEP segment is displayed. Step 3 Run:
stp disable
STP is disabled on the interface. Step 4 Run:

sep segment segment-id [ edge [ no-neighbor ] { primary | secondary } ]
The Ethernet interface is added to a specified SEP segment and a role is configured for it.
NOTE
An interface can be added to only two SEP segments.
----End

After basic SEP functions are configured, you can view the information such as the names and roles of interfaces added to an SEP segment, status of the interfaces on neighbors, and forwarding status of the local interface.
Prerequisite
The configurations of basic SEP functions are complete.
Procedure
l Run the display sep interface [ interface-type interface-number | segment segment-id ] [ verbose ] command to check the information about interfaces that reside on the device and are added to a specified SEP segment. Run the display sep topology [ segment segment-id ] [ verbose ] command to check the topology status of a specified SEP segment.
----End
10.3 Specifying an Interface to Block

By default, the blocked interface is one of the last two interfaces that complete neighbor negotiation. Sometimes, the negotiated blocked interface, however, may not be the expected one. An interface can be selected to block as required.

Before specifying an interface to block, familiarize yourself with the applicable environment, complete the pre-configuration tasks, and obtain the required data. This can help you complete the configuration task quickly and efficiently.
In general, a blocked interface is one of the last two interfaces that complete neighbor negotiation. In some cases, however, the negotiated blocked interface may not be the one you expect to be blocked. You specify an interface to block as needed. The designated blocking does not, however, become effective immediately. A preemption mechanism allows a designated interface to be blocked instead of a previously blocked interface.
Before specifying an interface to block, complete the following task: l Configuring Basic SEP Functions
Data Preparation
To specify an interface to block, you need the following data. No. 1 2 Data Interface blocking mode SEP preemption mode
10.3.2 Setting an Interface Blocking Mode

Each interface in a SEP segment may become a blocked interface. You can specify an interface to block by configuring an interface blocking mode.
Context
In a SEP segment, an interface is blocked to prevent loops. You can configure an interface blocking mode in order to specify the location of a blocked interface. Table 10-9 lists interface blocking modes. Table 10-9 Interface blocking mode Interface Blocking Mode Specifying the interface with the highest priority as the blocked interface Description Is applicable to a large-scale network. After fault recovery, the interface with the highest priority in a SEP segment is designated as the blocked interface. In this mode, the priorities of the interfaces on the SEP segment need to be set in advanced. Is applicable to a network where traffic is symmetrically distributed. After fault recovery, the interface in the middle of a SEP segment is designated as the blocked interface.
524
Specifying the interface in the middle of a SEP segment as the blocked interface
Issue 01 (2011-10-26)
Interface Blocking Mode Specifying the blocked interface based on the configured hop count
Description Is applicable to a small-scale network. After fault recovery, a specified interface can be blocked based on the hop count. A network planner needs to be familiar with the topology of the entire SEP segment and the number of hops from the blocked interface to the primary-edge interface. Is applicable to a small-scale network. After fault recovery, a specified interface can be blocked based on the device name and the interface name. A network planner needs to be familiar with the names of devices and interfaces on the entire SEP segment and ensures that each device name is unique.
Specifying the blocked interface based on the device name and interface name
Do as follows on the device where the primary edge interface or the no-neighbor primary edge interface is located:
Procedure
Step 1 Run:
system-view

block port { optimal | middle | hop hop-id | sysname sysname interface interfacetype interface-number }
An interface blocking mode is set. By default, one of the interfaces at both ends of the last link that is set up or the last link that recovers from a fault is blocked. l optimal specifies the interface with the highest priority as the blocked interface. l middle specifies the interface in the middle of the SEP segment as the blocked interface. l hop specifies the interface that is hop-id hops away from the primary edge interface as the blocked interface. If hop-id is set to 1, it indicates that the blocked interface is the primary edge interface. If hop-id is set to 2, it indicates that the blocked interface is the neighboring interface of the primary edge interface. The hop count increases along with the number of downstream neighbors of the primary edge interface. l sysname+interface specifies the name of the device where the interface to be blocked resides.
For information on how to select an interface blocking mode, see the preceding table. ----End
Follow-up Procedure
If the interface that has the highest priority is specified to block, run the sep segment segmentid priority priority command in the view of the interface to be blocked to increase its priority. When a fault is rectified, the specified interface will be blocked. The default priority of an interface added to a SEP segment is 64. The priority value of an interface is an integer ranging from 1 to 128. The greater the priority value, the higher the priority.
10.3.3 Configuring the Preemption Mode

The SEP preemption mode is classified into delay preemption and manual preemption.
Context
After the interface blocking mode is specified, whether the specified interface will be blocked is determined by the preemption mode. Table 10-10 lists the preemption modes. Table 10-10 Preemption mode Preemption Mode Non-preemption mode Advantage SEP is in the nonpreemption mode by default. In this mode, blocking an interface does not disconnect any link in a SEP segment. Preempt ion mode Delayed preempt ion Each time a fault is rectified, the system automatically completes preemption and ensures that the specified interface is blocked. l Related commands need to be used to specify the delayed preemption mode in advance. The preemption delay does not have a default value, and therefore related commands must be used to set the preemption delay. l After delayed preemption is configured successfully, a fault needs to be simulated to ensure that the specified interface is blocked. Disadvantage The blocked interface is one of the last two interfaces that complete neighbor negotiation.
Issue 01 (2011-10-26)
526
Preemption Mode Manual preempt ion
Advantage Whether the specified interface will be blocked can be controlled manually.
Disadvantage l The manual preemption mode needs to be specified in advance. l After related faults are rectified and the preemption action is taken, manual preemption does not take effect. Manual preemption needs to be configured so that the specified interface is blocked after the next fault is rectified. This increases the maintenance workload.
The following conditions must be met to trigger preemption: l l l The topology of the SEP segment must be normal. The primary edge interface or no-neighbor primary edge interface has been elected in the SEP segment. The function of flexibly specifying a blocked interface is enabled on the device where the primary edge interface or no-neighbor primary edge interface resides.
Do as follows on the Layer 2 switching device where the primary edge interface or the noneighbour primary edge interface is elected.
Procedure
Step 1 Run:
system-view

preempt { manual | delay seconds }
The preemption mode is configured on the primary edge interface. By default, the primary edge interface is not configured with the preemption mode, that is, the non-preemption mode is adopted. ----End

After specifying an interface to block, you can view information about a specified blocked interface.
Prerequisite
The configurations of specifying an interface to block are complete.
Procedure
l Run the display sep topology [ segment segment-id ] [ verbose ] command to check the topology status of a specified SEP segment.
----End
10.4 Configuring SEP Multi-Instance

SEP multi-instance allows two SEP segments to be configured on a physical ring network. After different protected instances are configured for the SEP segments and VLANs are mapped to specified protected instances, load balancing and link backup can be implemented for service traffic.

Before configuring SEP multi-instance, familiarize yourself with the applicable environment, complete the pre-configuration tasks, and obtain the required data. This will help you complete the configuration task quickly and efficiently.
in regular SEP networking, a physical ring network can be configured with only one SEP segment in which only one interface can be blocked. If an interface in the SEP segment in the complete state is blocked, all user data is transmitted only along the path where the primary edge interface is located. The path where the secondary edge interface is located is idle, which leads to a waste of bandwidth.
Issue 01 (2011-10-26)
528
IP/MPLS Core
Core
group 1:Master group 2:Backup NPE1 VRRP+peer BFD
group 2:Master group 1:Backup NPE2
Aggregation
LSW2 SEP Segment2 P2 SEP Segment1 LSW1 LSW3
LSW4
P1
Access
CE1
To solve the problem of bandwidth waste and to implement traffic load balancing and link backup, multi-instance can be deployed in the SEP network and mappings between protected instances and user VLANs need to be set, as shown in Figure 10-10. Data traffic of different VLANs can be transmitted along different paths.
NOTE
Currently, SEP multi-instance allows two SEP segments to be configured on a physical ring network.
Before configuring SEP multi-instance, complete the following tasks: l l Configuring Basic SEP Functions Specifying an Interface to Block
Data Preparation
To configure SEP multi-instance, you need the following data.
No. 1 2
Data ID of a protected instance in a SEP segment ID of a VLAN mapped to a protected instance
10.4.2 Configuring and Activating Mappings Between Protected Instances and VLANs
A physical ring network can be configured with one or two SEP segments. To ensure proper traffic transmission, each SEP segment needs to be configured with a protected instance. After mappings between protected instances and specified VLANs are configured, load balancing and link backup can be implemented.
Context
After mappings between protected instances and VLANs are configured, the mappings need to be activated to implement load balancing and link backup.
Procedure
Step 1 Run:
system-view

stp region-configuration
The MST region view is displayed. Step 3 Run:

instance instance-id vlan { vlan-id [ to vlan-id ] } &<1-10>
Mappings between protected instances and VLANs are configured. The value of instance-id specified in this command must be consistent with that of instance-id specified in the protected-instance command. Step 4 Run:
active region-configuration
Mappings between protected instances and VLANs are activated. After mappings between protected instances and VLANs take effect, topology changes of a SEP segment affect only corresponding VLANs. This ensures reliable transmission of user data. ----End

After configuring SEP multi-instance on a ring network, you can view the blocked interface in each SEP segment.
Prerequisite
The configurations of SEP multi-instance are complete.
Procedure
l Run the display sep topology [ segment segment-id ] [ verbose ] command to check the topology status of a specified SEP segment.
----End
10.5 Configuring the Topology Change Notification Function

The function of advertising topology changes is configured on the device connecting a lowerlevel network to an upper-level network. With this function, the device can notify the remote device of topology changes of the lower-level and upper-level networks. After being notified of these topology changes, all the devices on the network where the remote device resides delete associated MAC addresses and ARP entry in time and relearn the MAC address of the remote device. This ensures nonstop traffic forwarding.

Before configuring the topology change notification function, familiarize yourself with the applicable environment, complete the pre-configuration tasks, and obtain the required data. This will help you complete the configuration task quickly and efficiently.
Currently, the S9300 can report topology changes in two modes, as shown in Table 10-11. You can select a mode as needed.
Issue 01 (2011-10-26)
531
Table 10-11 SEP topology change notification SEP Topology Change Notification Topology change notification from a lowerlayer network to an upperlayer network Scenario Description Solution
Networking where a SEP network is connected to an upper-layer network running other features such as SEP, STP, RRPP and SmartLink
l If the blocked interface in a lower-layer SEP network is manually changed, the topology of the SEP segment changes. Because the upper-layer network cannot detect the topology change, traffic is interrupted. l If an interface in a lower-layer SEP network becomes faulty, the topology of the SEP segment changes but the upper-layer network cannot detect the change. As a result, traffic is interrupted.
Configure the SEP topology change notification function.
Networking scenario where a host is connected to a SEP network by using a SmartLink group
During an active/standby switchover of member interfaces in the SmartLink group, the host sends a SmartLink Flush packet to notify the connected devices in the SEP segment of the switchover. If the connected devices in the SEP segment cannot identify the SmartLink Flush packet (that is, if these connected devices in the SEP segment cannot detect any topology change of the lower-layer network), traffic will be interrupted.
Enable the edge devices in the SEP segment to process SmartLink Flush packets.
Topology change notification from an upperlayer network to a lower-layer network
Networking scenario where a SEP network is connected to an upper-layer network configured with CFM.
If a fault occurs on the upper-layer network, the topology of that network changes but the lowerlayer network cannot detect the change. As a result, traffic is interrupted.
Configure association between SEP and CFM.
Before configuring the topology change notification function, complete the following tasks: l l
Issue 01 (2011-10-26)
Configuring Basic SEP Functions Specifying an Interface to Block

Data Preparation
To configure the topology change notification function, you need the following data. No. 1 2 Data SEP segment ID Mode of reporting topology changes Names of the Maintenance Domain (MD) and the Maintenance Association (MA), ID and type of a MEP, name of the interface on which the Maintenance association End Point (MEP) resides, name of the interface enabled with Ethernet CFM, and name of the interface associated with Ethernet CFM
10.5.2 Reporting Topology Changes of a Lower-Layer Network SEP Topology Change Notification
SEP runs at the access layer. To help an upper-layer network to detect whether the topology of the network at the access layer changes, configure the SEP topology change notification function on the device connecting the lower-layer network to the upper-layer network.
Context
If the topology of a specified SEP segment changes but the topology change is not reported to the upper-layer network in time, the MAC address tables of the devices on the upper-layer network retain the MAC address entries generated before the topology of the lower-layer network changes. As a result, user traffic is interrupted. To ensure nonstop traffic forwarding, configure the device on the lower-layer network to report topology changes to the upper-layer network. The objects that are notified of topology changes can be specified as needed.
NOTE
Currently, topology changes of a SEP segment can be reported to other SEP segments, STP networks, RRPP networks and SmartLink networks
After receiving a packet indicating topology changes of a lower-layer network, a device on an upper-layer network sends TC packets locally to instruct the other devices on this network to clear associated MAC addresses and relearn MAC addresses after the topology of the lowerlayer network changes. This ensures nonstop traffic forwarding.
Procedure
Step 1 Run:
system-view

tc-notify { segment { segment-id1 [ to segment-id2 ] } &<1-10> | stp | rrpp | smartlink send-packet vlan vlan-id }
The topology change of a specified SEP segment is reported to another SEP segment or a network running other ring protocols such as STP or RRPP. By default, the topology change of a SEP segment is not reported. ----End
Follow-up Procedure
In the networking scenario where three or more SEP ring networks exist, when a TC notification packet is sent through multiple links, the upper-layer network will receive it multiple times. This reduces the efficiency for processing packets on the upper-layer network. Therefore, TC notification packets need to be suppressed. Suppressing TC notification packets frees the upperlayer network from processing multiple duplicate packets and protects the devices in the SEP segment against TC notification packet attacks. Run the tc-protection interval interval-value command in the SEP-segment view to set the interval for suppressing TC notification packets. By default, the interval for suppressing TC notification packets is 2s, and three TC notification packets with different source addresses are processed within 2s.
NOTE
l In the networking scenario where three or more SEP ring networks exist, this command must be run. If this command is not run, the default interval for suppressing TC notification packets is used. l A longer interval ensures stable SEP operating but deteriorates the convergence performance.
10.5.3 Reporting Topology Changes of a Lower-Layer Network Enabling the Edge Devices in a SEP Segment to Process SmartLink Flush Packets
In the networking where a host is connected to a SEP network by using a SmartLink group , if the active/standby switchover of member interfaces in the SmartLink group occurs, the host sends SmartLink Flush packets to inform the edge devices in the SEP segment of the switchover. Therefore, the edge devices in the SEP segment must be able to process SmartLink Flush packets.
Procedure
Step 1 Run:
system-view

deal smart-link-flush
An edge device in a SEP segment is enabled to process SmartLink Flush packets.

After receiving a SmartLink Flush packet, the edge device in a SEP segment floods FLUSHFDB packets to notify the other devices in the SEP segment of topology changes. By default, no device in a SEP segment is enabled to process SmartLink Flush packets. ----End
10.5.4 Reporting Topology Changes of an Upper-Layer Network Configuring Association Between SEP and CFM
SEP runs at the access layer or aggregation layer. To help SEP networks to detect whether the topology of an upper-layer network changes, you must configure association between SEP and CFM on the device connecting the lower-layer network to the upper-layer network.
Context
When CFM detects a fault on the upper-layer network, the edge device notifies the OAM module of the fault by sending a CFM packet. Then, on the edge device, the SEP status of the interface associated with CFM changes to Down. After the SEP status of the interface associated with CFM on the edge device is Down, an interface on the peer device of the edge device in the SEP segment needs to send a Flush-FDB packet to notify other nodes that the topology changes. After a device in the SEP segment receives the Flush-FDB packet, the blocked interface on the device is unblocked and enters the Forwarding state. Then, the interface sends a Flush-FDB packet to instruct the other nodes in the SEP segment to refresh the MAC address forwarding table and the ARP table. Therefore, the lower-layer network can sense the fault of the upper-layer network, and the reliable transmission of services is ensured.
NOTE
IEEE 802.1ag defines protocols and practices for Operations, Administration and Maintenance (OAM). IEEE 802.1ag Ethernet CFM protocols comprise three protocols that work together to help administrators debug Ethernet networks. These protocols are continuity check, link trace and loopback protocols. CFM provides network-level OAM and is applicable to large-scaled end-to-end networking.
Procedure
Step 1 Run:
system-view

oam-mgr
The OAM management view is displayed. Step 3 Run:

oam-bind ingress cfm md md-name ma ma-name egress sep segment segment-id interface interface-type interface-number
Association between SEP and CFM is configured. l md md-name: specifies a maintenance domain (MD). The total length of md-name and maname cannot be greater than 44 characters.
l ma ma-name: specifies a maintenance association (MA). The total length of md-name and ma-name cannot be greater than 44 characters. l interface must have been added to the SEP segment. ----End

After configuring the topology change notification function, you can view the objects that are notified of topology changes.
Prerequisite
The configurations of the topology change notification function are complete.
Procedure
l l Run the display sep interface verbose command to check the configuration of reporting changes in the lower-layer network topology. Run the display this command in the OAM management view to check the configuration of reporting changes in the upper-layer network topology.
----End
10.6 Maintaining SEP

This section describes the commands for maintaining SEP, including the commands for clearing SEP statistics.
10.6.1 Clearing SEP Statistics

You can run the reset command to reset the SEP statistics before recollecting SEP statistics.
Context
CAUTION
SEP statistics cannot be restored after being cleared. Therefore, perform the action with caution.
Procedure
Step 1 Run the reset sep interface interface-type interface-number statistics command in the user view to clear SEP statistics. ----End
10.6.2 Debugging SEP

When a fault occurs during the running of SEP, run the following debugging command in the user view to display the debugging information and locate the fault.
Context
CAUTION
Debugging affects the performance of the system. So, after debugging, run the undo debugging all command to disable it immediately.
Procedure
Step 1 Run the debugging sep { all | common | error | machine | message | pdu [ [ epa | lsa | nbr | preempt ] [ transmit | receive ] ] } [ segment segment-id | interface interface-type interfacenumber ] command in the user view to debug SEP. ----End

This section describes the networking requirements, configuration roadmap, and data preparation for a typical SEP application and provides the configuration examples.
10.7.1 Example for Configuring SEP on a Closed Ring Network

In the closed ring networking, CE1 is dual homed to a Layer 2 network through multiple Layer 2 switching devices. The two edge devices connected to the upper-layer Layer 2 network are directly connected to each other. The closed ring network is deployed at the aggregation layer to implement Layer 2 transparent transmission of unicast and multicast packets. SEP runs at the aggregation layer to implement link redundancy.
Generally, redundant links are used to connect an Ethernet switching network to an upper-layer network to provide link backup and enhance network reliability. The use of redundant links, however, may produce loops, causing broadcast storms and rendering the MAC address table unstable. As a result, the communication quality deteriorates, and communication services may even be interrupted. SEP can be deployed on the ring network to block redundant links and unblock them if a link fault occurs. As shown in Figure 10-11, Layer 2 switching devices LSW1 to LSW5 form a ring network. In this networking mode: l SEP runs at the aggregation layer. When the ring network is functioning properly, SEP blocks the redundant Ethernet links. When a link on the ring fails, SEP can quickly restore communication between the nodes on the ring.
Issue 01 (2011-10-26)
537
Figure 10-11 Networking diagram of a closed ring SEP network
GE1/0/2 LSW1 GE1/0/1

Aggregation
GE1/0/3 GE1/0/3 SEP Segment1
GE1/0/2 LSW5 GE1/0/1
GE1/0/1 LSW2 GE1/0/2 GE1/0/1 GE1/0/1
GE1/0/1 LSW4 LSW3 GE1/0/2 GE1/0/3 Primary Edge Node Secondary Edge Node Block Port GE1/0/2
Access
CE1 VLAN 100
The configuration roadmap is as follows: 1. Configure basic SEP functions. (1) Configure SEP segment 1 on LSW1 to LSW5 and configure VLAN 10 as the control VLAN of SEP segment 1. (2) Add all devices on the ring to SEP segment 1, and configure the roles of GE1/0/1 and GE1/0/3 of LSW1 in SEP segment 1. (3) On the device where the primary edge port is located, specify that the port with the highest priority will be blocked. (4) Set priorities of the ports in the SEP segment. Set the highest priority for GE1/0/2 of LSW3 and retain the default priority of the other ports so that GE1/0/2 of LSW3 will be blocked. (5) Configure delayed preemption on the device where the primary edge port is located. 2. Configure the Layer 2 forwarding function on CE1 and LSW1 to LSW5.
Data Preparation
Issue 01 (2011-10-26)
SEP segment ID Control VLAN of the SEP segment Port roles in the SEP segment
l l l
Preemption mode Method of selecting the port to block Priorities of the ports in the SEP segment
Procedure
Step 1 Configure basic SEP functions. 1. Configure SEP segment 1 on LSW1 to LSW5 and configure VLAN 10 as the control VLAN of SEP segment 1. # Configure LSW1.
<Quidway> system-view [Quidway] sysname LSW1 [LSW1] sep segment 1 [LSW1-sep-segment1] control-vlan 10 [LSW1-sep-segment1] protected-instance all [LSW1-sep-segment1] quit
# Configure LSW2.
# Configure LSW3.
# Configure LSW4.
# Configure LSW5.
NOTE
l The control VLAN must be a VLAN that has not been created or used, but the configuration file automatically displays the command for creating the VLAN. l Each SEP segment must be configured with a control VLAN. After an interface is added to the SEP segment configured with a control VLAN, the interface is automatically added to the control VLAN.
2.
Add all devices on the ring to SEP segment 1 and configure port roles on the devices.
NOTE
By default, STP is enabled on a Layer 2 interface. Before adding an interface to the SEP segment, disable STP on the interface.
# On LSW1, configure GE1/0/1 as the primary edge port and GE1/0/3 as the secondary edge port.

[LSW1] interface gigabitethernet 1/0/1 [LSW1-GigabitEthernet1/0/1] stp disable [LSW1-GigabitEthernet1/0/1] sep segment 1 edge primary [LSW1-GigabitEthernet1/0/1] quit [LSW1] interface gigabitethernet 1/0/3 [LSW1-GigabitEthernet1/0/3] stp disable [LSW1-GigabitEthernet1/0/3] sep segment 1 edge secondary [LSW1-GigabitEthernet1/0/3] quit
# Configure LSW2.
[LSW2] interface gigabitethernet 1/0/1 [LSW2-GigabitEthernet1/0/1] stp disable [LSW2-GigabitEthernet1/0/1] sep segment 1 [LSW2-GigabitEthernet1/0/1] quit [LSW2] interface gigabitethernet 1/0/2 [LSW2-GigabitEthernet1/0/2] stp disable [LSW2-GigabitEthernet1/0/2] sep segment 1 [LSW2-GigabitEthernet1/0/2] quit
# Configure LSW3.
# Configure LSW4.
# Configure LSW5.
3.
Specify a port to block. # On LSW1 where the primary edge port is located, specify that the port with the highest priority is blocked.
[LSW1] sep segment 1 [LSW1-sep-segment1] block port optimal
4.
Set the priority of GE1/0/2 on LSW3.

[LSW3] interface gigabitethernet 1/0/2 [LSW3-GigabitEthernet1/0/2] sep segment 1 priority 128 [LSW3-GigabitEthernet1/0/2] quit
5.
Configure the preemption mode. # Configure the delayed preemption mode on LSW1.
[LSW1-sep-segment1] preempt delay 30 [LSW1-sep-segment1] quit
Issue 01 (2011-10-26)
540

NOTE
l You must set the preemption delay when delayed preemption is adopted because there is no default delay time. l After all the faulty ports recover, the edge ports no longer receive fault notification packets. If the primary edge port does not receive any fault notification packet, it starts the delay timer. When the delay timer expires, nodes in the SEP segment start blocked port preemption. To implement delayed preemption in this example, you need to simulate a port fault and then rectify the fault. For example: Run the shutdown command on GE1/0/2 of LSW2 to simulate a port fault, and then run the undo shutdown command on GE1/0/2 to rectify the fault.
Step 2 Configure the Layer 2 forwarding function on CE1 and LSW1 to LSW5. For details about the configuration, see the configuration files. Step 3 Verify the configuration. l Run the shutdown command on GE1/0/1 of LSW3 to simulate a port fault, and then run the display sep interface command on LSW3 to check whether GE1/0/2 of LSW3 has switched from the Discarding state to the Forwarding state.
<LSW3> display sep interface gigabitethernet 1/0/2 SEP segment 1 ---------------------------------------------------------------Interface Port Role Neighbor Status Port Status ---------------------------------------------------------------GE1/0/2 common up forwarding
----End
Configuration Files
l Configuration file of LSW1
# sysname LSW1 # vlan batch 10 100 200 # sep segment 1 control-vlan 10 block port optimal preempt delay 30 protected-instance 0 to 48 # interface GigabitEthernet1/0/1 port hybrid tagged vlan 10 100 stp disable sep segment 1 edge primary # interface GigabitEthernet1/0/2 port hybrid pvid vlan 200 port hybrid tagged vlan 100 port hybrid untagged vlan 200 # interface GigabitEthernet1/0/3 port hybrid tagged vlan 10 100 200 stp disable sep segment 1 edge secondary # return
Configuration file of LSW2

# sysname LSW2 #
Issue 01 (2011-10-26)
541

vlan batch 10 100 # sep segment 1 control-vlan 10 protected-instance 0 to 48 # interface GigabitEthernet1/0/1 port hybrid tagged vlan 10 100 stp disable sep segment 1 # interface GigabitEthernet1/0/2 port hybrid tagged vlan 10 100 stp disable sep segment 1 # return

# sysname LSW3 # vlan batch 10 100 # sep segment 1 control-vlan 10 protected-instance 0 to 48 # interface GigabitEthernet1/0/1 port hybrid tagged vlan 10 100 stp disable sep segment 1 # interface GigabitEthernet1/0/2 port hybrid tagged vlan 10 100 stp disable sep segment 1 sep segment 1 priority 128 # interface GigabitEthernet1/0/3 port hybrid tagged vlan 100 # return

# sysname LSW4 # vlan batch 10 100 # sep segment 1 control-vlan 10 protected-instance 0 to 48 # interface GigabitEthernet1/0/1 port hybrid tagged vlan 10 100 stp disable sep segment 1 # interface GigabitEthernet1/0/2 port hybrid tagged vlan 10 100 stp disable sep segment 1 # return

# sysname LSW5 #
Issue 01 (2011-10-26)
542

vlan batch 10 100 200 # sep segment 1 control-vlan 10 protected-instance 0 to 48 # interface GigabitEthernet1/0/1 port hybrid tagged vlan 10 100 stp disable sep segment 1 # interface GigabitEthernet1/0/2 port hybrid pvid vlan 200 port hybrid tagged vlan 100 port hybrid untagged vlan 200 # interface GigabitEthernet1/0/3 port hybrid tagged vlan 10 100 200 stp disable sep segment 1 # return

# sysname CE1 # vlan batch 100 # interface GigabitEthernet1/0/1 port hybrid tagged vlan 100 # return
10.7.2 Example for Configuring SEP on a Multi-ring Network

In multi-ring networking, multiple rings consisting of Layer 2 switching devices are deployed at the access layer and aggregation layer. SEP runs at the access layer and aggregation layer to implement link redundancy.
Generally, redundant links are used to connect an Ethernet switching network to an upper-layer network to provide link backup and enhance network reliability. The use of redundant links, however, may produce loops, causing broadcast storms and rendering the MAC address table unstable. As a result, the communication quality deteriorates, and communication services may even be interrupted. SEP can be deployed on the ring network to block redundant links and unblock them if a link fault occurs. As shown in Figure 10-12, multiple Layer 2 switching devices form ring networks at the access layer and aggregation layer. In this networking mode: l SEP runs at the access layer and aggregation layer. When the ring network is functioning properly, SEP blocks the redundant Ethernet links. When a link on the ring fails, SEP can quickly restore communication between the nodes on the ring.
Issue 01 (2011-10-26)
543
Figure 10-12 Networking diagram of a multi-ring SEP network
LSW1
Aggregation
GE1/0/3 GE1/0/3 SEP Segment 1
LSW5 GE1/0/1 GE1/0/3 LSW4 GE1/0/1
GE1/0/1 GE1/0/1 LSW2 GE1/0/2 GE1/0/1 LSW6 GE1/0/2 GE1/0/1
G GE1/0/2 E1 /0 LSW3 /3 GE1/0/4 GE1/0/2 GE1/0/1 Se S gm EP GE1/0/2 en t3 LSW8
Se S gm EP en t2
GE1/0/2 LSW11 GE1/0/1 GE1/0/2
GE1/0/1 GE1/0/2
GE1/0/1 LSW9 GE1/0/1
Access
LSW7 GE1/0/3 GE1/0/1 CE2 VLAN 200
LSW10 GE1/0/3 GE1/0/1 CE1 VLAN 100
Primary Edge Node Secondary Edge Node Block Port
Control VLAN 10 Control VLAN 20 Control VLAN 30
The configuration roadmap is as follows: 1. Configure basic SEP functions. (1) Configure SEP segments 1 to 3 and configure VLAN 10, VLAN 20, and VLAN 30 as their control VLANs. l Configure SEP segment 1 on LSW1 to LSW5 and configure VLAN 10 as the control VLAN of SEP segment 1. l Configure SEP segment 2 on LSW2, LSW3, and LSW6 to LSW8, and configure VLAN 20 as the control VLAN of SEP segment 2. l Configure SEP segment 3 on LSW3, LSW4, and LSW9 to LSW11, and configure VLAN 30 as the control VLAN of SEP segment 3. (2) Add devices on the rings to the SEP segments and configure port roles on the edge devices of the SEP segments.
l On LSW1 to LSW5, add the interfaces on the ring at the access layer to SEP segment 1. Configure the roles of GE1/0/1 and GE1/0/3 of LSW1 in SEP segment 1. l Add GE1/0/2 of LSW2, GE1/0/1 and GE1/0/2 of LSW6 to LSW8, and GE1/0/2 of LSW3 to SEP segment 2. Configure the roles of GE1/0/2 of LSW2 and GE1/0/2 of LSW3 in SEP segment 2. l Add GE1/0/1 of LSW3, GE1/0/1 and GE1/0/2 of LSW9 to LSW11, and GE1/0/1 of LSW4 to SEP segment 3. Configure the roles of GE1/0/1 of LSW2 and GE1/0/1 of LSW3 in SEP segment 3. (3) Specify the port to block on the device where the primary edge port is located. l In SEP segment 1, specify that the port with the highest priority will be blocked. l In SEP segment 2, specify the device name and port name to block the specified port. l In SEP segment 3, specify that the blocked port be selected according to the configured hop counts of ports. (4) Configure the preemption mode on the device where the primary edge port is located. Configure delayed preemption in SEP segment 1 and manual preemption in SEP segment 2 and SEP segment 3. (5) Configure the topology change notification function on the edge devices between SEP segments, namely, LSW2, LSW3, and LSW4. 2. Configure the Layer 2 forwarding function on CE1, CE2, and LSW1 to LSW11.
Data Preparation
To complete the configuration, you need the following data: l l l l l l SEP segment ID Control VLAN of the SEP segment Port roles in the SEP segment Preemption mode Method of selecting the port to block Priorities of the ports in the SEP segment
Procedure
Step 1 Configure basic SEP functions. 1. Configure SEP segments 1 to 3 and configure VLAN 10, VLAN 20, and VLAN 30 as their control VLANs, as shown in Figure 10-12. # Configure LSW1.
# Configure LSW2.
<Quidway> system-view [Quidway] sysname LSW2 [LSW2] sep segment 1
Issue 01 (2011-10-26)
545

[LSW2-sep-segment1] control-vlan 10 [LSW2-sep-segment1] protected-instance all [LSW2-sep-segment1] quit [LSW2] sep segment 2 [LSW2-sep-segment2] control-vlan 20 [LSW2-sep-segment2] protected-instance all [LSW2-sep-segment2] quit
# Configure LSW3.
<Quidway> system-view [Quidway] sysname LSW3 [LSW3] sep segment 1 [LSW3-sep-segment1] control-vlan 10 [LSW3-sep-segment1] protected-instance all [LSW3-sep-segment1] quit [LSW3] sep segment 2 [LSW3-sep-segment2] control-vlan 20 [LSW3-sep-segment2] protected-instance all [LSW3-sep-segment2] quit [LSW3] sep segment 3 [LSW3-sep-segment3] control-vlan 30 [LSW3-sep-segment3] protected-instance all [LSW3-sep-segment3] quit
# Configure LSW4.
<Quidway> system-view [Quidway] sysname LSW4 [LSW4] sep segment 1 [LSW4-sep-segment1] control-vlan 10 [LSW4-sep-segment1] protected-instance all [LSW4-sep-segment1] quit [LSW4] sep segment 3 [LSW4-sep-segment3] control-vlan 30 [LSW4-sep-segment3] protected-instance all [LSW4-sep-segment3] quit
# Configure LSW5.
# Configure LSW6 to LSW11. The configurations of LSW6 to LSW11 are similar to the configurations of LSW1 to LSW5 except for the control VLANs of different SEP segments. For details about the configuration, see the configuration files.
NOTE
2.
Add devices on the rings to the SEP segments and configure port roles according to Figure 10-12.
NOTE
# On LSW1, configure GE1/0/1 as the primary edge port and GE1/0/3 as the secondary edge port.
[LSW1] interface gigabitethernet 1/0/1 [LSW1-GigabitEthernet1/0/1] stp disable
Issue 01 (2011-10-26)
546

[LSW1-GigabitEthernet1/0/1] sep segment 1 edge primary [LSW1-GigabitEthernet1/0/1] quit [LSW1] interface gigabitethernet 1/0/3 [LSW1-GigabitEthernet1/0/3] stp disable [LSW1-GigabitEthernet1/0/3] sep segment 1 edge secondary [LSW1-GigabitEthernet1/0/3] quit
# Configure LSW2.
[LSW2] interface gigabitethernet 1/0/1 [LSW2-GigabitEthernet1/0/1] stp disable [LSW2-GigabitEthernet1/0/1] sep segment 1 [LSW2-GigabitEthernet1/0/1] quit [LSW2] interface gigabitethernet 1/0/3 [LSW2-GigabitEthernet1/0/3] stp disable [LSW2-GigabitEthernet1/0/3] sep segment 1 [LSW2-GigabitEthernet1/0/3] quit [LSW2] interface gigabitethernet 1/0/2 [LSW2-GigabitEthernet1/0/2] stp disable [LSW2-GigabitEthernet1/0/2] sep segment 2 edge primary [LSW2-GigabitEthernet1/0/2] quit
# Configure LSW3.
[LSW3] interface gigabitethernet 1/0/3 [LSW3-GigabitEthernet1/0/3] stp disable [LSW3-GigabitEthernet1/0/3] sep segment [LSW3-GigabitEthernet1/0/3] quit [LSW3] interface gigabitethernet 1/0/4 [LSW3-GigabitEthernet1/0/4] stp disable [LSW3-GigabitEthernet1/0/4] sep segment [LSW3-GigabitEthernet1/0/4] quit [LSW3] interface gigabitethernet 1/0/2 [LSW3-GigabitEthernet1/0/2] stp disable [LSW3-GigabitEthernet1/0/2] sep segment [LSW3-GigabitEthernet1/0/2] quit [LSW3] interface gigabitethernet 1/0/1 [LSW3-GigabitEthernet1/0/1] stp disable [LSW3-GigabitEthernet1/0/1] sep segment [LSW3-GigabitEthernet1/0/1] quit 1
2 edge secondary
3 edge secondary
# Configure LSW4.
[LSW4] interface gigabitethernet 1/0/2 [LSW4-GigabitEthernet1/0/2] stp disable [LSW4-GigabitEthernet1/0/2] sep segment 1 [LSW4-GigabitEthernet1/0/2] quit [LSW4] interface gigabitethernet 1/0/3 [LSW4-GigabitEthernet1/0/3] stp disable [LSW4-GigabitEthernet1/0/3] sep segment 1 [LSW4-GigabitEthernet1/0/3] quit [LSW4] interface gigabitethernet 1/0/1 [LSW4-GigabitEthernet1/0/1] stp disable [LSW4-GigabitEthernet1/0/1] sep segment 3 edge primary [LSW4-GigabitEthernet1/0/1] quit
# Configure LSW5.
# Configure LSW6 to LSW11. The configurations of LSW6 to LSW11 are similar to the configurations of LSW1 to LSW5 except for the port roles. For details about the configuration, see the configuration files.
3.
Specify the port to block. # On LSW1 where the primary edge port of SEP segment 1 is located, specify that the port with the highest priority be blocked.
[LSW1] sep segment 1 [LSW1-sep-segment1] block port optimal [LSW1-sep-segment1] quit
# On LSW3, set the priority of GE1/0/4 to 128, which is the highest priority among the ports so that GE1/0/4 will be blocked.
[LSW3] interface gigabitethernet 1/0/4 [LSW3-GigabitEthernet1/0/4] sep segment 1 priority 128 [LSW3-GigabitEthernet1/0/4] quit
Use the default priority for the other ports in SEP segment 1. # On LSW2 where the primary edge port of SPE segment 2 is located, specify the device name and port name so that the specified port will be blocked. Before specifying the port to block, you can use the display sep topology command to view the current topology information and obtain information about all the ports in the topology. Then you can select the device name and port name.
[LSW2] sep segment 2 [LSW2-sep-segment2] block port sysname LSW7 interface gigabitethernet 1/0/1 [LSW2-sep-segment2] quit
# On LSW4 where the primary edge port of SEP segment 3 is located, specify that the blocked port be selected according to the configured hop counts of ports.
[LSW4] sep segment 3 [LSW4-sep-segment3] block port hop 5 [LSW4-sep-segment3] quit
NOTE
SEP sets the hop count of the primary edge port to 1 and the hop count of the secondary edge port to 2. Hop counts of other ports increase at a step of 1 in the downstream direction of the primary port.
4.
Configure the preemption mode. # Configure the delayed preemption mode on LSW1.
[LSW1] sep segment 1 [LSW1-sep-segment1] preempt delay 30
NOTE
l You must set the preemption delay when delayed preemption is adopted because there is no default delay time. l After all the faulty ports recover, the edge ports no longer receive fault notification packets. If the primary edge port does not receive any fault notification packet, it starts the delay timer. When the delay timer expires, nodes in the SEP segment start blocked port preemption. To implement delayed preemption in this example, you need to simulate a port fault and then rectify the fault. For example: Run the shutdown command on GE1/0/2 of LSW2 to simulate a port fault, and then run the undo shutdown command on GE1/0/2 to rectify the fault.
# Configure the manual preemption mode on LSW2.

[LSW2] sep segment 2 [LSW2-sep-segment2] preempt manual
# Configure the manual preemption mode on LSW4.

[LSW4] sep segment 3 [LSW4-sep-segment3] preempt manual
5.
Configure the topology change notification function. # Configure SEP segment 2 to notify SEP segment 1 of topology changes.
Issue 01 (2011-10-26)
548
# Configure LSW2.
[LSW2] sep segment 2 [LSW2-sep-segment2] tc-notify segment 1 [LSW2-sep-segment2] quit
# Configure LSW3.
# Configure SEP segment 3 to notify SEP segment 1 of topology changes. # Configure LSW3.
# Configure LSW4.
NOTE
The topology change notification function is configured on edge devices between SEP segments so that the upper-layer network can be notified of topology changes on the lower-layer network.
Step 2 Configure the Layer 2 forwarding function on the CEs and LSW1 to LSW11. For details about the configuration, see the configuration files. Step 3 Verify the configuration. After completing the preceding configurations, do as follows to verify the configuration. LSW1 is used as an example. l Run the shutdown command on GE1/0/1 of LSW2 to simulate a port fault, and then run the display sep interface command on LSW3 to check whether GE1/0/4 of LSW3 has switched from the Discarding state to the Forwarding state.
----End
Configuration Files
# sysname LSW1 # vlan batch 10 100 200 300 # sep segment 1 control-vlan 10 block port optimal preempt delay 30 protected-instance 0 to 48 # interface GigabitEthernet1/0/1 port hybrid tagged vlan 10 100 200 stp disable sep segment 1 edge primary
Issue 01 (2011-10-26)
549

# interface GigabitEthernet1/0/2 port hybrid pvid vlan 300 port hybrid tagged vlan 100 200 port hybrid untagged vlan 300 # interface GigabitEthernet1/0/3 port hybrid tagged vlan 10 100 200 300 stp disable sep segment 1 edge secondary # return

# sysname LSW2 # vlan batch 10 20 100 200 # sep segment 1 control-vlan 10 protected-instance 0 to 48 sep segment 2 control-vlan 20 block port sysname LSW7 interface GigabitEthernet1/0/1 tc-notify segment 1 protected-instance 0 to 48 # interface GigabitEthernet1/0/1 port hybrid tagged vlan 10 100 200 stp disable sep segment 1 # interface GigabitEthernet1/0/2 port hybrid tagged vlan 20 200 stp disable sep segment 2 edge primary # interface GigabitEthernet1/0/3 port hybrid tagged vlan 10 100 200 stp disable sep segment 1 # return

# sysname LSW3 # vlan batch 10 20 30 100 200 # sep segment 1 control-vlan 10 protected-instance 0 to 48 sep segment 2 control-vlan 20 tc-notify segment 1 protected-instance 0 to 48 sep segment 3 control-vlan 30 tc-notify segment 1 protected-instance 0 to 48 # interface GigabitEthernet1/0/1 port hybrid tagged vlan 30 100 stp disable sep segment 3 edge secondary # interface GigabitEthernet1/0/2 port hybrid tagged vlan 20 200
Issue 01 (2011-10-26)
550

stp disable sep segment 2 edge secondary # interface GigabitEthernet1/0/3 port hybrid tagged vlan 10 100 200 stp disable sep segment 1 # interface GigabitEthernet1/0/4 port hybrid tagged vlan 10 100 200 stp disable sep segment 1 sep segment 1 priority 128 # return

# sysname LSW4 # vlan batch 10 30 100 200 # sep segment 1 control-vlan 10 protected-instance 0 to 48 sep segment 2 control-vlan 30 protected-instance 0 to 48 sep segment 3 control-vlan 30 block port hop 5 tc-notify segment 1 protected-instance 0 to 48 # interface GigabitEthernet1/0/1 port hybrid tagged vlan 30 100 stp disable sep segment 3 edge primary # interface GigabitEthernet1/0/2 port hybrid tagged vlan 10 100 200 stp disable sep segment 1 # interface GigabitEthernet1/0/3 port hybrid tagged vlan 10 100 200 stp disable sep segment 1 # return

# sysname LSW5 # vlan batch 10 100 200 300 # sep segment 1 control-vlan 10 protected-instance 0 to 48 # interface GigabitEthernet1/0/1 port hybrid tagged vlan 10 100 200 stp disable sep segment 1 # interface GigabitEthernet1/0/2 port hybrid pvid vlan 300 port hybrid tagged vlan 100 200 port hybrid untagged vlan 300
Issue 01 (2011-10-26)
551

# interface GigabitEthernet1/0/3 port hybrid tagged vlan 10 100 200 300 stp disable sep segment 1 # return


# sysname LSW7 # vlan batch 20 200 # sep segment 2 control-vlan 20 protected-instance 0 to 48 # interface GigabitEthernet1/0/1 port hybrid tagged vlan 20 200 stp disable sep segment 2 # interface GigabitEthernet1/0/2 port hybrid tagged vlan 20 200 stp disable sep segment 2 # interface GigabitEthernet1/0/3 port hybrid tagged vlan 200 # return

# sysname LSW8 # vlan batch 20 200 # sep segment 2 control-vlan 20 protected-instance 0 to 48 # interface GigabitEthernet1/0/1 port hybrid tagged vlan 20 200 stp disable sep segment 2 #
Issue 01 (2011-10-26)
552

interface GigabitEthernet1/0/2 port hybrid tagged vlan 20 200 stp disable sep segment 2 # return


# sysname LSW10 # vlan batch 30 100 # sep segment 3 control-vlan 30 protected-instance 0 to 48 # interface GigabitEthernet1/0/1 port hybrid tagged vlan 30 100 stp disable sep segment 3 # interface GigabitEthernet1/0/2 port hybrid tagged vlan 30 100 stp disable sep segment 3 # interface GigabitEthernet1/0/3 port hybrid tagged vlan 100 # return

# sysname LSW11 # vlan batch 30 100 # sep segment 3 control-vlan 30 protected-instance 0 to 48 # interface GigabitEthernet1/0/1 port hybrid tagged vlan 30 100 stp disable sep segment 3 # interface GigabitEthernet1/0/2
Issue 01 (2011-10-26)
553

port hybrid tagged vlan 30 100 stp disable sep segment 3 # return


10.7.3 Example for Configuring a Hybrid SEP+MSTP Ring Network

In the networking of this configuration example, the two devices where the access layer and the aggregation layer are intersected do not support SEP. You can configure SEP at the access layer to implement redundancy protection switching and configure the function of advertising topology changes on an edge device in a SEP segment. This helps an upper-layer network to detect topology changes of a lower-layer network in time.
Generally, redundant links are used to connect an Ethernet switching network to an upper-layer network to provide link backup and enhance network reliability. The use of redundant links, however, may produce loops, causing broadcast storms and rendering the MAC address table unstable. As a result, the communication quality deteriorates, and communication services may even be interrupted. SEP can be deployed on the ring network to block redundant links and unblock them if a link fault occurs.
NOTE
In this example, devices at the aggregation layer run the MSTP protocol.
As shown in Figure 10-13, multiple Layer 2 switching devices form a ring at the access layer, and multiple Layer 3 devices form a ring at the aggregation layer. In this case, SEP needs to run at the access layer to implement the following functions: l l l When there is no faulty link on the ring network, SEP helps to eliminate loops. When a link fault occurs on the ring network, SEP helps to rapidly restore the communication between nodes. The function of advertising topology changes should be configured on an edge device in a SEP segment. This helps an upper-layer network to detect topology changes of a lowerlayer network in time.
After receiving a message indicating topology changes of a lower-layer network, a device on an upper-layer network sends TC packets locally to instruct the other devices to clear associated
MAC addresses and relearn MAC addresses after the topology of the lower-layer network changes. This ensures nonstop traffic forwarding. Figure 10-13 Networking diagram of a hybrid-ring SEP network
GE1/0/3
Aggregation
GE1/0/2 GE1/0/2
PE3 GE1/0/1
GE1/0/3 PE4 GE1/0/1
MSTP GE1/0/2 PE1 PE2 GE1/0/2
GE1/0/1 GE1/0/1 LSW1
GE1/0/3 Do not Support SEP SEP Segment1
GE1/0/1 GE1/0/1 LSW2
GE1/0/2
Access
GE1/0/2 GE1/0/1 GE1/0/3LSW3
GE1/0/2 GE1/0/1 CE VLAN100
No-neighbor Primary Edge Node No-neighbor Secondary Edge Node Block Port(SEP) Block Port(MSTP)
The configuration roadmap is as follows: 1. Configure basic SEP functions. (1) Configure SEP segment 1 on LSW1 to LSW3 and configure VLAN 10 as the control VLAN of SEP segment 1. (2) Add LSW1 to LSW3 to SEP segment 1 and configure port roles on the edge devices of the SEP segment, namely, LSW1 and LSW2.
NOTE
PE1 and PE2 do not support the SEP protocol; therefore, the ports of LSW1 and LSW2 connected to the PEs must be no-neighbor edge ports.
(3) On the device where the no-neighbor primary edge port is located, specify the port in the middle of the SEP segment as the port to block. (4) Configure manual preemption.
(5) Configure the topology change notification function so that the upper-layer network running MSTP can be notified of topology changes in the SEP segment. 2. Configure basic MSTP functions. (1) Add PE1 to PE4 to an MST region RG1. (2) Create VLANs on PE1 to PE4 and add interfaces on the STP ring to the VLANs. (3) Configure PE3 as the root bridge and PE4 as the backup root bridge. 3. Configure the Layer 2 forwarding function on CE1 and LSW1 to LSW3.
Data Preparation
To complete the configuration, you need the following data: l l l l l l SEP segment ID Control VLAN of the SEP segment Port roles in the SEP segment Preemption mode Method of selecting the port to block MST region name, MSTI ID, and priorities of the PEs in the region
Procedure
Step 1 Configure basic SEP functions. 1. Configure SEP segment 1 on LSW1 to LSW5 and configure VLAN 10 as the control VLAN of SEP segment 1. # Configure LSW1.
# Configure LSW2.
# Configure LSW3.
NOTE
2.
Issue 01 (2011-10-26)
Add LSW1 to LSW3 to SEP segment 1 and configure port roles.


NOTE
# Configure LSW1.
[LSW1] interface gigabitethernet 1/0/1 [LSW1-GigabitEthernet1/0/1] sep segment 1 edge no-neighbor primary [LSW1-GigabitEthernet1/0/1] quit [LSW1] interface gigabitethernet 1/0/2 [LSW1-GigabitEthernet1/0/2] stp disable [LSW1-GigabitEthernet1/0/2] sep segment 1 [LSW1-GigabitEthernet1/0/2] quit
# Configure LSW2.
[LSW2] interface gigabitethernet 1/0/1 [LSW2-GigabitEthernet1/0/1] sep segment 1 edge no-neighbor secondary [LSW2-GigabitEthernet1/0/1] quit [LSW2] interface gigabitethernet 1/0/2 [LSW2-GigabitEthernet1/0/2] stp disable [LSW2-GigabitEthernet1/0/2] sep segment 1 [LSW2-GigabitEthernet1/0/2] quit
# Configure LSW3.
3.
Specify the port to block. # On LSW1 where the no-neighbor primary edge port of SEP segment 1 is located, specify the port in the middle of the SEP segment as the port to block.
[LSW1] sep segment 1 [LSW1-sep-segment1] block port middle
4.
Configure the preemption mode. # Configure the manual preemption mode on LSW1.
[LSW1-sep-segment1] preempt maunal
5.
Configure the topology change notification function. # Configure SEP segment 1 to notify the MSTP network of topology changes. # Configure LSW1.
[LSW1-sep-segment1] tc-notify stp [LSW1-sep-segment1] quit
# Configure LSW2.
[LSW2] sep segment 1 [LSW2-sep-segment1] tc-notify stp [LSW2-sep-segment1] quit
Step 2 Configure basic MSTP functions. 1. Configure an MST region # Configure PE1.
<Quidway> system-view [Quidway] sysname PE1 [PE1] stp region-configuration [PE1-mst-region] region-name RG1 [PE1-mst-region] active region-configuration [PE1-mst-region] quit
Issue 01 (2011-10-26)
557
# Configure PE2.
# Configure PE3.
# Configure PE4.
2.
Create VLANs and add interfaces to VLANs. # On PE1, create VLAN 100 and add GE1/0/1, GE1/0/2, and GE1/0/3 to VLAN 100.
[PE1] vlan 100 [PE1-vlan100] quit [PE1] interface gigabitethernet [PE1-GigabitEthernet1/0/1] port [PE1-GigabitEthernet1/0/1] quit [PE1] interface gigabitethernet [PE1-GigabitEthernet1/0/2] port [PE1-GigabitEthernet1/0/2] quit [PE1] interface gigabitethernet [PE1-GigabitEthernet1/0/3] port [PE1-GigabitEthernet1/0/3] quit 1/0/1 hybrid tagged vlan 100 1/0/2 hybrid tagged vlan 100 1/0/3 hybrid tagged vlan 100
# On PE2, PE3, and PE4, create VLAN 100 and add GE1/0/1, GE1/0/2, and GE1/0/3 to VLAN 100. The configurations of PE2, PE3, and PE3 are similar to the configuration of PE1, and are not mentioned here. For details about the configuration, see the configuration files. 3. Enable MSTP. # Configure PE1.
[PE1] stp enable
# Configure PE2.
[PE2] stp enable
# Configure PE3.
[PE3] stp enable
# Configure PE4.
[PE4] stp enable
4.
Configure PE3 as the root bridge and PE4 as the backup root bridge. # Set the priority of PE3 to 0 in MSTI0 to ensure that PE3 functions as the root bridge.
[PE3] stp instance 0 priority 0 [PE3] stp root primary
# Set the priority of PE4 to 4096 in MSTI0 to ensure that PE4 functions as the backup root bridge.

[PE4] stp instance 0 priority 4096 [PE4] stp root secondary
Step 3 Configure the Layer 2 forwarding function on the CE and LSW1 to LSW3. For details about the configuration, see the configuration files. Step 4 Verify the configuration. After the configurations are complete and network become stable, run the following commands to verify the configuration. LSW1 is used as an example. l Run the shutdown command on GE1/0/1 of LSW2 to simulate a port fault, and then run the display sep interface command on LSW3 to check whether GE1/0/2 of LSW3 has switched from the Discarding state to the Forwarding state.
----End
Configuration Files
# sysname LSW1 # vlan batch 10 100 # sep segment 1 control-vlan 10 block port middle tc-notify stp protected-instance 0 to 48 # interface GigabitEthernet1/0/1 port hybrid tagged vlan 10 100 stp disable sep segment 1 no-neighbor edge primary # interface GigabitEthernet1/0/2 port hybrid tagged vlan 10 100 stp disable sep segment 1 # return

# sysname LSW2 # vlan batch 10 100 # sep segment 1 control-vlan 10 tc-notify stp protected-instance 0 to 48 # interface GigabitEthernet1/0/2 port hybrid tagged vlan 10 100 stp disable sep segment 1 #
Issue 01 (2011-10-26)
559

interface GigabitEthernet1/0/1 port hybrid tagged vlan 10 100 stp disable sep segment 1 no-neighbor edge secondary # return

# sysname LSW3 # vlan batch 10 100 # sep segment 1 control-vlan 10 protected-instance 0 to 48 # interface GigabitEthernet1/0/1 port hybrid tagged vlan 10 100 stp disable sep segment 1 # interface GigabitEthernet1/0/2 port hybrid tagged vlan 10 100 stp disable sep segment 1 # interface GigabitEthernet1/0/3 port hybrid tagged vlan vlan 100 # return

# sysname PE1 # vlan batch 100 # stp region-configuration region-name RG1 active region-configuration # interface GigabitEthernet1/0/1 port hybrid tagged vlan 100 # interface GigabitEthernet1/0/2 port hybrid tagged vlan 100 # interface GigabitEthernet1/0/3 port hybrid tagged vlan 100 # return

# sysname PE2 # vlan batch 100 # stp region-configuration region-name RG1 active region-configuration # interface GigabitEthernet1/0/1 port hybrid tagged vlan 100 # interface GigabitEthernet1/0/2 port hybrid tagged vlan 100 # interface GigabitEthernet1/0/3
Issue 01 (2011-10-26)
560

port hybrid tagged vlan 100 # return

# sysname PE3 # vlan batch 100 200 # stp instance 0 root primary # stp region-configuration region-name RG1 active region-configuration # interface GigabitEthernet1/0/1 port hybrid tagged vlan 100 # interface GigabitEthernet1/0/2 port hybrid tagged vlan 100 200 # interface GigabitEthernet1/0/3 port hybrid pvid vlan 200 port hybrid tagged vlan 100 port hybrid untagged vlan 200 # return

# sysname PE4 # vlan batch 100 200 # stp instance 0 root secondary # stp region-configuration region-name RG1 active region-configuration # interface GigabitEthernet1/0/1 port hybrid tagged vlan 100 # interface GigabitEthernet1/0/2 port hybrid tagged vlan 100 200 # interface GigabitEthernet1/0/3 port hybrid pvid vlan 200 port hybrid tagged vlan 100 port hybrid untagged vlan 200 # return

10.7.4 Example for Configuring a Hybrid SEP+RRPP Ring Network

In the networking of this configuration example, you can configure SEP at the access layer to implement redundancy protection switching and configure the function of advertising topology
changes on an edge device in a SEP segment. This helps an upper-layer network to detect topology changes of a lower-layer network in time.
Generally, redundant links are used to connect an Ethernet switching network to an upper-layer network to provide link backup and enhance network reliability. The use of redundant links, however, may produce loops, causing broadcast storms and rendering the MAC address table unstable. As a result, the communication quality deteriorates, and communication services may even be interrupted. SEP can be deployed on the ring network to block redundant links and unblock them if a link fault occurs. Figure 10-14 Networking diagram for hybrid rings running SEP+RRPP
Network NPE1 NPE2
GE1/0/3
Aggregation
GE1/0/2 GE1/0/2
PE3 GE1/0/1
GE1/0/3 PE4 GE1/0/1
RRPP GE1/0/2 PE1 GE1/0/3 GE1/0/1 GE1/0/1 LSW1 GE1/0/2 SEP Segment1 GE1/0/1 GE1/0/1 LSW2 GE1/0/2 GE1/0/1 GE1/0/3LSW3 PE2 GE1/0/2
Access
GE1/0/2 GE1/0/1 CE VLAN100
Primary Edge Node Secondary Edge Node Block Port(SEP) Block Port(RRPP)
Issue 01 (2011-10-26)
562
As shown in Figure 10-14, Multiple Layer 2 switching devices at the access layer and aggregation layer form a ring network to access the core layer. RRPP has been configured at the aggregation layer to eliminate loops. In this case, SEP needs to run at the access layer to implement the following functions: l l l When there is no faulty link on the ring network, SEP helps to eliminate loops. When a link fault occurs on the ring network, SEP helps to rapidly restore the communication between nodes. The function of advertising topology changes should be configured on an edge device in a SEP segment. This helps an upper-layer network to detect topology changes of a lowerlayer network in time. After receiving a message indicating topology changes of a lower-layer network, a device on an upper-layer network sends TC packets locally to instruct the other devices to clear associated MAC addresses and relearn MAC addresses after the topology of the lowerlayer network changes. This ensures nonstop traffic forwarding.
The configuration roadmap is as follows: 1. Configure basic SEP functions. (1) Configure the segment with the ID of 1 and the control VLAN with the ID of 10 on PE1, PE2 and LSW1 to LSW3. (2) Add PE1, PE2 and LSW1 to LSW3 to a SEP segment, and configure the roles of the interfaces that reside on PE1 and PE2 and are added to SEP segment. (3) Set an interface blocking mode on a primary edge interface to specify an interface to block. (4) Configure the SEP preemption mode to ensure that the user-defined blocked interface takes effect when a fault is cleared. (5) Configure the function of advertising the topology change of a SEP segment so that the topology change of the local SEP segment can be advertised to the upper-layer network where RRPP is enabled. 2. Configure basic RRPP functions. (1) Add PE1 to PE4 to a rrpp domain with the ID of 1, create a control VLAN with the ID of 5 on PE1 to PE4, and configure a protected VLAN. (2) Configure PE1 as the master node and PE2 to PE4 as the transmit node of the major ring, and configure the primary interface and secondary interface of the nodes. (3) Create a VLAN on PE1 to PE4, and then add the interfaces on the RRPP ring network to the VLAN. 3. Configure a VLAN on PE3 and PE4 to transmit VRRP packets and BFD packets.
Data Preparation
To complete the configuration, you need the following data. l l
Issue 01 (2011-10-26)
SEP segment ID, control VLAN ID, roles of interfaces added to the SEP segment, interface blocking mode, and SEP preemption mode. RRPP domain ID, RRPP ring ID and control VLAN ID.
Procedure
Step 1 Configure basic SEP functions. 1. Configure a SEP segment with the ID being 1 and a control VLAN with the ID being 10. # Configure PE1.
<Quidway> system-view [Quidway] sysname PE1 [PE1] sep segment 1 [PE1-sep-segment1] control-vlan 10 [PE1-sep-segment1] protected-instance all [PE1-sep-segment1] quit
# Configure PE2.
<Quidway> system-view [Quidway] sysname PE2 [PE2] sep segment 1 [PE2-sep-segment1] control-vlan 10 [PE2-sep-segment1] protected-instance all [PE2-sep-segment1] quit
# Configure LSW1.
# Configure LSW2.
# Configure LSW3.
2.
Add PE1, PE2 and LSW1 to LSW3 to Segment1 and configure roles of interfaces.
NOTE
By default, STP is enabled on a interface. Before adding an interface to a SEP segment, disable STP on the interface.
# Configure PE1.
[PE1] interface gigabitethernet 1/0/1 [PE1-GigabitEthernet1/0/1] stp disable [PE1-GigabitEthernet1/0/1] sep segment 1 edge primary [PE1-GigabitEthernet1/0/1] quit
# Configure LSW1.
[LSW1] interface gigabitethernet 1/0/1 [LSW1-GigabitEthernet1/0/1] sep segment 1 edge no-neighbor primary [LSW1-GigabitEthernet1/0/1] quit [LSW1] interface gigabitethernet 1/0/2 [LSW1-GigabitEthernet1/0/2] stp disable [LSW1-GigabitEthernet1/0/2] sep segment 1 [LSW1-GigabitEthernet1/0/2] quit
# Configure LSW2.
[LSW2] interface gigabitethernet 1/0/1
Issue 01 (2011-10-26)
564
[LSW2-GigabitEthernet1/0/1] sep segment 1 edge no-neighbor secondary [LSW2-GigabitEthernet1/0/1] quit [LSW2] interface gigabitethernet 1/0/2 [LSW2-GigabitEthernet1/0/2] stp disable [LSW2-GigabitEthernet1/0/2] sep segment 1 [LSW2-GigabitEthernet1/0/2] quit
# Configure LSW3.
# Configure PE2.
[PE2] interface gigabitethernet 1/0/1 [PE2-GigabitEthernet1/0/1] stp disable [PE2-GigabitEthernet1/0/1] sep segment 1 edge secondary [PE2-GigabitEthernet1/0/1] quit
After completing the preceding configurations, run the display sep topology command on PE1 to view the topology of the SEP segment. You can see that the blocked interface is one of the last two interfaces that complete neighbor negotiation.
[PE1] display sep topology SEP segment 1 ----------------------------------------------------------------System Name Port Name Port Role Port Status ----------------------------------------------------------------PE1 GE1/0/1 primary forwarding LSW1 GE1/0/1 common forwarding LSW1 GE1/0/2 common forwarding LSW3 GE1/0/2 common forwarding LSW3 GE1/0/1 common forwarding LSW2 GE1/0/2 common forwarding LSW2 GE1/0/1 common forwarding PE2 GE1/0/1 secondary discarding
3.
Set an interface blocking mode. # In Segment1, block the interface in the middle of the SEP segment on PE1 where the primary edge interface resides.
[PE1] sep segment 1 [PE1-sep-segment1] block port middle
4.
Set the preemption mode. # In Segment1, set the preemption mode on PE1 where the primary edge interface resides to manual preemption.
[PE1-sep-segment1] preempt maunal
5.
Advertise SEP topology changes. # In Segment1, advertise the topology change to RRPP. # Configure PE1.
[PE1-sep-segment1] tc-notify rrpp [PE1-sep-segment1] quit
# Configure PE2.
[PE2] sep segment 1 [PE2-sep-segment1] tc-notify rrpp [PE2-sep-segment1] quit
After the preceding configurations are successful, perform the following operations to verify the configurations. Take PE1 as an example.
l Run the display sep topology command on PE1 to view the information about the topology of the SEP segment. The command output shows that the forwarding status of GE 1/0/2 on LSW3 is discarding and the forwarding status of the other interfaces is forwarding.
[PE1] display sep topology SEP segment 1 ----------------------------------------------------------------System Name Port Name Port Role Port Status ----------------------------------------------------------------PE1 GE1/0/1 primary forwarding LSW1 GE1/0/1 common forwarding LSW1 GE1/0/2 common forwarding LSW3 GE1/0/2 common discarding LSW3 GE1/0/1 common forwarding LSW2 GE1/0/2 common forwarding LSW2 GE1/0/1 common forwarding PE2 GE1/0/1 secondary forwarding
l Run the display sep interface verbose command on PE1 to view the detailed information about the interfaces added to the SEP segment.
[PE1] display sep interface verbose SEP segment 1 Control-vlan :10 Preempt Delay Timer :0 TC-Notify Propagate to :rrpp ---------------------------------------------------------------Interface :GE1/0/1 Port Role :Config = primary / Active = primary Port Priority :64 Port Status :forwarding Neighbor Status :up Neighbor Port :LSW1 - GE1/0/1 (00e0-0829-7c00.0000) NBR TLV rx :2124 tx :2126 LSP INFO TLV rx :2939 tx :135 LSP ACK TLV rx :113 tx :768 PREEMPT REQ TLV rx :0 tx :3 PREEMPT ACK TLV rx :3 tx :0 TC Notify rx :5 tx :3 EPA rx :363 tx :397
Step 2 Configure basic RRPP functions. 1. Add PE1 to PE4 to a rrpp domain with the ID of 1, create a control VLAN with the ID of 5 on PE1 to PE4, and configure a protected VLAN. # Configure PE1.
<Quidway> system-view [Quidway] sysname PE1 [PE1] rrpp domain 1 [PE1-rrpp-domain-region1] control-vlan 100 [PE1-rrpp-domain-region1] protected-vlan reference-instance all
# Configure PE2.
# Configure PE3.
# Configure PE4.
2.
Create a VLAN and add interfaces on the ring network to the VLAN. # Create VLAN 100 on PE1, and then add GE 1/0/1, GE 1/0/2, and GE 1/0/3 to VLAN 100.
[PE1] vlan 100 [PE1-vlan100] quit [PE1] interface gigabitethernet 1/0/1 [PE1-GigabitEthernet1/0/1] stp disable [PE1-GigabitEthernet1/0/1] port link-type trunk [PE1-GigabitEthernet1/0/1] port trunk allow-pass vlan 100 [PE1-GigabitEthernet1/0/1] quit [PE1] interface gigabitethernet 1/0/2 [PE1-GigabitEthernet1/0/2] stp disable [PE1-GigabitEthernet1/0/2] port link-type trunk [PE1-GigabitEthernet1/0/2] port trunk allow-pass vlan 100 [PE1-GigabitEthernet1/0/2] quit [PE1] interface gigabitethernet 1/0/3 [PE1-GigabitEthernet1/0/3] stp disable [PE1-GigabitEthernet1/0/3] port link-type trunk [PE1-GigabitEthernet1/0/3] port trunk allow-pass vlan 100 [PE1-GigabitEthernet1/0/3] quit
# Create VLAN 100 on PE2, and then add GE 1/0/1, GE 1/0/2, and GE 1/0/3 to VLAN 100.
[PE2] vlan 100 [PE2-vlan100] quit [PE2] interface gigabitethernet 1/0/1 [PE2-GigabitEthernet1/0/1] stp disable [PE2-GigabitEthernet1/0/1] port link-type trunk [PE2-GigabitEthernet1/0/1] port trunk allow-pass vlan 100 [PE2-GigabitEthernet1/0/1] quit [PE2] interface gigabitethernet 1/0/2 [PE2-GigabitEthernet1/0/2] stp disable [PE2-GigabitEthernet1/0/2] port link-type trunk [PE2-GigabitEthernet1/0/2] port trunk allow-pass vlan 100 [PE2-GigabitEthernet1/0/2] quit [PE2] interface gigabitethernet 1/0/3 [PE2-GigabitEthernet1/0/3] stp disable [PE2-GigabitEthernet1/0/3] port link-type trunk [PE2-GigabitEthernet1/0/3] port trunk allow-pass vlan 100 [PE2-GigabitEthernet1/0/3] quit
# Create VLAN 100 on PE3, and then add GE 1/0/1 and GE 1/0/2 to VLAN 100.
[PE3] vlan 100 [PE3-vlan100] quit [PE3] interface gigabitethernet 1/0/1 [PE3-GigabitEthernet1/0/1] stp disable [PE3-GigabitEthernet1/0/1] port link-type trunk [PE3-GigabitEthernet1/0/1] port trunk allow-pass vlan 100 [PE3-GigabitEthernet1/0/1] quit [PE3] interface gigabitethernet 1/0/2 [PE3-GigabitEthernet1/0/2] stp disable [PE3-GigabitEthernet1/0/2] port link-type trunk [PE3-GigabitEthernet1/0/2] port trunk allow-pass vlan 100 [PE3-GigabitEthernet1/0/2] quit
# Create VLAN 100 on PE4, and then add GE 1/0/1 and GE 1/0/2 to VLAN 100.
[PE4] vlan 100 [PE4-vlan100] quit [PE4] interface gigabitethernet 1/0/1 [PE4-GigabitEthernet1/0/1] stp disable [PE4-GigabitEthernet1/0/1] port link-type trunk [PE4-GigabitEthernet1/0/1] port trunk allow-pass vlan 100
Issue 01 (2011-10-26)
567

[PE4-GigabitEthernet1/0/1] quit [PE4] interface gigabitethernet 1/0/2 [PE4-GigabitEthernet1/0/2] stp disable [PE4-GigabitEthernet1/0/2] port link-type trunk [PE4-GigabitEthernet1/0/2] port trunk allow-pass vlan 100 [PE4-GigabitEthernet1/0/2] quit
3.
Configure PE1 as the master node and PE2 to PE4 as the transmit node of the major ring, and configure the primary interface and secondary interface of the nodes. # Configure PE1.
[PE1] rrpp domain 1 [PE1-rrpp-domain-region1] ring 1 node-mode master primary-port gigabitEthernet1/0/2 secondary-port gigabitEthernet1/0/3 level 0 [PE1-rrpp-domain-region1] ring 1 enable
# Configure PE2.
[PE2] rrpp domain 1 [PE2-rrpp-domain-region1] ring 1 node-mode transit primary-port gigabitEthernet1/0/2 secondary-port gigabitEthernet1/0/3 level 0 [PE2-rrpp-domain-region1] ring 1 enable
# Configure PE3.
# Configure PE4.
4.
Enable RRPP. # Configure PE1.

[PE1] rrpp enable
# Configure PE2.
[PE2] rrpp enable
# Configure PE3.
[PE3] rrpp enable
# Configure PE4.
[PE4] rrpp enable
After completing the preceding configurations, run the display rrpp brief or display rrpp verbose domain command on PE1 to check the RRPP configuration.
[PE1] display rrpp brief Abbreviations for Switch Node Mode : M - Master , T - Transit , E - Edge , A - Assistant-Edge RRPP Protocol Status: Enable RRPP Working Mode: HW RRPP Linkup Delay Timer: 0 sec (0 sec default) Number of RRPP Domains: 1 Domain Index : 1 Control VLAN : major 5 sub 6 Protected VLAN : Reference Instance 1 Hello Timer : 1 sec(default is 1 sec) Fail Timer : 6 sec(default is 6 sec) Ring Ring Node Primary/Common Secondary/Edge Is ID Level Mode Port Port Enabled ---------------------------------------------------------------------------1 0 M GigabitEthernet1/0/2 GigabitEthernet1/0/3 Yes
Issue 01 (2011-10-26)
568
You can view that RRPP is enabled on PE1. In domain 1, VLAN 5 is the major control VLAN, VLAN 6 is the sub-control VLAN, Instance1 is the protected VLAN, and PE1 is the master node in major ring 1 with the primary interface and secondary interface respectively as GigabitEthernet 1/0/2 and GigabitEthernet 1/0/3.
[PE1] display rrpp verbose domain 1 Domain Index : 1 Control VLAN : major 5 sub 6 Protected VLAN : Reference Instance 1 Hello Timer : 1 sec(default is 1 sec) RRPP Ring Ring Level Node Mode Ring State Is Enabled Primary port Secondary port : : : : : : : 1 0 Master Complete Enable GigabitEthernet1/0/2 GigabitEthernet1/0/3
Fail Timer : 6 sec(default is 6 sec)
Is Active: Yes Port status: UP Port status: BLOCKED
You can view that in domain 1, VLAN 5 is the major control VLAN, VLAN 6 is the sub-control VLAN, Instance1 is the protected VLAN, and PE1 is the master node in major ring 1 with the primary interface and secondary interface respectively as GigabitEthernet 1/0/2 and GigabitEthernet 1/0/3, and the node status is Complete. Step 3 Configure the Layer 2 forwarding function on the CE, LSW1 to LSW3 and PE1 to PE4. The configuration details are not mentioned here. For details, see configuration files in this example. Step 4 Verify the configuration. After the previous configurations, run the following commands to verify the configuration after the network is stable. Take LSW1 as an example. l Run the shutdown command on GE 1/0/1 on LSW2 to simulate an interface fault, and then run the display sep interface command on LSW3 to check whether the status of GE 1/0/2 changes from blocked to forwarding.
[LSW3] display sep interface gigabitethernet 1/0/2 SEP segment 1 ---------------------------------------------------------------Interface Port Role Neighbor Status Port Status ---------------------------------------------------------------GE1/0/2 common up forwarding
----End
Configuration Files
# sysname LSW1 # vlan batch 10 100 # sep segment 1 control-vlan 10 protected-instance 0 to 48 # interface GigabitEthernet1/0/1 port link-type trunk port trunk allow-pass vlan 10 100 stp disable
Issue 01 (2011-10-26)
569

sep segment 1 # interface GigabitEthernet1/0/2 port link-type trunk port trunk allow-pass vlan 10 100 stp disable sep segment 1 # return

# sysname LSW2 # vlan batch 10 100 # sep segment 1 control-vlan 10 protected-instance 0 to 48 # interface GigabitEthernet1/0/2 port link-type trunk port trunk allow-pass vlan 10 100 stp disable sep segment 1 # interface GigabitEthernet1/0/1 port link-type trunk port trunk allow-pass vlan 10 100 stp disable sep segment 1 # return

# sysname LSW3 # vlan batch 10 100 # sep segment 1 control-vlan 10 protected-instance 0 to 48 # interface GigabitEthernet1/0/1 port link-type trunk port trunk allow-pass vlan 10 100 stp disable sep segment 1 # interface GigabitEthernet1/0/2 port link-type trunk port trunk allow-pass vlan 10 100 stp disable sep segment 1 # interface GigabitEthernet1/0/3 port link-type trunk
Issue 01 (2011-10-26)
570

port trunk allow-pass vlan 100 # return

# sysname PE1 # vlan batch 5 to 6 100 # rrpp enable # stp region-configuration instance 1 vlan 5 to 6 100 active region-configuration # rrpp domain 1 control-vlan 5 protected-vlan reference-instance 1 ring 1 node-mode master primary-port GigabitEthernet 1/0/2 secondary-port GigabitEthernet 1/0/3 level 0 ring 1 enable # sep segment 1 control-vlan 10 block port middle tc-notify rrpp protected-instance 0 to 48 # interface GigabitEthernet1/0/1 port link-type trunk port trunk allow-pass vlan 100 stp disable sep segment 1 edge primary # interface GigabitEthernet1/0/2 port link-type trunk port trunk allow-pass vlan 5 to 6 100 stp disable # interface GigabitEthernet1/0/3 port link-type trunk port trunk allow-pass vlan 5 to 6 100 stp disable # return

# sysname PE2 # vlan batch 5 to 6 100 # rrpp enable # stp region-configuration instance 1 vlan 5 to 6 100 active region-configuration # rrpp domain 1 control-vlan 5 protected-vlan reference-instance 1 ring 1 node-mode transit primary-port GigabitEthernet 1/0/2 secondary-port GigabitEthernet 1/0/3 level 0
Issue 01 (2011-10-26)
571

ring 1 enable # sep segment 1 control-vlan 10 tc-notify rrpp protected-instance 0 to 48 # interface GigabitEthernet1/0/1 port link-type trunk port trunk allow-pass vlan 100 stp disable sep segment 1 edge secondary # interface GigabitEthernet1/0/2 port link-type trunk port trunk allow-pass vlan 5 to 6 100 stp disable # interface GigabitEthernet1/0/3 port link-type trunk port trunk allow-pass vlan 5 to 6 100 stp disable # return

# sysname PE3 # vlan batch 5 to 6 100 200 # rrpp enable # stp region-configuration instance 1 vlan 5 to 6 100 active region-configuration # rrpp domain 1 control-vlan 5 protected-vlan reference-instance 1 ring 1 node-mode transit primary-port GigabitEthernet 1/0/1 secondary-port GigabitEthernet 1/0/2 level 0 ring 1 enable # interface GigabitEthernet1/0/1 port link-type trunk port trunk allow-pass vlan 100 stp disable # interface GigabitEthernet1/0/2 port link-type trunk port trunk allow-pass vlan 5 to 6 100 200 stp disable # interface GigabitEthernet1/0/3 port default vlan 200 port trunk allow-pass vlan 5 to 6 100
Issue 01 (2011-10-26)
572

# return

# sysname PE4 # vlan batch 5 to 6 100 200 # rrpp enable # stp region-configuration instance 1 vlan 5 to 6 100 active region-configuration # rrpp domain 1 control-vlan 5 protected-vlan reference-instance 1 ring 1 node-mode transit primary-port GigabitEthernet 1/0/1 secondary-port GigabitEthernet 1/0/2 level 0 ring 1 enable # interface GigabitEthernet1/0/1 port link-type trunk port trunk allow-pass vlan 100 stp disable # interface GigabitEthernet1/0/2 port link-type trunk port trunk allow-pass vlan 5 to 6 100 200 stp disable # interface GigabitEthernet1/0/3 port default vlan 200 port trunk allow-pass vlan 5 to 6 100 # return

# sysname CE1 # vlan batch 100 # interface GigabitEthernet1/0/1 port link-type trunk port trunk allow-pass vlan 100 # return
10.7.5 Example for Configuring SEP Multi-Instance

On a closed ring network, two SEP segments are configured to process different VLAN services, implement load balancing, and provide link backup.
In common SEP networking, a physical ring can be configured with only one SEP segment in which only one interface can be blocked. If an interface in the SEP segment in the complete state is blocked, all user data is transmitted only along the path where the primary edge interface is
located. The path where the secondary edge interface is located is idle, which leads to a waste of bandwidth. To solve the problem of bandwidth waste and to implement traffic load balancing, Huawei develops SEP multi-instance. Figure 10-15 Networking diagram for configuring SEP multi-instance on a closed ring network
Network
Aggregation
GE1/0/2 LSW1 GE1/0/1
/0/3 GE1
GE1
/0/3
GE1/0/2 LSW4 GE1/0/1
GE1/0/1 LSW2 GE1/0/3
P2
GE 1/0 /2
P1
/0/2 GE1
GE1/0/1 LSW3 GE1/0/3
GE1/0/1
Access
GE1/0/1 CE1 CE2 Instance2: VLAN 301~500
SEP Segment1 SEP Segment2 Primary Edge Node Secondary Edge Node Block Port
As shown in Figure 10-15, a ring network comprising Layer 2 switches LSW1 to LSW5 is connected to the network. SEP runs at the aggregation layer. SEP multi-instance is configured on LSW1 to LSW4. This allows two SEP segments to solve the problem of bandwidth waste, implement load balancing, and provide link backup.
Issue 01 (2011-10-26)
574
The configuration roadmap is as follows: 1. 2. 3. 4. 5. 6. Create two SEP segments and one control VLAN on LSW1 to LSW4. Different SEP segments can use the same control VLAN. Configure SEP protected instances, and set mappings between SEP protected instances and user VLANs to ensure that topology changes affect only corresponding VLANs. Add all the devices on the ring network to the SEP segments, and configure GE 1/0/1 as the primary edge interface and GE 1/0/3 as the secondary edge interface on LSW1. Enable the function of specifying an interface to block on the device where the primary edge interface resides. Configure the SEP preemption mode to ensure that the specified blocked interface takes effect when a fault is rectified. Configure the Layer 2 forwarding function on CE1, CE2, and LSW1 to LSW4.
Data Preparation
To complete the configuration, you need the following data: l l l l l l ID of each SEP segment ID of a control VLAN role of each interface added to each SEP segment mode of blocking an interface preemption mode ID of each SEP protection instance
Procedure
Step 1 Configure basic SEP functions. l Configure a SEP segment with the ID of 1 and a control VLAN with the ID of 10. # Configure LSW1.
<Quidway> system-view [Quidway] sysname LSW1 [LSW1] sep segment 1 [LSW1-sep-segment1] control-vlan 10 [LSW1-sep-segment1] quit
# Configure LSW2.
<Quidway> system-view [Quidway] sysname LSW2 [LSW2] sep segment1 [LSW2-sep-segment1] control-vlan 10 [LSW2-sep-segment1] quit
# Configure LSW3.
<Quidway> system-view [Quidway] sysname LSW3 [LSW3] sep segment 1 [LSW3-sep-segment1] control-vlan 10 [LSW3-sep-segment1] quit
# Configure LSW4.
<Quidway> system-view [Quidway] sysname LSW4 [LSW4] sep segment 1
Issue 01 (2011-10-26)
575

[LSW4-sep-segment1] control-vlan 10 [LSW4-sep-segment1] quit
l Configure a SEP segment with the ID of 2 and a control VLAN with the ID of 10. # Configure LSW1.
[LSW1] sep segment 2 [LSW1-sep-segment2] control-vlan 10 [LSW1-sep-segment2] quit
# Configure LSW2.
[LSW2] sep segment2 [LSW2-sep-segment2] control-vlan 10 [LSW2-sep-segment2] quit
# Configure LSW3.
# Configure LSW4.
NOTE
l The control VLAN must be a new one. l The command used to create a common VLAN is automatically displayed in a configuration file. l Each SEP segment must be configured with a control VLAN. After being added to a SEP segment configured with a control VLAN, an interface is added to the control VLAN automatically. You do not need to run the port trunk allow-pass vlan command. In the configuration file, the port trunk allow-pass vlan command, however, is displayed in the view of the interface added to the SEP segment.
Step 2 Configure SEP protected instances, and then configure mappings between SEP protected instances and user VLANs. # Configure LSW1.
[LSW1] vlan batch 100 to 500 [LSW1] sep segment 1 [LSW1-sep-segment1] protected-instance 1 [LSW1-sep-segment1] quit [LSW1] sep segment 2 [LSW1-sep-segment2] protected-instance 2 [LSW1-sep-segment2] quit [LSW1] stp region-configuration [LSW1-mst-region] instance 1 vlan 100 to 300 [LSW1-mst-region] instance 2 vlan 301 to 500 [LSW1-mst-region] active region-configuration [LSW1-mst-region] quit
The configurations of LSW2 to LSW4 are similar to those of LSW1, and are not provided here. For details, see configuration files in this configuration example. Step 3 Add all the devices on the ring network to the SEP segments and configure interface roles.
NOTE
By default, STP is enabled on a Layer 2 interface. Before adding an interface to a SEP segment, disable STP on the interface.
# On LSW1, configure GE 1/0/1 as the primary edge interface and GE 1/0/3 as the secondary edge interface.
[LSW1] interface gigabitethernet 1/0/1 [LSW1-GigabitEthernet1/0/1] stp disable [LSW1-GigabitEthernet1/0/1] sep segment 1 edge primary [LSW1-GigabitEthernet1/0/1] sep segment 2 edge primary [LSW1-GigabitEthernet1/0/1] quit [LSW1] interface gigabitethernet 1/0/3
Issue 01 (2011-10-26)
576

[LSW1-GigabitEthernet1/0/3] [LSW1-GigabitEthernet1/0/3] [LSW1-GigabitEthernet1/0/3] [LSW1-GigabitEthernet1/0/3] stp disable sep segment 1 edge secondary sep segment 2 edge secondary quit
# Configure LSW2.
[LSW2] interface gigabitethernet 1/0/1 [LSW2-GigabitEthernet1/0/1] stp disable [LSW2-GigabitEthernet1/0/1] sep segment [LSW2-GigabitEthernet1/0/1] sep segment [LSW2-GigabitEthernet1/0/1] quit [LSW2] interface gigabitethernet 1/0/2 [LSW2-GigabitEthernet1/0/2] stp disable [LSW2-GigabitEthernet1/0/2] sep segment [LSW2-GigabitEthernet1/0/2] sep segment [LSW2-GigabitEthernet1/0/2] quit 1 2
1 2
# Configure LSW3.
[LSW3] interface gigabitethernet 1/0/1 [LSW3-GigabitEthernet1/0/1] stp disable [LSW3-GigabitEthernet1/0/1] sep segment [LSW3-GigabitEthernet1/0/1] sep segment [LSW3-GigabitEthernet1/0/1] quit [LSW3] interface gigabitethernet 1/0/2 [LSW3-GigabitEthernet1/0/2] stp disable [LSW3-GigabitEthernet1/0/2] sep segment [LSW3-GigabitEthernet1/0/2] sep segment [LSW3-GigabitEthernet1/0/2] quit 1 2
1 2
# Configure LSW4.
[LSW4] interface gigabitethernet 1/0/1 [LSW4-GigabitEthernet1/0/1] stp disable [LSW4-GigabitEthernet1/0/1] sep segment [LSW4-GigabitEthernet1/0/1] sep segment [LSW4-GigabitEthernet1/0/1] quit [LSW4] interface gigabitethernet 1/0/3 [LSW4-GigabitEthernet1/0/3] stp disable [LSW4-GigabitEthernet1/0/3] sep segment [LSW4-GigabitEthernet1/0/3] sep segment [LSW4-GigabitEthernet1/0/3] quit
1 2
1 2
Step 4 Specify an interface to block. # Configure delayed preemption and the mode of blocking an interface to be based on the device name and interface name on LSW1 where the primary edge interface is located.
[LSW1] sep segment 1 [LSW1-sep-segment1] block port sysname LSW3 interface gigabitethernet 1/0/1 [LSW1-sep-segment1] preempt delay 15 [LSW1-sep-segment1] quit [LSW1] sep segment 2 [LSW1-sep-segment2] block port sysname LSW2 interface gigabitethernet 1/0/1 [LSW1-sep-segment2] preempt delay 15 [LSW1-sep-segment2] quit
NOTE
l In this configuration example, an interface fault needs to be simulated and then rectified to implement delayed preemption. To ensure that delayed preemption takes effect on the two SEP segments, simulate an interface fault in the two SEP segment. For example: l In SEP segment 1, run the shutdown command on GE 1/0/1 of LSW2 to simulate an interface fault. Then, run the undo shutdown command on GE 1/0/1 to simulate interface fault recovery. l In SEP segment 2, run the shutdown command on GE 1/0/1 of LSW3 to simulate an interface fault. Then, run the undo shutdown command on GE 1/0/1 to simulate interface fault recovery.
Step 5 Configure the Layer 2 forwarding function on CE1, CE2, and LSW1 to LSW4.
The configuration details are not provided here. For details, see configuration files in this example. Step 6 Verify the configuration. Simulate a fault, and then check whether the status of the blocked interface changes from blocked to forwarding. Run the shutdown command on GE 1/0/1 of LSW2 to simulate an interface fault. Run the display sep interface command on LSW3 to check whether the status of GE1/0/1 in SEP segment 1 changes from blocked to forwarding.
[LSW3] display sep interface gigabitethernet 1/0/1 SEP segment 1 ---------------------------------------------------------------Interface Port Role Neighbor Status Port Status ---------------------------------------------------------------GE1/0/1 common up forwarding SEP segment 2 ---------------------------------------------------------------Interface Port Role Neighbor Status Port Status ---------------------------------------------------------------GE1/0/1 common up forwarding
The preceding command output shows that the status of GE 1/0/1 changes from blocked to forwarding and the forwarding path change in SEP segment 1 does not affect the forwarding path in SEP segment 2. ----End
Configuration Files
# sysname LSW1 # vlan batch 10 100 to 500 # stp region-configuration instance 1 vlan 100 to 300 instance 2 vlan 301 to 500 active region-configuration # sep segment 1 control-vlan 10 block port sysname LSW3 interface GigabitEthernet1/0/1 preempt delay 15 protected-instance 1 sep segment 2 control-vlan 10 block port sysname LSW2 interface GigabitEthernet1/0/1 preempt delay 15 protected-instance 2 # interface GigabitEthernet1/0/1 port hybrid tagged vlan vlan 10 100 to 500 stp disable sep segment 1 edge primary sep segment 2 edge primary # interface GigabitEthernet1/0/3 port hybrid tagged vlan 10 100 to 500 stp disable sep segment 1 edge secondary sep segment 2 edge secondary
Issue 01 (2011-10-26)
578

# return

# sysname LSW2 # vlan batch 10 100 to 500 # stp region-configuration instance 1 vlan 100 to 300 instance 2 vlan 301 to 500 active region-configuration # sep segment 1 control-vlan 10 protected-instance 1 sep segment 2 control-vlan 10 protected-instance 2 # interface GigabitEthernet1/0/1 port hybrid tagged vlan 10 100 to 500 stp disable sep segment 1 sep segment 2 # interface GigabitEthernet1/0/2 port hybrid tagged vlan 10 100 to 500 stp disable sep segment 1 sep segment 2 # interface GigabitEthernet1/0/3 port hybrid tagged vlan 100 to 300 # return

# sysname LSW3 # vlan batch 10 100 to 500 # stp region-configuration instance 1 vlan 100 to 300 instance 2 vlan 301 to 500 active region-configuration # sep segment 1 control-vlan 10 protected-instance 1 sep segment 2 control-vlan 10 protected-instance 2 # interface GigabitEthernet1/0/1 port hybrid tagged vlan 10 100 to 500 stp disable sep segment 1 sep segment 2 # interface GigabitEthernet1/0/2 port hybrid tagged vlan 10 100 to 500 stp disable sep segment 1 sep segment 2 # interface GigabitEthernet1/0/3 port hybrid tagged vlan 301 to 500
Issue 01 (2011-10-26)
579

# return

# sysname LSW4 # vlan batch 10 60 100 to 500 # stp region-configuration instance 1 vlan 100 to 300 instance 2 vlan 301 to 500 active region-configuration # sep segment 1 control-vlan 10 protected-instance 1 sep segment 2 control-vlan 10 protected-instance 2 # interface GigabitEthernet1/0/1 port hybrid tagged vlan 10 100 to 500 stp disable sep segment 1 sep segment 2 # interface GigabitEthernet1/0/3 port hybrid tagged vlan 10 100 to 500 stp disable sep segment 1 sep segment 2 # return

# sysname CE1 # vlan batch 100 to 300 # interface GigabitEthernet1/0/1 port hybrid tagged vlan 100 to 300 # return

# sysname CE2 # vlan batch 301 to 500 # interface GigabitEthernet1/0/1 port hybrid tagged vlan 301 to 500 # return
Issue 01 (2011-10-26)
580
11 Layer 2 Protocol Transparent Transmission Configuration
11
About This Chapter
Layer 2 Protocol Transparent Transmission Configuration
This chapter describes the concept, configuration procedure, and configuration examples of Layer 2 protocol transparent transmission. 11.1 Overview of Layer 2 Protocol Transparent Transmission This section describes the concept of Layer 2 protocol transparent transmission. 11.2 Layer 2 Protocol Transparent Transmission Features Supported by the S9300 This section describes the Layer 2 protocol transparent transmission features supported by the S9300. 11.3 Configuring Interface-based Layer 2 Protocol Transparent Transmission When each interface of a device on the backbone network is connected to only one user network and Layer 2 protocol packets sent from the user network do not need VLAN tags, you can configure interface-based Layer 2 protocol transparent transmission so that Layer 2 protocol packets can be transparently transmitted on the backbone network. 11.4 Configuring VLAN-based Layer 2 Protocol Transparent Transmission When each interface of devices on the backbone network is connected to multiple user networks and Layer 2 protocol packets sent from user network contain VLAN tags, you can configure VLAN-based Layer 2 protocol transparent transmission so that Layer 2 protocol packets are transparently transmitted on the backbone network. 11.5 Configuring QinQ-based Layer 2 Protocol Transparent Transmission When each interface of devices on the backbone network is connected to multiple user networks and Layer 2 protocol packets sent from user network contain VLAN tags, you can configure QinQ-based Layer 2 protocol transparent transmission so that Layer 2 protocol packets can be transparently transmitted on the backbone network and that VLAN IDs of the carrier can be saved. 11.6 Maintaining Layer 2 Protocol Transparent Transmission This section describes how to debug Layer 2 protocol transparent transmission. 11.7 Configuration Examples
Issue 01 (2011-10-26)
581
This section provides examples for configuring interface, VLAN, and QinQ based Layer 2 protocol transparent transmission.
Issue 01 (2011-10-26)
582
11.1 Overview of Layer 2 Protocol Transparent Transmission

This section describes the concept of Layer 2 protocol transparent transmission.
Background
In certain network environments, packets of Layer 2 protocols such as MSTP, HGMP, and LACP need to be transmitted between user networks across the backbone network to complete calculation of the protocols. As shown in Figure 11-1, user network 1 and user network 2 run Layer 2 protocols, for example, MSTP. Layer 2 protocol packets of user network 1 must traverse the backbone network to reach user network 2 so that the spanning tree can be calculated. Packets of a Layer 2 protocol usually use the same destination MAC address. For example, MSTP packets are BPDUs that use 0180C200-0000 as the destination MAC address. Therefore, when the BPDUs reach a PE on the backbone network, the PE cannot identify whether the BPDUs are sent from a user network or the backbone network. As a result, the PE sends the BPDUs to the CPU for spanning tree calculation. In this case, the spanning tree is calculated between the devices of user network 1 and PE1, and the devices of user network 2 are not involved in the calculation. Therefore, BPDUs of user network 1 cannot be sent to user network 2 through the backbone network. Figure 11-1 Transparent transmission of Layer 2 protocol packets on an ISP network
ISP network PE1 CE1 User network1 PE2 CE2 User network2
Layer 2 protocol transparent transmission can solve this problem. To transparently transmit Layer 2 protocol packets on the backbone network, the following requirements must be met:
l l l
Each site on a user network can receive Layer 2 protocol packets from other sites. Layer 2 protocol packets sent from a user network are not processed by CPUs of devices on the backbone network. Layer 2 protocol packets of different user networks are separated from each other.
A Layer 2 protocol packet is transparently transmitted as follows: l l l A user-side device on the backbone network replaces the multicast destination MAC address of Layer 2 protocol packets with a specified multicast MAC address. Devices on the backbone network determine whether to add an outer VLAN tag to the packet according to the transparent transmission mode. The egress device on the backbone network restores the original multicast destination MAC address of the packet according to the mappings between multicast destination MAC addresses and Layer 2 protocols. The egress device also determines whether to remove the outer VLAN tag, and then forwards the packet to the user network.
11.2 Layer 2 Protocol Transparent Transmission Features Supported by the S9300

This section describes the Layer 2 protocol transparent transmission features supported by the S9300. Based on application scenarios, the S9300 supports the following Layer 2 protocol transparent transmission features: l l l Interface-based Layer 2 protocol transparent transmission VLAN-based Layer 2 protocol transparent transmission QinQ-based Layer 2 protocol transparent transmission
Currently, the S9300 can transparently transmit packets of the following Layer 2 protocols: l l l l l l l l l l l l l l
Issue 01 (2011-10-26)
Spanning Tree Protocol (STP) Link Aggregation Control Protocol (LACP) Ethernet Operation, Administration, and Maintenance 802.3ah (EOAM3ah) Link Layer Discovery Protocol (LLDP) Generic VLAN Registration Protocol (GVRP) Generic Multicast Registration Protocol (GMRP) HUAWEI Group Management Protocol (HGMP) VLAN Trunking Protocol (VTP) Unidirectional Link Detection (UDLD) Port Aggregation Protocol (PAGP) Cisco Discovery Protocol (CDP) Per VLAN Spanning Tree Plus (PVST+) Dynamic Trunking Protocol (DTP) User-defined protocols
Interface-based Layer 2 Protocol Transparent Transmission

Figure 11-2 Networking of interface-based Layer 2 protocol transparent transmission
Port based VLAN 200 LAN-B MSTP ISP Network Port based VLAN 200 LAN-B MSTP
PE1
BPDU Tunnel 200 BPDU Tunnel 300
PE2
Port based VLAN 300 LAN-A MSTP
PE3
Port based VLAN 300 LAN-A MSTP Port based VLAN 200 LAN-B MSTP
As shown in Figure 11-2, each interface of a PE is connected to one user network. The user networks connected to the same PE belong to different LANs, namely, LAN-A and LAN-B. BPDUs sent from user networks are not tagged, but the PE needs to identify the LAN that each BPDU belongs to. BPDUs of a user network on LAN-A must be forwarded to other user networks on LAN-A, but cannot be forwarded to user networks on LAN-B. In addition, BPDUs cannot be processed by network devices of the ISP. The following methods can be used to meet the proceeding requirements: l Replace the default multicast MAC address of Layer 2 protocol packets that can be identified by PEs on the backbone network with another multicast MAC address. 1. Configure all PEs as providers. Then the multicast destination MAC address of BPDUs sent from the backbone network is changed from 01-80-C2-00-00-00 to 01-80-C2-00-00-08. Configure all devices on user networks as customers. Then the multicast destination MAC address of BPDUs sent from user networks is 01-80-C2-00-00-00. On PEs, add the interfaces connected to the same user network to the same VLAN. Then PEs add VLAN tags to received BPDUs according to default VLANs of the interfaces. PEs (providers) do not consider these packets as Layer 2 protocol BPDUs and do not send them to the CPU. Instead, PEs select a Layer 2 tunnel to forward the packets according to the default VLANs of interfaces. Internal nodes on the backbone network forward the packets across the backbone network as common Layer 2 packets.
2. 3.
4.
5.
Issue 01 (2011-10-26)
6.
The egress device on the backbone network forwards the packets to user networks without modifying the packets.
NOTE
l This method is applicable only to STP, RSTP, and MSTP. To configure a device as the provider, run the bpdu-tunnel stp bridge role provider command.
Replace the original multicast MAC address of Layer 2 protocol packets from user networks with a specified multicast MAC address.
NOTE
This method is applicable to all Layer 2 protocols.
1.
PEs identify the type (such as STP) of the Layer 2 protocol packets sent from user networks and tag the packets with corresponding VLAN IDs according to default VLANs of interfaces. PEs replace the standard multicast destination MAC address of Layer 2 protocol packets with a specified multicast MAC address according to the mappings between multicast destination MAC addresses and Layer 2 protocols. Internal nodes on the backbone network forward the packets across the backbone network as common Layer 2 packets. The egress device of the backbone network restores the original destination MAC address of the packets according to the mappings between multicast destination MAC addresses and Layer 2 protocols, and then forwards the packets to user networks.
2.
3. 4.
VLAN-based Layer 2 Protocol Transparent Transmission

Figure 11-3 Networking of VLAN-based Layer 2 protocol transparent transmission
LAN-B MSTP
LAN-B MSTP
CE-VLAN 100
CE-VLAN 100
PE 1
ISP Network
BPDU Tunnel
PE 2
CE-VLAN 200
Trunk 100-200 PE 3
Trunk 100-200
CE-VLAN 100 LAN-A MSTP LAN-B MSTP
CE-VLAN 200
LAN-A MSTP
Issue 01 (2011-10-26)
586
A PE generally functions as an aggregation device. As shown in Figure 11-3, the aggregation interface on PE1 can receive BPDUs from LAN-A and LAN-B. To differentiate BPDUs from the two LANs, BPDUs sent from CEs to PEs must have VLAN tags. In Figure 11-3, packets sent from LAN-A contain VLAN 200 and packets sent from LAN-B contain VLAN 100. Packets of certain Layer 2 protocols such as STP, RSTP, and MSTP are untagged. When receiving Layer 2 protocol packets with VLAN tags, PEs consider the packets invalid and discard them. In this case, you can configure VLAN-based Layer 2 protocol transparent transmission on PEs so that Layer 2 protocol packets can traverse the backbone network through Layer 2 tunnels. Similar to interface-based Layer 2 protocol transparent transmission, you can use either of the following methods to implement VLAN-based Layer 2 protocol transparent transmission: l Replace the default multicast MAC address of the Layer 2 protocol that can be identified by PEs with another multicast MAC address. 1. Configure all PEs as providers. Then the multicast destination MAC address of BPDUs sent from the backbone network is changed from 01-80-C2-00-00-00 to 01-80-C2-00-00-08. Configure all devices on user networks as customers. Then the multicast destination MAC address of BPDUs sent from user networks is 01-80-C2-00-00-00. Configure devices on user networks to send Layer 2 protocol packets with the specified VLAN IDs to the backbone network. Enable PEs to identify Layer 2 protocol packets with the specified VLAN IDs and allow these packets to pass. PEs (providers) do not consider these packets as Layer 2 protocol BPDUs and do not send them to the CPU. Instead, PEs select a Layer 2 tunnel to forward the packets according to the default VLANs of interfaces. Internal nodes on the backbone network forward the packets across the backbone network as common Layer 2 packets. The egress device on the backbone network forwards the packets to user networks without modifying the packets.
NOTE
2. 3. 4. 5.
6. 7.
l This method is applicable only to STP, RSTP, and MSTP. To configure a device as the provider, run the bpdu-tunnel stp bridge role provider command.
Replace the original multicast MAC address of Layer 2 protocol packets from user networks with a specified multicast MAC address.
NOTE
This method is applicable to all Layer 2 protocols.
1. 2. 3.
Configure devices on user networks to send Layer 2 protocol packets with the specified VLAN IDs to the backbone network. Enable PEs to identify Layer 2 protocol packets with the specified VLAN IDs and allow these packets to pass. PEs replace the standard multicast destination MAC address of Layer 2 protocol packets with a specified multicast MAC address according to the mappings between multicast destination MAC addresses and Layer 2 protocols.
Issue 01 (2011-10-26)
4. 5.
Internal nodes on the backbone network forward the packets across the backbone network as common Layer 2 packets. The egress device of the backbone network restores the original destination MAC address of the packets according to the mappings between multicast destination MAC addresses and Layer 2 protocols, and then forwards the packets to user networks.
QinQ-based Layer 2 Protocol Transparent Transmission

l QinQ overview The QinQ protocol is a Layer 2 tunneling protocol based on IEEE 802.1Q. The QinQ technology improves utilization of VLANs by adding another 802.1Q tag to a packet. In this manner, services on a private VLAN can be transparently transmitted to the public network. A packet transmitted on the backbone network is called a QinQ packet because it has two 802.1Q tags (a public tag and a private tag), that is, 802.1Q-in-802.1Q. Figure 11-4 shows the format of a QinQ packet. Compared with an 802.1Q packet, a QinQ packet contains an additional tag following the source address (SA) field. This tag is called an outer tag or a public tag and contains the VLAN ID of the public network. The inner tag is known as the private tag and contains the VLAN ID of the private network.
NOTE
The QinQ function configured on a Layer 2 interface is called VLAN stacking.
Figure 11-4 802.1Q encapsulation and QinQ encapsulation

802.1Q Encapsulation DA SA ETYPE TAG LEN/ETYPE DATA FCS 6 Bytes 6 Bytes 2 Bytes 2 Bytes 2 Bytes 46 Byte~1500 Bytes 4 Bytes QinQ Encapsulation DA SA ETYPE TAG ETYPE TAG LEN/ETYPE DATA FCS 6 Bytes 6 Bytes 2 Bytes 2 Bytes 2 Bytes 2 Bytes 2 Bytes 46 Byte~1500 Bytes 4 Bytes
0x8100
Priority
CFI VLAN ID
QinQ-based Layer 2 protocol transparent transmission
Issue 01 (2011-10-26)
588
Figure 11-5 Networking of QinQ-based Layer 2 protocol transparent transmission
LAN-B MSTP
PE-VLAN20:CE-VLAN 100~199
LAN-B MSTP
PE 1
CE-VLAN 100 CE-VLAN 200
ISP Network BPDU Tunnel BPDU Tunnel
PE 2
CE-VLAN 100 CE-VLAN 200
PE-VLAN30:CE-VLAN 200~299
LAN-A MSTP
LAN-A MSTP
When a great number of user networks are connected to the backbone network, considerable VLAN IDs of the ISP are required if packets are transparently transmitted based on VLANs. In this case, BPDUs can be forwarded in QinQ mode on the backbone network. As shown in Figure 11-5, QinQ-based Layer 2 protocol transparent transmission is configured on aggregation interfaces of PEs. Packets from different user networks are encapsulated in different outer VLAN tags. QinQ-based Layer 2 protocol transparent transmission is implemented as follows: 1. 2. 3. 4. Configure devices on user networks to send Layer 2 protocol packets with the specified VLAN IDs to the backbone network. Enable Layer 2 protocol transparent transmission and QinQ on interfaces of the ingress device on the backbone network. Configure PEs to add different outer VLAN tags (public VLAN IDs) to packets according to customer VLAN IDs. PEs select different Layer 2 tunnels according to outer VLAN tags of packets. Then the Layer 2 protocol packets are forwarded by internal nodes on the backbone network as common Layer 2 packets. Enable Layer 2 protocol transparent transmission and QinQ on interfaces of the egress device on the backbone network. The egress device removes outer VLAN tags of the packets and forwards the packets to user networks according to customer VLAN IDs.
5. 6.
As shown in Figure 11-5, PEs add outer VLAN 20 to Layer 2 protocol packets of VLAN 100 to VLAN 199 and add outer VLAN 30 to Layer 2 protocol packets of VLAN 200 to VLAN 299, and then forward the packets to other devices on the backbone network. In this
way, Layer 2 protocol packets of different user networks can be transparently transmitted on the backbone network, and VLAN IDs of the carrier are saved.
11.3 Configuring Interface-based Layer 2 Protocol Transparent Transmission

When each interface of a device on the backbone network is connected to only one user network and Layer 2 protocol packets sent from the user network do not need VLAN tags, you can configure interface-based Layer 2 protocol transparent transmission so that Layer 2 protocol packets can be transparently transmitted on the backbone network.

When each interface of a device on the backbone network is connected to only one user network and Layer 2 protocol packets sent from the user network do not need VLAN tags, you can configure interface-based Layer 2 protocol transparent transmission. In this way, Layer 2 protocol packets from user networks are transmitted to destination user networks through different Layer 2 tunnels on the backbone network to implement calculation of Layer 2 protocols.
Before configuring interface-based Layer 2 protocol transparent transmission, complete the following tasks: l l Connecting interfaces correctly Configuring VLANs on Layer 2 interfaces
Data Preparation
To configure interface-based Layer 2 protocol transparent transmission, you need the following data. No. 1 2 3 Data Name of the user-defined protocol Destination MAC address of Layer 2 protocol packets and multicast MAC address that replaces the destination MAC address Names of the user-side interfaces on PEs and their default VLANs
11.3.2 (Optional) Defining Characteristic Information About a Layer 2 Protocol

Context
When non-standard Layer 2 protocol packets with a certain multicast destination address need to be transparently transmitted on the backbone network, you can define characteristic information about the Layer 2 protocol. Do as follows on PEs.
Procedure
Step 1 Run:
system-view

l2protocol-tunnel user-defined-protocol protocol-name protocol-mac protocol-mac [ encape-type { { ethernetii | snap } protocol-type protocol-type | llc dsap dsapvalue ssap ssap-value } ] group-mac { group-mac | default-group-mac }
The characteristic information about the Layer 2 protocol is defined, including the protocol name, Ethernet encapsulation format and destination MAC address of Layer 2 protocol packets, and MAC address that replaces the destination MAC address. When defining characteristic information about a Layer 2 protocol, do not use the following multicast MAC addresses to replace the destination MAC address of Layer 2 protocol packets: l Destination MAC addresses of BPDUs: 0180-C200-0000 to 0180-C200-002F l Destination MAC address of Smart Link packets: 010F-E200-0004 l Special multicast MAC addresses: 0100-0CCC-CCCC and 0100-0CCC-CCCD l Common multicast MAC addresses that have been used on the device ----End
11.3.3 Configuring the Transparent Transmission Mode of Layer 2 Protocol Packets

Context
To implement transparent transmission of Layer 2 protocol packets, replace the default multicast MAC address of the Layer 2 protocol that can be identified by PEs with another multicast MAC address or replace the original multicast destination MAC address of Layer 2 protocol packets from user networks with a specified multicast MAC address. Use either of the following methods on PEs according to the Layer 2 protocol type and the required transparent transmission mode.
Procedure
l Replace the default multicast MAC address of the Layer 2 protocol that can be identified by PEs with another multicast MAC address. 1. Run:
system-view
Issue 01 (2011-10-26)
591

bpdu-tunnel stp bridge role provider
The PE is configured as a provider.

NOTE
l This method is applicable only to STP, RSTP, and MSTP.
Replace the original multicast MAC address of Layer 2 protocol packets from user networks with a specified multicast MAC address. 1. Run:
system-view

l2protocol-tunnel protocol-type group-mac group-mac
The original multicast destination MAC address of Layer 2 protocol packets is replaced with a specified multicast MAC address.
NOTE
This method is applicable to all Layer 2 protocols. When configuring Layer 2 protocol transparent transmission, do not use the following multicast MAC addresses to replace the destination MAC address of Layer 2 protocol packets: l Destination MAC addresses of BPDUs: 0180-C200-0000 to 0180-C200-002F l Destination MAC address of Smart Link packets: 010F-E200-0004 l Special multicast MAC addresses: 0100-0CCC-CCCC and 0100-0CCC-CCCD l Common multicast MAC addresses that have been used on the device
----End
11.3.4 Enabling Layer 2 Protocol Transparent Transmission on an Interface

Context
Do as follows on PEs according to the type of Layer 2 protocol packets to be transparently transmitted.
Procedure
Step 1 Run:
system-view

The user-side interface view is displayed. Step 3 Run:

port hybrid pvid vlan vlan-id
Issue 01 (2011-10-26)
592
The default VLAN of the interface is configured. Step 4 Run:

The interface is added to the default VLAN in untagged mode. Step 5 Run:
port hybrid tagged vlan { { vlan-id1 [ to vlan-id2 ] } &<1-10> | all }
The interface is added to the specified VLANs in tagged mode.

NOTE
The range of VLAN IDs specified in this step must include VLAN IDs of Layer 2 protocol packets from user networks.
Step 6 Run:
l2protocol-tunnel { all | protocol-type | user-defined-protocol protocol-name } enable
Layer 2 protocol transparent transmission is enabled on the interface.

NOTE
l For details on how to add an interface to VLANs, see the VLAN configuration in the S9300 Configuration Guide- Ethernet. l Before specifying a user-defined protocol in the l2protocol-tunnel command, run the l2protocoltunnel user-defined-protocol command to define characteristic information about the Layer 2 protocol. STP packets have a default MAC address for replacing the original destination MAC address. For packets of other Layer 2 protocols, you need to configure a global MAC address to replace the destination MAC address. For details, see l2protocol-tunnel group-mac. l The l2protocol-tunnel and l2protocol-tunnel vlan commands cannot specify the same protocol type on the same interface; otherwise, the configurations conflict.
----End
11.3.5 Checking Configuration

Context
Configurations of interface-based Layer 2 protocol transparent transmission are complete.
Procedure
l Run the display l2protocol-tunnel group-mac { all | protocol-type | user-definedprotocol protocol-name } command to check information about transparent transmission of specified or all Layer 2 protocol packets.
----End
11.4 Configuring VLAN-based Layer 2 Protocol Transparent Transmission

When each interface of devices on the backbone network is connected to multiple user networks and Layer 2 protocol packets sent from user network contain VLAN tags, you can configure
VLAN-based Layer 2 protocol transparent transmission so that Layer 2 protocol packets are transparently transmitted on the backbone network.

When each interface of devices on the backbone network is connected to multiple user networks and Layer 2 protocol packets sent from user networks contain VLAN tags, you can configure VLAN-based Layer 2 protocol transparent transmission. In this way, Layer 2 protocol packets from user networks are transmitted to destination user networks through different Layer 2 tunnels on the backbone network to implement calculation of Layer 2 protocols.
Before configuring VLAN-based Layer 2 protocol transparent transmission, complete the following task: l Connecting interfaces correctly
Data Preparation
To configure VLAN-based Layer 2 protocol transparent transmission, you need the following data. No. 1 2 3 Data Name of the user-defined protocol Destination MAC address of Layer 2 protocol packets and multicast MAC address that replaces the destination MAC address Names of user-side interfaces on PEs and VLANs allowed by user-side interfaces

Context
Procedure
Step 1 Run:
system-view
Issue 01 (2011-10-26)
594

The characteristic information about the Layer 2 protocol is defined, including the protocol name, Ethernet encapsulation format and destination MAC address of Layer 2 protocol packets, and MAC address that replaces the destination MAC address. When defining characteristic information about a Layer 2 protocol, do not use the following multicast MAC addresses to replace the destination MAC address of Layer 2 protocol packets: l Destination MAC addresses of BPDUs: 0180-C200-0000 to 0180-C200-002F l Destination MAC address of Smart Link packets: 010F-E200-0004 l Special multicast MAC addresses: 0100-0CCC-CCCC and 0100-0CCC-CCCD l Common multicast MAC addresses that have been used on the device ----End

Context
Procedure
system-view


NOTE
system-view
Issue 01 (2011-10-26)
595

NOTE
This method is applicable to all Layer 2 protocols. When configuring Layer 2 protocol transparent transmission, do not use the following multicast MAC addresses to replace the destination MAC address of Layer 2 protocol packets: l Destination MAC addresses of BPDUs: 0180-C200-0000 to 0180-C200-002F l Destination MAC address of Smart Link packets: 010F-E200-0004 l Special multicast MAC addresses: 0100-0CCC-CCCC and 0100-0CCC-CCCD l Common multicast MAC addresses that have been used on the device
----End
11.4.4 Enabling VLAN-based Layer 2 Protocol Transparent Transmission on an Interface

Context
Procedure
Step 1 Run:
system-view


port hybrid tagged vlan { { vlan-id1 [ to vlan-id2 ] } &<1-10> | all }
The interface is added to the specified VLANs in tagged mode.

NOTE
The range of VLAN IDs specified in this step must include VLAN IDs of Layer 2 protocol packets from user networks.
Step 4 Run:
l2protocol-tunnel { all | protocol-type | user-defined-protocol protocol-name } { vlan low-id [ to high-id ] } &<1-10>
VLAN-based Layer 2 protocol transparent transmission is enabled on the interface.


NOTE
l For details on how to add an interface to VLANs in tagged mode, see the VLAN configuration in the S9300 Configuration Guide- Ethernet. l Before specifying a user-defined protocol in the l2protocol-tunnel vlan command, run the l2protocoltunnel user-defined-protocol command to define characteristic information about the Layer 2 protocol. STP packets have a default MAC address for replacing the original destination MAC address. For packets of other Layer 2 protocols, you need to configure a global MAC address to replace the destination MAC address. For details, see l2protocol-tunnel group-mac. l The l2protocol-tunnel vlan and l2protocol-tunnel commands cannot specify the same protocol type on the same interface; otherwise, the configurations conflict.
----End

Context
Configurations of Layer 2 protocol transparent transmission are complete.
Procedure
----End
11.5 Configuring QinQ-based Layer 2 Protocol Transparent Transmission

When each interface of devices on the backbone network is connected to multiple user networks and Layer 2 protocol packets sent from user network contain VLAN tags, you can configure QinQ-based Layer 2 protocol transparent transmission so that Layer 2 protocol packets can be transparently transmitted on the backbone network and that VLAN IDs of the carrier can be saved.

When each interface of devices on the backbone network is connected to multiple user networks and Layer 2 protocol packets sent from user networks contain VLAN tags, you can configure QinQ-based Layer 2 protocol transparent transmission to save VLAN IDs of the carrier. In this way, devices on the backbone network select tunnels for Layer 2 protocol packets according to outer VLAN IDs of packets so that Layer 2 protocol packets of different VLANs are transmitted across the backbone network through different tunnels.
Before configuring QinQ-based Layer 2 protocol transparent transmission, complete the following task:
Connecting interfaces correctly
Data Preparation
To configure QinQ-based Layer 2 protocol transparent transmission, you need the following data. No. 1 2 3 4 Data Name of the user-defined protocol Destination MAC address and group MAC address of Layer 2 protocol packets Names of user-side interfaces on PEs, default VLAN IDs, and VLANs allowed by user-side interfaces Outer VLAN IDs added to Layer 2 protocol packets

Context
Procedure
Step 1 Run:
system-view

The characteristic information about the Layer 2 protocol is defined, including the protocol name, Ethernet encapsulation format and destination MAC address of Layer 2 protocol packets, and MAC address that replaces the destination MAC address. When defining characteristic information about a Layer 2 protocol, do not use the following multicast MAC addresses to replace the destination MAC address of Layer 2 protocol packets: l Destination MAC addresses of BPDUs: 0180-C200-0000 to 0180-C200-002F l Destination MAC address of Smart Link packets: 010F-E200-0004 l Special multicast MAC addresses: 0100-0CCC-CCCC and 0100-0CCC-CCCD
l Common multicast MAC addresses that have been used on the device ----End

Context
Procedure
system-view


NOTE
system-view

NOTE
When configuring Layer 2 protocol transparent transmission, do not use the following multicast MAC addresses to replace the destination MAC address of Layer 2 protocol packets: l Destination MAC addresses of BPDUs: 0180-C200-0000 to 0180-C200-002F l Destination MAC address of Smart Link packets: 010F-E200-0004 l Special multicast MAC addresses: 0100-0CCC-CCCC and 0100-0CCC-CCCD l Common multicast MAC addresses that have been used on the device
----End
11.5.4 Enabling QinQ-based Layer 2 Transparent Transmission on an Interface

Context
Procedure
Step 1 Run:
system-view


port hybrid untagged vlan { { vlan-id1 [ to vlan-id2 ] } &<1-10> | all }
The interface is added to the specified VLANs in untagged mode. Step 4 Run:
port vlan-stacking vlan vlan-id1 [ to vlan-id2 ] stack-vlan vlan-id3
The interface is configured to add an outer VLAN tag to the Layer 2 protocol packets. Step 5 Run:
l2protocol-tunnel { all | protocol-type | user-defined-protocol protocol-name } { vlan low-id [ to high-id ] } &<1-10>
VLAN-based Layer 2 protocol transparent transmission is enabled on the interface.

NOTE
l The outer VLAN tag (vlan-id3) specified in step 5 must be included in the VLAN range specified in step 6. l For details on how to add an interface to VLANs in untagged mode, see the VLAN configuration in the S9300 Configuration Guide- Ethernet. l Before specifying a user-defined protocol in the l2protocol-tunnel vlan command, run the l2protocoltunnel user-defined-protocol command to define characteristic information about the Layer 2 protocol. STP packets have a default MAC address for replacing the original destination MAC address. For packets of other Layer 2 protocols, you need to configure a global MAC address to replace the destination MAC address. For details, see l2protocol-tunnel group-mac. l The l2protocol-tunnel vlan and l2protocol-tunnel commands cannot specify the same protocol type on the same interface; otherwise, the configurations conflict.
----End

Context
Configurations of Layer 2 protocol transparent transmission are complete.
Procedure
----End
11.6 Maintaining Layer 2 Protocol Transparent Transmission

This section describes how to debug Layer 2 protocol transparent transmission.
11.6.1 Debugging Layer 2 Protocol Transparent Transmission

Context
CAUTION
Debugging affects the performance of the system. So, after debugging, run the undo debugging all command to disable it immediately. When a fault occurs during Layer 2 protocol transparent transmission, run the following debugging command in the user view to locate the fault.
Procedure
l Run the debugging l2protocol-tunnel [ msg | error | event ] command in the user view to enable Layer 2 protocol transparent transmission.
----End

This section provides examples for configuring interface, VLAN, and QinQ based Layer 2 protocol transparent transmission.
11.7.1 Example for Configuring Interface-based Layer 2 Protocol Transparent Transmission

As shown in Figure 11-6, CEs on user networks communicate with each other through PEs and STP runs on user networks; therefore, STP packets sent from CEs must be transmitted through the backbone network between PEs. Each PE interface is connected to only one CE and receives STP packets from the CE. In this scenario, configure interface-based Layer 2 protocol transparent transmission.
In this example, PEs on the backbone network transparently transmit STP packets sent from CEs by replacing the original multicast destination MAC address of STP packets with a specified MAC address. By default, the destination MAC address of STP packets is 0180-C200-0000. Figure 11-6 Networking of interface-based Layer 2 protocol transparent transmission
VLAN100
VLAN100
CE1
GE 1/0/0
CE2 PE1 PE2

GE 1/0/2 GE 1/0/2 GE 1/0/0 GE 1/0/0 GE 1/0/1 GE 1/0/0
GE 1/0/0 GE 1/0/1 GE 1/0/0
CE3
CE4
VLAN200
VLAN200
The configuration roadmap is as follows: 1. 2. 3. 4. Configure STP on CEs. Add user-side interfaces of PEs to the specified VLANs. Configure interface-based Layer 2 protocol transparent transmission on PEs. Configure network-side interfaces of PEs to allow packets of VLAN 100 and VLAN 200 to pass.
Data Preparation
To complete the configuration, you need the following data: l l IDs of VLANs that user-side interfaces of PEs belong to IDs of VLANs allowed by network-side interfaces of PEs
Procedure
Step 1 Enable STP on CEs and PEs. # Configure CE1.
<Quidway> system-view [Quidway] sysname CE1
Issue 01 (2011-10-26)
602
[CE1] vlan 100 [CE1-vlan100] quit [CE1] stp enable [CE1] interface gigabitethernet 1/0/0 [CE1-GigabitEthernet1/0/0] port hybrid pvid vlan 100 [CE1-GigabitEthernet1/0/0] port hybrid untagged vlan 100
# Configure CE2.
<Quidway> system-view [Quidway] sysname CE2 [CE2] vlan 100 [CE2-vlan100] quit [CE2] stp enable [CE2] interface gigabitethernet 1/0/0 [CE2-GigabitEthernet1/0/0] port hybrid pvid vlan 100 [CE2-GigabitEthernet1/0/0] port hybrid untagged vlan 100
# Configure CE3.
# Configure CE4.
# Configure PE1.
<Quidway> system-view [Quidway] sysname PE1 [PE1]
# Configure PE2.
<Quidway> system-view [Quidway] sysname PE2 [PE2]
Step 2 On PE1 and PE2, add GE 1/0/0 to VLAN 100, add GE 1/0/1 to VLAN 200, and enable Layer 2 protocol transparent transmission. # Configure PE1.
[PE1] vlan 100 [PE1-vlan100] quit [PE1] interface GigabitEthernet 1/0/0 [PE1-GigabitEthernet1/0/0] port hybrid pvid vlan 100 [PE1-GigabitEthernet1/0/0] port hybrid untagged vlan 100 [PE1-GigabitEthernet1/0/0] l2protocol-tunnel stp enable [PE1-GigabitEthernet1/0/0] quit [PE1] vlan 200 [PE1-vlan200] quit [PE1] interface GigabitEthernet 1/0/1 [PE1-GigabitEthernet1/0/1] port hybrid pvid vlan 200 [PE1-GigabitEthernet1/0/1] port hybrid untagged vlan 200
Issue 01 (2011-10-26)
603
[PE1-GigabitEthernet1/0/1] l2protocol-tunnel stp enable [PE1-GigabitEthernet1/0/1] quit
# Configure PE2.
[PE2] vlan 100 [PE2-vlan100] quit [PE2] interface GigabitEthernet 1/0/0 [PE2-GigabitEthernet1/0/0] port hybrid pvid vlan 100 [PE2-GigabitEthernet1/0/0] port hybrid untagged vlan 100 [PE2-GigabitEthernet1/0/0] l2protocol-tunnel stp enable [PE2-GigabitEthernet1/0/0] quit [PE2] vlan 200 [PE2-vlan200] quit [PE2] interface GigabitEthernet 1/0/1 [PE2-GigabitEthernet1/0/1] port hybrid pvid vlan 200 [PE2-GigabitEthernet1/0/1] port hybrid untagged vlan 200 [PE2-GigabitEthernet1/0/1] l2protocol-tunnel stp enable [PE2-GigabitEthernet1/0/1] quit
Step 3 Configure PEs to replace the destination MAC address of STP packets received from CEs. # Configure PE1.
[PE1] l2protocol-tunnel stp group-mac 0100-5e00-0011
# Configure PE2.
Step 4 On PE1 and PE2, configure network-side interface GE 1/0/2 to allow packets of VLAN 100 and VLAN 200 to pass. # Configure PE1.
[PE1] interface gigabitethernet 1/0/2 [PE1-GigabitEthernet1/0/2] port hybrid tagged vlan 100 200 [PE1-GigabitEthernet1/0/2] quit
# Configure PE2.
[PE2] interface gigabitethernet 1/0/2 [PE2-GigabitEthernet1/0/2] port hybrid tagged vlan 100 200 [PE2-GigabitEthernet1/0/2] quit
Step 5 Verify the configuration. After the configuration, run the display l2protocol-tunnel group-mac command, and you can view the protocol type or name, original destination MAC address, new destination MAC address, and priority of Layer 2 protocol packets to be transparently transmitted. Take the display on PE1 as an example.
<PE1> display l2protocol-tunnel group-mac stp Protocol EncapeType ProtocolType Protocol-MAC Group-MAC Pri ----------------------------------------------------------------------------stp llc dsap 0x42 0180-c200-0000 0100-5e00-0011 0 ssap 0x42
Run the display stp command on CE1 and CE2 to view the root in the MST region. You can find that a spanning tree is calculated between CE1 and CE2. GE 1/0/0 of CE1 is a root port, and CE 1/0/0 of CE2 is a designated port.
<CE1> display stp -------[CIST Global CIST Bridge Bridge Times CIST Root/ERPC Info] [Mode MSTP] ------:32768.00e0-fc9f-3257 :Hello 2s MaxAge 20s FwDly 15s MaxHop 20 :32768.00e0-fc9a-4315 / 199999
Issue 01 (2011-10-26)
604
CIST RegRoot/IRPC :32768.00e0-fc9f-3257 / 0 CIST RootPortId :128.82 BPDU-Protection :disabled TC or TCN received :6 TC count per hello :6 STP Converge Mode :Normal Share region-configuration :enabled Time since last TC received :0 days 2h:24m:36s ----[Port1(GigabitEthernet1/0/0)] [FORWARDING] ---Port Protocol :enabled Port Role :Root Port Port Priority :128 Port Cost(Dot1T ) :Config=auto / Active=200000000 Desg. Bridge/Port :32768.00e0-fc9a-4315 / 128.82 Port Edged :Config=disabled / Active=disabled Point-to-point :Config=auto / Active=true Transit Limit :147 packets/hello-time Protection Type :None Port Stp Mode :MSTP Port Protocol Type :Config=auto / Active= dot1s BPDU Encapsulation :Config=stp / Active=stp PortTimes :Hello 2s MaxAge 20s FwDly 15s RemHop 20 TC or TCN send :0 TC or TCN received :0 BPDU Sent :6 TCN: 0, Config: 0, RST: 0, MST: 6 BPDU Received :4351 TCN: 0, Config: 0, RST: 0, MST: 4351 <CE2> display stp -------[CIST Global Info] [Mode MSTP] ------CIST Bridge :32768.00e0-fc9a-4315 Bridge Times :Hello 2s MaxAge 20s FwDly 15s MaxHop 20 CIST Root/ERPC :32768.00e0-fc9a-4315 / 0 CIST RegRoot/IRPC :32768.00e0-fc9a-4315 / 0 CIST RootPortId :0.0 BPDU-Protection :disabled TC or TCN received :3 TC count per hello :3 STP Converge Mode :Normal Time since last TC received :0 days 2h:26m:42s ----[Port1(GigabitEthernet1/0/0)] [FORWARDING] ---Port Protocol :enabled Port Role :Designated Port Port Priority :128 Port Cost(Dot1T ) :Config=auto / Active=200000000 Desg. Bridge/Port :32768.00e0-fc9a-4315 / 128.82 Port Edged :Config=disabled / Active=disabled Point-to-point :Config=auto / Active=true Transit Limit :147 packets/hello-time Protection Type :None Port Stp Mode :MSTP Port Protocol Type :Config=auto / Active= dot1s BPDU Encapsulation :Config=stp / Active=stp PortTimes :Hello 2s MaxAge 20s FwDly 15s RemHop 20 TC or TCN send :0 TC or TCN received :0 BPDU Sent :4534 TCN: 0, Config: 0, RST: 0, MST: 4534 BPDU Received :6 TCN: 0, Config: 0, RST: 0, MST: 6
<CE3> display stp -------[CIST Global Info][Mode MSTP]------CIST Bridge :32768.000b-0967-58a0 Bridge Times :Hello 2s MaxAge 20s FwDly 15s MaxHop 20
Issue 01 (2011-10-26)
605
CIST Root/ERPC :32768.000b-0952-f13e / 199999 CIST RegRoot/IRPC :32768.000b-0967-58a0 / 0 CIST RootPortId :128.82 BPDU-Protection :disabled TC or TCN received :0 TC count per hello :0 STP Converge Mode :Normal Time since last TC received :0 days 10h:54m:37s ----[Port1(GigabitEthernet1/0/0)][FORWARDING]---Port Protocol :enabled Port Role :Root Port Port Priority :128 Port Cost(Dot1T ) :Config=auto / Active=200000000 Desg. Bridge/Port :32768.000b-0952-f13e / 128.82 Port Edged :Config=disabled / Active=disabled Point-to-point :Config=auto / Active=true Transit Limit :147 packets/hello-time Protection Type :None Port Stp Mode :MSTP Port Protocol Type :Config=auto / Active= dot1s BPDU Encapsulation :Config=stp / Active=stp PortTimes :Hello 2s MaxAge 20s FwDly 15s RemHop 20 TC or TCN send :0 TC or TCN received :0 BPDU Sent :114 TCN: 0, Config: 0, RST: 0, MST: 114 BPDU Received :885 TCN: 0, Config: 0, RST: 0, MST: 885 <CE4> display stp -------[CIST Global Info][Mode MSTP]------CIST Bridge :32768.000b-0952-f13e Bridge Times :Hello 2s MaxAge 20s FwDly 15s MaxHop 20 CIST Root/ERPC :32768.000b-0952-f13e / 0 CIST RegRoot/IRPC :32768.000b-0952-f13e / 0 CIST RootPortId :0.0 BPDU-Protection :disabled TC or TCN received :4 TC count per hello :4 STP Converge Mode :Normal Time since last TC received :0 days 8h:59m:18s ----[Port1(GigabitEthernet1/0/0)][FORWARDING]---Port Protocol :enabled Port Role :Designated Port Port Priority :128 Port Cost(Dot1T ) :Config=auto / Active=200000000 Desg. Bridge/Port :32768.000b-0952-f13e / 128.82 Port Edged :Config=disabled / Active=disabled Point-to-point :Config=auto / Active=true Transit Limit :147 packets/hello-time Protection Type :None Port Stp Mode :MSTP Port Protocol Type :Config=auto / Active= dot1s BPDU Encapsulation :Config=stp / Active=stp PortTimes :Hello 2s MaxAge 20s FwDly 15s RemHop 20 TC or TCN send :0 TC or TCN received :0 BPDU Sent :1834 TCN: 0, Config: 0, RST: 0, MST: 1834 BPDU Received :1 TCN: 0, Config: 0, RST: 0, MST: 1
----End
Configuration Files
# sysname CE1
Issue 01 (2011-10-26)
606
# vlan batch 100 # stp enable # interface GigabitEthernet1/0/0 port hybrid pvid vlan 100 port hybrid untagged vlan 100 # return

# sysname CE2 # vlan batch 100 # stp enable # interface GigabitEthernet1/0/0 port hybrid pvid vlan 100 port hybrid untagged vlan 100 # return



# sysname PE1 # vlan batch 100 200 # l2protocol-tunnel stp group-mac 0100-5e00-0011 # interface GigabitEthernet1/0/0 port hybrid pvid vlan 100 port hybrid untagged vlan 100 l2protocol-tunnel stp enable # interface GigabitEthernet1/0/1 port hybrid pvid vlan 200 port hybrid untagged vlan 200
Issue 01 (2011-10-26)
607
l2protocol-tunnel stp enable # interface GigabitEthernet1/0/2 port hybrid tagged vlan 100 200 # return

# sysname PE2 # vlan batch 100 200 # l2protocol-tunnel stp group-mac 0100-5e00-0011 # interface GigabitEthernet1/0/0 port hybrid pvid vlan 100 port hybrid untagged vlan 100 l2protocol-tunnel stp enable # interface GigabitEthernet1/0/1 port hybrid pvid vlan 200 port hybrid untagged vlan 200 l2protocol-tunnel stp enable # interface GigabitEthernet1/0/2 port hybrid tagged vlan 100 200 # return
11.7.2 Example for Configuring VLAN-based Layer 2 Protocol Transparent Transmission

As shown in Figure 11-7, CEs on user networks communicate with each other through PEs and STP runs on user networks; therefore, STP packets sent from CEs must be transmitted through the backbone network between PEs. Each PE interface is an aggregation interface. PEs identify STP packets from different user networks according to VLAN tags of STP packets. In this scenario, configure VLAN-based Layer 2 protocol transparent transmission to ensure that: l l All the devices in VLAN 100 participate in calculation of a spanning tree. All the devices in VLAN 200 participate in calculation of a spanning tree.
In this example, PEs transparently transmit STP packets sent from user networks by replacing the original multicast destination MAC address of STP packets with a specified multicast MAC address. By default, the destination MAC address of STP packets is 0180-C200-0000.
Issue 01 (2011-10-26)
608
Figure 11-7 Networking of VLAN-based Layer 2 protocol transparent transmission
PE1
GE1/0/0 GE1/0/0 GE1/0/1 GE1/0/0 GE1/0/2 GE1/0/0
P
GE1/0/0 GE1/0/1 GE1/0/1 GE1/0/0
PE2
GE1/0/2 GE1/0/0
CE1
VLAN 100
CE3
VLAN 200
CE2
VLAN 100
CE4
VLAN 200
The configuration roadmap is as follows: 1. 2. 3. 4. 5. Enable STP on the CEs. Configure CEs to send STP packets with specified VLAN tags to PEs. Configure VLAN-based Layer 2 protocol transparent transmission on PEs. Configure network-side interfaces of PEs to allow packets of VLAN 100 and VLAN 200 to pass. Configure the Layer 2 forwarding function on the P device so that packets sent from PEs can be transmitted on the backbone network.
Data Preparation
To complete the configuration, you need the following data: l l VLAN tags in STP packets sent from CEs to PEs IDs of the VLANs that interfaces of PEs and CEs belong to
Procedure
[CE1] stp enable
# Configure CE2.
[CE2] stp enable
# Configure CE3.
[CE3] stp enable
# Configure CE4.
[CE4] stp enable
Issue 01 (2011-10-26)
609
Step 2 Configure CE1 and CE2 to send STP packets with VLAN tag 100 to PEs and configure CE3 and CE4 to send STP packets with VLAN tag 200 to PEs. # Configure CE1.
[CE1] vlan 100 [CE1-vlan100] quit [CE1] interface gigabitethernet 1/0/0 [CE1-GigabitEthernet1/0/0] port hybrid tagged vlan 100 [CE1-GigabitEthernet1/0/0] stp bpdu vlan 100
# Configure CE2.
# Configure CE3.
# Configure CE4.
Step 3 Configure PE interfaces to transparently transmit STP packets of CEs to the P device. # Configure PE1.
[PE1] vlan 100 [PE1-vlan100] quit [PE1] vlan 200 [PE1-vlan200] quit [PE1] interface gigabitethernet 1/0/0 [PE1-GigabitEthernet1/0/0] port hybrid tagged vlan 100 200 [PE1-GigabitEthernet1/0/0] quit [PE1] interface gigabitethernet 1/0/1 [PE1-GigabitEthernet1/0/1] port hybrid tagged vlan 100 [PE1-GigabitEthernet1/0/1] l2protocol-tunnel stp vlan 100 [PE1-GigabitEthernet1/0/1] quit [PE1] interface gigabitethernet 1/0/2 [PE1-GigabitEthernet1/0/2] port hybrid tagged vlan 200 [PE1-GigabitEthernet1/0/2] l2protocol-tunnel stp vlan 200 [PE1-GigabitEthernet1/0/2] quit
# Configure PE2.
[PE2] vlan 100 [PE2-vlan100] quit [PE2] vlan 200 [PE2-vlan200] quit [PE2] interface gigabitethernet 1/0/0 [PE2-GigabitEthernet1/0/0] port hybrid tagged vlan 100 200 [PE2-GigabitEthernet1/0/0] quit [PE2] interface gigabitethernet 1/0/1 [PE2-GigabitEthernet1/0/1] port hybrid tagged vlan 100 [PE2-GigabitEthernet1/0/1] l2protocol-tunnel stp vlan 100 [PE2-GigabitEthernet1/0/1] quit [PE2] interface gigabitethernet 1/0/2
Issue 01 (2011-10-26)
610
[PE2-GigabitEthernet1/0/2] port hybrid tagged vlan 200 [PE2-GigabitEthernet1/0/2] l2protocol-tunnel stp vlan 200 [PE2-GigabitEthernet1/0/2] quit
# Configure PE2.
Step 5 Configure the Layer 2 forwarding function on the P device and configure it to allow packets of VLAN 100 and VLAN 200 to pass.
[P] vlan 100 [P-vlan100] quit [P] vlan 200 [P-vlan200] quit [P] interface gigabitethernet [P-GigabitEthernet1/0/0] port [P-GigabitEthernet1/0/0] quit [P] interface gigabitethernet [P-GigabitEthernet1/0/1] port [P-GigabitEthernet1/0/1] quit
1/0/0 hybrid tagged vlan 100 200 1/0/1 hybrid tagged vlan 100 200
Step 6 Verify the configuration. After the configuration, run the display l2protocol-tunnel group-mac command. You can view the protocol type or name, original destination MAC address, new destination MAC address, and priority of Layer 2 protocol packets to be transparently transmitted. Take the ouput on PE1 as an example.
<CE1> display stp -------[CIST Global Info][Mode MSTP]------CIST Bridge :32768.000b-09f0-1b91 Bridge Times :Hello 2s MaxAge 20s FwDly 15s MaxHop 20 CIST Root/ERPC :32768.000b-09d4-b66c / 199999 CIST RegRoot/IRPC :32768.000b-09f0-1b91 / 0 CIST RootPortId :128.82 BPDU-Protection :disabled TC or TCN received :2 TC count per hello :2 STP Converge Mode :Normal Share region-configuration :enabled Time since last TC received :0 days 3h:53m:43s ----[Port17(GigabitEthernet1/0/0)][FORWARDING]---Port Protocol :enabled Port Role :Root Port Port Priority :128 Port Cost(Dot1T ) :Config=auto / Active=200000000 Desg. Bridge/Port :32768.000b-09d4-b66c / 128.82 Port Edged :Config=disabled / Active=disabled Point-to-point :Config=auto / Active=true Transit Limit :147 packets/hello-time Protection Type :None
Issue 01 (2011-10-26)
611
Port Stp Mode :MSTP Port Protocol Type :Config=auto / Active= dot1s BPDU Encapsulation :Config=stp / Active=stp PortTimes :Hello 2s MaxAge 20s FwDly 15s RemHop 20 TC or TCN send :0 TC or TCN received :0 BPDU Sent :237 TCN: 0, Config: 0, RST: 0, MST: 237 BPDU Received :9607 TCN: 0, Config: 0, RST: 0, MST: 9607 <CE2> display stp -------[CIST Global Info][Mode MSTP]------CIST Bridge :32768.000b-09d4-b66c Bridge Times :Hello 2s MaxAge 20s FwDly 15s MaxHop 20 CIST Root/ERPC :32768.000b-09d4-b66c / 0 CIST RegRoot/IRPC :32768.000b-09d4-b66c / 0 CIST RootPortId :0.0 BPDU-Protection :disabled TC or TCN received :1 TC count per hello :1 STP Converge Mode :Normal Time since last TC received :0 days 5h:29m:6s ----[Port17(GigabitEthernet1/0/0)][FORWARDING]---Port Protocol :enabled Port Role :Designated Port Port Priority :128 Port Cost(Dot1T ) :Config=auto / Active=200000000 Desg. Bridge/Port :32768.000b-09d4-b66c / 128.82 Port Edged :Config=disabled / Active=disabled Point-to-point :Config=auto / Active=true Transit Limit :147 packets/hello-time Protection Type :None Port Stp Mode :MSTP Port Protocol Type :Config=auto / Active= dot1s BPDU Encapsulation :Config=stp / Active=stp PortTimes :Hello 2s MaxAge 20s FwDly 15s RemHop 20 TC or TCN send :0 TC or TCN received :0 BPDU Sent :7095 TCN: 0, Config: 0, RST: 0, MST: 7095 BPDU Received :2 TCN: 0, Config: 0, RST: 0, MST: 2
<CE3> display stp -------[CIST Global Info][Mode MSTP]------CIST Bridge :32768.00e0-fc9f-3257 Bridge Times :Hello 2s MaxAge 20s FwDly 15s MaxHop 20 CIST Root/ERPC :32768.00e0-fc9a-4315 / 199999 CIST RegRoot/IRPC :32768.00e0-fc9f-3257 / 0 CIST RootPortId :128.82 BPDU-Protection :disabled TC or TCN received :4 TC count per hello :4 STP Converge Mode :Normal Time since last TC received :0 days 3h:57m:0s ----[Port17(GigabitEthernet1/0/0)][FORWARDING]---Port Protocol :enabled Port Role :Root Port Port Priority :128 Port Cost(Dot1T ) :Config=auto / Active=200000000 Desg. Bridge/Port :32768.00e0-fc9a-4315 / 128.82 Port Edged :Config=disabled / Active=disabled Point-to-point :Config=auto / Active=true Transit Limit :147 packets/hello-time Protection Type :None
Issue 01 (2011-10-26)
612
Port Stp Mode :MSTP Port Protocol Type :Config=auto / Active= dot1s BPDU Encapsulation :Config=stp / Active=stp PortTimes :Hello 2s MaxAge 20s FwDly 15s RemHop 20 TC or TCN send :0 TC or TCN received :0 BPDU Sent :238 TCN: 0, Config: 0, RST: 0, MST: 238 BPDU Received :9745 TCN: 0, Config: 0, RST: 0, MST: 9745 <CE4> display stp -------[CIST Global Info][Mode MSTP]------CIST Bridge :32768.00e0-fc9a-4315 Bridge Times :Hello 2s MaxAge 20s FwDly 15s MaxHop 20 CIST Root/ERPC :32768.00e0-fc9a-4315 / 0 CIST RegRoot/IRPC :32768.00e0-fc9a-4315 / 0 CIST RootPortId :0.0 BPDU-Protection :disabled TC or TCN received :2 TC count per hello :2 STP Converge Mode :Normal Time since last TC received :0 days 5h:33m:17s ----[Port17(GigabitEthernet1/0/0)][FORWARDING]---Port Protocol :enabled Port Role :Designated Port Port Priority :128 Port Cost(Dot1T ) :Config=auto / Active=200000000 Desg. Bridge/Port :32768.00e0-fc9a-4315 / 128.82 Port Edged :Config=disabled / Active=disabled Point-to-point :Config=auto / Active=true Transit Limit :147 packets/hello-time Protection Type :None Port Stp Mode :MSTP Port Protocol Type :Config=auto / Active= dot1s BPDU Encapsulation :Config=stp / Active=stp PortTimes :Hello 2s MaxAge 20s FwDly 15s RemHop 20 TC or TCN send :0 TC or TCN received :0 BPDU Sent :7171 TCN: 0, Config: 0, RST: 0, MST: 7171 BPDU Received :2 TCN: 0, Config: 0, RST: 0, MST: 2
----End
Configuration Files
# sysname CE1 # vlan batch 100 # stp enable # interface GigabitEthernet1/0/0 port hybrid tagged vlan 100 stp bpdu vlan 100 # return

# sysname CE2 # vlan batch 100 # stp enable
Issue 01 (2011-10-26)
613
# interface GigabitEthernet1/0/0 port hybrid tagged vlan 100 stp bpdu vlan 100 # return


# sysname CE4 # vlan batch 200 # stp enable # interface GigabitEthernet1/0/0 port hybrid tagged vlan 200 stp bpdu vlan 200 # Return

# sysname PE1 # vlan batch 100 200 # l2protocol-tunnel stp group-mac 0100-5e00-0011 # interface GigabitEthernet1/0/0 port hybrid tagged vlan 100 200 # interface GigabitEthernet1/0/1 port hybrid tagged vlan 100 l2protocol-tunnel stp vlan 100 # interface GigabitEthernet1/0/2 port hybrid tagged vlan 200 l2protocol-tunnel stp vlan 200 # return
# sysname P # vlan batch 100 200 # interface GigabitEthernet1/0/0 port hybrid tagged vlan 100 200 # interface GigabitEthernet1/0/1 port hybrid tagged vlan 100 200 # return
Issue 01 (2011-10-26)
614

# sysname PE2 # vlan batch 100 200 # l2protocol-tunnel stp group-mac 0100-5e00-0011 # interface GigabitEthernet1/0/0 port hybrid tagged vlan 100 200 # interface GigabitEthernet1/0/1 port hybrid tagged vlan 100 l2protocol-tunnel stp vlan 100 # interface GigabitEthernet1/0/2 port hybrid tagged vlan 200 l2protocol-tunnel stp vlan 200 # return
11.7.3 Example for Configuring QinQ-based Layer 2 Protocol Transparent Transmission

As shown in Figure 11-8, CEs on user networks communicate with each other through PEs. STP runs on user networks. CE1 and CE2 send STP packets with VLAN tag 100 to PEs; CE3 and CE4 send STP packets with VLAN tag 200 to PEs. In this scenario, configure QinQ-based Layer 2 protocol transparent transmission to ensure that: l l All the devices in VLAN 100 participate in calculation of a spanning tree. All the devices in VLAN 200 participate in calculation of a spanning tree.
To save VLAN IDs on the public network, configure VLAN stacking on PEs to add outer VLAN tag 10 to STP packets with VLAN tag 100 and VLAN tag 200. Then STP packets contain double tags and are transparently transmitted on the backbone network. In this example, PEs transparently transmit STP packets sent from user networks by replacing the original multicast destination MAC address of STP packets with a specified multicast MAC address. By default, the destination MAC address of STP packets is 0180-C200-0000.
Issue 01 (2011-10-26)
615
Figure 11-8 Networking of QinQ-based Layer 2 protocol transparent transmission
VLAN100
GE1/0/0 GE1/0/0 GE1/0/1 GE1/0/1 GE1/0/0 GE1/0/2 GE1/0/0 GE1/0/2 GE1/0/0 GE1/0/0
VLAN100
CE1 PE1 CE3
CE2 PE2 CE4
VLAN200
VLAN200
The configuration roadmap is as follows: 1. 2. 3. 4. Enable STP on the CEs. Configure CEs to send STP packets with specified VLAN tags to PEs. Configure VLAN-based Layer 2 protocol transparent transmission on PEs. Configure QinQ (VLAN stacking) on PEs so that PEs add outer VLAN tag 10 to STP packets sent from CEs.
Data Preparation
To complete the configuration, you need the following data: l l l VLAN tags in STP packets sent from CEs to PEs Outer VLAN tag that PEs add to STP packets IDs of the VLANs that interfaces of PEs and CEs belong to
Procedure
[CE1] stp enable
# Configure CE2.
[CE2] stp enable
# Configure CE3.
[CE3] stp enable
# Configure CE4.

[CE4] stp enable
Step 2 Configure CE1 and CE2 to send STP packets with VLAN tag 100 to PEs and configure CE3 and CE4 to send STP packets with VLAN tag 200 to PEs. # Configure CE1.
[CE1] vlan 100 [CE1-vlan100] quit [CE1] interface gigabitethernet 1/0/0 [CE1-GigabitEthernet1/0/0] port hybrid tagged vlan 100 [CE1-GigabitEthernet1/0/0] stp bpdu vlan 100 [CE1-GigabitEthernet1/0/0] quit
# Configure CE2.
# Configure CE3.
# Configure CE4.
Step 3 Configure QinQ-based transparent transmission on PEs so that PEs add outer VLAN tag 10 to STP packets with VLAN tag 100 and VLAN tag 200. # Configure PE1.
[PE1] vlan 10 [PE1-Vlan10] quit [PE1] interface gigabitethernet 1/0/0 [PE1-GigabitEthernet1/0/0] port hybrid tagged vlan 10 [PE1-GigabitEthernet1/0/0] quit [PE1] interface gigabitethernet 1/0/1 [PE1-GigabitEthernet1/0/1] port hybrid untagged vlan 10 [PE1-GigabitEthernet1/0/1] port vlan-stacking vlan 100 stack-vlan 10 [PE1-GigabitEthernet1/0/1] l2protocol-tunnel stp vlan 10 [PE1-GigabitEthernet1/0/1] quit [PE1] interface gigabitethernet 1/0/2 [PE1-GigabitEthernet1/0/2] port hybrid untagged vlan 10 [PE1-GigabitEthernet1/0/2] port vlan-stacking vlan 200 stack-vlan 10 [PE1-GigabitEthernet1/0/2] l2protocol-tunnel stp vlan 10 [PE1-GigabitEthernet1/0/2] quit
# Configure PE2.
[PE2] vlan 10 [PE2-Vlan10] quit [PE2] interface gigabitethernet 1/0/0 [PE2-GigabitEthernet1/0/0] port hybrid tagged vlan 10 [PE2-GigabitEthernet1/0/0] quit
Issue 01 (2011-10-26)
617
[PE2] interface gigabitethernet 1/0/1 [PE2-GigabitEthernet1/0/1] port hybrid untagged vlan 10 [PE2-GigabitEthernet1/0/1] port vlan-stacking vlan 100 stack-vlan 10 [PE2-GigabitEthernet1/0/1] l2protocol-tunnel stp vlan 10 [PE2-GigabitEthernet1/0/1] quit [PE2] interface gigabitethernet 1/0/2 [PE2-GigabitEthernet1/0/2] port hybrid untagged vlan 10 [PE2-GigabitEthernet1/0/2] port vlan-stacking vlan 200 stack-vlan 10 [PE2-GigabitEthernet1/0/2] l2protocol-tunnel stp vlan 10 [PE2-GigabitEthernet1/0/2] quit
# Configure PE2.
Step 5 Verify the configuration. After the configuration, run the display l2protocol-tunnel group-mac command. You can view the protocol type or name, original destination MAC address, new destination MAC address, and priority of Layer 2 protocol packets to be transparently transmitted. Take the output on PE1 as an example.
<CE1> display stp -------[CIST Global Info][Mode MSTP]------CIST Bridge :32768.000b-09f0-1b91 Bridge Times :Hello 2s MaxAge 20s FwDly 15s MaxHop 20 CIST Root/ERPC :32768.000b-09d4-b66c / 199999 CIST RegRoot/IRPC :32768.000b-09f0-1b91 / 0 CIST RootPortId :128.82 BPDU-Protection :disabled TC or TCN received :2 TC count per hello :2 STP Converge Mode :Normal Share region-configuration :enabled Time since last TC received :0 days 3h:53m:43s ----[Port17(GigabitEthernet1/0/0)][FORWARDING]---Port Protocol :enabled Port Role :Root Port Port Priority :128 Port Cost(Dot1T ) :Config=auto / Active=200000000 Desg. Bridge/Port :32768.000b-09d4-b66c / 128.82 Port Edged :Config=disabled / Active=disabled Point-to-point :Config=auto / Active=true Transit Limit :147 packets/hello-time Protection Type :None Port Stp Mode :MSTP Port Protocol Type :Config=auto / Active= dot1s BPDU Encapsulation :Config=stp / Active=stp PortTimes :Hello 2s MaxAge 20s FwDly 15s RemHop 20 TC or TCN send :0 TC or TCN received :0
Issue 01 (2011-10-26)
618

BPDU Sent
:237 TCN: 0, Config: 0, RST: 0, MST: 237 BPDU Received :9607 TCN: 0, Config: 0, RST: 0, MST: 9607 <CE2> display stp -------[CIST Global Info][Mode MSTP]------CIST Bridge :32768.000b-09d4-b66c Bridge Times :Hello 2s MaxAge 20s FwDly 15s MaxHop 20 CIST Root/ERPC :32768.000b-09d4-b66c / 0 CIST RegRoot/IRPC :32768.000b-09d4-b66c / 0 CIST RootPortId :0.0 BPDU-Protection :disabled TC or TCN received :1 TC count per hello :1 STP Converge Mode :Normal Time since last TC received :0 days 5h:29m:6s ----[Port17(GigabitEthernet1/0/0)][FORWARDING]---Port Protocol :enabled Port Role :Designated Port Port Priority :128 Port Cost(Dot1T ) :Config=auto / Active=200000000 Desg. Bridge/Port :32768.000b-09d4-b66c / 128.82 Port Edged :Config=disabled / Active=disabled Point-to-point :Config=auto / Active=true Transit Limit :147 packets/hello-time Protection Type :None Port Stp Mode :MSTP Port Protocol Type :Config=auto / Active= dot1s BPDU Encapsulation :Config=stp / Active=stp PortTimes :Hello 2s MaxAge 20s FwDly 15s RemHop 20 TC or TCN send :0 TC or TCN received :0 BPDU Sent :7095 TCN: 0, Config: 0, RST: 0, MST: 7095 BPDU Received :2 TCN: 0, Config: 0, RST: 0, MST: 2
<CE3> display stp -------[CIST Global Info][Mode MSTP]------CIST Bridge :32768.00e0-fc9f-3257 Bridge Times :Hello 2s MaxAge 20s FwDly 15s MaxHop 20 CIST Root/ERPC :32768.00e0-fc9a-4315 / 199999 CIST RegRoot/IRPC :32768.00e0-fc9f-3257 / 0 CIST RootPortId :128.82 BPDU-Protection :disabled TC or TCN received :4 TC count per hello :4 STP Converge Mode :Normal Time since last TC received :0 days 3h:57m:0s ----[Port17(GigabitEthernet1/0/0)][FORWARDING]---Port Protocol :enabled Port Role :Root Port Port Priority :128 Port Cost(Dot1T ) :Config=auto / Active=200000000 Desg. Bridge/Port :32768.00e0-fc9a-4315 / 128.82 Port Edged :Config=disabled / Active=disabled Point-to-point :Config=auto / Active=true Transit Limit :147 packets/hello-time Protection Type :None Port Stp Mode :MSTP Port Protocol Type :Config=auto / Active= dot1s BPDU Encapsulation :Config=stp / Active=stp PortTimes :Hello 2s MaxAge 20s FwDly 15s RemHop 20 TC or TCN send :0 TC or TCN received :0
Issue 01 (2011-10-26)
619

BPDU Sent
:238 TCN: 0, Config: 0, RST: 0, MST: 238 BPDU Received :9745 TCN: 0, Config: 0, RST: 0, MST: 9745 <CE4> display stp -------[CIST Global Info][Mode MSTP]------CIST Bridge :32768.00e0-fc9a-4315 Bridge Times :Hello 2s MaxAge 20s FwDly 15s MaxHop 20 CIST Root/ERPC :32768.00e0-fc9a-4315 / 0 CIST RegRoot/IRPC :32768.00e0-fc9a-4315 / 0 CIST RootPortId :0.0 BPDU-Protection :disabled TC or TCN received :2 TC count per hello :2 STP Converge Mode :Normal Time since last TC received :0 days 5h:33m:17s ----[Port17(GigabitEthernet1/0/0)][FORWARDING]---Port Protocol :enabled Port Role :Designated Port Port Priority :128 Port Cost(Dot1T ) :Config=auto / Active=200000000 Desg. Bridge/Port :32768.00e0-fc9a-4315 / 128.82 Port Edged :Config=disabled / Active=disabled Point-to-point :Config=auto / Active=true Transit Limit :147 packets/hello-time Protection Type :None Port Stp Mode :MSTP Port Protocol Type :Config=auto / Active= dot1s BPDU Encapsulation :Config=stp / Active=stp PortTimes :Hello 2s MaxAge 20s FwDly 15s RemHop 20 TC or TCN send :0 TC or TCN received :0 BPDU Sent :7171 TCN: 0, Config: 0, RST: 0, MST: 7171 BPDU Received :2 TCN: 0, Config: 0, RST: 0, MST: 2
Run the display vlan command on PEs to view the QinQ configuration. Take the output on PE1 as an example.
<PE1> display vlan 10 verbose VLAN ID : 10 VLAN Type : Common Description : VLAN 0010 Status : Enable Broadcast : Enable MAC learning : Enable Statistics : Disable ---------------Tagged Port: GigabitEthernet1/0/0 ---------------QinQ-stack Port: GigabitEthernet1/0/1
GigabitEthernet1/0/2
----End
Configuration Files
# sysname CE1 # vlan batch 100 # stp enable # interface GigabitEthernet1/0/0 port hybrid tagged vlan 100
Issue 01 (2011-10-26)
620

stp bpdu vlan 100 # return




# sysname PE1 # vlan batch 10 # l2protocol-tunnel stp group-mac 0100-5e00-0011 # interface GigabitEthernet1/0/0 port hybrid tagged vlan 10 # interface GigabitEthernet1/0/1 port hybrid untagged vlan 10 port vlan-stacking vlan 100 stack-vlan 10 l2protocol-tunnel stp vlan 10 # interface GigabitEthernet1/0/2 port hybrid untagged vlan 10 port vlan-stacking vlan 200 stack-vlan 10 l2protocol-tunnel stp vlan 10 # return
Issue 01 (2011-10-26)
621

# sysname PE2 # vlan batch 10 # l2protocol-tunnel stp group-mac 0100-5e00-0011 # interface GigabitEthernet1/0/0 port hybrid tagged vlan 10 # interface GigabitEthernet1/0/1 port hybrid untagged vlan 10 port vlan-stacking vlan 100 stack-vlan 10 l2protocol-tunnel stp vlan 10 # interface GigabitEthernet1/0/2 port hybrid untagged vlan 10 port vlan-stacking vlan 200 stack-vlan 10 l2protocol-tunnel stp vlan 10 # return
Issue 01 (2011-10-26)
622
12 HVRP Configuration
12
About This Chapter
HVRP Configuration
This chapter describes the principle, configuration procedure, and configuration examples of HVRP. 12.1 HVRP Overview This section describes the principle of the Hierarchy VLAN Register Protocol (HVRP). 12.2 HVRP Features Supported by the S9300 This section describes the HVRP features supported by the S9300. 12.3 Enabling HVRP This section describes how to enable HVRP. 12.4 Maintaining HVRP This section describes how to maintain HVRP. 12.5 Configuration Examples This section provides a configuration example of HVRP.
Issue 01 (2011-10-26)
623
12.1 HVRP Overview

This section describes the principle of the Hierarchy VLAN Register Protocol (HVRP).
Background of HVRP
When constructing a metropolitan area network (MAN), carriers usually adopt the ring topology or tree topology. Regardless of the topology, devices on the convergence layer must support a large number of MAC address entries to meet the requirements of users. The number of users on the network increases quickly, and the MAC addresses supported by a switch may be insufficient for the users connected to the switch. As a result, the switch cannot learn the MAC addresses of some users. In this case, packets are broadcast in the VLAN, which wastes network bandwidth and degrades the network performance. The HVRP protocol can be used when the number of MAC addresses supported by a switch is smaller than the total number of users connected to the switch. HVRP can identify user VLANs (that is, local VLANs) and non-user VLANs. In special networking, HVRP can dynamically register and age VLANs to save MAC addresses and increase the number of users that the switch supports.
Terms of HVRP
l HVRP interface An HVRP interface is an interface that is configured with HVRP attributes and can send, receive, and process HVRP packets. l HVRP root interface An HVRP root interface is an HVRP interface that functions as the root interface in an STP region. l HVRP designated interface An HVRP designated interface is an HVRP interface that functions as the designated interface in an STP region. l l Local VLAN A local VLAN is a VLAN that does not contain any HVRP interface. VLAN registration VLAN registration is a process of adding HVRP interfaces to VLANs meeting certain conditions in tagged mode. l l l VLAN aging VLAN aging is a process of deleting a VLAN from an HVRP interface. Permanent VLAN A permanent VLAN is a VLAN that are never aged by an HVRP interface. Sending local VLAN information After STP and HVRP are enabled, the HVRP root interface sends HVRP packets containing the local VLAN information. l VLAN registration timer The VLAN registration timer specifies the interval for the HVRP root interface to send HVRP VLAN registration packets.
Aging timer of registered VLANs The aging timer of registered VLAN specifies the aging time of registered VLANs. If the HVRP designated interface does not receive the registration packet of a VLAN within the aging time, the VLAN is aged on the HVRP designated interface.
12.2 HVRP Features Supported by the S9300

This section describes the HVRP features supported by the S9300.
Working Mechanism of HVRP

Through the dynamic VLAN registration and aging mechanism, HVRP ages the VLANs on the interfaces that do not forward packets and saves only necessary VLANs. When a VLAN contains 0 to 2 interfaces, the interfaces do not learn MAC addresses. When the VLAN contains two interfaces, data packets are broadcast on the VLAN and no extra network bandwidth is consumed. Figure 12-1 shows the networking of HVRP. The working mechanism of HVRP is described based on this networking. l l l STP is enabled on the entire network, and the HVRRP root interface and HVRRP designated interfaces are calculated through STP. The Switches are connected through trunk interfaces. The trunk interfaces are all enabled with HVRP and can forward packets of VLAN 101 to VLAN 500. HVRRP is disabled on the interfaces outside the STP network, that is, edge interfaces.
Figure 12-1 Networking diagram of HVRP
ME60
VLAN:101-500
VLAN:301-400
SwitchA
VLAN:401-500
SwitchB SwitchD
SwitchC SwitchE
VLAN:101-200
VLAN:201-300
Issue 01 (2011-10-26)
625
The HVRP application involves the following operations: 1. Registering VLANs l Each Switch periodically sends the local VLAN information through the HVRP root interface. l Each Switch forwards the received local VLAN information through the HVRP root interface. In addition, each Switch registers local VLANs on the HVRP designated interface according to the local VLAN information received from the HVRP designated interface. l VLAN registration and aging can be performed only on HVRP designated interfaces. l A VLAN can be registered on an interface only after the interface is added to the VLAN statically. For example, if an HVRP designated interface does not belong to VLAN 999, VLAN 999 cannot be registered on the HVRP designated interface even if the interface receives an HVRP packet with local VLAN 999. 2. Aging VLANs If an HVRP designated interface does not receive any VLAN registration packet within the aging time, the VLANs on the HVRP designated interface are aged. By default, only local VLANs are aged. You can configure the S9300 to age all the VLANs. 3. Sending and maintaining local VLAN information The HVRP root interface periodically sends local VLAN registration packets according to the VLAN registration timer. When the role of a local VLAN changes, for example, the VLAN is not a local VLAN any more because the configuration is changed, the Switch sends the local VLAN information through the HVRP root interface immediately. 4. Re-registering VLANs when the status of an HVRP interface changes to Up or Down When the status of an HVRP interface changes to Up or Down, the aged VLANs may interrupt forwarding of Layer 2 packets on the entire network. Therefore, when a Switch detects that the status of an HVRP interface changes, the Switch immediately sends a restore packet to notify all the other Switches on the network. Then the Switches re-register the aged VLANs on the original interfaces. 5. Re-registering VLANs when the STP role of an HVRP interface changes When the STP role of an HVRP interface changes, the aged VLANs on this interface are re-registered on the interface. 6. Counting interfaces in a VLAN l A Switch updates the number of interfaces in a VLAN every time an interface is added to or deleted from the VLAN, the VLAN is registered, or the VLAN is aged. l A trunk interface is counted as one interface. 7. MAC address learning mode in a VLAN l When a VLAN contains more than two non-aged interfaces, the interfaces learn MAC addresses. l When a VLAN contains two or less than two non-aged interfaces, the interfaces do not learn MAC addresses. In addition, the dynamic MAC addresses learned before are deleted.
Issue 01 (2011-10-26)
626
Network Topology Supported by HVRP

Figure 12-2 Networking diagram of a single-ring network supported by HVRP
ME60
SwitchA
SwitchB SwitchD
SwitchC SwitchE
The single-ring network supported by HVRP has the following characteristics: l l l STP is enabled on the entire network. SwitchA is the root bridge and other Switches connect to the Layer 3 device through SwitchA. The link between SwitchD and SwitchE is blocked by STP.
Issue 01 (2011-10-26)
627
Figure 12-3 Networking diagram of a multi-ring network supported by HVRP
ME60
SwitchA
SwitchB
SwitchC
SwitchN
SwitchN+1
The multi-ring network supported by HVRP has the following characteristics: l l MSTP is enabled on the entire network. Each ring maps an MSTP instance, and all the devices on the ring belong to the same region. SwitchA is the root bridge and other Switches connect to the Layer 3 device (the ME60) through SwitchA.
12.3 Enabling HVRP

This section describes how to enable HVRP.

A switch on a Layer 2 network needs to learn a large number of MAC addresses. To reduce the MAC addresses that the switch needs to learn, you can enable HVRP on the switch. As shown in Figure 12-4, through the dynamic VLAN registration and aging mechanism, HVRP ages the VLANs on the interfaces that do not forward packets and saves only necessary VLANs. When a VLAN contains two or less than two interfaces, the interfaces do not need to learn MAC addresses. Instead, the interfaces broadcast data packets in the VLAN without affecting the bandwidth.
Figure 12-4 Networking diagram of HVRP application
ME60
VLAN:101-500
VLAN:301-400
SwitchA
VLAN:401-500
SwitchB SwitchD
SwitchC SwitchE
VLAN:101-200
VLAN:201-300
Before enabling HVRP, complete the following tasks: l l l l Configuring the interfaces where HVRP needs to be enabled as trunk interfaces Enabling STP globally Creating VLANs that need to be configured as permanent VLANs Deleting MSTP multi-instance
Data Preparation
To enable HVRP, you need the following data. No. 1 2 3 4 Data Type and number of the interface where HVRP needs to be enabled Value of the VLAN registration timer Aging time of registered VLANs IDs of the VLANs that need to be configured as permanent VLANs
Issue 01 (2011-10-26)
629
12.3.2 Enabling HVRP Globally

Context
Do as follows on the S9300 where HVRP needs to be enabled globally.
Procedure
Step 1 Run:
system-view

hvrp enable
HVRP is enabled globally. By default, HVRP is disabled globally. ----End
12.3.3 Enabling HVRP on an Interface

Context
Do as follows on the S9300 where HVRP needs to be enabled on an interface.
Procedure
Step 1 Run:
system-view



hvrp enable
HVRP is enabled on the interface. By default, HVRP is disabled on an interface.


NOTE
l HVRP can be enabled only on trunk interfaces. l When you configure HVRP attributes, it is recommended that you delete the default VLAN (VLAN 1) from the interface. l HVRP can be enabled on an interface only after HVRP is enabled globally. l After HVRP is disabled globally, this function is disabled on all the interfaces.
----End
12.3.4 (Optional) Setting the VLAN Registration Timer

Context
Do as follows on the S9300 where the VLAN registration timer needs to be set.
Procedure
Step 1 Run:
system-view

hvrp timer registervlan timer-interval
The VLAN registration timer is set. By default, the value of the VLAN registration timer is 5 seconds.
NOTE
l The value of the VLAN registration timer must be smaller than the aging time of registered VLANs. It is recommended that the aging time of registered VLANs be three times the value of the VLAN registration timer or larger. l In a ring topology, the same VLAN registration timer and the same aging time of registered VLANs must be set for all the devices on the ring.
----End
12.3.5 (Optional) Setting the Aging Time of Registered VLANs

Context
Do as follows on the S9300 where the aging time of registered VLANs needs to be set.
Procedure
Step 1 Run:
system-view

hvrp timer registervlan-age timer-interval
Issue 01 (2011-10-26)
631
The aging time of registered VLANs is set. By default, the aging time of registered VLANs is 15 seconds.
NOTE
The value of the VLAN registration timer must be smaller than the aging time of registered VLANs. It is recommended that the aging time of registered VLANs be three times the value of the VLAN registration timer or larger.
----End
12.3.6 (Optional) Configuring Permanent VLANs

Context
Do as follows on the S9300 where permanent VLANs need to be configured.
Procedure
Step 1 Run:
system-view

hvrp permanent-vlan { vlan-id1 [ to vlan-id2 ] }&<1-10>
Permanent VLANs are configured. By default, no VLAN is the permanent VLAN. Ordinary VLANs on an HVRP interface may be aged, whereas permanent VLANs are never aged. You can configure a VLAN as a permanent VLAN only after the VLAN is created. ----End
12.3.7 (Optional) Configuring the S9300 to Age All the VLANs

Context
Do as follows on the S9300 where all the VLANs need to be aged.
Procedure
Step 1 Run:
system-view

hvrp vlan-age all
The S9300 is enabled to age all the VLANs.

By default, only local VLANs are aged. On a network with one or more rings, you can enable the S9300 to age all the VLANs or only the local VLANs. ----End

Procedure
l l Run the display hvrp verbose command to view detailed information about HVRP. Run the display hvrp local-vlan command to view information about local VLANs.
----End
Example
Run the display hvrp verbose command, and you can heck whether HVRP is enabled, whether the function of aging all VLANs is enabled, whether permanent VLANs are configured, and whether HVRP is enabled on each interface. In addition, you can view the VLAN registration timer and aging timer of registered VLANs.
<Quidway> display hvrp verbose HVRP is enabled globally. HVRP registervlan timer :5s. HVRP registervlan age timer :15s. HVRP age all VLAN :Disabled. HVRP Permanent-vlan : HVRP statistics on port GigabitEthernet1/0/0 Mstp Role : 0 - designated HVRP statistics on port GigabitEthernet2/0/0 Mstp Role : 0 - root
(PORT_LINK_UP) (PORT_LINK_UP)
Run the display hvrp local-vlan command, and you can view information about the local VLANs.
<Quidway> display hvrp local-vlan Local Vlan : 3 7 10 40 64
12.4 Maintaining HVRP

This section describes how to maintain HVRP.
12.4.1 Debugging HVRP

Context
When an HVRP fault occurs, run the following debugging commands in the user view to locate the fault.
Procedure
l l Run the debugging hvrp error command to enable the debugging of HVRP errors. Run the debugging hvrp info command to enable the debugging of HVRP-enabled VLANs.
----End

This section provides a configuration example of HVRP.
12.5.1 Example for Configuring HVRP

A switch on a Layer 2 network needs to learn a large number of MAC addresses. To reduce the MAC addresses that the switch needs to learn, you can enable HVRP on the switch. As shown in Figure 12-5, HVRP needs to be configured on a single-ring network. Through the dynamic VLAN registration and aging mechanism, HVRP ages the VLANs on the interfaces that do not forward packets and saves only necessary VLANs. When a VLAN contains two or less than two interfaces, the interfaces do not need to learn MAC addresses. Instead, the interfaces broadcast data packets in the VLAN without affecting the bandwidth. Figure 12-5 Networking diagram of HVRP application
ME60
VLAN:101-500
VLAN:301-400
SwitchA
VLAN:401-500
SwitchB GE2/0/0 SwitchD GE1/0/0 GE3/0/0
SwitchC SwitchE
VLAN:101-200
VLAN:201-300
Issue 01 (2011-10-26)
634
The configuration roadmap is as follows: 1. 2. 3. Enable STP globally. Then SwitchA, which is connected to a Layer 3 device, becomes the root bridge. The link between SwitchD and SwitchE is blocked by STP. Configure interfaces on SwitchD as trunk interfaces and add the interfaces to VLANs. Enable HVRP globally and on the interfaces of SwitchD.
Data Preparation
To complete the configuration, you need the following data: l l l Type of GE 1/0/0, GE 2/0/0, and GE 3/0/0 of SwitchD: trunk VLANs that GE 1/0/0 and GE 2/0/0 belong to: VLAN 101 to VLAN 500 VLANs that GE 3/0/0 belongs to: VLAN 101 to VLAN 200
Procedure
Step 1 Configure SwitchD. # Enable STP globally.
<Quidway> system-view [Quidway] stp enable
# Create VLANs.
<Quidway> system-view [Quidway] vlan batch 101 to 500
# Configure the interfaces as trunk interfaces and add the interfaces to VLANs.
[Quidway] interface gigabitethernet [Quidway-GigabitEthernet1/0/0] port [Quidway-GigabitEthernet1/0/0] port [Quidway-GigabitEthernet1/0/0] quit [Quidway] interface gigabitethernet [Quidway-GigabitEthernet2/0/0] port [Quidway-GigabitEthernet2/0/0] port [Quidway-GigabitEthernet2/0/0] quit [Quidway] interface gigabitethernet [Quidway-GigabitEthernet3/0/0] port [Quidway-GigabitEthernet3/0/0] port [Quidway-GigabitEthernet3/0/0] quit 1/0/0 link-type trunk trunk allow-pass vlan 101 to 500 2/0/0 link-type trunk trunk allow-pass vlan 101 to 500 3/0/0 link-type trunk trunk allow-pass vlan 101 to 200
# Enable HVRP.
[Quidway] hvrp enable [Quidway] interface gigabitethernet [Quidway-GigabitEthernet1/0/0] hvrp [Quidway-GigabitEthernet1/0/0] quit [Quidway] interface gigabitethernet [Quidway-GigabitEthernet2/0/0] hvrp [Quidway-GigabitEthernet2/0/0] quit 1/0/0 enable 2/0/0 enable
Configure the other Switches on the STP ring in the same manner. Step 2 Verify the configuration. Run the display hvrp verbose command to view detailed information about HVRP.
<Quidway> display hvrp verbose HVRP is enabled globally.
Issue 01 (2011-10-26)
635

HVRP registervlan timer :5s. HVRP registervlan age timer :15s. HVRP age all VLAN :Disabled. HVRP Permanent-vlan : HVRP statistics on port GigabitEthernet1/0/0 Mstp Role : 0 - designated HVRP statistics on port GigabitEthernet2/0/0 Mstp Role : 0 - root
(PORT_LINK_UP) (PORT_LINK_UP)
----End
Configuration Files
# sysname Quidway # vlan batch 101 to 500 # stp enable # hvrp enable # interface GigabitEthernet1/0/0 port link-type trunk port trunk allow-pass vlan 101 to 500 hvrp enable # interface GigabitEthernet2/0/0 port link-type trunk port trunk allow-pass vlan 101 to 500 hvrp enable # interface GigabitEthernet3/0/0 port link-type trunk port trunk allow-pass vlan 101 to 200 # return
Issue 01 (2011-10-26)
636
13 Loop Detection Configuration
13
About This Chapter
Loop Detection Configuration
This chapter describes the concepts, configuration procedures, and configuration examples of loop detection. 13.1 Introduction to Loop Detection This section describes the concept of loop detection. 13.2 Configuring Loop Detection This section describes how to configure the loop detection function. 13.3 Configuration Examples This section provides an example for configuring the loop detection function.
Issue 01 (2011-10-26)
637
13.1 Introduction to Loop Detection

This section describes the concept of loop detection. After the loop detection function is configured on an interface, the interface sends loop detection packets to detect loops in the local VLAN. If the S9300 detects that the broadcast packets sent from a port can be received by other ports on the S9300, it considers that loops exist on the network of this port. In this case, the S9300 sends a trap message to the user and records the event in the log. In addition, the S9300 sets the status of the port according to the working mode of the port so that the port can forward only BPDUs. By default, the S9300 sets the port to the Blocking state. The influence of loops on the entire network is minimized.
13.2 Configuring Loop Detection

This section describes how to configure the loop detection function.

As shown in Figure 13-1, when packets sent from an interface are sent back to local device through another interface, a loop exists on the interface. Loops may cause broadcast storms. The loop detection function is used to detect loops on the interfaces of the Switch. After loop detection is enabled for Ethernet interfaces on the Switch, the Switch periodically detects loops on each Ethernet interface. If a loop is detected on an Ethernet interface, the Switch sets the state of the interface to loop detection. Figure 13-1 Networking diagram of loop detection application
Switch GE1/0/0 GE2/0/0
Issue 01 (2011-10-26)
638
Loop detection and STP are mutual exclusive. To enable loop detection on an interface, you need to disable STP first.
Data Preparation
To configure loop detection, you need the following data. No. 1 2 3 4 Data ID of the VLAN where loop detection is to be configured Type and number of each interface to be detected (Optional) Interval for detecting loops on an interface (Optional) Recovery time of a blocked interface
13.2.2 Enabling Loop Detection Globally

Context
Do as follows on the S9300.
Procedure
Step 1 Run:
system-view

loop-detection enable
Loop detection is enabled globally. ----End
13.2.3 Enabling Loop Detection in a VLAN

Context
Procedure
Step 1 Run:
system-view

Step 2 Run:
loop-detection enable vlan { { vlan-id1 [ to vlan-id2 ] } & <1-10> | all }
Loop detection is enabled in a VLAN. By default, loop detection is disabled in all VLANs.
NOTE
Currently, loopback detection does not take effect in dynamic VLANs.
----End
13.2.4 Enabling Loop Detection Control on an Interface

Context
Procedure
Step 1 Run:
system-view


stp disable
STP is disabled. Step 4 Run the following commands as required to add the interface to VLANs. l To add the hybrid interface to VLANs in tagged mode, run port hybrid tagged vlan { { vlan-id1 [ to vlan-id2 ] }&<1-10> | all }. l To add the hybrid interface to VLANs in untagged mode, run port hybrid untagged vlan { { vlan-id1 [ to vlan-id2 ] }&<1-10> | all }. Step 5 Run:
loop-detection mode { port-trap | port-blocking | port-nolearning | port-shutdown }
Loop detection control is enabled on the interface. When a loop is detected on the interface, the S9300 sets the state of the interface to Trap, Blocking, No learning, or Shutdown. l Trap: The S9300 sends a trap message but does not perform any operation on the interface. l Blocking: The interface is blocked and allows only BPDUs to pass through. l No learning: The interface does not learn MAC addresses of packets. l Shutdown: The interface is disabled. By default, an interface turns to the Blocking state when a loop is detected on the interface. ----End
13.2.5 (Optional) Disabling Loop Detection on an Interface

Context
Procedure
Step 1 Run:
system-view


loop-detection disable
Loop detection is disabled on the interface. By default, loop detection is enabled on an interface. ----End
13.2.6 (Optional) Setting the Loop Detection Interval on an Interface

Context
Procedure
Step 1 Run:
system-view

loop-detection interval-time interval-time
The loop detection interval is set on the interface. By default, the loop detection interval is 5 seconds. ----End
13.2.7 (Optional) Setting the Recovery Time of a Blocked Interface

Context
Procedure
Step 1 Run:
system-view

interface { ethernet | gigabitethernet } interface-number

loop-detection recovery-time recovery-time
The recovery time of the blocked interface is set. The blocked interface is unblocked after the recovery time. By default, the recovery time of a blocked interface is 255 seconds.
NOTE
The recovery time of an interface must be longer than or equal to the loop detection interval on the interface.
----End

Procedure
Step 1 Run the display loop-detection [ interface interface-type interface-number ] command to view the configuration of the loop detection function. ----End
Example
Run the display loop-detection, and you can check whether loop detection is enabled. If loop detection is enabled, the system displays the interval for detecting loops, ID of the VLAN where loop detection is enabled, loops detected, and information about the ports that turn to the Shutdown state because of the loops.
<Quidway> display loop-detection Loop Detection is enable. Detection interval time is 5 seconds. Following vlans enable loop-detection: vlan 17 Following ports are blocked for loop: NULL Following ports are shutdown for loop: NULL Following ports are nolearning for loop: NULL
If you run the display loop-detection command on a single port, the following information is displayed:
<Quidway> display loop-detection interface GigabitEthernet 1/0/0 The port is enable. The port's status list: Status WorkMode Recovery-time EnabledVLAN
Issue 01 (2011-10-26)
642
----------------------------------------------------------------------Normal Shutdown 0 17

This section provides an example for configuring the loop detection function.
13.3.1 Example for Configuring Loop Detection

As shown in Figure 13-2, when packets sent from a port are sent back to the local device through another port of the device, a loop exists on the device. Loops may cause broadcast storms. The loop detection function is used to detect loops on ports of a device. Figure 13-2 Networking diagram of loop detection application
Switch GE1/0/0 GE2/0/0
The configuration roadmap is as follows: 1. 2. 3. 4. 5. Enable loop detection globally. Enable loop detection in a VLAN. Enable loop detection control on an interface. Set the loop detection interval on the interface. Set the recovery time of a blocked interface.
Data Preparation
To complete the configuration, you need the following data: l
Issue 01 (2011-10-26)
ID of the VLAN where loop detection is enabled

Number of the interface where loop detection control is enabled
Procedure
Step 1 Enable loop detection globally.
<Quidway> system-view [Quidway] loop-detection enable
Step 2 Enable loop detection in a VLAN.

[Quidway] loop-detection enable vlan 200
Step 3 Enable loop detection control on an interface.

[Quidway] interface GigabitEthernet 1/0/0 [Quidway-GigabitEthernet1/0/0] stp disable [Quidway-GigabitEthernet1/0/0] port hybrid pvid vlan 200 [Quidway-GigabitEthernet1/0/0] port hybrid untagged vlan 200 [Quidway-GigabitEthernet1/0/0] loop-detection mode port-shutdown
Step 4 Set the loop detection interval on the interface.

[Quidway] loop-detection interval-time 50
Step 5 Set the recovery time of a blocked interface.

[Quidway] interface GigabitEthernet 1/0/0 [Quidway-GigabitEthernet1/0/0] loop-detection recovery-time 20
Step 6 Verify the configuration. GE 1/0/0 is automatically disabled when a loop is detected. ----End
Configuration Files
# sysname Quidway # vlan batch 200 # loop-detection enable loop-detection interval-time 50 loop-detection enable vlan 200 # interface GigabitEthernet1/0/0 port hybrid pvid vlan 200 port hybrid untagged vlan 200 stp disable loop-detection mode port-shutdown loop-detection recovery-time 20 # return
Issue 01 (2011-10-26)
644

Configuration Guide - Ethernet (V100R006C01 - 01)

Uploaded by

Document Information

Original Description:

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Configuration Guide - Ethernet (V100R006C01 - 01)

Uploaded by

Copyright:

Available Formats

Quidway S9300 Terabit Routing Switch V100R006C01

Configuration Guide - Ethernet

HUAWEI TECHNOLOGIES CO., LTD.

Trademarks and Permissions

Huawei Technologies Co., Ltd.

Huawei Proprietary and Confidential Copyright Huawei Technologies Co., Ltd.

Quidway S9300 Terabit Routing Switch Configuration Guide - Ethernet

About This Document

About This Document

Huawei Proprietary and Confidential Copyright Huawei Technologies Co., Ltd.

Quidway S9300 Terabit Routing Switch Configuration Guide - Ethernet

About This Document

Changes in Issue 01 (2011-10-26)

Huawei Proprietary and Confidential Copyright Huawei Technologies Co., Ltd.

Quidway S9300 Terabit Routing Switch Configuration Guide - Ethernet

2 Link Aggregation Configuration..............................................................................................18

Quidway S9300 Terabit Routing Switch Configuration Guide - Ethernet

Quidway S9300 Terabit Routing Switch Configuration Guide - Ethernet

Quidway S9300 Terabit Routing Switch Configuration Guide - Ethernet

Quidway S9300 Terabit Routing Switch Configuration Guide - Ethernet

4 VLAN Mapping Configuration..............................................................................................169

Quidway S9300 Terabit Routing Switch Configuration Guide - Ethernet

Quidway S9300 Terabit Routing Switch Configuration Guide - Ethernet

Quidway S9300 Terabit Routing Switch Configuration Guide - Ethernet

7 MAC Address Table Configuration.......................................................................................353

Quidway S9300 Terabit Routing Switch Configuration Guide - Ethernet

Quidway S9300 Terabit Routing Switch Configuration Guide - Ethernet

Quidway S9300 Terabit Routing Switch Configuration Guide - Ethernet

11 Layer 2 Protocol Transparent Transmission Configuration............................................581

Quidway S9300 Terabit Routing Switch Configuration Guide - Ethernet

13 Loop Detection Configuration..............................................................................................637

Quidway S9300 Terabit Routing Switch Configuration Guide - Ethernet

Huawei Proprietary and Confidential Copyright Huawei Technologies Co., Ltd.

Quidway S9300 Terabit Routing Switch Configuration Guide - Ethernet

1 Ethernet Interface Configuration

Ethernet Interface Configuration

About This Chapter

Huawei Proprietary and Confidential Copyright Huawei Technologies Co., Ltd.

Quidway S9300 Terabit Routing Switch Configuration Guide - Ethernet

1 Ethernet Interface Configuration

1.1 Introduction to Ethernet Interfaces

Ethernet electrical interface

Ethernet optical interface

100 1000 10000

1.2 Ethernet Interface Features Supported by the S9300

Quidway S9300 Terabit Routing Switch Configuration Guide - Ethernet

1 Ethernet Interface Configuration

1.3 Configuring Basic Attributes of the Ethernet Interface

1.3.1 Establishing the Configuration Task

1.3.2 (Optional) Configuring a Description for an Interface

Quidway S9300 Terabit Routing Switch Configuration Guide - Ethernet

1 Ethernet Interface Configuration

The system view is displayed. Step 2 Run:

The interface view is displayed. Step 3 Run:

1.3.3 (Optional) Configuring the Cable Type on an Interface

The system view is displayed. Step 2 Run:

The Ethernet electrical interface view is displayed. Step 3 Run:

Quidway S9300 Terabit Routing Switch Configuration Guide - Ethernet

1 Ethernet Interface Configuration

1.3.4 (Optional) Setting the Duplex Mode

The system view is displayed. Step 2 Run:

The Ethernet electrical interface view is displayed. Step 3 Run: