
CloudEngine 6800&5800 Series Switches

V100R001C00
Configuration Guide - Ethernet
Issue 04
Date 2013-07-10
HUAWEI TECHNOLOGIES CO., LTD.


Copyright Huawei Technologies Co., Ltd. 2013. All rights reserved.
No part of this document may be reproduced or transmitted in any form or by any means without prior written
consent of Huawei Technologies Co., Ltd.

Trademarks and Permissions
and other Huawei trademarks are trademarks of Huawei Technologies Co., Ltd.
All other trademarks and trade names mentioned in this document are the property of their respective holders.

Notice
The purchased products, services and features are stipulated by the contract made between Huawei and the
customer. All or part of the products, services and features described in this document may not be within the
purchase scope or the usage scope. Unless otherwise specified in the contract, all statements, information,
and recommendations in this document are provided "AS IS" without warranties, guarantees or representations
of any kind, either express or implied.
The information in this document is subject to change without notice. Every effort has been made in the
preparation of this document to ensure accuracy of the contents, but all statements, information, and
recommendations in this document do not constitute a warranty of any kind, express or implied.






Huawei Technologies Co., Ltd.
Address: Huawei Industrial Base
Bantian, Longgang
Shenzhen 518129
People's Republic of China
Website: http://enterprise.huawei.com
Issue 04 (2013-07-10) Huawei Proprietary and Confidential
Copyright Huawei Technologies Co., Ltd.
About This Document
Intended Audience
This document describes the concepts and configuration procedures of Ethernet services on the
CE series switches, and provides configuration examples.
This document is intended for:
- Data configuration engineers
- Commissioning engineers
- Network monitoring engineers
- System maintenance engineers
Symbol Conventions
The symbols that may be found in this document are defined as follows.
Symbol     Description
DANGER     Indicates a hazard with a high level or medium level of risk which, if not avoided, could result in death or serious injury.
WARNING    Indicates a hazard with a low level of risk which, if not avoided, could result in minor or moderate injury.
CAUTION    Indicates a potentially hazardous situation that, if not avoided, could result in equipment damage, data loss, performance deterioration, or unanticipated results.
TIP        Provides a tip that may help you solve a problem or save time.
NOTE       Provides additional information to emphasize or supplement important points in the main text.

Command Conventions
The command conventions that may be found in this document are defined as follows.
Convention           Description
Boldface             The keywords of a command line are in boldface.
Italic               Command arguments are in italics.
[ ]                  Items (keywords or arguments) in brackets [ ] are optional.
{ x | y | ... }      Optional items are grouped in braces and separated by vertical bars. One item is selected.
[ x | y | ... ]      Optional items are grouped in brackets and separated by vertical bars. One item is selected or no item is selected.
{ x | y | ... } *    Optional items are grouped in braces and separated by vertical bars. A minimum of one item or a maximum of all items can be selected.
[ x | y | ... ] *    Optional items are grouped in brackets and separated by vertical bars. You can select one or several items, or select no item.
&<1-n>               The parameter before the & sign can be repeated 1 to n times.
#                    A line starting with the # sign is a comment.

Interface Numbering Conventions
Interface numbers used in this manual are examples. In device configuration, use the existing
interface numbers on devices.
Change History
Updates between document issues are cumulative. Therefore, the latest document issue contains
all updates made in previous issues.
Changes in Issue 04 (2013-07-10)
This version has the following updates:
The following information is modified:
- 6.8.2 Configuring the MSTP Protocol Packet Format on an Interface
Changes in Issue 03 (2013-05-10)
This version has the following updates:
The following information is modified:
- 1.4.3 Adding Member Interfaces to an Eth-Trunk
- 1.4.5 (Optional) Configuring the Load Balancing Mode
- 2.2 VLAN Features Supported by the Device
The following information is added:
- 2.10.3 Enable GMAC ping to detect Layer 2 network connectivity
- 2.10.4 Enable GMAC trace to locate faults
Changes in Issue 02 (2013-03-15)
This version has the following updates:
The following information is modified:
- 1.4.5 (Optional) Configuring the Load Balancing Mode
- 2.5 Configuring VLANIF Interfaces for Inter-VLAN Communication
- 2.7.4 Enabling the MUX VLAN Function on a Port
- 4.2 MAC Address Features Supported by the Device
- 7.3.1 Enabling Loopback Detection
Changes in Issue 01 (2012-12-31)
Initial commercial release.
Contents
About This Document
1 Link Aggregation Configuration
1.1 Link Aggregation Overview
1.2 Link Aggregation Features Supported by the Switch
1.3 Default Settings
1.4 Configuring Link Aggregation in Manual Load Balancing Mode
1.4.1 Creating an LAG
1.4.2 Setting the Manual Load Balancing Mode
1.4.3 Adding Member Interfaces to an Eth-Trunk
1.4.4 (Optional) Setting the Lower Threshold for the Number of Active Interfaces
1.4.5 (Optional) Configuring the Load Balancing Mode
1.4.6 Checking the Configuration
1.5 Configuring Link Aggregation in LACP Mode
1.5.1 Creating an LAG
1.5.2 Setting the LACP Mode
1.5.3 Adding Member Interfaces to an Eth-Trunk
1.5.4 (Optional) Limiting the Number of Active Interfaces
1.5.5 (Optional) Configuring the Load Balancing Mode
1.5.6 (Optional) Setting the LACP System Priority
1.5.7 (Optional) Setting the LACP Priority for an Interface
1.5.8 (Optional) Configuring LACP Preemption
1.5.9 (Optional) Setting the Timeout Interval for Receiving LACPDUs
1.5.10 Checking the Configuration
1.6 Configuring Forwarding Through Local Member Interfaces (in a Stack)
1.7 Maintaining Link Aggregation
1.7.1 Clearing LACP Packet Statistics
1.7.2 Monitoring the Operating Status of an LAG
1.8 Configuration Examples
1.8.1 Example for Configuring Link Aggregation in Manual Load Balancing Mode
1.8.2 Example for Configuring Link Aggregation in LACP Mode
1.8.3 Example for Configuring an Inter-Chassis Eth-Trunk Interface to Forward Traffic Preferentially Through Local Member Interfaces
1.9 Common Configuration Errors
1.9.1 Traffic Is Unevenly Load Balanced Between Eth-Trunk Member Interfaces Due to the Incorrect Load Balancing Mode
2 VLAN Configuration
2.1 VLAN Overview
2.2 VLAN Features Supported by the Device
2.3 Default Configuration
2.4 Assigning a LAN to VLANs
2.5 Configuring VLANIF Interfaces for Inter-VLAN Communication
2.6 Configuring VLAN Aggregation to Save IP Addresses
2.6.1 Creating a Sub-VLAN
2.6.2 Creating a Super-VLAN
2.6.3 Assigning an IP Address to the VLANIF Interface of a Super-VLAN
2.6.4 (Optional) Enabling Proxy ARP on the VLANIF Interface of a Super-VLAN
2.6.5 (Optional) Configuring an IP Address Pool for a Sub-VLAN
2.6.6 Checking the Configuration
2.7 Configuring a MUX VLAN to Separate Layer 2 Traffic
2.7.1 Configuring a Principal VLAN for a MUX VLAN
2.7.2 Configuring a Group VLAN for a Subordinate VLAN
2.7.3 Configuring a Separate VLAN for a Subordinate VLAN
2.7.4 Enabling the MUX VLAN Function on a Port
2.7.5 Checking the Configuration
2.8 Configuring an mVLAN to Implement Integrated Management
2.9 Configuring an Interface to Discard Incoming Tagged Packets
2.10 Maintaining VLAN
2.10.1 Collecting Statistics on VLAN Traffic
2.10.2 Clearing the Statistics of VLAN Packets
2.10.3 Enable GMAC ping to detect Layer 2 network connectivity
2.10.4 Enable GMAC trace to locate faults
2.11 Configuration Examples
2.11.1 Example for Assigning VLANs
2.11.2 Example for Implementing Inter-VLAN Communication Using VLANIF Interfaces
2.11.3 Example for Configuring VLAN Aggregation
2.11.4 Example for Configuring a MUX VLAN to Separate Layer 2 Traffic
2.12 Common Configuration Errors
2.12.1 User Terminals in the Same VLAN Cannot Ping Each Other
2.12.2 VLANIF Interface Goes Down
3 QinQ Configuration
3.1 QinQ Overview
3.2 QinQ Features Supported by the Device
3.3 Configuring Basic QinQ
3.4 Configuring the TPID Value for an Outer VLAN Tag
3.5 Configuration Examples
3.5.1 Example for Configuring QinQ
4 MAC Address Table Configuration
4.1 MAC Address Table Overview
4.2 MAC Address Features Supported by the Device
4.3 Default Configuration
4.4 Configuring the MAC Address Table
4.4.1 Configuring a Static MAC Address Entry
4.4.2 Configuring a Blackhole MAC Address Entry
4.4.3 Setting the Aging Time of Dynamic MAC Address Entries
4.4.4 Disabling MAC Address Learning
4.4.5 Limiting the Number of Learned MAC Addresses
4.4.6 Checking the Configuration
4.5 Configuring Port Security
4.5.1 Configuring the Secure Dynamic MAC Function on an Interface
4.5.2 Configuring the Sticky MAC Function on an Interface
4.5.3 Checking the Configuration
4.6 Configuring MAC Address Anti-flapping
4.6.1 Configuring the MAC Address Learning Priority of an Interface
4.6.2 Forbidding MAC Address Flapping Between Interfaces with the Same Priority
4.6.3 Checking the Configuration
4.7 Configuring MAC Address Flapping Detection
4.8 Configuring the Switch to Discard Packets with an All-0 MAC Address
4.9 Discarding Packets that Cannot Match MAC Address Entries
4.10 Enabling Port Bridge
4.11 Configuration Examples
4.11.1 Example for Configuring the MAC Address Table
4.11.2 Example for Configuring MAC Address Learning in a VLAN
4.11.3 Example for Configuring Port Security
4.11.4 Example for Configuring MAC Address Anti-flapping
4.11.5 Example for Configuring MAC Address Flapping Detection
4.12 Common Configuration Errors
4.12.1 Correct MAC Address Entry Cannot Be Learned on the Device
5 STP/RSTP Configuration
5.1 STP/RSTP Overview
5.2 STP/RSTP Features Supported by the CE series switches
5.3 Default Configuration
5.4 Configuring Basic STP/RSTP Functions
5.4.1 Configuring the STP/RSTP Mode
5.4.2 (Optional) Configuring the Root Bridge and Secondary Root Bridge
5.4.3 (Optional) Configuring Switching Device Priorities
5.4.4 (Optional) Setting the Path Cost for a Port
5.4.5 (Optional) Configuring Port Priorities
5.4.6 Enabling STP/RSTP
5.4.7 Checking the Configuration
5.5 Setting STP Parameters That Affect STP Convergence
5.5.1 Setting the STP Network Diameter
5.5.2 Setting the STP Timeout Interval
5.5.3 Setting the Values of STP Timers
5.5.4 Setting the Maximum Number of Connections That Affect Spanning Tree Calculation
5.5.5 Checking the Configuration
5.6 Setting RSTP Parameters That Affect RSTP Convergence
5.6.1 Setting the RSTP Network Diameter
5.6.2 Setting the RSTP Timeout Interval
5.6.3 Setting RSTP Timers
5.6.4 Setting the Maximum Number of Connections That Affect Spanning Tree Calculation
5.6.5 Setting the Link Type of a Port
5.6.6 Setting the Maximum Transmission Rate of an Interface
5.6.7 Switching to the RSTP mode
5.6.8 Configuring a Port as an Edge Port and BPDU Filter Port
5.6.9 Checking the Configuration
5.7 Configuring RSTP Protection Functions
5.7.1 Configuring BPDU Protection on a Switching Device
5.7.2 Configuring TC Protection on a Switching Device
5.7.3 Configuring Root Protection on a Port
5.7.4 Configuring Loop Protection on a Port
5.7.5 Checking the Configuration
5.8 Setting Parameters for Interworking Between the CE series switches and a Non-Huawei Device
5.9 Maintaining STP/RSTP
5.9.1 Clearing STP/RSTP Statistics
5.10 Configuration Examples
5.10.1 Example for Configuring STP
5.10.2 Example for Configuring RSTP
6 MSTP Configuration
6.1 MSTP Introduction
6.2 MSTP Features Supported by the CE series switches
6.3 Default Configuration
6.4 Configuring Basic MSTP Functions
6.4.1 Configuring the MSTP Mode
6.4.2 Configuring an MST Region
6.4.3 (Optional) Configuring the Root Bridge and Secondary Root Bridge
6.4.4 (Optional) Configuring a Priority for a Switching Device in an MSTI
6.4.5 (Optional) Configuring a Path Cost of a Port in an MSTI
6.4.6 (Optional) Configuring a Port Priority in an MSTI
6.4.7 Enabling MSTP
6.4.8 Checking the Configuration
6.5 Configuring MSTP Multi-Process
6.5.1 Creating an MSTP Process
6.5.2 Adding a Port to an MSTP Process
6.5.3 (Optional) Configuring the Root Bridge and Secondary Root Bridge
6.5.4 (Optional) Configuring a Priority for a Switching Device in an MSTI
6.5.5 (Optional) Configuring a Path Cost of a Port in an MSTI
6.5.6 (Optional) Configuring a Port Priority in an MSTI
6.5.7 Configuring TC Notification in MSTP Multi-process
6.5.8 Enabling MSTP
6.5.9 Checking the Configuration
6.6 Configuring MSTP Parameters on an Interface
6.6.1 Setting the MSTP Network Diameter
6.6.2 Setting the MSTP Timeout Interval
6.6.3 Setting the Values of MSTP Timers
6.6.4 Setting the Maximum Number of Connections That Affect Spanning Tree Calculation
6.6.5 Setting the Link Type of a Port
6.6.6 Setting the Maximum Transmission Rate of an Interface
6.6.7 Switching to the MSTP Mode
6.6.8 Configuring a Port as an Edge Port and BPDU Filter Port
6.6.9 Setting the Maximum Number of Hops in an MST Region
6.6.10 Checking the Configuration
6.7 Configuring MSTP Protection Functions
6.7.1 Configuring BPDU Protection on a Switching Device
6.7.2 Configuring TC Protection on a Switching Device
6.7.3 Configuring Root Protection on an Interface
6.7.4 Configuring Loop Protection on an Interface
6.7.5 Configuring Share-Link Protection on a Switching Device
6.7.6 Checking the Configuration
6.8 Configuring MSTP Interoperability Between Huawei Devices and Non-Huawei Devices
6.8.1 Configuring a Proposal/Agreement Mechanism
6.8.2 Configuring the MSTP Protocol Packet Format on an Interface
6.8.3 Enabling the Digest Snooping Function
6.8.4 Checking the Configuration
6.9 Maintaining MSTP
6.9.1 Clearing MSTP Statistics
6.10 Configuration Examples
6.10.1 Example for Configuring MSTP
7 Loopback Detection Configuration
7.1 Loopback Detection Overview
7.2 Default Configuration
7.3 Configuring Loopback Detection
7.3.1 Enabling Loopback Detection
7.3.2 (Optional) Configuring an Action to Perform After a Loopback Is Detected
7.3.3 (Optional) Setting the Interval Between Sending Loopback Detection Packets on an Interface
7.3.4 Checking the Configuration
7.4 Configuration Examples
7.4.1 Example for Configuring Loopback Detection
1 Link Aggregation Configuration
About This Chapter
Link aggregation is a technology that bundles multiple Ethernet links into a logical link to
increase bandwidth, improve reliability, and load balance traffic.
1.1 Link Aggregation Overview
Link aggregation is a technology that bundles a group of physical interfaces into a logical
interface to increase link bandwidth.
1.2 Link Aggregation Features Supported by the Switch
The Switch supports the manual load balancing mode and Link Aggregation Control Protocol
(LACP) mode. In a stack, local traffic is first forwarded by the Eth-Trunk.
1.3 Default Settings
This section describes default parameter settings of link aggregation.
1.4 Configuring Link Aggregation in Manual Load Balancing Mode
Link aggregation implements load balancing, increases interface bandwidth, and improves
transmission reliability.
1.5 Configuring Link Aggregation in LACP Mode
Link aggregation implements load balancing, increases interface bandwidth, and improves
transmission reliability.
1.6 Configuring Forwarding Through Local Member Interfaces (in a Stack)
On a network where a stack and an Eth-Trunk are used, configure the Eth-Trunk to preferentially
forward local interface traffic to increase bandwidth use efficiency between stack devices and
improve traffic forwarding efficiency.
1.7 Maintaining Link Aggregation
This section describes how to maintain link aggregation.
1.8 Configuration Examples
This section provides several configuration examples of link aggregation.
1.9 Common Configuration Errors
This section describes common configuration errors.
1.1 Link Aggregation Overview
Link aggregation is a technology that bundles a group of physical interfaces into a logical
interface to increase link bandwidth.
As networks grow, users require ever higher bandwidth and reliability on backbone links.
The traditional way to increase bandwidth is to use devices that support high-speed
interfaces. This method, however, is costly and inflexible.
Link aggregation bundles multiple physical interfaces into a logical interface to increase the
bandwidth without upgrading the hardware. The backup mechanism of link aggregation
improves reliability, and traffic is load balanced among the different links.
As shown in Figure 1-1, DeviceA and DeviceB are connected through three Ethernet physical
links. These three Ethernet physical links are bound to an Eth-Trunk link. The bandwidth of the
Eth-Trunk link is the sum of bandwidth of the three Ethernet physical links, so bandwidth is
increased. The three Ethernet physical links back up each other, which improves reliability.
Figure 1-1 Networking diagram of link aggregation
(Diagram labels: DeviceA and DeviceB, connected by an Eth-Trunk.)
1.2 Link Aggregation Features Supported by the Switch
The Switch supports the manual load balancing mode and Link Aggregation Control Protocol
(LACP) mode. In a stack, local traffic is first forwarded by the Eth-Trunk.
Link Aggregation in Manual Load Balancing Mode
In manual load balancing mode, you must manually create an Eth-Trunk interface and add member
interfaces to the Eth-Trunk interface. In this mode, all the member interfaces of an LAG share
the traffic evenly. If an active link fails, the other active links share the traffic evenly.
Figure 1-2 Link aggregation in manual load balancing mode
(Diagram labels: DeviceA and DeviceB, connected by an Eth-Trunk.)
The manual load balancing mode is used when the peer device does not support LACP.
Link Aggregation in LACP Mode
In LACP mode, you must manually create an Eth-Trunk and add member interfaces to the
Eth-Trunk. LACP then negotiates parameters through LACPDUs to determine which interfaces
are active and which are inactive.
The LACP mode is also called the M:N mode. It implements both load balancing and
backup. In a link aggregation group (LAG), M links are in active state. They forward data and
implement load balancing. The other N links are in inactive state and do not forward data. When
one of the M links becomes faulty, the link with the highest priority among the N links is selected
to replace the faulty link. This link enters the active state and starts to forward data.
Figure 1-3 LACP mode
(Diagram labels: Eth-Trunk 1 on DeviceA and Eth-Trunk 1 on DeviceB, connected by an Eth-Trunk; the legend marks active links and backup links.)
Difference between LACP and manual load balancing: LACP has backup links. In manual load
balancing mode, all member interfaces are in forwarding state.
Forwarding Local Interface Traffic Preferentially Through an Inter-device Eth-Trunk in a Stack
A stack increases the total capacity of devices. An inter-device Eth-Trunk interface implements
backup between devices and improves reliability. However, an Eth-Trunk selects member
interfaces to forward traffic based on the hash algorithm. As a result, traffic flowing into a device
may be forwarded by another device. This increases bandwidth usage between devices and
reduces traffic forwarding efficiency. To prevent this problem, configure the Eth-Trunk to
preferentially forward local interface traffic.
Figure 1-4 Configuring an Eth-Trunk to preferentially forward local interface traffic
(Diagram labels: panel a, the Eth-Trunk is not enabled to preferentially forward local interface traffic; panel b, the Eth-Trunk is enabled to preferentially forward local interface traffic. Both panels show DeviceA connected through an Eth-Trunk to the iStack formed by DeviceB and DeviceC; the legend marks data flow 1, data flow 2, and the stack cable.)

As shown in Figure 1-4, DeviceB and DeviceC constitute a stack, and the stack connects to
DeviceA through an Eth-Trunk. After you configure the Eth-Trunk in the stack to preferentially
forward local interface traffic, the following functions are implemented:
- Forwarding received traffic by the local device
When DeviceB has member interfaces of the Eth-Trunk and the member interfaces function
properly, the Eth-Trunk forwarding table of DeviceB contains only local member
interfaces. In this manner, the hash algorithm selects a local member interface, and traffic
is forwarded through DeviceB.
- Forwarding received traffic by another device
When DeviceB does not have any member interface of the Eth-Trunk or all its member
interfaces are faulty, the Eth-Trunk forwarding table of DeviceB contains all available
member interfaces. In this manner, the hash algorithm selects a member interface on
DeviceC, and traffic is forwarded through DeviceC.
1.3 Default Settings
This section describes default parameter settings of link aggregation.
Table 1-1 Default parameter settings of link aggregation
| Parameter | Value |
|---|---|
| Link aggregation mode | Manual load balancing mode |
| max active-linknumber | 16 |
| least active-linknumber | 1 |
| LACP system priority | 32768 |
| LACP port priority | 32768 |
| LACP preemption | Disabled |
| LACP preemption delay | 30s |
| Timeout interval at which LACPDUs are received | 90s |
| Function that preferentially forwards local interface traffic on an Eth-Trunk | Enabled |

1.4 Configuring Link Aggregation in Manual Load Balancing Mode
Link aggregation implements load balancing, increases interface bandwidth, and improves
transmission reliability.
1.4.1 Creating an LAG
Context
Each LAG corresponds to a logical interface, that is, Eth-Trunk. Before configuring link
aggregation, create an Eth-Trunk.
Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
interface eth-trunk trunk-id
An Eth-Trunk is created and the Eth-Trunk interface view is displayed.
The value of trunk-id ranges from 0 to 127.
If the specified Eth-Trunk already exists, this command directly displays the Eth-Trunk interface
view.
Step 3 Run:
commit
The configuration is committed.
----End
1.4.2 Setting the Manual Load Balancing Mode
Context
Link aggregation can work in manual load balancing mode and LACP mode.
In manual load balancing mode, you must manually create an Eth-Trunk and add member
interfaces into the Eth-Trunk. All active links forward data and evenly load balance traffic. The
manual load balancing mode is used when the peer device does not support LACP.
Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
interface eth-trunk trunk-id
The Eth-Trunk interface view is displayed.
Step 3 Run:
mode manual [ load-balance ]
The working mode of the Eth-Trunk is configured.
By default, an Eth-Trunk works in manual load balancing mode.
Before configuring an Eth-Trunk, ensure that both ends use the same working mode. If the local
end works in manual load balancing mode, the peer end must use the manual load balancing
mode.
Step 4 Run:
commit
The configuration is committed.
----End
1.4.3 Adding Member Interfaces to an Eth-Trunk
Context
You can add member interfaces to an Eth-Trunk in the Eth-Trunk interface view or member
interface view.
Procedure
- Adding member interfaces to an Eth-Trunk in the Eth-Trunk interface view
1. Run:
system-view
The system view is displayed.
2. Run:
interface eth-trunk trunk-id
The Eth-Trunk interface view is displayed.
3. Run:
trunkport interface-type { interface-number1 [ to interface-number2 ] } &<1-16>
A member interface is added to the Eth-Trunk.
NOTE
When member interfaces are added to an Eth-Trunk in batches, if one interface cannot be added
to the Eth-Trunk, none of the interfaces is added to the Eth-Trunk.
4. Run:
commit
The configuration is committed.
- Adding member interfaces to an Eth-Trunk in the member interface view
1. Run:
system-view
The system view is displayed.
2. Run:
interface interface-type interface-number
The member interface view is displayed.
3. Run:
eth-trunk trunk-id
The member interface is added to an Eth-Trunk.
4. Run:
commit
The configuration is committed.
When adding an interface to an Eth-Trunk, pay attention to the following points:
- An Eth-Trunk contains a maximum of 16 member interfaces.
- A member interface cannot be configured with any service or static MAC address.
- When adding an interface to an Eth-Trunk, ensure that the interface is an Access
interface (default interface type).
- An Eth-Trunk cannot be nested; that is, its member interfaces cannot be Eth-Trunks.
- An Ethernet interface can be added to only one Eth-Trunk. To add the Ethernet interface
to another Eth-Trunk, delete it from the current Eth-Trunk first.
- All member interfaces of an Eth-Trunk must be of the same type.
- The peer interfaces directly connected to the local Eth-Trunk member interfaces must
also be bundled into an Eth-Trunk; otherwise, the two ends cannot communicate.
- After interfaces are added to an Eth-Trunk, MAC addresses are learned on the
Eth-Trunk, not on the member interfaces.
- The rates at both ends of the Eth-Trunk must be the same. It is recommended that the
number of connected physical interfaces, and the jumbo and flow control configuration, at
both ends of the Eth-Trunk be the same.
----End
1.4.4 (Optional) Setting the Lower Threshold for the Number of Active Interfaces
Context
The lower threshold for the number of active interfaces affects the status and bandwidth of the
trunk interface. To ensure that the trunk interface functions properly and is less affected by
changes in member link status, set the following threshold.
When the number of active interfaces falls below this threshold, the Eth-Trunk goes Down. This
ensures that the Eth-Trunk has a minimum available bandwidth.
NOTE
The upper threshold for the number of active interfaces is inapplicable to the manual load balancing mode.
Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
interface eth-trunk trunk-id
The Eth-Trunk interface view is displayed.
Step 3 Run:
least active-linknumber link-number
The lower threshold for the number of active interfaces is set.
By default, the lower threshold for the number of active interfaces is 1.
The lower threshold for the number of active interfaces on the local switch can be different from
that on the remote switch. If the two values are different, the larger one is used.
Step 4 Run:
commit
The configuration is committed.
----End
1.4.5 (Optional) Configuring the Load Balancing Mode
Context
An Eth-Trunk uses flow-based load balancing. Flow-based load balancing ensures that frames
of the same data flow are forwarded on the same physical link. Different data flows are forwarded
on different physical links to implement load balancing.
Load balancing is valid only for outgoing traffic; therefore, the load balancing modes for the
interfaces at both ends of the link can be different and do not affect each other.
Table 1-2 describes load balancing modes for different types of packets.
Table 1-2 Load balancing modes for different types of packets
| Packet (Inbound Interface) | Default Load Balancing Mode | Configurable Load Balancing Mode | Remarks |
|---|---|---|---|
| IPv4 packets | src-ip, dst-ip, l4-src-port and l4-dst-port | src-ip, dst-ip, l4-src-port, l4-dst-port, and protocol | The load balancing mode is relevant to the packet type and irrelevant to the packet forwarding process. For example, even if the system provides only Layer 2 forwarding for IPv4 packets, the IPv4 packets are load balanced according to the load balancing mode for IPv4 packets. When the system cannot identify IPv4, IPv6, or MPLS packets, the system load balances packets based on src-mac, dst-mac, src-interface, and eth-type for Layer 2 packets. |
| IPv6 packets | src-ip and dst-ip | src-ip, dst-ip, protocol, l4-src-port, and l4-dst-port | |
| MPLS packets | top-label and 2nd-label | top-label and 2nd-label | |
| Layer 2 packets except IPv4, IPv6, and MPLS packets | src-mac and dst-mac | src-mac, dst-mac, src-interface, and eth-type | |
| Trill packets (transit and ingress sides) | src-mac, dst-mac, vlan, and eth-type | Nonconfigurable | At the ingress side, load balancing modes are the same as those for common Layer 2 and Layer 3 packets. The hash algorithm can be performed at the transit side and egress side only when the load-balance enhanced profile profile-name command is used. |

Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 (Optional) Run:
load-balance profile profile-name
A load balancing profile is configured and its view is displayed. profile-name specifies the name
of the load balancing profile.
By default, there is a load balancing profile named default.
Run the following commands as required. You can configure load balancing modes for Layer
2 packets, IPv4 packets, IPv6 packets, and MPLS packets respectively.
- Run:
l2 [ src-mac | dst-mac | src-interface | eth-type ] *
The load balancing mode of Layer 2 packets (non-IP packets) is set.
By default, load balancing of Layer 2 packets (non-IP packets) is based on the source MAC
address (src-mac) and destination MAC address (dst-mac).
- Run:
ip [ src-ip | dst-ip | l4-src-port | l4-dst-port | protocol ] *
The load balancing mode of IPv4 packets is set.
By default, load balancing of IPv4 packets is based on the source IP address (src-ip),
destination IP address (dst-ip), transport-layer source port numbers (l4-src-port), and
transport-layer destination port numbers (l4-dst-port).
- Run:
ipv6 [ src-ip | dst-ip | protocol | l4-src-port | l4-dst-port ] *
The load balancing mode of IPv6 packets is set.
By default, load balancing of IPv6 packets is based on the source IP address (src-ip) and
destination IP address (dst-ip).
- Run:
mpls [ top-label | 2nd-label ] *
The load balancing mode of MPLS packets is set.
By default, load balancing of MPLS packets is based on the two outer labels (top-label and
2nd-label) of each packet.
Step 3 Run:
quit
Return to the system view.
Step 4 Run the following commands as required.
- Configure a load balancing mode for known unicast traffic.
1. Run:
interface eth-trunk trunk-id
The Eth-Trunk interface view is displayed.
2. Run:
load-balance { dst-ip | dst-mac | src-ip | src-mac | src-dst-ip | src-dst-mac | enhanced profile profile-name }
A load balancing mode of the Eth-Trunk is set.
By default, the load balancing mode of the Eth-Trunk is enhanced profile.
- dst-ip: Load balancing is performed based on destination IP addresses.
- dst-mac: Load balancing is performed based on destination MAC addresses.
- src-ip: Load balancing is performed based on source IP addresses.
- src-mac: Load balancing is performed based on source MAC addresses.
- src-dst-ip: Load balancing is performed based on the Exclusive-Or result of source
and destination IP addresses.
- src-dst-mac: Load balancing is performed based on the Exclusive-Or result of source
and destination MAC addresses.
- enhanced profile: Load balancing is performed based on the fields in the global load
balancing profile.
3. Run:
commit
The configuration is committed.
- Configure a load balancing mode for unknown unicast traffic.
1. Run:
load-balance unknown-unicast { mac | enhanced }
A load balancing mode is configured.
By default, the load balancing mode is enhanced.
2. Run:
commit
The configuration is committed.
----End
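The following Python model is an added example, not code from this guide or from Huawei. It shows how the key fields of a load balancing mode decide which Eth-Trunk member carries a flow, and how preferential local forwarding (section 1.2) narrows the forwarding table in a stack. The SHA-256 stand-in hash, the interface names, and the sample flows are assumptions, because the guide does not document the switch's hash function.

```python
import hashlib
import ipaddress

# Constructed inter-device Eth-Trunk: (stack device, interface, link is Up).
MEMBERS = [
    ("DeviceB", "10GE1/0/1", True),
    ("DeviceB", "10GE1/0/2", True),
    ("DeviceC", "10GE2/0/1", True),
    ("DeviceC", "10GE2/0/2", True),
]


def ip_int(addr):
    return int(ipaddress.ip_address(addr))


def mac_int(addr):
    """Parse a MAC address written as xxxx-xxxx-xxxx."""
    return int(addr.replace("-", ""), 16)


def flow_key(mode, pkt):
    """Return the fields that one load-balance mode feeds into the hash."""
    if mode == "dst-ip":
        return (ip_int(pkt["dst_ip"]),)
    if mode == "src-ip":
        return (ip_int(pkt["src_ip"]),)
    if mode == "dst-mac":
        return (mac_int(pkt["dst_mac"]),)
    if mode == "src-mac":
        return (mac_int(pkt["src_mac"]),)
    if mode == "src-dst-ip":   # Exclusive-Or of source and destination IP
        return (ip_int(pkt["src_ip"]) ^ ip_int(pkt["dst_ip"]),)
    if mode == "src-dst-mac":  # Exclusive-Or of source and destination MAC
        return (mac_int(pkt["src_mac"]) ^ mac_int(pkt["dst_mac"]),)
    if mode == "enhanced":     # default IPv4 fields of the profile (Table 1-2)
        return (ip_int(pkt["src_ip"]), ip_int(pkt["dst_ip"]),
                pkt["l4_src_port"], pkt["l4_dst_port"])
    raise ValueError("unknown load balancing mode: " + mode)


def forwarding_table(members, ingress_device, local_first=True):
    """Up members the hash may choose from on the device that received the flow."""
    up = [m for m in members if m[2]]
    if local_first:
        local = [m for m in up if m[0] == ingress_device]
        if local:              # only local members while at least one works
            return local
    return up                  # otherwise all available members


def select_member(mode, pkt, members, ingress_device, local_first=True):
    table = forwarding_table(members, ingress_device, local_first)
    if not table:
        return None
    # Stand-in hash (assumption): the real hash is not documented in the guide.
    digest = hashlib.sha256(repr(flow_key(mode, pkt)).encode()).digest()
    return table[int.from_bytes(digest[:4], "big") % len(table)]


def make_flows(count):
    """Constructed IPv4 flows from distinct clients to one server."""
    return [{"src_ip": "10.1.%d.%d" % (i // 200, i % 200 + 1),
             "dst_ip": "10.2.0.10",
             "src_mac": "0011-2233-%04x" % i, "dst_mac": "00aa-bbcc-0001",
             "l4_src_port": 1024 + i, "l4_dst_port": 443}
            for i in range(count)]


def reverse(pkt):
    """Return the packet of the opposite direction of the same conversation."""
    return {"src_ip": pkt["dst_ip"], "dst_ip": pkt["src_ip"],
            "src_mac": pkt["dst_mac"], "dst_mac": pkt["src_mac"],
            "l4_src_port": pkt["l4_dst_port"], "l4_dst_port": pkt["l4_src_port"]}


def stack_crossings(flows, members, ingress_device, local_first, mode="enhanced"):
    """Count flows that leave through a member on another stack device."""
    chosen = [select_member(mode, f, members, ingress_device, local_first)
              for f in flows]
    return sum(1 for m in chosen if m is not None and m[0] != ingress_device)


def links_used(flows, members, ingress_device, mode):
    """Member interfaces that carry at least one of the flows."""
    return {select_member(mode, f, members, ingress_device, False) for f in flows}


if __name__ == "__main__":
    flows = make_flows(200)
    for local_first in (False, True):
        print("local_first=%s: %d of %d flows cross the stack cable" % (
            local_first, stack_crossings(flows, MEMBERS, "DeviceB", local_first),
            len(flows)))
    for mode in ("dst-ip", "src-ip", "enhanced"):
        print("%s: %d member links carry traffic" % (
            mode, len(links_used(flows, MEMBERS, "DeviceB", mode))))
```

With every sample flow addressed to the same server, dst-ip places all of them on one member link, which is why the mode should be chosen to match the traffic pattern.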
1.4.6 Checking the Configuration
Procedure
- Run the display eth-trunk [ trunk-id [ interface interface-type interface-number |
verbose ] ] command to check the Eth-Trunk configuration.
- Run the display trunkmembership eth-trunk trunk-id command to check information
about member interfaces of the Eth-Trunk.
- Run the display load-balance profile [ profile-name ] command to check details of a load
balancing profile of the Eth-Trunk.
----End
1.5 Configuring Link Aggregation in LACP Mode
Link aggregation implements load balancing, increases interface bandwidth, and improves
transmission reliability.
1.5.1 Creating an LAG
Context
Each LAG corresponds to a logical interface, that is, Eth-Trunk. Before configuring link
aggregation, create an Eth-Trunk.
Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
interface eth-trunk trunk-id
An Eth-Trunk is created and the Eth-Trunk interface view is displayed.
The value of trunk-id ranges from 0 to 127.
If the specified Eth-Trunk already exists, this command directly displays the Eth-Trunk interface
view.
Step 3 Run:
commit
The configuration is committed.
----End
1.5.2 Setting the LACP Mode
Context
Link aggregation can work in manual load balancing mode and LACP mode.
In LACP mode, you must manually create an Eth-Trunk and add interfaces to the Eth-Trunk.
LACP determines active interfaces by negotiating parameters through LACPDUs.
Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
interface eth-trunk trunk-id
The Eth-Trunk interface view is displayed.
Step 3 Run:
mode lacp-static
The working mode of the Eth-Trunk is configured.
By default, an Eth-Trunk works in manual load balancing mode.
Before configuring an Eth-Trunk, ensure that both ends use the same working mode. If the local
end works in LACP mode, the peer end must use the LACP mode.
Step 4 Run:
commit
The configuration is committed.
----End
1.5.3 Adding Member Interfaces to an Eth-Trunk
Context
You can add member interfaces to an Eth-Trunk in the Eth-Trunk interface view or member
interface view.
Procedure
- Adding member interfaces to an Eth-Trunk in the Eth-Trunk interface view
1. Run:
system-view
The system view is displayed.
2. Run:
interface eth-trunk trunk-id
The Eth-Trunk interface view is displayed.
3. Run:
trunkport interface-type { interface-number1 [ to interface-number2 ] } &<1-16>
A member interface is added to the Eth-Trunk.
NOTE
When member interfaces are added to an Eth-Trunk in batches, if one interface cannot be added
to the Eth-Trunk, none of the interfaces is added to the Eth-Trunk.
4. Run:
commit
The configuration is committed.
- Adding member interfaces to an Eth-Trunk in the member interface view
1. Run:
system-view
The system view is displayed.
2. Run:
interface interface-type interface-number
The member interface view is displayed.
3. Run:
eth-trunk trunk-id
The member interface is added to an Eth-Trunk.
4. Run:
commit
The configuration is committed.
When adding an interface to an Eth-Trunk, pay attention to the following points:
- An Eth-Trunk contains a maximum of 16 member interfaces.
- A member interface cannot be configured with any service or static MAC address.
- When adding an interface to an Eth-Trunk, ensure that the interface is an Access
interface (default interface type).
- An Eth-Trunk cannot be nested; that is, its member interfaces cannot be Eth-Trunks.
- An Ethernet interface can be added to only one Eth-Trunk. To add the Ethernet interface
to another Eth-Trunk, delete it from the current Eth-Trunk first.
- All member interfaces of an Eth-Trunk must be of the same type.
- The peer interfaces directly connected to the local Eth-Trunk member interfaces must
also be bundled into an Eth-Trunk; otherwise, the two ends cannot communicate.
- After interfaces are added to an Eth-Trunk, MAC addresses are learned on the
Eth-Trunk, not on the member interfaces.
- The rates at both ends of the Eth-Trunk must be the same. It is recommended that the
number of connected physical interfaces, and the jumbo and flow control configuration, at
both ends of the Eth-Trunk be the same.
----End
1.5.4 (Optional) Limiting the Number of Active Interfaces
Context
The number of Up member links affects the status and bandwidth of the trunk interface. To
ensure that the trunk interface functions properly and is less affected by changes in member link
status, set the following thresholds.
- Lower threshold for the number of active interfaces: When the number of active interfaces
falls below this threshold, the trunk interface goes Down. This guarantees the trunk
interface a minimum available bandwidth.
- Upper threshold for the number of active interfaces: It is used for improving network
reliability with assured bandwidth. When the number of active interfaces reaches the
threshold, you can add new member interfaces to the Eth-Trunk, but excess member
interfaces enter the Down state.
Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
interface eth-trunk trunk-id
The Eth-Trunk interface view is displayed.
Step 3 Run:
least active-linknumber link-number
The lower threshold for the number of active interfaces is set.
By default, the minimum number of active interfaces is 1.
The minimum number of active interfaces on the local switch can be different from that on the
remote switch. If the two values are different, the larger one is used.
Step 4 Run:
lacp max active-linknumber link-number
The upper threshold for the number of active interfaces is set.
By default, the maximum number of active interfaces is 16.
The maximum number of active interfaces on the local switch can be different from that on the
remote switch. If the two values are different, the smaller one is used.
NOTE
The upper threshold for the number of active interfaces must be greater than or equal to the lower threshold
for the number of active interfaces.
Step 5 Run:
commit
The configuration is committed.
----End
1.5.5 (Optional) Configuring the Load Balancing Mode
Context
An Eth-Trunk uses flow-based load balancing. Flow-based load balancing ensures that frames
of the same data flow are forwarded on the same physical link. Different data flows are forwarded
on different physical links to implement load balancing.
Load balancing is valid only for outgoing traffic; therefore, the load balancing modes for the
interfaces at both ends of the link can be different and do not affect each other.
Table 1-3 describes load balancing modes for different types of packets.
Table 1-3 Load balancing modes for different types of packets

| Packet (Inbound Interface) | Default Load Balancing Mode | Configurable Load Balancing Mode |
|---|---|---|
| IPv4 packets | src-ip, dst-ip, l4-src-port and l4-dst-port | src-ip, dst-ip, l4-src-port, l4-dst-port, and protocol |
| IPv6 packets | src-ip and dst-ip | src-ip, dst-ip, protocol, l4-src-port, and l4-dst-port |
| MPLS packets | top-label and 2nd-label | top-label and 2nd-label |
| Layer 2 packets except IPv4, IPv6, and MPLS packets | src-mac and dst-mac | src-mac, dst-mac, src-interface, and eth-type |
| Trill packets (transit and ingress sides) | src-mac, dst-mac, vlan, and eth-type | Nonconfigurable |

Remarks (IPv4, IPv6, MPLS, and Layer 2 packet rows): The load balancing mode is relevant to the packet type and irrelevant to the packet forwarding process. For example, even if the system provides only Layer 2 forwarding for IPv4 packets, the IPv4 packets are load balanced according to the load balancing mode for IPv4 packets. When the system cannot identify IPv4, IPv6, or MPLS packets, the system load balances packets based on src-mac, dst-mac, src-interface, and eth-type for Layer 2 packets.

Remarks (Trill packets row): At the ingress side, load balancing modes are the same as those for common Layer 2 and Layer 3 packets. The hash algorithm can be performed at the transit side and egress side only when the load-balance enhanced profile profile-name command is used.

Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 (Optional) Run:
load-balance profile profile-name
A load balancing profile is configured and its view is displayed. profile-name specifies the name
of the load balancing profile.
By default, there is a load balancing profile named default.
Run the following commands as required. You can configure load balancing modes for Layer
2 packets, IPv4 packets, IPv6 packets, and MPLS packets respectively.
• Run:
l2 [ src-mac | dst-mac | src-interface | eth-type ] *
The load balancing mode of Layer 2 packets (non-IP packets) is set.
By default, load balancing of Layer 2 packets (non-IP packets) is based on the source MAC
address (src-mac) and destination MAC address (dst-mac).
• Run:
ip [ src-ip | dst-ip | l4-src-port | l4-dst-port | protocol ] *
The load balancing mode of IPv4 packets is set.
By default, load balancing of IPv4 packets is based on the source IP address (src-ip),
destination IP address (dst-ip), transport-layer source port numbers (l4-src-port), and
transport-layer destination port numbers (l4-dst-port).
• Run:
ipv6 [ src-ip | dst-ip | protocol | l4-src-port | l4-dst-port ] *
The load balancing mode of IPv6 packets is set.
By default, load balancing of IPv6 packets is based on the source IP address (src-ip) and
destination IP address (dst-ip).
• Run:
mpls [ top-label | 2nd-label ] *
The load balancing mode of MPLS packets is set.
By default, load balancing of MPLS packets is based on the two outer labels (top-label and
2nd-label) of each packet.
Step 3 Run:
quit
Return to the system view.
Step 4 Run the following commands as required.
• Configure a load balancing mode for known unicast traffic.
1. Run:
interface eth-trunk trunk-id
The Eth-Trunk interface view is displayed.
2. Run:
load-balance { dst-ip | dst-mac | src-ip | src-mac | src-dst-ip | src-dst-mac | enhanced profile profile-name }
A load balancing mode of the Eth-Trunk is set.
By default, the load balancing mode of the Eth-Trunk is enhanced profile.
dst-ip: Load balancing is performed based on destination IP addresses.
dst-mac: Load balancing is performed based on destination MAC addresses.
src-ip: Load balancing is performed based on source IP addresses.
src-mac: Load balancing is performed based on source MAC addresses.
src-dst-ip: Load balancing is performed based on the Exclusive-Or result of source
and destination IP addresses.
src-dst-mac: Load balancing is performed based on the Exclusive-Or result of source
and destination MAC addresses.
enhanced profile: Load balancing is performed based on the fields in the global load
balancing profile.
3. Run:
commit
The configuration is committed.
• Configure a load balancing mode for unknown unicast traffic.
1. Run:
load-balance unknown-unicast { mac | enhanced }
A load balancing mode is configured.
By default, the load balancing mode is enhanced.
2. Run:
commit
The configuration is committed.
----End
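The following Python model is an added illustration, not Huawei code: it shows flow-based link selection with the default profile fields from Table 1-3 and the per-trunk modes listed in Step 4. The XOR-and-modulo hash, the MAC and IP addresses, and the 64 sample flows are assumptions of the model; this guide does not describe the switch's real hash function.

```python
import ipaddress
from collections import Counter

# Default fields of the "default" profile, per packet type (Table 1-3).
DEFAULT_PROFILE = {
    "ipv4": ("src-ip", "dst-ip", "l4-src-port", "l4-dst-port"),
    "ipv6": ("src-ip", "dst-ip"),
    "mpls": ("top-label", "2nd-label"),
    "l2": ("src-mac", "dst-mac"),
}

# Fields used by the per-trunk modes of the load-balance command.
MODE_FIELDS = {
    "dst-ip": ("dst-ip",),
    "dst-mac": ("dst-mac",),
    "src-ip": ("src-ip",),
    "src-mac": ("src-mac",),
    "src-dst-ip": ("src-ip", "dst-ip"),
    "src-dst-mac": ("src-mac", "dst-mac"),
}


def to_int(value):
    """Integers pass through; 'xxxx-xxxx-xxxx' is a MAC; the rest are IPs."""
    if isinstance(value, int):
        return value
    if "-" in value:
        return int(value.replace("-", ""), 16)
    return int(ipaddress.ip_address(value))


def select_link(frame, links, mode="enhanced", profile=DEFAULT_PROFILE):
    """Pick the outgoing member link for one frame."""
    if mode == "enhanced":
        fields = profile[frame["type"]]      # fields depend on packet type
    else:
        fields = MODE_FIELDS[mode]
    key = 0
    for field in fields:
        key ^= to_int(frame[field])          # assumed stand-in hash: XOR
    return links[key % len(links)]


def reverse(frame):
    """The same conversation seen in the opposite direction."""
    swapped = dict(frame)
    for a, b in (("src-mac", "dst-mac"), ("src-ip", "dst-ip"),
                 ("l4-src-port", "l4-dst-port")):
        swapped[a], swapped[b] = frame[b], frame[a]
    return swapped


def distribution(frames, links, mode="enhanced"):
    """Count how many of the given frames land on each member link."""
    return Counter(select_link(f, links, mode) for f in frames)


LINKS = ["10GE1/0/1", "10GE1/0/2", "10GE1/0/3"]

# Constructed sample: 64 TCP flows routed between two Layer 3 devices, so
# every frame on the trunk carries the same source and destination MAC.
FLOWS = [
    {"type": "ipv4", "src-mac": "00e0-fc00-0001", "dst-mac": "00e0-fc00-0002",
     "src-ip": "192.0.2.10", "dst-ip": "198.51.100.20",
     "l4-src-port": 40000 + i, "l4-dst-port": 443}
    for i in range(64)
]

if __name__ == "__main__":
    print("src-dst-mac:", dict(distribution(FLOWS, LINKS, "src-dst-mac")))
    print("enhanced   :", dict(distribution(FLOWS, LINKS, "enhanced")))
```

In this model every frame carries the same MAC pair, so src-dst-mac places all 64 flows on one member link, while the default IPv4 profile fields spread them 22/21/21 across the three links.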
1.5.6 (Optional) Setting the LACP System Priority
Context
LACP system priority differentiates priorities of devices at both ends. In LACP mode, active
interfaces selected by devices at both ends must be consistent; otherwise, the LAG cannot be
set up. To keep active interfaces consistent at both ends, you can set the priority of one device
to be higher than that of the other device so that the other device can select active interfaces
according to those selected by the device with a higher priority.
Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
lacp priority priority
The LACP system priority is set.
A smaller LACP priority value indicates a higher priority. By default, the LACP system priority
is 32768.
The end with a smaller priority value functions as the Actor. If the two ends have the same
priority, the end with a smaller MAC address functions as the Actor.
Step 3 Run:
commit
The configuration is committed.
----End
1.5.7 (Optional) Setting the LACP Priority for an Interface
Context
In LACP mode, LACP interface priorities are set to prioritize interfaces of the same device.
Interfaces with higher priorities are selected as active interfaces.
Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
interface interface-type interface-number
The member interface view is displayed.
Step 3 Run:
lacp priority priority
The LACP priority of the member interface is configured.
By default, the LACP interface priority is 32768. A smaller priority value indicates a higher
LACP priority.
NOTE
By default, the system selects active interfaces based on interface priorities. However, low-speed member
interfaces may be selected as active interfaces because of their high priorities. To select high-speed member
interfaces, run the lacp select { priority | speed } command to configure the system to select active
interfaces based on the interface rate.
Step 4 Run:
commit
The configuration is committed.
----End
1.5.8 (Optional) Configuring LACP Preemption
Context
The LACP preemption function ensures that the interface with the highest LACP priority always
functions as an active interface. For example, when the interface with the highest priority
becomes inactive due to a failure, the LACP preemption function enables the interface to become
active again after it recovers. If the LACP preemption function is disabled, the interface cannot
become an active interface again.
The LACP preemption delay is the period during which an inactive interface waits before it
becomes active. The LACP preemption delay prevents unstable data transmission on an
Eth-Trunk link due to frequent status changes of some links.
Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
interface eth-trunk trunk-id
The Eth-Trunk interface view is displayed.
Step 3 Run:
lacp preempt enable
The LACP preemption function is enabled.
By default, the LACP preemption function is disabled.
NOTE
To ensure normal running of an Eth-Trunk interface, enable or disable LACP preemption on both ends of
the Eth-Trunk interface.
Step 4 Run:
lacp preempt delay delay-time
The LACP preemption delay is set.
By default, the LACP preemption delay is 30 seconds.
Step 5 Run:
commit
The configuration is committed.
----End
1.5.9 (Optional) Setting the Timeout Interval for Receiving
LACPDUs
Context
If the Eth-Trunk on the local device cannot detect a self-loop or fault that occurred on a member
interface in the LAG on the peer device, data on the local device is still load balanced among
original active interfaces. As a result, data traffic on the faulty link is discarded.
After the timeout interval at which LACPDUs are received is set, if a local member interface
does not receive any LACPDUs within the configured timeout interval, it becomes Down
immediately and no longer forwards data.
Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
interface eth-trunk trunk-id
The Eth-Trunk interface view is displayed.
Step 3 Run:
lacp timeout { fast | slow }
The timeout interval at which LACPDUs are received is set.
By default, the timeout interval for an Eth-Trunk to receive packets is 90 seconds.
NOTE
• After you run the lacp timeout command, the local end informs the peer end of the timeout interval
through LACP packets. If the fast keyword is used, the interval for sending LACP packets is 1 second.
If the slow keyword is used, the interval for sending LACP packets is 30 seconds.
• The timeout interval for receiving LACP packets is three times the interval for sending LACP packets.
In other words, when the fast keyword is used, the timeout interval for receiving LACP packets is 3
seconds. When the slow keyword is used, the timeout interval for receiving LACP packets is 90 seconds.
• You can select different keywords on the two ends. However, it is recommended that you select the
same keyword on both ends to facilitate maintenance.
Step 4 Run:
commit
The configuration is committed.
----End
1.5.10 Checking the Configuration
Procedure
• Run the display eth-trunk [ trunk-id [ interface interface-type interface-number |
verbose ] ] command to check the Eth-Trunk configuration.
• Run the display trunkmembership eth-trunk trunk-id command to check information
about member interfaces of the Eth-Trunk.
• Run the display load-balance profile [ profile-name ] command to check details of a load
balancing profile of the Eth-Trunk.
----End
1.6 Configuring Forwarding Through Local Member
Interfaces (in a Stack)
On a network where the stack and Eth-Trunk are used, configure the Eth-Trunk to preferentially
forward local interface traffic to increase bandwidth use efficiency between stack devices and
improve traffic forwarding efficiency.
Context
You can configure the Eth-Trunk to preferentially forward local interface traffic, or not to, in the
following scenarios:
• If active interfaces in the local Eth-Trunk have sufficient bandwidth to forward traffic on
the local device, configure the Eth-Trunk to preferentially forward local interface traffic,
which improves traffic forwarding efficiency and increases bandwidth use efficiency
between stack devices.
• If active interfaces in the local Eth-Trunk do not have sufficient bandwidth to forward traffic
on the local device, configure the Eth-Trunk not to preferentially forward local interface
traffic. Some traffic on the local device is forwarded through member interfaces of the
Eth-Trunk on another device. This prevents packet loss.
Pre-configuration Tasks
Before configuring an Eth-Trunk to preferentially forward local interface traffic, complete the
following tasks:
• Creating an Eth-Trunk and adding physical interfaces to the Eth-Trunk
• Connecting devices correctly and completing stack configurations so that a stack can be
established
• Ensure that member interfaces of the local Eth-Trunk have sufficient bandwidth to forward
local traffic; otherwise, traffic may be discarded.
Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
interface eth-trunk trunk-id
The view of the Eth-Trunk that needs to be configured to preferentially forward local interface
traffic is displayed.
Step 3 Run:
undo local-preference disable
The Eth-Trunk is configured to preferentially forward local interface traffic.
By default, an inter-device Eth-Trunk forwards traffic preferentially through local member
interfaces.
NOTE
This function is only valid for known unicast packets, and is invalid for unknown unicast packets, broadcast
packets and multicast packets.
Step 4 Run:
commit
The configuration is committed.
----End
1.7 Maintaining Link Aggregation
This section describes how to maintain link aggregation.
1.7.1 Clearing LACP Packet Statistics
Context
CAUTION
The LACP packet statistics cannot be restored after you clear them.
Procedure
• Run the reset lacp statistics eth-trunk [ trunk-id [ interface interface-type
interface-number ] ] command in user view to clear statistics about LACP packets received and sent.
----End
1.7.2 Monitoring the Operating Status of an LAG
Context
During daily maintenance, run the following commands in any view to check the operating status
of LAGs.
Procedure
• Run the display eth-trunk [ trunk-id [ interface interface-type interface-number |
verbose ] ] command to check the Eth-Trunk configuration and status.
• In LACP mode, run the display lacp statistics eth-trunk [ trunk-id [ interface
interface-type interface-number ] ] command to check the statistics about LACP packets sent and
received.
• Run the display interface eth-trunk [ trunk-id ] command to check the status of an
Eth-Trunk interface.
• Run the display trunkmembership eth-trunk trunk-id command to display information
about member interfaces of an Eth-Trunk.
----End
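An added example (not part of the Huawei guide) of checking LACP-mode display eth-trunk output automatically: the Python code below parses the output and reports inconsistencies such as member links that terminate on different partner systems. The sample text is the SwitchA output from the LACP example in section 1.8.2 with wrapped lines joined; the function names and the chosen checks are assumptions of this example.

```python
import re

# SwitchA output from the LACP example in section 1.8.2, wrapped lines joined.
SAMPLE = """\
Eth-Trunk1's state information is:
Local:
LAG ID: 1 WorkingMode: STATIC
Preempt Delay: Disabled Hash arithmetic: profile default
System Priority: 100 System ID: 00e0-fca8-0417
Least Active-linknumber: 1 Max Active-linknumber: 2
Operate status: up Number Of Up Ports In Trunk: 2
--------------------------------------------------------------------------------
ActorPortName Status PortType PortPri PortNo PortKey PortState Weight
10GE1/0/1 Selected 10GE 100 6145 2865 11111100 1
10GE1/0/2 Selected 10GE 100 6146 2865 11111100 1
10GE1/0/3 Unselect 10GE 32768 6147 2865 11100000 1
Partner:
------------------------------------------------------------------------------
ActorPortName SysPri SystemID PortPri PortNo PortKey PortState
10GE1/0/1 32768 00e0-fca6-7f85 32768 6145 2609 11111100
10GE1/0/2 32768 00e0-fca6-7f85 32768 6146 2609 11111100
10GE1/0/3 32768 00e0-fca6-7f85 32768 6147 2609 11110000
"""

PORT_ROW = re.compile(r"^\S*\d+/\d+/\d+\s")   # rows starting with an interface name


def parse_eth_trunk(text):
    """Parse LACP-mode `display eth-trunk` output into a dict."""
    def field(label):
        match = re.search(re.escape(label) + r":\s*(\S+)", text)
        if match is None:
            raise ValueError("field not found (not LACP-mode output?): " + label)
        return match.group(1)

    info = {
        "system_id": field("System ID"),
        "least": int(field("Least Active-linknumber")),
        "max": int(field("Max Active-linknumber")),
        "status": field("Operate status"),
        "up_ports": int(field("Number Of Up Ports In Trunk")),
        "local": [],
        "partner": [],
    }
    section = "local"
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("Partner:"):
            section = "partner"
        elif PORT_ROW.match(line):
            cols = line.split()
            if section == "local":
                info["local"].append({"port": cols[0], "status": cols[1]})
            else:
                info["partner"].append({"port": cols[0], "system_id": cols[2]})
    return info


def audit(text, expected_partner=None):
    """Return a list of findings; an empty list means no inconsistency."""
    info = parse_eth_trunk(text)
    findings = []
    selected = [p["port"] for p in info["local"] if p["status"] == "Selected"]
    if info["status"].lower() != "up":
        findings.append("trunk operate status is " + info["status"])
    if len(selected) != info["up_ports"]:
        findings.append("Selected ports do not match Number Of Up Ports In Trunk")
    if not info["least"] <= len(selected) <= info["max"]:
        findings.append("Selected port count is outside the configured thresholds")
    partner_ids = {p["system_id"] for p in info["partner"]}
    if len(partner_ids) > 1:
        findings.append("member links terminate on different systems: "
                        + ", ".join(sorted(partner_ids)))
    if info["system_id"] in partner_ids:
        findings.append("partner System ID equals local System ID (self-loop)")
    if expected_partner and partner_ids != {expected_partner}:
        findings.append("partner System ID differs from the expected peer")
    return findings


if __name__ == "__main__":
    print(audit(SAMPLE, expected_partner="00e0-fca6-7f85"))
```

The parser handles LACP-mode output only; manual-mode output lacks the System ID and Max Active-linknumber fields and raises ValueError.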
1.8 Configuration Examples
This section provides several configuration examples of link aggregation.
1.8.1 Example for Configuring Link Aggregation in Manual Load
Balancing Mode
Networking Requirements
As shown in Figure 1-5, SwitchA and SwitchB connect to devices in VLAN 10 and VLAN 20
through Ethernet links, and heavy traffic is transmitted between SwitchA and SwitchB.
SwitchA and SwitchB can provide higher link bandwidth to implement inter-VLAN
communication. Reliability of data transmission needs to be ensured.
Figure 1-5 Networking diagram for configuring link aggregation in manual load balancing mode
[Figure: SwitchA and SwitchB are connected through Eth-Trunk 1, whose member interfaces on each switch are 10GE1/0/1, 10GE1/0/2, and 10GE1/0/3. On each switch, 10GE1/0/4 connects to VLAN 10 and 10GE1/0/5 connects to VLAN 20.]
Configuration Roadmap
The configuration roadmap is as follows:
1. Create an Eth-Trunk and add member interfaces to the Eth-Trunk to increase link
bandwidth.
NOTE
An interface is added to VLAN1 by default. To avoid broadcast storms, shut down the interface or
remove the interface from VLAN1 before adding it to an Eth-Trunk interface.
2. Create VLANs and add interfaces to the VLANs.
3. Set the load balancing mode to ensure that traffic is load balanced between member
interfaces of the Eth-Trunk.
Procedure
Step 1 Create an Eth-Trunk on SwitchA and add member interfaces to the Eth-Trunk. The configuration
of SwitchB is similar to the configuration of SwitchA, and the configuration details are not
mentioned here.
<HUAWEI> system-view
[~HUAWEI] sysname SwitchA
[~HUAWEI] commit
[~SwitchA] interface Eth-Trunk1
[~SwitchA-Eth-Trunk1] trunkport 10ge 1/0/1 to 1/0/3
[~SwitchA-Eth-Trunk1] commit
[~SwitchA-Eth-Trunk1] quit
Step 2 Create VLANs and add interfaces to the VLANs. The configuration of SwitchB is similar to the
configuration of SwitchA, and the configuration details are not mentioned here.
# Create VLAN 10 and VLAN 20, and add interfaces to VLAN 10 and VLAN 20.
[~SwitchA] vlan batch 10 20
[~SwitchA] interface 10ge 1/0/4
[~SwitchA-10GE1/0/4] port link-type trunk
[~SwitchA-10GE1/0/4] port trunk allow-pass vlan 10
[~SwitchA-10GE1/0/4] quit
[~SwitchA] interface 10ge 1/0/5
[~SwitchA-10GE1/0/5] port link-type trunk
[~SwitchA-10GE1/0/5] port trunk allow-pass vlan 20
[~SwitchA-10GE1/0/5] quit
[~SwitchA] commit
# Configure Eth-Trunk 1 to allow packets from VLAN 10 and VLAN 20 to pass through.
[~SwitchA] interface Eth-Trunk1
[~SwitchA-Eth-Trunk1] port link-type trunk
[~SwitchA-Eth-Trunk1] port trunk allow-pass vlan 10 20
[~SwitchA-Eth-Trunk1] commit
Step 3 Set the load balancing mode of Eth-Trunk 1. The configuration of SwitchB is similar to the
configuration of SwitchA, and the configuration details are not mentioned here.
[~SwitchA-Eth-Trunk1] load-balance src-dst-mac
[~SwitchA-Eth-Trunk1] commit
[~SwitchA-Eth-Trunk1] quit
Step 4 Verify the configuration.
Run the display eth-trunk 1 command in any view to check whether the Eth-Trunk is created
and whether member interfaces are added.
[~SwitchA] display eth-trunk 1
Eth-Trunk1's state information is:
WorkingMode: NORMAL Hash arithmetic: src-dst-mac
Least Active-linknumber: 1 Max Bandwidth-affected-linknumber: 16
Operate status: up Number Of Up Ports In Trunk: 3
--------------------------------------------------------------------------------
PortName Status Weight
10GE1/0/1 Up 1
10GE1/0/2 Up 1
10GE1/0/3 Up 1
The preceding command output shows that Eth-Trunk 1 has three member interfaces:
10GE1/0/1, 10GE1/0/2, and 10GE1/0/3. All member interfaces are in Up state.
----End
Configuration Files
• Configuration file of SwitchA
#
sysname SwitchA
#
vlan batch 10 20
#
interface Eth-Trunk1
port link-type trunk
port trunk allow-pass vlan 10 20
load-balance src-dst-mac
#
interface 10GE1/0/1
eth-trunk 1
#
interface 10GE1/0/2
eth-trunk 1
#
interface 10GE1/0/3
eth-trunk 1
#
interface 10GE1/0/4
port link-type trunk
port trunk allow-pass vlan 10
#
interface 10GE1/0/5
port link-type trunk
port trunk allow-pass vlan 20
#
return
• Configuration file of SwitchB
#
sysname SwitchB
#
vlan batch 10 20
#
interface Eth-Trunk1
port link-type trunk
port trunk allow-pass vlan 10 20
load-balance src-dst-mac
#
interface 10GE1/0/1
eth-trunk 1
#
interface 10GE1/0/2
eth-trunk 1
#
interface 10GE1/0/3
eth-trunk 1
#
interface 10GE1/0/4
port link-type trunk
port trunk allow-pass vlan 10
#
interface 10GE1/0/5
port link-type trunk
port trunk allow-pass vlan 20
#
return
1.8.2 Example for Configuring Link Aggregation in LACP Mode
Networking Requirements
To improve bandwidth and connection reliability, configure a link aggregation group on two
directly connected Switches, as shown in Figure 1-6. The requirements are as follows:
• Two active links implement load balancing.
• One link functions as the backup link. When a fault occurs on an active link, the backup link
replaces the faulty link to maintain reliable data transmission.
Figure 1-6 Networking diagram for configuring link aggregation in LACP mode
[Figure: SwitchA and SwitchB are connected through Eth-Trunk 1 over member interfaces 10GE1/0/1, 10GE1/0/2, and 10GE1/0/3 on each switch. The legend distinguishes active links from the backup link.]
Configuration Roadmap
The configuration roadmap is as follows:
1. Create an Eth-Trunk and configure the Eth-Trunk to work in LACP mode to implement
link aggregation.
2. Add member interfaces to the Eth-Trunk.
NOTE
An interface is added to VLAN1 by default. To avoid broadcast storms, shut down the interface or
remove the interface from VLAN1 before adding it to an Eth-Trunk interface.
3. Set the system priority and determine the Actor so that the Partner selects active interfaces
based on the Actor interface priority.
4. Set the upper threshold for the number of active interfaces to improve reliability.
5. Set interface priorities and determine active interfaces so that interfaces with higher
priorities are selected as active interfaces.
Procedure
Step 1 Create Eth-Trunk 1 on SwitchA and configure Eth-Trunk 1 to work in LACP mode. The
configuration of SwitchB is similar to the configuration of SwitchA, and the configuration details
are not mentioned here.
<HUAWEI> system-view
[~HUAWEI] sysname SwitchA
[~HUAWEI] commit
[~SwitchA] interface eth-trunk 1
[~SwitchA-Eth-Trunk1] mode lacp-static
[~SwitchA-Eth-Trunk1] commit
[~SwitchA-Eth-Trunk1] quit
Step 2 Add member interfaces to Eth-Trunk 1 on SwitchA. The configuration of SwitchB is similar to
the configuration of SwitchA, and the configuration details are not mentioned here.
[~SwitchA] interface 10ge 1/0/1
[~SwitchA-10GE1/0/1] eth-trunk 1
[~SwitchA-10GE1/0/1] quit
[~SwitchA] interface 10ge 1/0/2
[~SwitchA-10GE1/0/2] eth-trunk 1
[~SwitchA-10GE1/0/2] quit
[~SwitchA] interface 10ge 1/0/3
[~SwitchA-10GE1/0/3] eth-trunk 1
[~SwitchA-10GE1/0/3] quit
[~SwitchA] commit
Step 3 Set the system priority on SwitchA to 100 so that SwitchA becomes the Actor.
[~SwitchA] lacp priority 100
[~SwitchA] commit
Step 4 On SwitchA, set the upper threshold for the number of active interfaces to 2.
[~SwitchA] interface eth-trunk 1
[~SwitchA-Eth-Trunk1] lacp max active-linknumber 2
[~SwitchA-Eth-Trunk1] commit
[~SwitchA-Eth-Trunk1] quit
Step 5 Set the priority of the interface and determine active links on SwitchA.
[~SwitchA] interface 10ge 1/0/1
[~SwitchA-10GE1/0/1] lacp priority 100
[~SwitchA-10GE1/0/1] quit
[~SwitchA] interface 10ge 1/0/2
[~SwitchA-10GE1/0/2] lacp priority 100
[~SwitchA-10GE1/0/2] quit
[~SwitchA] commit
Step 6 Verify the configuration.
# Check information about the Eth-Trunk of the switches and check whether negotiation is
successful on the link.
[~SwitchA] display eth-trunk 1
Eth-Trunk1's state information is:
Local:
LAG ID: 1 WorkingMode: STATIC
Preempt Delay: Disabled Hash arithmetic: profile default
System Priority: 100 System ID: 00e0-fca8-0417
Least Active-linknumber: 1 Max Active-linknumber: 2
Operate status: up Number Of Up Ports In Trunk: 2
--------------------------------------------------------------------------------
ActorPortName Status PortType PortPri PortNo PortKey PortState Weight
10GE1/0/1 Selected 10GE 100 6145 2865 11111100 1
10GE1/0/2 Selected 10GE 100 6146 2865 11111100 1
10GE1/0/3 Unselect 10GE 32768 6147 2865 11100000 1
Partner:
------------------------------------------------------------------------------
ActorPortName SysPri SystemID PortPri PortNo PortKey PortState
10GE1/0/1 32768 00e0-fca6-7f85 32768 6145 2609 11111100
10GE1/0/2 32768 00e0-fca6-7f85 32768 6146 2609 11111100
10GE1/0/3 32768 00e0-fca6-7f85 32768 6147 2609 11110000
[~SwitchB] display eth-trunk 1
Eth-Trunk1's state information is:
Local:
LAG ID: 1 WorkingMode: STATIC
Preempt Delay: Disabled Hash arithmetic: profile default
System Priority: 32768 System ID: 00e0-fca6-7f85
Least Active-linknumber: 1 Max Active-linknumber: 16
Operate status: up Number Of Up Ports In Trunk: 2
------------------------------------------------------------------------------
ActorPortName Status PortType PortPri PortNo PortKey PortState Weight
10GE1/0/1 Selected 10GE 32768 6145 2609 11111100 1
10GE1/0/2 Selected 10GE 32768 6146 2609 11111100 1
10GE1/0/3 Unselect 10GE 32768 6147 2609 11100000 1
Partner:
------------------------------------------------------------------------------
ActorPortName SysPri SystemID PortPri PortNo PortKey PortState
10GE1/0/1 100 00e0-fca8-0417 100 6145 2865 11111100
10GE1/0/2 100 00e0-fca8-0417 100 6146 2865 11111100
10GE1/0/3 100 00e0-fca8-0417 32768 6147 2865 11110000
The preceding information shows that the system priority of SwitchA is 100, which is higher
than the system priority of SwitchB. Member interfaces 10GE1/0/1 and 10GE1/0/2 become the
active interfaces and are in Selected state. Interface 10GE1/0/3 is in Unselect state. Two links
are active and working in load balancing mode, and one link is the backup link.
----End
Configuration Files
• Configuration file of SwitchA
#
sysname SwitchA
#
lacp priority 100
#
interface Eth-Trunk1
mode lacp-static
lacp max active-linknumber 2
#
interface 10GE1/0/1
eth-trunk 1
lacp priority 100
#
interface 10GE1/0/2
eth-trunk 1
lacp priority 100
#
interface 10GE1/0/3
eth-trunk 1
#
return
• Configuration file of SwitchB
#
sysname SwitchB
#
interface Eth-Trunk1
mode lacp-static
#
interface 10GE1/0/1
eth-trunk 1
#
interface 10GE1/0/2
eth-trunk 1
#
interface 10GE1/0/3
eth-trunk 1
#
return
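The Selected and Unselect states in the LACP example above follow from the rules in sections 1.5.4, 1.5.6, and 1.5.7. This Python code is an added example, not Huawei's implementation, and it applies those rules to the values of the example. It assumes that port i on one switch is cabled to port i on the other and that equal interface priorities are ordered by port number, which the guide does not state.

```python
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Port:
    name: str
    number: int             # PortNo column of "display eth-trunk"
    priority: int = 32768   # default LACP interface priority
    up: bool = True


@dataclass(frozen=True)
class Switch:
    name: str
    system_priority: int    # default LACP system priority is 32768
    mac: str                # System ID, e.g. "00e0-fca8-0417"
    least_active: int = 1   # least active-linknumber (default 1)
    max_active: int = 16    # lacp max active-linknumber (default 16)
    ports: tuple = ()


def mac_value(mac):
    """Turn 'xxxx-xxxx-xxxx' into an integer so MACs can be compared."""
    return int(mac.replace("-", ""), 16)


def elect_actor(a, b):
    """Smaller system priority value wins; on a tie, the smaller MAC wins."""
    return min((a, b), key=lambda s: (s.system_priority, mac_value(s.mac)))


def negotiate(a, b):
    """Return the Actor, the thresholds in effect and the Selected ports."""
    actor = elect_actor(a, b)
    partner = b if actor is a else a
    least = max(a.least_active, b.least_active)   # larger lower threshold is used
    most = min(a.max_active, b.max_active)        # smaller upper threshold is used
    # Assumption: port i of one switch is cabled to port i of the other.
    links = [(p, q) for p, q in zip(actor.ports, partner.ports) if p.up and q.up]
    # The Actor's interface priorities decide. Breaking ties on the smaller
    # port number is an assumption; the guide does not state the tie-break.
    links.sort(key=lambda link: (link[0].priority, link[0].number))
    chosen = links[:most]
    trunk_up = len(chosen) >= least               # below the lower threshold: Down
    if not trunk_up:
        chosen = []
    return {
        "actor": actor.name,
        "least": least,
        "max": most,
        "trunk_up": trunk_up,
        "selected": {
            actor.name: [p.name for p, _ in chosen],
            partner.name: [q.name for _, q in chosen],
        },
    }


def with_port_down(switch, port_name):
    """Copy of `switch` with one member interface marked Down."""
    ports = tuple(replace(p, up=False) if p.name == port_name else p
                  for p in switch.ports)
    return replace(switch, ports=ports)


# Values from the LACP example in this section (1.8.2).
SWITCH_A = Switch("SwitchA", 100, "00e0-fca8-0417", max_active=2, ports=(
    Port("10GE1/0/1", 6145, 100),
    Port("10GE1/0/2", 6146, 100),
    Port("10GE1/0/3", 6147),
))
SWITCH_B = Switch("SwitchB", 32768, "00e0-fca6-7f85", ports=(
    Port("10GE1/0/1", 6145),
    Port("10GE1/0/2", 6146),
    Port("10GE1/0/3", 6147),
))

if __name__ == "__main__":
    print(negotiate(SWITCH_A, SWITCH_B))
    print(negotiate(with_port_down(SWITCH_A, "10GE1/0/1"), SWITCH_B))
```

With 10GE1/0/1 marked Down, the model selects 10GE1/0/2 and 10GE1/0/3, which is the backup link taking over as described in the networking requirements.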
1.8.3 Example for Configuring an Inter-Chassis Eth-Trunk Interface
to Forward Traffic Preferentially Through Local Member Interfaces
Networking Requirements
As shown in Figure 1-7, SwitchB and SwitchC are connected through stack cables to increase
the total capacity of devices. The two switches function as a logical switch. SwitchB functions
as the master switch and SwitchC functions as the backup switch.
To implement backup between devices and improve reliability, physical interfaces on the two
switches are added to an Eth-Trunk. When the network runs properly, check member interface
information on SwitchA. Traffic from VLAN 2 is forwarded through 10GE1/0/2 and 10GE1/0/1,
and traffic from VLAN 3 is forwarded through 10GE1/0/2 and 10GE1/0/1. This increases
bandwidth use efficiency between devices and reduces traffic forwarding efficiency.
To ensure that traffic from VLAN 2 is forwarded through 10GE1/0/1 and traffic from VLAN 3
is forwarded through 10GE1/0/2, you can configure the Eth-Trunk to preferentially forward
local interface traffic.
Figure 1-7 Preferentially forwarding local interface traffic
[Figure: SwitchB and SwitchC form a stack (iStack) connected by a stack cable. SwitchA connects the stack to the network through Eth-Trunk 1. SwitchD (VLAN 2) and SwitchE (VLAN 3) connect to the stack. The figure marks the VLAN 2 data flow and the VLAN 3 data flow.]
Configuration Roadmap
The configuration roadmap is as follows:
1. Create an Eth-Trunk to implement link aggregation.
2. Add member interfaces to the Eth-Trunk.
3. Enable the Eth-Trunk to preferentially forward local interface traffic so that traffic is
forwarded by member interfaces on the local device.
4. Configure Layer 2 forwarding to implement Layer 2 connectivity.
Procedure
Step 1 Create an Eth-Trunk interface and specify the allowed VLANs.
# Configure the stack. In this example, SwitchB is the master switch.
<HUAWEI> system-view
[~HUAWEI] sysname SwitchB
[~HUAWEI] commit
[~SwitchB] vlan batch 2 3
[~SwitchB] interface eth-trunk 1
[~SwitchB-Eth-Trunk1] port link-type trunk
[~SwitchB-Eth-Trunk1] port trunk allow-pass vlan 2 3
[~SwitchB-Eth-Trunk1] commit
[~SwitchB-Eth-Trunk1] quit
# Configure SwitchA.
<HUAWEI> system-view
[~HUAWEI] sysname SwitchA
[~HUAWEI] commit
[~SwitchA] vlan batch 2 3
[~SwitchA] interface eth-trunk 1
[~SwitchA-Eth-Trunk1] port link-type trunk
[~SwitchA-Eth-Trunk1] port trunk allow-pass vlan 2 3
[~SwitchA-Eth-Trunk1] commit
[~SwitchA-Eth-Trunk1] quit
Step 2 Add member interfaces to the Eth-Trunk.
# Configure the stack.
[~SwitchB] interface 10GE 1/0/1
[~SwitchB-10GE1/0/1] eth-trunk 1
[~SwitchB-10GE1/0/1] quit
[~SwitchB] interface 10GE 2/0/1
[~SwitchB-10GE2/0/1] eth-trunk 1
[~SwitchB-10GE2/0/1] quit
[~SwitchB] commit
# Configure SwitchA.
[~SwitchA] interface 10GE 1/0/1
[~SwitchA-10GE1/0/1] eth-trunk 1
[~SwitchA-10GE1/0/1] quit
[~SwitchA] interface 10GE 1/0/2
[~SwitchA-10GE1/0/2] eth-trunk 1
[~SwitchA-10GE1/0/2] quit
[~SwitchA] commit
Step 3 In the stack, configure the Eth-Trunk to preferentially forward local interface traffic.
[~SwitchB] interface eth-trunk 1
[~SwitchB-Eth-Trunk1] undo local-preference disable
[~SwitchB-Eth-Trunk1] commit
[~SwitchB-Eth-Trunk1] quit
Step 4 Configure Layer 2 forwarding.
# Configure the stack.
[~SwitchB] interface 10GE 1/0/2
[~SwitchB-10GE1/0/2] port link-type trunk
[~SwitchB-10GE1/0/2] port trunk allow-pass vlan 2
[~SwitchB-10GE1/0/2] quit
[~SwitchB] interface 10GE 2/0/2
[~SwitchB-10GE2/0/2] port link-type trunk
[~SwitchB-10GE2/0/2] port trunk allow-pass vlan 3
[~SwitchB-10GE2/0/2] quit
[~SwitchB] commit
# Configure SwitchD.
<HUAWEI> system-view
[~HUAWEI] sysname SwitchD
[~HUAWEI] commit
[~SwitchD] vlan 2
[~SwitchD-vlan2] quit
[~SwitchD] interface 10GE 1/0/1
[~SwitchD-10GE1/0/1] port link-type trunk
[~SwitchD-10GE1/0/1] port trunk allow-pass vlan 2
[~SwitchD-10GE1/0/1] quit
[~SwitchD] interface 10GE 1/0/2
[~SwitchD-10GE1/0/2] port link-type trunk
[~SwitchD-10GE1/0/2] port trunk allow-pass vlan 2
[~SwitchD-10GE1/0/2] quit
[~SwitchD] commit
# Configure SwitchE.
<HUAWEI> system-view
[~HUAWEI] sysname SwitchE
[~HUAWEI] commit
[~SwitchE] vlan 3
[~SwitchE-vlan3] quit
[~SwitchE] interface 10GE 1/0/1
[~SwitchE-10GE1/0/1] port link-type trunk
[~SwitchE-10GE1/0/1] port trunk allow-pass vlan 3
[~SwitchE-10GE1/0/1] quit
[~SwitchE] interface 10GE 1/0/2
[~SwitchE-10GE1/0/2] port link-type trunk
[~SwitchE-10GE1/0/2] port trunk allow-pass vlan 3
[~SwitchE-10GE1/0/2] quit
[~SwitchE] commit
Step 5 Verify the configuration.
After the configuration is complete, run the display trunkmembership eth-trunk command in
any view to view information about the member interfaces of the Eth-Trunk.
The following output from the stack is an example.
<SwitchB> display trunkmembership eth-trunk 1
Trunk ID: 1
used status: VALID
TYPE: ethernet
Working Mode : Normal
Working State: Normal
Number Of Ports in Trunk = 2
Number Of UP Ports in Trunk = 2
operate status: up
Interface 10GE1/0/1, valid, operate up, weight=1,
Interface 10GE2/0/1, valid, operate up, weight=1,
----End
Configuration Files
- Configuration file of the stack
#
sysname SwitchB
#
vlan batch 2 to 3
#
interface Eth-Trunk1
 port link-type trunk
 port trunk allow-pass vlan 2 to 3
#
interface 10GE1/0/2
 port link-type trunk
 port trunk allow-pass vlan 2
#
interface 10GE2/0/2
 port link-type trunk
 port trunk allow-pass vlan 3
#
interface 10GE1/0/1
 eth-trunk 1
#
interface 10GE2/0/1
 eth-trunk 1
#
return
- Configuration file of SwitchA
#
sysname SwitchA
#
vlan batch 2 to 3
#
interface Eth-Trunk1
 port link-type trunk
 port trunk allow-pass vlan 2 to 3
#
interface 10GE1/0/1
 eth-trunk 1
#
interface 10GE1/0/2
 eth-trunk 1
#
return
- Configuration file of SwitchD
#
sysname SwitchD
#
vlan batch 2
#
interface 10GE1/0/1
 port link-type trunk
 port trunk allow-pass vlan 2
#
interface 10GE1/0/2
 port link-type trunk
 port trunk allow-pass vlan 2
#
return
- Configuration file of SwitchE
#
sysname SwitchE
#
vlan batch 3
#
interface 10GE1/0/1
 port link-type trunk
 port trunk allow-pass vlan 3
#
interface 10GE1/0/2
 port link-type trunk
 port trunk allow-pass vlan 3
#
return
1.9 Common Configuration Errors
This section describes common configuration errors.
1.9.1 Traffic Is Unevenly Load Balanced Between Eth-Trunk Member Interfaces Due to the Incorrect Load Balancing Mode
Fault Description
Traffic is unevenly load balanced between Eth-Trunk member interfaces due to the incorrect
load balancing mode.
Procedure
1. Run the display eth-trunk command to check whether the load balancing mode of the Eth-
Trunk meets networking requirements. For example, source or destination IP address-based
load balancing is not recommended in Layer 2 networking.
2. Run the load-balance command to set the proper load balancing mode.
2 VLAN Configuration
About This Chapter
Virtual Local Area Networks (VLANs) have advantages of broadcast domain isolation, security
hardening, flexible networking, and good extensibility.
2.1 VLAN Overview
The VLAN technology enables a physical LAN to be divided into multiple broadcast domains,
each of which is called a VLAN.
2.2 VLAN Features Supported by the Device
VLAN features supported by the device include VLAN assignment, communication between
VLANs, VLAN aggregation, MUX VLAN, and VLAN management.
2.3 Default Configuration
This section describes the default configuration of VLAN.
2.4 Assigning a LAN to VLANs
VLANs can isolate the hosts that require no communication with each other, which improves
network security, reduces broadcast traffic, and suppresses broadcast storms.
2.5 Configuring VLANIF Interfaces for Inter-VLAN Communication
A VLANIF interface is a Layer 3 logical interface. After VLANIF interfaces are created on the
device, communication between VLANs is allowed.
2.6 Configuring VLAN Aggregation to Save IP Addresses
VLAN aggregation prevents the waste of IP addresses and implements inter-VLAN
communication.
2.7 Configuring a MUX VLAN to Separate Layer 2 Traffic
Configuring a MUX VLAN allows users in different VLANs to communicate with each other,
and separates users in a certain VLAN.
2.8 Configuring an mVLAN to Implement Integrated Management
Management VLAN (mVLAN) configuration allows users to use the VLANIF interface of the
mVLAN to log in to the management switch to manage devices in a centralized manner.
2.9 Configuring an Interface to Discard Incoming Tagged Packets
If a user connects a switch to a user-side interface without permission, the user-side interface
may receive tagged packets. To prevent unauthorized access, you can configure the user-side
interface to discard incoming tagged packets.
2.10 Maintaining VLAN
This section describes how to view and clear VLAN and VLANIF statistics.
2.11 Configuration Examples
This section provides several configuration examples of VLANs including networking
requirements, configuration roadmap, and configuration procedure.
2.12 Common Configuration Errors
This section describes common VLAN configuration errors.
2.1 VLAN Overview
The VLAN technology enables a physical LAN to be divided into multiple broadcast domains,
each of which is called a VLAN.
Ethernet shares the communication medium and data among hosts based on Carrier Sense
Multiple Access/Collision Detection (CSMA/CD). If there are a large number of hosts on
an Ethernet network, collision becomes a serious problem and can lead to broadcast storms.
Switches can be used to connect LANs, which prevents collisions, but they cannot isolate
broadcast packets.
The VLAN technology divides a physical LAN into multiple broadcast domains, each of which
is called a VLAN. Hosts within a VLAN can communicate with each other, while hosts in
different VLANs cannot communicate with each other directly. Broadcast packets are
therefore confined to each VLAN.
Figure 2-1 Networking diagram for a typical VLAN application
[Diagram labels: Router, SwitchA, SwitchB, VLAN2, VLAN3]
Figure 2-1 shows the networking diagram for a typical VLAN application. Two switches are
placed in different locations. Each switch is connected to two servers that respectively belong
to different VLANs. In the diagram, each dotted box indicates a VLAN.
2.2 VLAN Features Supported by the Device
VLAN features supported by the device include VLAN assignment, communication between
VLANs, VLAN aggregation, MUX VLAN, and VLAN management.
Logical Relationships Among VLAN Features
The VLAN technology helps isolate broadcast domains and implement both intra-VLAN and
inter-VLAN communication.
1. VLAN assignment: Users in a VLAN can communicate with each other.
2. Inter-VLAN communication: To implement communication between users in different
VLANs, configure VLANIF interfaces.
3. Extended VLAN functions are as follows:
- VLAN aggregation: prevents the waste of IP addresses and implements inter-VLAN
  communication.
- MUX VLAN: provides a mechanism to isolate Layer 2 traffic between interfaces in a
  VLAN.
- VLAN management: helps implement integrated management using a remote device.
  A user can log in to a switch by accessing the IP address of the VLANIF interface
  corresponding to the mVLAN.
VLAN Assignment
The device supports port-based VLAN assignment. A VLAN mapping table recording the
mapping between ports and VLANs is maintained on the switch.
Port-based VLAN assignment supports different types of ports, as described in Table 2-1.
Table 2-1 Port Types

Port type: Access
  Untagged frame processing: Accepts an untagged frame and adds a tag with the default VLAN ID to the frame.
  Tagged frame processing:
  - Accepts the tagged frame if the frame's VLAN ID matches the default VLAN ID.
  - Discards the tagged frame if the frame's VLAN ID differs from the default VLAN ID.
  Frame transmission: After the PVID tag is stripped, the frame is transmitted.
  Usage: An access port can belong to only one VLAN. The access interface is directly connected to a computer.

Port type: Trunk
  Untagged frame processing:
  - Adds a tag with the default VLAN ID to the untagged frame and then transmits it if the default VLAN ID is permitted by the port.
  - Adds a tag with the default VLAN ID to the untagged frame and then discards it if the default VLAN ID is denied by the port.
  Tagged frame processing:
  - Accepts the tagged frame if the frame's VLAN ID is permitted by the port.
  - Discards the tagged frame if the frame's VLAN ID is denied by the port.
  Frame transmission:
  - If the frame's VLAN ID matches the default VLAN ID and the VLAN ID is permitted by the port, the device removes the tag and transmits the frame.
  - If the frame's VLAN ID differs from the default VLAN ID, but the VLAN ID is still permitted by the port, the switch will directly transmit the frame.
  Usage: A trunk port allows packets of multiple VLANs to pass through. It usually connects network devices.

Port type: Hybrid
  Frame transmission: If the frame's VLAN ID is permitted by the port, the frame is transmitted. The port can be configured whether to transmit frames with tags.
  Usage: A hybrid port allows packets of multiple VLANs to pass through. It can be used to connect network devices or network devices and user devices.

Port type: QinQ
  QinQ ports are enabled with the IEEE 802.1QinQ protocol. A QinQ port can add double VLAN tags to a data frame, that is, a QinQ port can add a tag to a single-tagged frame. Therefore, a QinQ port supports a maximum of 4063 x 4063 VLAN tags, which meets the requirement on the number of VLANs. For details, see QinQ Overview.

Each access, trunk, hybrid, or QinQ port can be configured with a default VLAN, namely, the
port default VLAN ID (PVID) to specify the VLAN to which the port belongs.
- The PVID of an access port indicates the VLAN to which the port belongs.
- As a trunk or hybrid port can be added to multiple VLANs, the port must be configured
  with PVIDs.
NOTE
Because all interfaces join VLAN 1 by default, broadcast storms may occur if unknown unicast, multicast,
or broadcast packets exist in VLAN 1. To prevent loops, remove from VLAN 1 any interface that does not
need to belong to it.
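The receive and transmit rules that Table 2-1 gives for access and trunk ports, modelled as an added Python example (not Huawei code). The Port class, the function names and the three sample ports are assumptions made for illustration; hybrid and QinQ ports are left out.

```python
from dataclasses import dataclass, field
from typing import Optional, Set, Tuple


@dataclass
class Port:
    name: str
    link_type: str                      # "access" or "trunk"
    pvid: int = 1                       # default VLAN ID is 1 unless configured
    allowed: Set[int] = field(default_factory=set)   # trunk: VLANs permitted by the port

    def permits(self, vid: int) -> bool:
        # An access port belongs to exactly one VLAN, its PVID.
        if self.link_type == "access":
            return vid == self.pvid
        return vid in self.allowed


def ingress(port: Port, tag: Optional[int]) -> Optional[int]:
    """VLAN the received frame is classified into, or None if it is discarded."""
    vid = port.pvid if tag is None else tag     # untagged frames get the PVID tag
    return vid if port.permits(vid) else None


def egress(port: Port, vid: int) -> Optional[Tuple[str, Optional[int]]]:
    """How a frame of VLAN `vid` leaves the port, or None if the port does not send it."""
    if not port.permits(vid):
        return None
    if vid == port.pvid:
        return ("untagged", None)               # the PVID tag is stripped
    return ("tagged", vid)                      # trunk: sent with its tag intact


def forward(rx: Port, tag: Optional[int], tx: Port):
    """Carry one frame from rx to tx; None means it was dropped on the way."""
    vid = ingress(rx, tag)
    return None if vid is None else egress(tx, vid)


# Constructed ports, not taken from the guide's examples.
HOST2 = Port("10GE1/0/2", "access", pvid=2)
UPLINK = Port("Eth-Trunk1", "trunk", pvid=1, allowed={2, 3})      # VLAN 1 removed
LEGACY = Port("Eth-Trunk2", "trunk", pvid=1, allowed={1, 2, 3})   # VLAN 1 still permitted

if __name__ == "__main__":
    print("host -> uplink:", forward(HOST2, None, UPLINK))
    print("tag 3 into access port (PVID 2):", ingress(HOST2, 3))
    print("untagged into uplink:", ingress(UPLINK, None))
    print("untagged into legacy trunk:", ingress(LEGACY, None))
```

The last two cases show the effect of the NOTE above: a trunk that no longer permits VLAN 1 discards untagged frames, while one that still permits it places them in VLAN 1.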
Inter-VLAN Communication
After VLANs are configured, users in the same VLAN can communicate with each other while
users in different VLANs cannot. To implement inter-VLAN communication, configure
VLANIF interfaces, which are Layer 3 logical interfaces, as shown in Figure 2-2.
Layer 3 switching combines routing and switching techniques to implement routing on a switch,
improving the overall performance of the network. After sending the first data flow, a Layer 3
switch generates a mapping table on which it records the mapping between the MAC address
and the IP address for the data flow. If the switch needs to send the same data flow again, it
directly sends the data flow at Layer 2 (not Layer 3) based on the mapping table.
In order to ensure that new data flows can be correctly forwarded, the routing table must have
the correct routing entries. Therefore, VLANIF interfaces are used to configure routing protocols
on the switch in order to implement IP route reachability.
Figure 2-2 Inter-VLAN communication using VLANIF interfaces
[Diagram labels: Switch, VLAN2, VLAN3, VLANIF2, VLANIF3]
As shown in Figure 2-2, VLANIF interfaces are configured on the switch. IP addresses of the
VLANIF interfaces are the addresses of default gateways for hosts in VLANs. Packets sent from
hosts in VLAN 2 are all sent to the gateway first to implement Layer 3 forwarding.
VLAN Aggregation
As networks expand, address resources become insufficient. VLAN aggregation is developed
to save IP addresses.
In VLAN aggregation, one super-VLAN is associated with multiple sub-VLANs. Physical ports
cannot join a super-VLAN but a VLANIF interface can be created for the super-VLAN and an
IP address can be assigned to the VLANIF interface. Physical ports can join a sub-VLAN but
no VLANIF interface can be created for the sub-VLAN. All the ports in the sub-VLAN use the
same IP address as the VLANIF interface of the super-VLAN. This saves subnet IDs, default
gateway addresses of the subnets, and directed broadcast addresses of the subnets. In addition,
different broadcast domains can use the addresses in the same subnet segment. As a result, subnet
differences are eliminated, addressing becomes flexible, and the number of idle addresses is
reduced. VLAN aggregation allows each sub-VLAN to function as a broadcast domain and
reduces the waste of IP addresses to be assigned to ordinary VLANs.
Figure 2-3 Networking diagram of typical VLAN aggregation
[Diagram labels: Switch, Super VLAN4, Switch1, Sub-VLAN 2, Switch2, Sub-VLAN 3]
Figure 2-3 shows a typical networking diagram of VLAN aggregation. Sub-VLANs are
associated with the super-VLAN on the switch so that VLAN 2 and VLAN 3 use the same subnet
segment, which saves IP addresses.
MUX VLAN
The MUX VLAN function isolates Layer 2 traffic and implements interworking between
interfaces in a VLAN. This function involves a MUX VLAN and several subordinate VLANs.
Subordinate VLANs are classified into subordinate group VLANs and subordinate separate
VLANs. Subordinate VLANs can communicate with the principal VLAN but cannot
communicate with each other. Interfaces in a subordinate group VLAN can communicate with
each other, and interfaces in a subordinate separate VLAN are isolated from each other.
On an enterprise network, all users can access the enterprise's server, but some users need
to communicate with each other while others must not. MUX VLAN meets this requirement.
As shown in Figure 2-4, the principal port connects the switch to the enterprise's server;
separate ports connect the switch to users that do not communicate with each other; group
ports connect the switch to users that need to communicate with each other. This saves
VLAN IDs on the network and facilitates network management.
Figure 2-4 Networking of the MUX VLAN application
[Diagram labels: Network, Switch, Principal Port, Group Port, Separate Port, Group VLAN, Separate VLAN]
Table 2-2 describes the MUX VLAN assignment based on the port type.
Table 2-2 MUX VLAN assignment

| MUX VLAN | VLAN Type | Port Type | Communication Rights |
|---|---|---|---|
| Principal VLAN | - | Principal port | A principal port can communicate with every port in the MUX VLAN. |
| Subordinate VLAN | Separate VLAN | Separate port | A separate port can only communicate with principal ports. Each separate VLAN must be associated with a principal VLAN. |
| Subordinate VLAN | Group VLAN | Group port | A group port can communicate with both principal ports and other group ports in the same group VLAN but cannot communicate with group ports in other group VLANs or separate ports. Each group VLAN must be associated with a principal VLAN. |
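The communication rights in Table 2-2 can be checked against an intended isolation policy before ports are assigned. The following is an added Python example, not Huawei code; the port names, VLAN IDs and the policy lists are constructed for illustration.

```python
from itertools import combinations

ROLES = ("principal", "separate", "group")


def can_communicate(a, b):
    """a and b are (role, vlan_id) pairs describing two ports in one MUX VLAN."""
    (role_a, vlan_a), (role_b, vlan_b) = a, b
    if role_a not in ROLES or role_b not in ROLES:
        raise ValueError("unknown port role")
    if "principal" in (role_a, role_b):
        return True                      # a principal port reaches every port
    if role_a == role_b == "group":
        return vlan_a == vlan_b          # group ports: same group VLAN only
    return False                         # separate ports reach principal ports only


def reachable_pairs(ports):
    """All unordered port pairs that Table 2-2 allows to communicate."""
    return {frozenset((x, y)) for x, y in combinations(ports, 2)
            if can_communicate(ports[x], ports[y])}


def check_policy(ports, must_talk, must_not_talk):
    """Return violations as (kind, port_a, port_b); an empty list means the plan fits."""
    ok = reachable_pairs(ports)
    bad = [("blocked", a, b) for a, b in must_talk if frozenset((a, b)) not in ok]
    bad += [("exposed", a, b) for a, b in must_not_talk if frozenset((a, b)) in ok]
    return bad


# Constructed plan: principal VLAN 2, group VLANs 3 and 5, separate VLAN 4.
PORTS = {
    "server": ("principal", 2),
    "hr1": ("group", 3), "hr2": ("group", 3),
    "lab1": ("group", 5),
    "guest1": ("separate", 4), "guest2": ("separate", 4),
}
MUST_TALK = [("hr1", "hr2"), ("guest1", "server"), ("lab1", "server")]
MUST_NOT_TALK = [("guest1", "guest2"), ("hr1", "lab1"), ("hr1", "guest1")]

if __name__ == "__main__":
    print(check_policy(PORTS, MUST_TALK, MUST_NOT_TALK))          # plan as designed
    misassigned = dict(PORTS, guest2=("group", 3))                # guest port put in VLAN 3
    print(check_policy(misassigned, MUST_TALK, [("hr1", "guest2")]))
```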

VLAN Management
To use a network management system to manage multiple devices, create a VLANIF interface
on each device and configure a management IP address for the VLANIF interface. You can then
log in to a device and manage it using its management IP address. If a user-side interface is
added to the VLAN, users connected to the interface can also log in to the device. This brings
security risks to the device.
After a VLAN is configured as a management VLAN, no access interface or dot1q-tunnel
interface can be added to the VLAN. Access and dot1q-tunnel interfaces are connected to
users, so the management VLAN prevents users connected to these interfaces from logging
in to the device, improving device performance.
2.3 Default Configuration
This section describes the default configuration of VLAN.
Table 2-3 Default configuration of VLAN

| Parameter | Default Setting |
|---|---|
| Port connection mode | Access |
| Default VLAN ID | 1 |
| Damping time | 0s |
| Traffic statistics function of VLAN | Disabled |
| Traffic statistics function of the VLANIF interface | Disabled |

2.4 Assigning a LAN to VLANs
VLANs can isolate the hosts that require no communication with each other, which improves
network security, reduces broadcast traffic, and suppresses broadcast storms.
Context
Ports on a Layer 2 switching device can be bound to a specific VLAN. After a port is added to
a VLAN, packets of the user that is connected to the port can only be forwarded within the
VLAN, but not forwarded to another VLAN. This implementation ensures that broadcast packets
are forwarded only within a single VLAN.
You must create VLANs, configure the port type, and associate ports with VLANs.
Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
vlan vlan-id
A VLAN is created, and the VLAN view is displayed. If the specified VLAN has been created,
the VLAN view is directly displayed.
The VLAN ID ranges from 1 to 4094. VLANs 4064 to 4094 are reserved by default; you can
run the vlan reserved command to configure the reserved VLAN range. To create VLANs in
batches, run the vlan batch { vlan-id1 [ to vlan-id2 ] } &<1-10> command, and then run
the vlan vlan-id command to enter the view of a specified VLAN.
TIP
If a device is configured with multiple VLANs, configuring names for these VLANs is recommended:
Run the name vlan-name command in the VLAN view. After a VLAN name is configured, you can run
the vlan vlan-name vlan-name command in the system view to enter the corresponding VLAN view.
Step 3 Run:
quit
The system view is displayed.
Step 4 Configure the port type and features.
1. Run the interface interface-type interface-number command to enter the view of an
   Ethernet port to be added to the VLAN.
2. Run the port link-type { access | hybrid | trunk } command to configure the port type.
   By default, the port type is Access.
   - If an Ethernet port is directly connected to a terminal, set the port type to access or
     hybrid.
   - If an Ethernet port is connected to another switch, set the port type to trunk or hybrid.
3. (Optional) Run the port priority priority-value command to configure the port priority.
   By default, the port priority value is 0. The value ranges from 0 to 7. A larger value indicates
   a higher priority.
Step 5 Add ports to the VLAN.
Run one of the following commands as needed:
- For access or QinQ ports:
  Run the port default vlan vlan-id command to add a port to a specified VLAN.
  To add ports to a VLAN in batches, run the port interface-type { interface-number1 [ to
  interface-number2 ] } &<1-10> command in the VLAN view.
- For trunk ports:
  Run the port trunk allow-pass vlan { { vlan-id1 [ to vlan-id2 ] } &<1-10> | all }
  command to add the port to specified VLANs.
  (Optional) Run the port trunk pvid vlan vlan-id command to specify the default VLAN
  for a trunk interface.
- For hybrid ports:
  Run either of the following commands to add a port to VLANs in untagged or tagged
  mode:
  - Run the port hybrid untagged vlan { { vlan-id1 [ to vlan-id2 ] } &<1-10> | all }
    command to add a port to VLANs in untagged mode.
    In untagged mode, a port removes tags from frames and then forwards the frames.
    This is applicable to scenarios in which Ethernet ports are connected to terminals.
  - Run the port hybrid tagged vlan { { vlan-id1 [ to vlan-id2 ] } &<1-10> | all }
    command to add a port to VLANs in tagged mode.
    In tagged mode, a port forwards frames without removing their tags. This is applicable
    to scenarios in which Ethernet ports are connected to switches.
  (Optional) Run the port hybrid pvid vlan vlan-id command to specify the default VLAN
  of a hybrid interface.
By default, all ports are added to VLAN 1.
Step 6 Run:
commit
The configuration is committed.
----End
Checking the Configuration
- Run the display vlan [ vlan-id [ verbose ] ] command to view information about all VLANs
  or a specified VLAN.
- Run the display vlan reserved command to view information about reserved VLANs.
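A saved configuration file can also be reviewed offline against the points made in this procedure: VLANs must be created before ports use them, a trunk can permit specific VLANs or all, and every port stays in VLAN 1 unless it is removed. The following is an added Python example, not a Huawei tool; the sample configuration and the finding codes are constructed, hybrid ports are not evaluated, and it assumes a trunk port keeps VLAN 1 until an undo port trunk allow-pass vlan 1 line appears.

```python
SAMPLE = """\
#
sysname SwitchX
#
vlan batch 2 to 3
#
interface Eth-Trunk1
 port link-type trunk
 port trunk allow-pass vlan 2 to 4
#
interface 10GE1/0/1
 eth-trunk 1
#
interface 10GE1/0/2
 port link-type trunk
 undo port trunk allow-pass vlan 1
 port trunk allow-pass vlan 2
#
interface 10GE1/0/3
 port default vlan 3
#
interface 10GE1/0/4
#
interface 10GE1/0/5
 port link-type trunk
 port trunk allow-pass vlan all
#
return
"""  # constructed sample in the layout of the guide's configuration files


def expand_vlans(tokens):
    """Expand '{ vlan-id1 [ to vlan-id2 ] } &<1-10>' tokens, e.g. 2 to 3 10 -> {2, 3, 10}."""
    vlans, i = set(), 0
    while i < len(tokens):
        start = end = int(tokens[i])
        if i + 2 < len(tokens) and tokens[i + 1] == "to":
            end = int(tokens[i + 2])
            i += 2
        i += 1
        if not 1 <= start <= end <= 4094:
            raise ValueError(f"bad VLAN range {start} to {end}")
        vlans.update(range(start, end + 1))
    return vlans


def parse_config(text):
    """Return (created VLAN IDs, {interface name: settings})."""
    created, ports, cur = {1}, {}, None          # VLAN 1 exists by default
    for raw in text.splitlines():
        words = raw.split()
        if not words or words[0] in ("#", "return"):
            cur = None
        elif words[:2] == ["vlan", "batch"]:
            created |= expand_vlans(words[2:])
        elif words[0] == "interface":
            cur = ports.setdefault(words[1], {"type": "access", "pvid": 1,
                                              "allowed": {1}, "all": False, "member": False})
        elif cur is None:
            continue
        elif words[:2] == ["port", "link-type"]:
            cur["type"] = words[2]
        elif words[:3] == ["port", "default", "vlan"]:
            cur["pvid"] = int(words[3])
        elif words[:4] == ["port", "trunk", "allow-pass", "vlan"]:
            if words[4:] == ["all"]:
                cur["all"] = True
            else:
                cur["allowed"] |= expand_vlans(words[4:])
        elif words[:5] == ["undo", "port", "trunk", "allow-pass", "vlan"]:
            cur["allowed"] -= expand_vlans(words[5:])
        elif words[0] == "eth-trunk":
            cur["member"] = True                 # settings come from the Eth-Trunk
    return created, ports


def audit(text):
    """Return findings as (interface, code, detail) in configuration order."""
    created, ports = parse_config(text)
    findings = []
    for name, p in ports.items():
        if p["member"] or name.lower().startswith("vlanif"):
            continue
        if p["type"] == "trunk":
            if p["all"]:
                findings.append((name, "permit-all", None))
            missing = sorted(p["allowed"] - created)
            if missing:
                findings.append((name, "uncreated-vlans", missing))
            in_vlan1 = p["all"] or 1 in p["allowed"]
        elif p["type"] == "access":
            in_vlan1 = p["pvid"] == 1
        else:
            continue                             # hybrid ports are not evaluated
        if in_vlan1:
            findings.append((name, "vlan1-member", None))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```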
2.5 Configuring VLANIF Interfaces for Inter-VLAN Communication
A VLANIF interface is a Layer 3 logical interface. After VLANIF interfaces are created on the
device, communication between VLANs is allowed.
Context
After VLANs are configured, users in the same VLAN can communicate with each other while
users in different VLANs cannot. To implement inter-VLAN communication, configure
VLANIF interfaces, which are Layer 3 logical interfaces.
If a VLAN goes Down because all ports in the VLAN go Down, the system immediately reports
the VLAN Down event to the corresponding VLANIF interface, instructing the VLANIF
interface to go Down. To prevent network flapping caused by changes of VLANIF interface
status, enable VLAN damping on the VLANIF interface. After the last Up port in a VLAN goes
Down, the system starts a delay timer and informs the corresponding VLANIF interface of the
VLAN Down event after the timer expires. If a port in the VLAN goes Up during the delay
period, the VLANIF interface remains Up.
MTU is short for maximum transmission unit. An MTU value determines the maximum number
of bytes that a sender can send at a time. If the size of packets exceeds the MTU supported by a
transit node or a receiver, the transit node or receiver fragments the packets or even discards
them, aggravating the network transmission load. To avoid this problem, set the MTU value of
the VLANIF interface.
After configuring bandwidth for VLANIF interfaces, you can use the NMS to query the
bandwidth. This facilitates traffic monitoring.
NOTE
To implement communication between VLANs, hosts in each VLAN must use the IP address of the
corresponding VLANIF interface as the gateway address.
Pre-configuration Tasks
Before creating a VLANIF interface, complete the following tasks:
- Create a VLAN.
- Associate the VLAN with the physical interface.
Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
interface vlanif vlan-id
A VLANIF interface is created and the VLANIF interface view is displayed.
The VLAN ID specified in this command must be the ID of an existing VLAN.
A VLANIF interface is Up only when at least one physical port added to the corresponding
VLAN is Up.
Step 3 Run:
ip address ip-address { mask | mask-length } [ sub ]
An IP address is assigned to the VLANIF interface for communication at the network layer.
If IP addresses assigned to VLANIF interfaces belong to different network segments, a routing
protocol must be configured on the switch to provide reachable routes. Otherwise, VLANIF
interfaces cannot communicate with each other at the network layer.
Step 4 (Optional) Run:
damping time delay-time
The delay period of VLAN damping is configured.
The delay-time value ranges from 0 to 20, in seconds. By default, the delay is 0 seconds, indicating
that VLAN damping is disabled.
Step 5 (Optional) Run:
mtu mtu
The MTU value of the VLANIF interface is configured.
The mtu value ranges from 128 to 9216. By default, the value is 1500.
NOTE
- After changing the maximum transmission unit (MTU) using the mtu command on a VLANIF
  interface, you need to restart the VLANIF interface to make the new MTU take effect. To
  restart the VLANIF interface, run the shutdown command and then the undo shutdown
  command, or run the restart command in the VLANIF interface view.
- The mtu value plus the Layer 2 frame header of a VLANIF interface must be smaller than the
  jumboframe value of the peer interface; otherwise, some packets may be discarded.
Step 6 (Optional) Run:
bandwidth bandwidth
The bandwidth of the VLANIF interface is configured.
Step 7 Run:
commit
The configuration is committed.
----End
Checking the Configuration
Run the display interface vlanif [ vlan-id ] command to verify that the VLANIF interface and
protocol are enabled and view the interface description and IP address.
2.6 Configuring VLAN Aggregation to Save IP Addresses
VLAN aggregation prevents the waste of IP addresses and implements inter-VLAN
communication.
2.6.1 Creating a Sub-VLAN
Context
In VLAN aggregation, physical interfaces can be added to a sub-VLAN but no VLANIF interface
can be created for the sub-VLAN. All the interfaces in the sub-VLAN use the same IP address
as the VLANIF interface of the super-VLAN. Some subnet IDs, default gateway addresses
of the subnets, and directed broadcast addresses of the subnets are saved and different broadcast
domains can use the addresses in the same subnet segment. As a result, subnet differences are
eliminated, addressing becomes flexible and idle addresses are reduced. VLAN aggregation
allows each sub-VLAN to function as a broadcast domain to implement broadcast isolation and
saves IP address resources.
Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
interface interface-type interface-number
The interface view is displayed.
Step 3 Run:
port link-type access
The link type of the interface is set to access.
Step 4 Run:
quit
Return to the system view.
Step 5 Run:
vlan vlan-id
A sub-VLAN is created and the sub-VLAN view is displayed.
TIP
If a device is configured with multiple VLANs, configuring names for these VLANs is recommended:
Run the name vlan-name command in the VLAN view. After a VLAN name is configured, you can run
the vlan vlan-name vlan-name command in the system view to enter the corresponding VLAN view.
Step 6 Run:
port interface-type { interface-number1 [ to interface-number2 ] } &<1-10>
A port is added to the sub-VLAN.
Step 7 Run:
commit
The configuration is committed.
----End
2.6.2 Creating a Super-VLAN
Context
A super-VLAN consists of several sub-VLANs. No physical port can be added to a super-VLAN,
but a VLANIF interface can be configured for the super-VLAN and an IP address can be assigned
to the VLANIF interface.
NOTE
Before configuring a super-VLAN, ensure that sub-VLANs have been configured.
Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
vlan vlan-id
A VLAN is created, and the VLAN view is displayed.
The VLAN ID of a super-VLAN must be different from every sub-VLAN ID.
Step 3 Run:
aggregate-vlan
A super-VLAN is created.
A super-VLAN cannot contain any physical interfaces.
VLAN 1 cannot be configured as a super-VLAN.
Step 4 Run:
access-vlan { vlan-id1 [ to vlan-id2 ] } &<1-10>
A sub-VLAN is added to a super-VLAN.
Before adding sub-VLANs to a super-VLAN in batches, ensure that these sub-VLANs are not
configured with VLANIF interfaces.
The device supports 32 sub-VLANs in a super-VLAN.
Step 5 Run:
commit
The configuration is committed.
----End
2.6.3 Assigning an IP Address to the VLANIF Interface of a Super-VLAN
Context
The IP address of the VLANIF interface of a super-VLAN must contain the subnet segments
where users in sub-VLANs reside. All the sub-VLANs use the IP address of the VLANIF
interface of the super-VLAN, saving IP addresses.
Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
interface vlanif vlan-id
A VLANIF interface is created for a super-VLAN, and the view of the VLANIF interface is
displayed.
Step 3 Run:
ip address ip-address { mask | mask-length } [ sub ]
An IP address is assigned to the VLANIF interface.
Step 4 Run:
commit
The configuration is committed.
----End
2.6.4 (Optional) Enabling Proxy ARP on the VLANIF Interface of a Super-VLAN
Context
VLAN aggregation allows sub-VLANs to use the same subnet address, but prevents PCs in
different sub-VLANs from communicating with each other at the network layer.
PCs in ordinary VLANs can communicate with each other at the network layer by using different
gateway addresses. In VLAN aggregation, PCs in a super-VLAN use the same subnet address
and gateway address. As PCs in different sub-VLANs belong to one subnet, they communicate
with each other only at Layer 2, not Layer 3. These PCs are isolated from each other at Layer
2. Consequently, PCs in different sub-VLANs cannot communicate with each other.
Proxy ARP is required to enable PCs in a sub-VLAN to communicate with PCs in another sub-
VLAN or PCs on other networks. After a super-VLAN and its VLANIF interface are created,
proxy ARP must be enabled to allow the super-VLAN to forward or process ARP request and
reply packets. Proxy ARP helps PCs in sub-VLANs communicate with each other at the network
layer.
NOTE
An IP address must have been assigned to the VLANIF interface corresponding to the super-VLAN.
Otherwise, proxy ARP cannot take effect.
VLAN aggregation simplifies configurations for the network where many VLANs are
configured and PCs in different VLANs need to communicate with each other.
Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
interface vlanif vlan-id
The view of the VLANIF interface of the super-VLAN is displayed.
Step 3 Run:
arp proxy inter-vlan enable
Inter-sub-VLAN proxy ARP is enabled.
Step 4 Run:
commit
The configuration is committed.
----End
2.6.5 (Optional) Configuring an IP Address Pool for a Sub-VLAN
Specifying an IP address range for users in a sub-VLAN filters out unauthorized users whose
IP addresses are outside the range.
Context
Specifying an IP address range for users in a sub-VLAN filters out unauthorized users whose
IP addresses are outside the range.
After configuring an IP address pool for a sub-VLAN, note the following points:
l The sub-VLAN processes only packets carrying IP addresses in this address pool, such as
ARP Request, ARP Reply, Proxy ARP, and ARP Miss packets.
l If proxy ARP is enabled on the super-VLAN, the device directly sends an ARP Request
packet from a user in the sub-VLAN to the sub-VLAN based on the IP address carried in
the packet. This reduces broadcast traffic.
l When sending an ARP Miss packet carrying an IP address in the address pool, the device
directly broadcasts the packet in the sub-VLAN to ensure that traffic is properly forwarded.
Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
vlan vlan-id
The view of a created sub-VLAN is displayed.
Step 3 Run:
ip pool start-address [ to end-address ]
An IP address pool is configured for the sub-VLAN.
Step 4 Run:
commit
The configuration is committed.
----End
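A planning check to run before committing ip pool commands, added here as an example and not taken from the guide. It parses the ip pool start-address [ to end-address ] syntax and reports hosts that the pool would filter out, pools that fall outside the VLANIF subnet, and pools that overlap. The function names, the pool ranges, and the host list are constructed; the VLANIF address 100.1.1.12/24 is the one used in the VLAN aggregation example of this guide. Whether the switch itself rejects overlapping pools is not stated in the guide.

```python
import ipaddress


def parse_ip_pool(command):
    """Parse 'ip pool start-address [ to end-address ]' into (start, end)."""
    tokens = command.split()
    if tokens[:2] != ["ip", "pool"] or len(tokens) not in (3, 5):
        raise ValueError(f"not an ip pool command: {command!r}")
    start = end = ipaddress.IPv4Address(tokens[2])
    if len(tokens) == 5:
        if tokens[3] != "to":
            raise ValueError(f"expected 'to' in: {command!r}")
        end = ipaddress.IPv4Address(tokens[4])
    if end < start:
        raise ValueError("end-address is lower than start-address")
    return start, end


def check_plan(vlanif_address, pools, hosts):
    """Return findings for a super-VLAN.

    vlanif_address: 'ip/mask-length' of the super-VLAN VLANIF interface
    pools:          {sub_vlan_id: 'ip pool ...' command}
    hosts:          [(sub_vlan_id, host_ip), ...] known legitimate hosts
    """
    subnet = ipaddress.ip_interface(vlanif_address).network
    ranges = {vid: parse_ip_pool(cmd) for vid, cmd in pools.items()}
    findings = []
    # A pool outside the shared subnet can never match a sub-VLAN user.
    for vid, (start, end) in sorted(ranges.items()):
        if start not in subnet or end not in subnet:
            findings.append(("pool-outside-subnet", vid, f"{start}-{end}"))
    # Overlapping pools make IP-based selection of a sub-VLAN ambiguous.
    vids = sorted(ranges)
    for i, a in enumerate(vids):
        for b in vids[i + 1:]:
            if ranges[a][0] <= ranges[b][1] and ranges[b][0] <= ranges[a][1]:
                findings.append(("pool-overlap", a, f"overlaps sub-VLAN {b}"))
    # Hosts outside their sub-VLAN's pool would be filtered after commit.
    for vid, ip in hosts:
        addr = ipaddress.IPv4Address(ip)
        if vid in ranges and not ranges[vid][0] <= addr <= ranges[vid][1]:
            findings.append(("host-outside-pool", vid, ip))
    return findings


# Constructed sample plan for super-VLAN 4 with sub-VLANs 2 and 3.
SAMPLE_POOLS = {
    2: "ip pool 100.1.1.20 to 100.1.1.100",
    3: "ip pool 100.1.1.101 to 100.1.1.200",
}
SAMPLE_HOSTS = [(2, "100.1.1.25"), (2, "100.1.1.150"), (3, "100.1.1.130")]

if __name__ == "__main__":
    for finding in check_plan("100.1.1.12/24", SAMPLE_POOLS, SAMPLE_HOSTS):
        print(finding)
```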
2.6.6 Checking the Configuration
Procedure
l Run the display vlan [ vlan-id [ verbose ] ] command to check VLAN information.
l Run the display interface vlanif [ vlan-id ] command to check information about a specific
VLANIF interface.
----End
2.7 Configuring a MUX VLAN to Separate Layer 2 Traffic
Configuring a MUX VLAN allows users in different VLANs to communicate with each other,
and separates users in a certain VLAN.
Pre-configuration Tasks
Before configuring a MUX VLAN, complete the following task:
l Creating VLANs
2.7.1 Configuring a Principal VLAN for a MUX VLAN
Context
Ports added to a principal VLAN can communicate with every port in the MUX VLAN.
Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
vlan vlan-id
A VLAN is created, and the VLAN view is displayed. If the specified VLAN has been created,
the VLAN view is directly displayed.
The VLAN ID ranges from 1 to 4094 (VLANs 4064 to 4094 are reserved VLANs by default. You
can run the vlan reserved command to configure the reserved VLAN range). If VLANs need
to be created in batches, run the vlan batch { vlan-id1 [ to vlan-id2 ] } &<1-10> command to
create VLANs in batches, and then run the vlan vlan-id command to enter the view of a specified
VLAN.
TIP
If a device is configured with multiple VLANs, configuring names for these VLANs is recommended:
Run the name vlan-name command in the VLAN view. After a VLAN name is configured, you can run
the vlan vlan-name vlan-name command in the system view to enter the corresponding VLAN view.
Step 3 Run:
mux-vlan
The VLAN is configured as a principal VLAN.
The VLAN ID assigned to a principal VLAN can no longer be used to configure any VLANIF
interface, super-VLAN, or sub-VLAN.
Step 4 Run:
commit
The configuration is committed.
----End
2.7.2 Configuring a Group VLAN for a Subordinate VLAN
Context
A VLAN associated with a group port is called a group VLAN. Group ports in a group VLAN
can communicate with each other.
Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
vlan vlan-id
The view of a created principal VLAN is displayed.
Step 3 Run:
subordinate group { vlan-id1 [ to vlan-id2 ] } &<1-10>
A group VLAN is configured for the subordinate VLAN.
A maximum of 128 group VLANs can be configured for a principal VLAN.
The VLAN ID assigned to a group VLAN cannot be used for any VLANIF interface,
super-VLAN, or sub-VLAN.
Step 4 Run:
commit
The configuration is committed.
----End
2.7.3 Configuring a Separate VLAN for a Subordinate VLAN
Context
A VLAN associated with separate ports is called a separate VLAN. Ports in a separate VLAN
cannot communicate with each other.
Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
vlan vlan-id
The view of a created principal VLAN is displayed.
Step 3 Run:
subordinate separate vlan-id
A separate VLAN is configured for a subordinate VLAN.
Only one separate VLAN can be configured for a principal VLAN.
Group VLANs and separate VLANs in one MUX VLAN cannot use the same VLAN ID.
The VLAN ID assigned to a group VLAN cannot be used for any VLANIF interface,
super-VLAN, or sub-VLAN.
Step 4 Run:
commit
The configuration is committed.
----End
2.7.4 Enabling the MUX VLAN Function on a Port
Context
After the MUX VLAN function is enabled on a port, the principal VLAN and subordinate VLAN
can communicate with each other; ports in a group VLAN can communicate with each other;
ports in a separate VLAN cannot communicate with each other.
Pre-configuration Tasks
Before enabling the MUX VLAN function, complete the following tasks:
l The port has been added to only one VLAN. If the port has been added to multiple VLANs,
the MUX VLAN function cannot be enabled on this port.
l The port has been added to a principal or subordinate VLAN in untagged mode as an access
interface.
Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
interface interface-type interface-number
The view of a port connecting users is displayed.
Step 3 Run:
port mux-vlan enable
The MUX VLAN function is enabled.
NOTE
l Disabling MAC address learning or limiting the number of learned MAC addresses on an interface
affects the MUX VLAN function on the interface.
l The MUX VLAN and port security functions cannot be enabled on the same interface.
Step 4 Run:
commit
The configuration is committed.
----End
2.7.5 Checking the Configuration
Procedure
l Run the display mux-vlan command to check information about the MUX VLAN.
----End
2.8 Configuring an mVLAN to Implement Integrated
Management
Management VLAN (mVLAN) configuration allows users to use the VLANIF interface of the
mVLAN to log in to the management switch to manage devices in a centralized manner.
Context
To use a network management system to manage multiple devices, create a VLANIF interface
on each device and configure a management IP address for the VLANIF interface. You can then
log in to a device and manage it using its management IP address. If a user-side interface is
added to the VLAN, users connected to the interface can also log in to the device. This brings
security risks to the device.
After a VLAN is configured as a management VLAN, no access interface or dot1q-tunnel
interface can be added to the VLAN. An access interface or a dot1q-tunnel interface is connected
to users. The management VLAN forbids users connected to access and dot1q-tunnel interfaces
to log in to the device, improving device performance.
Pre-configuration Tasks
Before creating a VLANIF interface, complete the following tasks:
l Create a VLAN.
l Associate the VLAN with the physical interface.
Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
vlan vlan-id
The VLAN view is displayed.
TIP
If a device is configured with multiple VLANs, configuring names for these VLANs is recommended:
Run the name vlan-name command in the VLAN view. After a VLAN name is configured, you can run
the vlan vlan-name vlan-name command in the system view to enter the corresponding VLAN view.
Step 3 Run:
management-vlan
An mVLAN is configured.
After an mVLAN is configured, an interface added to the mVLAN must be a trunk or hybrid
interface.
VLAN 1 cannot be configured as an mVLAN.
Step 4 Run:
quit
The system exits the VLAN view.
Step 5 Run:
interface vlanif vlan-id
A VLANIF interface is created and the VLANIF interface view is displayed.
Step 6 Run:
ip address ip-address { mask | mask-length } [ sub ]
The IP address of the VLANIF interface is configured.
After assigning an IP address to the VLANIF interface, you can run the telnet command to log
in to a management switch to manage attached devices.
Step 7 Run:
commit
The configuration is committed.
----End
Checking the Configuration
l Run the display vlan command to check information about the mVLAN. The command
output shows information about the mVLAN in the line that starts with an asterisk (*).
2.9 Configuring an Interface to Discard Incoming Tagged
Packets
If a user connects a switch to a user-side interface without permission, the user-side interface
may receive tagged packets. To prevent unauthorized access, you can configure the user-side
interface to discard incoming tagged packets.
Context
All packets sent from user devices are untagged, so user-side interfaces on a switch do not
receive tagged packets. If a user connects a switch to a user-side interface without permission,
the user-side interface may receive tagged packets. To prevent unauthorized access, you can
configure the user-side interface to discard incoming tagged packets.
Only interfaces that are connected to user devices and do not receive tagged packets can be
configured to discard incoming tagged packets.
Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
interface interface-type interface-number
The member interface view is displayed.
Step 3 Run:
port discard tagged-packet
The interface is configured to discard incoming tagged packets.
By default, an interface does not discard incoming tagged packets.
Step 4 Run:
commit
The configuration is committed.
----End
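What "tagged" means on the wire, as an added example that is not part of the guide: the code decodes the Ethernet header, detects an IEEE 802.1Q tag by its TPID 0x8100, models the effect of port discard tagged-packet, and counts tagged frames per source MAC to point at the device that is sending them. The function names and sample frames are constructed. The model treats every frame with TPID 0x8100 as tagged, including priority-tagged frames (VLAN ID 0); the guide does not say how the switch handles those.

```python
import struct
from collections import Counter

TPID_8021Q = 0x8100  # Tag Protocol Identifier of an IEEE 802.1Q VLAN tag


def parse_frame(frame):
    """Decode the Ethernet header and, if present, the 802.1Q tag."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    (ethertype,) = struct.unpack("!H", frame[12:14])
    info = {"src": frame[6:12].hex(":"), "tagged": False,
            "pcp": None, "vid": None, "ethertype": ethertype}
    if ethertype == TPID_8021Q:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        # TCI = 3-bit priority, 1-bit DEI, 12-bit VLAN ID; then the real EtherType.
        tci, inner = struct.unpack("!HH", frame[14:18])
        info.update(tagged=True, pcp=tci >> 13, vid=tci & 0x0FFF, ethertype=inner)
    return info


def ingress_decision(frame, discard_tagged):
    """Model of a user-side port: with 'port discard tagged-packet' configured,
    tagged frames are dropped; by default they are not."""
    if discard_tagged and parse_frame(frame)["tagged"]:
        return "discard"
    return "accept"


def tagged_sources(frames):
    """Count tagged frames per (source MAC, VLAN ID) seen on a user-side port."""
    counts = Counter()
    for frame in frames:
        info = parse_frame(frame)
        if info["tagged"]:
            counts[(info["src"], info["vid"])] += 1
    return dict(counts)


def build_frame(src, ethertype, vid=None, pcp=0):
    """Construct a sample broadcast frame (test data, not captured traffic)."""
    header = bytes.fromhex("ffffffffffff") + bytes.fromhex(src.replace(":", ""))
    if vid is not None:
        header += struct.pack("!HH", TPID_8021Q, (pcp << 13) | vid)
    return header + struct.pack("!H", ethertype) + bytes(46)


# Constructed frames as they might arrive on one user-side interface.
SAMPLE_FRAMES = [
    build_frame("02:00:00:00:00:01", 0x0806),                # untagged ARP from a PC
    build_frame("02:00:00:00:00:02", 0x0800, vid=3),         # tagged with VLAN 3
    build_frame("02:00:00:00:00:02", 0x0806, vid=3),         # same sender, VLAN 3
    build_frame("02:00:00:00:00:03", 0x0800, vid=0, pcp=5),  # priority-tagged
]

if __name__ == "__main__":
    for frame in SAMPLE_FRAMES:
        print(parse_frame(frame), ingress_decision(frame, discard_tagged=True))
    print(tagged_sources(SAMPLE_FRAMES))
```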
2.10 Maintaining VLAN
This section describes how to view and clear VLAN and VLANIF statistics.
2.10.1 Collecting Statistics on VLAN Traffic
Context
You can enable the traffic statistics function on VLANs or VLANIF interfaces to view traffic
statistics on VLANs or VLANIF interfaces, which implements VLAN traffic policing.
Procedure
l View traffic statistics on VLANs.
1. Run the statistic enable (VLAN view) command in the VLAN view to enable the
traffic statistics function on VLANs.
2. Run the display vlan vlan-id statistics command in any view to view traffic statistics
on a specified VLAN.
l View traffic statistics on VLANIF interfaces.
1. Run the statistic enable (VLANIF view) command in the VLAN view to enable the
traffic statistics function on VLANIF interfaces.
2. Run the display interface vlanif [ vlan-id ] command in any view to view the traffic
statistics on a VLAN interface.
----End
2.10.2 Clearing the Statistics of VLAN Packets
Context
Before collecting traffic statistics in a specified time period on an interface, you need to reset
the original statistics on the interface.
CAUTION
Statistics about VLAN packets cannot be restored after they are cleared. Confirm the action
before you use the command.
To clear the statistics of VLAN packets, run the following reset vlan statistics command in the
user view:
Procedure
l Run the reset vlan [ vlan-id ] statistics command to clear the packet statistics of a specified
VLAN.
----End
2.10.3 Enable GMAC ping to detect Layer 2 network connectivity
Context
Similar to IP ping, GMAC ping detects whether a fault occurs on an Ethernet link or monitors
the link quality. GMAC ping efficiently detects and locates Ethernet faults.
Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
ping mac enable
GMAC ping is enabled globally.
By default, GMAC ping is disabled.
After GMAC ping is enabled on the device, the device can ping the remote device and respond
to received GMAC ping packets.
Step 3 Run:
commit
The configuration is committed.
Step 4 Run:
ping mac mac-address vlan vlan-id [ interface interface-type interface-number | -c count | -s packetsize | -t timeout ] *
GMAC ping is performed to check connectivity of the link between the local device and the
remote device.
----End
2.10.4 Enable GMAC trace to locate faults
Context
Similar to IP traceroute, GMAC ping detects whether a fault occurs on an Ethernet link or
monitors the link quality. GMAC trace efficiently detects and locates Ethernet faults.
Procedure
Step 1 Configuring the devices at both ends of a link and intermediate device
Perform the following operations on the devices at both ends of the link to be tested and
intermediate device.
1. Run:
system-view
The system view is displayed.
2. Run:
trace mac enable
GMAC trace is enabled globally.
By default, GMAC trace is disabled.
After GMAC ping is enabled on the device, the device can ping the remote device and
respond to received GMAC ping packets.
3. Run:
commit
The configuration is committed.
Step 2 Performing GMAC trace
Perform the following operations on the device at one end of the link to be tested.
1. Run:
system-view
The system view is displayed.
2. Run:
trace mac mac-address vlan vlan-id [ interface interface-type interface-number | -t timeout ] *
A connectivity fault between the local device and the remote device is located.
----End
2.11 Configuration Examples
This section provides several configuration examples of VLANs including networking
requirements, configuration roadmap, and configuration procedure.
2.11.1 Example for Assigning VLANs
Networking Requirements
As shown in Figure 2-5, multiple user terminals are connected to switches in a data center. Users
who use the same service access the network using different devices.
To ensure the communication security and avoid broadcast storms, the administrator wants to
allow users who use the same service to communicate with each other but isolate users who use
different services.
Configure port-based VLANs on the switch and add ports connecting to terminals of users who
use the same service to the same VLAN. Users in different VLANs cannot perform Layer 2
communication. Users in the same VLAN can communicate directly.
Figure 2-5 Networking diagram for assigning VLANs
[Figure: SwitchA and SwitchB, each with interfaces 10GE1/0/1, 10GE1/0/2, and 10GE1/0/3. User1 (VLAN2) and User3 (VLAN3) connect to SwitchA; User2 (VLAN2) and User4 (VLAN3) connect to SwitchB.]
Configuration Roadmap
The configuration roadmap is as follows:
1. Create VLANs and add ports connecting to user terminals to VLANs to isolate Layer 2
traffic between users who use different services.
2. Configure the link type of the ports between SwitchA and SwitchB and the VLANs allowed
on the link, so that users who use the same service can communicate.
Procedure
Step 1 Create VLAN2 and VLAN3 on SwitchA, and add ports connecting to user terminals to different
VLANs. Configuration of SwitchB is similar to that of SwitchA.
<HUAWEI> system-view
[~HUAWEI] sysname SwitchA
[~HUAWEI] commit
[~SwitchA] vlan batch 2 3
[~SwitchA] interface 10ge 1/0/1
[~SwitchA-10GE1/0/1] port default vlan 2
[~SwitchA-10GE1/0/1] quit
[~SwitchA] interface 10ge 1/0/2
[~SwitchA-10GE1/0/2] port default vlan 3
[~SwitchA-10GE1/0/2] quit
[~SwitchA] commit
Step 2 On SwitchA, configure the link type of the port connecting to SwitchB and the VLANs
allowed on the port. Configuration of SwitchB is similar to that of SwitchA.
[~SwitchA] interface 10ge 1/0/3
[~SwitchA-10GE1/0/3] port link-type trunk
[~SwitchA-10GE1/0/3] port trunk allow-pass vlan 2 3
[~SwitchA-10GE1/0/3] commit
Step 3 Verify the configuration.
Add User1 and User2 to the same IP address segment, for example, 192.168.100.0/24. Add
User3 and User4 to the same IP address segment, for example, 192.168.200.0/24.
Only User1's and User2's terminals can ping each other. Only User3's and User4's terminals can
ping each other.
----End
Configuration Files
Configuration file of SwitchA
#
sysname SwitchA
#
vlan batch 2 to 3
#
interface 10GE1/0/1
port default vlan 2
#
interface 10GE1/0/2
port default vlan 3
#
interface 10GE1/0/3
port link-type trunk
port trunk allow-pass vlan 2 to 3
#
return
Configuration file of SwitchB
#
sysname SwitchB
#
vlan batch 2 to 3
#
interface 10GE1/0/1
port default vlan 2
#
interface 10GE1/0/2
port default vlan 3
#
interface 10GE1/0/3
port link-type trunk
port trunk allow-pass vlan 2 to 3
#
return
2.11.2 Example for Implementing Inter-VLAN Communication
Using VLANIF Interfaces
Networking Requirements
Users in an enterprise use different services and are located on different network segments.
Users who use the same service belong to different VLANs and want to communicate with each other.
As shown in Figure 2-6, User 1 and User 2 use the same service but belong to different VLANs
and are located on different network segments. User 1 wants to communicate with User 2.
Figure 2-6 Networking diagram for implementing inter-VLAN communication using VLANIF
interfaces
[Figure: Switch with 10GE1/0/1 (VLANIF10, 10.10.10.2/24) connected to User1 (VLAN 10, 10.10.10.3/24) and 10GE1/0/2 (VLANIF20, 20.20.20.2/24) connected to User2 (VLAN 20, 20.20.20.3/24).]
Configuration Roadmap
The configuration roadmap is as follows:
1. Create VLANs on the switches for different users.
2. Add interfaces to VLANs so that packets of the VLANs can pass through the interfaces.
3. Create VLANIF interfaces and configure IP addresses for the VLANIF interfaces to
implement Layer 3 communication.
NOTE
To implement communication between VLANs, hosts in each VLAN must use the IP address of the
corresponding VLANIF interface as the gateway address.
Procedure
Step 1 Configure the Switch.
# Create VLANs.
<HUAWEI> system-view
[~HUAWEI] vlan batch 10 20
[~HUAWEI] commit
# Add interfaces to VLANs.
[~HUAWEI] interface 10ge 1/0/1
[~HUAWEI-10GE1/0/1] port default vlan 10
[~HUAWEI-10GE1/0/1] quit
[~HUAWEI] interface 10ge 1/0/2
[~HUAWEI-10GE1/0/2] port default vlan 20
[~HUAWEI-10GE1/0/2] quit
[~HUAWEI] commit
# Assign IP addresses to the VLANIF interfaces.
[~HUAWEI] interface vlanif 10
[~HUAWEI-Vlanif10] ip address 10.10.10.2 24
[~HUAWEI-Vlanif10] quit
[~HUAWEI] interface vlanif 20
[~HUAWEI-Vlanif20] ip address 20.20.20.2 24
[~HUAWEI-Vlanif20] quit
[~HUAWEI] commit
Step 2 Verify the configuration.
Configure the IP address 10.10.10.3/24 on User 1's host, and configure the VLANIF 10 interface
IP address 10.10.10.2/24 as the gateway address.
Configure the IP address 20.20.20.3/24 on User 2's host, and configure the VLANIF 20 interface
IP address 20.20.20.2/24 as the gateway address.
After the preceding configurations are complete, User 1 in VLAN 10 and User 2 in VLAN 20
can communicate.
----End
Configuration Files
Configuration file of the Switch
#
sysname HUAWEI
#
vlan batch 10 20
#
interface Vlanif10
ip address 10.10.10.2 255.255.255.0
#
interface Vlanif20
ip address 20.20.20.2 255.255.255.0
#
interface 10GE1/0/1
port default vlan 10
#
interface 10GE1/0/2
port default vlan 20
#
return
2.11.3 Example for Configuring VLAN Aggregation
Networking Requirements
Multiple departments in an enterprise are located on the same network segment. To improve
service security, assign the departments to different VLANs. Some departments need to
communicate.
As shown in Figure 2-7, departments in VLAN 2 and VLAN 3 want to communicate with each
other.
You can configure VLAN aggregation on the switch to isolate VLAN 2 from VLAN 3 at Layer
2 and allow them to communicate at Layer 3. VLAN 2 and VLAN 3 use the same subnet segment,
saving IP addresses.
Figure 2-7 Networking diagram for configuring VLAN aggregation
[Figure: Switch with super-VLAN VLAN4 (VLANIF4: 100.1.1.12/24). VLAN 2 uses 10GE1/0/1 and 10GE1/0/2; VLAN 3 uses 10GE1/0/3 and 10GE1/0/4.]
Configuration Roadmap
The configuration roadmap is as follows:
1. Add interfaces of the Switch to sub-VLANs to isolate sub-VLANs at Layer 2.
2. Add the sub-VLANs to a super-VLAN.
3. Configure the IP address for the VLANIF interface.
4. Configure proxy ARP for the super-VLAN to allow sub-VLANs to communicate at Layer
3.
Procedure
Step 1 Create VLAN 2 and add 10GE1/0/1 and 10GE1/0/2 to VLAN 2.
[~HUAWEI] vlan 2
[~HUAWEI-vlan2] port 10ge 1/0/1 1/0/2
[~HUAWEI-vlan2] quit
[~HUAWEI] commit
Step 2 Create VLAN 3 and add 10GE1/0/3 and 10GE1/0/4 to VLAN 3.
[~HUAWEI] vlan 3
[~HUAWEI-vlan3] port 10ge 1/0/3 1/0/4
[~HUAWEI-vlan3] quit
[~HUAWEI] commit
Step 3 Configure VLAN 4.
# Configure the super-VLAN.
[~HUAWEI] vlan 4
[~HUAWEI-vlan4] aggregate-vlan
[~HUAWEI-vlan4] access-vlan 2 to 3
[~HUAWEI-vlan4] quit
# Configure the VLANIF interface.
[~HUAWEI] interface vlanif 4
[~HUAWEI-Vlanif4] ip address 100.1.1.12 255.255.255.0
[~HUAWEI-Vlanif4] quit
[~HUAWEI] commit
Step 4 Configure the PCs.
Configure an IP address for each PC. Ensure that the PC IP addresses are in the same network
segment as VLAN 4.
When the configuration is complete, the PCs and the Switch can ping each other, but the PCs in
VLAN 2 and the PCs in VLAN 3 cannot ping each other. You need to configure proxy ARP on
the switch.
Step 5 Configure proxy ARP.
[~HUAWEI] interface vlanif 4
[~HUAWEI-Vlanif4] arp proxy inter-vlan enable
[~HUAWEI-Vlanif4] commit
Step 6 Verify the configuration.
When the configuration is complete, the PCs in VLAN 2 and VLAN 3 can ping each other.
----End
Configuration Files
Configuration file of the Switch
#
sysname HUAWEI
#
vlan batch 2 to 4
#
vlan 4
aggregate-vlan
access-vlan 2 to 3
#
interface Vlanif4
ip address 100.1.1.12 255.255.255.0
arp proxy inter-vlan enable
#
interface 10GE1/0/1
port default vlan 2
#
interface 10GE1/0/2
port default vlan 2
#
interface 10GE1/0/3
port default vlan 3
#
interface 10GE1/0/4
port default vlan 3
#
return
2.11.4 Example for Configuring a MUX VLAN to Separate Layer 2
Traffic
Networking Requirements
In the data center network, all users can access external networks. The administrator allows some
users to communicate but expects to isolate other users from one another.
To solve this problem, configure the MUX VLAN function on the switch connecting to user
terminals. As shown in Figure 2-8, the switch is connected to the external network using the
principal port, to isolated users using the separate port, to users who can communicate with each
other using the group port. This saves VLAN IDs on the network and facilitates network
management.
Figure 2-8 MUX VLAN configuration
[Figure: Switch connected to the Network in VLAN2 (principal VLAN); UserB, UserC, UserD, and UserE connected in VLAN3 (group VLAN) and VLAN4 (separate VLAN); interfaces 10GE1/0/1 to 10GE1/0/5.]
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure the principal VLAN.
2. Configure the group VLAN.
3. Configure the separate VLAN.
4. Add interfaces to the VLANs and enable the MUX VLAN function.
Procedure
Step 1 Configure a MUX VLAN.
# Create VLAN 2, VLAN 3, and VLAN 4.
<HUAWEI> system-view
[~HUAWEI] vlan batch 2 3 4
[~HUAWEI] commit
# Configure the principal VLAN and subordinate VLANs.
[~HUAWEI] vlan 2
[~HUAWEI-vlan2] mux-vlan
[~HUAWEI-vlan2] subordinate group 3
[~HUAWEI-vlan2] subordinate separate 4
[~HUAWEI-vlan2] quit
[~HUAWEI] commit
# Add interfaces to the VLANs and enable the MUX VLAN function on the interfaces.
[~HUAWEI] interface 10ge 1/0/1
[~HUAWEI-10GE1/0/1] port default vlan 2
[~HUAWEI-10GE1/0/1] port mux-vlan enable
[~HUAWEI-10GE1/0/1] quit
[~HUAWEI] interface 10ge 1/0/2
[~HUAWEI-10GE1/0/2] port default vlan 3
[~HUAWEI-10GE1/0/2] port mux-vlan enable
[~HUAWEI-10GE1/0/2] quit
[~HUAWEI] interface 10ge 1/0/3
[~HUAWEI-10GE1/0/3] port default vlan 3
[~HUAWEI-10GE1/0/3] port mux-vlan enable
[~HUAWEI-10GE1/0/3] quit
[~HUAWEI] interface 10ge 1/0/4
[~HUAWEI-10GE1/0/4] port default vlan 4
[~HUAWEI-10GE1/0/4] port mux-vlan enable
[~HUAWEI-10GE1/0/4] quit
[~HUAWEI] interface 10ge 1/0/5
[~HUAWEI-10GE1/0/5] port default vlan 4
[~HUAWEI-10GE1/0/5] port mux-vlan enable
[~HUAWEI-10GE1/0/5] quit
[~HUAWEI] commit
Step 2 Verify the configuration.
l User B, User C, User D, and User E can access external networks.
l User B and User C can ping each other.
l User D and User E cannot ping each other.
l User B and User C cannot ping User D or User E. User D and User E cannot ping User B or
User C.
----End
Configuration File
Configuration file of the Switch
#
sysname HUAWEI
#
vlan batch 2 to 4
#
vlan 2
mux-vlan
subordinate separate 4
subordinate group 3
#
interface 10GE1/0/1
port default vlan 2
port mux-vlan enable
#
interface 10GE1/0/2
port default vlan 3
port mux-vlan enable
#
interface 10GE1/0/3
port default vlan 3
port mux-vlan enable
#
interface 10GE1/0/4
port default vlan 4
port mux-vlan enable
#
interface 10GE1/0/5
port default vlan 4
port mux-vlan enable
#
return
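The isolation rules of sections 2.7.1 to 2.7.4 applied to the configuration file above, as an added example that is not part of the guide: it parses the file, checks the limits the guide states (one separate VLAN, at most 128 group VLANs, no shared VLAN ID), and computes which MUX VLAN ports can reach each other at Layer 2. The function names are constructed, and the model assumes that ports in different group VLANs are isolated from each other.

```python
import re

# Configuration file of the Switch, copied from the example above.
CONFIG = """\
#
sysname HUAWEI
#
vlan batch 2 to 4
#
vlan 2
 mux-vlan
 subordinate separate 4
 subordinate group 3
#
interface 10GE1/0/1
 port default vlan 2
 port mux-vlan enable
#
interface 10GE1/0/2
 port default vlan 3
 port mux-vlan enable
#
interface 10GE1/0/3
 port default vlan 3
 port mux-vlan enable
#
interface 10GE1/0/4
 port default vlan 4
 port mux-vlan enable
#
interface 10GE1/0/5
 port default vlan 4
 port mux-vlan enable
#
return
"""


def expand_vlans(tokens):
    """Expand a VLAN list such as ['3', 'to', '5', '9'] into {3, 4, 5, 9}."""
    vids, i = set(), 0
    while i < len(tokens):
        low = high = int(tokens[i])
        if tokens[i + 1:i + 2] == ["to"]:
            high = int(tokens[i + 2])
            i += 2
        vids.update(range(low, high + 1))
        i += 1
    return vids


def parse_mux_config(text):
    """Return (roles, ports, problems) for the MUX VLANs in a configuration file."""
    roles, ports, problems = {}, {}, []
    for stanza in re.split(r"(?m)^#\s*$", text):
        lines = [ln.strip() for ln in stanza.splitlines() if ln.strip()]
        if not lines:
            continue
        head, body = lines[0].split(), lines[1:]
        if head[0] == "vlan" and len(head) == 2 and "mux-vlan" in body:
            principal, groups, separates = int(head[1]), set(), set()
            for tok in (ln.split() for ln in body):
                if tok[:2] == ["subordinate", "group"]:
                    groups |= expand_vlans(tok[2:])
                elif tok[:2] == ["subordinate", "separate"]:
                    separates |= expand_vlans(tok[2:])
            # Limits stated in sections 2.7.2 and 2.7.3 of the guide.
            if len(separates) > 1:
                problems.append(f"vlan {principal}: more than one separate VLAN")
            if len(groups) > 128:
                problems.append(f"vlan {principal}: more than 128 group VLANs")
            if groups & separates:
                problems.append(f"vlan {principal}: group and separate VLANs share an ID")
            roles[principal] = ("principal", principal)
            roles.update({v: ("group", principal) for v in groups})
            roles.update({v: ("separate", principal) for v in separates})
        elif head[0] == "interface" and "port mux-vlan enable" in body:
            for tok in (ln.split() for ln in body):
                if tok[:3] == ["port", "default", "vlan"]:
                    ports[head[1]] = int(tok[3])
    return roles, ports, problems


def can_communicate(roles, ports, port_a, port_b):
    """Layer 2 reachability between two MUX VLAN-enabled ports."""
    kind_a, mux_a = roles.get(ports[port_a], (None, None))
    kind_b, mux_b = roles.get(ports[port_b], (None, None))
    if mux_a is None or mux_a != mux_b:
        return False  # not in the same MUX VLAN (outside this model)
    if "principal" in (kind_a, kind_b):
        return True   # principal ports reach every port in the MUX VLAN
    if kind_a == kind_b == "group":
        return ports[port_a] == ports[port_b]  # same group VLAN only
    return False      # separate ports reach neither each other nor group ports
```

Running can_communicate over every port pair reproduces the results listed under "Verify the configuration", which makes it a quick check of a planned MUX VLAN layout before it is committed.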
2.12 Common Configuration Errors
This section describes common VLAN configuration errors.
2.12.1 User Terminals in the Same VLAN Cannot Ping Each Other
Fault Description
User terminals in the same VLAN cannot ping each other.
Procedure
Step 1 Check that the interfaces connected to the user terminals are in Up state.
Run the display interface interface-type interface-number command in any view to check the
status of the interfaces.
l If the interface is Down, rectify the interface fault.
l If the interface is Up, go to Step 2.
Step 2 Check whether the IP addresses of user terminals are in the same network segment.
l If they are in different network segments, change the IP addresses of the user terminals.
l If they are in the same network segment, go to Step 3.
Step 3 Check that the MAC address entries on the Switch are correct.
Run the display mac-address command on the Switch to check whether the MAC addresses,
interfaces, and VLANs in the learned MAC address entries are correct. If the learned MAC
address entries are incorrect, run the undo mac-address mac-address vlan vlan-id command
in the system view to delete the current entries so that the Switch can learn MAC address entries
again.
After the MAC address table is updated, check the MAC address entries again.
l If the MAC address entries are incorrect, go to Step 4.
l If the MAC address entries are correct, go to Step 5.
Step 4 Check that the VLAN is properly configured.
l Check the VLAN configuration according to the following table.

Check Item: Whether the VLAN has been created
Method: Run the display vlan vlan-id command in any view to check whether
the VLAN has been created. If not, run the vlan command in system
view to create the VLAN.

Check Item: Whether the interfaces are added to the VLAN
Method: Run the display vlan vlan-id command in any view to check whether
the VLAN contains the interfaces. If not, add the interfaces to the
VLAN.
NOTE
If the interfaces are located on different devices, add the interfaces connecting
the devices to the VLAN.
The default type of a Switch interface is Access. You can run the port link-type
command to change the interface type.
l Add an access interface to the VLAN using either of the
following methods:
1. Run the port default vlan command in the interface view.
2. Run the port command in the VLAN view.
l Add a trunk interface to the VLAN.
Run the port trunk allow-pass vlan command in the interface
view.
l Add a hybrid interface to the VLAN using either of the following
methods:
1. Run the port hybrid tagged vlan command in the interface
view.
2. Run the port hybrid untagged vlan command in the
interface view.

Check Item: Whether connections between interfaces and user terminals are correct
Method: Check the connections between interfaces and user terminals
according to the network plan. If any user terminal is connected to
an incorrect interface, connect it to the correct interface.

After the preceding operations, if the MAC address entries are correct, go to Step 5.
Step 5 Check whether port isolation is configured.
Run the interface interface-type interface-number command in the system view to enter the
interface view, and then run the display this command to check whether port isolation is
configured on the interface.
l If port isolation is not configured, go to Step 6.
l If port isolation is configured, run the undo port-isolate enable command on the interface
to disable port isolation. If the fault persists, go to Step 6.
Step 6 Check whether correct static Address Resolution Protocol (ARP) entries are configured on the
user terminals. If the static ARP entries are incorrect, modify them.
----End
2.12.2 VLANIF Interface Goes Down
Fault Symptom
A VLANIF interface is in Down state.
Common causes and solutions
Table 2-4 lists the common causes and solutions.
Table 2-4 Common causes and solutions
Common Cause: No interface is added to the corresponding VLAN.
Solution: Add interfaces to the corresponding VLAN.

Common Cause: All interfaces added to the VLAN are physically Down.
Solution: Rectify the fault. A VLANIF interface is Up as long as an interface in the
corresponding VLAN is Up.

Common Cause: No IP address is assigned to the VLANIF interface.
Solution: Run the ip address command in the view of the VLANIF interface to assign an
IP address to the VLANIF interface.

Common Cause: The VLANIF interface is shut down.
Solution: Run the undo shutdown (interface view) command in the view of the VLANIF
interface to enable the VLANIF interface.
3 QinQ Configuration
About This Chapter
This chapter describes the concepts and configuration procedure of 802.1Q-in-802.1Q (QinQ),
and provides configuration examples.
3.1 QinQ Overview
The QinQ technology improves usage of VLANs and provides a simple Layer 2 VPN tunnel for
users.
3.2 QinQ Features Supported by the Device
The device supports interface-based basic QinQ and modification of the TPID value in the outer
VLAN tag.
3.3 Configuring Basic QinQ
After basic QinQ is configured, the device adds a public VLAN tag to an incoming packet so
that the user packet can be forwarded on the public network.
3.4 Configuring the TPID Value for an Outer VLAN Tag
To ensure that devices from different vendors can communicate with each other, set the TPID
value of an outer VLAN tag.
3.5 Configuration Examples
This section provides several configuration examples of QinQ.
3.1 QinQ Overview
The QinQ technology improves usage of VLANs and provides a simple Layer 2 VPN tunnel for
users.
The 12-bit VLAN tag defined in IEEE 802.1Q can identify a maximum of only 4063 VLANs, excluding
the reserved VLANs. In practice, 4063 VLANs cannot meet the requirement of isolating
large numbers of users.
QinQ is designed to expand the number of VLANs by adding an 802.1Q tag to an 802.1Q packet.
With this extra tag, the number of VLANs is increased to 4063 x 4063. Packets are forwarded
based on their outer VLAN tags on the public network, and devices on the public network add
the outer VLAN IDs to MAC address tables of the matching VLANs. Inner VLAN tags of
packets are transmitted as data on the public network. QinQ provides a simplified Layer 2 VPN
tunnel.
Figure 3-1 Typical networking for QinQ application
[Figure: Switch A and Switch B connected across the public network; production service and office service sites use private VLANs 10 to 50 and VLANs 20 to 60, carried in public VLAN 100 and VLAN 200]
As shown in Figure 3-1, the private VLANs of two services are VLAN 10 to VLAN 50 and
VLAN 20 to VLAN 60 respectively. The public VLANs are VLAN 100 and VLAN 200
respectively. When tagged packets from production services and office services are sent to the
public network, outer tags of VLAN 100 and VLAN 200 are added to the packets respectively.
In this way, packets from different user networks are isolated during transmission. Even if
VLANs of user networks overlap, conflicts are prevented during transmission on the public
network.
3.2 QinQ Features Supported by the Device
The device supports interface-based basic QinQ and modification of the TPID value in the outer
VLAN tag.
Basic QinQ
Basic QinQ, also called QinQ Layer 2 tunneling, is implemented based on interfaces. Basic QinQ
enables the device to add the default VLAN tag of an interface to a received packet. After
encapsulation, the received tagged packet has double VLAN tags or the received untagged packet
has the default VLAN tag of the interface.
TPID Value in an Outer VLAN Tag
Figure 3-2 shows the IEEE 802.1Q Ethernet frame format. The Tag Protocol Identifier (TPID)
in a VLAN tag specifies the protocol type of the tag. IEEE 802.1Q defines the TPID value as
0x8100.
Figure 3-2 802.1Q Encapsulation
DA (6 bytes) | SA (6 bytes) | 802.1Q Header (4 bytes) | Length/Type (2 bytes) | Data (46 to 1500 bytes) | FCS (4 bytes)
802.1Q Header: TPID (2 bytes, 0x8100) | TCI (2 bytes): Priority (3 bits), CFI (1 bit), VLAN ID (12 bits)

Devices of different vendors may set the TPID field in a QinQ packet's outer VLAN tag to
different values. To communicate with devices of other vendors, the device supports
modification of the TPID value. You can set the TPID value in outer VLAN tags to be the same
as the TPID value used by devices of other vendors so that the device can communicate with
these devices.
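The following Python sketch is an added example, not Huawei code. It models basic QinQ tag insertion and shows why both ends must agree on the outer TPID: a peer that expects 0x8100 does not recognise an outer tag carrying 0x9100 and sees an unknown EtherType instead of a VLAN tag. The MAC addresses, payload and function names are constructed for illustration, and rewriting the TPID in a separate step is a modelling assumption.

```python
import struct

OUTER_TPIDS = (0x8100, 0x9100, 0x88A8)  # TPID values this guide lists as configurable

# Constructed sample addresses and payload (not from the guide).
DST = bytes.fromhex("00e0fc000002")
SRC = bytes.fromhex("00e0fc000001")
PAYLOAD = bytes(46)


def build_frame(dst, src, ethertype, payload, vlan=None):
    """Ethernet frame without FCS, optionally carrying one 802.1Q tag (TPID 0x8100)."""
    tag = b"" if vlan is None else struct.pack("!HH", 0x8100, vlan & 0x0FFF)
    return dst + src + tag + struct.pack("!H", ethertype) + payload


def push_outer_tag(frame, default_vlan):
    """Basic QinQ ingress (model): insert the interface's default VLAN tag right
    after DA/SA, whether or not the frame already carries a tag."""
    if not 1 <= default_vlan <= 4094:
        raise ValueError("VLAN ID out of range")
    return frame[:12] + struct.pack("!HH", 0x8100, default_vlan) + frame[12:]


def set_outer_tpid(frame, tpid):
    """Rewrite the TPID of the outermost tag of an already tagged frame."""
    if tpid not in OUTER_TPIDS:
        raise ValueError("unsupported TPID")
    return frame[:12] + struct.pack("!H", tpid) + frame[14:]


def parse_tags(frame, outer_tpid=0x8100):
    """Return (tags, ethertype). The outer tag is recognised only when its TPID
    equals outer_tpid; inner tags are expected to use 0x8100."""
    tags, offset, expected = [], 12, outer_tpid
    while True:
        if len(frame) < offset + 2:
            raise ValueError("truncated frame")
        (etype,) = struct.unpack_from("!H", frame, offset)
        if etype != expected:
            return tags, etype
        if len(frame) < offset + 4:
            raise ValueError("truncated VLAN tag")
        (tci,) = struct.unpack_from("!H", frame, offset + 2)
        tags.append({"tpid": etype, "priority": tci >> 13,
                     "cfi": (tci >> 12) & 1, "vlan": tci & 0x0FFF})
        offset, expected = offset + 4, 0x8100


def demo():
    """Customer frame in private VLAN 10, tunnelled in public VLAN 100 with TPID 0x9100."""
    customer = build_frame(DST, SRC, 0x0800, PAYLOAD, vlan=10)
    on_wire = set_outer_tpid(push_outer_tag(customer, 100), 0x9100)
    untagged = push_outer_tag(build_frame(DST, SRC, 0x0800, PAYLOAD), 200)
    return {
        "matching_peer": parse_tags(on_wire, outer_tpid=0x9100),
        "mismatched_peer": parse_tags(on_wire, outer_tpid=0x8100),
        "untagged_customer": parse_tags(untagged),
        "added_bytes": len(on_wire) - len(customer),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

Each outer tag adds 4 bytes to the frame, which matters when checking the maximum frame size allowed on the public network path.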
3.3 Configuring Basic QinQ
After basic QinQ is configured, the device adds a public VLAN tag to an incoming packet so
that the user packet can be forwarded on the public network.
Background Information
To separate private networks from the public network and save VLAN resources, configure
double 802.1Q tags on QinQ interfaces of the device. Private VLAN tags are used on private
networks such as enterprise networks, and public VLAN tags are used on external networks such
as ISP networks. QinQ expands the VLAN space to 4063x4063 and allows packets on different
private networks with the same VLAN IDs to be transparently transmitted.
Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
vlan vlan-id
The outer VLAN is created.
Step 3 Run:
quit
Return to the system view.
Step 4 Run:
interface interface-type interface-number
The interface view is displayed.
Step 5 Run:
port link-type dot1q-tunnel
The link type of the interface is set to dot1q-tunnel.
By default, the link type of an interface is Access.
Dot1q-tunnel interfaces do not support Layer 2 multicast.
Step 6 Run:
port default vlan vlan-id
The VLAN ID (default VLAN) in the outer VLAN tag is specified.
By default, all ports are added to VLAN 1.
Step 7 Run:
commit
The configuration is committed.
----End
Checking the Configuration
• Run the display current-configuration interface interface-type interface-number
command to check the QinQ configuration on the interface.
3.4 Configuring the TPID Value for an Outer VLAN Tag
To ensure that devices from different vendors can communicate with each other, set the TPID
value of an outer VLAN tag.
Context
Devices from different vendors or different network plans may use different values for TPID
fields in outer VLAN tags of QinQ packets. To be compatible with an existing network plan,
the AR router supports configuration of the TPID value. You can set the TPID value on the AR
router to be the same as the TPID value in the network plan so that the AR router is
compatible with the existing network.
NOTE
• To implement the connectivity between the devices of different vendors, ensure that the protocol type
in the outer VLAN tag can be identified by the peer device.
• The qinq protocol command identifies incoming packets, and adds or changes the TPID value of
outgoing packets.
Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
interface interface-type interface-number
The interface view is displayed.
Step 3 Run:
port link-type { hybrid | trunk | access }
The link type is configured.
By default, the link type of an interface is Access.
Step 4 Run:
qinq protocol protocol-id
The protocol type in the outer VLAN tag is set.
The qinq protocol command cannot be used on a QinQ interface.
The TPID value can be 0x8100, 0x9100, or 0x88a8.
By default, the TPID value in the outer VLAN tag is 0x8100.
Step 5 Run:
commit
The configuration is committed.
----End
3.5 Configuration Examples
This section provides several configuration examples of QinQ.
3.5.1 Example for Configuring QinQ
Networking Requirements
As shown in Figure 3-3, two branches of a data center are located in different places and have
production services and office services. SwitchA and SwitchB are at the edge of the data center
and connected through the public network. A non-Huawei device with the TPID value 0x9100
exists on the public network.
The requirements are as follows:
• Production services and office services plan their VLANs independently.
• Traffic of the two branches is transparently transmitted on the public network. Users of
the same service in the two branches are allowed to communicate, and users of different
services are isolated.
You can configure QinQ to meet the preceding requirements. VLAN 100 provided by the public
network can be used to implement communication of production services in the two branches
and VLAN 200 is used for office services. You can set the TPID value in the outer VLAN tag on
the interface that connects to the non-Huawei device to implement communication between
devices.
Figure 3-3 Networking diagram for configuring QinQ
[Figure: Switch A and Switch B each connect production services (VLAN 10 to 50) and office services (VLAN 20 to 60) on 10GE1/0/1 and 10GE1/0/2, and connect through 10GE1/0/3 to the public network (VLAN 100,200; TPID=0x9100)]
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure VLAN 100 and VLAN 200 on both SwitchA and SwitchB. Set the link type of
the interfaces to QinQ and add the interfaces to the VLANs. In this way, different outer VLAN
tags are added to different services.
2. Add interfaces connecting to the public network on SwitchA and SwitchB to VLAN 100
and VLAN 200 to permit packets from these VLANs to pass through.
3. Set the TPID value in the outer VLAN tag on the interfaces connecting to the public network
on SwitchA and SwitchB to implement communication between the device and devices
from other vendors.
Procedure
Step 1 Create VLANs.
# Create VLAN 100 and VLAN 200 on SwitchA.
<HUAWEI> system-view
[~HUAWEI] sysname SwitchA
[~HUAWEI] commit
[~SwitchA] vlan batch 100 200
[~SwitchA] commit
# Create VLAN 100 and VLAN 200 on SwitchB.
<HUAWEI> system-view
[~HUAWEI] sysname SwitchB
[~HUAWEI] commit
[~SwitchB] vlan batch 100 200
[~SwitchB] commit
Step 2 Set the link type of the interface to QinQ.
# Configure 10GE1/0/1 and 10GE1/0/2 of SwitchA as QinQ interfaces. Set the VLAN of
10GE1/0/1 to VLAN 100 and the VLAN of 10GE1/0/2 to VLAN 200.
[~SwitchA] interface 10ge 1/0/1
[~SwitchA-10GE1/0/1] port link-type dot1q-tunnel
[~SwitchA-10GE1/0/1] port default vlan 100
[~SwitchA-10GE1/0/1] quit
[~SwitchA] interface 10ge 1/0/2
[~SwitchA-10GE1/0/2] port link-type dot1q-tunnel
[~SwitchA-10GE1/0/2] port default vlan 200
[~SwitchA-10GE1/0/2] commit
[~SwitchA-10GE1/0/2] quit
# Configure 10GE1/0/1 and 10GE1/0/2 of SwitchB as QinQ interfaces. Set the VLAN of
10GE1/0/1 to VLAN 100 and the VLAN of 10GE1/0/2 to VLAN 200. The configuration
procedure of SwitchB is the same as that of SwitchA.
Step 3 Configure the interface connecting to the public network on the switch.
# Add 10GE1/0/3 of SwitchA to VLAN 100 and VLAN 200.
[~SwitchA] interface 10ge 1/0/3
[~SwitchA-10GE1/0/3] port link-type trunk
[~SwitchA-10GE1/0/3] port trunk allow-pass vlan 100 200
[~SwitchA-10GE1/0/3] commit
[~SwitchA-10GE1/0/3] quit
# Add 10GE1/0/3 of SwitchB to VLAN 100 and VLAN 200. The configuration procedure of
SwitchB is the same as that of SwitchA.
Step 4 Configure the TPID value for an outer VLAN tag.
# Set the TPID value of an outer VLAN tag to 0x9100 on SwitchA.
[~SwitchA] interface 10ge 1/0/3
[~SwitchA-10GE1/0/3] qinq protocol 9100
[~SwitchA-10GE1/0/3] commit
# Set the TPID value of an outer VLAN tag to 0x9100 on SwitchB.
[~SwitchB] interface 10ge 1/0/3
[~SwitchB-10GE1/0/3] qinq protocol 9100
[~SwitchB-10GE1/0/3] commit
Step 5 Verify the configuration.
Ping a server in a VLAN of production services in a branch from a server in the same VLAN
of production services in the other branch. If the two servers can ping each other, production
services can communicate.
Ping a server in a VLAN of office services in a branch from a server in the same VLAN of
office services in the other branch. If the two servers can ping each other, office services can
communicate.
Ping a server in a VLAN of office services in a branch from a server in the same VLAN of
production services in the other branch. If the two servers cannot ping each other, different
services are isolated.
----End
Configuration Files
Configuration file of SwitchA
#
sysname SwitchA
#
vlan batch 100 200
#
interface 10GE1/0/1
port link-type dot1q-tunnel
port default vlan 100
#
interface 10GE1/0/2
port link-type dot1q-tunnel
port default vlan 200
#
interface 10GE1/0/3
port link-type trunk
port trunk allow-pass vlan 100 200
qinq protocol 9100
#
return
Configuration file of SwitchB
#
sysname SwitchB
#
vlan batch 100 200
#
interface 10GE1/0/1
port link-type dot1q-tunnel
port default vlan 100
#
interface 10GE1/0/2
port link-type dot1q-tunnel
port default vlan 200
#
interface 10GE1/0/3
port link-type trunk
port trunk allow-pass vlan 100 200
qinq protocol 9100
#
return
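The constraints stated in sections 3.3 and 3.4 can be checked against a saved configuration file before it is deployed. The following Python script is an added example, not a Huawei tool: it parses the SwitchA configuration file shown above and a constructed broken variant, and reports QinQ interfaces whose outer VLAN is left at the default VLAN 1, is not created, or is not permitted on any trunk, and QinQ interfaces that carry the qinq protocol command. The finding names and the set of checks are assumptions made for this example.

```python
# SwitchA configuration file from this guide (indentation restored).
SWITCH_A = """\
#
sysname SwitchA
#
vlan batch 100 200
#
interface 10GE1/0/1
 port link-type dot1q-tunnel
 port default vlan 100
#
interface 10GE1/0/2
 port link-type dot1q-tunnel
 port default vlan 200
#
interface 10GE1/0/3
 port link-type trunk
 port trunk allow-pass vlan 100 200
 qinq protocol 9100
#
return
"""

# Constructed counter-example (not from the guide).
BROKEN = """\
vlan batch 100
#
interface 10GE1/0/1
 port link-type dot1q-tunnel
#
interface 10GE1/0/2
 port link-type dot1q-tunnel
 port default vlan 200
 qinq protocol 9100
#
interface 10GE1/0/3
 port link-type trunk
 port trunk allow-pass vlan 100
#
return
"""


def parse_vlan_list(tokens):
    """Expand '100 200', '10 to 50' or 'all' into a set of VLAN IDs."""
    if tokens == ["all"]:
        return set(range(1, 4095))
    vlans, i = set(), 0
    while i < len(tokens):
        if i + 2 < len(tokens) and tokens[i + 1] == "to":
            vlans.update(range(int(tokens[i]), int(tokens[i + 2]) + 1))
            i += 3
        else:
            vlans.add(int(tokens[i]))
            i += 1
    return vlans


def parse_config(text):
    """Collect created VLANs and per-interface settings, using the guide's defaults
    (link type Access, default VLAN 1) for anything not configured."""
    cfg = {"vlans": {1}, "interfaces": {}}
    current = None
    for raw in text.splitlines():
        words = raw.split()
        if not words or words[0] in ("#", "return"):
            current = None
        elif words[:2] == ["vlan", "batch"]:
            cfg["vlans"] |= parse_vlan_list(words[2:])
        elif words[0] == "interface" and len(words) == 2:
            current = cfg["interfaces"].setdefault(
                words[1], {"link_type": "access", "pvid": 1, "allow": set(), "tpid": None})
        elif current is None:
            continue
        elif words[:2] == ["port", "link-type"] and len(words) == 3:
            current["link_type"] = words[2]
        elif words[:3] == ["port", "default", "vlan"] and len(words) == 4:
            current["pvid"] = int(words[3])
        elif words[:4] == ["port", "trunk", "allow-pass", "vlan"]:
            current["allow"] |= parse_vlan_list(words[4:])
        elif words[:2] == ["qinq", "protocol"] and len(words) == 3:
            current["tpid"] = int(words[2], 16)
    return cfg


def audit(cfg):
    """Return (interface, finding) pairs for every dot1q-tunnel interface."""
    trunk_vlans = set()
    for itf in cfg["interfaces"].values():
        if itf["link_type"] == "trunk":
            trunk_vlans |= itf["allow"]
    findings = []
    for name, itf in cfg["interfaces"].items():
        if itf["link_type"] != "dot1q-tunnel":
            continue
        if itf["tpid"] is not None:   # qinq protocol cannot be used on a QinQ interface
            findings.append((name, "tpid-on-tunnel-port"))
        if itf["pvid"] == 1:          # outer VLAN was never specified
            findings.append((name, "default-outer-vlan"))
            continue
        if itf["pvid"] not in cfg["vlans"]:
            findings.append((name, "outer-vlan-not-created"))
        if itf["pvid"] not in trunk_vlans:
            findings.append((name, "outer-vlan-not-on-trunk"))
    return findings


if __name__ == "__main__":
    print("SwitchA:", audit(parse_config(SWITCH_A)))
    print("broken :", audit(parse_config(BROKEN)))
```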
4 MAC Address Table Configuration
About This Chapter
This chapter provides the basics for MAC address table configuration, configuration procedure,
and configuration examples.
4.1 MAC Address Table Overview
A MAC address table records the MAC address, interface number, and VLAN ID of the device
connected to the device.
4.2 MAC Address Features Supported by the Device
This section describes the MAC address features supported by the switch and provides usage
scenarios of the features to help you complete configuration.
4.3 Default Configuration
This section describes the default configuration of the MAC address table.
4.4 Configuring the MAC Address Table
This section describes procedures to configure static, blackhole, and dynamic MAC address
entries, prevent an interface from learning MAC addresses, and limit the number of learned MAC
addresses.
4.5 Configuring Port Security
The port security function changes MAC addresses learned on an interface into secure MAC
addresses (including secure dynamic MAC addresses and sticky MAC addresses). Only hosts
using secure MAC addresses or static MAC addresses can communicate with the device through
the interface. This function enhances security of the device.
4.6 Configuring MAC Address Anti-flapping
You can configure MAC address anti-flapping to ensure that the device learns MAC addresses
on correct interfaces, preventing unauthorized users from accessing the device.
4.7 Configuring MAC Address Flapping Detection
MAC address flapping detection detects all MAC addresses on the device. If MAC address
flapping occurs, the device sends an alarm to the NMS.
4.8 Configuring the Switch to Discard Packets with an All-0 MAC Address
A faulty network device may send a packet with an all-0 source or destination MAC address to
the switch. You can configure the switch to discard such packets.
4.9 Discarding Packets that Cannot Match MAC Address Entries
This function enables the device to discard packets that cannot match MAC address entries,
which reduces workload on the device and improves packet security.
4.10 Enabling Port Bridge
The port bridge function enables an interface to forward packets in which the source and
destination MAC addresses are the same.
4.11 Configuration Examples
This section provides several configuration examples of MAC address.
4.12 Common Configuration Errors
This section describes how to process common configuration errors in MAC address entries.
4.1 MAC Address Table Overview
A MAC address table records the MAC address, interface number, and VLAN ID of the device
connected to the device.
Each device maintains a MAC address table. A MAC address table records the MAC address,
interface number, and VLAN ID of the connected devices. When forwarding a data frame, the
device searches the MAC table for the outbound interface according to the destination MAC
address in the frame. This helps the device reduce broadcasting.
Categories of MAC Address Entries
MAC address entries are classified into dynamic entries, static entries, and
blackhole entries.
• A dynamic entry is created by learning the source MAC address. It has an aging time.
• A static entry is set by users. It does not age.
• A blackhole entry is used to discard frames with the specified source MAC address or
destination MAC address. Users manually set the blackhole entries. Blackhole entries have
no aging time.
Dynamic entries are lost after the system is reset. Static entries and blackhole entries,
however, are not lost.
Generation of a MAC address entry
MAC address entries are generated automatically or configured manually.
• Automatically Generated MAC Address Entries
MAC address entries are learned by the system automatically. For example, SwitchA and
SwitchB are connected. When SwitchB sends a frame to SwitchA, SwitchA obtains the
source MAC address (the MAC address of SwitchB) from the frame and adds the source
MAC address and the interface number to the MAC address table. When SwitchA later receives
a frame destined for SwitchB, SwitchA searches the MAC address table to find the
correct outbound interface.
The device updates the MAC table at intervals to adapt to network changes. Entries in the
MAC table are not valid indefinitely; each entry has its own lifetime. If an entry has not
been refreshed when its lifetime expires, the device deletes the entry from the MAC table.
This lifetime is called the aging time. If the entry is refreshed before its lifetime
expires, the device resets the aging time for it.
• Manually Configured MAC Address Entries
When the device creates MAC address entries automatically, it cannot identify whether
packets come from legitimate users or from hackers. This threatens network security.
Hackers can forge the source MAC address in attack packets. When a packet with a forged
address enters the device through a different port, the device learns an incorrect MAC
address entry. As a result, packets destined for legitimate users are forwarded to the hackers.
For security, the network administrator can manually add static entries to the MAC table
to bind a user's device to a port of the device. In this way, the device prevents
unauthorized users from stealing data.
By configuring blackhole MAC address entries, you can prevent traffic of specified users
from passing through the device, which prevents attacks from unauthorized users.
MAC address entries configured by users take priority over entries generated by the device
itself.
Aging Time of MAC Addresses
To adapt to the changes of networks, the MAC table needs to be updated constantly. The dynamic
entries automatically created in a MAC address table are not always valid. Each entry has a life
cycle. The entry that has never been updated till its life cycle ends will be deleted. This life cycle
is called aging time. If the entry is updated before its life cycle ends, the aging time of the entry
is recalculated.
Dynamically learned MAC address entries age, whereas static MAC address entries do not age.
Figure 4-1 Aging of MAC addresses
[Figure: time axis starting at 0 with marks at 1T, 2T, 3T, and 4T, and events at t1, t2, and t3]
As shown in the preceding figure, the aging time of MAC addresses is set to T. At t1, packets
with the source MAC address 00e0-fc00-0001 and VLAN ID 1 reach an interface. Assume that
the interface is added to VLAN 1. If no entry with the MAC address as 00e0-fc00-0001 and the
VLAN ID as 1 exists in the MAC address table, the MAC address is added to the MAC address
table as a dynamic MAC address entry and the flag of the matching entry is set to 1.
The device checks all learned dynamic MAC address entries at an interval of T. For example,
at t2, if the device discovers that the flag of the matching dynamic MAC address entry with the
MAC address as 00e0-fc00-0001 and the VLAN ID as 1 is 1, the flag of the matching MAC
address entry is set to 0 and the MAC address entry is not deleted. If packets with the source
MAC address as 00e0-fc00-0001 and the VLAN ID as 1 enter the device between t2 and t3, the
flag of the matching MAC address entry is set to 1 again. If no packet with the source MAC
address as 00e0-fc00-0001 and the VLAN ID as 1 enters the device between t2 and t3, the flag
of the matching MAC address entry is always 0. At t3, after discovering that the flag of the
matching MAC address entry is 0, the device assumes that the aging time of the MAC address
entry expires and deletes the MAC address entry.
As stated above, with automatic aging, the holdtime of a dynamic MAC address entry in the MAC
address table ranges from T to 2T, where T is the aging time configured on the device.
The aging time of MAC addresses is configurable. By setting the aging time of MAC addresses,
you can flexibly control the holdtime of learned dynamic MAC address entries in the MAC
address table.
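The flag mechanism above can be simulated to confirm the T to 2T holdtime. The following Python model is an added example, not device code: it assumes the periodic checks run at T, 2T, 3T and so on, uses the default aging time of 300 seconds, and treats a packet that arrives exactly at a check time as arriving just after the check. The port name and packet times are constructed.

```python
class AgingTable:
    """Dynamic MAC entries with the hit flag described in the text."""

    def __init__(self):
        self.entries = {}  # (mac, vlan) -> {"port": ..., "flag": 0 or 1}

    def learn(self, mac, vlan, port):
        """A packet with this source MAC arrived: create or refresh the entry."""
        self.entries[(mac, vlan)] = {"port": port, "flag": 1}

    def scan(self):
        """Periodic check run every T: flag 1 becomes 0, flag 0 means delete."""
        for key, entry in list(self.entries.items()):
            if entry["flag"] == 1:
                entry["flag"] = 0
            else:
                del self.entries[key]


def deletion_time(aging_time, packet_times,
                  mac="00e0-fc00-0001", vlan=1, port="10GE1/0/1"):
    """Time of the periodic check that deletes the entry, given the arrival
    times (in seconds) of packets with this source MAC."""
    if not packet_times:
        raise ValueError("at least one packet is needed to create the entry")
    table = AgingTable()
    pending = sorted(packet_times)
    check = 0
    while True:
        check += 1
        check_at = check * aging_time
        # Deliver every packet that arrived before this check.
        while pending and pending[0] < check_at:
            table.learn(mac, vlan, port)
            pending.pop(0)
        table.scan()
        if not pending and (mac, vlan) not in table.entries:
            return check_at


def holdtime(aging_time, packet_times):
    """How long the entry outlives the last packet from that MAC."""
    return deletion_time(aging_time, packet_times) - max(packet_times)


if __name__ == "__main__":
    T = 300  # default aging time in this guide, in seconds
    for last in (1, 299, 301, 450):
        print(f"last packet at {last:>3} s -> entry held {holdtime(T, [last])} s")
    print("refreshed at 10 s and 450 s -> deleted at", deletion_time(T, [10, 450]), "s")
```

A MAC that stops sending just before a check is held for slightly more than T, while one that stops just after a check is held for almost 2T, so a stale entry can outlive its host by up to twice the configured aging time.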
Packet Forwarding Based on the MAC Address Table
The device forwards packets based on the MAC address table in either of the following modes:
• Unicast mode: If the destination MAC address of a packet can be found in the MAC address
table, the device forwards the packet through the outbound interface specified in the
matching entry.
• Broadcast mode: If a packet is a broadcast or multicast packet or its destination MAC
address cannot be found in the MAC address table, the device broadcasts the packet to all
the interfaces in the VLAN except the inbound interface.
4.2 MAC Address Features Supported by the Device
This section describes the MAC address features supported by the switch and provides usage
scenarios of the features to help you complete configuration.
1. You can configure the following MAC address features to improve device security and
control the number of entries in the MAC address table.
Table 4-1 Basic functions of MAC address entries
Function | Usage Scenario
Static MAC address entry | Create static MAC address entries for MAC addresses of fixed upstream devices or trusted user devices to improve communication security.
Blackhole MAC address entry | It can prevent hackers from attacking a network using bogus MAC addresses.
Aging time of a dynamic MAC address entry | Set a proper aging time for dynamic MAC addresses to prevent sharp increase of dynamic MAC address entries.
Disabling MAC address learning | This method can be used on a network where the topology seldom changes or forwarding paths are specified in static MAC address entries. This method prevents users with unknown MAC addresses from accessing the network, protects the network from MAC address attacks, and improves network security.
Limiting the number of MAC addresses that can be learned | MAC address limiting protects the switch from MAC address attacks on an insecure network.

2. You can use the following methods to improve security or meet special requirements:
Table 4-2 Extended functions of MAC address entries
Function | Usage Scenario
Port security | If a network requires high security, port security can be configured on the interfaces connected to trusted devices. The port security function prevents devices with untrusted MAC addresses from accessing these interfaces and improves device security.
MAC address anti-flapping | MAC address flapping occurs when a MAC address is learned on two interfaces. If an interface is connected to a trusted upstream device or server, you can set a high MAC address learning priority for the interface. The MAC address learned by the interface will not be overridden by an entry learned by another interface. This protects the switch from MAC address attacks.
MAC address flapping detection | This function reduces the impact of loops on the switch.
Discarding packets with an all-zero MAC address | A faulty device may send packets with an all-zero source or destination MAC address to the switch. You can configure the switch to discard such packets and send an alarm to the network management system (NMS). You can locate the faulty device according to the trap message.
Port bridge | This function enables an interface to process packets in which the source and destination MAC addresses are the same. It can be configured on a switch connected to a device without Layer 2 forwarding capability or a switch functioning as an access device in a data center.

Static MAC Address Entries
As shown in Figure 4-2, an interface on the Switch is connected to an upstream device or a
server. Attackers may set the source MAC address of packets to the server MAC address and
send the packets to the Switch to intercept data of the server. To protect the server and ensure
communication between users and the server, you can configure a static MAC address entry in
which the destination MAC address is the server MAC address and the outbound interface is the
interface connected to the server.
Figure 4-2 Network diagram of static MAC address entry configuration
[Figure: network diagram showing Network, Server, Switch, SwitchA, User1, and User2]
Blackhole MAC Address Entry
To save MAC address table space and protect user devices or network devices from MAC
address attacks, you can configure untrusted MAC addresses as blackhole MAC addresses.
Packets with source or destination MAC addresses matching the blackhole MAC address entries
are discarded.
MAC Address Aging
Dynamic MAC address entries are learned by the switch from source MAC addresses of received
packets. Dynamic MAC address entries are not always valid. An aging timer is configured for
each dynamic MAC address entry. If a dynamic MAC address entry is not updated within a
certain period (twice the aging time), the entry is deleted. If the entry is updated within this
period, the aging timer of this entry is reset.
When the network topology changes frequently, the switch learns many MAC addresses. After
the aging time of dynamic MAC address entries is set, the device can delete unneeded MAC
address entries to prevent a sharp increase of MAC address entries.
Disabling MAC Address Learning
When a switch with MAC address learning enabled receives an Ethernet frame, it records the
source MAC address and inbound interface of the Ethernet frame in a MAC address entry. When
receiving other Ethernet frames destined for this MAC address, the switch forwards the frames
through the outbound interface according to the MAC address entry. The MAC address learning
function reduces broadcast packets on a network.
After MAC address learning is disabled on an interface, the switch does not learn source MAC
addresses of packets received by the interface.
Limiting the Number of Learned MAC Addresses
The switch can limit the number of MAC addresses learned on an interface or in a VLAN. When the
number of learned MAC address entries reaches the limit, the device stops learning MAC
addresses. You can configure the device to generate an alarm. This prevents hackers from
attacking user devices or the network using MAC addresses.
Port Security
The port security function changes MAC addresses learned on an interface into secure MAC
addresses (including secure dynamic MAC addresses and sticky MAC addresses). Only hosts
using secure MAC addresses or static MAC addresses can communicate with the device through
the interface. This function enhances security of the device.
MAC Address Anti-flapping
MAC address flapping occurs on a network when the network has a loop or is attacked. To
prevent MAC address flapping, you can set MAC address learning priorities for interfaces so
that MAC addresses can be learned by correct interfaces. When the same MAC address entries
are learned by interfaces of different priorities, the MAC address entries learned by the interface
with the highest priority overrides the MAC address entries learned by other interfaces. You can
also configure the device to forbid MAC address flapping between interfaces with the same
priority.
Figure 4-3 Networking diagram of MAC address anti-flapping
[Figure: a server with MAC:11-22-33 connected to Port1 of the Switch, and an unauthorized user using MAC:11-22-33 connected to the Switch]
As shown in Figure 4-3, you can set a high MAC address learning priority on Port1 to prevent
unauthorized users from using the server MAC address to access the switch.
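The following Python model is an added example, not device code. It combines the entry types, the forwarding modes and the learning priority described in this chapter, and shows where traffic for a server ends up after the server's MAC address also appears as a source address on a second port, with and without each protection. The class, the port names and the MAC addresses are constructed, and the exact override rule is a reading of the text above rather than documented device behaviour.

```python
BROADCAST = "ffff-ffff-ffff"
# Constructed addresses for illustration.
SERVER, USER, OTHER = "00e0-fc00-0001", "00e0-fc00-0002", "00e0-fc00-0003"


class MacTable:
    def __init__(self, vlan_ports, forbid_same_priority_flapping=False):
        self.vlan_ports = vlan_ports   # vlan -> list of member ports
        self.forbid_same = forbid_same_priority_flapping
        self.priority = {}             # port -> learning priority (default 0)
        self.entries = {}              # (mac, vlan) -> (kind, port)

    def add_static(self, mac, vlan, port):
        self.entries[(mac, vlan)] = ("static", port)

    def add_blackhole(self, mac, vlan):
        self.entries[(mac, vlan)] = ("blackhole", None)

    def learn(self, mac, vlan, port):
        """Source learning. Returns True if the table changed."""
        current = self.entries.get((mac, vlan))
        if current is None:
            self.entries[(mac, vlan)] = ("dynamic", port)
            return True
        kind, old_port = current
        if kind != "dynamic" or old_port == port:
            return False               # user-configured entries take priority
        new_p = self.priority.get(port, 0)
        old_p = self.priority.get(old_port, 0)
        if new_p > old_p or (new_p == old_p and not self.forbid_same):
            self.entries[(mac, vlan)] = ("dynamic", port)   # the entry moves (flapping)
            return True
        return False

    def receive(self, src, dst, vlan, in_port):
        """Learn from the frame, then return the list of outbound ports ([] = discarded)."""
        src_entry = self.entries.get((src, vlan))
        if src_entry and src_entry[0] == "blackhole":
            return []
        self.learn(src, vlan, in_port)
        dst_entry = self.entries.get((dst, vlan))
        if dst == BROADCAST or dst_entry is None:
            # Broadcast mode: all ports in the VLAN except the inbound one.
            return [p for p in self.vlan_ports[vlan] if p != in_port]
        kind, out_port = dst_entry
        if kind == "blackhole" or out_port == in_port:
            return []                  # same-port forwarding needs port bridge
        return [out_port]              # unicast mode


def server_path_after_conflict(protect=None):
    """Server sits on Port1; its MAC then shows up as a source on Port3.
    Returns the ports that receive a later frame from the user to the server."""
    table = MacTable({1: ["Port1", "Port2", "Port3"]},
                     forbid_same_priority_flapping=(protect == "forbid"))
    if protect == "static":
        table.add_static(SERVER, 1, "Port1")
    if protect == "priority":
        table.priority["Port1"] = 1
    table.receive(SERVER, BROADCAST, 1, "Port1")
    table.receive(SERVER, BROADCAST, 1, "Port3")
    return table.receive(USER, SERVER, 1, "Port2")


if __name__ == "__main__":
    for mode in (None, "static", "priority", "forbid"):
        print(f"{str(mode):>8}: user-to-server traffic leaves on",
              server_path_after_conflict(mode))
```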
MAC Address Flapping Detection
MAC address flapping occurs when a MAC address is learned by two interfaces in the same
VLAN. The MAC address entry learned later replaces the earlier one.
MAC address flapping occurs on a network when the network has a loop or is attacked. As shown
in Figure 4-4, a loop occurs on a user network because network cables between two devices are
incorrectly connected. The loop causes MAC address flapping and MAC address table flapping.
MAC address flapping detection enables the device to check all MAC addresses. If MAC address
flapping occurs, the device sends an alarm to the NMS. You can locate the faulty device
according to the alarm and MAC address flapping history records. This greatly improves network
maintainability. If the user network connected to the device does not support loop prevention
protocols, configure the device to shut down the interfaces where MAC address flapping occurs.
This reduces the impact of MAC address flapping on the user network.
Figure 4-4 Networking diagram of MAC address flapping detection
[Figure: the Switch connected to a Network that contains an incorrect connection]
Port Bridge
By default, an interface does not forward packets whose source and destination MAC addresses
are both learned by this interface. When the interface receives such a packet, it discards the
packet as an invalid packet.
After the port bridge function is enabled on the interface, the interface forwards such a packet
if the destination MAC address of the packet is in the MAC address table.
The port bridge function is used in the following scenarios:
• As shown in Figure 4-5, the switch connects to a hub that does not provide Layer 2
forwarding capability. When User1 and User2 connected to the hub want to communicate,
the hub sends packets to the switch and the switch then forwards packets between User1
and User2. Because source and destination MAC addresses of the packets are learned by
Interface1 on the switch, enable the port bridge function on Interface1 so that Interface1
forwards packets with the same source and destination.
Figure 4-5 Networking of port bridge
[Figure labels: Switch; Interface 1; Hub; User1; User2]
• As shown in Figure 4-6, the switch functions as an access switch in a data center and is
connected to servers. Each server is configured with multiple virtual machines. The virtual
machines need to transmit data to each other. If virtual machines exchange data on servers,
data switching speed and server performance are reduced. To improve data switching speed
and server performance, enable the port bridge function on Interface1 so that Interface1
learns MAC addresses of virtual machines. The switch then exchanges data between virtual
machines.
Figure 4-6 Networking of port bridge
[Figure labels: Switch; Interface 1; Hardware; Virtual Switch; VM1; VM2; VM3]
4.3 Default Configuration
This section describes the default configuration of the MAC address table.
Table 4-3 Default values of a MAC address entry
Parameter                                                                        Default Value
Aging time of a dynamic MAC address entry                                        300 seconds
Whether MAC address learning is enabled                                          Enabled
MAC address learning priority of an interface                                    0
Port security                                                                    Disabled
Limit on the number of MAC addresses learned by an interface                     1
Action to be taken when the number of learned MAC addresses reaches the limit    Restrict
MAC address flapping detection                                                   Enabled
Aging time of flapping MAC addresses                                             300 seconds
Discarding packets with all-0 invalid MAC addresses                              Disabled
Port bridge                                                                      Disabled

4.4 Configuring the MAC Address Table
This section describes procedures to configure static, blackhole, and dynamic MAC address
entries, prevent an interface from learning MAC addresses, and limit the number of learned MAC
addresses.
4.4.1 Configuring a Static MAC Address Entry
Context
To ensure communication security, you can configure MAC addresses of trusted upstream
devices or users as static MAC address entries.
Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
mac-address static mac-address interface-type interface-number vlan vlan-id
A static MAC address entry is configured.
NOTE
A static MAC address entry takes precedence over a dynamic MAC address entry. The system discards packets
with configured static MAC addresses that have been learned by other interfaces.
Step 3 Run:
commit
The configuration is committed.
----End
4.4.2 Configuring a Blackhole MAC Address Entry
Context
To save MAC address table space and protect user devices or network devices from MAC
address attacks, you can configure untrusted MAC addresses as blackhole MAC addresses.
Packets with source or destination MAC addresses matching the blackhole MAC address entries
are discarded.
Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
mac-address blackhole mac-address vlan vlan-id
A blackhole MAC address entry is configured.
Step 3 Run:
commit
The configuration is committed.
----End
4.4.3 Setting the Aging Time of Dynamic MAC Address Entries
Context
The network topology changes frequently, and the switch will learn many MAC addresses. After
the aging time of dynamic MAC address entries is set, the device can delete unneeded MAC
address entries to prevent sharp increase of MAC address entries. A shorter aging time is
applicable to networks where network topology changes frequently, and a longer aging time is
applicable to stable networks.
Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
mac-address aging-time aging-time
The aging time of a dynamic MAC address entry is set.
The value of aging-time is 0 or an integer that ranges from 60 to 1000000, in seconds. The default
value is 300. The value 0 indicates that dynamic MAC address entries will not be aged out.
Step 3 Run:
commit
The configuration is committed.
----End
4.4.4 Disabling MAC Address Learning
Context
When a switch with MAC address learning enabled receives an Ethernet frame, it records the
source MAC address and inbound interface of the Ethernet frame in a MAC address entry. When
receiving other Ethernet frames destined for this MAC address, the switch forwards the frames
through the outbound interface according to the MAC address entry. The MAC address learning
function reduces broadcast packets on a network. After MAC address learning is disabled on an
interface, the switch does not learn source MAC addresses of packets received by the interface.
Procedure
• Disabling MAC address learning in the interface view
1. Run:
system-view
The system view is displayed.
2. Run:
interface interface-type interface-number
The interface view is displayed.
3. Run:
mac-address learning disable [ action { discard | forward } ]
MAC address learning is disabled on the interface.
By default, MAC address learning is enabled on an interface.
By default, the switch performs the forward action after MAC address learning is
disabled. That is, the switch forwards packets according to the MAC address table.
When the action is configured to discard, the switch matches the source MAC
addresses of packets with the MAC address entries. If the inbound interface and source
MAC address of a packet match a MAC address entry, the switch forwards the
packet. Otherwise, the switch discards the packet.
4. Run:
commit
The configuration is committed.
• Disabling MAC address learning in the VLAN view
1. Run:
system-view
The system view is displayed.
2. Run:
vlan vlan-id
The VLAN view is displayed.
3. Run:
mac-address learning disable
MAC address learning is disabled in the VLAN.
By default, MAC address learning is enabled in a VLAN.
4. Run:
commit
The configuration is committed.
----End
4.4.5 Limiting the Number of Learned MAC Addresses
Context
A network with low security may be subject to MAC address attacks. The capacity of a MAC
address table is limited. Therefore, when hackers forge a large quantity of packets with different
source MAC addresses and send the packets to the switch, the MAC address table of the
switch may reach its full capacity. When the MAC address table is full, the switch cannot learn
source MAC addresses of valid packets.
You can limit the number of MAC addresses learned on the switch. When the number of learned
MAC address entries reaches the limit, the switch does not learn new MAC addresses. Packets
whose source MAC addresses are not in the MAC address table are forwarded, but their MAC
addresses are not recorded in the MAC address table. You can enable the device to send traps
to the NMS. This prevents MAC address attacks and improves network security.
Procedure
• Limiting the number of MAC addresses learned by an interface
1. Run:
system-view
The system view is displayed.
2. Run:
interface interface-type interface-number
The interface view is displayed.
3. Run:
mac-address limit maximum max-num
The maximum number of MAC addresses learned on the interface is set.
By default, the number of MAC addresses learned on an interface is not limited.
4. Run:
mac-address limit alarm { disable | enable }
The switch is configured to (or not to) send a trap to the NMS when the number of
learned MAC addresses reaches the limit.
By default, the switch sends a trap to the NMS when the number of learned MAC
addresses reaches the limit.
5. Run:
commit
The configuration is committed.
• Limiting the number of MAC addresses learned in a VLAN
1. Run:
system-view
The system view is displayed.
2. Run:
vlan vlan-id
The VLAN view is displayed.
3. Run:
mac-address limit maximum max-num
The maximum number of MAC addresses learned in the VLAN is set.
By default, the number of MAC addresses learned in a VLAN is not limited.
4. Run:
mac-address limit alarm { disable | enable }
The switch is configured to (or not to) send a trap to the NMS when the number of
learned MAC addresses reaches the limit.
By default, the switch sends a trap to the NMS when the number of learned MAC
addresses reaches the limit.
5. Run:
commit
The configuration is committed.
----End
4.4.6 Checking the Configuration
Procedure
• Run the display mac-address command to view all MAC address entries.
• Run the display mac-address static command to view static MAC address entries.
• Run the display mac-address dynamic command to view dynamic MAC address entries.
• Run the display mac-address blackhole command to view blackhole MAC address
entries.
• Run the display mac-address aging-time command to view the aging time of dynamic
MAC address entries.
• Run the display mac-address summary command to view statistics on all the MAC
address entries.
• Run the display mac-address total-number command to view the number of MAC
address entries.
• Run the display mac-address limit command to view the limit of the number of learned
MAC addresses.
----End
4.5 Configuring Port Security
The port security function changes MAC addresses learned on an interface into secure MAC
addresses (including secure dynamic MAC addresses and sticky MAC addresses). Only hosts
using secure MAC addresses or static MAC addresses can communicate with the device through
the interface. This function enhances security of the device.
Pre-configuration Tasks
Before configuring port security on an interface, complete the following tasks:
• Disabling MAC address limiting on the interface
• Disabling MUX VLAN on the interface
• Disabling MAC address security for DHCP snooping on the interface
4.5.1 Configuring the Secure Dynamic MAC Function on an
Interface
Context
If a network requires high access security, you can configure port security on specified interfaces.
MAC addresses learned by these interfaces change to secure dynamic MAC addresses or sticky
MAC addresses. When the number of learned MAC addresses reaches the limit, the interface
does not learn new MAC addresses and allows only the devices with the learned MAC addresses
to communicate with the switch. This prevents devices with untrusted MAC addresses from
accessing these interfaces, improving security of the switch and the network.
By default, secure dynamic MAC addresses will not be aged out. You can set the aging time for
secure dynamic MAC addresses so that they can be aged out. Secure dynamic MAC addresses
are lost after the device restarts and the device needs to learn the MAC addresses again.
Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
interface interface-type interface-number
The interface view is displayed.
Step 3 Run:
port-security enable
Port security is enabled.
By default, port security is disabled on an interface.
Step 4 (Optional) Run:
port-security maximum max-number
The limit on the number of secure dynamic MAC addresses is set.
By default, the limit on the number of secure dynamic MAC addresses is 1.
Step 5 (Optional) Run:
port-security protect-action { protect | restrict | shutdown }
The protection action is configured.
The default action is restrict.
The protection actions are as follows:
• protect: discards packets with new source MAC addresses when the number of learned MAC
addresses reaches the limit.
• restrict: discards packets with new source MAC addresses and sends a trap message when
the number of learned MAC addresses exceeds the limit.
• shutdown: sets the interface status to error down and sends a trap message when the number
of learned MAC addresses exceeds the limit.
By default, an interface cannot automatically restore to Up state after it is shut down. To
restore the interface, run the shutdown and undo shutdown commands on the interface in
sequence. Alternatively, run the restart command on the interface to restart the interface.
To configure the interface to go Up automatically, before the error-down event occurs, run
the error-down auto-recovery cause portsec-reachedlimit command in the system view
to set a recovery delay. After the delay, the interface goes Up automatically.
Step 6 (Optional) Run:
port-security aging-time time [ type { absolute | inactivity } ]
The aging time of secure dynamic MAC addresses is set.
By default, secure dynamic MAC addresses will not be aged out.
Step 7 Run:
commit
The configuration is committed.
----End
4.5.2 Configuring the Sticky MAC Function on an Interface
Context
If a network requires high access security, you can configure port security on specified interfaces.
MAC addresses learned by these interfaces change to secure dynamic MAC addresses or sticky
MAC addresses. When the number of learned MAC addresses reaches the limit, the interface
does not learn new MAC addresses and allows only the devices with the learned MAC addresses
to communicate with the switch. This prevents devices with untrusted MAC addresses from
accessing these interfaces, improving security of the switch and the network.
The sticky MAC function changes MAC addresses learned by an interface to sticky MAC
addresses. Sticky MAC addresses will not be aged out. After you save the configuration and
restart the switch, sticky MAC addresses still exist.
Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
interface interface-type interface-number
The interface view is displayed.
Step 3 Run:
port-security enable
Port security is enabled.
By default, port security is disabled on an interface.
Step 4 Run:
port-security mac-address sticky
The sticky MAC function is enabled on the interface.
By default, the sticky MAC function is disabled on an interface.
Step 5 (Optional) Run:
port-security maximum max-number
The limit on the number of sticky MAC addresses is set on the interface.
By default, the limit on the number of sticky MAC addresses is 1.
Step 6 (Optional) Run:
port-security protect-action { protect | restrict | shutdown }
The protection action is configured.
The default action is restrict.
The protection actions are as follows:
• protect: discards packets with new source MAC addresses when the number of learned MAC
addresses reaches the limit.
• restrict: discards packets with new source MAC addresses and sends a trap message when
the number of learned MAC addresses exceeds the limit.
• shutdown: sets the interface status to error down and sends a trap message when the number
of learned MAC addresses exceeds the limit.
By default, an interface cannot automatically restore to Up state after it is shut down. To
restore the interface, run the shutdown and undo shutdown commands on the interface in
sequence. Alternatively, run the restart command on the interface to restart the interface.
To configure the interface to go Up automatically, before the error-down event occurs, run
the error-down auto-recovery cause portsec-reachedlimit command in the system view
to set a recovery delay. After the delay, the interface goes Up automatically.
Step 7 (Optional) Run:
port-security mac-address sticky mac-address vlan vlan-id
A sticky MAC address entry is configured.
Step 8 Run:
commit
The configuration is committed.
----End
4.5.3 Checking the Configuration
Procedure
• Run the display current-configuration interface interface-type interface-number
command to view the current configuration of an interface.
• Run the display mac-address security [ vlan vlan-id | interface-type interface-number ] *
command to view secure dynamic MAC address entries.
• Run the display mac-address sticky [ vlan vlan-id | interface-type interface-number ] *
command to view sticky MAC address entries.
----End
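The settings from 4.4.5 and 4.5 can also be reviewed offline against a saved configuration. The following Python script is an added example, not Huawei code: it reads the '#'-delimited interface blocks used in this guide's configuration files and reports each interface's effective learning control, applying the defaults stated above (limit 1, action restrict, alarm enabled). The sample configuration and its interface numbers are constructed, and the script assumes these commands appear verbatim inside the interface blocks of the saved file.

```python
import re

# Defaults this guide states for an interface with port security enabled.
DEFAULT_MAX, DEFAULT_ACTION = 1, "restrict"

# Constructed sample, laid out like the "Configuration Files" listings in this guide.
SAMPLE_CONFIG = """\
#
interface 10GE1/0/1
 port link-type trunk
 port trunk allow-pass vlan 2
 port-security enable
 port-security mac-address sticky
 port-security maximum 5
 port-security protect-action shutdown
#
interface 10GE1/0/2
 port-security enable
 port-security protect-action protect
#
interface 10GE1/0/3
 mac-address limit maximum 100
 mac-address limit alarm disable
#
interface 10GE1/0/4
 port link-type trunk
#
interface 10GE1/0/5
 port-security enable
 mac-address limit maximum 100
#
return
"""


def parse_interfaces(config_text):
    """Split a '#'-delimited configuration into {interface name: [commands]}."""
    interfaces, current = {}, None
    for raw in config_text.splitlines():
        line = raw.strip()
        if line in ("#", "return"):
            current = None                      # '#' closes the current block
        elif line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif current is not None and line:
            interfaces[current].append(line)
    return interfaces


def _value(commands, pattern, default=None):
    """Return the first capture group of the first command matching pattern."""
    for cmd in commands:
        match = re.fullmatch(pattern, cmd)
        if match:
            return match.group(1)
    return default


def audit_interface(commands):
    """Return (effective settings, findings) for one interface block."""
    findings = []
    port_sec = "port-security enable" in commands
    limit = _value(commands, r"mac-address limit maximum (\d+)")
    if port_sec and limit is not None:
        findings.append("port security and mac-address limit both configured; "
                        "the guide requires MAC address limiting to be disabled first")
    if port_sec:
        settings = {
            "control": "port-security",
            "maximum": int(_value(commands, r"port-security maximum (\d+)", DEFAULT_MAX)),
            "action": _value(commands, r"port-security protect-action (\w+)", DEFAULT_ACTION),
            "sticky": "port-security mac-address sticky" in commands,
        }
        if settings["action"] == "protect":
            findings.append("protect-action protect: the guide lists no trap for this action")
        if not settings["sticky"]:
            findings.append("secure dynamic MAC addresses are lost after a restart")
    elif limit is not None:
        alarm = _value(commands, r"mac-address limit alarm (disable|enable)", "enable")
        settings = {"control": "mac-limit", "maximum": int(limit), "alarm": alarm}
        if alarm == "disable":
            findings.append("trap to the NMS on reaching the limit is disabled")
    else:
        settings = {"control": "none"}
        findings.append("number of learned MAC addresses is not limited")
    return settings, findings


def audit(config_text):
    """Audit every interface block; returns {interface: (settings, findings)}."""
    return {name: audit_interface(cmds)
            for name, cmds in parse_interfaces(config_text).items()}


if __name__ == "__main__":
    for name, (settings, findings) in audit(SAMPLE_CONFIG).items():
        print(name, settings, findings)
```

An interface reported with control "none" is not necessarily wrong (uplinks are commonly left unlimited); the report is a starting point for deciding which user-facing interfaces need a limit.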
4.6 Configuring MAC Address Anti-flapping
You can configure MAC address anti-flapping to ensure that the device learns MAC addresses
on correct interfaces, preventing unauthorized users from accessing the device.
4.6.1 Configuring the MAC Address Learning Priority of an
Interface
Context
To prevent MAC address flapping, configure different MAC address learning priorities for
interfaces. When interfaces learn the same MAC address, the MAC address entry learned by the
interface with the highest priority overrides the MAC address entries learned by the other
interfaces.
Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
interface interface-type interface-number
The interface view is displayed.
Step 3 Run:
mac-learning priority priority-id
The MAC address learning priority of an interface is set.
By default, the MAC address learning priority of an interface is 0. A greater priority value
indicates a higher MAC address learning priority.
Step 4 Run:
commit
The configuration is committed.
----End
4.6.2 Forbidding MAC Address Flapping Between Interfaces with
the Same Priority
Context
You can configure the device to forbid MAC address flapping between interfaces with the same
priority to improve network security.
When the CE series switches are configured to forbid MAC address flapping between interfaces
with the same priority, note the following: if a device (such as a server) connected to a CE series
switch powers off and another interface on the switch then learns the same MAC address as that
device, the correct MAC address cannot be learned after the device powers on.
Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
undo mac-learning priority priority-id allow-flapping
MAC address flapping between interfaces with the same priority is forbidden.
By default, MAC address flapping between interfaces with the same priority is allowed.
Step 3 Run:
commit
The configuration is committed.
----End
4.6.3 Checking the Configuration
Procedure
• Run the display current-configuration command to view the MAC address learning
priorities of interfaces.
----End
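The learning rules in 4.6.1 and 4.6.2, applied to the Figure 4-3 scenario, as an added Python model (not switch code and not from Huawei). It models only which interface owns a MAC address entry; forwarding and timers are left out. The second interface name Port2, VLAN 2 and the explicit removal of the entry while the server is off are assumptions made for the example.

```python
SERVER_MAC, VLAN = "11-22-33", 2     # MAC from Figure 4-3; VLAN 2 is an assumed value


class MacTable:
    """Learning decisions only; forwarding and aging timers are not modelled."""

    def __init__(self):
        self.priority = {}            # interface -> MAC learning priority (default 0)
        self.flap_forbidden = set()   # priorities with same-priority flapping forbidden
        self.entries = {}             # (vlan, mac) -> interface that owns the entry

    def set_priority(self, interface, value):
        """Models: mac-learning priority <value> in the interface view."""
        self.priority[interface] = value

    def forbid_flapping(self, value):
        """Models: undo mac-learning priority <value> allow-flapping in the system view."""
        self.flap_forbidden.add(value)

    def remove(self, vlan, mac):
        """Drop an entry (assumed to happen while its owner is powered off)."""
        self.entries.pop((vlan, mac), None)

    def learn(self, vlan, mac, interface):
        """Process a source MAC seen on interface; return the interface owning the entry."""
        key = (vlan, mac)
        owner = self.entries.get(key)
        if owner is None:
            self.entries[key] = interface
            return interface
        new_p = self.priority.get(interface, 0)
        old_p = self.priority.get(owner, 0)
        if new_p > old_p:
            self.entries[key] = interface      # higher priority overrides
        elif new_p == old_p and new_p not in self.flap_forbidden:
            self.entries[key] = interface      # default: the later entry replaces the earlier
        return self.entries[key]


def _table(server_priority, forbid_same_priority):
    """Build a table with the server on Port1 and every other interface at priority 0."""
    table = MacTable()
    table.set_priority("Port1", server_priority)
    if forbid_same_priority:
        table.forbid_flapping(0)
    return table


def spoof_attempt(server_priority=0, forbid_same_priority=False):
    """Server is learned on Port1, then the same MAC appears on Port2. Returns the owner."""
    table = _table(server_priority, forbid_same_priority)
    table.learn(VLAN, SERVER_MAC, "Port1")
    return table.learn(VLAN, SERVER_MAC, "Port2")


def server_returns(server_priority=0, forbid_same_priority=False):
    """Server powers off, Port2 learns its MAC, then the server comes back on Port1."""
    table = _table(server_priority, forbid_same_priority)
    table.learn(VLAN, SERVER_MAC, "Port1")
    table.remove(VLAN, SERVER_MAC)
    table.learn(VLAN, SERVER_MAC, "Port2")
    return table.learn(VLAN, SERVER_MAC, "Port1")


if __name__ == "__main__":
    print("default settings:            ", spoof_attempt())
    print("Port1 priority 1:            ", spoof_attempt(server_priority=1))
    print("same priority, flap forbidden:", spoof_attempt(forbid_same_priority=True))
    print("server returns, flap forbidden:", server_returns(forbid_same_priority=True))
    print("server returns, Port1 priority 1:", server_returns(server_priority=1))
```

In the model, forbidding same-priority flapping protects the entry only while it exists, whereas a higher priority on Port1 also lets the server reclaim its address after the power-off case described in 4.6.2.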
4.7 Configuring MAC Address Flapping Detection
MAC address flapping detection checks all MAC addresses on the device. If MAC address
flapping occurs, the device sends an alarm to the NMS.
Context
By default, the system performs MAC address flapping detection in all VLANs. In a data center
virtualization scenario (virtual terminal migration), MAC address flapping may occur. This is a
normal situation where MAC address flapping detection is not required. You can configure the
whitelist of VLANs in MAC address flapping detection to prevent MAC address flapping
detection from being performed in a specified VLAN.
Increasing the aging time of flapping MAC addresses will cause MAC address flapping again
and increase the error-down time. To ensure that the system performs MAC address flapping
detection in a timely manner, adjust the aging time of flapping MAC addresses correctly.
If the user network where the device is deployed does not support loop prevention protocols,
configure the device to shut down the interfaces where MAC address flapping occurs. This
reduces the impact of MAC address flapping on the user network.
NOTE
• To prevent uplink traffic interruption, you are not advised to configure the action performed when
MAC address flapping is detected on upstream interfaces.
• MAC address flapping detection can only detect loops on interfaces, but cannot obtain the entire
network topology. If the user network connected to the switch supports loop prevention protocols, use
the loop prevention protocols instead of MAC address flapping detection.
• The MAC address flapping detection function is not applicable to TRILL network scenarios.
Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
mac-address flapping detection
Global MAC address flapping detection is configured.
By default, global MAC address flapping detection is enabled.
Step 3 (Optional) Run:
mac-address flapping detection exclude vlan { vlan-id1 [ to vlan-id2 ] } &<1-10>
The whitelist of VLANs in MAC address flapping detection is configured.
By default, the whitelist of VLANs in MAC address flapping detection is not configured.
Step 4 (Optional) Run:
mac-address flapping aging-time aging-time
The aging time of flapping MAC addresses is set.
By default, the aging time of flapping MAC addresses is 5 minutes.
Step 5 (Optional) Configure the action performed on the interface when MAC address flapping is
detected on the interface.
1. Run:
interface interface-type interface-number
The interface view is displayed.
2. Run:
mac-address flapping trigger error-down
The interface is shut down when MAC address flapping is detected on the interface.
By default, the interface is not shut down when MAC address flapping is detected on the
interface.
Step 6 Run:
commit
The configuration is committed.
----End
Checking the Configuration
Run the display mac-address flapping command to check the MAC address flapping detection
configuration.
Follow-up Procedure
By default, an interface cannot automatically restore to Up state after it is shut down. To restore
the interface, run the shutdown and undo shutdown commands on the interface in sequence.
Alternatively, run the restart command on the interface to restart the interface.
To configure the interface to go Up automatically, run the error-down auto-recovery cause
mac-address-flapping interval interval-value command in the system view to set a recovery
delay. After the delay, the interface goes Up automatically.
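An off-box complement to the detection configured above, as an added Python example (not Huawei code): it compares successive display mac-address listings, in the column layout shown in section 4.11.1, and reports MAC addresses whose Learned-From interface changed within a VLAN, with an exclusion set that plays the role of the VLAN whitelist. The three listings, the Type value dynamic and the excluded VLAN 10 are constructed for the example.

```python
import re
from collections import defaultdict

# One table row: MAC, VLAN/VSI, Learned-From, Type (layout as in section 4.11.1).
ENTRY = re.compile(
    r"^\s*((?:[0-9a-fA-F]{4}-){2}[0-9a-fA-F]{4})\s+(\d+)/\S+\s+(\S+)\s+\S+\s*$")

# Constructed listings, taken at three successive times.
SNAPSHOTS = [
    """\
-------------------------------------------------------------------------------
MAC Address    VLAN/VSI    Learned-From        Type
-------------------------------------------------------------------------------
0002-0002-0002 2/-         10GE1/0/1           dynamic
0003-0003-0003 2/-         10GE1/0/1           dynamic
0004-0004-0004 2/-         10GE1/0/2           static
0005-0005-0005 10/-        10GE1/0/3           dynamic
-------------------------------------------------------------------------------
Total items displayed = 4
""",
    """\
MAC Address    VLAN/VSI    Learned-From        Type
0002-0002-0002 2/-         10GE1/0/2           dynamic
0003-0003-0003 2/-         10GE1/0/1           dynamic
0004-0004-0004 2/-         10GE1/0/2           static
0005-0005-0005 10/-        10GE1/0/4           dynamic
""",
    """\
MAC Address    VLAN/VSI    Learned-From        Type
0002-0002-0002 2/-         10GE1/0/1           dynamic
0004-0004-0004 2/-         10GE1/0/2           static
0005-0005-0005 10/-        10GE1/0/4           dynamic
""",
]


def parse_mac_table(text):
    """Return {(vlan, mac): interface} from one display mac-address listing."""
    table = {}
    for line in text.splitlines():
        match = ENTRY.match(line)
        if match:                      # header, rule and total lines do not match
            mac, vlan, interface = match.group(1).lower(), int(match.group(2)), match.group(3)
            table[(vlan, mac)] = interface
    return table


def find_moves(snapshots, exclude_vlans=()):
    """Return {(vlan, mac): [interfaces in order seen]} for entries that changed interface."""
    path = {}
    for text in snapshots:
        for key, interface in parse_mac_table(text).items():
            if key[0] in exclude_vlans:
                continue               # e.g. VLANs where virtual machines migrate
            seen = path.setdefault(key, [interface])
            if seen[-1] != interface:
                seen.append(interface)
    return {key: seen for key, seen in path.items() if len(seen) > 1}


def interface_pairs(moves):
    """Count, per unordered interface pair, how many MAC addresses moved between them."""
    pairs = defaultdict(int)
    for seen in moves.values():
        for pair in {tuple(sorted(step)) for step in zip(seen, seen[1:])}:
            pairs[pair] += 1
    return dict(pairs)


if __name__ == "__main__":
    moves = find_moves(SNAPSHOTS, exclude_vlans={10})
    for (vlan, mac), seen in moves.items():
        print(f"VLAN {vlan} {mac}: {' -> '.join(seen)}")
    print(interface_pairs(moves))
```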
4.8 Configuring the Switch to Discard Packets with an All-0
MAC Address
A faulty network device may send a packet with an all-0 source or destination MAC address to
the switch. You can configure the switch to discard such packets.
Context
You can configure the switch to discard packets with an all-0 source or destination MAC address.
Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
drop illegal-mac enable
The switch is configured to discard packets with an all-0 MAC address.
By default, the switch does not discard packets with an all-0 MAC address.
Step 3 Run:
commit
The configuration is committed.
----End
Checking the Configuration
Run the display current-configuration command to check whether the switch is configured to
discard packets with an all-0 MAC address.
4.9 Discarding Packets that Cannot Match MAC Address
Entries
This function enables the device to discard packets that cannot match MAC address entries,
which reduces workload on the device and improves packet security.
Context
When a DHCP user goes offline, the MAC address entry of the user ages. If there are packets
destined for this user, the system cannot find the MAC address entry. Therefore, it broadcasts
the packets to all interfaces in the VLAN. In this case, all users can receive the packets. This
affects packet security. This function enables the device to discard packets that cannot match
MAC address entries, which reduces workload on the device and improves packet security.
Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
vlan vlan-id
The VLAN view is displayed.
Step 3 Run:
mac-address miss action discard
Packets that cannot match MAC address entries are discarded.
By default, the device broadcasts packets that cannot match MAC address entries in the VLAN.
Step 4 Run:
commit
The configuration is committed.
----End
Checking the Configuration
Run the display current-configuration command to check whether the device is configured to
discard packets that cannot match MAC address entries.
4.10 Enabling Port Bridge
The port bridge function enables an interface to forward packets in which the source and
destination MAC addresses are the same.
Context
By default, an interface does not forward packets whose source and destination MAC addresses
are both learned by this interface. When the interface receives such a packet, it discards the
packet as an invalid packet.
After the port bridge function is enabled on the interface, the interface forwards such a packet
if the destination MAC address of the packet is in the MAC address table.
The port bridge function is used in the following scenarios:
• The device connects to devices that do not support Layer 2 forwarding. When users
connected to these devices need to send packets, the packets are directly sent to the device
and forwarded by the device. These packets have the same source and destination MAC
address; therefore, you need to enable port bridge to forward packets with the same source
and destination MAC address.
• The device is used as an access device in a data center and is connected to servers. Each
server is configured with multiple virtual machines. The virtual machines need to transmit
data to each other. If data between virtual machines is transmitted on the server, the data
transmission rate and server performance may be affected. To improve the data
transmission rate and server performance, enable the port bridge function on the interfaces
connected to the servers so that the device forwards data packets between the virtual
machines.
Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
interface interface-type interface-number
The interface view is displayed.
Step 3 Run:
port bridge enable
The port bridge function is enabled.
By default, the port bridge function is disabled on an interface.
Step 4 Run:
commit
The configuration is committed.
----End
Checking the Configuration
Run the display current-configuration command to check whether the port bridge function is
enabled.
4.11 Configuration Examples
This section provides several configuration examples for the MAC address table.
4.11.1 Example for Configuring the MAC Address Table
Networking Requirements
As shown in Figure 4-7, the MAC address of the user host PC1 is 0002-0002-0002 and that of
the user host PC2 is 0003-0003-0003. PC1 and PC2 are connected to the Switch through the
LSW. The LSW is connected to 10GE1/0/1 of the Switch, which belongs to VLAN 2. The MAC
address of the server is 0004-0004-0004. The server is connected to 10GE1/0/2 of the Switch.
10GE1/0/2 belongs to VLAN 2.
• To prevent hackers from using MAC addresses to attack the network, configure two static
MAC address entries on the Switch, one for each user host.
• To prevent hackers from stealing user information by forging the MAC address of the
server, configure a static MAC address entry on the Switch for the server.
Figure 4-7 Configuring the MAC address table
[Figure labels: Network; Switch; 10GE1/0/1; 10GE1/0/2; LSW; PC1 (MAC address: 2-2-2); PC2 (MAC address: 3-3-3); Server (MAC address: 4-4-4)]
Configuration Roadmap
The configuration roadmap is as follows:
1. Create a VLAN and add an interface to the VLAN to implement Layer 2 forwarding.
2. Configure static MAC address entries to prevent MAC address attacks.
3. Configure the aging time of dynamic MAC address entries to update the entries.
Procedure
Step 1 Configure static MAC address entries.
# Create VLAN 2 and add 10GE1/0/1 and 10GE1/0/2 to VLAN 2.
<Switch> system-view
[~Switch] vlan 2
[~Switch-vlan2] quit
[~Switch] interface 10ge 1/0/1
[~Switch-10GE1/0/1] port link-type trunk
[~Switch-10GE1/0/1] port trunk allow-pass vlan 2
[~Switch-10GE1/0/1] quit
[~Switch] interface 10ge 1/0/2
[~Switch-10GE1/0/2] port link-type trunk
[~Switch-10GE1/0/2] port trunk allow-pass vlan 2
[~Switch-10GE1/0/2] quit
[~Switch] commit
# Configure a static MAC address entry.
[~Switch] mac-address static 2-2-2 10GE 1/0/1 vlan 2
[~Switch] mac-address static 3-3-3 10GE 1/0/1 vlan 2
[~Switch] mac-address static 4-4-4 10GE 1/0/2 vlan 2
[~Switch] commit
Step 2 Set the aging time of a dynamic MAC address entry.
[~Switch] mac-address aging-time 500
[~Switch] commit
Step 3 Verify the configuration.
# Run the display mac-address command in any view to check whether the static MAC address
entries are successfully added to the MAC address table.
[~Switch] display mac-address static vlan 2
-------------------------------------------------------------------------------
MAC Address VLAN/VSI Learned-From Type
-------------------------------------------------------------------------------
0002-0002-0002 2/- 10GE1/0/1 static
0003-0003-0003 2/- 10GE1/0/1 static
0004-0004-0004 2/- 10GE1/0/2 static
-------------------------------------------------------------------------------
Total items displayed = 3
# Run the display mac-address aging-time command in any view to check whether the aging
time of dynamic entries is set successfully.
[~Switch] display mac-address aging-time
Aging time: 500 second(s)
----End
Configuration Files
Configuration file of the Switch
#
sysname Switch
#
vlan batch 2
#
mac-address aging-time 500
#
interface 10GE1/0/1
port link-type trunk
port trunk allow-pass vlan 2
#
interface 10GE1/0/2
port link-type trunk
port trunk allow-pass vlan 2
#
mac-address static 0002-0002-0002 10GE1/0/1 vlan 2
mac-address static 0003-0003-0003 10GE1/0/1 vlan 2
mac-address static 0004-0004-0004 10GE1/0/2 vlan 2
#
return
4.11.2 Example for Configuring MAC Address Learning in a VLAN
Networking Requirements
As shown in Figure 4-8, user network 1 is connected to 10GE1/0/1 on the Switch through an
LSW, and user network 2 is connected to 10GE1/0/2 on the Switch through another LSW. Both
10GE1/0/1 and 10GE1/0/2 belong to VLAN 2. To prevent MAC address attacks and limit the
number of access users on the device, limit MAC address learning on all the interfaces in VLAN 2.
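Figure 4-8 Networking diagram for MAC address limiting in a VLAN
(Diagram: user network 1 and user network 2 each connect through an LSW to the Switch, on
10GE1/0/1 and 10GE1/0/2; both interfaces are in VLAN 2, and the Switch connects to the network.)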
Configuration Roadmap
The configuration roadmap is as follows:
1. Create a VLAN and add an interface to the VLAN to implement Layer 2 forwarding.
2. Limit MAC address learning on all the interfaces in the VLAN to prevent MAC address
attacks and limit the number of access users.
Procedure
Step 1 Limit MAC address learning.
# Add 10GE1/0/1 and 10GE1/0/2 to VLAN 2.
<Switch> system-view
[~Switch] vlan 2
[~Switch-vlan2] quit
[~Switch] interface 10ge 1/0/1
[~Switch-10GE1/0/1] port link-type trunk
[~Switch-10GE1/0/1] port trunk allow-pass vlan 2
[~Switch-10GE1/0/1] quit
[~Switch] interface 10ge 1/0/2
[~Switch-10GE1/0/2] port link-type trunk
[~Switch-10GE1/0/2] port trunk allow-pass vlan 2
[~Switch-10GE1/0/2] quit
[~Switch] commit
# Configure the following MAC address limiting rule in VLAN 2: A maximum of 100 MAC
addresses can be learned. When the number of learned MAC addresses reaches the limit, the
device sends an alarm.
[~Switch] vlan 2
[~Switch-vlan2] mac-address limit maximum 100 alarm enable
[~Switch-vlan2] quit
[~Switch] commit
Step 2 Verify the configuration.
# Run the display mac-address limit command in any view to check whether the MAC address
limiting rule is successfully configured.
<Switch> display mac-address limit

MAC Limit is enabled
Total MAC Limit rule count : 1

PORT VLAN/VSI/SI SLOT Maximum Rate(ms) Action Alarm
----------------------------------------------------------------------------
- 2 - 100 0 forward disable
----End
Configuration Files
The following lists only the configuration file of Switch.
#
sysname Switch
#
vlan batch 2
#
vlan 2
mac-address limit maximum 100
#
interface 10GE1/0/1
port link-type trunk
port trunk allow-pass vlan 2
#
interface 10GE1/0/2
port link-type trunk
port trunk allow-pass vlan 2
#
return
4.11.3 Example for Configuring Port Security
Networking Requirements
As shown in Figure 4-9, a company wants to prevent computers of non-employees from
accessing the intranet of the company to protect information security. To achieve this goal, the
company needs to enable port security on the interface connected to computers of employees
and set the maximum number of MAC addresses learned by the interface to be the same as the
number of trusted computers.
Figure 4-9 Network diagram of port security
(Diagram: User1, User2, and User3 in VLAN 10 reach the intranet through 10GE1/0/1 on the Switch.)
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure a VLAN to implement Layer 2 forwarding.
2. Configure port security to prevent the learned MAC addresses from aging.
Procedure
Step 1 Create a VLAN and set the link type of the interface.
<HUAWEI> system-view
[~HUAWEI] sysname Switch
[~HUAWEI] commit
[~Switch] vlan 10
[~Switch-vlan10] quit
[~Switch] interface 10ge 1/0/1
[~Switch-10GE1/0/1] port link-type trunk
[~Switch-10GE1/0/1] port trunk allow-pass vlan 10
[~Switch-10GE1/0/1] commit
Step 2 Configure port security.
# Enable port security.
[~Switch-10GE1/0/1] port-security enable
# Enable the sticky MAC function.
[~Switch-10GE1/0/1] port-security mac-address sticky
# Configure the security protection action.
[~Switch-10GE1/0/1] port-security protect-action protect
# Set the limit on the number of MAC addresses that can be learned on the interface.
[~Switch-10GE1/0/1] port-security maximum 4
[~Switch-10GE1/0/1] commit
To enable the port security function on other interfaces, repeat the preceding steps.
NOTE
Assume that MAC addresses of four devices (three PCs and one access switch) connected to the Switch
have been learned. The maximum number of MAC addresses to be learned is 4.
Step 3 Verify the configuration.
If User1 is replaced by another device, the device cannot access the intranet of the company.
----End
Configuration Files
Configuration file of the switch
#
sysname Switch
#
vlan batch 10
#
interface 10GE1/0/1
port link-type trunk
port trunk allow-pass vlan 10
port-security enable
port-security protect-action protect
port-security maximum 4
port-security mac-address sticky
#
return
4.11.4 Example for Configuring MAC Address Anti-flapping
Networking Requirements
Employees of an enterprise need to access the enterprise server. If an attacker uses the server
MAC address as the source MAC address to send packets to another interface, the server MAC
address is learned on the interface. Packets sent to the server are sent to unauthorized users. In
this case, employees cannot access the server, and important data will be intercepted by the
attacker.
As shown in Figure 4-10, MAC address anti-flapping can be configured to protect the server
from attacks.
Figure 4-10 Networking diagram of MAC address anti-flapping
(Diagram: the Server and an LSW serving PC1 to PC4 connect to the Switch through 10GE1/0/1 and
10GE1/0/2 in VLAN 10; the label MAC:11-22-33 appears at two points in the diagram.)
Configuration Roadmap
The configuration roadmap is as follows:
1. Create a VLAN and add an interface to the VLAN to implement Layer 2 forwarding.
2. Configure MAC address anti-flapping on the server-side interface.
Procedure
Step 1 Create a VLAN and add the interfaces to the VLAN.
# Add 10GE1/0/1 and 10GE1/0/2 to VLAN 10.
<Switch> system-view
[~Switch] vlan 10
[~Switch-vlan10] quit
[~Switch] interface 10ge 1/0/2
[~Switch-10GE1/0/2] port link-type trunk
[~Switch-10GE1/0/2] port trunk allow-pass vlan 10
[~Switch-10GE1/0/2] quit
[~Switch] interface 10ge 1/0/1
[~Switch-10GE1/0/1] port default vlan 10
[~Switch-10GE1/0/1] commit
Step 2 Set the MAC address learning priority of 10GE1/0/1 to 2.
[~Switch-10GE1/0/1] mac-learning priority 2
[~Switch-10GE1/0/1] commit
Step 3 Verify the configuration.
# Run the display current-configuration command in any view to check whether the MAC
address learning priority of the interface is set correctly.
<Switch> display current-configuration interface 10ge 1/0/1
#
interface 10GE1/0/1
port default vlan 10
mac-learning priority 2
#
return
----End
Configuration Files
Configuration file of the Switch
#
sysname Switch
#
vlan batch 10
#
interface 10GE1/0/1
port default vlan 10
mac-learning priority 2
#
interface 10GE1/0/2
port link-type trunk
port trunk allow-pass vlan 10
#
return
4.11.5 Example for Configuring MAC Address Flapping Detection
Networking Requirements
As shown in Figure 4-11, a loop occurs on a user network because network cables between two
LSWs are incorrectly connected. The loop causes MAC address flapping and bridge table
flapping.
You can enable MAC address flapping detection on the Switch to detect MAC address flapping
and discover loops.
Figure 4-11 Networking diagram of MAC address flapping detection
(Diagram: LSW1 and LSW2 attach to the Switch on 10GE1/0/1 and 10GE1/0/2; an incorrect
connection between the two LSWs forms the loop.)
Configuration Roadmap
The configuration roadmap is as follows:
1. Enable MAC address flapping detection.
2. Set the aging time of flapping MAC addresses.
3. Configure the action performed on the interface when MAC address flapping is detected
on the interface to prevent loops.
Procedure
Step 1 Enable MAC address flapping detection.
<Switch> system-view
[~Switch] mac-address flapping detection
[~Switch] commit
Step 2 Set the aging time of flapping MAC addresses.
[~Switch] mac-address flapping aging-time 500
[~Switch] commit
Step 3 Shut down 10GE1/0/1 and 10GE1/0/2 when MAC address flapping is detected.
[~Switch] interface 10ge 1/0/1
[~Switch-10GE1/0/1] mac-address flapping trigger error-down
[~Switch-10GE1/0/1] quit
[~Switch] interface 10ge 1/0/2
[~Switch-10GE1/0/2] mac-address flapping trigger error-down
[~Switch-10GE1/0/2] quit
[~Switch] commit
Step 4 Configure automatic recovery and set the automatic recovery time for the shutdown interface.
[~Switch] error-down auto-recovery cause mac-address-flapping interval 500
[~Switch] commit
Step 5 Verify the configuration.
After the configuration is complete, when the MAC address on 10GE1/0/1 flaps to 10GE1/0/2,
10GE1/0/2 is shut down. Run the display mac-address flapping command to view the flapping
records.
<Switch> display mac-address flapping
Mac-address Flapping Configurations :
-------------------------------------------------------------------------------
Flapping detection : Enable
Aging time(s) : 300
Quit-vlan Recover time(m) : --
Exclude vlan-list : --
-------------------------------------------------------------------------------
S : start time E : end time (D) : error down
-------------------------------------------------------------------------------
Time VLAN MAC-Address Original-Port Move-Ports MoveNum
-------------------------------------------------------------------------------
S:2011-12-11 11:00:08 1 0000-0000-0007 10GE1/0/1 10GE1/0/2(D) 83
E:2011-12-11 11:33:13
-------------------------------------------------------------------------------
Total items on slot 1: 1
----End
Configuration Files
Configuration file of the Switch
#
sysname Switch
#
error-down auto-recovery cause mac-address-flapping interval 500
#
mac-address flapping aging-time 500
#
interface 10GE1/0/1
mac-address flapping trigger error-down
#
interface 10GE1/0/2
mac-address flapping trigger error-down
#
return
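The following Python model is an added illustration of sections 4.11.4 and 4.11.5, not Huawei code. It shows why a higher learning priority on the server-side interface keeps the server entry in place, and how an interface with the error-down trigger reacts to a MAC move. Assumptions: the default learning priority is 0, a larger value wins, and an interface is shut on the first detected move (the real detection criteria are not given on this page).

```python
from dataclasses import dataclass, field


@dataclass
class Port:
    name: str
    priority: int = 0                 # assumption: default learning priority is 0
    error_down_on_flap: bool = False  # models "mac-address flapping trigger error-down"
    up: bool = True


@dataclass
class MacTable:
    ports: dict                                   # port name -> Port
    entries: dict = field(default_factory=dict)   # (vlan, mac) -> port name
    moves: dict = field(default_factory=dict)     # (vlan, mac) -> number of moves seen

    def learn(self, vlan, mac, port_name):
        """Process the source MAC of one received frame and report the outcome."""
        port = self.ports[port_name]
        if not port.up:
            return "dropped"              # interface is in error-down state
        key = (vlan, mac.lower())
        owner = self.entries.get(key)
        if owner is None:
            self.entries[key] = port_name
            return "learned"
        if owner == port_name:
            return "refreshed"
        if port.priority < self.ports[owner].priority:
            return "rejected"             # anti-flapping: lower priority cannot take the entry
        # Same or higher priority: the MAC address is moving between interfaces.
        self.moves[key] = self.moves.get(key, 0) + 1
        if port.error_down_on_flap:
            port.up = False               # shut the interface the address moved to
            return "error-down"
        self.entries[key] = port_name
        return "moved"


SERVER_MAC = "0011-0022-0033"   # constructed; Figure 4-10 labels the server MAC 11-22-33


def spoof_scenario(server_port_priority):
    """Server frame on 10GE1/0/1, spoofed frame on 10GE1/0/2, then the server again."""
    table = MacTable({
        "10GE1/0/1": Port("10GE1/0/1", priority=server_port_priority),
        "10GE1/0/2": Port("10GE1/0/2"),
    })
    trace = []
    for port_name in ("10GE1/0/1", "10GE1/0/2", "10GE1/0/1"):
        outcome = table.learn(10, SERVER_MAC, port_name)
        trace.append((outcome, table.entries[(10, SERVER_MAC)]))
    return trace


def loop_scenario():
    """Both interfaces use the error-down trigger; one host MAC shows up on both."""
    table = MacTable({
        "10GE1/0/1": Port("10GE1/0/1", error_down_on_flap=True),
        "10GE1/0/2": Port("10GE1/0/2", error_down_on_flap=True),
    })
    mac = "0000-0000-0007"      # MAC and VLAN 1 taken from the sample output in 4.11.5
    outcomes = [table.learn(1, mac, p) for p in ("10GE1/0/1", "10GE1/0/2", "10GE1/0/2")]
    return outcomes, table.ports["10GE1/0/2"].up, table.moves[(1, mac)]


if __name__ == "__main__":
    print("priority 0:", spoof_scenario(0))
    print("priority 2:", spoof_scenario(2))
    print("loop:", loop_scenario())
```

With priority 0 the server entry follows the spoofed frame to 10GE1/0/2; with priority 2 it never leaves 10GE1/0/1.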
4.12 Common Configuration Errors
This section describes how to handle common configuration errors in MAC address entries.
4.12.1 Correct MAC Address Entry Cannot Be Learned on the Device
Fault Description
MAC address entries cannot be learned on the device, so Layer 2 forwarding fails.
Procedure
Step 1 Check that the configurations on the interface are correct.
Run the display mac-address command in the system view to check whether the binding
relationships between the MAC address, VLAN, and interface are correct.
<HUAWEI> display mac-address
-------------------------------------------------------------------------------
MAC Address VLAN/VSI Learned-From Type
-------------------------------------------------------------------------------
0025-9e80-2494 1/- 10GE1/0/1 dynamic
-------------------------------------------------------------------------------
Total items displayed = 1
If not, re-configure the binding relationships between the MAC address, VLAN, and interface.
If yes, go to step 2.
Step 2 Check whether a loop on the network causes MAC address flapping.
l Remove the loop from the network.
l Run the mac-address flapping detection command in the system view to enable the MAC
flapping detection function. The switch checks whether a MAC address moves from one
interface to another in the VLAN.
If no loop exists, go to step 3.
Step 3 Check that MAC address learning is enabled.
Check whether MAC address learning is enabled in the interface view and the VLAN view.
[~HUAWEI-10GE1/0/1] display this
#
interface 10GE1/0/1
mac-address learning disable
port link-type trunk
port trunk allow-pass vlan 10
#
return
[~HUAWEI-vlan10] display this
#
vlan 10
mac-address learning disable
#
return
If the command output contains mac-address learning disable, MAC address learning is
disabled on the interface or VLAN.
l If MAC address learning is disabled, run the undo mac-address learning disable
command in the interface view or VLAN view to enable MAC address learning.
l If MAC address learning is enabled on the interface, go to step 4.
Step 4 Check whether any blackhole MAC address entry or MAC address limiting is configured.
If a blackhole MAC address entry or MAC address limiting is configured, the interface discards
packets.
l Blackhole MAC address entry
Run the display mac-address blackhole command to check whether any blackhole MAC
address entry is configured.
[~HUAWEI] display mac-address blackhole
-------------------------------------------------------------------------------
MAC Address VLAN/VSI Learned-From Type
-------------------------------------------------------------------------------
0001-0001-0001 3333/- - blackhole
-------------------------------------------------------------------------------
Total items displayed = 1
If a blackhole MAC address entry is displayed, run the undo mac-address blackhole
command to delete it.
l MAC address limiting on the interface or VLAN
  - Run the display this command in the interface view or VLAN view. If the command
    output contains mac-address limit maximum, the number of learned MAC addresses
    is limited. Run either of the following commands:
    - Run the undo mac-address limit command in the interface view or VLAN view to
      disable MAC address limiting.
    - Run the mac-address limit command in the interface view or VLAN view to
      increase the maximum number of learned MAC addresses.
  - Run the display this command in the interface view. If the command output contains
    port-security maximum or port-security enable, the number of secure dynamic MAC
    addresses is limited on the interface. Run either of the following commands:
    NOTE
    By default, the limit on the number of secure dynamic MAC addresses is 1 after port security is enabled.
    - Run the undo port-security enable command in the interface view to disable port
      security.
    - Run the port-security maximum command in the interface view to increase the
      maximum number of secure dynamic MAC addresses on the interface.
If the fault persists, go to step 5.
Step 5 Check whether the number of learned MAC addresses has reached the maximum supported by
the switch.
Run the display mac-address summary command to check the number of MAC addresses in
the MAC address table.
l If the number of learned MAC addresses has reached the maximum supported by the
switch, no MAC address entry can be created. Run the display mac-address command to
view all MAC address entries.
  - If the number of MAC addresses learned on an interface is much greater than the number
    of devices on the network connected to the interface, a user on the network may
    maliciously update the MAC address table. Check the device connected to the interface:
    - If the interface is connected to a device, run the display mac-address command on
      the device to view its MAC address table. Locate the interface connected to the
      malicious user according to the displayed MAC address entries. If the interface that
      you find is connected to another device, repeat this step until you find the
      malicious user.
    - If the interface is connected to a computer, perform either of the following operations
      after obtaining permission of the administrator:
      - Disconnect the computer. When the attack stops, connect the computer to the
        network again.
      - Run the port-security enable command on the interface to enable port security
        or run the mac-address limit command to set the maximum number of MAC
        addresses that the interface can learn to 1.
    - If the interface is connected to a hub, perform either of the following operations:
      - Configure port mirroring or other tools to observe packets received by the
        interface. Analyze the packet types to locate the attacking computer. Disconnect
        the computer after obtaining permission of the administrator. When the attack
        stops, connect the computer to the hub again.
      - Disconnect computers connected to the hub one by one after obtaining
        permission of the administrator. If the fault is rectified after a computer is
        disconnected, the computer is the attacker. After it stops the attack, connect it to
        the hub again.
  - If the number of MAC addresses on the interface is equal to or smaller than the number
    of devices connected to the interface, the number of devices connected to the switch
    has exceeded the maximum supported by the switch. Adjust network deployment.
----End
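The per-interface comparison in Step 5 can be run against a saved capture of display mac-address output. The Python script below is an added example, not part of the Huawei guide. The sample capture, the device inventory, and the factor of 3 used for "much greater" are constructed assumptions.

```python
import re
from collections import Counter

# One table row: MAC, VLAN/VSI, Learned-From, Type (whitespace separated).
ROW = re.compile(
    r"^([0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4})\s+(\S+?)/(\S+)\s+(\S+)\s+(\S+)\s*$", re.I)
TOTAL = re.compile(r"^Total items displayed = (\d+)\s*$")


def parse_mac_table(text):
    """Parse captured 'display mac-address' output into a list of entries."""
    entries, total = [], None
    for line in text.splitlines():
        line = line.strip()
        m = ROW.match(line)
        if m:
            mac, vlan, vsi, port, kind = m.groups()
            entries.append({"mac": mac.lower(), "vlan": vlan, "vsi": vsi,
                            "port": port, "type": kind.lower()})
            continue
        m = TOTAL.match(line)
        if m:
            total = int(m.group(1))
    # A missing or mismatched footer means the capture was cut short or reflowed.
    if total != len(entries):
        raise ValueError(f"parsed {len(entries)} rows, device reported {total}")
    return entries


def flooding_suspects(entries, expected_devices, factor=3):
    """Return {interface: (learned, expected)} where dynamic entries exceed factor x expected.

    expected_devices is a hypothetical inventory of how many hosts sit behind each
    interface. Interfaces missing from it count as 0, so any learning there is reported.
    """
    learned = Counter(e["port"] for e in entries if e["type"] == "dynamic")
    suspects = {}
    for port, count in learned.items():
        expected = expected_devices.get(port, 0)
        if count > factor * expected:
            suspects[port] = (count, expected)
    return suspects


def sample_output():
    """Constructed capture: 2 dynamic + 1 static on 10GE1/0/1, 12 dynamic on 10GE1/0/2."""
    rows = [("0025-9e80-2494", "10GE1/0/1", "dynamic"),
            ("0025-9e80-2495", "10GE1/0/1", "dynamic"),
            ("0002-0002-0002", "10GE1/0/1", "static")]
    rows += [(f"00e0-fc00-{i:04x}", "10GE1/0/2", "dynamic") for i in range(12)]
    rule = "-" * 79
    body = [f"{mac} 10/-       {port}           {kind}" for mac, port, kind in rows]
    return "\n".join([rule, "MAC Address    VLAN/VSI   Learned-From        Type", rule,
                      *body, rule, f"Total items displayed = {len(rows)}"])


INVENTORY = {"10GE1/0/1": 2, "10GE1/0/2": 3}   # constructed device counts per interface

if __name__ == "__main__":
    for port, (count, expected) in flooding_suspects(
            parse_mac_table(sample_output()), INVENTORY).items():
        print(f"{port}: {count} dynamic MAC addresses learned, {expected} devices expected")
```

Static and blackhole entries are not counted, because only dynamically learned addresses reflect what hosts on the interface are sending.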
5 STP/RSTP Configuration
About This Chapter
The Spanning Tree Protocol (STP) trims a ring network into a loop-free tree network. It prevents
replication and circular propagation of packets. The Rapid Spanning Tree Protocol (RSTP) was
developed based on STP to implement faster convergence. RSTP defines edge ports and provides
protection functions.
5.1 STP/RSTP Overview
The Spanning Tree Protocol (STP) or Rapid Spanning Tree Protocol (RSTP) eliminates loops
on a Layer 2 network by blocking redundant links to prune the network into a tree structure.
5.2 STP/RSTP Features Supported by the CE series switches
This section describes STP/RSTP features supported by the CE series switches.
5.3 Default Configuration
This section describes the default STP/RSTP configuration. You can change the configuration
based on actual needs.
5.4 Configuring Basic STP/RSTP Functions
You can configure STP/RSTP on switches on an Ethernet to trim a network into a tree topology
free from loops.
5.5 Setting STP Parameters That Affect STP Convergence
STP cannot implement rapid convergence. However, you can set STP parameters including the
network diameter, timeout interval, Hello timer value, Max Age timer value, and Forward Delay
timer value.
5.6 Setting RSTP Parameters That Affect RSTP Convergence
RSTP implements rapid convergence by configuring the link type of a port and fast transition
mechanism.
5.7 Configuring RSTP Protection Functions
This section describes how to configure RSTP protection functions. You can configure one or
more functions.
5.8 Setting Parameters for Interworking Between the CE series switches and a Non-Huawei Device
To implement interworking between the CE series switches and a non-Huawei device, select
the fast transition mode based on the Proposal/Agreement mechanism of the non-Huawei device.
5.9 Maintaining STP/RSTP
STP/RSTP maintenance includes resetting STP/RSTP statistics.
5.10 Configuration Examples
This section provides several configuration examples of STP/RSTP.
5.1 STP/RSTP Overview
The Spanning Tree Protocol (STP) or Rapid Spanning Tree Protocol (RSTP) eliminates loops
on a Layer 2 network by blocking redundant links to prune the network into a tree structure.
Introduction to STP/RSTP
Loops often occur on a complex network. To implement redundancy, network designers tend
to deploy multiple physical links between two devices, one of which is the master link and
the others are backups.
Loops cause broadcast storms. Consequently, network resources are exhausted and the network
breaks down. Loops also cause MAC address flapping, which damages MAC address entries.
To remove loops, run STP at the data link layer. Devices running STP exchange STP BPDUs
to discover loops on the network and block some ports to prune the network into a loop-free tree
network. STP prevents infinite looping of packets to ensure packet processing capabilities of
switches.
Because STP converges slowly, the IEEE released RSTP in 2001 as IEEE 802.1w. RSTP enhances
STP and speeds up network convergence.
STP/RSTP Concepts
l Root bridge
Every tree network must have a root. The root bridge is the root of the STP network.
An STP/RSTP network has only one root bridge. The root bridge is the logical center of
the network, but may not be the physical center. The root bridge may change when the network
topology changes.
l ID
IDs are classified into Bridge IDs (BIDs) and port IDs (PIDs).
BID: On the STP network, the device with the smallest BID is selected as the root bridge.
On a Huawei device, the bridge priority can be configured manually.
PID: The PID is used when the designated port needs to be selected. That is, when the root
path costs and the sender BIDs of two ports are the same, the port with a smaller PID is
selected as the designated port. The port priority affects role selection in a specified MSTI.
l Path cost
On an STP/RSTP network, the accumulated cost of the path from a port to the root bridge
is the sum of the path costs of the ports on all bridges along that path. This cost is called
the root path cost, which determines root port selection.
The path cost is port-specific and is used by STP/RSTP to select a link. STP/RSTP
calculates the path cost to select the robust link and blocks redundant links to trim the
network into a loop-free tree topology. The root path cost of a port on the root device is 0.
l Port role
STP-capable port
Root port: the port that is nearest to the root bridge. The root port is responsible for
forwarding data to the root bridge and receiving BPDUs and user traffic from the
upstream device. The root port is determined based on the path cost. Among all the
STP-enabled ports, the port with the least root path cost is a root port. There is only one
root port on an STP/RSTP-capable device, but there is no root port on the root bridge.
Designated port: forwards BPDUs to the downstream switching device. All the ports
on the root bridge are designated ports. A designated port is selected on each network
segment. The device where the designated port resides is called the designated bridge
on the network segment.
RSTP-capable port
Compared with STP, RSTP has three additional types of ports: alternate port, backup
port, and edge port. More port roles are defined, which helps you to learn and deploy
STP.
Figure 5-1 Port roles
(Diagram: two example topologies with S1 as the root bridge and downstream switches S2 and S3;
ports are marked according to the legend Root port, Designated port, Alternate port, Backup port,
and Edge port.)
As shown in Figure 5-1, RSTP defines five port roles: root port, designated port,
alternate port, backup port, and edge port.
The functions of the root port and designated port are the same as those defined in STP.
The alternate port and backup port are described as follows:
Alternate port: An alternate port is blocked after the device learns the configuration
BPDUs sent by other devices. The alternate port backs up the root port and provides an
alternate path from the designated bridge to the root bridge.
Backup port: A backup port is blocked after the device learns the configuration BPDUs
sent by itself. The backup port backs up the designated port and provides an alternate
path from the root node to the leaf node.
Edge port: An edge port is located at the edge of an MST region and does not connect
to any switching device. Generally, edge ports are directly connected to terminals.
l Port status
STP port status
Table 5-1 shows the status of an STP-capable port.
Table 5-1 STP port status
Port Status | Purpose | Description
-------------------------------------------------------------------------------
Forwarding | A port in Forwarding state can forward user traffic and process BPDUs. | Only the root port or designated port can enter the Forwarding state.
Learning | When a port is in Learning state, a device creates a MAC address table based on the received user traffic but does not forward user traffic. | This is a transition state, which is designed to prevent temporary loops.
Listening | When a port is in Listening state, the root bridge, root port, and designated port are to be selected. | This is a transition state.
Blocking | A port in Blocking state receives and forwards only BPDUs, but does not forward user traffic. | This is the final state of a blocked port.
Disabled | A port in Disabled state does not process BPDUs or forward user traffic. | The port is Down.

RSTP port status
Table 5-2 shows the port status of an RSTP-capable port.
Table 5-2 RSTP port status
Port Status | Description
-------------------------------------------------------------------------------
Forwarding | A port in Forwarding state can forward user traffic and process BPDUs.
Learning | This is a transition state. When a port is in Learning state, a device creates a MAC address table based on the received user traffic but does not forward user traffic. A port in the Learning state processes BPDUs, but does not forward user traffic.
Discarding | A port in Discarding state can receive only BPDUs.

NOTE
Huawei datacom devices use the MSTP mode by default. After a device transits from the MSTP
mode to the STP mode, an STP-capable port supports the same port states as those supported by an
MSTP-capable port (an MSTP-capable port supports the same port states as those supported by an
RSTP-capable port), including the Forwarding, Learning, and Discarding states. For details, see
Table 5-2.
l Three timers
Table 5-3 STP timers
Timer | Description
-------------------------------------------------------------------------------
Hello Time | Sets the interval at which BPDUs are sent.
Forward Delay Timer | Sets the duration when a port remains in Listening and Learning states.
Max Age | Sets the maximum lifetime of a BPDU. When the Max Age timer expires, the connection with the root bridge fails.

5.2 STP/RSTP Features Supported by the CE series switches
This section describes STP/RSTP features supported by the CE series switches.
STP/RSTP eliminates loops on a Layer 2 network by blocking redundant links to prune the
network into a tree structure.
l To remove loops between devices, configure basic STP/RSTP functions.
l To speed up convergence, set parameters that affect STP/RSTP convergence.
l To communicate with a non-Huawei device, set proper parameters on the
STP/RSTP-enabled Huawei device.
To meet requirements for special applications and extended functions, RSTP supports the
following functions:
l Provides a feedback mechanism to confirm topology convergence. This implements rapid
convergence.
l Provides the protection functions listed in Table 5-4.
Table 5-4 RSTP protection functions
Protection function: BPDU protection
  Scenario: An edge port changes into a non-edge port after receiving a BPDU, which triggers
  spanning tree recalculation. If an attacker keeps sending pseudo BPDUs to a switching
  device, network flapping occurs.
  Configuration impact: After BPDU protection is enabled, the switching device shuts down the
  edge port if the edge port receives an RST BPDU. Then the device notifies the NMS of the
  shutdown event. The attributes of the edge port are not changed.
  The shutdown edge port can only be restored by the administrator. To enable the shutdown
  edge port to restore automatically, set the recovery delay.
Protection function: TC-BPDU attack defense
  Scenario: Generally, after receiving TC BPDUs (packets for advertising network topology
  changes), a switching device needs to delete MAC entries and ARP entries. Frequent
  deletions exhaust CPU resources.
  Configuration impact: TC protection is used to suppress TC BPDUs. You can configure the
  number of times a switching device processes TC BPDUs within a given time period. If the
  number of TC BPDUs that the switching device receives within a given time exceeds the
  specified threshold, the switching device processes only the specified number of TC BPDUs.
  After the specified time period expires, the device processes the excess TC BPDUs once.
  This function prevents the switching device from frequently deleting MAC entries and ARP
  entries, saving CPU resources.
Protection function: Root protection
  Scenario: Due to incorrect configurations or malicious attacks on the network, a root bridge
  may receive BPDUs with a higher priority than its own priority. Consequently, the legitimate
  root bridge is no longer able to serve as the root bridge and the network topology is
  changed, triggering spanning tree recalculation. This may transfer traffic from high-speed
  links to low-speed links, causing traffic congestion.
  Configuration impact: If a designated port is enabled with the root protection function, the
  role of the port cannot be changed. Once a designated port that is enabled with root
  protection receives RST BPDUs with a higher priority, the port enters the Discarding state
  and does not forward packets. If the port does not receive any RST BPDUs with a higher
  priority before a period (generally two Forward Delay periods) expires, the port
  automatically enters the Forwarding state.
Protection function: Loop protection
  Scenario: A root port or an alternate port will age if link congestion or a one-way link
  failure occurs. After the root port ages, a switching device may re-select a root port
  incorrectly. After the alternate port ages, the port enters the Forwarding state. Loops may
  occur in such a situation.
  Configuration impact: After loop protection is configured, if the root port or alternate port
  does not receive RST BPDUs from the upstream switching device for a long time, the switching
  device notifies the NMS that the port enters the Discarding state. The blocked port remains
  in the Blocked state and no longer forwards packets. This function helps prevent loops on
  the network. The root port transitions to the Forwarding state after receiving new BPDUs.

5.3 Default Configuration
This section describes the default STP/RSTP configuration. You can change the configuration
based on actual needs.
Parameter                                            Default Setting
Working mode                                         MSTP
STP/RSTP status                                      STP/RSTP is enabled globally and on an interface.
Switching device priority                            32768
Port priority                                        128
Algorithm used to calculate the default path cost    dot1t, IEEE 802.1t
Forward Delay Time                                   1500 centiseconds
Hello Time                                           200 centiseconds
Max Age Time                                         2000 centiseconds

5.4 Configuring Basic STP/RSTP Functions
You can configure STP/RSTP on switches on an Ethernet to trim a network into a tree topology
free from loops.
5.4.1 Configuring the STP/RSTP Mode
Context
The device supports three working modes: STP, RSTP, and MSTP. A switching device can
select only the STP mode on a ring network running only STP, and can select only the RSTP
mode on a ring network running only RSTP. In other scenarios, the MSTP mode is used by
default.
Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
stp mode { stp | rstp }
The working mode of the switching device is set to STP or RSTP.
By default, the working mode of a switching device is MSTP. MSTP is compatible with STP
and RSTP.
Step 3 Run:
commit
The configuration is committed.
----End
5.4.2 (Optional) Configuring the Root Bridge and Secondary Root Bridge
Context
The root bridge can be determined through spanning tree calculation. You can also manually
configure the root bridge or secondary root bridge.
l In a spanning tree, only one root bridge takes effect. When two or more devices are specified
as root bridges of a spanning tree, the device with the smallest MAC address is used as the
root bridge.
l You can specify multiple secondary root bridges for each spanning tree. When the root
bridge fails or is powered off, the secondary root bridge becomes the new root bridge. If a
new root bridge is specified, the secondary root bridge will not become the root bridge. If
multiple backup bridges are configured, the backup bridge with the smallest MAC address will
become the root bridge of the spanning tree.
NOTE
It is recommended that the root bridge and secondary root bridge be configured manually.
Procedure
l Perform the following operations on the device to be used as the root bridge.
1. Run:
system-view
The system view is displayed.
2. Run:
stp root primary
The device is configured as the root bridge.
By default, a switching device does not function as the root bridge. After the
configuration is complete, the priority value of the device is 0 and cannot be changed.
3. Run:
commit
The configuration is committed.
l Perform the following operations on the device to be used as the secondary root bridge.
1. Run:
system-view
The system view is displayed.
2. Run:
stp root secondary
The device is configured as the secondary root bridge.
By default, a switching device does not function as the secondary root bridge. After
the configuration is complete, the priority value of the device is 4096 and cannot be
changed.
3. Run:
commit
The configuration is committed.
----End
5.4.3 (Optional) Configuring Switching Device Priorities
Context
On an STP/RSTP-capable network, there is only one root bridge, which is the logical center of
the entire spanning tree. During root bridge selection, a high-performance switching device at
a high network layer should be selected as the root bridge; however, the priority of such a device
may not be the highest on the network. It is therefore necessary to set a high priority for the
switching device to ensure that the device functions as a root bridge.
Low-performance devices at lower network layers are not fit to serve as a root bridge. Therefore,
set low priorities for these devices.
A smaller value of the priority indicates a higher priority of the switching device. The switching
device with a higher priority is more likely to be elected as the root bridge. A larger value of the
priority indicates a lower priority of the switching device. The switching device with a lower
priority is less likely to be elected as the root bridge.
Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
stp priority priority
The priority of a switching device is configured.
The default priority value of a switching device is 32768.
NOTE
If the stp root primary or stp root secondary command has been executed to configure the device as the
root bridge or secondary root bridge, to change the device priority, run the undo stp root command to
disable the root bridge or secondary root bridge function and run the stp priority priority command to set
a priority.
Step 3 Run:
commit
The configuration is committed.
----End
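The election rules in 5.4.2 and 5.4.3 can be checked against a planned topology before it is deployed. The following Python sketch is an added example, not part of the Huawei guide: it derives each device's priority value from its STP commands, elects the root by lowest priority value and then smallest MAC address, and reports when the result differs from the intended root and backup. Device names, MAC addresses and the 61440 priority value are constructed sample data.

```python
import re

DEFAULT_PRIORITY = 32768  # default switching device priority (section 5.3)


def effective_priority(config_lines):
    """Return the priority value implied by a device's STP commands."""
    priority = DEFAULT_PRIORITY
    for line in (l.strip() for l in config_lines):
        if line == "stp root primary":
            return 0        # fixed at 0 and cannot be changed (5.4.2)
        if line == "stp root secondary":
            return 4096     # fixed at 4096 and cannot be changed (5.4.2)
        m = re.fullmatch(r"stp priority (\d+)", line)
        if m:
            priority = int(m.group(1))
    return priority


def bridge_id(device):
    """Smaller priority value wins; the smallest MAC address breaks a tie."""
    mac = int(re.sub(r"[-:.]", "", device["mac"]), 16)
    return (effective_priority(device["config"]), mac)


def elect_root(devices):
    return min(devices, key=bridge_id)["name"]


def audit_root_plan(devices, intended_root, intended_backup):
    """Compare the elected root, and the root after it fails, with the plan."""
    findings = []
    root = elect_root(devices)
    backup = elect_root([d for d in devices if d["name"] != root])
    if root != intended_root:
        findings.append(f"root is {root}, expected {intended_root}")
    if backup != intended_backup:
        findings.append(
            f"after {root} fails the root is {backup}, expected {intended_backup}")
    primaries = sorted(
        d["name"] for d in devices
        if "stp root primary" in [l.strip() for l in d["config"]])
    if len(primaries) > 1:
        findings.append("several devices run stp root primary: " + ", ".join(primaries))
    return {"root": root, "backup": backup, "findings": findings}


# Constructed sample: an access switch was also given "stp root primary".
MISCONFIGURED = [
    {"name": "core1", "mac": "00e0-fc00-0a01", "config": ["stp mode rstp", "stp root primary"]},
    {"name": "core2", "mac": "00e0-fc00-0a02", "config": ["stp mode rstp", "stp root secondary"]},
    {"name": "access1", "mac": "00e0-fc00-0001", "config": ["stp mode rstp"]},
    {"name": "access2", "mac": "00e0-fc00-0002", "config": ["stp mode rstp", "stp root primary"]},
]

# Same topology with the access switch given a low priority (large value) instead.
FIXED = MISCONFIGURED[:3] + [
    {"name": "access2", "mac": "00e0-fc00-0002", "config": ["stp mode rstp", "stp priority 61440"]},
]

if __name__ == "__main__":
    for label, plan in (("misconfigured", MISCONFIGURED), ("fixed", FIXED)):
        print(label, audit_root_plan(plan, "core1", "core2"))
```

In the misconfigured plan both core1 and access2 have priority value 0, so the smaller MAC address of access2 makes it the root bridge.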
5.4.4 (Optional) Setting the Path Cost for a Port
Context
A path cost is port-specific and is used by STP/RSTP to select a link.
The path cost value range is determined by the calculation method. After the calculation method
is determined, it is recommended that you set a relatively small path cost value for the ports with
high link rates.
Taking the Huawei proprietary calculation method as an example, the link rate determines the
recommended value for the path cost. Table 5-5 lists the recommended path costs for ports with
different link rates.
Table 5-5 Mappings between link rates and path cost values
Link Rate         Recommended Path Cost    Recommended Path Cost Range    Path Cost Range
10 Mbit/s         2000                     200 to 20000                   1 to 200000
100 Mbit/s        200                      20 to 2000                     1 to 200000
1 Gbit/s          20                       2 to 200                       1 to 200000
10 Gbit/s         2                        2 to 20                        1 to 200000
Over 10 Gbit/s    1                        1 to 2                         1 to 200000

If a network has loops, it is recommended that you set a relatively large path cost for ports with
low link rates. STP/RSTP then blocks these ports.
Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 (Optional) Run:
stp pathcost-standard { dot1d-1998 | dot1t | legacy }
A path cost calculation method is configured.
By default, the IEEE 802.1t standard (dot1t) is used to calculate the default path cost.
All switching devices on a network must use the same path cost calculation method.
Step 3 Run:
interface interface-type interface-number
The view of the interface participating in STP calculation is displayed.
Step 4 Run:
stp cost cost
A path cost is set for the interface.
l When the Huawei proprietary calculation method is used, cost ranges from 1 to 200000.
l When the IEEE 802.1d standard method is used, cost ranges from 1 to 65535.
l When the IEEE 802.1t standard method is used, cost ranges from 1 to 200000000.
Step 5 Run:
commit
The configuration is committed.
----End
5.4.5 (Optional) Configuring Port Priorities
Context
In spanning tree calculation, the priority of the switching device port affects designated port
election.
To block a port on a switching device, set the port priority value to be larger than the default value.
Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
interface interface-type interface-number
The view of the interface participating in STP calculation is displayed.
Step 3 Run:
stp port priority priority
The port priority is configured.
The default priority value of a port on a switching device is 128.
Step 4 Run:
commit
The configuration is committed.
----End
5.4.6 Enabling STP/RSTP
Context
CAUTION
After STP/RSTP is enabled on a ring network, STP/RSTP immediately calculates spanning trees
on the network. Configurations on the switching device, such as the switching device priority
and port priority, will affect spanning tree calculation. Any change to the configurations may
cause network flapping. Therefore, to ensure rapid and stable spanning tree calculation, perform
basic configurations on the switching device and its ports before enabling STP/RSTP.
Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
stp enable
STP/RSTP is enabled on the switching device.
By default, STP/RSTP is enabled on a switch.
Step 3 Run:
commit
The configuration is committed.
----End
5.4.7 Checking the Configuration
Procedure
l Run the display stp [ interface interface-type interface-number | slot slot-id ] [ brief ]
command to view the spanning-tree status and statistics.
----End
5.5 Setting STP Parameters That Affect STP Convergence
STP cannot implement rapid convergence. However, you can set STP parameters including the
network diameter, timeout interval, Hello timer value, Max Age timer value, and Forward Delay
timer value.
Pre-configuration Tasks
Before setting STP parameters that affect STP convergence, complete the following task:
l Configuring basic STP functions
5.5.1 Setting the STP Network Diameter
Context
On a switched network, any two terminals on the switching network are connected through a
specific path along which multiple devices reside. The network diameter is the maximum number
of devices between any two terminals. A larger network diameter indicates a larger network
scale.
An improper network diameter may cause slow network convergence and affect
communication. Run the stp bridge-diameter command to set a network diameter based on the
network scale, which helps speed up convergence.
It is recommended that all devices use the same network diameter.
Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
stp bridge-diameter diameter
The network diameter is configured.
By default, the network diameter is 7.
NOTE
l RSTP uses a single spanning tree instance on the entire network. As a result, performance deterioration
cannot be prevented when the network scale grows. Therefore, the network diameter cannot be larger
than 7.
l It is recommended that you run the stp bridge-diameter diameter command to set the network
diameter. Then, the switching device calculates the optimal Forward Delay period, Hello timer value,
and Max Age timer value based on the set network diameter.
Step 3 Run:
commit
The configuration is committed.
----End
5.5.2 Setting the STP Timeout Interval
Context
If the device does not receive any BPDU from the upstream device in the set period, the device
considers that the upstream device fails and then it re-calculates its spanning tree.
Sometimes, the device does not receive BPDUs from the upstream device for a long time because
the upstream device is very busy. In this case, the device should not re-calculate its spanning
tree. Therefore, you can set a long period for the device on a stable network to avoid wasting
network resources.
If the local switching device does not receive a BPDU from the upstream switching device within
the timeout interval, spanning tree recalculation is performed. The timeout interval is calculated
as follows:
l Timeout interval = Hello time x 3 x Timer Factor
Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
stp timer-factor factor
The timeout period for waiting for BPDUs from the upstream device is set.
By default, the timeout period is 9 times the Hello timer value.
Step 3 Run:
commit
The configuration is committed.
----End
5.5.3 Setting the Values of STP Timers
Context
The following parameters are used in spanning tree calculation:
l Forward Delay: determines the interval for port status transition. To prevent temporary
loops, an interface first enters the Learning state when transiting from Discarding to
Forwarding. The status transition lasts for the time specified by Forward Delay so that the
local device can synchronize the status with the remote switch.
l Hello Time: is the interval at which hello packets are sent. The switching device sends
configuration BPDUs at an interval of Hello Time to check whether links are faulty. If the
switching device does not receive any BPDU at an interval of the timeout period (timeout
period = Hello Time x 3 x Timer Factor), the switching device recalculates the spanning
tree due to BPDU timeout.
l Max Age: determines whether BPDUs expire. The switching device determines whether
the received BPDU expires based on this value. If the received BPDU expires, the spanning
tree needs to be recalculated.
Devices on a ring network must use the same values of Forward Delay, Hello Time, and Max
Age.
Generally, you are not advised to directly adjust the preceding three parameters. This is because
the three parameters are relevant to the network scale. It is recommended that the network
diameter be adjusted so that the spanning tree protocol automatically adjusts the three
parameters. When the default network diameter is used, the default values of the three parameters
are used.
CAUTION
To prevent frequent network flapping, make sure that Hello Time, Forward Delay, and Max Age
conform to the following formulas:
l 2 x (Forward Delay - 1.0 second) >= Max Age
l Max Age >= 2 x (Hello Time + 1.0 second)
Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Set Forward Delay, Hello Time, and Max Age.
1. Run:
stp timer forward-delay forward-delay
The value of Forward Delay of the switching device is set.
By default, the value of Forward Delay of the switching device is 1500 centiseconds.
2. Run:
stp timer hello hello-time
The value of Hello Time of the switching device is set.
By default, the value of Hello Time of the switching device is 200 centiseconds.
3. Run:
stp timer max-age max-age
The value of Max Age of the switching device is set.
By default, the value of Max Age of the switching device is 2000 centiseconds.
Step 3 Run:
commit
The configuration is committed.
----End
5.5.4 Setting the Maximum Number of Connections That Affect Spanning Tree Calculation
Context
The interface path cost affects spanning tree calculation. When the path cost changes, the system
performs spanning tree recalculation. The interface path cost is affected by the bandwidth, so
you can change the interface bandwidth to affect spanning tree calculation.
As shown in Figure 5-2, deviceA and deviceB are connected through two Eth-Trunks. Eth-Trunk
1 has three member interfaces in Up state and Eth-Trunk 2 has two member interfaces in Up
state. If each member link has the same bandwidth, deviceA is selected as the root bridge.
l Eth-Trunk 1 has larger bandwidth than Eth-Trunk 2. After STP calculation, Eth-Trunk 1
on deviceB is selected as the root port and Eth-Trunk 2 is selected as the alternate port.
l If the maximum number of connections is 1 in Eth-Trunk 1, the path cost of Eth-Trunk 1
is larger than the path cost of Eth-Trunk 2. The system performs spanning tree recalculation.
Then Eth-Trunk 1 on deviceB becomes the alternate port and Eth-Trunk 2 becomes the
root port.
Figure 5-2 Setting the maximum number of connections
[Figure: SwitchA and SwitchB connected through Eth-Trunk1 and Eth-Trunk2, shown before and after configuration. Labels: Root Bridge, Designated port, Root port, Alternate port.]
NOTE
The maximum number of connections affects only the link cost of an interface where spanning tree
calculation is performed, but does not affect the actual link bandwidth. The actual bandwidth for an
Eth-Trunk to forward traffic depends on the number of active interfaces.
Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
interface eth-trunk trunk-id
The Eth-Trunk interface view is displayed.
Step 3 Run:
max bandwidth-affected-linknumber link-number
The maximum number of connections is set.
By default, the upper threshold for the number of interfaces that determine the bandwidth of an
Eth-Trunk is 16.
Step 4 Run:
commit
The configuration is committed.
----End
5.5.5 Checking the Configuration
Procedure
l Run the display stp [ interface interface-type interface-number | slot slot-id ] [ brief ]
command to view the spanning-tree status and statistics.
----End
5.6 Setting RSTP Parameters That Affect RSTP Convergence
RSTP implements rapid convergence by using the link type of a port and the fast transition
mechanism.
Pre-configuration Tasks
Before configuring RSTP parameters that affect RSTP convergence, configure basic RSTP
functions.
5.6.1 Setting the RSTP Network Diameter
Context
On a switched network, any two terminals on the switching network are connected through a
specific path along which multiple devices reside. The network diameter is the maximum number
of devices between any two terminals. A larger network diameter indicates a larger network
scale.
An improper network diameter may cause slow network convergence and affect
communication. Run the stp bridge-diameter command to set a network diameter based on the
network scale, which helps speed up convergence.
It is recommended that all devices use the same network diameter.
Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
stp bridge-diameter diameter
The network diameter is configured.
By default, the network diameter is 7.
NOTE
l RSTP uses a single spanning tree instance on the entire network. As a result, performance deterioration
cannot be prevented when the network scale grows. Therefore, the network diameter cannot be larger
than 7.
l It is recommended that you run the stp bridge-diameter diameter command to set the network
diameter. Then, the switching device calculates the optimal Forward Delay period, Hello timer value,
and Max Age timer value based on the set network diameter.
Step 3 Run:
commit
The configuration is committed.
----End
5.6.2 Setting the RSTP Timeout Interval
Context
If the device does not receive any BPDU from the upstream device in the set period, the device
considers that the upstream device fails and then it re-calculates its spanning tree.
Sometimes, the device does not receive BPDUs from the upstream device for a long time because
the upstream device is very busy. In this case, the device should not re-calculate its spanning
tree. Therefore, you can set a long period for the device on a stable network to avoid wasting
network resources.
If the local switching device does not receive a BPDU from the upstream switching device within
the timeout interval, spanning tree recalculation is performed. The timeout interval is calculated
as follows:
l Timeout interval = Hello time x 3 x Timer Factor
Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
stp timer-factor factor
The timeout period for waiting for BPDUs from the upstream device is set.
By default, the timeout period is 9 times the Hello timer value.
Step 3 Run:
commit
The configuration is committed.
----End
5.6.3 Setting RSTP Timers
Context
The following parameters are used in spanning tree calculation:
l Forward Delay: determines the interval for port status transition. To prevent temporary
loops, an interface first enters the Learning state when transiting from Discarding to
Forwarding. The status transition lasts for the time specified by Forward Delay so that the
local device can synchronize the status with the remote switch.
l Hello Time: is the interval at which hello packets are sent. The switching device sends
configuration BPDUs at an interval of Hello Time to check whether links are faulty. If the
switching device does not receive any BPDU at an interval of the timeout period (timeout
period = Hello Time x 3 x Timer Factor), the switching device recalculates the spanning
tree due to BPDU timeout.
l Max Age: determines whether BPDUs expire. The switching device determines whether
the received BPDU expires based on this value. If the received BPDU expires, the spanning
tree needs to be recalculated.
Devices on a ring network must use the same values of Forward Delay, Hello Time, and Max
Age.
Generally, you are not advised to directly adjust the preceding three parameters. This is because
the three parameters are relevant to the network scale. It is recommended that the network
diameter be adjusted so that the spanning tree protocol automatically adjusts the three
parameters. When the default network diameter is used, the default values of the three parameters
are used.
CAUTION
To prevent frequent network flapping, make sure that Hello Time, Forward Delay, and Max Age
conform to the following formulas:
l 2 x (Forward Delay - 1.0 second) >= Max Age
l Max Age >= 2 x (Hello Time + 1.0 second)
Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Set Forward Delay, Hello Time, and Max Age.
1. Run:
stp timer forward-delay forward-delay
The value of Forward Delay of the switching device is set.
By default, the value of Forward Delay of the switching device is 1500 centiseconds.
2. Run:
stp timer hello hello-time
The value of Hello Time of the switching device is set.
By default, the value of Hello Time of the switching device is 200 centiseconds.
3. Run:
stp timer max-age max-age
The value of Max Age of the switching device is set.
By default, the value of Max Age of the switching device is 2000 centiseconds.
Step 3 Run:
commit
The configuration is committed.
----End
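The timeout formula in 5.5.2 and 5.6.2 and the timer constraints in the CAUTION of 5.5.3 and 5.6.3 can be verified against device configurations before they are committed. The following Python sketch is an added example, not part of the Huawei guide: it reads the stp timer and stp timer-factor lines of each device on a ring, applies the defaults from section 5.3, checks both inequalities in centiseconds, and lists timers that differ between devices. The device names and configuration text are constructed, and the default timer factor of 3 is inferred from the page's statement that the default timeout is 9 times the Hello timer value.

```python
import re

# Defaults from section 5.3, in centiseconds.
DEFAULT_TIMERS = {"forward-delay": 1500, "hello": 200, "max-age": 2000}
# Inferred: default timeout = 9 x Hello and timeout = Hello x 3 x Timer Factor.
DEFAULT_TIMER_FACTOR = 3


def parse_stp_timers(config_text):
    """Return (timers, timer_factor) for one device, falling back to defaults."""
    timers, factor = dict(DEFAULT_TIMERS), DEFAULT_TIMER_FACTOR
    for raw in config_text.splitlines():
        line = raw.strip()
        m = re.fullmatch(r"stp timer (forward-delay|hello|max-age) (\d+)", line)
        if m:
            timers[m.group(1)] = int(m.group(2))
            continue
        m = re.fullmatch(r"stp timer-factor (\d+)", line)
        if m:
            factor = int(m.group(1))
    return timers, factor


def check_timers(timers, factor):
    """Check the two CAUTION inequalities; 1.0 second is 100 centiseconds."""
    fd, hello, max_age = timers["forward-delay"], timers["hello"], timers["max-age"]
    violations = []
    if 2 * (fd - 100) < max_age:
        violations.append("2 x (Forward Delay - 1.0 second) >= Max Age")
    if max_age < 2 * (hello + 100):
        violations.append("Max Age >= 2 x (Hello Time + 1.0 second)")
    # Timeout interval = Hello Time x 3 x Timer Factor
    return {"timeout_cs": hello * 3 * factor, "violations": violations}


def audit_ring(configs):
    """configs maps device name to configuration text for one ring network."""
    parsed = {name: parse_stp_timers(text) for name, text in configs.items()}
    report = {name: check_timers(t, f) for name, (t, f) in parsed.items()}
    # Devices on a ring must use the same Forward Delay, Hello Time and Max Age.
    mismatched = sorted(
        key for key in DEFAULT_TIMERS
        if len({t[key] for t, _ in parsed.values()}) > 1)
    return report, mismatched


# Constructed sample configurations for three devices on one ring.
RING = {
    "SwitchA": "stp mode rstp\n",
    "SwitchB": "stp mode rstp\nstp timer forward-delay 1000\n",
    "SwitchC": "stp mode rstp\nstp timer hello 1000\n"
               "stp timer max-age 1500\nstp timer-factor 5\n",
}

if __name__ == "__main__":
    report, mismatched = audit_ring(RING)
    for name, result in report.items():
        print(name, result)
    print("timers that differ across the ring:", mismatched)
```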
5.6.4 Setting the Maximum Number of Connections That Affect Spanning Tree Calculation
Context
The interface path cost affects spanning tree calculation. When the path cost changes, the system
performs spanning tree recalculation. The interface path cost is affected by the bandwidth, so
you can change the interface bandwidth to affect spanning tree calculation.
As shown in Figure 5-3, deviceA and deviceB are connected through two Eth-Trunks. Eth-Trunk
1 has three member interfaces in Up state and Eth-Trunk 2 has two member interfaces in Up
state. If each member link has the same bandwidth, deviceA is selected as the root bridge.
l Eth-Trunk 1 has larger bandwidth than Eth-Trunk 2. After STP calculation, Eth-Trunk 1
on deviceB is selected as the root port and Eth-Trunk 2 is selected as the alternate port.
l If the maximum number of connections is 1 in Eth-Trunk 1, the path cost of Eth-Trunk 1
is larger than the path cost of Eth-Trunk 2. The system performs spanning tree recalculation.
Then Eth-Trunk 1 on deviceB becomes the alternate port and Eth-Trunk 2 becomes the
root port.
Figure 5-3 Setting the maximum number of connections
[Figure: SwitchA and SwitchB connected through Eth-Trunk1 and Eth-Trunk2, shown before and after configuration. Labels: Root Bridge, Designated port, Root port, Alternate port.]
NOTE
The maximum number of connections affects only the link cost of an interface where spanning tree
calculation is performed, but does not affect the actual link bandwidth. The actual bandwidth for an
Eth-Trunk to forward traffic depends on the number of active interfaces.
Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
interface eth-trunk trunk-id
The Eth-Trunk interface view is displayed.
Step 3 Run:
max bandwidth-affected-linknumber link-number
The maximum number of connections is set.
By default, the upper threshold for the number of interfaces that determine the bandwidth of an
Eth-Trunk is 16.
Step 4 Run:
commit
The configuration is committed.
----End
5.6.5 Setting the Link Type of a Port
Context
It is easy to implement rapid convergence on a P2P link. If the two ports connected to a P2P link
are root or designated ports, the ports can transit to the forwarding state quickly by sending
Proposal and Agreement packets. This reduces the forwarding delay.
Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
interface interface-type interface-number
The view of the Ethernet interface participating in STP calculation is displayed.
Step 3 Run:
stp point-to-point { auto | force-false | force-true }
The link type is configured for the interface.
By default, an interface automatically determines whether to connect to a P2P link. The P2P link
supports rapid network convergence.
Step 4 Run:
commit
The configuration is committed.
----End
5.6.6 Setting the Maximum Transmission Rate of an Interface
Context
A larger value of packet-number indicates more BPDUs sent in a hello interval and therefore
more system resources occupied. Setting the proper value of packet-number prevents excess
bandwidth usage when route flapping occurs.
Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
interface interface-type interface-number
The view of the Ethernet interface participating in STP calculation is displayed.
Step 3 Run:
stp transmit-limit packet-number
The maximum number of BPDUs sent by a port in a specified period is set.
By default, the maximum number of BPDUs that a port sends within each Hello time is .
Step 4 Run:
commit
The configuration is committed.
----End
5.6.7 Switching to the RSTP mode
Context
If an interface on an RSTP-enabled device is connected to an STP-enabled device, the interface
switches to the STP compatible mode.
If the STP-enabled device is powered off or disconnected from the RSTP-enabled device, the
interface cannot switch to the RSTP mode. In this case, you can switch the interface to the RSTP
mode by using the stp mcheck command.
In the following cases, you need to manually switch the interface to the RSTP mode:
l The STP-enabled device is shut down or disconnected.
l The STP-enabled device is switched to the RSTP mode.
Procedure
l Switching to the RSTP mode in the interface view
1. Run:
system-view
The system view is displayed.
2. Run:
interface interface-type interface-number
The view of the Ethernet interface that participates in spanning tree calculation is
displayed.
3. Run:
stp mcheck
The device is switched to the RSTP mode.
4. Run:
commit
The configuration is committed.
l Switching to the RSTP mode in the system view
1. Run:
system-view
The system view is displayed.
2. Run:
stp mcheck
The device is switched to the RSTP mode.
3. Run:
commit
The configuration is committed.
----End
5.6.8 Configuring a Port as an Edge Port and BPDU Filter Port
Context
If a designated port is located at the edge of a network and is directly connected to terminal
devices, this port is called an edge port.
An edge port does not receive or process configuration BPDUs and does not participate in RSTP
calculation. It can transit from Disable to Forwarding without any delay.
After a designated port is configured as an edge port, the port can still send BPDUs. Then BPDUs
are sent to other networks, causing flapping of other networks. You can configure a port as an
edge port and BPDU filter port so that the port does not process or send BPDUs.
CAUTION
After all ports are configured as edge ports and BPDU filter ports in the system view, none of
the ports on the device send BPDUs or negotiate the STP status with directly connected ports on
the peer device. All ports are in forwarding state. This may cause loops on the network, leading
to broadcast storms. Exercise caution when you configure a port as an edge port and BPDU filter
port.
After a port is configured as an edge port and BPDU filter port in the interface view, the port
does not process or send BPDUs. The port cannot negotiate the STP status with the directly
connected port on the peer device. Exercise caution when you configure a port as an edge port
and BPDU filter port.
Procedure
l Configuring all ports as edge ports and BPDU filter ports in the system view
1. Run:
system-view
The system view is displayed.
2. Run:
stp edged-port default
All ports are configured as edge ports.
By default, all ports are non-edge ports.
3. Run:
stp bpdu-filter default
All ports are configured as BPDU filter ports.
By default, all ports are non-BPDU filter ports.
4. Run:
commit
The configuration is committed.
l Configuring an edge port and BPDU filtering in the interface view
1. Run:
system-view
The system view is displayed.
2. Run:
interface interface-type interface-number
The view of the Ethernet interface that participates in spanning tree calculation is
displayed.
3. Run:
stp edged-port enable
The port is configured as an edge port.
By default, all ports are non-edge ports.
4. Run:
stp bpdu-filter enable
The port is configured as a BPDU filter port.
By default, a port is a non-BPDU filter port.
5. Run:
commit
The configuration is committed.
----End
5.6.9 Checking the Configuration
Procedure
l Run the display stp [ interface interface-type interface-number | slot slot-id ] [ brief ]
command to view the spanning-tree status and statistics.
----End
5.7 Configuring RSTP Protection Functions
This section describes how to configure RSTP protection functions. You can configure one or
more functions.
5.7.1 Configuring BPDU Protection on a Switching Device
Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
stp bpdu-protection
BPDU protection is enabled on the switching device.
By default, BPDU protection is disabled on the switching device.
Step 3 Run:
commit
The configuration is committed.
----End
Follow-up Procedure
To allow an edge port to automatically start after being shut down, run the error-down auto-
recovery cause bpdu-protection interval interval-value command to configure the auto
recovery function and set the delay on the port. After the delay expires, the port automatically
goes Up. Note the following when setting this parameter:
l By default, the auto recovery function is disabled, so there is no delay. When you enable
the auto recovery function, you must specify the recovery delay.
l A smaller value of interval-value indicates a shorter time taken for the edge port to go Up,
and a higher frequency at which the edge port alternates between Up and Down.
l A larger value of interval-value indicates a longer time taken for the edge port to go Up,
and a longer service interruption time.
l The auto recovery function takes effect only for the interface that transitions to the error-
down state after the error-down auto-recovery command is executed.
5.7.2 Configuring TC Protection on a Switching Device
Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
stp tc-protection
TC protection is enabled for a switching device.
By default, TC protection is not enabled on the switching device.
Step 3 Run:
stp tc-protection threshold threshold
The maximum number of times the switching device processes received TC BPDUs and updates
forwarding entries within a given time is set.
Step 4 Run:
commit
The configuration is committed.
----End
5.7.3 Configuring Root Protection on a Port
Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
interface interface-type interface-number
The view of the interface participating in STP calculation is displayed.
Step 3 Run:
stp root-protection
Root protection is enabled on the interface.
By default, root protection is disabled.
NOTE
Root protection takes effect only on designated ports.
Root protection and loop protection cannot be configured on a port simultaneously.
Step 4 Run:
commit
The configuration is committed.
----End
5.7.4 Configuring Loop Protection on a Port
Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
interface interface-type interface-number
The interface view is displayed.
Step 3 Run:
stp loop-protection
Loop protection for the root port or the alternate port is configured on the switching device.
By default, loop protection is disabled.
NOTE
An alternate port is a backup port for a root port. If a switching device has an alternate port, you need to
configure loop protection on both the root port and the alternate port.
Root protection and loop protection cannot be configured on a port simultaneously.
Step 4 Run:
commit
The configuration is committed.
----End
5.7.5 Checking the Configuration
Procedure
l Run the display stp [ interface interface-type interface-number | slot slot-id ] [ brief ]
command to view the spanning-tree status and statistics.
----End
5.8 Setting Parameters for Interworking Between the CE series switches and a Non-Huawei Device
To implement interworking between the CE series switches and a non-Huawei device, select
the fast transition mode based on the Proposal/Agreement mechanism of the non-Huawei device.
Context
The switching device supports the following modes:
l Enhanced mode: The current interface counts a root port when it calculates the
synchronization flag bit.
1. An upstream device sends a Proposal message to a downstream device requesting fast
status transition. After receiving the message, the downstream device sets the port
connected to the upstream device as the root port and blocks all non-edge ports.
2. The upstream device then sends an Agreement message to the downstream device.
After the downstream device receives the message, the root port transitions to the
Forwarding state.
3. The downstream device then responds with an Agreement message. After receiving
the message, the upstream device sets the port connected to the downstream device
as the designated port, and then the status of the designated port changes to
Forwarding.
l Common mode: The current interface ignores the root port when it calculates the
synchronization flag bit.
1. An upstream device sends a Proposal message to a downstream device requesting fast
transition. After receiving the message, the downstream device sets the port connected
to the upstream device as the root port and blocks all non-edge ports. Then, the status
of the root port changes to Forwarding.
2. The downstream device then responds with an Agreement message. After receiving
the message, the upstream device sets the port connected to the downstream device
as the designated port, and then the status of the designated port changes to
Forwarding.
On a network running STP, if the CE series switches connect to a non-Huawei device that uses
a different Proposal/Agreement mechanism, the CE series switches may fail to communicate
with the non-Huawei device. Select the enhanced mode or common mode based on the Proposal/
Agreement mechanism of the non-Huawei device.
Pre-configuration Tasks
Before setting parameters for interworking between the CE series switches and a non-Huawei
device, complete the following task:
l Configuring basic STP/RSTP functions
Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
interface interface-type interface-number
The view of the Ethernet interface that participates in STP calculation is displayed.
Step 3 Run:
stp no-agreement-check
The fast transition mechanism in common mode is used.
By default, the fast transition mechanism in enhanced mode is configured on a port.
Step 4 Run:
commit
The configuration is committed.
----End
5.9 Maintaining STP/RSTP
STP/RSTP maintenance includes resetting STP/RSTP statistics.
5.9.1 Clearing STP/RSTP Statistics
Context
CAUTION
STP/RSTP statistics cannot be restored after being cleared.
Procedure
l Run the reset stp [ interface interface-type interface-number ] statistics command to clear
spanning-tree statistics.
l Run the reset stp error packet statistics command to clear the statistics of error STP packets.
----End
5.10 Configuration Examples
This section provides several configuration examples of STP/RSTP.
5.10.1 Example for Configuring STP
Networking Requirements
On a complex network, network designers tend to deploy multiple physical links between two
devices to implement redundancy; one link is the master and the others are backups.
As a result, loops occur, causing broadcast storms or damaging MAC address entries.
After the network designer plans a network, you can deploy STP on the network to prevent loops.
When loops exist on the network, STP blocks a port to remove loops. As shown in Figure
5-4, loops occur on the network. SwitchA, SwitchB, SwitchC, and SwitchD running STP
exchange STP BPDUs to discover loops on the network and block some ports to prune the
network into a loop-free tree network. STP prevents infinite looping of packets to ensure packet
processing capabilities of switches.
Figure 5-4 Networking diagram of STP configuration
[Figure: topology with Network, SwitchA (root bridge), SwitchB, SwitchC, SwitchD, Server1, and Server2, interconnected through ports 10GE1/0/1 to 10GE1/0/3; the legend marks the port blocked by STP.]

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure the STP mode on the ring network.
2. Configure the root bridge and secondary root bridge.
3. Set path costs for ports to block certain ports.
4. Enable STP to eliminate loops.
NOTE
The interface connected to a server does not participate in STP calculation; therefore, disable STP
on it.
5. Verify the configuration.
Procedure
Step 1 Configure devices to work in STP mode on the ring network. The configurations on SwitchB,
SwitchC, and SwitchD are similar to the configurations on SwitchA, and are not mentioned here.
<HUAWEI> system-view
[~HUAWEI] sysname SwitchA
[~HUAWEI] commit
[~SwitchA] stp mode stp
[~SwitchA] commit
Step 2 Configure the root bridge and secondary root bridge.
# Configure SwitchA as a root bridge.
[~SwitchA] stp root primary
[~SwitchA] commit
# Configure SwitchB as a secondary root bridge.
[~SwitchB] stp root secondary
[~SwitchB] commit
Step 3 Set path costs for ports to block certain ports.
NOTE
l The values of path costs depend on path cost calculation methods. This example uses the Huawei
proprietary calculation method as an example to set the path costs of the ports to be blocked to 20000.
l All switching devices on a network must use the same path cost calculation method.
# On SwitchA, configure the path cost calculation method as the Huawei proprietary method.
[~SwitchA] stp pathcost-standard legacy
[~SwitchA] commit
# On SwitchB, configure the path cost calculation method as the Huawei proprietary method.
[~SwitchB] stp pathcost-standard legacy
[~SwitchB] commit
# Set the path cost of 10GE1/0/1 on SwitchC to 20000.
[~SwitchC] stp pathcost-standard legacy
[~SwitchC] interface 10ge 1/0/1
[~SwitchC-10GE1/0/1] stp cost 20000
[~SwitchC-10GE1/0/1] commit
[~SwitchC-10GE1/0/1] quit
# On SwitchD, configure the path cost calculation method as the Huawei proprietary method.
[~SwitchD] stp pathcost-standard legacy
[~SwitchD] commit
Step 4 Enable STP to eliminate loops.
l Disable STP on the interface connected to the server.
# Disable STP on 10GE1/0/2 of SwitchB.
[~SwitchB] interface 10ge 1/0/2
[~SwitchB-10GE1/0/2] stp disable
[~SwitchB-10GE1/0/2] commit
[~SwitchB-10GE1/0/2] quit
# Disable STP on 10GE1/0/2 of SwitchC.
[~SwitchC] interface 10ge 1/0/2
[~SwitchC-10GE1/0/2] stp disable
[~SwitchC-10GE1/0/2] commit
[~SwitchC-10GE1/0/2] quit
l Enable STP globally on devices. The configurations on SwitchB, SwitchC, and SwitchD are
similar to the configurations on SwitchA, and are not mentioned here.
[~SwitchA] stp enable
[~SwitchA] commit
Step 5 Verify the configuration.
After the preceding configurations are complete and the network topology becomes stable,
perform the following operations to verify the configuration.
# Run the display stp brief command on SwitchA to view the status and protection type on the
ports. The displayed information is as follows:
[~SwitchA] display stp brief
 MSTID  Port        Role  STP State   Protection  Cost   Edged
 0      10GE1/0/1   DESI  FORWARDING  NONE        2      DISABLE
 0      10GE1/0/2   DESI  FORWARDING  NONE        2      DISABLE
After SwitchA is configured as a root bridge, 10GE1/0/2 and 10GE1/0/1 connected to SwitchB
and SwitchD respectively are elected as designated ports in spanning tree calculation.
# Run the display stp interface 10GE 1/0/1 brief command on SwitchB to view the status of
10GE1/0/1. The displayed information is as follows:
[~SwitchB] display stp interface 10ge 1/0/1 brief
 MSTID  Port        Role  STP State   Protection  Cost   Edged
 0      10GE1/0/1   DESI  FORWARDING  NONE        2      DISABLE
10GE1/0/1 is elected as a designated port in spanning tree calculation and is in Forwarding state.
# Run the display stp brief command on SwitchC to check the interface status. The following
information is displayed:
[~SwitchC] display stp brief
 MSTID  Port        Role  STP State   Protection  Cost   Edged
 0      10GE1/0/1   ALTE  DISCARDING  NONE        20000  DISABLE
 0      10GE1/0/3   ROOT  FORWARDING  NONE        2      DISABLE
10GE1/0/1 is elected as an alternate port in spanning tree calculation and is in
DISCARDING state.
10GE1/0/3 is elected as a root port in spanning tree calculation and is in FORWARDING state.
----End
Configuration Files
l Configuration file of SwitchA
#
sysname SwitchA
#
stp mode stp
stp instance 0 root primary
stp pathcost-standard legacy
#
return
l Configuration file of SwitchB
#
sysname SwitchB
#
stp mode stp
stp instance 0 root secondary
stp pathcost-standard legacy
#
interface 10GE1/0/2
stp disable
#
return
l Configuration file of SwitchC
#
sysname SwitchC
#
stp mode stp
stp pathcost-standard legacy
#
interface 10GE1/0/1
stp instance 0 cost 20000
#
interface 10GE1/0/2
stp disable
#
return
l Configuration file of SwitchD
#
sysname SwitchD
#
stp mode stp
stp pathcost-standard legacy
#
return
5.10.2 Example for Configuring RSTP
Networking Requirements
On a complex network, network designers tend to deploy multiple physical links between two
devices to implement redundancy; one link is the master and the others are backups.
As a result, loops occur, causing broadcast storms or damaging MAC address entries.
After the network designer plans a network, you can deploy RSTP on the network to prevent
loops. When loops exist on the network, RSTP blocks a port to remove loops. As shown in
Figure 5-5, loops occur on the network. SwitchA, SwitchB, SwitchC, and SwitchD running
RSTP exchange STP BPDUs to discover loops on the network and block some ports to prune
the network into a loop-free tree network. RSTP prevents infinite looping of packets to ensure
packet processing capabilities of switches.
Figure 5-5 Networking diagram of RSTP configuration
[Figure: topology with Network, SwitchA (root bridge), SwitchB, SwitchC, SwitchD, Server1, and Server2, interconnected through ports 10GE1/0/1 to 10GE1/0/3; the legend marks the port blocked by RSTP.]

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure the RSTP mode on the ring network.
2. Configure the root bridge and secondary root bridge.
3. Set path costs for ports to block certain ports.
4. Enable RSTP to eliminate loops.
NOTE
The interface connected to a server does not participate in RSTP calculation; therefore, disable RSTP
on it.
5. Configure protection functions to protect devices or links.
6. Verify the configuration.
Procedure
Step 1 Configure the RSTP mode for devices on the ring network. The configurations on SwitchB,
SwitchC, and SwitchD are similar to the configurations on SwitchA, and are not mentioned here.
<HUAWEI> system-view
[~HUAWEI] sysname SwitchA
[~HUAWEI] commit
[~SwitchA] stp mode rstp
[~SwitchA] commit
Step 2 Configure the root bridge and secondary root bridge.
# Configure SwitchA as a root bridge.
[~SwitchA] stp root primary
[~SwitchA] commit
# Configure SwitchB as a secondary root bridge.
[~SwitchB] stp root secondary
[~SwitchB] commit
Step 3 Set path costs for ports to block certain ports.
NOTE
l The values of path costs depend on path cost calculation methods. This example uses the Huawei
proprietary calculation method as an example to set the path costs of the ports to be blocked to 20000.
l All switching devices on a network must use the same path cost calculation method.
# On SwitchA, configure the path cost calculation method as the Huawei proprietary method.
[~SwitchA] stp pathcost-standard legacy
[~SwitchA] commit
# On SwitchB, configure the path cost calculation method as the Huawei proprietary method.
[~SwitchB] stp pathcost-standard legacy
[~SwitchB] commit
# Set the path cost of 10GE1/0/1 on SwitchC to 20000.
[~SwitchC] stp pathcost-standard legacy
[~SwitchC] interface 10ge 1/0/1
[~SwitchC-10GE1/0/1] stp cost 20000
[~SwitchC-10GE1/0/1] commit
[~SwitchC-10GE1/0/1] quit
# On SwitchD, configure the path cost calculation method as the Huawei proprietary method.
[~SwitchD] stp pathcost-standard legacy
[~SwitchD] commit
Step 4 Enable RSTP to eliminate loops.
l Disable RSTP on the interface connected to the server.
# Disable RSTP on 10GE1/0/2 of SwitchB.
[~SwitchB] interface 10ge 1/0/2
[~SwitchB-10GE1/0/2] stp disable
[~SwitchB-10GE1/0/2] commit
[~SwitchB-10GE1/0/2] quit
# Disable RSTP on 10GE1/0/2 of SwitchC.
[~SwitchC] interface 10ge 1/0/2
[~SwitchC-10GE1/0/2] stp disable
[~SwitchC-10GE1/0/2] commit
[~SwitchC-10GE1/0/2] quit
l Enable RSTP globally on devices. The configurations on SwitchB, SwitchC, and SwitchD
are similar to the configurations on SwitchA, and are not mentioned here.
[~SwitchA] stp enable
[~SwitchA] commit
Step 5 Configure root protection on the designated port of the root bridge.
# Configure root protection on 10GE1/0/1 and 10GE1/0/2 of SwitchA.
[~SwitchA] interface 10ge 1/0/1
[~SwitchA-10GE1/0/1] stp root-protection
[~SwitchA-10GE1/0/1] quit
[~SwitchA] interface 10ge 1/0/2
[~SwitchA-10GE1/0/2] stp root-protection
[~SwitchA-10GE1/0/2] quit
[~SwitchA] commit
Step 6 Verify the configuration.
After the preceding configurations are complete and the network topology becomes stable,
perform the following operations to verify the configuration.
# Run the display stp brief command on SwitchA to view the status and protection type on the
ports. The displayed information is as follows:
[~SwitchA] display stp brief
 MSTID  Port        Role  STP State   Protection  Cost   Edged
 0      10GE1/0/1   DESI  FORWARDING  ROOT        2      DISABLE
 0      10GE1/0/2   DESI  FORWARDING  ROOT        2      DISABLE
After SwitchA is configured as a root bridge, 10GE1/0/2 and 10GE1/0/1 connected to SwitchB
and SwitchD respectively are elected as designated ports in spanning tree calculation and
configured with root protection.
# Run the display stp interface 10GE 1/0/1 brief command on SwitchB to view the status of
10GE1/0/1. The displayed information is as follows:
[~SwitchB] display stp interface 10ge 1/0/1 brief
 MSTID  Port        Role  STP State   Protection  Cost   Edged
 0      10GE1/0/1   DESI  FORWARDING  NONE        2      DISABLE
10GE1/0/1 is elected as a designated port in spanning tree calculation and is in Forwarding state.
# Run the display stp brief command on SwitchC to check the interface status. The following
information is displayed:
[~SwitchC] display stp brief
 MSTID  Port        Role  STP State   Protection  Cost   Edged
 0      10GE1/0/1   ALTE  DISCARDING  NONE        20000  DISABLE
 0      10GE1/0/3   ROOT  FORWARDING  NONE        2      DISABLE
10GE1/0/1 is elected as an alternate port in spanning tree calculation and is in
DISCARDING state.
10GE1/0/3 is elected as a root port in spanning tree calculation and is in FORWARDING state.
----End
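The verification step above can be automated by comparing a stored display stp brief capture with a later one. The following is an added example, not Huawei code: BASELINE repeats the SwitchA output of this example in line-wrapped form, LATER is a constructed capture, and the function names parse_stp_brief and drift are hypothetical.

```python
"""Compare two `display stp brief` captures and report spanning-tree drift.

Added example, not Huawei code. BASELINE is the SwitchA output of this example
with the Edged column wrapped onto its own line, as a line-wrapped capture
shows it; LATER is a constructed capture used only to exercise the checks.
"""

FIELDS = ("role", "state", "protection", "cost", "edged")


def parse_stp_brief(text):
    """Return {(mstid, port): {field: value}}; accepts a wrapped Edged column."""
    rows, last = {}, None
    for raw in text.splitlines():
        tok = raw.split()
        if not tok or tok[0] == "MSTID" or tok == ["Edged"] or tok[0][0] in "[<":
            continue                                  # blank, header or CLI prompt
        if len(tok) in (6, 7) and tok[0].isdigit() and tok[5].isdigit():
            last = (int(tok[0]), tok[1])
            rows[last] = dict(zip(FIELDS, tok[2:] + [None] * (7 - len(tok))))
            rows[last]["cost"] = int(tok[5])
        elif len(tok) == 1 and last and rows[last]["edged"] is None:
            rows[last]["edged"] = tok[0]              # wrapped Edged value
        else:
            raise ValueError(f"unrecognised line: {raw!r}")
    return rows


def drift(baseline, current, is_root_bridge=False):
    """Return alert strings for changes between two parsed captures."""
    alerts = []
    for key in sorted(baseline):
        port, old, new = key[1], baseline[key], current.get(key)
        if new is None:
            alerts.append(f"{port}: missing from the current output")
            continue
        if is_root_bridge and new["role"] == "ROOT":
            # A root bridge has no root ports, so this switch lost the root role.
            alerts.append(f"{port}: root port present, this switch is no longer the root bridge")
        for field in ("protection", "role", "state"):
            if new[field] != old[field]:
                alerts.append(f"{port}: {field} changed {old[field]} -> {new[field]}")
    for key in sorted(set(current) - set(baseline)):
        alerts.append(f"{key[1]}: not in the baseline")
    return alerts


# SwitchA output from Step 6 of this example (Edged column wrapped).
BASELINE = """
[~SwitchA] display stp brief
MSTID Port Role STP State Protection Cost
Edged
0 10GE1/0/1 DESI FORWARDING ROOT 2
DISABLE
0 10GE1/0/2 DESI FORWARDING ROOT 2
DISABLE
"""

# Constructed capture: root protection removed on 10GE1/0/1, which has become a
# root port, and a port that is not in the baseline has appeared.
LATER = """
[~SwitchA] display stp brief
 MSTID  Port        Role  STP State   Protection  Cost   Edged
 0      10GE1/0/1   ROOT  FORWARDING  NONE        2      DISABLE
 0      10GE1/0/2   DESI  FORWARDING  ROOT        2      DISABLE
 0      10GE1/0/3   DESI  FORWARDING  NONE        2      DISABLE
"""

if __name__ == "__main__":
    for alert in drift(parse_stp_brief(BASELINE), parse_stp_brief(LATER), is_root_bridge=True):
        print(alert)
```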
Configuration Files
l Configuration file of SwitchA
#
sysname SwitchA
#
stp mode rstp
stp instance 0 root primary
stp pathcost-standard legacy
#
interface 10GE1/0/1
stp root-protection
#
interface 10GE1/0/2
stp root-protection
#
return
l Configuration file of SwitchB
#
sysname SwitchB
#
stp mode rstp
stp instance 0 root secondary
stp pathcost-standard legacy
#
interface 10GE1/0/2
stp disable
#
return
l Configuration file of SwitchC
#
sysname SwitchC
#
stp mode rstp
stp pathcost-standard legacy
#
interface 10GE1/0/1
stp instance 0 cost 20000
#
interface 10GE1/0/2
stp disable
#
return
l Configuration file of SwitchD
#
sysname SwitchD
#
stp mode rstp
stp pathcost-standard legacy
#
return
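Saved configuration files such as the ones above can be checked against the rules stated in 5.6 and 5.7: root protection and loop protection are mutually exclusive on a port, a BPDU filter port stops processing BPDUs, and BPDU protection is disabled by default. The following is an added example, not Huawei code; it assumes that each protection command is stored in the saved configuration exactly as it is typed, and SwitchX with its WEAK and HARDENED configurations is constructed.

```python
"""Audit CE-series saved configurations against the STP/RSTP protection rules.

Added example, not Huawei code. Assumption: each protection command is stored
in the saved configuration exactly as it is typed in the procedures.
"""

SEVERITY = {"ERROR": 0, "WARN": 1, "INFO": 2}


def parse_config(text):
    """Split a saved configuration into global lines and per-interface lines."""
    global_lines, interfaces, current = [], {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "return":
            continue
        if line == "#":                          # '#' ends the current section
            current = None
        elif line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces.setdefault(current, [])
        elif current is None:
            global_lines.append(line)
        else:
            interfaces[current].append(line)
    return global_lines, interfaces


def audit(text):
    """Return (severity, scope, message) findings, most severe first."""
    glob, interfaces = parse_config(text)
    bpdu_protection = "stp bpdu-protection" in glob
    findings = []
    if "stp bpdu-filter default" in glob:
        findings.append(("WARN", "global", "all ports are BPDU filter ports"))
    if "stp edged-port default" in glob and not bpdu_protection:
        findings.append(("WARN", "global", "all ports are edge ports but BPDU protection is disabled"))
    for name, lines in interfaces.items():
        if "stp root-protection" in lines and "stp loop-protection" in lines:
            findings.append(("ERROR", name, "root protection and loop protection on the same port"))
        if "stp bpdu-filter enable" in lines:
            findings.append(("WARN", name, "BPDU filter: port cannot negotiate STP status with its peer"))
        if "stp edged-port enable" in lines and not bpdu_protection:
            findings.append(("WARN", name, "edge port but BPDU protection is disabled globally"))
        if "stp disable" in lines:
            findings.append(("INFO", name, "STP disabled: port takes no part in spanning-tree calculation"))
    return sorted(findings, key=lambda f: (SEVERITY[f[0]], f[1]))


# SwitchC as listed in the RSTP example of this section.
SWITCHC = """
#
sysname SwitchC
#
stp mode rstp
stp pathcost-standard legacy
#
interface 10GE1/0/1
 stp instance 0 cost 20000
#
interface 10GE1/0/2
 stp disable
#
return
"""

# Constructed access-switch configuration that breaks the rules checked above.
WEAK = """
#
sysname SwitchX
#
stp mode rstp
#
interface 10GE1/0/1
 stp root-protection
 stp loop-protection
#
interface 10GE1/0/2
 stp edged-port enable
 stp bpdu-filter enable
#
interface 10GE1/0/3
 stp edged-port enable
#
return
"""

# The same switch corrected: BPDU protection on, one protection per port, no filter.
HARDENED = (WEAK.replace("stp mode rstp", "stp mode rstp\nstp bpdu-protection")
                .replace(" stp loop-protection\n", "")
                .replace(" stp bpdu-filter enable\n", ""))

if __name__ == "__main__":
    for label, cfg in (("SwitchC", SWITCHC), ("weak", WEAK), ("hardened", HARDENED)):
        print(label)
        for severity, scope, message in audit(cfg):
            print(f"  {severity:5} {scope:10} {message}")
```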
6 MSTP Configuration
About This Chapter
The Multiple Spanning Tree Protocol (MSTP) trims a ring network into a loop-free tree network.
It prevents replication and circular propagation of packets, provides multiple redundant paths
for Virtual LAN (VLAN) data traffic, and enables load balancing.
6.1 MSTP Introduction
The Multiple Spanning Tree Protocol (MSTP) incorporates the functions of the Spanning Tree
Protocol (STP) and Rapid Spanning Tree Protocol (RSTP), and outperforms them. It enables
rapid convergence and provides load balancing across redundant paths.
6.2 MSTP Features Supported by the CE series switches
This section describes MSTP features supported by the CE series switches.
6.3 Default Configuration
This section describes the default MSTP configuration. You can change the configuration based
on actual needs.
6.4 Configuring Basic MSTP Functions
MSTP based on the basic STP/RSTP function divides a switching network into multiple regions,
each of which has multiple spanning trees that are independent of each other. MSTP isolates
different VLANs' traffic, and load-balances VLAN traffic.
6.5 Configuring MSTP Multi-Process
On a network with Layer 2 single-access rings and multi-access rings deployed, configure
multiple MSTP processes so that spanning trees of different processes are calculated
independently and do not affect each other.
6.6 Configuring MSTP Parameters on an Interface
Proper MSTP parameter settings achieve rapid convergence.
6.7 Configuring MSTP Protection Functions
This section describes how to configure MSTP protection functions. You can configure one or
more functions.
6.8 Configuring MSTP Interoperability Between Huawei Devices and Non-Huawei Devices
To communicate with a non-Huawei device, set proper parameters on the MSTP-enabled
Huawei device.
6.9 Maintaining MSTP
This section describes how to maintain MSTP.
6.10 Configuration Examples
This section provides several configuration examples of MSTP.
6.1 MSTP Introduction
The Multiple Spanning Tree Protocol (MSTP) incorporates the functions of the Spanning Tree
Protocol (STP) and Rapid Spanning Tree Protocol (RSTP), and outperforms them. It enables
rapid convergence and provides load balancing across redundant paths.
Introduction
Network designers tend to deploy multiple physical links between two devices (one link is the
master and the others are backups) to fulfill network redundancy requirements. Loops are bound
to occur on such types of complex networks.
Loops will cause broadcast storms, thereby exhausting network resources and paralyzing the
network. Loops also cause MAC address flapping that damages MAC address entries.
STP/RSTP eliminates loops on a Layer 2 network by blocking redundant links to prune the
network into a tree structure. STP/RSTP cannot implement VLAN-based load balancing because
all the VLANs on a LAN share a spanning tree. The blocked link does not carry any traffic,
which wastes bandwidth and may cause a failure to forward certain VLAN packets.
To address the deficiencies in STP and RSTP, the IEEE released the 802.1s standard in 2002,
which defines MSTP. MSTP is compatible with STP and RSTP. It implements rapid
convergence and provides multiple paths to load balance VLAN traffic.
Table 6-1 compares STP, RSTP, and MSTP in terms of the characteristics of each protocol and
their applicable environments.
Table 6-1 Comparison between STP, RSTP, and MSTP
STP
Characteristics: Ensures a loop-free tree topology that helps prevent broadcast storms and allows
for redundant links between switches.
RSTP
Characteristics:
l Ensures a loop-free tree topology that helps prevent broadcast storms and allows for redundant
links between switches.
l Provides a feedback mechanism to confirm topology convergence, implementing rapid
convergence.
Application scenarios (STP and RSTP): Irrespective of users or services, all VLANs share one
spanning tree.
MSTP
Characteristics:
l Ensures a loop-free tree topology that helps prevent broadcast storms and allows for redundant
links between switches in an MSTP region.
l Provides a feedback mechanism to confirm topology convergence, implementing rapid
convergence.
l Implements load balancing among VLANs. Traffic in different VLANs is transmitted along
different paths.
Application scenarios: User or service-specific load balancing is required. Traffic for different
VLANs is forwarded through different spanning trees, which are independent of each other.
Precautions
NOTE
l If the current switching device supports both STP and RSTP, RSTP is recommended. For details,
see STP/RSTP Configuration.
l If the current switching device supports STP or RSTP, and MSTP, MSTP is recommended.

If MSTP is deployed on a LAN, MSTIs are generated, as shown in Figure 6-1.
l MSTI 1 uses SwitchD as the root switching device to forward packets of VLAN 2.
l MSTI 2 uses SwitchF as the root switching device to forward packets of VLAN 3.
Devices within the same VLAN can communicate with each other and packets of different
VLANs are load-balanced along different paths.
Figure 6-1 Multiple spanning trees in an MST region
[Figure: SwitchA to SwitchF with Server A and Server B in VLAN 2 and Server C and Server D in VLAN 3; links are labelled VLAN2 or VLAN3; the legend shows MSTI1 (root switch: SwitchD) and MSTI2 (root switch: SwitchF).]

Basic MSTP Concepts
l MST region
An MST region contains multiple switching devices and network segments between them.
The switching devices have the following characteristics:
- MSTP-enabled
- Same region name
- Same VLAN-to-instance mapping
- Same MSTP revision number
A LAN can comprise several MST regions that are directly or indirectly connected. You
can use MSTP configuration commands to group multiple switching devices into an MST
region.
As shown in Figure 6-2, the MST region D0 contains the switching devices S1, S2, S3,
and S4. The region has three MSTIs.
Figure 6-2 MST region
[Figure: MST region D0 with switching devices S1, S2, S3, and S4. VLAN mapping: VLAN1 to MSTI1, VLAN2 and VLAN3 to MSTI2, other VLANs to MSTI0. Root switches: S3 for MSTI1, S2 for MSTI2, S1 for MSTI0 (IST). Port AP1 is labelled Master Bridge.]

l VLAN mapping table
The VLAN mapping table is an attribute of the MST region. It describes mappings between
VLANs and MSTIs. Figure 6-2 shows the VLAN mapping table of the MST region D0:
- VLAN 1 is mapped to MSTI 1.
- VLAN 2 and VLAN 3 are mapped to MSTI 2.
- Other VLANs are mapped to MSTI 0.
l Regional root
Regional roots are classified into Internal Spanning Tree (IST) and MSTI regional roots.
In regions B0, C0, and D0 on the network shown in Figure 6-4, the switching devices
closest to the Common and Internal Spanning Tree (CIST) root are IST regional roots.
An MST region can contain multiple spanning trees, each called an MSTI. An MSTI
regional root is the root of the MSTI. On the network shown in Figure 6-3, each MSTI has
its own regional root.
MSTIs are independent of each other. An MSTI can correspond to one or more VLANs,
but a VLAN can be mapped to only one MSTI.
Figure 6-3 MSTI
[Figure: an MST region whose links carry VLAN 10&20&30, VLAN 10&20, VLAN 20&30, VLAN 10&30, VLAN 30, VLAN 20, and VLAN 10, shown beside the MSTIs corresponding to VLAN 10, VLAN 20, and VLAN 30, each with its own root; the legend distinguishes MSTI links from MSTI links blocked by the protocol.]

l CIST root
On the network shown in Figure 6-4, the CIST root is the root bridge of a CIST. The CIST
root is a device in A0.
Figure 6-4 MSTP network
[Figure: MST regions A0, B0, C0, and D0; the CIST root is in A0 and three devices are labelled Region Root; the legend distinguishes the CST from the ISTs.]

l CST
A Common Spanning Tree (CST) connects all the MST regions on a switching network.
Each MST region can be considered a node. A CST is calculated by using STP or RSTP
based on all the nodes. As shown in Figure 6-4, the MST regions are connected to form a
CST.
l IST
An IST resides within an MST region.
An IST is a special MSTI with an MSTI ID of 0, called MSTI 0. An IST is a segment of the
CIST in an MST region. As shown in Figure 6-4, the switching devices in an MST region
are connected to form an IST.
l CIST
A CIST, calculated by using STP or RSTP, connects all the switching devices on a switching
network.
As shown in Figure 6-4, the ISTs and the CST form a complete spanning tree (CIST).
l SST
A Single Spanning Tree (SST) is formed in either of the following situations:
- A switching device running STP or RSTP belongs to only one spanning tree.
- An MST region has only one switching device.
As shown in Figure 6-4, the switching device in B0 is an SST.
l Port roles
Compared with RSTP, which defines root ports, designated ports, alternate ports, backup
ports, and edge ports, MSTP has two additional port types: master ports and regional edge
ports.
Table 6-2 lists all port roles in MSTP.
NOTE
Except edge ports, all ports participate in MSTP calculation.
A port can play different roles in different MSTIs.
Table 6-2 Port roles (port role: description)
Root port: A root port is the non-root bridge port closest to the root bridge. Root ports
are responsible for sending data to root bridges. Root bridges do not have
root ports.
As shown in Figure 6-5, S1 is the root; CP1 is the root port on S3; BP1 is
the root port on S2; DP1 is the root port on S4.
Designated port: The designated port on a switching device forwards bridge protocol data
units (BPDUs) to the downstream switching device.
As shown in Figure 6-5, AP2 and AP3 are designated ports on S1; BP2 is
a designated port on S2; CP2 is a designated port on S3.
Alternate port:
l An alternate port is blocked after it receives a BPDU sent by other
devices.
l An alternate port provides an alternate path to the root bridge. This path
is different than using the root port.
As shown in Figure 6-5, DP4 and AP4 are alternate ports.
Backup port:
l A backup port is blocked after it receives a BPDU sent by itself.
l A backup port provides a redundant path to a segment and is the backup
for the root port.
As shown in Figure 6-5, CP3 is a backup port.
Master port: A master port is on the shortest path connecting MST regions to the CIST
root.
BPDUs of an MST region are sent to the CIST root through the master port.
Master ports are special regional edge ports, functioning as root ports on
ISTs or CISTs and master ports in instances.
As shown in Figure 6-5, S1, S2, S3, and S4 form an MST region. AP1 on
S1, being the nearest port in the region to the CIST root, is the master port.
CloudEngine 6800&5800 Series Switches
Configuration Guide - Ethernet 6 MSTP Configuration
Issue 04 (2013-07-10) Huawei Proprietary and Confidential
Copyright Huawei Technologies Co., Ltd.
164
Port
Roles
Description
Regional
edge port
A regional edge port is located at the edge of an MST region and connects
to another MST region or an SST.
During MSTP calculation, the roles of a regional edge port in the MSTI and
the CIST instance are the same. If the regional edge port is the master port
in the CIST instance, it is the master port in all the MSTIs in the region.
As shown in Figure 6-5, AP1, DP2, and DP3 in an MST region are directly
connected to other regions, and therefore they are all regional edge ports of
the MST region.
As shown in Figure 6-5, AP1 is a regional edge port and also a master port
in the CIST. Therefore, AP1 is the master port in every MSTI in the MST
region.
Edge
port
An edge port is located at the edge of an MST region and does not connect
to any switching device.
Generally, edge ports are directly connected to terminals.
As shown in Figure 6-5, BP3 is an edge port.

Figure 6-5 Port roles
[Figure labels: S1 (Root Bridge), S2, S3, S4, MST Region, Server; ports AP1, AP2, AP3, AP4, BP1, BP2, BP3, CP1, CP2, CP3, DP1, DP2, DP3, DP4. Legend: root port, designated port, alternate port, backup port, master port, edge port, regional edge port.]

l Port status
Table 6-3 lists the MSTP port status, which is the same as the RSTP port status.
Table 6-3 Port status

| Port Status | Description |
|---|---|
| Forwarding | A port in the Forwarding state can send and receive BPDUs as well as forward user traffic. |
| Learning | This is a transition state. A port in the Learning state learns MAC addresses from user traffic to construct a MAC address table. In the Learning state, the port can send and receive BPDUs, but cannot forward user traffic. |
| Discarding | A port in the Discarding state can only receive BPDUs. |

The port status is not determined by the port role. Table 6-4 lists the port status supported
by each port role.
Table 6-4 Status of port roles

| Port Status | Root Port/Master Port | Designated Port | Regional Edge Port | Alternate Port | Backup Port |
|---|---|---|---|---|---|
| Forwarding | Yes | Yes | Yes | No | No |
| Learning | Yes | Yes | Yes | No | No |
| Discarding | Yes | Yes | Yes | Yes | Yes |

NOTE
Yes: The port supports this status.
No: The port does not support this status.
6.2 MSTP Features Supported by the CE series switches
This section describes MSTP features supported by the CE series switches.
MSTP
MSTP is used to block redundant links on the Layer 2 network and trim a network into a loop-
free tree. In MSTP, multiple MSTIs can be created and VLANs are mapped into different
instances to load-balance VLAN traffic. The basic configuration roadmap for MSTP is as
follows:
1. In a ring network, divide regions and create different instances for regions.
2. Select a switching device to function as the root bridge for each instance.
3. In each instance, calculate the shortest paths from the other switching devices to the root
bridge, and select a root port for each non-root switching device.
4. In each instance, select a designated port for each connection based on port IDs.
MSTP Multi-process
l Applicable scenario
On a network with both Layer 2 single-access rings and multi-access rings deployed,
switching devices bear both Layer 2 and Layer 3 services. To enable different rings to bear
different services, deploy MSTP multi-process. Spanning trees of different processes are
calculated independently and do not affect each other.
As shown in Figure 6-6, switching devices are connected through Layer 2 links and enabled
with MSTP. Multiple access rings exist and these rings access the MST region by using
different interfaces on SwitchA and SwitchB.
Figure 6-6 Networking diagram of MSTP multi-process
[Figure labels: Switch A, Switch B, S1, S2, S3, S4, Access Layer, Network; Instance1: VLAN2~100 (Process 1); Instance2: VLAN101~200 (Process 2).]
l Share link
As shown in Figure 6-6, the link between SwitchA and SwitchB is a Layer 2 link running
MSTP. The share link between SwitchA and SwitchB is different from the links connecting
switching devices to CEs. The ports on the share link need to participate in the calculation
for multiple access rings and MSTP processes. This allows SwitchA and SwitchB to
identify from which MST BPDUs are sent.
In addition, a port on the share link participates in the calculation for multiple MSTP
processes, and obtains different status. As a result, the port cannot determine its status.
To prevent this situation, it is defined that a port on a share link always adopts its status in
MSTP process 0 when participating in the calculation for multiple MSTP processes.
The procedure for configuring multiple MSTP processes is as follows:
1. Enable MSTP multi-process.
2. Bind interfaces to MSTP processes.
3. On the ring network, divide regions and configure MSTIs in MST regions.
4. Select a switching device as the root bridge in each MSTI.
5. In each MSTI, calculate the shortest path from the switching device to the root bridge and
select a root port for each non-root switching device.
6. Select one designated port for each connection in each MSTI based on the port ID.
7. Configure TC notification of MSTP multi-process.
Enhanced Functions of MSTP and MSTP Multi-Process
Some networks may have master ports and backup ports. For details about master ports and
backup ports, see 6.1 MSTP Introduction.
MSTP also supports the following features to meet the requirements of special applications and
extended functions:
l Proposal/Agreement mechanism to implement rapid convergence.
l Protection functions listed in Table 6-5.
l MSTP multi-process in the scenario where MSTP and STP/RSTP are used together, as shown
in Figure 6-6. MSTP multi-process implements independent spanning tree calculation
for each access ring.
l MSTP interoperability between Huawei devices and non-Huawei devices. Certain
parameters must be set on Huawei devices to ensure uninterrupted communication.
Table 6-5 MSTP protection

| MSTP Protection | Scenario | Configuration Impact |
|---|---|---|
| BPDU protection | An edge port changes into a non-edge port after receiving a BPDU, which triggers spanning tree recalculation. If an attacker keeps sending pseudo BPDUs to a switching device, network flapping occurs. | After BPDU protection is enabled, a switching device sets an edge port to the error-down state if the edge port receives a BPDU and retains the port as an edge port. In addition, the switching device sends a message to notify the NMS. The error-down edge port can only be restored by the administrator. To enable the error-down edge port to restore automatically, set the recovery delay. |
| TC-BPDU attack defense | Generally, after receiving TC BPDUs (packets for advertising network topology changes), a switching device needs to delete MAC entries and ARP entries. Frequent deletions exhaust CPU resources. | TC protection is used to suppress TC BPDUs. You can configure the number of times a switching device processes TC BPDUs within a given time period. If the number of TC BPDUs that the switching device receives within a given time exceeds the specified threshold, the switching device processes only the specified number of TC BPDUs. After the specified time period expires, the device processes the excess TC BPDUs once. This function prevents the switching device from frequently deleting MAC entries and ARP entries, saving CPU resources. |
| Root protection | Due to incorrect configurations or malicious attacks on the network, a root bridge may receive BPDUs with a higher priority than its own priority. Consequently, the legitimate root bridge is no longer able to serve as the root bridge and the network topology is changed, triggering spanning tree recalculation. This may transfer traffic from high-speed links to low-speed links, causing traffic congestion. | To address this issue, the root protection function can be configured to protect the root bridge by preserving the role of the designated port. With this function, when the designated port receives RST BPDUs with a higher priority, the port enters the Discarding state and does not forward the BPDUs. If the port does not receive any RST BPDUs with a higher priority for a certain period (double the Forward Delay), the port transitions to the Forwarding state. |
| Loop protection | A root port or an alternate port will age if link congestion or a one-way link failure occurs. After the root port ages, a switching device may re-select a root port incorrectly and after the alternate port ages, the port enters the Forwarding state. Loops may occur in such a situation. | The loop protection function can be used to prevent such network loops. If the root port or alternate port cannot receive RST BPDUs from the upstream switching device, the root port is blocked and the switching device notifies the NMS that the port enters the Discarding state. The blocked port remains in the Blocked state and no longer forwards packets. This function helps prevent loops on the network. The root port or alternate port transitions to the Forwarding state after receiving new BPDUs. |
| Share-link protection | When a switching device is dual-homed to a network and the share link of multiple processes fails, loops may occur. | Share-link protection can address such a problem. This function forcibly changes the working mode of the local switching device to RSTP. Share-link protection needs to be used together with root protection to avoid network loops. |
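
The TC protection behaviour in Table 6-5, modelled as an added example (not Huawei code): the first `threshold` TC BPDUs in each period each trigger a MAC/ARP flush, and any excess is handled by a single flush when the period expires. The threshold of 3, the 2000 ms period, the alignment of periods to time 0 and the arrival times are constructed assumptions.

```python
from collections import defaultdict

# Constructed input: 200 TC BPDUs arriving every 20 ms for 4 s (a flapping or
# hostile neighbour), followed by one ordinary topology change at t = 10 s.
BURST = list(range(0, 4000, 20)) + [10000]


def tc_periods(arrivals_ms, interval_ms):
    """Group TC BPDU arrival times (ms) into consecutive fixed-length periods."""
    periods = defaultdict(list)
    for t in sorted(arrivals_ms):
        periods[t // interval_ms].append(t)
    return periods


def flush_times(arrivals_ms, threshold=None, interval_ms=2000):
    """Return the times (ms) at which MAC and ARP entries are deleted.

    threshold=None models a device without TC protection: every TC BPDU
    triggers a deletion. Otherwise only `threshold` TC BPDUs are processed
    per period, and the excess is processed once when the period expires.
    """
    if threshold is None:
        return sorted(arrivals_ms)
    flushes = []
    for index, times in sorted(tc_periods(arrivals_ms, interval_ms).items()):
        flushes.extend(times[:threshold])
        if len(times) > threshold:
            # One deferred deletion covers all excess TC BPDUs of this period.
            flushes.append((index + 1) * interval_ms)
    return flushes


def suppressed_periods(arrivals_ms, threshold, interval_ms=2000):
    """Periods worth alerting on: (period start, TC BPDUs received, deferred)."""
    return [
        (index * interval_ms, len(times), len(times) - threshold)
        for index, times in sorted(tc_periods(arrivals_ms, interval_ms).items())
        if len(times) > threshold
    ]


if __name__ == "__main__":
    print("flushes without TC protection:", len(flush_times(BURST)))
    print("flushes with TC protection:   ", len(flush_times(BURST, 3, 2000)))
    for start, received, deferred in suppressed_periods(BURST, 3, 2000):
        print(f"period starting {start} ms: {received} TC BPDUs, {deferred} deferred")
```

Periods in which TC BPDUs were deferred are the ones to correlate with the receiving port when looking for the source of the topology changes.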

6.3 Default Configuration
This section describes the default MSTP configuration. You can change the configuration based
on actual needs.
| Parameter | Default Setting |
|---|---|
| Working mode | MSTP |
| MSTP status | MSTP is enabled globally and on an interface. |
| Switching device priority | 32768 |
| Port priority | 128 |
| Algorithm used to calculate the default path cost | dot1t, IEEE 802.1t |
| Forward Delay Time | 1500 centiseconds |
| Hello Time | 200 centiseconds |
| Max Age Time | 2000 centiseconds |

6.4 Configuring Basic MSTP Functions
Building on the basic STP/RSTP function, MSTP divides a switching network into multiple regions,
each of which has multiple spanning trees that are independent of each other. MSTP isolates
different VLANs' traffic, and load-balances VLAN traffic.
Context
MSTP is commonly configured on switching devices to trim a ring network to a loop-free
network. Devices start spanning tree calculation after the working mode is set and MSTP is
enabled. Use any of the following methods if you need to intervene in the spanning tree
calculation:
l Manually configure the root bridge and secondary root bridge.
l Set a priority for a switching device in an MSTI: The lower the numerical value, the higher
the priority of the switching device and the more likely the switching device becomes a
root bridge; the higher the numerical value, the lower the priority of the switching device
and the less likely that the switching device becomes a root bridge.
l Set a path cost for a port in an MSTI: With the same calculation method, the lower the
numerical value, the smaller the cost of the path from the port to the root bridge and the
more likely the port becomes a root port; the higher the numerical value, the larger the cost
of the path from the port to the root bridge and the less likely that the port becomes a root
port.
l Set a priority for a port in an MSTI: The lower the numerical value, the more likely the port
becomes a designated port; the higher the numerical value, the less likely that the port
becomes a designated port.
6.4.1 Configuring the MSTP Mode
Context
Before configuring basic MSTP functions, set the working mode of a switching device to MSTP.
MSTP is compatible with STP and RSTP.
Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
stp mode mstp
The working mode of the switching device is set to MSTP. By default, the working mode is
MSTP.
STP and MSTP cannot recognize packets of each other, but MSTP and RSTP can. If an MSTP-
enabled switching device is connected to switching devices running STP, interfaces of the
MSTP-enabled switching device connected to devices running STP automatically transition to
STP mode, and other interfaces still work in MSTP mode. This enables devices running different
spanning tree protocols to interwork with each other.
Step 3 Run:
commit
The configuration is committed.
----End
6.4.2 Configuring an MST Region
Context
An MST region contains multiple directly connected switching devices and network segments
between these switching devices. These switching devices run MSTP and have the same MST
region name, VLAN mapping table, and MSTP revision level. A switching network can contain
multiple MST regions. You can run MSTP configuration commands to divide multiple switching
devices into an MST region.
CAUTION
Two switching devices belong to the same MST region when the following items are identical
on both devices:
l MST region name
l Mapping between VLANs and MSTIs
l Revision level of the MST region
Do as follows on the switching device that needs to be added to the MST region.
Procedure
l Configure the name of an MST region.
1. Run:
system-view
The system view is displayed.
2. Run:
stp region-configuration
The MST region view is displayed.
3. Run:
region-name name
The name of an MST region is configured.
By default, the name of an MST region is the MAC address of the management
network port on the main control board of the switching device.
4. (Optional) Run:
check region-configuration
The device is configured to check the MST region name.
5. Run:
commit
The configuration is committed.
l Configure the mapping between MSTIs and VLANs.
You can configure the mapping between MSTIs and VLANs in the MST region view and
VLAN instance view.
Configure the mapping between an MSTI and VLANs in the MST region view.
1. Run:
system-view
The system view is displayed.
2. Run:
stp region-configuration
The MST region view is displayed.
3. Run:
instance instance-id vlan { vlan-id1 [ to vlan-id2 ] }&<1-10>
The mapping between MSTIs and VLANs is configured.
By default, all VLANs in an MST region are mapped to MSTI 0.
NOTE
A VLAN can be mapped to only one MSTI. After a VLAN has been mapped to an MSTI, the
previous mapping is deleted if you map the VLAN to another MSTI.
4. (Optional) Run:
check region-configuration
The device is configured to check the mapping between MSTIs and VLANs.
5. Run:
commit
The configuration is committed.
Configure the mapping between an MSTI and VLANs in the VLAN instance view.
1. Run:
system-view
The system view is displayed.
2. Run:
vlan instance
The VLAN instance view is displayed.
3. Run:
instance instance-id vlan { vlan-id1 [ to vlan-id2 ] }&<1-10>
The mapping between MSTIs and VLANs is configured.
By default, all VLANs in VLAN instance view are mapped to MSTI 0.
NOTE
The vlan instance and stp region-configuration commands cannot be used simultaneously.
4. (Optional) Run:
check vlan instance mapping
The configuration is checked.
5. Run:
commit
The configuration is committed.
l (Optional) Configure the revision level of the MST region.
1. Run:
system-view
The system view is displayed.
2. Run:
stp region-configuration
The MST region view is displayed.
3. Run:
revision-level level
The MSTP revision level of the MST region is configured.
By default, the revision level of an MST region is 0.
If the MSTP revision level of the MST region in which the switching device resides is not
0, perform this operation.
4. (Optional) Run:
check region-configuration
The device is configured to check the MSTP revision level of the MST region.
5. Run:
commit
The configuration is committed.
----End
6.4.3 (Optional) Configuring the Root Bridge and Secondary Root Bridge
Context
The root bridge can be determined through spanning tree calculation. You can also manually
configure the root bridge or secondary root bridge.
l A switching device plays different roles in different spanning trees. The switching device
can function as the root switch or secondary root switch of one spanning tree and as the root
switch or secondary root switch of another spanning tree. Within the same spanning tree,
however, the switching device can function as only one of the two: the root switch or the
secondary root switch.
l In a spanning tree, only one root bridge takes effect. When two or more than two devices
are specified as root bridges of a spanning tree, the device with the smallest MAC address
is used as the root bridge.
l You can specify multiple secondary root bridges for each spanning tree. When the root
bridge fails or is powered off, the secondary root bridge becomes the new root bridge. If a
new root bridge is specified, the secondary root bridge will not become the root bridge. If
multiple secondary root bridges are configured, the secondary root bridge with smallest
MAC address will become the root bridge of the spanning tree.
NOTE
It is recommended that the root bridge and secondary root bridge be configured manually.
Procedure
l Perform the following operations on the device to be used as the root bridge.
1. Run:
system-view
The system view is displayed.
2. Run:
stp [ instance instance-id ] root primary
The device is configured as the root bridge.
By default, a switching device does not function as the root bridge. After the
configuration is complete, the priority value of the device is 0 and cannot be changed.
If instance is not specified, the device in MSTI 0 is a root bridge.
3. Run:
commit
The configuration is committed.
l Perform the following operations on the device to be used as the secondary root bridge.
1. Run:
system-view
The system view is displayed.
2. Run:
stp [ instance instance-id ] root secondary
The device is configured as the secondary root bridge.
By default, a switching device does not function as the secondary root bridge. After
the configuration is complete, the priority value of the device is 4096 and cannot be
changed.
If instance is not specified, the device in MSTI 0 is a backup root bridge.
3. Run:
commit
The configuration is committed.
----End
6.4.4 (Optional) Configuring a Priority for a Switching Device in an MSTI
Context
In an MSTI, there is only one root bridge, which is the logic center of the MSTI. During root
bridge selection, a high-performance switching device at a high network layer should be selected
as the root bridge; however, the priority of such a device may not be the highest on the network.
It is therefore necessary to set a high priority for the switching device to ensure that the device
functions as a root bridge.
Low-performance devices at lower network layers are not fit to serve as a root bridge. Therefore,
set low priorities for these devices.
A switching device with a high priority is more likely to be selected as the root bridge in an
MSTI. A smaller priority value indicates a higher priority.
Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
stp [ instance instance-id ] priority priority
A priority is set for the switching device in an MSTI.
The default priority value of the switching device is 32768.
If the instance-id is not designated, a priority is set for the switching device in MSTI0.
NOTE
If the stp [ instance instance-id ] root primary or stp [ instance instance-id ] root secondary command
has been executed to configure the device as the root bridge or secondary root bridge, to change the device
priority, run the undo stp [ instance instance-id ] root command to disable the root bridge or secondary
root bridge function and run the stp [ instance instance-id ] priority priority command to set a priority.
Step 3 Run:
commit
The configuration is committed.
----End
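
The root bridge rules from 6.4.3 and 6.4.4, as an added example (not Huawei code): it ranks the devices of each MSTI by priority value and then MAC address, and reports where a planned configuration would not elect the intended root or secondary root. The device names follow Figure 6-5; the MAC addresses, the per-instance priorities and the intended roles are constructed.

```python
DEFAULT_PRIORITY = 32768  # default switching device priority stated in this guide

# Constructed plan. Priority 0 is the result of "stp instance N root primary",
# 4096 of "stp instance N root secondary"; unlisted instances keep the default.
PLAN = [
    {"name": "S1", "mac": "00e0-fc00-0a01", "priority": {1: 0, 2: 4096}},
    {"name": "S2", "mac": "00e0-fc00-0a02", "priority": {1: 4096, 2: 0}},
    {"name": "S3", "mac": "00e0-fc00-0a03", "priority": {}},
    # Misconfiguration: S4 was also made root primary in MSTI 2.
    {"name": "S4", "mac": "00e0-fc00-0901", "priority": {2: 0}},
]


def bridge_id(device, msti):
    """(priority, MAC) pair; the numerically smallest pair wins the election."""
    priority = device["priority"].get(msti, DEFAULT_PRIORITY)
    return (priority, int(device["mac"].replace("-", ""), 16))


def audit_msti(devices, msti, want_root, want_secondary):
    """Return findings for one MSTI; an empty list means the plan holds."""
    ranked = sorted(devices, key=lambda d: bridge_id(d, msti))
    root, runner_up = ranked[0], ranked[1]
    findings = []
    if root["name"] != want_root:
        findings.append(
            f"MSTI {msti}: {root['name']} wins the election, not {want_root}")
    if bridge_id(root, msti)[0] == bridge_id(runner_up, msti)[0]:
        # Equal priority values: only the smaller MAC address decides.
        findings.append(
            f"MSTI {msti}: root decided by MAC address between "
            f"{root['name']} and {runner_up['name']}")
    # Who becomes root if the intended root fails or is powered off?
    survivors = [d for d in ranked if d["name"] != want_root]
    if survivors[0]["name"] != want_secondary:
        findings.append(
            f"MSTI {msti}: if {want_root} fails, {survivors[0]['name']} "
            f"takes over, not {want_secondary}")
    return findings


if __name__ == "__main__":
    for msti, root, secondary in [(1, "S1", "S2"), (2, "S2", "S1")]:
        for finding in audit_msti(PLAN, msti, root, secondary) or [f"MSTI {msti}: ok"]:
            print(finding)
```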
6.4.5 (Optional) Configuring a Path Cost of a Port in an MSTI
Context
A path cost is port-specific and is used by MSTP to select a link.
Path costs of ports are an important basis for calculating spanning trees. If you set different path
costs for a port in different MSTIs, VLAN traffic can be transmitted along different physical
links for load balancing.
The MSTP path cost determines root port selection in an MSTI. The port with the lowest path
cost to the root bridge is selected as the root port.
If a network has loops, it is recommended that you set a relatively large path cost for ports with
low link rates. MSTP then blocks these ports.
Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
stp pathcost-standard { dot1d-1998 | dot1t | legacy }
A path cost calculation method is configured.
By default, the IEEE 802.1t standard (dot1t) is used to calculate the default path cost.
All switching devices on a network must use the same path cost calculation method.
Step 3 Run:
interface interface-type interface-number
The Ethernet interface view is displayed.
Step 4 Run:
stp instance instance-id cost cost
A path cost is set for the port in the current MSTI.
l When the Huawei proprietary calculation method is used, cost ranges from 1 to 200000.
l When the IEEE 802.1d standard method is used, cost ranges from 1 to 65535.
l When the IEEE 802.1t standard method is used, cost ranges from 1 to 200000000.
Step 5 Run:
commit
The configuration is committed.
----End
6.4.6 (Optional) Configuring a Port Priority in an MSTI
Context
During spanning tree calculation, port priorities in MSTIs determine which ports are selected as
designated ports.
To block a port in an MSTI to eliminate loops, set the port priority value to larger than the default
value. This port will be blocked during designated port selection.
Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
interface interface-type interface-number
The Ethernet interface view is displayed.
Step 3 Run:
stp instance instance-id port priority priority
A port priority is set in an MSTI.
By default, the port priority is 128.
The value range of the priority is from 0 to 240, in steps of 16.
Step 4 Run:
commit
The configuration is committed.
----End
6.4.7 Enabling MSTP
Context
After configuring basic MSTP functions on a switching device, enable the MSTP function.
After MSTP is enabled on a ring network, it immediately calculates spanning trees on the
network. Configurations on the switching device, such as the switching device priority and port
priority, will affect spanning tree calculation. Any change to the configurations may cause
network flapping. Therefore, to ensure rapid and stable spanning tree calculation, perform basic
configurations on the switching device and its ports and enable MSTP.
Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
stp enable
MSTP is enabled on the switching device.
Step 3 Run:
commit
The configuration is committed.
----End
6.4.8 Checking the Configuration
Procedure
l Run the display stp [ instance instance-id ] [ interface interface-type interface-number |
slot slot-id ] [ brief ] command to view spanning-tree status and statistics.
l Run the display stp region-configuration command to view configurations of activated
MST regions.
l Run the display stp region-configuration digest command to view the digest
configurations of activated MST regions.
----End
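
The region-membership rule from 6.4.2, checked offline as an added example (not Huawei code): it parses the region commands of two constructed configurations, computes the MST Configuration Digest as IEEE 802.1Q defines it (HMAC-MD5 over the 4096-entry VLAN-to-MSTI table with the standard's fixed key), and names the item on which the two devices differ. The region name RG1, revision level 1 and the VLAN ranges are constructed; that the digest printed by display stp region-configuration digest follows the same definition is an assumption.

```python
import hashlib
import hmac
import re
import struct

# Fixed signature key that IEEE 802.1Q specifies for the MST Configuration Digest.
DIGEST_KEY = bytes.fromhex("13AC06A62E47FD51F95D2BA243CD0346")

# Constructed region configurations of two switches meant to share one region.
SWITCH_A = """
stp region-configuration
 region-name RG1
 revision-level 1
 instance 1 vlan 2 to 100
 instance 2 vlan 101 to 200
"""
SWITCH_B = """
stp region-configuration
 region-name RG1
 revision-level 1
 instance 1 vlan 2 to 100
 instance 2 vlan 101 to 199
"""


def parse_region(config_text):
    """Build the three region identifiers from the commands in 6.4.2."""
    # name=None stands for the default name (a device MAC address), not modelled.
    region = {"name": None, "revision": 0, "vlan_to_msti": [0] * 4096}
    for line in config_text.splitlines():
        words = line.split()
        if len(words) == 2 and words[0] == "region-name":
            region["name"] = words[1]
        elif len(words) == 2 and words[0] == "revision-level":
            region["revision"] = int(words[1])
        elif len(words) > 3 and words[0] == "instance" and words[2] == "vlan":
            msti = int(words[1])
            groups = re.findall(r"(\d+)(?:\s+to\s+(\d+))?", " ".join(words[3:]))
            if not 1 <= len(groups) <= 10:  # the &<1-10> repetition limit
                raise ValueError(f"expected 1 to 10 VLAN groups: {line.strip()}")
            for low, high in groups:
                low, high = int(low), int(high or low)
                if not 1 <= low <= high <= 4094:
                    raise ValueError(f"bad VLAN range: {line.strip()}")
                for vid in range(low, high + 1):
                    # A VLAN maps to one MSTI only: a later mapping replaces it.
                    region["vlan_to_msti"][vid] = msti
    return region


def config_digest(vlan_to_msti):
    """HMAC-MD5 over 4096 two-octet MSTIDs; entries for VID 0 and 4095 are 0."""
    table = list(vlan_to_msti)
    table[0] = table[4095] = 0
    data = struct.pack(">4096H", *table)
    return hmac.new(DIGEST_KEY, data, hashlib.md5).hexdigest().upper()


def region_mismatches(a, b):
    """List the region identifiers on which two parsed configurations differ."""
    diffs = []
    if a["name"] != b["name"]:
        diffs.append("MST region name")
    if a["revision"] != b["revision"]:
        diffs.append("revision level")
    if config_digest(a["vlan_to_msti"]) != config_digest(b["vlan_to_msti"]):
        diffs.append("VLAN-to-MSTI mapping")
    return diffs


if __name__ == "__main__":
    a, b = parse_region(SWITCH_A), parse_region(SWITCH_B)
    print("A digest:", config_digest(a["vlan_to_msti"]))
    print("B digest:", config_digest(b["vlan_to_msti"]))
    print("mismatch:", region_mismatches(a, b) or "none, same MST region")
```

A single VLAN left out of a range (VLAN 200 on the second switch) changes the digest, so the two devices form separate regions.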
6.5 Configuring MSTP Multi-Process
On a network with Layer 2 single-access rings and multi-access rings deployed, configure
multiple MSTP processes so that spanning trees of different processes are calculated
independently and do not affect each other.
Pre-configuration Tasks
MSTP ensures that spanning trees in rings are calculated independently. After MSTP multi-
process is enabled, each MSTP process can manage some ports on a device. Layer 2 interfaces
are managed by multiple MSTP processes, each of which runs the standard MSTP.
Before configuring MSTP multi-process, complete the following task:
l Completing and activating the MST region configuration
6.5.1 Creating an MSTP Process
Context
A process ID uniquely identifies an MSTP multi-process. After an MSTP device binds its ports
to different processes, the MSTP device performs the MSTP calculation based on processes, and
only relevant ports in each process take part in MSTP calculation. Do as follows on the devices
connected to access rings:
Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
stp process process-id
An MSTP process is created and the MSTP process view is displayed.
Step 3 Run:
stp mode mstp
A working mode is configured for the MSTP process.
The default mode is MSTP.
NOTE
l After a device starts, there is a default MSTP process with the ID 0. MSTP configurations in the system
view and interface view belong to this process. The default working mode of this process is MSTP.
l To add an interface to an MSTP process with a non-zero ID, run the stp process command and
then the stp binding process command.
Step 4 Run:
commit
The configuration is committed.
----End
6.5.2 Adding a Port to an MSTP Process
Context
After being added to MSTP processes, interfaces can participate in MSTP calculation:
l The links connecting MSTP devices and access rings are called access links.
l The link shared by multiple access rings is called a share link. The interfaces on the share
link need to participate in MSTP calculation in multiple access rings in different MSTP
processes.
Procedure
l Adding a port to an MSTP process-access link
1. Run:
system-view
The system view is displayed.
2. Run:
interface interface-type interface-number
The Ethernet interface view is displayed.
The interface specified in this command must be the interface that connects the device
and the access ring.
3. Run:
stp binding process process-id
The port is added to the specified MSTP process.
l Adding a port to an MSTP process-share link
1. Run:
system-view
The system view is displayed.
2. Run:
interface interface-type interface-number
The view of the Ethernet interface that participates in spanning tree calculation is
displayed.
The interface specified in this command must be an interface on the share link between
the devices configured with MSTP multi-process but not the interfaces that connect
an access ring and a device.
3. Run:
stp binding process process-id1 [ to process-id2 ] link-share
The port is added to multiple MSTP processes to complete MSTP calculation.
NOTE
In an MSTP process where there are multiple share links, run the stp enable command in the
MSTP multi-instance view. On an interface that is added to an MSTP process in link-share
mode, run the stp enable command in the interface view.
----End
6.5.3 (Optional) Configuring the Root Bridge and Secondary Root Bridge
Context
The root bridge can be determined through spanning tree calculation. You can also manually
configure the root bridge or secondary root bridge.
l A switching device plays different roles in different spanning trees. The switching device
can function as the root switch or secondary root switch of one spanning tree and as the root
switch or secondary root switch of another spanning tree. Within the same spanning tree,
however, the switching device can function as only one of the two: the root switch or the
secondary root switch.
l In a spanning tree, only one root bridge takes effect. When two or more than two devices
are specified as root bridges of a spanning tree, the device with the smallest MAC address
is used as the root bridge.
l You can specify multiple secondary root bridges for each spanning tree. When the root
bridge fails or is powered off, the secondary root bridge becomes the new root bridge. If a
new root bridge is specified, the secondary root bridge will not become the root bridge. If
multiple secondary root bridges are configured, the secondary root bridge with smallest
MAC address will become the root bridge of the spanning tree.
NOTE
It is recommended that the root bridge and secondary root bridge be configured manually.
Procedure
l Perform the following operations on the device to be used as the root bridge.
1. Run:
system-view
The system view is displayed.
2. Run:
stp process process-id
The MSTP process view is displayed.
3. Run:
stp [ instance instance-id ] root primary
The device is configured as the root bridge.
By default, a switching device does not function as the root bridge. After the
configuration is complete, the BID of the device is 0 and cannot be changed.
If instance is not specified, the device in MSTI 0 is a root bridge.
4. Run:
commit
The configuration is committed.
l Perform the following operations on the device to be used as the secondary root bridge.
1. Run:
system-view
The system view is displayed.
2. Run:
stp process process-id
The MSTP process view is displayed.
3. Run:
stp [ instance instance-id ] root secondary
The device is configured as the secondary root bridge.
By default, a switching device does not function as the secondary root bridge. After
the configuration is complete, the BID of the device is 4096 and cannot be changed.
If instance is not specified, the device in MSTI 0 is a secondary root bridge.
4. Run:
commit
The configuration is committed.
----End
6.5.4 (Optional) Configuring a Priority for a Switching Device in an
MSTI
Context
In an MSTI, there is only one root bridge, which is the logical center of the MSTI. During root
bridge selection, a high-performance switching device at a high network layer should be selected
as the root bridge; however, the priority of such a device may not be the highest on the network.
It is therefore necessary to set a high priority for the switching device to ensure that the device
functions as a root bridge.
A switching device with a high priority is more likely to be selected as the root bridge in an
MSTI. A smaller priority value indicates a higher priority.
Low-performance devices at lower network layers are not fit to serve as a root bridge. Therefore,
set low priorities for these devices.
Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
stp process process-id
The MSTP process view is displayed.
Step 3 Run:
stp [ instance instance-id ] priority priority
A priority is set for the switching device in an MSTI.
The default priority value of the switching device is 32768.
If the instance is not designated, a priority is set for the switching device in MSTI0.
NOTE
l To configure a switching device as the primary root bridge, run the stp [ instance instance-id ] root
primary command directly. The priority value of this switching device is 0.
l To configure a switching device as the secondary root bridge, run the stp [ instance instance-id ] root
secondary command. The priority value of this switching device is 4096.
In an MSTI, a switching device cannot act as the primary root bridge and secondary root bridge at the
same time.
l If the stp [ instance instance-id ] root primary or stp [ instance instance-id ] root secondary command
has been executed to configure the device as the root bridge or secondary root bridge, to change the
device priority, run the undo stp [ instance instance-id ] root command to disable the root bridge or
secondary root bridge function and run the stp [ instance instance-id ] priority priority command to
set a priority.
Step 4 Run:
commit
The configuration is committed.
----End
6.5.5 (Optional) Configuring a Path Cost of a Port in an MSTI
Context
A path cost is port-specific and is used by MSTP to select a link.
Path costs of ports are an important basis for calculating spanning trees. If you set different path
costs for a port in different MSTIs, VLAN traffic can be transmitted along different physical
links for load balancing.
The MSTP path cost determines root port selection in an MSTI. The port with the lowest path
cost to the root bridge is selected as the root port.
If a network has loops, it is recommended that you set a relatively large path cost for ports with
low link rates. MSTP then blocks these ports.
Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
stp pathcost-standard { dot1d-1998 | dot1t | legacy }
A path cost calculation method is configured.
By default, the IEEE 802.1t standard (dot1t) is used to calculate the default path cost.
All switching devices on a network must use the same path cost calculation method.
Step 3 Run:
interface interface-type interface-number
The Ethernet interface view is displayed.
Step 4 Run:
stp binding process process-id
A port is bound to an MSTP process.
Step 5 Run:
stp [ process process-id ] instance instance-id cost cost
A path cost is set for the port in the current MSTI.
l When the Huawei proprietary calculation method is used, cost ranges from 1 to 200000.
l When the IEEE 802.1d standard method is used, cost ranges from 1 to 65535.
l When the IEEE 802.1t standard method is used, cost ranges from 1 to 200000000.
Step 6 Run:
commit
The configuration is committed.
----End
6.5.6 (Optional) Configuring a Port Priority in an MSTI
Context
During spanning tree calculation, port priorities in MSTIs determine which ports are selected as
designated ports.
To block a port in an MSTI to eliminate loops, set the port priority to a value larger than the default
value. This port will be blocked during designated port selection.
Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
interface interface-type interface-number
The Ethernet interface view is displayed.
Step 3 Run:
stp binding process process-id
A port is bound to an MSTP process.
Step 4 Run:
stp [ process process-id ] instance instance-id port priority priority
A port priority is set in an MSTI.
By default, the port priority is 128.
The value range of the priority is from 0 to 240, in steps of 16.
Step 5 Run:
commit
The configuration is committed.
----End
6.5.7 Configuring TC Notification in MSTP Multi-process
Context
After the TC notification function is configured for MSTP multi-process, the current MSTP
process can notify the MSTIs in other specified MSTP processes to refresh MAC address entries
and ARP entries after receiving a TC-BPDU. Nonstop services are ensured. Do as follows on
the devices connected to access rings:
Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
stp process process-id
The view of the created MSTP process is displayed.
Step 3 Run:
stp tc-notify process 0
TC notification is enabled in the MSTP process.
After the stp tc-notify process 0 command is run, the current MSTP process notifies the MSTIs
in MSTP process 0 to update MAC entries and ARP entries after receiving a TC-BPDU. This
prevents services from being interrupted.
Step 4 Run:
commit
The configuration is committed.
----End
6.5.8 Enabling MSTP
Context
After MSTP multi-process is enabled on the switching device, you must enable MSTP in the
MSTP process view so that the MSTP configuration can take effect in the MSTP process.
After MSTP is enabled on a ring network, it immediately calculates spanning trees on the
network. Configurations on the switching device, such as the switching device priority and port
priority, will affect spanning tree calculation. Any change to the configurations may cause
network flapping. Therefore, to ensure rapid and stable spanning tree calculation, perform basic
configurations on the switching device and its ports and then enable MSTP.
Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
stp process process-id
The view of a created MSTP process is displayed.
Step 3 Run:
stp enable
MSTP is enabled on the MSTP process of the device.
By default, MSTP is disabled on an MSTP process.
Step 4 Run:
commit
The configuration is committed.
----End
6.5.9 Checking the Configuration
Procedure
Step 1 Run the display stp process process-id [ instance instance-id ] [ interface interface-type
interface-number | slot slot-id ] [ brief ] command to view spanning-tree status and statistics.
----End
6.6 Configuring MSTP Parameters on an Interface
Proper MSTP parameter settings achieve rapid convergence.
Pre-configuration Tasks
Before configuring MSTP parameters that affect route convergence, complete the following
task:
l Configuring MSTP or MSTP multi-process
6.6.1 Setting the MSTP Network Diameter
Context
On a switched network, any two terminals on the switching network are connected through a
specific path along which multiple devices reside. The network diameter is the maximum number
of devices between any two terminals. A larger network diameter indicates a larger network
scale.
An improper network diameter may cause slow network convergence and affect
communication. Run the stp bridge-diameter command to set a network diameter based on the
network scale, which helps speed up convergence.
It is recommended that all devices use the same network diameter.
Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 (Optional) Run:
stp process process-id
The MSTP process view is displayed.
NOTE
This step is needed only when you perform configurations in an MSTP process with a non-zero ID. If you
perform configurations in the MSTP process 0, skip this step.
Step 3 Run:
stp bridge-diameter diameter
The network diameter is configured.
By default, the network diameter is 7.
NOTE
l RSTP uses a single spanning tree instance on the entire network. As a result, performance deterioration
cannot be prevented when the network scale grows. Therefore, the network diameter cannot be larger
than 7.
l It is recommended that you run the stp bridge-diameter diameter command to set the network
diameter. Then, the switching device calculates the optimal Forward Delay period, Hello timer value,
and Max Age timer value based on the set network diameter.
Step 4 Run:
commit
The configuration is committed.
----End
6.6.2 Setting the MSTP Timeout Interval
Context
If the device does not receive any BPDU from the upstream device in the set period, the device
considers that the upstream device fails and then it re-calculates its spanning tree.
Sometimes, the device does not receive a BPDU from the upstream device for a long time because
the upstream device is very busy. In this case, the device should not re-calculate its spanning
tree. Therefore, you can set a long period for the device on a stable network to avoid wasting
network resources.
If the local switching device does not receive a BPDU from the upstream switching device within
the timeout interval, spanning tree recalculation is performed. The timeout interval is calculated
as follows:
l Timeout interval = Hello time x 3 x Timer Factor
Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 (Optional) Run:
stp process process-id
The MSTP process view is displayed.
NOTE
This step is needed only when you perform configurations in an MSTP process with a non-zero ID. If you
perform configurations in the MSTP process 0, skip this step.
Step 3 Run:
stp timer-factor factor
The timeout period for waiting for BPDUs from the upstream device is set.
By default, the timeout period is 9 times the Hello timer value.
Step 4 Run:
commit
The configuration is committed.
----End
6.6.3 Setting the Values of MSTP Timers
Context
The following parameters are used in spanning tree calculation:
l Forward Delay: determines the interval for port status transition. To prevent temporary
loops, an interface first enters the Learning state when transiting from Discarding to
Forwarding. The status transition lasts for the time specified by Forward Delay so that the
local device can synchronize the status with the remote switch.
l Hello Time: is the interval at which hello packets are sent. The switching device sends
configuration BPDUs at an interval of Hello Time to check whether links are faulty. If the
switching device does not receive any BPDU within the timeout period (timeout
period = Hello Time x 3 x Timer Factor), the switching device recalculates the spanning
tree due to BPDU timeout.
l Max Age: determines whether BPDUs expire. The switching device determines whether
the received BPDU expires based on this value. If the received BPDU expires, the spanning
tree needs to be recalculated.
Devices on a ring network must use the same values of Forward Delay, Hello Time, and Max
Age.
Generally, you are not advised to directly adjust the preceding three parameters. This is because
the three parameters are relevant to the network scale. It is recommended that the network
diameter be adjusted so that the spanning tree protocol automatically adjusts the three
parameters. When the default network diameter is used, the default values of the three parameters
are used.
CAUTION
To prevent frequent network flapping, make sure that Hello Time, Forward Delay, and Max Age
conform to the following formulas:
l 2 x (Forward Delay - 1.0 second) >= Max Age
l Max Age >= 2 x (Hello Time + 1.0 second)
Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 (Optional) Run:
stp process process-id
The MSTP process view is displayed.
NOTE
This step is needed only when you perform configurations in an MSTP process with a non-zero ID. If you
perform configurations in the MSTP process 0, skip this step.
Step 3 Set Forward Delay, Hello Time, and Max Age.
1. Run:
stp timer forward-delay forward-delay
The value of Forward Delay of the switching device is set.
By default, the value of Forward Delay of the switching device is 1500 centiseconds.
2. Run:
stp timer hello hello-time
The value of Hello Time of the switching device is set.
By default, the value of Hello Time of the switching device is 200 centiseconds.
3. Run:
stp timer max-age max-age
The value of Max Age of the switching device is set.
By default, the value of Max Age of the switching device is 2000 centiseconds.
Step 4 Run:
commit
The configuration is committed.
----End
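The following Python sketch is an added example, not part of the Huawei guide. It reads the stp timer and stp timer-factor commands from a configuration snippet, applies the defaults stated above, and checks the two CAUTION inequalities and the timeout interval formula. The function names and the sample snippets are constructed for illustration.

```python
import re

# Defaults stated in this guide, in centiseconds. The default timeout is
# 9 x Hello Time, which corresponds to a timer factor of 3 in the formula
# timeout = Hello Time x 3 x Timer Factor.
DEFAULTS = {"forward-delay": 1500, "hello": 200, "max-age": 2000, "timer-factor": 3}

TIMER_RE = re.compile(r"^\s*stp timer (forward-delay|hello|max-age) (\d+)\s*$")
FACTOR_RE = re.compile(r"^\s*stp timer-factor (\d+)\s*$")

ONE_SECOND_CS = 100  # the CAUTION formulas use seconds; the commands use centiseconds


def parse_stp_timers(config_text):
    """Return the effective timer values for one MSTP process.

    Values that are not set in the snippet fall back to DEFAULTS.
    """
    timers = dict(DEFAULTS)
    for line in config_text.splitlines():
        m = TIMER_RE.match(line)
        if m:
            timers[m.group(1)] = int(m.group(2))
            continue
        m = FACTOR_RE.match(line)
        if m:
            timers["timer-factor"] = int(m.group(1))
    return timers


def check_stp_timers(timers):
    """Apply the two CAUTION inequalities.

    Returns (violations, timeout_cs), where timeout_cs is the BPDU timeout
    interval in centiseconds.
    """
    fd = timers["forward-delay"]
    hello = timers["hello"]
    max_age = timers["max-age"]
    violations = []
    # 2 x (Forward Delay - 1.0 second) >= Max Age
    if 2 * (fd - ONE_SECOND_CS) < max_age:
        violations.append("forward-delay-vs-max-age")
    # Max Age >= 2 x (Hello Time + 1.0 second)
    if max_age < 2 * (hello + ONE_SECOND_CS):
        violations.append("max-age-vs-hello")
    timeout_cs = hello * 3 * timers["timer-factor"]
    return violations, timeout_cs


# Constructed sample inputs (not taken from a real device).
TUNED_OK = """\
stp timer hello 200
stp timer-factor 5
"""

TUNED_BAD = """\
stp timer forward-delay 600
stp timer hello 1000
stp timer max-age 2000
"""

if __name__ == "__main__":
    for name, text in (("TUNED_OK", TUNED_OK), ("TUNED_BAD", TUNED_BAD)):
        problems, timeout_cs = check_stp_timers(parse_stp_timers(text))
        print(name, "timeout:", timeout_cs / 100, "s,", problems or "ok")
```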
6.6.4 Setting the Maximum Number of Connections That Affect
Spanning Tree Calculation
Context
The interface path cost affects spanning tree calculation. When the path cost changes, the system
performs spanning tree recalculation. The interface path cost is affected by the bandwidth, so
you can change the interface bandwidth to affect spanning tree calculation.
As shown in Figure 6-7, deviceA and deviceB are connected through two Eth-Trunks. Eth-Trunk
1 has three member interfaces in Up state and Eth-Trunk 2 has two member interfaces in Up
state. If each member link has the same bandwidth, deviceA is selected as the root bridge.
l Eth-Trunk 1 has larger bandwidth than Eth-Trunk 2. After STP calculation, Eth-Trunk 1
on deviceB is selected as the root port and Eth-Trunk 2 is selected as the alternate port.
l If the maximum number of connections is 1 in Eth-Trunk 1, the path cost of Eth-Trunk 1
is larger than the path cost of Eth-Trunk 2. The system performs spanning tree recalculation.
Then Eth-Trunk 1 on deviceB becomes the alternate port and Eth-Trunk 2 becomes the
root port.
Figure 6-7 Setting the maximum number of connections
[Figure: SwitchA (root bridge) and SwitchB connected through Eth-Trunk1 and Eth-Trunk2, shown before and after configuration, with the designated port, root port, and alternate port labeled.]
NOTE
The maximum number of connections affects only the link cost of an interface where spanning tree
calculation is performed, but does not affect the actual link bandwidth. The actual bandwidth for an Eth-
Trunk to forward traffic depends on the number of active interfaces.
Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
interface eth-trunk trunk-id
The Eth-Trunk interface view is displayed.
Step 3 Run:
max bandwidth-affected-linknumber link-number
The maximum number of connections is set.
By default, the upper threshold for the number of interfaces that determine the bandwidth of an
Eth-Trunk is 16.
Step 4 Run:
commit
The configuration is committed.
----End
6.6.5 Setting the Link Type of a Port
Context
It is easy to implement rapid convergence on a P2P link. If the two ports connected to a P2P link
are root or designated ports, the ports can transit to the forwarding state quickly by sending
Proposal and Agreement packets. This reduces the forwarding delay.
Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
interface interface-type interface-number
The view of the Ethernet interface participating in STP calculation is displayed.
Step 3 Run:
stp point-to-point { auto | force-false | force-true }
The link type is configured for the interface.
By default, an interface automatically determines whether it is connected to a P2P link. The P2P link
supports rapid network convergence.
Step 4 Run:
commit
The configuration is committed.
----End
6.6.6 Setting the Maximum Transmission Rate of an Interface
Context
A larger value of packet-number indicates more BPDUs sent in a hello interval and therefore
more system resources occupied. Setting the proper value of packet-number prevents excess
bandwidth usage when route flapping occurs.
Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
interface interface-type interface-number
The view of the Ethernet interface participating in STP calculation is displayed.
Step 3 Run:
stp transmit-limit packet-number
The maximum number of BPDUs sent by a port in a specified period is set.
By default, the maximum number of BPDUs that a port sends within each Hello time is .
Step 4 Run:
commit
The configuration is committed.
----End
6.6.7 Switching to the MSTP Mode
Context
If an interface on an MSTP-enabled device is connected to an STP-enabled device, the interface
switches to the STP compatible mode.
If the STP-enabled device is powered off or disconnected from the MSTP-enabled device, the
interface cannot switch to the MSTP mode. In this case, you can switch the interface to the MSTP
mode by using the stp mcheck command.
In the following cases, you need to manually switch the interface back to the MSTP mode:
l The STP-enabled device is shut down or disconnected.
l The STP-enabled device is switched to the MSTP mode.
Procedure
l Switching to the MSTP mode in the interface view
1. Run:
system-view
The system view is displayed.
2. Run:
interface interface-type interface-number
The view of the Ethernet interface that participates in spanning tree calculation is
displayed.
3. Run:
stp mcheck
The device is switched to the MSTP mode.
4. Run:
commit
The configuration is committed.
l Switching to the MSTP mode in the system view
1. Run:
system-view
The system view is displayed.
2. (Optional) Run:
stp process process-id
The MSTP process view is displayed.
NOTE
This step is needed only when you perform configurations in an MSTP process with a non-
zero ID. If you perform configurations in the MSTP process 0, skip this step.
3. Run:
stp mcheck
The device is switched to the MSTP mode.
4. Run:
commit
The configuration is committed.
----End
6.6.8 Configuring a Port as an Edge Port and BPDU Filter Port
Context
If a designated port is located at the edge of a network and is directly connected to terminal
devices, this port is called an edge port.
An edge port does not receive or process configuration BPDUs and does not participate in MSTP
calculation. It can transit from Disable to Forwarding without any delay.
After a designated port is configured as an edge port, the port can still send BPDUs. Then BPDUs
are sent to other networks, causing flapping of other networks. You can configure a port as an
edge port and BPDU filter port so that the port does not process or send BPDUs.
CAUTION
After all ports are configured as edge ports and BPDU filter ports in the system view, none of
the ports on the device send BPDUs or negotiate the STP status with directly connected ports on
the peer device. All ports are in forwarding state. This may cause loops on the network, leading
to broadcast storms. Exercise caution when you configure a port as an edge port and BPDU filter
port.
After a port is configured as an edge port and BPDU filter port in the interface view, the port
does not process or send BPDUs. The port cannot negotiate the STP status with the directly
connected port on the peer device. Exercise caution when you configure a port as an edge port
and BPDU filter port.
Procedure
l Configuring all ports as edge ports and BPDU filter ports in the system view
1. Run:
system-view
The system view is displayed.
2. Run:
stp edged-port default
All ports are configured as edge ports.
By default, all ports are non-edge ports.
3. Run:
stp bpdu-filter default
All ports are configured as BPDU filter ports.
By default, a port is a non-BPDU filter port.
4. Run:
commit
The configuration is committed.
l Configuring a port as an edge port and BPDU filter port in the interface view
1. Run:
system-view
The system view is displayed.
2. Run:
interface interface-type interface-number
The view of the Ethernet interface that participates in spanning tree calculation is
displayed.
3. (Optional) Run:
stp edged-port enable
The port is configured as an edge port.
By default, all ports are non-edge ports.
4. Run:
stp bpdu-filter enable
The port is configured as a BPDU filter port.
By default, a port is a non-BPDU filter port.
5. Run:
commit
The configuration is committed.
----End
6.6.9 Setting the Maximum Number of Hops in an MST Region
Context
Switching devices on a Layer 2 network running MSTP communicate with each other by
exchanging MST BPDUs. An MST BPDU has a field that indicates the number of remaining
hops.
l The number of remaining hops in a BPDU sent by the root switching device equals the
maximum number of hops.
l The number of remaining hops in a BPDU sent by a non-root switching device equals the
maximum number of hops minus the number of hops from the non-root switching device
to the root switching device.
l If a switching device receives a BPDU in which the number of remaining hops is 0, the
switching device will discard the BPDU.
Therefore, the maximum number of hops of a spanning tree in an MST region determines the
network scale. The stp max-hops command can be used to set the maximum number of hops
in an MST domain so that the network scale of a spanning tree can be controlled.
Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 (Optional) Run:
stp process process-id
The MSTP process view is displayed.
NOTE
This step is needed only when you perform configurations in an MSTP process with a non-zero ID. If you
perform configurations in the MSTP process 0, skip this step.
Step 3 Run:
stp max-hops hop
The maximum number of hops in an MST region is set.
By default, the maximum number of hops of the spanning tree in an MST region is 20.
Step 4 Run:
commit
The configuration is committed.
----End
6.6.10 Checking the Configuration
Procedure
l Run the display stp [ process process-id ] [ instance instance-id ] [ interface interface-
type interface-number | slot slot-id ] [ brief ] command to view spanning-tree status and
statistics.
----End
6.7 Configuring MSTP Protection Functions
This section describes how to configure MSTP protection functions. You can configure one or
more functions.
Pre-configuration Tasks
Before configuring MSTP protection functions, complete the following task:
l Configuring MSTP or MSTP multi-process
6.7.1 Configuring BPDU Protection on a Switching Device
Context
Edge ports are directly connected to user terminals and will not receive BPDUs. Attackers may
send pseudo BPDUs to attack the switching device. If the edge ports receive the BPDUs, the
switching device configures the edge ports as non-edge ports and triggers a new spanning tree
calculation. Network flapping then occurs. BPDU protection can be used to protect switching
devices against malicious attacks.
After BPDU protection is enabled on a switching device, the switching device shuts down an
edge port if the edge port receives a BPDU, and notifies the NMS of the shutdown event.
Perform the following steps on a switching device that has an edge port.
Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 (Optional) Run:
stp process process-id
The MSTP process view is displayed.
NOTE
This step is needed only when you perform configurations in an MSTP process with a non-zero ID. If you
perform configurations in the MSTP process 0, skip this step.
Step 3 Run:
stp bpdu-protection
BPDU protection is enabled on the switching device.
By default, BPDU protection is not enabled on the switching device.
Step 4 Run:
commit
The configuration is committed.
----End
Follow-up Procedure
To allow an edge port to automatically go Up after it enters the error-down state, you can run the error-down
auto-recovery cause bpdu-protection interval interval-value command to configure the auto
recovery function and set the delay on the port. After the delay expires, the port automatically
goes Up. Note the following when setting this parameter:
l By default, the auto recovery function is disabled, so there is no delay. When you enable
the auto recovery function, you must specify the recovery delay.
l The smaller the interval-value is, the less time it takes for the edge port to go Up, and the
more frequently the edge port alternates between Up and Down.
l The larger the interval-value is, the longer it takes for the edge port to go Up, and the longer
the service interruption lasts.
l The auto recovery function takes effect only for the interface that transitions to the error
down state after the error-down auto-recovery command is executed.
6.7.2 Configuring TC Protection on a Switching Device
Context
If attackers forge TC-BPDUs to attack the switching device, the switching device receives a
large number of TC-BPDUs within a short time. If MAC address entries and ARP entries are
deleted frequently, the switching device is heavily burdened, causing potential risks to the
network.
TC protection is used to suppress TC BPDUs. You can configure the number of times a switching
device processes TC BPDUs within a given time period. If the number of TC BPDUs that the
switching device receives within a given time exceeds the specified threshold, the switching
device processes only the specified number of TC BPDUs. After the specified time period
expires, the device processes the excess TC BPDUs once. This function prevents the
switching device from frequently deleting MAC entries and ARP entries, saving CPU resources.
Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 (Optional) Run:
stp process process-id
The MSTP process view is displayed.
NOTE
This step is needed only when you perform configurations in an MSTP process with a non-zero ID. If you
perform configurations in the MSTP process 0, skip this step.
Step 3 Run:
stp tc-protection
TC protection is enabled for the MSTP process.
By default, TC protection is not enabled on the switching device.
Step 4 Run:
stp tc-protection threshold threshold
The number of times the MSTP process handles the received TC BPDUs and updates forwarding
entries within a given time is set.
Step 5 Run:
commit
The configuration is committed.
----End
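The suppression behavior described in the Context of this section can be modeled as follows. This Python sketch is an added example, not Huawei code. It assumes the time period starts at the first TC BPDU received and takes the period length as a parameter, because this guide does not state it. Times are integers in milliseconds, and the arrival lists are constructed.

```python
def tc_flush_times(arrivals_ms, threshold, period_ms):
    """Model TC protection for one MSTP process.

    arrivals_ms: times at which TC BPDUs are received
    threshold:   value set with 'stp tc-protection threshold threshold'
    period_ms:   length of the protection period (assumed parameter)

    Returns the times at which MAC and ARP entries are flushed: the first
    'threshold' TC BPDUs in a period are handled on arrival, and all excess
    TC BPDUs in that period are handled once when the period expires.
    """
    if threshold < 1 or period_ms < 1:
        raise ValueError("threshold and period_ms must be positive")

    flushes = []
    window_start = None   # start time of the current period, None if idle
    handled = 0           # TC BPDUs handled immediately in this period
    deferred = False      # True if excess TC BPDUs are waiting

    for t in sorted(arrivals_ms):
        # Close the current period if it expired before this arrival.
        if window_start is not None and t >= window_start + period_ms:
            if deferred:
                flushes.append(window_start + period_ms)
            window_start = None
        # The first TC BPDU after an idle phase opens a new period.
        if window_start is None:
            window_start, handled, deferred = t, 0, False
        if handled < threshold:
            handled += 1
            flushes.append(t)
        else:
            deferred = True

    # Excess TC BPDUs of the last period are handled when it expires.
    if window_start is not None and deferred:
        flushes.append(window_start + period_ms)
    return flushes


# Constructed inputs: a forged flood of one TC BPDU every 10 ms for one
# second, and three widely spaced topology changes.
FLOOD = list(range(0, 1000, 10))
SPARSE = [0, 5000, 10000]

if __name__ == "__main__":
    print("flood, unprotected flushes:", len(FLOOD))
    print("flood, protected flushes:  ", tc_flush_times(FLOOD, 3, 2000))
    print("sparse, protected flushes: ", tc_flush_times(SPARSE, 3, 2000))
```

With the flood input, 100 received TC BPDUs result in four flushes, while the widely spaced topology changes are each handled on arrival.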
6.7.3 Configuring Root Protection on an Interface
Context
Due to incorrect configurations or malicious attacks on the network, a root bridge may receive
BPDUs with a higher priority. Consequently, the legitimate root bridge is no longer able to serve
as the root bridge and the network topology is changed, triggering spanning tree recalculation.
This also may cause the traffic that should be transmitted over high-speed links to be transmitted
over low-speed links, leading to network congestion. The root protection function on a switching
device is used to protect the root bridge by preserving the role of the designated port.
NOTE
Root protection takes effect only on designated ports.
Perform the following steps on the root bridge in an MST region.
Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
interface interface-type interface-number
The view of the Ethernet interface participating in STP calculation is displayed.
Step 3 (Optional) Run:
stp binding process process-id
The port is bound to an MSTP process.
NOTE
This step is performed only when the interface needs to be bound to an MSTP process with a non-zero ID.
If the interface belongs to process 0, skip this step.
Step 4 Run:
stp root-protection
Root protection is configured on the switching device.
By default, root protection is disabled.
Step 5 Run:
commit
The configuration is committed.
----End
6.7.4 Configuring Loop Protection on an Interface
Context
On a network running MSTP, a switching device maintains the root port status and status of
blocked ports by receiving BPDUs from an upstream switching device. If the switching device
cannot receive BPDUs from the upstream device because of link congestion or unidirectional-
link failure, the switching device re-selects a root port. The original root port becomes a
designated port and the original blocked ports change to the Forwarding state. This switching
may cause network loops, which can be mitigated by configuring loop protection.
After loop protection is configured, if the root port or alternate port does not receive BPDUs
from the upstream switching device, the root port is blocked and the switching device notifies
the NMS that the port enters the Discarding state. The blocked port remains in the Blocked state
and no longer forwards packets. This function helps prevent loops on the network. The root port
or alternate port transitions to the Forwarding state after receiving new BPDUs.
NOTE
An alternate port is a backup port for a root port. If a switching device has an alternate port, you need to
configure loop protection on both the root port and the alternate port.
Perform the following steps on the root port and alternate port on a switching device in an MST
region.
Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
interface interface-type interface-number
The Ethernet interface view is displayed.
Step 3 (Optional) Run:
stp binding process process-id
The port is bound to an MSTP process.
NOTE
This step is performed only when the interface needs to be bound to an MSTP process with a non-zero ID.
If the interface belongs to process 0, skip this step.
Step 4 Run:
stp loop-protection
Loop protection for the root port is configured on the switching device.
By default, loop protection is disabled.
Root protection and loop protection cannot be configured simultaneously.
Step 5 Run:
commit
The configuration is committed.
----End
6.7.5 Configuring Share-Link Protection on a Switching Device
Context
Share-link protection is used in the scenario where a switching device is dual homed to a network.
When a share link fails, share-link protection forcibly changes the working mode of a local
switching device to RSTP. This function can also be used together with root protection to avoid
network loops.
Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
stp process process-id
The MSTP process view is displayed.
NOTE
This step is needed only when you perform configurations in an MSTP process with a non-zero ID. If you
perform configurations in the MSTP process 0, skip this step.
Step 3 Run:
stp link-share-protection
Share-link protection is enabled.
Step 4 Run:
commit
The configuration is committed.
----End
6.7.6 Checking the Configuration
Procedure
l Run the display stp [ process process-id ] [ instance instance-id ] [ interface interface-type
interface-number | slot slot-id ] [ brief ] command to view spanning-tree status and statistics.
----End
6.8 Configuring MSTP Interoperability Between Huawei
Devices and Non-Huawei Devices
To communicate with a non-Huawei device, set proper parameters on the MSTP-enabled
Huawei device.
6.8.1 Configuring a Proposal/Agreement Mechanism
Context
The rapid transition mechanism is also called the Proposal/Agreement mechanism. All switching
devices support the following modes:
l Enhanced mode: The current interface counts the root port when it computes the
synchronization flag bit.
An upstream device sends a Proposal message to a downstream device, requesting rapid
status transition. After receiving the message, the downstream device sets the port
connected to the upstream device as a root port and blocks all non-edge ports.
The upstream device then sends an Agreement message to the downstream device. After
the downstream device receives the message, the root port transitions to the Forwarding
state.
The downstream device responds to the Proposal message with an Agreement message.
After receiving the message, the upstream device sets the port connected to the
downstream device as a designated port, and the designated port transitions to the
Forwarding state.
l Common mode: The current interface ignores the root port when it computes the
synchronization flag bit.
An upstream device sends a Proposal message to a downstream device, requesting rapid
status transition. After receiving the message, the downstream device sets the port
connected to the upstream device as a root port and blocks all non-edge ports. The root
port then transitions to the Forwarding state.
The downstream device responds to the Proposal message with an Agreement message.
After receiving the message, the upstream device sets the port connected to the
downstream device as a designated port. The designated port then transitions to the
Forwarding state.
When Huawei devices are connected to non-Huawei devices, select the same mode as that used
on non-Huawei devices.
Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
interface interface-type interface-number
The Ethernet interface view is displayed.
Step 3 Run:
stp no-agreement-check
The common rapid transition mechanism is configured.
By default, the interface uses the enhanced rapid transition mechanism.
Step 4 Run:
commit
The configuration is committed.
----End
6.8.2 Configuring the MSTP Protocol Packet Format on an Interface
Context
MSTP protocol packets have two formats: dot1s (IEEE 802.1s standard packets) and legacy
(proprietary protocol packets).
You can specify the packet format and use the auto mode. In auto mode, the switching device
switches the MSTP protocol packet format based on the received MSTP protocol packet format
so that the switching device can communicate with the peer device.
Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
interface interface-type interface-number
The Ethernet interface view is displayed.
Step 3 Run:
stp compliance { auto | dot1s | legacy }
The MSTP protocol packet format is configured on the interface.
The auto mode is used by default.
Step 4 Run:
commit
The configuration is committed.
----End
6.8.3 Enabling the Digest Snooping Function
Context
Interconnected Huawei and non-Huawei devices cannot communicate with each other if they
have the same region name, revision number, and VLAN-to-instance mappings but different
BPDU keys. To address this problem, enable the digest snooping function on the Huawei device.
Perform the following steps on a switching device in an MST region to enable the digest snooping
function.
Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
interface interface-type interface-number
The Ethernet interface view is displayed.
Step 3 Run:
stp config-digest-snoop
The digest snooping function is enabled.
Step 4 Run:
commit
The configuration is committed.
----End
6.8.4 Checking the Configuration
Procedure
l Run the display stp [ process process-id ] [ instance instance-id ] [ interface interface-type
interface-number | slot slot-id ] [ brief ] command to view spanning-tree status and statistics.
----End
6.9 Maintaining MSTP
This section describes how to maintain MSTP.
6.9.1 Clearing MSTP Statistics
Context
CAUTION
MSTP statistics cannot be restored after being cleared.
Procedure
l Run the reset stp [ interface interface-type interface-number ] statistics command to clear
spanning-tree statistics.
l Run the reset stp error packet statistics command to clear the statistics of error STP packets.
----End
6.10 Configuration Examples
This section provides several configuration examples of MSTP.
6.10.1 Example for Configuring MSTP
Networking Requirements
On a complex network, to implement redundancy, network designers tend to deploy multiple
physical links between two devices, one of which is the master and the others are the backup.
As a result, loops may occur, causing broadcast storms or damaging MAC address entries. After
the network designer plans a network, you can deploy MSTP on the network to prevent loops.
MSTP blocks redundant links and prunes a network into a tree topology free from loops.
As shown in Figure 6-8, SwitchA, SwitchB, SwitchC, and SwitchD run MSTP. To load balance
traffic from VLANs 2 to 20 and VLANs 11 to 20, use MSTP multi-instance. You can configure
a VLAN mapping table to associate VLANs with MSTIs.
Figure 6-8 Networking diagram of MSTP configuration
[Figure: devices SwitchA, SwitchB, SwitchC, SwitchD, Server1, and Server2; MST region RG1; Network; interfaces 10GE1/0/1, 10GE1/0/2, and 10GE1/0/3. Legend: MSTI1 carries VLAN2~10 with root switch SwitchA and one blocked port; MSTI2 carries VLAN11~20 with root switch SwitchB and one blocked port.]

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure basic MSTP functions on the switching device on the ring network.
2. Configure protection functions to protect devices or links. You can configure root
protection on the designated port of the root bridge.
3. Configure Layer 2 forwarding.
Procedure
Step 1 Configure basic MSTP functions.
1. Configure SwitchA, SwitchB, SwitchC, and SwitchD in the same MST region named
RG1 and create MSTI 1 and MSTI 2.
NOTE
Two switching devices belong to the same MST region when they have the same:
l Name of the MST region
l Mapping between VLANs and MSTIs
l Revision level of the MST region
# Configure an MST region on SwitchA.
<HUAWEI> system-view
[~HUAWEI] sysname SwitchA
[~HUAWEI] commit
[~SwitchA] stp region-configuration
[~SwitchA-mst-region] region-name RG1
[~SwitchA-mst-region] instance 1 vlan 2 to 10
[~SwitchA-mst-region] instance 2 vlan 11 to 20
[~SwitchA-mst-region] commit
[~SwitchA-mst-region] quit
# Configure an MST region on SwitchB.
<HUAWEI> system-view
[~HUAWEI] sysname SwitchB
[~HUAWEI] commit
[~SwitchB] stp region-configuration
[~SwitchB-mst-region] region-name RG1
[~SwitchB-mst-region] instance 1 vlan 2 to 10
[~SwitchB-mst-region] instance 2 vlan 11 to 20
[~SwitchB-mst-region] commit
[~SwitchB-mst-region] quit
# Configure an MST region on SwitchC.
<HUAWEI> system-view
[~HUAWEI] sysname SwitchC
[~HUAWEI] commit
[~SwitchC] stp region-configuration
[~SwitchC-mst-region] region-name RG1
[~SwitchC-mst-region] instance 1 vlan 2 to 10
[~SwitchC-mst-region] instance 2 vlan 11 to 20
[~SwitchC-mst-region] commit
[~SwitchC-mst-region] quit
# Configure an MST region on SwitchD.
<HUAWEI> system-view
[~HUAWEI] sysname SwitchD
[~HUAWEI] commit
[~SwitchD] stp region-configuration
[~SwitchD-mst-region] region-name RG1
[~SwitchD-mst-region] instance 1 vlan 2 to 10
[~SwitchD-mst-region] instance 2 vlan 11 to 20
[~SwitchD-mst-region] commit
[~SwitchD-mst-region] quit
2. In the MST region RG1, configure the root bridge and secondary root bridge in MSTI 1
and MSTI 2.
l Configure the root bridge and secondary root bridge in MSTI 1.
# Configure SwitchA as the root bridge in MSTI 1.
[~SwitchA] stp instance 1 root primary
[~SwitchA] commit
# Configure SwitchB as the secondary root bridge in MSTI 1.
[~SwitchB] stp instance 1 root secondary
[~SwitchB] commit
l Configure the root bridge and secondary root bridge in MSTI 2.
# Configure SwitchB as the root bridge in MSTI 2.
[~SwitchB] stp instance 2 root primary
[~SwitchB] commit
# Configure SwitchA as the secondary root bridge in MSTI 2.
[~SwitchA] stp instance 2 root secondary
[~SwitchA] commit
3. Set the path costs of the ports to be blocked in MSTI 1 and MSTI 2 to be greater than the
default value.
NOTE
l The values of path costs depend on path cost calculation methods. This example uses the Huawei
proprietary calculation method as an example to set the path costs of the ports to be blocked to
20000.
l All switching devices on a network must use the same path cost calculation method.
# Configure SwitchA to use the Huawei private algorithm to calculate the path cost.
[~SwitchA] stp pathcost-standard legacy
[~SwitchA] commit
# Configure SwitchB to use the Huawei private algorithm to calculate the path cost.
[~SwitchB] stp pathcost-standard legacy
[~SwitchB] commit
# Configure SwitchC to use the Huawei private algorithm to calculate the path cost, and set
the path cost of 10GE1/0/2 in MSTI 2 to 20000.
[~SwitchC] stp pathcost-standard legacy
[~SwitchC] interface 10ge 1/0/2
[~SwitchC-10GE1/0/2] stp instance 2 cost 20000
[~SwitchC-10GE1/0/2] commit
[~SwitchC-10GE1/0/2] quit
# Configure SwitchD to use the Huawei private algorithm to calculate the path cost, and set
the path cost of 10GE1/0/2 in MSTI 1 to 20000.
[~SwitchD] stp pathcost-standard legacy
[~SwitchD] interface 10ge 1/0/2
[~SwitchD-10GE1/0/2] stp instance 1 cost 20000
[~SwitchD-10GE1/0/2] commit
[~SwitchD-10GE1/0/2] quit
4. Enable MSTP to eliminate loops.
l Enable MSTP globally.
# Enable MSTP on SwitchA.
[~SwitchA] stp enable
[~SwitchA] commit
# Enable MSTP on SwitchB.
[~SwitchB] stp enable
[~SwitchB] commit
# Enable MSTP on SwitchC.
[~SwitchC] stp enable
[~SwitchC] commit
# Enable MSTP on SwitchD.
[~SwitchD] stp enable
[~SwitchD] commit
l Disable MSTP on the interface connected to the terminal.
# Disable STP on 10GE1/0/1 of SwitchC.
[~SwitchC] interface 10ge 1/0/1
[~SwitchC-10GE1/0/1] stp disable
[~SwitchC-10GE1/0/1] commit
[~SwitchC-10GE1/0/1] quit
# Disable STP on 10GE1/0/1 of SwitchD.
[~SwitchD] interface 10ge 1/0/1
[~SwitchD-10GE1/0/1] stp disable
[~SwitchD-10GE1/0/1] commit
[~SwitchD-10GE1/0/1] quit
Step 2 Configure root protection on the designated port of the root bridge.
# Enable root protection on 10GE1/0/1 of SwitchA.
[~SwitchA] interface 10ge 1/0/1
[~SwitchA-10GE1/0/1] stp root-protection
[~SwitchA-10GE1/0/1] commit
[~SwitchA-10GE1/0/1] quit
# Enable root protection on 10GE1/0/1 of SwitchB.
[~SwitchB] interface 10ge 1/0/1
[~SwitchB-10GE1/0/1] stp root-protection
[~SwitchB-10GE1/0/1] commit
[~SwitchB-10GE1/0/1] quit
Step 3 Configure Layer 2 forwarding on devices on the ring network.
l Create VLANs 2 to 20 on SwitchA, SwitchB, SwitchC, and SwitchD.
# Create VLANs 2 to 20 on SwitchA.
[~SwitchA] vlan batch 2 to 20
[~SwitchA] commit
# Create VLANs 2 to 20 on SwitchB.
[~SwitchB] vlan batch 2 to 20
[~SwitchB] commit
# Create VLANs 2 to 20 on SwitchC.
[~SwitchC] vlan batch 2 to 20
[~SwitchC] commit
# Create VLANs 2 to 20 on SwitchD.
[~SwitchD] vlan batch 2 to 20
[~SwitchD] commit
l Add ports on switching devices to VLANs.
# Add 10GE1/0/1 on SwitchA to a VLAN.
[~SwitchA] interface 10ge 1/0/1
[~SwitchA-10GE1/0/1] port link-type trunk
[~SwitchA-10GE1/0/1] port trunk allow-pass vlan 2 to 20
[~SwitchA-10GE1/0/1] commit
[~SwitchA-10GE1/0/1] quit
# Add 10GE1/0/2 on SwitchA to a VLAN.
[~SwitchA] interface 10ge 1/0/2
[~SwitchA-10GE1/0/2] port link-type trunk
[~SwitchA-10GE1/0/2] port trunk allow-pass vlan 2 to 20
[~SwitchA-10GE1/0/2] commit
[~SwitchA-10GE1/0/2] quit
# Add 10GE1/0/1 on SwitchB to a VLAN.
[~SwitchB] interface 10ge 1/0/1
[~SwitchB-10GE1/0/1] port link-type trunk
[~SwitchB-10GE1/0/1] port trunk allow-pass vlan 2 to 20
[~SwitchB-10GE1/0/1] commit
[~SwitchB-10GE1/0/1] quit
# Add 10GE1/0/2 on SwitchB to a VLAN.
[~SwitchB] interface 10ge 1/0/2
[~SwitchB-10GE1/0/2] port link-type trunk
[~SwitchB-10GE1/0/2] port trunk allow-pass vlan 2 to 20
[~SwitchB-10GE1/0/2] commit
[~SwitchB-10GE1/0/2] quit
# Add 10GE1/0/1 on SwitchC to a VLAN.
[~SwitchC] interface 10ge 1/0/1
[~SwitchC-10GE1/0/1] port link-type access
[~SwitchC-10GE1/0/1] port default vlan 2
[~SwitchC-10GE1/0/1] commit
[~SwitchC-10GE1/0/1] quit
# Add 10GE1/0/2 on SwitchC to a VLAN.
[~SwitchC] interface 10ge 1/0/2
[~SwitchC-10GE1/0/2] port link-type trunk
[~SwitchC-10GE1/0/2] port trunk allow-pass vlan 2 to 20
[~SwitchC-10GE1/0/2] commit
[~SwitchC-10GE1/0/2] quit
# Add 10GE1/0/3 on SwitchC to a VLAN.
[~SwitchC] interface 10ge 1/0/3
[~SwitchC-10GE1/0/3] port link-type trunk
[~SwitchC-10GE1/0/3] port trunk allow-pass vlan 2 to 20
[~SwitchC-10GE1/0/3] commit
[~SwitchC-10GE1/0/3] quit
# Add 10GE1/0/1 on SwitchD to a VLAN.
[~SwitchD] interface 10ge 1/0/1
[~SwitchD-10GE1/0/1] port link-type access
[~SwitchD-10GE1/0/1] port default vlan 11
[~SwitchD-10GE1/0/1] commit
[~SwitchD-10GE1/0/1] quit
# Add 10GE1/0/2 on SwitchD to a VLAN.
[~SwitchD] interface 10ge 1/0/2
[~SwitchD-10GE1/0/2] port link-type trunk
[~SwitchD-10GE1/0/2] port trunk allow-pass vlan 2 to 20
[~SwitchD-10GE1/0/2] commit
[~SwitchD-10GE1/0/2] quit
# Add 10GE1/0/3 on SwitchD to a VLAN.
[~SwitchD] interface 10ge 1/0/3
[~SwitchD-10GE1/0/3] port link-type trunk
[~SwitchD-10GE1/0/3] port trunk allow-pass vlan 2 to 20
[~SwitchD-10GE1/0/3] commit
[~SwitchD-10GE1/0/3] quit
Step 4 Verify the configuration.
After the preceding configurations are complete and the network topology becomes stable,
perform the following operations to verify the configuration.
# Run the display stp brief command on SwitchA to view the status and protection type on the
ports. The displayed information is as follows:
[~SwitchA] display stp brief
MSTID Port Role STP State Protection Cost Edged
0 10GE1/0/1 DESI FORWARDING ROOT 2 DISABLE
0 10GE1/0/2 DESI FORWARDING NONE 2 DISABLE
1 10GE1/0/1 DESI FORWARDING ROOT 2 DISABLE
1 10GE1/0/2 DESI FORWARDING NONE 2 DISABLE
2 10GE1/0/1 DESI FORWARDING ROOT 2 DISABLE
2 10GE1/0/2 ROOT FORWARDING NONE 2 DISABLE
# Run the display stp brief command on SwitchB. The displayed information is as follows:
[~SwitchB] display stp brief
MSTID Port Role STP State Protection Cost Edged
0 10GE1/0/1 DESI FORWARDING ROOT 2 DISABLE
0 10GE1/0/2 ROOT FORWARDING NONE 2 DISABLE
1 10GE1/0/1 DESI FORWARDING ROOT 2 DISABLE
1 10GE1/0/2 ROOT FORWARDING NONE 2 DISABLE
2 10GE1/0/1 DESI FORWARDING ROOT 2 DISABLE
2 10GE1/0/2 DESI FORWARDING NONE 2 DISABLE
In MSTI 2, 10GE1/0/1 and 10GE1/0/2 are designated ports because SwitchB is the root bridge.
In MSTI 1, 10GE1/0/1 on SwitchB is the designated port and 10GE1/0/2 is the root port.
# Run the display stp interface brief commands on SwitchC. The displayed information is as
follows:
[~SwitchC] display stp interface 10ge 1/0/3 brief
MSTID Port Role STP State Protection Cost Edged
0 10GE1/0/3 ROOT FORWARDING NONE 2 DISABLE
1 10GE1/0/3 ROOT FORWARDING NONE 2 DISABLE
2 10GE1/0/3 ROOT FORWARDING NONE 2 DISABLE
[~SwitchC] display stp interface 10ge 1/0/2 brief
MSTID Port Role STP State Protection Cost Edged
0 10GE1/0/2 DESI FORWARDING NONE 2 DISABLE
1 10GE1/0/2 DESI FORWARDING NONE 2 DISABLE
2 10GE1/0/2 ALTE DISCARDING NONE 20000 DISABLE
10GE1/0/3 on SwitchC is the root port in MSTI 1 and MSTI 2. 10GE1/0/2 on SwitchC is the
designated port in MSTI 1 but is blocked in MSTI 2.
# Run the display stp interface brief commands on SwitchD. The displayed information is as
follows:
[~SwitchD] display stp interface 10ge 1/0/3 brief
MSTID Port Role STP State Protection Cost Edged
0 10GE1/0/3 ALTE DISCARDING NONE 2 DISABLE
1 10GE1/0/3 ROOT FORWARDING NONE 2 DISABLE
2 10GE1/0/3 ROOT FORWARDING NONE 2 DISABLE
[~SwitchD] display stp interface 10ge 1/0/2 brief
MSTID Port Role STP State Protection Cost Edged
0 10GE1/0/2 ROOT FORWARDING NONE 2 DISABLE
1 10GE1/0/2 ALTE DISCARDING NONE 20000 DISABLE
2 10GE1/0/2 DESI FORWARDING NONE 2 DISABLE
10GE1/0/3 on SwitchD is the root port in MSTI 1 and MSTI 2. 10GE1/0/2 on SwitchD is the
blocked port in MSTI 1 and is the designated port in MSTI 2.
----End
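The verification step above can be automated. The following Python script is an added example, not part of the Huawei guide: it parses display stp brief output and reports root protection set on a non-designated port (where it has no effect), root or alternate ports with no protection, and instances in which a switch that should be the root bridge has acquired a root port. The finding names, the expected_root_of parameter, and the second sample are assumptions constructed for illustration.

```python
from collections import namedtuple

Row = namedtuple("Row", "mstid port role state protection cost edged")

# Output of `display stp brief` on SwitchA, copied from Step 4 above.
SWITCHA_BRIEF = """\
[~SwitchA] display stp brief
MSTID Port Role STP State Protection Cost Edged
0 10GE1/0/1 DESI FORWARDING ROOT 2 DISABLE
0 10GE1/0/2 DESI FORWARDING NONE 2 DISABLE
1 10GE1/0/1 DESI FORWARDING ROOT 2 DISABLE
1 10GE1/0/2 DESI FORWARDING NONE 2 DISABLE
2 10GE1/0/1 DESI FORWARDING ROOT 2 DISABLE
2 10GE1/0/2 ROOT FORWARDING NONE 2 DISABLE
"""

# Constructed sample (not from the guide): in MSTI 1 the unprotected port
# 10GE1/0/2 has become a root port although SwitchA should be the root bridge,
# and a hypothetical port 10GE1/0/3 has root protection while it is a root port.
SWITCHA_DRIFTED = """\
MSTID Port Role STP State Protection Cost Edged
1 10GE1/0/1 DESI FORWARDING ROOT 2 DISABLE
1 10GE1/0/2 ROOT FORWARDING NONE 2 DISABLE
1 10GE1/0/3 DESI FORWARDING ROOT 2 DISABLE
2 10GE1/0/1 DESI FORWARDING ROOT 2 DISABLE
2 10GE1/0/2 DESI FORWARDING NONE 2 DISABLE
2 10GE1/0/3 ROOT FORWARDING ROOT 2 DISABLE
"""


def parse_brief(text):
    """Return one Row per data line; prompt and header lines are skipped."""
    rows = []
    for line in text.splitlines():
        tok = line.split()
        # Data rows have exactly seven fields and start with the MSTI ID.
        if len(tok) == 7 and tok[0].isdigit():
            rows.append(Row(int(tok[0]), tok[1], tok[2], tok[3],
                            tok[4], int(tok[5]), tok[6]))
    return rows


def audit(rows, expected_root_of=()):
    """Return (finding, mstid, port) tuples.

    expected_root_of lists the MSTI IDs in which this switch is meant to be
    the root bridge; a root bridge has no root port in that instance.
    """
    findings = []
    for r in rows:
        # Root protection takes effect only on designated ports.
        if r.protection == "ROOT" and r.role != "DESI":
            findings.append(("ROOT_PROTECTION_NOT_ON_DESIGNATED", r.mstid, r.port))
        # Root and alternate ports depend on received BPDUs; with no
        # protection, BPDU loss can move them to Forwarding and form a loop.
        if r.role in ("ROOT", "ALTE") and r.protection == "NONE":
            findings.append(("UNPROTECTED_ROOT_OR_ALTERNATE", r.mstid, r.port))
    for mstid in expected_root_of:
        for r in rows:
            if r.mstid == mstid and r.role == "ROOT":
                findings.append(("ROOT_BRIDGE_DISPLACED", mstid, r.port))
    return findings


if __name__ == "__main__":
    for name, text in (("guide output", SWITCHA_BRIEF),
                       ("constructed drift", SWITCHA_DRIFTED)):
        print(name)
        for finding in audit(parse_brief(text), expected_root_of=(1,)):
            print("  %s MSTI %d %s" % finding)
```

Run against the SwitchA output from the guide, only the MSTI 2 root port is reported as unprotected; the constructed sample adds a displaced root bridge in MSTI 1 and an ineffective root-protection setting.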
Configuration Files
l Configuration file of SwitchA
#
sysname SwitchA
#
vlan batch 2 to 20
#
stp instance 1 root primary
stp instance 2 root secondary
stp pathcost-standard legacy
#
stp region-configuration
region-name RG1
instance 1 vlan 2 to 10
instance 2 vlan 11 to 20
#
interface 10GE1/0/1
port link-type trunk
port trunk allow-pass vlan 2 to 20
stp root-protection
#
interface 10GE1/0/2
port link-type trunk
port trunk allow-pass vlan 2 to 20
#
return
l Configuration file of SwitchB
#
sysname SwitchB
#
vlan batch 2 to 20
#
stp instance 1 root secondary
stp instance 2 root primary
stp pathcost-standard legacy
#
stp region-configuration
region-name RG1
instance 1 vlan 2 to 10
instance 2 vlan 11 to 20
#
interface 10GE1/0/1
port link-type trunk
port trunk allow-pass vlan 2 to 20
stp root-protection
#
interface 10GE1/0/2
port link-type trunk
port trunk allow-pass vlan 2 to 20
#
return
l Configuration file of SwitchC
#
sysname SwitchC
#
vlan batch 2 to 20
#
stp pathcost-standard legacy
#
stp region-configuration
region-name RG1
instance 1 vlan 2 to 10
instance 2 vlan 11 to 20
#
interface 10GE1/0/1
port default vlan 2
stp disable
#
interface 10GE1/0/2
port link-type trunk
port trunk allow-pass vlan 2 to 20
stp instance 2 cost 20000
#
interface 10GE1/0/3
port link-type trunk
port trunk allow-pass vlan 2 to 20
#
return
l Configuration file of SwitchD
#
sysname SwitchD
#
vlan batch 2 to 20
#
stp pathcost-standard legacy
#
stp region-configuration
region-name RG1
instance 1 vlan 2 to 10
instance 2 vlan 11 to 20
#
interface 10GE1/0/1
port default vlan 11
stp disable
#
interface 10GE1/0/2
port link-type trunk
port trunk allow-pass vlan 2 to 20
stp instance 1 cost 20000
#
interface 10GE1/0/3
port link-type trunk
port trunk allow-pass vlan 2 to 20
#
return
7 Loopback Detection Configuration
About This Chapter
Loopback detection can detect loops on the network connected to the device and reduce impacts
on the network.
7.1 Loopback Detection Overview
Loopback detection sends loopback detection packets periodically to detect loops on the network
connected to the device.
7.2 Default Configuration
This section describes default settings of loopback detection parameters.
7.3 Configuring Loopback Detection
Loopback detection can detect loops on the network connected to the device.
7.4 Configuration Examples
This section describes configuration examples of loopback detection including networking
requirements, configuration roadmap, and configuration procedure.
7.1 Loopback Detection Overview
Loopback detection sends loopback detection packets periodically to detect loops on the network
connected to the device.
When a loop occurs on a network, broadcast, multicast, and unknown unicast packets are
repeatedly transmitted on the network. This wastes network resources or even causes service
interruption on the entire network. To protect the network, certain actions should be taken on
the interface where the loop occurs, and the administrator needs to check the network connection
and configuration to solve the problem soon. Therefore, a mechanism is required on a Layer 2
network to detect loops and notify the administrator.
Loopback detection is such a mechanism. It sends detection packets from an interface at intervals
and checks whether the packets are sent back to the interface. If the packets are sent back, a
loopback occurs on the interface.
Figure 7-1 and Figure 7-2 show the application of loopback detection.
l TX-RX (RX indicates the receiving end, and TX indicates the sending end) self-loops occur
on an interface usually because optical fibers are connected incorrectly or the interface is
damaged by high voltage. As shown in Figure 7-1, self-loops may occur on the network
connected to a Switch interface. When a self-loop occurs, packets sent from the interface
are sent back to this interface. This causes traffic forwarding errors or MAC address
flapping on the interface.
Figure 7-1 Loopback detection application 1
[Figure: Switch; interface labels TX and RX]
l As shown in Figure 7-2, loops may occur on the network connected to a Switch interface.
When a loop occurs, packets sent from the interface are sent back to this interface.
Figure 7-2 Loopback detection application 2
[Figure: Switch]
You can configure loopback detection on the interface of the Switch in the preceding scenarios.
When a loopback is detected on the interface, the system sends an alarm. You can set the action
performed on an interface to error-down when a loopback is detected on the interface, or set
the time after which an interface in error-down state automatically recovers. Only users
connected to the interface on which a loopback is detected and which is in error-down state are
affected; other users connected to the Switch can still communicate.
NOTE
l Loopback detection cannot prevent loops on the entire network. It only detects loops on a single node.
l A large number of packets are sent during loopback detection, occupying CPU resources; therefore,
disable loopback detection if it is not required.
l Loopback detection cannot be configured on an Eth-Trunk or its member interfaces.
l You cannot enable loopback detection and the STP function simultaneously.
7.2 Default Configuration
This section describes default settings of loopback detection parameters.
Table 7-1 Default settings of loopback detection parameters
Parameter                                                          Default Setting
Loopback Detection                                                 Disabled
Action to perform on the interface after a loopback is detected    Alarm
Interval between sending loopback detection packets                5 seconds

7.3 Configuring Loopback Detection
Loopback detection can detect loops on the network connected to the device.
7.3.1 Enabling Loopback Detection
Context
An interface sends loopback detection packets to detect loopbacks only after loopback detection
is enabled on the interface.
If an interface has been added to VLANs in untagged mode, the interface sends one copy of the
untagged detection packet regardless of how many VLANs the interface has been added to. The
untagged detection packets will be discarded on the link, so loopback detection cannot be
performed on the network. In this situation, loopback detection must be configured in these
VLANs.
If an interface has been added to VLANs in tagged mode, loopback detection must be enabled
in specified VLANs, and the interface sends the loopback detection packets of the VLAN that
contains the interface and has loopback detection enabled.
After VLAN IDs are specified, the interface sends one copy of untagged loopback detection
packets and multiple copies of tagged loopback detection packets with the specified VLAN tags.
Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
interface interface-type interface-number
The interface view is displayed.
Step 3 Run:
loopback-detect enable
Loopback detection is enabled on the interface.
By default, loopback detection is disabled on an interface.
Step 4 (Optional) Run:
loopback-detect vlan { vlan-id1 [ to vlan-id2 ] } &<1-10>
A VLAN ID is specified for loopback detection packets.
By default, no VLAN ID is specified for loopback detection packets.
NOTE
The interface sends loopback detection packets with specified VLAN tags only when the following
conditions are met.
l A VLAN has been created.
l The interface has been added to the created VLAN in tagged mode.
l A VLAN ID has been specified for loopback detection packets using the loopback-detect vlan
{ vlan-id1 [ to vlan-id2 ] } &<1-10> command.
Step 5 Run:
commit
The configuration is committed.
----End
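The three conditions in the NOTE above decide which VLANs actually carry tagged detection packets, so a VLAN that misses any one of them is silently left unprobed. The following Python script is an added example, not Huawei code: it reads a configuration file and reports, per interface with loopback detection enabled, the VLANs that are probed, the tagged VLANs that are not, and the specified VLANs that have no effect. The sample configuration is constructed in the style of the configuration files in this guide, and treating every VLAN in port trunk allow-pass vlan as tagged membership is a simplifying assumption.

```python
# Constructed sample configuration (not from the guide). VLAN 200 is allowed
# on the trunk but never created; VLAN 300 is specified for detection but is
# neither created nor allowed on the interface.
SAMPLE_CONFIG = """\
#
sysname Switch
#
vlan batch 100 to 102
#
interface 10GE1/0/1
 port link-type trunk
 port trunk allow-pass vlan 100 to 102 200
 loopback-detect enable
 loopback-detect vlan 100 300
#
interface 10GE1/0/2
 port link-type trunk
 port trunk allow-pass vlan 100
#
return
"""


def expand_vlans(tokens):
    """Expand a VLAN list such as ['2', 'to', '10', '15'] into a set of ints."""
    vlans, i = set(), 0
    while i < len(tokens):
        start = int(tokens[i])
        if i + 2 < len(tokens) and tokens[i + 1] == "to":
            vlans.update(range(start, int(tokens[i + 2]) + 1))
            i += 3
        else:
            vlans.add(start)
            i += 1
    return vlans


def parse_config(text):
    """Return (created VLANs, {interface name: [configuration lines]})."""
    created, interfaces, current = set(), {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "#":
            current = None                      # '#' closes a stanza
        elif line.startswith("vlan batch "):
            created |= expand_vlans(line.split()[2:])
        elif line.startswith("interface "):
            current = interfaces.setdefault(line.split(None, 1)[1], [])
        elif current is not None:
            current.append(line)
    return created, interfaces


def audit_loopback_detect(text):
    """Report tagged-probe coverage for each loopback-detect enabled interface."""
    created, interfaces = parse_config(text)
    report = {}
    for name, lines in interfaces.items():
        if "loopback-detect enable" not in lines:
            continue
        tagged, specified = set(), set()
        for line in lines:
            if line.startswith("port trunk allow-pass vlan "):
                tagged |= expand_vlans(line.split()[4:])
            elif line.startswith("loopback-detect vlan "):
                specified |= expand_vlans(line.split()[2:])
        # All three conditions from the NOTE must hold for a tagged probe.
        probed = specified & tagged & created
        report[name] = {
            "probed": sorted(probed),
            # Tagged VLANs that exist but are not specified: loops confined
            # to these VLANs are not seen by tagged detection packets.
            "unprobed_tagged": sorted((tagged & created) - specified),
            # Specified VLANs that fail a condition and so send nothing.
            "ineffective": sorted(specified - probed),
            # One untagged copy plus one tagged copy per probed VLAN.
            "packets_per_interval": 1 + len(probed),
        }
    return report


if __name__ == "__main__":
    for intf, result in audit_loopback_detect(SAMPLE_CONFIG).items():
        print(intf, result)
```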
7.3.2 (Optional) Configuring an Action to Perform After a Loopback
Is Detected
Context
After loopback detection is enabled on an interface, the interface periodically sends detection
packets and checks whether loopback packets are received. When a loopback is detected on an
interface, the system sets the interface status to loopback, minimizing impact on the system and
the entire network.
Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
loopback-detect action error-down
The action to perform on the interface is set to error-down when a loopback is detected on the
interface.
The default action is alarm.
When the system detects a loopback on an interface, it sets the interface to error-down state
and sends an alarm.
NOTE
l You can run the error-down auto-recovery cause loopback-detect command to set the time after which
the interface in error-down state automatically recovers.
l If the action to perform on the interface is alarm, inter-device loopback may suppress loopback detection
on other interfaces on the local device. In this situation, set the action to error-down or use STP to prevent
loopback.
Step 3 Run:
commit
The configuration is committed.
----End
7.3.3 (Optional) Setting the Interval Between Sending Loopback
Detection Packets on an Interface
Context
An interface sends loopback detection packets at intervals.
Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
loopback-detect transmit interval packet-interval-time
The interval between sending loopback detection packets is set.
By default, the interval between sending loopback detection packets is 5 seconds.
Step 3 Run:
commit
The configuration is committed.
----End
7.3.4 Checking the Configuration
Procedure
l Run the display loopback-detect command to check the loopback detection configuration
and status of loopback detection enabled interfaces.
----End
7.4 Configuration Examples
This section describes configuration examples of loopback detection including networking
requirements, configuration roadmap, and configuration procedure.
7.4.1 Example for Configuring Loopback Detection
Networking Requirements
As shown in Figure 7-3, if there is a loop on the network connected to the 10GE1/0/1 interface,
broadcast storms will occur on the Switch or even the entire network.
To detect loops on the network connected to the switch and disable downlink interfaces to
reduce impacts on the switch and other networks, enable loopback detection on the Switch.
Figure 7-3 Loopback detection network diagram (Switch, interface 10GE1/0/1)
Configuration Roadmap
The configuration roadmap is as follows:
1. Enable loopback detection on the interface to detect loops on downlink networks.
2. Specify the VLAN ID for loopback detection packets.
3. Set loopback detection parameters to enable automatic recovery of the interface.
Procedure
Step 1 Enable loopback detection on the interface.
<HUAWEI> system-view
[~HUAWEI] sysname Switch
[~HUAWEI] commit
[~Switch] interface 10ge 1/0/1
[~Switch-10GE1/0/1] loopback-detect enable
[~Switch-10GE1/0/1] commit
[~Switch-10GE1/0/1] quit
Step 2 Specify the VLAN ID for loopback detection packets.
[~Switch] vlan 100
[~Switch-vlan100] quit
[~Switch] interface 10ge 1/0/1
[~Switch-10GE1/0/1] port link-type trunk
[~Switch-10GE1/0/1] port trunk allow-pass vlan 100
[~Switch-10GE1/0/1] loopback-detect vlan 100
[~Switch-10GE1/0/1] commit
[~Switch-10GE1/0/1] quit
Step 3 Set loopback detection parameters.
# Configure the action the interface takes when a loopback is detected.
[~Switch] loopback-detect action error-down
[~Switch] commit
# Set the interval between sending loopback detection packets.
[~Switch] loopback-detect transmit interval 10
[~Switch] commit
Step 4 Check the configuration.
Run the display loopback-detect command to check the configuration.
<Switch> display loopback-detect
------------------------------------------------------------
Loopback-detect transmit interval: 10s
Loopback-detect action: Error-Down
------------------------------------------------------------
------------------------------------------------------------
Interface Status
------------------------------------------------------------
10GE1/0/1 ErrorDown
----End
Configuration Files
Configuration file of the Switch
#
sysname Switch
#
vlan 100
#
loopback-detect transmit interval 10
loopback-detect action error-down
#
interface 10GE1/0/1
port link-type trunk
port trunk allow-pass vlan 100
loopback-detect enable
loopback-detect vlan 100
#
return
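An added example, not part of the Huawei guide: a Python audit of a saved configuration in the layout shown above. It checks that the global action is error-down (the NOTE in 7.3.2 warns about the alarm action) and that each interface with a detection VLAN has loopback detection enabled and, on trunk ports, permits that VLAN as the example does. The sample configuration, the 10GE1/0/2 interface and the function names are constructed for illustration, and treating a detection VLAN missing from the allow-pass list as a finding is an assumption drawn from the example, not a requirement the guide states.

```python
import re

# Constructed sample; 10GE1/0/2 is a hypothetical interface showing failures.
SAMPLE = """\
#
loopback-detect transmit interval 10
loopback-detect action error-down
#
interface 10GE1/0/1
 port link-type trunk
 port trunk allow-pass vlan 100
 loopback-detect enable
 loopback-detect vlan 100
#
interface 10GE1/0/2
 port link-type trunk
 port trunk allow-pass vlan 10 to 20
 loopback-detect vlan 100
#
"""

def expand_vlans(text):
    """Expand a VLAN list such as '10 to 20 100' or 'all' into a set of ints."""
    tokens, vlans, i = text.split(), set(), 0
    if tokens == ["all"]:
        return set(range(1, 4095))
    while i < len(tokens):
        is_range = tokens[i + 1:i + 2] == ["to"]
        last = int(tokens[i + 2]) if is_range else int(tokens[i])
        vlans.update(range(int(tokens[i]), last + 1))
        i += 3 if is_range else 1
    return vlans

def audit(config):
    """Return (scope, finding) tuples for the loopback-detect settings."""
    ok = re.search(r"(?m)^loopback-detect action error-down[ \t]*$", config)
    findings = [] if ok else [("global", "action is not explicitly error-down")]
    for section in re.split(r"(?m)^#[ \t]*$", config):  # '#' separates sections
        lines = [l.strip() for l in section.strip().splitlines()]
        if not lines or not lines[0].startswith("interface "):
            continue
        args = lambda p: " ".join(l[len(p):] for l in lines if l.startswith(p))
        detect = expand_vlans(args("loopback-detect vlan "))
        if detect and "loopback-detect enable" not in lines:
            findings.append((lines[0].split()[1], "VLAN set but detection not enabled"))
        if "port link-type trunk" in lines:  # assumption: check trunk ports only
            missing = detect - expand_vlans(args("port trunk allow-pass vlan "))
            findings += [(lines[0].split()[1], f"VLAN {v} not in allow-pass list") for v in sorted(missing)]
    return findings
```

Calling `audit()` on the text of a saved configuration file returns an empty list when every check passes.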