Version: V100R006C00
Issue: 01
Date: 2011-07-15
Notice
The purchased products, services and features are stipulated by the contract made between Huawei and the
customer. All or part of the products, services and features described in this document may not be within the
purchase scope or the usage scope. Unless otherwise specified in the contract, all statements, information,
and recommendations in this document are provided "AS IS" without warranties, guarantees or representations
of any kind, either express or implied.
The information in this document is subject to change without notice. Every effort has been made in the
preparation of this document to ensure accuracy of the contents, but all statements, information, and
recommendations in this document do not constitute the warranty of any kind, express or implied.
Website: http://www.huawei.com
Email: support@huawei.com
Issue 01 (2011-07-15)
Commissioning engineers
Symbol Conventions
The symbols that may be found in this document are defined as follows.
Symbol
Description
DANGER
WARNING
CAUTION
TIP
NOTE
Command Conventions
The command conventions that may be found in this document are defined as follows.
Convention
Description
Boldface
Italic
[]
{ x | y | ... }
[ x | y | ... ]
{ x | y | ... }*
[ x | y | ... ]*
&<1-n>
Change History
Updates between document issues are cumulative. Therefore, the latest document issue contains
all updates made in previous issues.
Contents
About This Document.....................................................................................................................ii
1 Ethernet Interface Configuration...............................................................................................1
1.1 Introduction to Ethernet Interfaces.....................................................................................................................2
1.2 Ethernet Interface Features Supported by the S2700.........................................................................................2
1.3 Configuring Basic Attributes of the Ethernet Interface......................................................................................3
1.3.1 Establishing the Configuration Task.........................................................................................................3
1.3.2 (Optional) Configuring a Description for an Interface..............................................................................3
1.3.3 (Optional) Configuring the Cable Type on an Interface............................................................................4
1.3.4 (Optional) Setting the Duplex Mode.........................................................................................................5
1.3.5 (Optional) Setting the Rate of an Interface................................................................................................5
1.3.6 (Optional) Enabling Auto-Negotiation......................................................................................................6
1.3.7 (Optional) Switching Between Optical and Electrical Interfaces..............................................................6
1.3.8 Checking the Configuration.......................................................................................................................7
1.4 Configuring Advanced Attributes of an Ethernet Interface................................................................................7
1.4.1 Establishing the Configuration Task.........................................................................................................7
1.4.2 (Optional) Configuring Loopback on the Ethernet Interface....................................................................8
1.4.3 (Optional) Configuring the Interface Group..............................................................................................8
1.4.4 (Optional) Enabling Flow Control.............................................................................................................9
1.4.5 (Optional) Enabling Auto-Negotiation of Flow Control...........................................................................9
1.4.6 (Optional) Enabling Port Isolation..........................................................................................................10
1.4.7 (Optional) Performing a Cable Test on an Interface...............................................................................10
1.4.8 (Optional) Configuring a Loopback Test on an Interface.......................................................................11
1.4.9 Checking the Configuration.....................................................................................................................12
1.5 Maintaining Ethernet Interfaces.......................................................................................................................12
1.5.1 Debugging Ethernet Interfaces................................................................................................................12
1.6 Configuration Examples...................................................................................................................................12
1.6.1 Example for Configuring Port Isolation..................................................................................................12
3 VLAN Configuration..................................................................................................................39
3.1 Introduction......................................................................................................................................................41
3.2 VLAN Features Supported by the S2700.........................................................................................................48
3.3 Dividing a LAN into VLANs...........................................................................................................................50
3.3.1 Establishing the Configuration Task.......................................................................................................50
3.3.2 Dividing a LAN into VLANs Based on Ports.........................................................................................52
3.3.3 Dividing a LAN into VLANs Based on MAC Addresses.......................................................................54
3.3.4 Checking the Configuration.....................................................................................................................55
3.4 Creating a VLANIF Interface...........................................................................................................................55
3.4.1 Establishing the Configuration Task.......................................................................................................55
3.4.2 Creating a VLANIF Interface..................................................................................................................56
3.4.3 Assigning an IP Address to a VLANIF Interface....................................................................................57
3.4.4 (Optional) Setting a Delay After Which a VLANIF Interface Goes Down............................................57
3.4.5 (Optional) Setting the MTU of a VLANIF Interface...............................................................................58
3.4.6 Checking the Configuration.....................................................................................................................59
3.5 Configuring Inter-VLAN Communication.......................................................................................................59
3.5.1 Establishing the Configuration Task.......................................................................................................59
3.5.2 Configuring VLANIF Interfaces for Inter-VLAN Communication........................................................60
3.5.3 Checking the Configuration.....................................................................................................................62
5 QinQ Configuration..................................................................................................................107
5.1 Concept of QinQ.............................................................................................................................................108
5.2 QinQ Features Supported by the S2700.........................................................................................................108
5.3 Configuring QinQ on an Interface..................................................................................................................108
5.3.1 Establishing the Configuration Task.....................................................................................................108
5.3.2 Setting the Link Type of an Interface....................................................................................................109
5.3.3 Specifying the Outer VLAN ID.............................................................................................................109
5.3.4 Checking the Configuration...................................................................................................................110
5.4 Configuring QinQ Stacking on a VLANIF Interface.....................................................................................110
5.4.1 Establishing the Configuration Task.....................................................................................................110
5.4.2 Configuring QinQ Stacking on a VLANIF Interface............................................................................112
5.4.3 Checking the Configuration...................................................................................................................112
5.5 Setting the Protocol Type in the Outer VLAN Tag........................................................................................113
5.5.1 Establishing the Configuration Task.....................................................................................................113
5.5.2 Configuring the Type of an Interface....................................................................................................113
5.5.3 Setting the Protocol Type in the Outer VLAN Tag...............................................................................114
5.5.4 Checking the Configuration...................................................................................................................114
5.6 Configuration Examples.................................................................................................................................115
5.6.1 Example for Configuring QinQ on Interfaces.......................................................................................115
5.6.2 Example for Configuring QinQ Stacking on the VLANIF Interface....................................................118
6 GVRP Configuration................................................................................................................121
6.1 GVRP Overview.............................................................................................................................................122
6.2 GVRP Features Supported by the S2700.......................................................................................................125
6.3 Configuring GVRP.........................................................................................................................................126
6.3.1 Establishing the Configuration Task.....................................................................................................126
6.3.2 Enabling GVRP.....................................................................................................................................126
6.3.3 (Optional) Setting the Registration Mode of a GVRP Interface............................................................127
6.3.4 (Optional) Setting the GARP Timers....................................................................................................128
6.3.5 Checking the Configuration...................................................................................................................129
6.4 Maintaining GVRP.........................................................................................................................................129
6.4.1 Clearing GARP Statistics......................................................................................................................129
6.5 Configuration Examples.................................................................................................................................130
6.5.1 Example for Configuring GVRP...........................................................................................................130
8 STP/RSTP Configuration.........................................................................................................157
8.1 STP/RSTP Overview......................................................................................................................................158
8.1.1 STP/RSTP Overview.............................................................................................................................158
8.1.2 STP/RSTP Features Supported by the S2700........................................................................................163
8.2 Configuring Basic STP/RSTP Functions.......................................................................................................165
8.2.1 Establishing the Configuration Task.....................................................................................................165
8.2.2 Configuring the STP/RSTP Mode.........................................................................................................167
8.2.3 (Optional) Configuring Switching Device Priorities.............................................................................167
8.2.4 (Optional) Setting the Path Cost for a Port............................................................................................168
8.2.5 (Optional) Configuring Port Priorities...................................................................................................169
8.2.6 Enabling STP/RSTP..............................................................................................................................170
8.2.7 Checking the Configuration...................................................................................................................170
8.3 Configuring STP/RSTP Parameters on an Interface......................................................................................171
8.3.1 Establishing the Configuration Task.....................................................................................................173
8.3.2 Setting System Parameters....................................................................................................................174
8.3.3 Setting Port Parameters.........................................................................................................................175
8.3.4 Checking the Configuration...................................................................................................................177
8.4 Configuring RSTP Protection Functions........................................................................................................177
8.4.1 Establishing the Configuration Task.....................................................................................................177
8.4.2 Configuring BPDU Protection on a Switching Device.........................................................................179
8.4.3 Configuring TC Protection on a Switching Device...............................................................................180
8.4.4 Configuring Root Protection on a Port..................................................................................................180
9 MSTP Configuration.................................................................................................................194
9.1 MSTP Overview.............................................................................................................................................195
9.1.1 MSTP Introduction................................................................................................................................195
9.1.2 MSTP Features Supported by the S2700...............................................................................................203
9.2 Configuring Basic MSTP Functions...............................................................................................................205
9.2.1 Establishing the Configuration Task.....................................................................................................206
9.2.2 Configuring the MSTP Mode................................................................................................................208
9.2.3 Configuring and Activating an MST Region........................................................................................208
9.2.4 (Optional) Setting a Priority for a Switching Device in an MSTI.........................................................210
9.2.5 (Optional) Setting a Path Cost of a Port in an MSTI.............................................................................211
9.2.6 (Optional) Setting a Port Priority in an MSTI.......................................................................................212
9.2.7 Enabling MSTP.....................................................................................................................................213
9.2.8 Checking the Configuration...................................................................................................................213
9.3 Configuring MSTP Parameters on an Interface.............................................................................................213
9.3.1 Establishing the Configuration Task.....................................................................................................214
9.3.2 Configuring System Parameters............................................................................................................214
9.3.3 Configuring Port Parameters.................................................................................................................216
9.3.4 Checking the Configuration...................................................................................................................218
9.4 Configuring MSTP Protection Functions.......................................................................................................218
9.4.1 Establishing the Configuration Task.....................................................................................................218
9.4.2 Configuring BPDU Protection on a Switching Device.........................................................................220
9.4.3 Configuring TC Protection on a Switching Device...............................................................................220
9.4.4 Configuring Root Protection on an Interface........................................................................................221
9.4.5 Configuring Loop Protection on an Interface........................................................................................222
9.4.6 Checking the Configuration...................................................................................................................223
9.5 Configuring MSTP Interoperability Between Huawei Devices and Non-Huawei Devices...........................223
9.5.1 Establishing the Configuration Task.....................................................................................................223
9.5.2 Configuring a Proposal/Agreement Mechanism...................................................................................224
9.5.3 Configuring the MSTP Protocol Packet Format on an Interface...........................................................225
9.5.4 Enabling the Digest Snooping Function................................................................................................226
9.5.5 Checking the Configuration...................................................................................................................226
Interface type                 Rate (Mbit/s)   Auto-negotiation           Non-negotiation
                                               Full Duplex   Half Duplex  Full Duplex   Half Duplex
Ethernet electrical interface  10              Yes           Yes          Yes           Yes
                               100             Yes           Yes          Yes           Yes
                               1000            Yes           No           Yes           No
Ethernet optical interface     100             No            No           Yes           No
                               1000            Yes           No           Yes           No

If the local interface works in auto-negotiation mode, the peer interface must also work in auto-negotiation mode; otherwise, packet loss may occur.
Port Group
The port group function enables you to configure multiple interfaces at the same time. You can
run commands in the port group view to configure all the interfaces in the group.
Auto-Negotiation
The auto-negotiation function allows interfaces on both ends of a link to select the same operating
parameters by exchanging capability information. Each interface sends its capability information
to the remote end and checks capabilities of the remote end. After both interfaces receive the
capability information from each other, they adopt the highest capability they support to
communicate with each other.
The interfaces negotiate the duplex mode, speed, and flow control parameters. After a successful
negotiation, the interfaces use the same duplex mode, speed, and flow control parameters.
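The following added example (not code from the Huawei document) models the negotiation rules described above: both ends exchange their capabilities and adopt the highest one they share, and a link with only one end negotiating is flagged, as the document warns that packet loss may occur. The capability sets are transcribed from the rate/duplex table for S2700 interfaces; the ranking used for "highest capability" (higher rate first, then full before half duplex) and all class and function names are assumptions of this example.

```python
"""Model of the Ethernet interface auto-negotiation rules described above.

Added example; it is not code from the Huawei document. The capability
table is transcribed from the rate/duplex support table for S2700
Ethernet interfaces, and the ranking used for "highest capability"
(higher rate first, then full duplex before half duplex) is an assumption
of this example, as are the class and function names.
"""
from dataclasses import dataclass
from typing import FrozenSet, Optional, Tuple

Capability = Tuple[int, str]  # (rate in Mbit/s, "full" or "half")

# Supported (rate, duplex) pairs per interface type and negotiation mode,
# transcribed from the table: electrical interfaces support 10/100 Mbit/s in
# full or half duplex and 1000 Mbit/s in full duplex only; optical interfaces
# support 100 Mbit/s full duplex only without negotiation and 1000 Mbit/s
# full duplex in either mode.
SUPPORT = {
    ("electrical", "auto"): frozenset({(10, "full"), (10, "half"), (100, "full"),
                                       (100, "half"), (1000, "full")}),
    ("electrical", "non"): frozenset({(10, "full"), (10, "half"), (100, "full"),
                                      (100, "half"), (1000, "full")}),
    ("optical", "auto"): frozenset({(1000, "full")}),
    ("optical", "non"): frozenset({(100, "full"), (1000, "full")}),
}


@dataclass(frozen=True)
class Interface:
    name: str
    media: str                                          # "electrical" or "optical"
    auto: bool = True                                   # auto-negotiation enabled
    forced: Optional[Capability] = None                 # fixed rate/duplex when auto is False
    advertised: Optional[FrozenSet[Capability]] = None  # subset advertised when auto is True

    def capabilities(self) -> FrozenSet[Capability]:
        """Capabilities this end can actually use in its current mode."""
        supported = SUPPORT[(self.media, "auto" if self.auto else "non")]
        if self.auto and self.advertised is not None:
            return supported & self.advertised
        return supported


def rank(cap: Capability) -> Tuple[int, int]:
    """Ordering assumed for 'highest capability': rate, then full over half duplex."""
    rate, duplex = cap
    return (rate, 1 if duplex == "full" else 0)


def link_outcome(a: Interface, b: Interface) -> Tuple[str, Optional[Capability]]:
    """Return (status, operating (rate, duplex)) for a link between a and b.

    - Both ends auto-negotiate: exchange capabilities and adopt the highest
      one both support ("ok"), or "incompatible" if they share none.
    - Both ends fixed: "ok" if both settings are supported and identical,
      "unsupported" if a fixed setting is not valid for that media,
      "mismatch" if the two fixed settings differ.
    - One end auto, one fixed: "mode-mismatch"; the document warns that
      packet loss may occur in this configuration.
    """
    if a.auto and b.auto:
        common = a.capabilities() & b.capabilities()
        if not common:
            return ("incompatible", None)
        return ("ok", max(common, key=rank))
    if not a.auto and not b.auto:
        for end in (a, b):
            if end.forced is None or end.forced not in end.capabilities():
                return ("unsupported", None)
        if a.forced == b.forced:
            return ("ok", a.forced)
        return ("mismatch", None)
    return ("mode-mismatch", None)


if __name__ == "__main__":
    ge = Interface("GE0/0/1", "electrical")
    fe_peer = Interface("peer", "electrical",
                        advertised=frozenset({(10, "full"), (10, "half"),
                                              (100, "full"), (100, "half")}))
    print(link_outcome(ge, fe_peer))                                  # ('ok', (100, 'full'))
    print(link_outcome(ge, Interface("peer", "electrical", auto=False,
                                     forced=(100, "full"))))          # ('mode-mismatch', None)
```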
Port Isolation
The port isolation function isolates Layer 2 and Layer 3 communication between ports in the
same VLAN. This function restricts packet transmission between ports flexibly, providing a
secure and flexible network solution.
You can configure the description of interfaces to facilitate the identification, maintenance,
and configuration of the interfaces.
By default, an FE electrical interface automatically identifies the network cable type. If the
interface cannot identify the cable type properly, set the cable type for the interface
manually.
By default, an FE electrical interface negotiates the duplex mode and rate with the
equipment that is directly connected to the interface. If the connected equipment does not
have the auto-negotiation capability, set the duplex mode and rate for the FE interface
manually so that the interface can work with the connected equipment.
Pre-configuration Tasks
None
Data Preparation
To configure the basic functions of Ethernet interfaces, you need the following data.
No.
Data
Context
Perform the following steps on the S2700.
Procedure
Step 1 Run:
system-view
Procedure
Step 1 Run:
system-view
Procedure
Step 1 Run:
system-view
Procedure
Step 1 Run:
system-view
Step 4 Run:
speed { 10 | 100 | 1000 }
Procedure
Step 1 Run:
system-view
Procedure
Step 1 Run:
system-view
Step 2 Run:
interface gigabitethernet interface-number
The S2700 provides the interface group function, which enables you to configure multiple
interfaces at the same time.
If the traffic received on an interface of the S2700 may exceed the processing capability
of the interface and the directly connected interface supports traffic control, enable the
traffic control function on the interface. When the rate of received traffic reaches the
threshold, the interface sends a Pause frame (in full duplex mode) or a back pressure
signal (in half duplex mode) to notify the peer interface. If the peer interface supports
traffic control, it decreases the rate at which it sends traffic so that the local interface
can properly process the received traffic.
Ports enabled with port isolation cannot communicate with each other so that ports on the
same VLAN can be isolated. Port isolation provides secure and flexible networking
schemes for customers.
Pre-configuration Tasks
None.
Data Preparation
To configure the advanced functions of Ethernet interfaces, you need the following data.
No.
Data
Interface number
Procedure
Step 1 Run:
system-view
After interface A is isolated from interface B unidirectionally, packets sent by interface A cannot reach
interface B, whereas packets sent from interface B can reach interface A.
Step 4 Run:
port-isolate enable [ group group-id ]
Ports in a port isolation group are isolated from each other, and ports in different port isolation groups can
communicate with each other. If group-id is not specified, a port is added to port isolation group 1.
----End
Context
A cable test detects faults on the cable connected to an interface. If the cable is working properly,
the total length of the cable is displayed. If the cable cannot work properly, the distance between
the interface and the fault point is displayed.
Procedure
Step 1 Run:
system-view
----End
Run the display port-group [ all | port-group-name ] command to check information about
a port group.
----End
CAUTION
Debugging affects the performance of the system. So, after debugging, run the undo debugging
all command to disable it immediately.
When an Ethernet interface or Eth-Trunk fault occurs, run the following debugging commands
in the user view to locate the fault.
Procedure
Step 1 Run the debugging l2if [ error | event | msg | updown ] command to enable the debugging of
link layer features.
----End
Networking Requirements
As shown in Figure 1-1, it is required that PC1 and PC2 cannot communicate with each other,
but they can communicate with PC3.
Figure 1-1 Networking diagram for configuring port isolation: PC1 (10.10.10.1/24) and PC2 (10.10.10.2/24) are connected to ports Eth0/0/1 and Eth0/0/2 of the Switch, and PC3 (10.10.10.3/24) to Eth0/0/3.
Configuration Roadmap
The configuration roadmap is as follows:
1. Enable port isolation on the ports connected to PC1 and PC2 respectively to prevent PC1
and PC2 from communicating with each other.
Data Preparation
To complete the configuration, you need the following data:
- ID of the VLAN that the ports connected to PC1, PC2, and PC3 belong to (VLAN 1 by
default)
- Port isolation group that the ports connected to PC1 and PC2 belong to (group 1 by default)
Procedure
Step 1 Enable port isolation.
# Enable port isolation on Ethernet 0/0/1.
<Quidway> system-view
[Quidway] interface ethernet 0/0/1
[Quidway-Ethernet0/0/1] port-isolate enable
[Quidway-Ethernet0/0/1] quit
Configuration Files
Configuration file of the Switch
#
sysname Quidway
#
interface Ethernet0/0/1
port-isolate enable group 1
#
interface Ethernet0/0/2
port-isolate enable group 1
#
interface Ethernet0/0/3
#
return
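The following added example (not code from the Huawei document) models the port isolation rules stated in this chapter: ports in the same isolation group cannot exchange packets, ports in different groups or without isolation can, group 1 applies when no group-id is given, and a unidirectional isolation of A from B blocks A's packets to B while B still reaches A. The configuration file is transcribed from the example above; the PC-to-port mapping (PC1 on Ethernet0/0/1, PC2 on Ethernet0/0/2, PC3 on Ethernet0/0/3) and all class and function names are assumptions of this example.

```python
"""Model of the port isolation semantics described above.

Added example; it is not code from the Huawei document. It encodes the rules
stated in the text: ports in the same isolation group cannot exchange packets,
ports in different groups (or not isolated at all) can, group 1 is used when
no group is given, and unidirectional isolation of A from B blocks A's packets
to B while B can still reach A. The configuration file below is transcribed
from the example; the PC-to-port mapping and all names are assumptions.
"""
from typing import Dict, Optional, Set, Tuple

# Transcribed from the "Configuration file of the Switch" in the example.
SWITCH_CONFIG = """\
#
 sysname Quidway
#
interface Ethernet0/0/1
 port-isolate enable group 1
#
interface Ethernet0/0/2
 port-isolate enable group 1
#
interface Ethernet0/0/3
#
return
"""


class IsolationTable:
    """Per-switch view of port isolation state within one VLAN."""

    def __init__(self) -> None:
        self.groups: Dict[str, int] = {}             # port -> isolation group id
        self.one_way: Set[Tuple[str, str]] = set()   # (src, dst) blocked in one direction

    def enable(self, port: str, group: Optional[int] = None) -> None:
        """port-isolate enable [ group group-id ]; group 1 when group-id is omitted."""
        self.groups[port] = 1 if group is None else group

    def isolate_one_way(self, src: str, dst: str) -> None:
        """Unidirectional isolation: src cannot reach dst, dst can still reach src."""
        self.one_way.add((src, dst))

    def can_forward(self, src: str, dst: str) -> bool:
        """Whether a packet entering src may be forwarded out of dst."""
        if (src, dst) in self.one_way:
            return False
        src_group = self.groups.get(src)
        # Only ports in the same isolation group are isolated from each other.
        return src_group is None or self.groups.get(dst) != src_group


def load_isolation(config: str) -> IsolationTable:
    """Parse 'interface ...' / 'port-isolate enable [group N]' lines of a VRP config."""
    table = IsolationTable()
    current: Optional[str] = None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
        elif line == "#":
            current = None                     # "#" ends the current view
        elif line.startswith("port-isolate enable") and current is not None:
            words = line.split()
            group = int(words[words.index("group") + 1]) if "group" in words else None
            table.enable(current, group)
    return table


def host_reachability(table: IsolationTable,
                      host_ports: Dict[str, str]) -> Dict[Tuple[str, str], bool]:
    """Map every ordered pair of hosts to whether the first can send to the second."""
    return {(h1, h2): table.can_forward(p1, p2)
            for h1, p1 in host_ports.items()
            for h2, p2 in host_ports.items() if h1 != h2}


if __name__ == "__main__":
    table = load_isolation(SWITCH_CONFIG)
    hosts = {"PC1": "Ethernet0/0/1", "PC2": "Ethernet0/0/2", "PC3": "Ethernet0/0/3"}
    for pair, ok in sorted(host_reachability(table, hosts).items()):
        print(pair, "reachable" if ok else "isolated")
```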
Manual load balancing mode: Generally, all member interfaces are active interfaces unless
a fault occurs on these interfaces.
Static LACP mode: The interfaces connected to M links are active interfaces that are
responsible for forwarding data; the interfaces connected to N links are inactive interfaces
that are used for redundancy backup.
Applicable Environment
When the bandwidth or reliability of the link between two devices needs to be increased and
either of the two devices does not support LACP, create an Eth-Trunk in manual load balancing
mode on the switches and add member interfaces to the Eth-Trunk to increase the bandwidth and
improve reliability.
As shown in Figure 2-2, Eth-Trunks are created between SwitchA and SwitchB.
Figure 2-2 Networking diagram for configuring link aggregation in load balancing mode: Eth-Trunk 1 is created between SwitchA and SwitchB.
Pre-configuration Tasks
Before configuring an Eth-Trunk in manual load balancing mode, complete the following tasks:
Data Preparation
To configure an Eth-Trunk in manual load balancing mode, you need the following data.
No.
Data
Check whether the Eth-Trunk contains member interfaces before you configure the operation mode of the
Eth-Trunk. If the Eth-Trunk contains member interfaces, the operation mode of the Eth-Trunk cannot be
changed. To delete member interfaces from the Eth-Trunk, run the undo eth-trunk trunk-id command in
the interface view or run the undo trunkport interface-type interface-number command in the Eth-Trunk
view.
Do as follows on the S2700 where you need to configure an Eth-Trunk in manual load balancing
mode.
Procedure
Step 1 Run:
system-view
Procedure
- Adding member interfaces in the Eth-Trunk view:
1. Run:
system-view
2. Run:
interface eth-trunk trunk-id
3. Run:
trunkport interface-type { interface-number1 [ to interface-number2 ] } &<1-8>
- Adding a member interface in the interface view:
1. Run:
system-view
2. Run:
interface interface-type interface-number
3. Run:
eth-trunk trunk-id
Procedure
- Setting the upper threshold of the number of interfaces that determine the bandwidth of the
Eth-Trunk
1. Run:
system-view
2. Run:
interface eth-trunk trunk-id
3. Run:
max bandwidth-affected-linknumber link-number
The maximum number of interfaces that determine the bandwidth of the Eth-Trunk is set.
By default, the maximum number of interfaces that determine the bandwidth of the Eth-Trunk is 8 on the S2700EI and 4 on the S2700SI.
NOTE
- The upper threshold of the number of interfaces that determine the bandwidth of the Eth-Trunk on the
local S2700 and that on the remote S2700 can be different. If the upper thresholds at the two ends
are different, the smaller one is used.
- Setting the lower threshold of the number of active interfaces
1. Run:
system-view
2. Run:
interface eth-trunk trunk-id
3. Run:
least active-linknumber link-number
NOTE
- The lower threshold of the number of active interfaces on the local S2700 and that on the remote
S2700 can be different. If the lower thresholds at the two ends are different, the larger one is used.
----End
Run the display trunkmembership eth-trunk trunk-id command to display the member
interfaces of the Eth-Trunk.
Run the display eth-trunk trunk-id command to display the load balancing status of the
Eth-Trunk.
----End
The links between two devices can implement redundancy backup. When a fault occurs on
some links, the backup links replace the faulty ones to keep data transmission uninterrupted.
(Figure: Eth-Trunk 1 between SwitchA and SwitchB, with an active link and a standby link.)
Pre-configuration Tasks
Before configuring an Eth-Trunk in static LACP mode, complete the following tasks:
Data Preparation
To configure an Eth-Trunk in static LACP mode, you need the following data.
No.
Data
Context
NOTE
Check whether the Eth-Trunk contains member interfaces before you configure the operation mode of the
Eth-Trunk. If the Eth-Trunk contains member interfaces, the operation mode of the Eth-Trunk cannot be
changed. To delete member interfaces from the Eth-Trunk, run the undo eth-trunk trunk-id command in
the interface view or run the undo trunkport interface-type interface-number command in the Eth-Trunk
view.
Do as follows on the S2700 where you need to configure an Eth-Trunk in static LACP mode.
Procedure
Step 1 Run:
system-view
The Eth-Trunk member interfaces are configured to send received BPDUs to the CPU.
Step 4 Run:
mode lacp-static
Procedure
l
Run:
system-view
Run:
interface eth-trunk trunk-id
24
3.
Run:
trunkport interface-type { interface-number1 [ to interface-number2 ] }
&<1-8>
Run:
system-view
Run:
interface interface-type interface-number
Run:
eth-trunk trunk-id
Procedure
Step 1 Run:
system-view
Procedure
Run:
system-view
Run:
interface eth-trunk trunk-id
Run:
max active-linknumber link-number
• The upper threshold of the number of active interfaces should not be smaller than the lower
threshold of the number of active interfaces.
• The upper threshold of the number of active interfaces of the local S2700 and that of the remote
S2700 can be different. If the upper thresholds at two ends are different, the smaller one is used.
Run:
system-view
Run:
interface eth-trunk trunk-id
Run:
least active-linknumber link-number
• The lower threshold of the number of active interfaces should not be larger than the upper
threshold of the number of active interfaces.
• The lower threshold of the number of active interfaces of the local S2700 and that of the remote
S2700 can be different. If the lower thresholds at two ends are different, the larger one is used.
----End
Procedure
Step 1 Run:
system-view
Procedure
Step 1 Run:
system-view
Procedure
Step 1 Run:
system-view
To ensure normal running of an Eth-Trunk, it is recommended that you enable or disable LACP preemption
on both ends of the Eth-Trunk.
Step 4 Run:
lacp preempt delay delay-time
The delay for LACP preemption is the period that an inactive interface of an Eth-Trunk in static LACP mode waits before it becomes active.
----End
Procedure
Step 1 Run:
system-view
The timeout for receiving LACP protocol packets on the Eth-Trunk is set.
NOTE
• After the lacp timeout command is used, the local end informs the peer end of the timeout interval
through LACP packets. If the fast keyword is selected, the interval for sending LACP packets is 1 second.
If the slow keyword is selected, the interval for sending LACP packets is 30 seconds.
• The timeout interval for receiving LACP packets is three times the interval for sending LACP packets.
That is, when the fast keyword is used, the timeout interval for receiving LACP packets is 3s; when
the slow keyword is used, the timeout interval for receiving LACP packets is 90s.
• You can select different keywords on the two ends. To facilitate maintenance, however, it is
recommended that you select the same keyword on both ends.
----End
Run the display trunkmembership eth-trunk trunk-id command to display the member
interfaces of the Eth-Trunk.
----End
CAUTION
The statistics of LACP packets cannot be restored after you clear them. So, confirm the action
before you use the command.
Procedure
• Run the reset lacp statistics eth-trunk [ trunk-id ] command to clear statistics of received
and sent LACP packets.
----End
CAUTION
Debugging affects the performance of the system. So, after debugging, run the undo debugging
all command to disable it immediately.
When a running fault occurs in the link aggregation group, run the following debugging
commands in the user view to check the debugging information, and locate and analyze the fault.
Procedure
• Run the debugging trunk error command to enable the debugging of Eth-Trunk errors.
• Run the debugging trunk event command to enable the debugging of Eth-Trunk events.
• Run the debugging trunk lacp-pdu command to enable the debugging of LACP packets.
• Run the debugging trunk lagmsg command to enable the debugging of LACP protocol messages.
• Run the debugging trunk msg command to enable the debugging of Eth-Trunk messages.
• Run the debugging trunk state-machine command to enable the debugging of the Eth-Trunk
state machine.
• Run the debugging trunk updown command to enable the debugging of Eth-Trunk Up
and Down messages.
• Run the debugging trunk command to enable the debugging of Eth-Trunk messages.
----End
Procedure
• Run the display lacp statistics eth-trunk [ trunk-id [ interface interface-type interface-number ] ] command to display the statistics of sent and received LACP packets.
• Run the display trunkmembership eth-trunk trunk-id command to display the member
interfaces of the Eth-Trunk.
----End
Figure 2-4 Networking diagram for configuring link aggregation in manual load balancing mode
(Diagram: GE0/0/3 and GE0/0/4 of the Switch are bundled as Eth-Trunk 1 towards SwitchA; GE0/0/1 of the Switch connects to a LAN switch carrying VLAN 100-150 and GE0/0/2 to a LAN switch carrying VLAN 151-200.)
Configuration Roadmap
The configuration roadmap is as follows:
1. Create an Eth-Trunk.
Data Preparation
To complete the configuration, you need the following data:
Procedure
Step 1 Create an Eth-Trunk.
# Create Eth-Trunk 1.
<Quidway> system-view
[Quidway] sysname Switch
[Switch] interface eth-trunk 1
[Switch-Eth-Trunk1] quit
The preceding information indicates that Eth-Trunk 1 consists of member interfaces Eth 0/0/3
and Eth 0/0/4. The member interfaces are both in Up state.
----End
Configuration Files
Configuration file of the Switch
#
sysname Switch
#
interface Eth-Trunk1
port link-type trunk
port trunk allow-pass vlan 100 to 200
#
interface Ethernet0/0/3
eth-trunk 1
#
interface Ethernet0/0/4
eth-trunk 1
#
return
N links between two Switches can provide redundancy backup. When a fault occurs on
an active link, a backup link replaces the faulty link so that data transmission stays
reliable.
Figure 2-5 Networking diagram for configuring link aggregation in static LACP mode
(Diagram: SwitchA and SwitchB are connected by Eth-Trunk 1 over Eth 0/0/1, Eth 0/0/2 and Eth 0/0/3 on each side; some links are active and the remaining links are backup links.)
Configuration Roadmap
The configuration roadmap is as follows:
1. Create an Eth-Trunk on the Switch and configure the Eth-Trunk to work in static LACP
mode.
5. Set the priority of the interface and determine the active link.
Data Preparation
To complete the configuration, you need the following data:
Procedure
Step 1 Create Eth-Trunk 1 and set the load balancing mode of the Eth-Trunk to static LACP mode.
# Configure SwitchA.
<Quidway> system-view
[Quidway] sysname SwitchA
[SwitchA] bpdu enable
[SwitchA] interface eth-trunk 1
[SwitchA-Eth-Trunk1] mode lacp-static
[SwitchA-Eth-Trunk1] quit
# Configure SwitchB.
<Quidway> system-view
[Quidway] sysname SwitchB
[SwitchB] bpdu enable
[SwitchB] interface eth-trunk 1
[SwitchB-Eth-Trunk1] mode lacp-static
[SwitchB-Eth-Trunk1] quit
# Configure SwitchB.
[SwitchB] interface ethernet 0/0/1
[SwitchB-Ethernet0/0/1] eth-trunk 1
[SwitchB-Ethernet0/0/1] quit
[SwitchB] interface ethernet 0/0/2
[SwitchB-Ethernet0/0/2] eth-trunk 1
[SwitchB-Ethernet0/0/2] quit
[SwitchB] interface ethernet 0/0/3
[SwitchB-Ethernet0/0/3] eth-trunk 1
[SwitchB-Ethernet0/0/3] quit
Step 3 Set the system priority on SwitchA to 100 so that SwitchA becomes the Actor.
[SwitchA] lacp priority 100
Step 4 Set the upper threshold M of active interfaces on SwitchA to 2.
[SwitchA] interface eth-trunk 1
[SwitchA-Eth-Trunk1] max active-linknumber 2
[SwitchA-Eth-Trunk1] quit
Step 5 Set the priority of the interface and determine active links on SwitchA.
[SwitchA] interface ethernet 0/0/1
[SwitchA-Ethernet0/0/1] lacp priority 100
[SwitchA-Ethernet0/0/1] quit
[SwitchA] interface ethernet 0/0/2
[SwitchA-Ethernet0/0/2] lacp priority 100
[SwitchA-Ethernet0/0/2] quit
# Check information about the Eth-Trunk of the Switches and check whether the negotiation is
successful on the link.
[SwitchA] display eth-trunk 1
Eth-Trunk1's state information is:
Local:
LAG ID: 1
WorkingMode: STATIC
Preempt Delay: Disabled
Hash arithmetic: According to SA-XOR-DA
System Priority: 100
System ID: 00e0-fca8-0417
Least Active-linknumber: 1 Max Active-linknumber: 2
Operate status: Up
Number Of Up Port In Trunk: 2
------------------------------------------------------------------------------
ActorPortName    Status    PortType  PortPri  PortNo  PortKey  PortState  Weight
Ethernet0/0/1    Selected  100M      100      6145    2865     11111100   1
Ethernet0/0/2    Selected  100M      100      6146    2865     11111100   1
Ethernet0/0/3    Unselect  100M      32768    6147    2865     11100000   1
Partner:
------------------------------------------------------------------------------
PartnerPortName  SysPri  SystemID        PortPri  PortNo  PortKey  PortState
Ethernet0/0/1    32768   00e0-fca6-7f85  32768    6145    2609     11111100
Ethernet0/0/2    32768   00e0-fca6-7f85  32768    6146    2609     11111100
Ethernet0/0/3    32768   00e0-fca6-7f85  32768    6147    2609     11110000
[SwitchB] display eth-trunk 1
Eth-Trunk1's state information is:
Local:
LAG ID: 1
WorkingMode: STATIC
Preempt Delay: Disabled
Hash arithmetic: According to SA-XOR-DA
System Priority: 32768
System ID: 00e0-fca6-7f85
Least Active-linknumber: 1
Max Active-linknumber: 8
Operate status: Up
Number Of Up Port In Trunk: 2
------------------------------------------------------------------------------
ActorPortName    Status    PortType  PortPri  PortNo  PortKey  PortState  Weight
Ethernet0/0/1    Selected  100M      32768    6145    2609     11111100   1
Ethernet0/0/2    Selected  100M      32768    6146    2609     11111100   1
Ethernet0/0/3    Unselect  100M      32768    6147    2609     11100000   1
Partner:
------------------------------------------------------------------------------
PartnerPortName  SysPri  SystemID        PortPri  PortNo  PortKey  PortState
Ethernet0/0/1    100     00e0-fca8-0417  100      6145    2865     11111100
Ethernet0/0/2    100     00e0-fca8-0417  100      6146    2865     11111100
Ethernet0/0/3    100     00e0-fca8-0417  32768    6147    2865     11110000
The preceding information shows that the system priority of SwitchA is 100 and it is higher than
the system priority of SwitchB. Member interfaces Eth0/0/1 and Eth0/0/2 become the active
interfaces and are in Selected state. Interface Eth0/0/3 is in Unselect state. M active links work
in load balancing mode and N links are the backup links.
----End
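The threshold rules given earlier (the smaller upper threshold and the larger lower threshold of the two ends take effect) and the selection shown in the display eth-trunk output above (the end with the smaller system priority value is the Actor; on it, the M member interfaces with the best port priority become Selected and the rest stay Unselect as backups) can be reproduced in a few lines. The following Python is an added illustration, not Huawei code; it assumes that ports with equal priority are ranked by port number, which the text does not state.

```python
"""Static LACP: threshold negotiation and active-link selection.

Added illustration, not Huawei code.  Rules are taken from the text:
  * effective upper threshold = the smaller of the two ends' values,
    effective lower threshold = the larger of the two ends' values;
  * the end whose system priority value is smaller (tie: smaller system ID)
    is the Actor and decides which links are active;
  * the Actor ranks Up member ports by port priority (smaller wins), then by
    port number, and the first M are Selected; the rest are Unselect (backup).
The ranking tie-break on port number is an assumption for this example.
"""
from dataclasses import dataclass
from typing import Dict, Tuple


@dataclass(frozen=True)
class Port:
    name: str
    port_no: int
    port_pri: int = 32768      # default port priority shown in the display output
    up: bool = True


@dataclass(frozen=True)
class Lag:
    system_pri: int
    system_id: str
    ports: Tuple[Port, ...]
    max_active: int = 8        # "Max Active-linknumber" as shown for SwitchB
    least_active: int = 1      # "Least Active-linknumber" as shown for both ends


def negotiated_thresholds(local: Lag, remote: Lag) -> Tuple[int, int]:
    """Upper threshold: smaller of the two ends; lower threshold: larger."""
    upper = min(local.max_active, remote.max_active)
    lower = max(local.least_active, remote.least_active)
    if lower > upper:
        raise ValueError(f"lower threshold {lower} exceeds upper threshold {upper}")
    return upper, lower


def actor(a: Lag, b: Lag) -> Lag:
    """Numerically smaller system priority wins; the system ID breaks ties."""
    return min((a, b), key=lambda lag: (lag.system_pri, lag.system_id))


def select_links(a: Lag, b: Lag) -> Tuple[Dict[str, str], bool]:
    """Return ({port name: 'Selected' | 'Unselect'}, eth_trunk_up) on the Actor."""
    upper, lower = negotiated_thresholds(a, b)
    act = actor(a, b)
    ranked = sorted((p for p in act.ports if p.up),
                    key=lambda p: (p.port_pri, p.port_no))
    chosen = {p.name for p in ranked[:upper]}
    status = {p.name: ("Selected" if p.name in chosen else "Unselect")
              for p in act.ports}
    # Fewer active links than the lower threshold: the Eth-Trunk goes Down.
    return status, len(chosen) >= lower


# Constructed data mirroring the configuration example: SwitchA has
# lacp priority 100 and max active-linknumber 2; Ethernet0/0/1 and 0/0/2
# carry lacp priority 100 while Ethernet0/0/3 keeps the default 32768.
SWITCH_A = Lag(100, "00e0-fca8-0417",
               (Port("Ethernet0/0/1", 6145, 100),
                Port("Ethernet0/0/2", 6146, 100),
                Port("Ethernet0/0/3", 6147)),
               max_active=2)
SWITCH_B = Lag(32768, "00e0-fca6-7f85",
               (Port("Ethernet0/0/1", 6145),
                Port("Ethernet0/0/2", 6146),
                Port("Ethernet0/0/3", 6147)))


def failover_example() -> Dict[str, str]:
    """Ethernet0/0/1 goes Down on SwitchA: the backup link 0/0/3 is promoted."""
    degraded = Lag(SWITCH_A.system_pri, SWITCH_A.system_id,
                   (Port("Ethernet0/0/1", 6145, 100, up=False),
                    Port("Ethernet0/0/2", 6146, 100),
                    Port("Ethernet0/0/3", 6147)),
                   max_active=2)
    return select_links(degraded, SWITCH_B)[0]


if __name__ == "__main__":
    status, trunk_up = select_links(SWITCH_A, SWITCH_B)
    print("Actor:", actor(SWITCH_A, SWITCH_B).system_id, "Eth-Trunk up:", trunk_up)
    for name, state in status.items():
        print(f"{name:14} {state}")
    print("after 0/0/1 fails:", failover_example())
```

With the example values the Actor is SwitchA, Ethernet0/0/1 and 0/0/2 are Selected and 0/0/3 is Unselect, matching the output shown; the failover case shows the backup link taking over once a Selected link goes Down, and a lower threshold above the negotiated upper threshold is rejected rather than silently accepted.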
Configuration Files
#
sysname SwitchA
#
lacp priority 100
#
interface Eth-Trunk1
mode lacp-static
max active-linknumber 2
#
interface Ethernet0/0/1
eth-trunk 1
lacp priority 100
#
interface Ethernet0/0/2
eth-trunk 1
lacp priority 100
#
interface Ethernet0/0/3
eth-trunk 1
#
return
#
sysname SwitchB
#
interface Eth-Trunk1
mode lacp-static
#
interface Ethernet0/0/1
eth-trunk 1
#
interface Ethernet0/0/2
eth-trunk 1
#
interface Ethernet0/0/3
eth-trunk 1
#
return
3 VLAN Configuration
3.1 Introduction
The VLAN technology is important for forwarding on Layer 2 networks. This section describes
the background, functions, and advantages of the VLAN technology.
Overview of VLAN
Ethernet is a shared-medium technology based on Carrier Sense Multiple Access/Collision
Detect (CSMA/CD). If there are a large number of PCs on an
Ethernet network, collision becomes a serious problem and can lead to broadcast storms. As a
result, network performance deteriorates. This can even cause the Ethernet network to become
unavailable. Switches can be used to interconnect local area networks (LANs). Switches forward
information received by inbound ports to specified outbound ports, thereby preventing access
collision in a shared medium. If no specified outbound port is found for information received
by an inbound port, the switch will forward the information from all ports except the inbound
port. This forms a broadcast domain.
To prevent broadcast domains from being too broad and causing problems, you can divide a
network into segments. In this manner, a large broadcast domain is divided into multiple small
broadcast domains to confine the possible scope of broadcast packets. Routers can be deployed
at the network layer to separate broadcast domains, but this method has disadvantages, which
include: complex network planning, inflexible networking, and high levels of expenditure. The
Virtual Local Area Network (VLAN) technology can divide a large Layer 2 network into
broadcast domains to prevent broadcast storms and protect network security.
Definition of VLAN
The VLAN technology is used to divide a physical LAN into multiple logical broadcast domains,
each of which is called a VLAN. Each VLAN contains a group of PCs that have the same
requirements. A VLAN has the same attributes as a LAN. PCs of a VLAN can be placed on
different LAN segments. If two PCs are located on one LAN segment but belong to different
VLANs, they do not broadcast packets to each other. With VLAN, the broadcast traffic volume
is reduced; fewer devices are required; network management is simplified; and network security
is improved.
Figure 3-1 shows a typical VLAN application. Three switches are placed in different locations,
for example, different stories of an office building. If each enterprise builds up a LAN, a high
level of expenditure is required. If enterprises in the office building use the existing LAN,
enterprise information security cannot be guaranteed. The VLAN technology allows enterprises
to share LAN facilities and ensures information security for each enterprise network.
Figure 3-1 Typical VLAN application
(Diagram: a router connects Switch1, Switch2 and Switch3; VLAN-A, VLAN-B and VLAN-C are distributed across the three switches.)
• Broadcast domains are confined. A broadcast domain is confined to a VLAN. This saves
bandwidth and improves network processing capabilities.
• Network security is enhanced. Packets from different VLANs are separately transmitted.
PCs in one VLAN cannot directly communicate with PCs in another VLAN.
• Network robustness is improved. A fault in a VLAN does not affect PCs in other VLANs.
• Virtual groups are set up flexibly. With the VLAN technology, PCs in different
geographical areas can be grouped together. This facilitates network construction and
maintenance.
(Diagram: original Ethernet frame format: Destination address (6 bytes), Source address (6 bytes), Length/Type (2 bytes), Data (46-1500 bytes), FCS (4 bytes).)
IEEE 802.1Q is an Ethernet networking standard for a specified Ethernet frame format. It
adds a 32-bit field between the Source address and the Length/Type fields of the original
frame, as shown in Figure 3-3.
Figure 3-3 802.1Q-tagged frame format
(Diagram: Destination address (6 bytes), Source address (6 bytes), 802.1Q tag (4 bytes: TPID in 2 bytes, then PRI, CFI and VID in 2 bytes), Length/Type, Data, FCS.)
• Tag Protocol Identifier (TPID): a 16-bit field set to a value of 0x8100 in order to identify
the frame as an IEEE 802.1Q-tagged frame. If an 802.1Q-incapable device receives an
802.1Q frame, it will discard the frame.
• Priority (PRI): a 3-bit field which indicates the frame priority. The value ranges from 0
to 7. The greater the value, the higher the priority. These values can be used to prioritize
different classes of traffic to ensure that frames with high priorities are transmitted first
when traffic is heavy.
• Canonical Format Indicator (CFI): a 1-bit field. If the value of this field is 1, the MAC
address is in the non-canonical format. If the value is 0, the MAC address is in the
canonical format. CFI is used to ensure compatibility between Ethernet networks and
Token Ring networks. It is always set to zero for Ethernet switches.
• VLAN Identifier (VID): a 12-bit field specifying the VLAN to which the frame belongs.
On the S2700, VLAN IDs range from 0 to 4095. The values 0 and 4095 are reserved,
and therefore VLAN IDs range from 1 to 4094.
Each frame sent by an 802.1Q-capable switch carries a VLAN ID. On a VLAN, Ethernet
frames are classified into the following types:
• Tagged frames: frames with 32-bit 802.1Q tags.
• Untagged frames: frames without 32-bit 802.1Q tags.
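The tag layout just described (TPID 0x8100, then PRI, CFI and VID packed into 16 bits) is small enough to parse and build by hand, which is also how a switch decides whether a received frame is tagged or untagged. The following Python is an added example, not Huawei code; the sample frames, MAC addresses and payload bytes are constructed for the demonstration and the FCS is not modelled.

```python
"""Parse and build IEEE 802.1Q-tagged Ethernet frames.

Added illustration, not Huawei code.  Layout follows the text: a 4-byte
tag inserted after the source address, consisting of TPID (16 bits, 0x8100)
and a 16-bit TCI = PRI (3 bits) | CFI (1 bit) | VID (12 bits).  The FCS is
not modelled.
"""
import struct
from dataclasses import dataclass
from typing import Optional

TPID_8021Q = 0x8100


@dataclass
class Frame:
    dst: bytes
    src: bytes
    ethertype: int              # Length/Type of the inner (original) frame
    payload: bytes
    pri: Optional[int] = None   # None on every tag field => untagged frame
    cfi: Optional[int] = None
    vid: Optional[int] = None

    @property
    def tagged(self) -> bool:
        return self.vid is not None


def parse_frame(raw: bytes) -> Frame:
    """Decode the header; recognises one 802.1Q tag, anything else is untagged."""
    if len(raw) < 14:
        raise ValueError("frame shorter than the 14-byte Ethernet header")
    dst, src = raw[0:6], raw[6:12]
    (ethertype,) = struct.unpack("!H", raw[12:14])
    if ethertype != TPID_8021Q:
        return Frame(dst, src, ethertype, raw[14:])
    if len(raw) < 18:
        raise ValueError("802.1Q TPID present but the tag is truncated")
    tci, inner_type = struct.unpack("!HH", raw[14:18])
    pri = tci >> 13
    cfi = (tci >> 12) & 0x1
    vid = tci & 0x0FFF
    if vid in (0, 4095):
        # 0 and 4095 are reserved per the text; reject them so a frame cannot
        # be classified into a VLAN that does not exist on the switch.
        raise ValueError(f"reserved VLAN ID {vid}")
    return Frame(dst, src, inner_type, raw[18:], pri, cfi, vid)


def build_frame(dst: bytes, src: bytes, ethertype: int, payload: bytes,
                vid: Optional[int] = None, pri: int = 0, cfi: int = 0) -> bytes:
    """Encode a frame; the 4-byte tag is inserted only when a VID is given."""
    header = dst + src
    if vid is not None:
        if not 1 <= vid <= 4094:
            raise ValueError("VLAN ID must be in 1..4094")
        tci = ((pri & 0x7) << 13) | ((cfi & 0x1) << 12) | vid
        header += struct.pack("!HH", TPID_8021Q, tci)
    return header + struct.pack("!H", ethertype) + payload


# Constructed sample frames (MACs borrowed from the Eth-Trunk example output,
# payload is dummy bytes): one tagged VLAN 100 with PRI 5, one untagged.
DST = bytes.fromhex("00e0fca67f85")
SRC = bytes.fromhex("00e0fca80417")
PAYLOAD = b"\x45" + b"\x00" * 45
SAMPLE_TAGGED = build_frame(DST, SRC, 0x0800, PAYLOAD, vid=100, pri=5)
SAMPLE_UNTAGGED = build_frame(DST, SRC, 0x0800, PAYLOAD)

if __name__ == "__main__":
    for raw in (SAMPLE_TAGGED, SAMPLE_UNTAGGED):
        f = parse_frame(raw)
        print("tagged" if f.tagged else "untagged", "pri", f.pri, "vid", f.vid,
              "type", hex(f.ethertype))
```

The parser treats a truncated tag and the reserved VIDs 0 and 4095 as errors instead of guessing, which is the behaviour you want at a trust boundary: a frame that cannot be classified should be dropped, not passed through.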
Figure 3-4 VLAN links
(Diagram: PC1 (VLAN2) and PC4 (VLAN3) attach to CE1 over access links; CE1 connects to PE and PE to CE2 over trunk links carrying VLANs 2 and 3; PC2 (VLAN2) attaches to CE2 over an access link.)
As shown in Figure 3-4, there are the following types of VLAN links:
• Access link: connects a PC to a switch. Generally, a PC does not know which VLAN
it belongs to, and PC hardware cannot distinguish frames with VLAN tags. Therefore,
PCs send and receive only untagged frames.
• Trunk link: connects a switch to another switch or to a router. Data of different VLANs
are transmitted along a trunk link. The two ends of a trunk link must be able to distinguish
frames with VLAN tags. Therefore, only tagged frames are transmitted along trunk
links.
• Port types
Table 3-2 lists VLAN port types.
Table 3-2 VLAN port types (columns: Port Type; Method of Processing Received Untagged Frames; Method of Processing Received Tagged Frames; Method of Sending Frames; Application)

Access port
Processing received untagged frames: Accepts an untagged frame and adds a tag with the default VLAN ID to the frame.
Processing received tagged frames:
• Accepts a tagged frame if the VLAN ID carried in the frame is the same as the default VLAN ID.
• Discards a tagged frame if the VLAN ID carried in the frame is different from the default VLAN ID.
Application: An access port connects a switch to a PC and can be added to only one VLAN.

Trunk port
Processing received tagged frames:
• Accepts a tagged frame if the port permits the VLAN ID carried in the frame.
• Discards a tagged frame if the port denies the VLAN ID carried in the frame.
Sending frames:
• Removes the tag from a received frame and sends the frame if the VLAN ID carried in the frame is the same as the default VLAN ID and permitted by the port.
• Directly sends a received frame if the VLAN ID carried in the frame is different from the default VLAN ID but permitted by the port.
Application: A trunk port can be added to multiple VLANs to send and receive frames for these VLANs. A trunk port connects a switch to another switch or to a router.

Hybrid port
Sending frames: Sends a received frame if the port permits the VLAN ID carried in the frame. A specified command can be used to determine whether a hybrid port sends frames with or without tags.
Application: A hybrid port can be added to multiple VLANs to send and receive frames for these VLANs. A hybrid port can connect a switch to a PC or connect a network device to another network device.

QinQ port
QinQ ports are enabled with the IEEE 802.1QinQ protocol. A QinQ port adds a tag to a single-tagged frame, and thus supports a maximum of 4094 x 4094 VLAN tags, which meets the requirement of a network for the number of VLANs.
NOTE
The S2700SI does not support QinQ ports.
Each access, trunk, hybrid, or QinQ port can be configured with a default VLAN, namely,
the port default VLAN ID (PVID), to specify the VLAN to which the port belongs.
• The PVID of an access port indicates the VLAN to which the port belongs.
• As a trunk or hybrid port can be added to multiple VLANs, the port must be configured
with PVIDs.
• By default, a port is added to VLAN 1.
1. Assume that VLANs are configured based on MAC addresses. After an access port on CE 1
receives an untagged frame from PC 1, the port checks the VLAN mapping table for a VLAN
ID corresponding to the source MAC address, and adds a tag with the obtained VLAN ID to
the frame.
2. After the trunk port on CE 1 and PE receives the frame, the port checks whether the
VLAN ID carried in the frame is the same as that configured on the port. If the VLAN
ID has been configured on the port, the port transparently transmits the frame to CE
2. If the VLAN ID is not configured on the port, the port discards the frame.
3. After a trunk port on CE 2 receives the frame, the system searches the MAC address
table for an outbound port.
4. After the frame is sent to the access port connecting CE 2 to PC 2, the port checks that
the VLAN ID carried in the frame is the same as that configured on the port. The port
then removes the tag from the frame and sends the untagged frame to PC 2.
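The per-port rules of Table 3-2 and the four-step PC 1 to PC 2 path above can be turned into a small forwarding model, which makes it easy to see where a frame is dropped: a tagged frame arriving on an access port with a VID other than its PVID, or a VID that a trunk port does not permit, never leaves the port, and that check is what keeps a host from reaching another VLAN simply by adding a tag. The following Python is an added example, not Huawei code; the topology, port names, MAC addresses and allowed-VLAN sets are constructed to follow Figure 3-4, and flooding of unknown destinations is not modelled.

```python
"""Port-type frame handling (Table 3-2) and the PC1 -> PC2 walkthrough.

Added illustration, not Huawei code.  Rules modelled from the text:
  * untagged frame in: classify by the port's MAC-VLAN mapping if the source
    MAC matches one, otherwise by the port's PVID;
  * tagged frame in: an access port keeps it only if VID == PVID; a trunk or
    hybrid port keeps it only if it permits that VID;
  * frame out: an access port strips the tag; a trunk port strips it only
    for its PVID; a hybrid port strips it for VIDs configured as untagged.
Flooding of unknown destinations is not modelled.
"""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class Frame:
    src: str
    dst: str
    vid: Optional[int] = None            # None: the frame carries no 802.1Q tag


@dataclass
class Port:
    kind: str                            # "access", "trunk" or "hybrid"
    pvid: int = 1                        # every port belongs to VLAN 1 by default
    allowed: FrozenSet[int] = frozenset()    # VIDs a trunk/hybrid port permits
    untagged: FrozenSet[int] = frozenset()   # hybrid: VIDs sent without a tag
    mac_vlan: Dict[str, int] = field(default_factory=dict)  # MAC-based VLAN table

    def ingress(self, f: Frame) -> Optional[int]:
        """VID the frame is assigned to, or None when the port discards it."""
        if f.vid is None:
            return self.mac_vlan.get(f.src, self.pvid)
        if self.kind == "access":
            return f.vid if f.vid == self.pvid else None
        return f.vid if f.vid in self.allowed else None

    def egress(self, vid: int) -> Tuple[bool, Optional[int]]:
        """(send?, VID written into the outgoing tag, None for untagged)."""
        if self.kind == "access":
            return (vid == self.pvid, None)
        if vid not in self.allowed:
            return (False, None)
        if self.kind == "trunk":
            return (True, None if vid == self.pvid else vid)
        return (True, None if vid in self.untagged else vid)    # hybrid


@dataclass
class Switch:
    name: str
    ports: Dict[str, Port]
    mac_table: Dict[str, str]            # destination MAC -> outbound port name

    def forward(self, in_port: str, f: Frame) -> Optional[Tuple[str, Frame]]:
        vid = self.ports[in_port].ingress(f)
        if vid is None:
            return None                  # discarded at ingress
        out = self.mac_table.get(f.dst)
        if out is None or out == in_port:
            return None
        send, out_vid = self.ports[out].egress(vid)
        return (out, Frame(f.src, f.dst, out_vid)) if send else None


def walk(path: List[Tuple[Switch, str]], f: Frame) -> List[Tuple[str, Optional[Frame]]]:
    """Push a frame through [(switch, ingress port), ...]; return each hop's output."""
    hops: List[Tuple[str, Optional[Frame]]] = []
    for sw, port in path:
        res = sw.forward(port, f)
        if res is None:
            hops.append((sw.name, None))
            break
        _, f = res
        hops.append((sw.name, f))
    return hops


# Constructed topology following Figure 3-4: PC1 (VLAN 2) - CE1 - PE - CE2 - PC2.
PC1, PC2 = "00e0-0000-0001", "00e0-0000-0002"
TRUNK_VLANS = frozenset({1, 2, 3})
CE1 = Switch("CE1",
             {"to_pc1": Port("access", mac_vlan={PC1: 2}),   # MAC-based VLAN on CE1
              "to_pe": Port("trunk", allowed=TRUNK_VLANS)},
             {PC2: "to_pe"})
PE = Switch("PE",
            {"to_ce1": Port("trunk", allowed=TRUNK_VLANS),
             "to_ce2": Port("trunk", allowed=TRUNK_VLANS)},
            {PC2: "to_ce2"})
CE2 = Switch("CE2",
             {"to_pe": Port("trunk", allowed=TRUNK_VLANS),
              "to_pc2": Port("access", pvid=2)},
             {PC2: "to_pc2"})
PATH = [(CE1, "to_pc1"), (PE, "to_ce1"), (CE2, "to_pe")]

if __name__ == "__main__":
    for name, out in walk(PATH, Frame(PC1, PC2)):
        print(f"{name}: {out}")
```

Running it shows the untagged frame from PC1 leaving CE1 tagged with VID 2, crossing PE still tagged, and leaving CE2 untagged towards PC2; narrowing the PE-to-CE2 trunk to VLAN 3 only makes PE drop it at step 2, exactly as the text describes.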
VLANIF interface
A VLANIF interface is a Layer 3 logical interface, which can be configured on either a
Layer 3 switch or a router.
Layer 3 switching combines routing and switching techniques to implement routing on a
switch, thus improving the overall network performance. After sending the first data flow,
a Layer 3 switch generates mappings between MAC addresses and IP addresses. To send
the same data flow, the switch directly sends the data flow at Layer 2 but not Layer 3 based
on this mapping table. In this manner, delays on the network caused by route selection are
eliminated, thus improving data forwarding efficiency. Layer 3 switches have both
switching and routing functions.
To allow that new data flows are correctly forwarded based on the routing table, be sure
that the routing table's routing entries are correct. Therefore, VLANIF interfaces and
routing protocols must be configured on Layer 3 switches for reachable Layer 3 routes.
NOTE
A PC does not need to know the VLAN to which it belongs. It sends only untagged frames.
After receiving an untagged frame from a PC, a switching device determines the VLAN to which
the frame belongs. The determination is based on the configured VLAN division method such as port
information, and then the switching device processes the frame accordingly.
If the frame needs to be forwarded to another switching device, the frame must be transparently
transmitted along a trunk link. Frames transmitted along trunk links must carry VLAN tags to allow
other switching devices to properly forward the frame based on the VLAN information.
Before sending the frame to the destination PC, the switching device connected to the destination PC
removes the VLAN tag from the frame to ensure that the PC receives an untagged frame.
Generally, only tagged frames are transmitted on trunk links; only untagged frames are transmitted on
access links. In this manner, switching devices on the network can properly process VLAN information
and PCs are not concerned about VLAN information.
After VLANs are configured, users in a VLAN can communicate with each other.
The following VLAN features are also supported to meet requirements of special
applications and extended functions:
• VLAN aggregation: prevents the waste of IP addresses and implements inter-VLAN
communication.
• Voice VLAN: selects voice data packets from other packets and changes the priority
of voice data packets to improve the voice data transmission quality.
• Management VLAN (mVLAN): helps implement integrated management by using a
remote device. A user can use the IP address of the VLANIF interface corresponding
to the mVLAN to telnet to a management switch.
VLAN Assignment
VLAN assignment is a basic VLAN configuration. After VLANs are configured, users in a
VLAN can communicate with each other. VLANs are configured in different manners, as shown
in Table 3-3.
Table 3-3 VLAN assignment methods (columns: Advantage; Disadvantage; Usage Scenario)

Port-based VLAN assignment
Advantage: The configuration is simple. It is the most common VLAN assignment method.
Disadvantage: The configuration is not flexible. If a port needs to transmit frames of another VLAN, the port must be deleted from the original VLAN and added to the new VLAN. For a network having a large number of traveling users, the network administrator needs to spend more time on maintenance.
Usage scenario: Port-based VLAN assignment is applicable to large-scale networks that do not have high security requirements.

MAC address-based VLAN assignment
Disadvantage: A network administrator needs to configure a switch with a MAC address associated with a specific VLAN. For a network with a large number of terminals, configuration will take the network administrator a lot of work before VLAN-based communication can be enabled.
Usage scenario: MAC address-based VLAN assignment is applicable to networks that have high security requirements and many traveling users.
Inter-VLAN Communication
After VLANs are configured, users in a VLAN can communicate with each other. Users in
different VLANs cannot directly communicate with each other. Table 3-4 lists schemes for inter-VLAN communication.
Table 3-4 Inter-VLAN communication schemes (columns: Advantage; Disadvantage; Usage Scenario)

VLANIF interface
Advantage: After VLANIF interfaces are configured, users in different VLANs and network segments can communicate with each other as long as routes are reachable.
Disadvantage: If multiple users on a network belong to different VLANs, each VLAN requires a VLANIF interface. Each VLANIF interface needs to be assigned an IP address. This increases configuration workload and uses a lot of IP addresses.
Usage scenario: This scheme is applicable to small-scale networks on which users belong to different network segments and IP addresses of these users are seldom changed.

Inter-VLAN communication can also be implemented by Layer 3 switches if routes are reachable. This scheme boasts of low operating costs.
VLAN Aggregation
To implement inter-VLAN communication on switches, configure IP addresses for the VLANIF
interfaces. When many VLANs are deployed, a great number of IP addresses are occupied.
VLAN aggregation can solve the problem of occupation of excessive IP addresses.
VLAN aggregation means that multiple VLANs are aggregated into a super-VLAN. The VLANs
that form the super-VLAN are called sub-VLANs.
You can create a VLANIF interface for a super-VLAN. Then, you can configure an IP address
only for this interface rather than for each sub-VLAN. All sub-VLANs share the same IP network
segment, which optimizes the use of IP addresses.
Applicable Environment
Currently, the S2700 supports the following VLAN division modes. You can choose one of them
as required. Table 3-5 lists VLAN division modes.
Table 3-5 VLAN division modes (columns: Advantage; Disadvantage; Usage Scenario)

Port-based VLAN assignment
Advantage: The configuration is simple. It is the most common VLAN assignment method.
Disadvantage: The configuration is not flexible. If a port needs to transmit frames of another VLAN, the port must be deleted from the original VLAN and added to the new VLAN. For a network having a large number of traveling users, the network administrator needs to spend more time on maintenance.
Usage scenario: Port-based VLAN assignment is applicable to large-scale networks that do not have high security requirements.

MAC address-based VLAN assignment
Disadvantage: A network administrator needs to configure a switch with a MAC address associated with a specific VLAN. For a network with a large number of terminals, configuration will take the network administrator a lot of work before VLAN-based communication can be enabled.
Usage scenario: MAC address-based VLAN assignment is applicable to networks that have high security requirements and many traveling users.
NOTE
When the S2700 supports multiple VLAN division modes, they take effect in the following descending
order of priority:
1. MAC address-based VLAN division
2. Port-based VLAN division
Port-based VLAN division has the lowest priority but is the most commonly used.
Pre-configuration Tasks
Before dividing a LAN into VLANs, complete the following task:
• Connecting ports and configuring physical parameters of the ports, ensuring that the ports
are physically Up
Huawei Proprietary and Confidential
Copyright Huawei Technologies Co., Ltd.
Data Preparation
To divide a LAN into VLANs, you need the following data.
Data: VLAN ID, number of each Ethernet port to be added to the VLAN, and (optional)
attributes of Ethernet ports
Context
After VLANs are configured based on ports, the VLANs can process tagged and untagged frames
in the following manners:
• After receiving an untagged frame, a port adds the PVID to the frame, searches the MAC
address table for an outbound port, and sends the tagged frame from the outbound port.
• After a port receives a tagged frame, it checks the VLAN ID carried in the frame:
  If the port allows frames with the specified VLAN ID to pass through, it forwards the
  frame.
  If the port does not allow frames with the specified VLAN ID to pass through, it discards
  the frame.
1. Create VLANs.
Procedure
Step 1 Run:
system-view
A VLAN is created, and the VLAN view is displayed. If the specified VLAN has been created,
the VLAN view is directly displayed.
The VLAN ID ranges from 1 to 4094. If VLANs need to be created in batches, run the vlan
batch { vlan-id1 [ to vlan-id2 ] } &<1-10> command to create VLANs in batches, and then run
the vlan vlan-id command to enter the view of a specified VLAN.
Step 3 Run:
quit
2.
Run the port link-type { access | hybrid | trunk | dot1q-tunnel } command to configure
the port type.
By default, the port type is hybrid.
• If a Layer 2 Ethernet port is directly connected to a terminal, set the port type to access
or hybrid. Setting the port type to access is recommended.
• If a Layer 2 Ethernet port is connected to another switch, the port type can be set to
access, trunk, hybrid, or QinQ. Setting the port type to trunk is recommended.
Context
VLANs configured based on MAC addresses process only untagged frames, and treat tagged
frames in the same manner as VLANs configured based on ports.
After receiving an untagged frame, a port searches for a MAC-VLAN mapping based on the
source MAC address in the frame.
• If a mapping is found, the port forwards the frame based on the VLAN ID and priority
value in the mapping.
• If no matching mapping is found, the port matches the frame with other matching rules.
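The lookup described here, and the mac-vlan mac-address mac-address [ mac-address-mask | mac-address-mask-length ] form used later in the procedure, can be modelled as a table of masked MAC entries that is consulted for every untagged frame before the port's other rules (its PVID) apply. The following Python is an added example, not Huawei code; the table entries and source MACs are constructed, and preferring the most specific (longest) mask when several entries match is an assumption of this example rather than something the text states.

```python
"""MAC-address-based VLAN lookup with masks.

Added illustration, not Huawei code.  It models the command form
mac-vlan mac-address <mac> [ <mask> | <mask-length> ] as a table of masked
MAC entries mapped to a VLAN ID and priority.  An untagged frame is matched
by source MAC; when no entry matches it falls back to the port's PVID, as the
text describes.  Choosing the most specific (longest) mask when several
entries match is an assumption made for this example.
"""
from typing import List, Optional, Tuple

HEX = set("0123456789abcdef")


def mac_to_int(mac: str) -> int:
    """Accept 'xxxx-xxxx-xxxx' (Huawei notation) or colon-separated form."""
    digits = mac.replace("-", "").replace(":", "").lower()
    if len(digits) != 12 or not set(digits) <= HEX:
        raise ValueError(f"bad MAC address {mac!r}")
    return int(digits, 16)


def mask_from_length(length: int) -> int:
    """Prefix length 1..48 -> 48-bit mask with the top `length` bits set."""
    if not 1 <= length <= 48:
        raise ValueError("mask length must be in 1..48")
    return ((1 << length) - 1) << (48 - length)


class MacVlanTable:
    def __init__(self) -> None:
        self.entries: List[Tuple[int, int, int, int]] = []   # (mac&mask, mask, vid, pri)

    def add(self, mac: str, vid: int, priority: int = 0,
            mask: Optional[str] = None, mask_length: Optional[int] = None) -> None:
        if not 1 <= vid <= 4094:
            raise ValueError("VLAN ID must be in 1..4094")
        if mask is not None:
            m = mac_to_int(mask)
        elif mask_length is not None:
            m = mask_from_length(mask_length)
        else:
            m = mask_from_length(48)          # no mask given: exact host match
        self.entries.append((mac_to_int(mac) & m, m, vid, priority))

    def lookup(self, src_mac: str) -> Optional[Tuple[int, int]]:
        """(vid, priority) of the most specific matching entry, else None."""
        src = mac_to_int(src_mac)
        best: Optional[Tuple[int, int, int]] = None   # (mask bits, vid, pri)
        for masked, m, vid, pri in self.entries:
            if src & m == masked:
                bits = bin(m).count("1")
                if best is None or bits > best[0]:
                    best = (bits, vid, pri)
        return None if best is None else (best[1], best[2])


def classify_untagged(table: MacVlanTable, src_mac: str, pvid: int) -> Tuple[int, Optional[int]]:
    """VID for an untagged frame, with the mapping's priority when one matched."""
    hit = table.lookup(src_mac)
    return hit if hit is not None else (pvid, None)


# Constructed table: one exact host entry and one 24-bit (vendor prefix) entry.
TABLE = MacVlanTable()
TABLE.add("00e0-fc12-3456", vid=10, priority=5)                  # exact host
TABLE.add("00e0-fc00-0000", vid=20, mask="ffff-ff00-0000")       # whole prefix

if __name__ == "__main__":
    for mac in ("00e0-fc12-3456", "00e0-fcaa-bbcc", "0011-2233-4455"):
        print(mac, "->", classify_untagged(TABLE, mac, pvid=1))
```

Because a masked entry classifies every address in the prefix, the NOTE that follows in the procedure (add the port to its default VLAN when a mask is used) matters: hosts in the prefix that are not meant to be in the mapped VLAN still need a VLAN to land in.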
1. Create VLANs.
Procedure
Step 1 Run:
system-view
A VLAN is created, and the VLAN view is displayed. If the specified VLAN has been created,
the VLAN view is directly displayed.
The VLAN ID ranges from 1 to 4094. If VLANs need to be created in batches, run the vlan
batch { vlan-id1 [ to vlan-id2 ] } &<1-10> command to create VLANs in batches, and then run
the vlan vlan-id command to enter the view of a specified VLAN.
Step 3 Run:
mac-vlan mac-address mac-address [ mac-address-mask | mac-address-mask-length ]
1. Run the interface interface-type interface-number command to enter the view of the port
to be configured to allow frames with a specified VLAN ID to pass through.
2. Run the port link-type hybrid command to set the port type to hybrid.
By default, the port type is hybrid.
3. Run the port hybrid untagged vlan { { vlan-id1 [ to vlan-id2 ] } &<1-10> | all } command
to configure the hybrid port to allow frames with a specified VLAN ID to pass through.
NOTE
If an interface is added to a MAC address-based VLAN with a mask specified, add this interface to
its default VLAN.
Step 6 Run:
mac-vlan enable
Prerequisite
The configurations of VLAN division are complete.
Procedure
• Run the display vlan [ vlan-id [ verbose ] ] command to check information about all
VLANs or a specified VLAN.
• Run the display mac-vlan { mac-address { all | mac-address [ mac-address-mask | mac-address-mask-length ] } | vlan vlan-id } command to check information about VLANs
configured based on MAC addresses.
----End
Applicable Environment
Layer 3 switching combines routing and switching techniques to implement routing on a switch,
thus improving the overall network performance. After sending the first data flow, a Layer 3
switch generates mappings between MAC addresses and IP addresses. To send the same data
flow, the switch directly sends the data flow at Layer 2 but not Layer 3 based on this mapping
table. In this manner, delays on the network caused by route selection are eliminated, thus
improving data forwarding efficiency. Layer 3 switches have both switching and routing
functions.
To allow that new data flows are correctly forwarded based on the routing table, be sure that the
routing table's routing entries are correct. Therefore, VLANIF interfaces and routing protocols
must be configured on Layer 3 switches for reachable Layer 3 routes.
Pre-configuration Tasks
Before creating a VLANIF interface, complete the following task:
• Creating a VLAN
Data Preparation
To create a VLANIF interface, you need the following data.
Data: VLAN ID
Procedure
Step 1 Run:
system-view
NOTE
A VLANIF interface is Up only when at least one physical port added to the corresponding VLAN is Up.
----End
Procedure
Step 1 Run:
system-view
An IP address is assigned to the VLANIF interface for communication at the network layer.
----End
Context
If a VLAN goes Down because all ports in the VLAN go Down, the system immediately reports the VLAN Down event to the corresponding VLANIF interface, which then also goes Down.
To prevent network flapping caused by changes of VLANIF interface status, enable VLAN
damping on the VLANIF interface. After the last Up port in a VLAN goes Down, the system
starts a delay timer and informs the corresponding VLANIF interface of the VLAN Down event
after the timer expires. If a port in the VLAN goes Up during the delay period, the VLANIF
interface remains Up.
Procedure
Step 1 Run:
system-view
Step 2 Run:
interface vlanif vlan-id
l After changing the maximum transmission unit (MTU) by using the mtu command on a specified
interface, you need to restart the interface to make the new MTU take effect. To restart the interface,
run the shutdown command and then the undo shutdown command, or run the restart command in
the interface view.
l If you change the MTU of an interface, you need to change the MTU of the peer interface to the same
value by using the mtu command; otherwise, services may be interrupted.
l To ensure availability of Layer 3 functions, set the MTU value of the VLANIF interface to be smaller
than the maximum length of frames on the physical interface in the corresponding VLAN.
Procedure
Step 1 Run:
system-view
If the MTU is small and packets are large, each packet is split into many fragments, and the fragments may be discarded when the QoS queue is too short to hold them. To avoid this, lengthen the QoS queue accordingly.
----End
Prerequisite
The configurations of a VLANIF interface are complete.
Procedure
l
Run the display interface vlanif [ vlan-id ] command to check the physical status, link
protocol status, description, and IP address of the VLANIF interface.
----End
Applicable Environment
Currently, the schemes listed in Table 3-6 are available for inter-VLAN communication. Choose one of them based on the actual network.
Table 3-6 Schemes for inter-VLAN communication

Scheme: VLANIF interface
Advantage: After VLANIF interfaces are configured, users in different VLANs and network segments can communicate with each other as long as routes are reachable.
Disadvantage: If users on a network belong to many different VLANs, each VLAN requires a VLANIF interface, and each VLANIF interface must be assigned an IP address. This increases the configuration workload and consumes many IP addresses.
Usage Scenario: This scheme is applicable to small-scale networks on which users belong to different network segments and the IP addresses of these users seldom change.

Inter-VLAN communication can also be implemented by Layer 3 switches if routes are reachable. This scheme has low operating costs.
Pre-configuration Tasks
Before configuring inter-VLAN communication, complete the following task:
l
Creating VLANs
Data Preparation
To configure inter-VLAN communication, you need the following data.
Data: VLAN ID, VLANIF interface number, IP address and mask of the VLANIF interface
Context
VLANIF interfaces are Layer 3 logical interfaces. After being assigned IP addresses, VLANIF interfaces can communicate at the network layer.
To implement inter-VLAN communication using VLANIF interfaces, configure a VLANIF interface for each VLAN and assign an IP address to each VLANIF interface.
Figure 3-5 Networking diagram for configuring VLANIF interfaces for inter-VLAN communication (the Switch has VLANIF2 for VLAN2 and VLANIF3 for VLAN3)
NOTE
The default gateway address of each PC in a VLAN must be the IP address of the corresponding VLANIF
interface. Otherwise, inter-VLAN communication will fail.
Procedure
Step 1 Run:
system-view
A VLANIF interface is Up only when at least one physical port added to the corresponding VLAN is Up.
Step 3 Run:
ip address ip-address { mask | mask-length } [ sub ]
Prerequisite
The configurations of inter-VLAN communication are complete.
Procedure
l
Run the ping [ ip ] [ -a source-ip-address | -c count | -d | -f | -h ttl-value | -i interface-type interface-number | -m time | -n | -p pattern | -q | -r | -s packetsize | -system-time | -t timeout | -tos tos-value | -v | -vpn-instance vpn-instance-name ] * host command to check whether users in different VLANs can communicate with each other.
If the ping fails, you can run the following commands to locate the fault:
Run the display vlan [ vlan-id [ verbose ] ] command to check information about all
VLANs or a specified VLAN.
Run the display interface vlanif [ vlan-id ] command to check information about
VLANIF interfaces.
Before running this command, ensure that VLANIF interfaces have been configured.
----End
Applicable Environment
As networks expand, address resources become insufficient. VLAN aggregation is developed
to save IP addresses.
In VLAN aggregation, one super-VLAN is associated with multiple sub-VLANs. Physical ports cannot join a super-VLAN, but a VLANIF interface can be created for the super-VLAN and assigned an IP address. Physical ports can join a sub-VLAN, but no VLANIF interface can be created for a sub-VLAN. Hosts on the ports of all sub-VLANs use the VLANIF interface of the super-VLAN as their gateway and share its subnet. This saves the subnet IDs, default gateway addresses, and directed broadcast addresses that separate subnets would need, and lets different broadcast domains use addresses from the same subnet. As a result, subnet boundaries no longer constrain addressing, addressing becomes flexible, and fewer addresses are left idle. Each sub-VLAN remains a separate broadcast domain, while the IP addresses that ordinary VLANs would waste are saved.
Figure (VLAN aggregation networking): the PE holds super-VLAN 4; CE1 is in Sub-VLAN 2 and CE2 is in Sub-VLAN 3
Pre-configuration Tasks
Before configuring VLAN aggregation, complete the following task:
l
Connecting ports and configuring physical parameters of the ports, ensuring that the ports
are physically Up
Data Preparation
To configure VLAN aggregation, you need the following data.
Data: ID of a super-VLAN
Procedure
Step 1 Run:
system-view
Procedure
Step 1 Run:
system-view
Step 3 Run:
aggregate-vlan
A super-VLAN is created.
A super-VLAN cannot contain any physical interfaces.
VLAN 1 cannot be configured as a super-VLAN.
Step 4 Run:
access-vlan { vlan-id1 [ to vlan-id2 ] } &<1-10>
Procedure
Step 1 Run:
system-view
A VLANIF interface is created for a super-VLAN, and the view of the VLANIF interface is
displayed.
Step 3 Run:
ip address ip-address { mask | mask-length } [ sub ]
Context
VLAN aggregation allows sub-VLANs to use the same subnet address, but prevents PCs in
different sub-VLANs from communicating with each other at the network layer.
PCs in ordinary VLANs on different subnets communicate with each other at the network layer through their respective gateway addresses. In VLAN aggregation, all PCs in a super-VLAN share one subnet address and one gateway address. Because PCs in different sub-VLANs belong to the same subnet, a PC tries to reach a PC in another sub-VLAN directly at Layer 2 rather than through the gateway at Layer 3. Sub-VLANs, however, are isolated from each other at Layer 2, so PCs in different sub-VLANs cannot communicate.
Proxy ARP is required to enable PCs in a sub-VLAN to communicate with PCs in another sub-VLAN or on other networks. After a super-VLAN and its VLANIF interface are created, proxy ARP must be enabled so that the super-VLAN forwards or answers ARP request and reply packets. Proxy ARP thus allows PCs in different sub-VLANs to communicate at the network layer.
NOTE
An IP address must have been assigned to the VLANIF interface corresponding to the super-VLAN.
Otherwise, proxy ARP cannot take effect.
VLAN aggregation simplifies configurations for the network where many VLANs are
configured and PCs in different VLANs need to communicate with each other.
Procedure
Step 1 Run:
system-view
Prerequisite
The VLAN aggregation configurations are complete.
Procedure
l
Run the display vlan [ vlan-id [ verbose ] ] command to check VLAN information.
Run the display interface vlanif [ vlan-id ] command to check information about a specific
VLANIF interface.
----End
Applicable Environment
Voice and non-voice data are transmitted on networks. Voice data is given a higher priority than non-voice data to reduce the probability of transmission delay and packet loss. In most cases, an Access Control List (ACL) is configured to distinguish voice data from non-voice data, and Quality of Service (QoS) is used to ensure the transmission quality of voice data.
Voice over IP (VoIP) phones are commonly used. If an ACL is configured to distinguish voice
data from non-voice data, and QoS is used to ensure the transmission quality of voice data, each
terminal needs to be configured with an ACL rule. This increases the network administrator's
workload and burdens maintenance.
The voice VLAN technique is introduced to solve the preceding problem.
After the voice VLAN function is enabled, a device identifies voice data based on the source MAC addresses of received frames, adds the ports that receive voice data to a voice VLAN, and automatically applies priority rules so that voice data is transmitted with high priority and good quality. This simplifies configuration and facilitates management of voice data.
On the network shown in Figure 3-7, a user's High Speed Internet (HSI), VoIP, and Internet
Protocol Television (IPTV) services are connected to a switch. A voice VLAN can be configured
on the switch to implement QoS for voice data, prioritize voice data, and ensure the
communication quality.
Figure 3-7 Voice VLAN networking: LAN Switch1 and LAN Switch2 each carry HSI, VoIP and IPTV traffic to the Switch; voice flows are carried in the voice VLAN (VLAN 10) across the network to the server
Pre-configuration Tasks
Before configuring a voice VLAN, complete the following task:
l
Creating VLANs
Data Preparation
To configure a voice VLAN, you need the following data.
Data:
l The Organizationally Unique Identifier (OUI) address and mask of the voice VLAN
l (Optional) 802.1p priority and DSCP value for the voice VLAN
l Type and number of the port enabled with the voice VLAN function
Procedure
Step 1 Run:
system-view
The view of a port connecting the device to users' voice devices is displayed.
Step 3 Run:
voice-vlan vlan-id enable
A voice VLAN is configured and the voice VLAN function is enabled on the port.
By default, the voice VLAN function is disabled on ports.
----End
Context
An OUI is a globally-unique identifier assigned by the Institute of Electrical and Electronics
Engineers (IEEE) to a specific equipment vendor. An OUI represents the first 24 bits of a binary
MAC address.
In this document, an OUI is the MAC address segment obtained by performing an AND operation between a 48-bit MAC address and a mask. For example, if the MAC address is 1-1-1 (that is, 0001-0001-0001) and the mask is FFFF-FF00-0000, the AND operation yields the OUI 0001-0000-0000. If the first 24 bits of a device's MAC address match a configured OUI, a voice VLAN-enabled port treats the device as a voice device and its data as voice data.
Procedure
Step 1 Run:
system-view
An OUI is configured.
l The mac-address value cannot be all 0s or a multicast or broadcast address.
l A device can be configured with a maximum of 16 OUIs. When the device is configured
with 16 OUIs, subsequent configurations will not take effect.
l When using the undo voice-vlan mac-address command to delete an OUI, specify the mac-address value as the result of the AND operation between the configured MAC address and mask.
NOTE
When the source MAC address of a packet matches the OUI, the S2700 changes the priority of the packet
basing on the configuration of 3.7.5 (Optional) Configuring an 802.1p Priority and a DSCP Value for
the Voice VLAN to improve the transmission quality.
----End
Context
The aging timer of a voice VLAN is effective only when ports are automatically added to the
voice VLAN.
If a voice VLAN-enabled port does not receive voice data from a voice device before the aging
timer expires, the port will be automatically deleted from the voice VLAN. If the port receives
voice data from the voice device again, the port will be automatically added to the voice VLAN.
Procedure
Step 1 Run:
system-view
Context
By default, the 802.1p priority and DSCP value for each voice VLAN are 6 and 46 respectively.
Manually configuring the 802.1p priority and DSCP value allows you to plan priorities for different voice services as required.
NOTE
l The 802.1p priority is indicated by the value in the 3-bit PRI field in each 802.1Q VLAN frame. This
field determines the transmission priority for data packets when a switching device is congested.
l The DSCP value is carried in the 6 most significant bits of the Type of Service (ToS) field in the IPv4 packet header. DSCP is the signalling mechanism of DiffServ and is used for QoS guarantee on IP networks; devices along the path act only on the information carried in these 6 bits.
Procedure
Step 1 Run:
system-view
An 802.1p priority and a DSCP value are configured for a voice VLAN.
By default, the 802.1p priority and DSCP value for a voice VLAN are 6 and 46 respectively.
----End
Context
Ports can be added to a voice VLAN in either of the following modes:
l
Automatic mode
The device learns the source MAC addresses of frames received on a voice VLAN-enabled port. When a source MAC address matches a configured OUI, the port is automatically added to the voice VLAN, and the voice VLAN aging timer controls how long it stays there. If a voice VLAN-enabled port does not receive voice data from a voice device before the aging timer expires, the port is automatically deleted from the voice VLAN. If the port receives voice data from the voice device again, it is automatically added to the voice VLAN again.
l
Manual mode
Huawei Proprietary and Confidential
Copyright Huawei Technologies Co., Ltd.
After the voice VLAN function is enabled, ports connected to voice devices must be
manually added to a voice VLAN. Otherwise, the voice VLAN function does not take
effect.
Procedure
Step 1 Run:
system-view
The view of a port connecting the device to users' voice devices is displayed.
Step 3 Run:
voice-vlan mode { auto | manual }
Access ports cannot be automatically added to a voice VLAN. To add an access port to the voice VLAN, run the port link-type command to change the port type to trunk or hybrid.
----End
Context
Based on the data filtering mechanism, a voice VLAN works in either security or ordinary mode:
l
Security mode
A voice VLAN-enabled port forwards in the voice VLAN only those received frames whose source MAC addresses match OUIs configured on the device; frames in the voice VLAN whose source MAC addresses do not match are discarded, while data of other VLANs is forwarded normally.
The security mode protects a voice VLAN from malicious data flows, but consumes system resources to check frames.
l
Ordinary mode
A voice VLAN-enabled port forwards both voice and non-voice data in the voice VLAN. The port does not compare the source MAC addresses of received frames with the configured OUIs, which exposes the voice VLAN to malicious traffic.
NOTE
Transmitting voice and service data at the same time in a voice VLAN is not recommended. If a voice
VLAN must transmit both voice and service data, ensure that the voice VLAN works in ordinary mode.
Table 3-7 shows how to process frames in different voice VLAN working modes.
Table 3-7 Frame processing in different voice VLAN working modes

Voice VLAN Working Mode | Processing
Security mode | If the source MAC address of a frame does not match an OUI, the priority of the frame is not changed and the frame is prohibited from being forwarded in the voice VLAN.
Ordinary mode | If the source MAC address of a frame does not match an OUI, the priority of the frame is not changed but the frame is still forwarded in the voice VLAN.
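The following is an added Python example, not part of this guide, that shows the masked MAC matching used in this chapter as code. The same AND-with-mask comparison serves MAC address-based VLAN assignment (the mac-vlan mac-address command with a mask, described earlier in this chapter) and the voice VLAN OUI table, and the last function applies the security and ordinary mode rules of Table 3-7 to a frame. The MAC addresses and table entries in the block are constructed for the example, the 802.1p value 6 is the default stated in this chapter, and the function and class names are the example's own.

```python
"""Added example (not from this guide): masked MAC matching as used by
MAC address-based VLANs and voice VLAN OUIs, plus the Table 3-7 decision."""
from __future__ import annotations
from dataclasses import dataclass
from typing import Optional


def parse_mac(text: str) -> int:
    """Parse a MAC address into a 48-bit int. Accepts the H-H-H notation used
    in this guide (each group up to 4 hex digits, so '1-1-1' is 0001-0001-0001
    and '22-22-22' is 0022-0022-0022) and the common colon notation."""
    if ":" in text:
        groups = text.split(":")
        if len(groups) != 6:
            raise ValueError(f"bad MAC address: {text!r}")
        return int("".join(g.zfill(2) for g in groups), 16)
    groups = text.split("-")
    if len(groups) != 3:
        raise ValueError(f"bad MAC address: {text!r}")
    return int("".join(g.zfill(4) for g in groups), 16)


def fmt_mac(value: int) -> str:
    """Format a 48-bit int in the guide's H-H-H notation."""
    s = f"{value:012x}"
    return f"{s[0:4]}-{s[4:8]}-{s[8:12]}"


OUI_MASK = parse_mac("ffff-ff00-0000")  # the first 24 bits of a MAC address


@dataclass(frozen=True)
class MaskedMac:
    """A MAC prefix and its mask. The address is stored already ANDed with the
    mask, which is also the form the undo voice-vlan mac-address command expects."""
    address: int
    mask: int

    @classmethod
    def of(cls, address: str, mask: str = "ffff-ff00-0000") -> MaskedMac:
        m = parse_mac(mask)
        return cls(parse_mac(address) & m, m)

    def matches(self, mac: int) -> bool:
        return (mac & self.mask) == self.address


def oui_of(mac: str) -> str:
    """The worked example from the text: 1-1-1 AND FFFF-FF00-0000 -> 0001-0000-0000."""
    return fmt_mac(parse_mac(mac) & OUI_MASK)


def mac_vlan_lookup(table: list[tuple[MaskedMac, int]], src_mac: str, pvid: int) -> int:
    """MAC address-based VLAN assignment: the first masked entry that matches
    the source MAC decides the VLAN; an unmatched frame falls back to the
    port's default VLAN (PVID)."""
    mac = parse_mac(src_mac)
    for entry, vlan in table:
        if entry.matches(mac):
            return vlan
    return pvid


def voice_vlan_decision(ouis: list[MaskedMac], src_mac: str,
                        security_mode: bool) -> tuple[bool, Optional[int]]:
    """Table 3-7 as code. Returns (forwarded in the voice VLAN, new 802.1p
    priority or None). A frame whose source MAC matches an OUI is voice data:
    it is forwarded and remarked (6 is the default 802.1p value in this
    chapter). Any other frame keeps its priority; in security mode it is also
    barred from the voice VLAN, in ordinary mode it is forwarded anyway."""
    mac = parse_mac(src_mac)
    if any(oui.matches(mac) for oui in ouis):
        return True, 6
    return (not security_mode), None


if __name__ == "__main__":
    # Constructed sample data: the OUI from this chapter's configuration files
    # and two frames, one from a non-voice host whose prefix differs in one byte.
    ouis = [MaskedMac.of("0011-2200-0000")]
    for src in ("0011-2233-4455", "0011-2300-0001"):
        for secure in (True, False):
            print(src, "security" if secure else "ordinary",
                  voice_vlan_decision(ouis, src, secure))
```

Because the OUI check only looks at the masked prefix, a host that spoofs the first three bytes of a phone's MAC address is treated as a voice device in either mode; the security mode stops non-matching hosts from injecting into the voice VLAN, not hosts that forge a matching OUI.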
Procedure
l
Security mode
1. Run the system-view command to enter the system view.
2. Enter the view of the port connected to the voice devices.
3. Run the voice-vlan security enable command to configure the voice VLAN to work in security mode.
By default, a voice VLAN works in security mode.
l
Ordinary mode
1. Run the system-view command to enter the system view.
2. Enter the view of the port connected to the voice devices.
3. Run the undo voice-vlan security enable command to configure the voice VLAN to work in ordinary mode.
----End
Context
Some vendors' VoIP devices, after being powered on, request IP addresses using proprietary protocol packets rather than DHCP. To allow Huawei datacom devices to work with voice devices from these vendors, you can enable the voice VLAN legacy function, which lets Huawei devices recognise these proprietary protocol packets.
Procedure
Step 1 Run:
system-view
The view of a port connecting the device to users' voice devices is displayed.
Step 3 Run:
voice-vlan legacy enable
Prerequisite
The configurations of a voice VLAN are complete.
Procedure
l
Run the display voice-vlan [ vlan-id ] status command to check information about the
voice VLAN, including the working mode, security mode, aging timer value and the 802.1p
priority and DSCP value as well as the configuration of the port enabled with the voice
VLAN function.
Run the display voice-vlan oui command to check information about the OUI of the voice
VLAN, including the mask and description of the OUI.
----End
Applicable Environment
A management VLAN (mVLAN) allows a user to manage indirectly connected devices through an NMS.
After an mVLAN is configured, a user can telnet to the IP address of the VLANIF interface corresponding to the mVLAN to log in to the management switch and manage the devices attached to it. Telnet sends credentials and commands in cleartext, so the mVLAN should be reachable only from trusted management hosts.
Pre-configuration Tasks
Before configuring an mVLAN, complete the following task:
l
Creating a VLAN
Data Preparation
To configure an mVLAN, you need the following data.
Data: VLAN ID
Procedure
Step 1 Run:
system-view
An mVLAN is configured.
Procedure
Step 1 Run:
system-view
After assigning an IP address to the VLANIF interface, you can run the telnet command to log
in to a management switch to manage attached devices.
----End
Prerequisite
The configurations of an mVLAN are complete.
Procedure
l
Run the display vlan command to check information about the mVLAN. In the command output, the line beginning with an asterisk (*) is the mVLAN.
----End
Context
CAUTION
Cleared VLAN packet statistics cannot be restored. Confirm the action before you run the command.
To clear the statistics of VLAN packets, run the following reset command in the user view:
Procedure
l
Run the reset vlan vlan-id statistics command to clear the packet statistics of a specified VLAN.
----End
Networking Requirements
An enterprise has multiple departments. It is required that departments in charge of the same
service can communicate with each other, and departments in charge of different services cannot
communicate with each other.
On the network shown in Figure 3-8, the requirements are as follows:
l
Figure 3-8 Networking diagram: the Switch connects to the network and, through Eth0/0/1 to Eth0/0/4, to Department 1 to Department 4; Department 1 and Department 2 are in VLAN 2, and Department 3 and Department 4 are in VLAN 3
Configuration Roadmap
The configuration roadmap is as follows:
1.
2.
3.
Add the ports connected to department 1 and department 2 to VLAN 2 and the ports
connected to department 3 and department 4 to VLAN 3 to prevent employees in department
1 or department 2 from communicating with employees in department 3 or department 4.
Data Preparation
To complete the configuration, you need the following data:
l
Procedure
Step 1 Configure the Switch.
# Create VLAN 2.
<Quidway> system-view
[Quidway] vlan 2
[Quidway-vlan2] quit
# Set the link type of Eth 0/0/1 to trunk and add Eth 0/0/1 to VLAN 2.
# Set the link type of Eth 0/0/2 to trunk and add Eth 0/0/2 to VLAN 2.
[Quidway] interface ethernet 0/0/2
[Quidway-Ethernet0/0/2] port link-type trunk
[Quidway-Ethernet0/0/2] port trunk allow-pass vlan 2
[Quidway-Ethernet0/0/2] quit
# Create VLAN 3.
[Quidway] vlan 3
[Quidway-vlan3] quit
# Set the link type of Eth 0/0/3 to trunk and add Eth 0/0/3 to VLAN 3.
[Quidway] interface ethernet 0/0/3
[Quidway-Ethernet0/0/3] port link-type trunk
[Quidway-Ethernet0/0/3] port trunk allow-pass vlan 3
[Quidway-Ethernet0/0/3] quit
# Set the link type of Eth 0/0/4 to trunk and add Eth 0/0/4 to VLAN 3.
[Quidway] interface ethernet 0/0/4
[Quidway-Ethernet0/0/4] port link-type trunk
[Quidway-Ethernet0/0/4] port trunk allow-pass vlan 3
[Quidway-Ethernet0/0/4] quit
Configuration Files
The following lists the configuration file of the Switch.
#
sysname Quidway
#
vlan batch 2 to 3
#
interface Ethernet0/0/1
port link-type trunk
port trunk allow-pass vlan 2
#
interface Ethernet0/0/2
port link-type trunk
port trunk allow-pass vlan 2
#
interface Ethernet0/0/3
port link-type trunk
port trunk allow-pass vlan 3
#
interface Ethernet0/0/4
port link-type trunk
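The following is an added Python example, not part of this guide, that audits a configuration file in the format shown above and reports whether the isolation requirement of this example (departments 1 and 2 must not communicate with departments 3 and 4) actually holds at Layer 2. The configuration text inside the block is constructed for the example and modelled on the file above. The block assumes the VRP default behaviour, which this page does not state, that a trunk interface also permits VLAN 1 until undo port trunk allow-pass vlan 1 is configured and that an access interface belongs only to its port default vlan; under that assumption all four trunk interfaces in the sample still share VLAN 1, and the hardened variant in the block removes it. Function and constant names are the example's own.

```python
"""Added example (not from this guide): audit a VRP-style configuration file
for Layer 2 isolation between groups of interfaces."""
from __future__ import annotations
import re

# Constructed for this example, modelled on the configuration file above.
SAMPLE_CONFIG = """\
#
sysname Quidway
#
vlan batch 2 to 3
#
interface Ethernet0/0/1
 port link-type trunk
 port trunk allow-pass vlan 2
#
interface Ethernet0/0/2
 port link-type trunk
 port trunk allow-pass vlan 2
#
interface Ethernet0/0/3
 port link-type trunk
 port trunk allow-pass vlan 3
#
interface Ethernet0/0/4
 port link-type trunk
 port trunk allow-pass vlan 3
#
return
"""

# The same file with VLAN 1 explicitly removed from every trunk interface.
HARDENED_CONFIG = SAMPLE_CONFIG.replace(
    " port trunk allow-pass vlan",
    " undo port trunk allow-pass vlan 1\n port trunk allow-pass vlan")

# Departments 1 and 2 hang off Eth0/0/1-2, departments 3 and 4 off Eth0/0/3-4.
DEPARTMENT_GROUPS = [{"Ethernet0/0/1", "Ethernet0/0/2"},
                     {"Ethernet0/0/3", "Ethernet0/0/4"}]


def expand_vlans(spec: str) -> set[int]:
    """'2 to 4 10' -> {2, 3, 4, 10}, the syntax of vlan batch and allow-pass."""
    tokens = spec.split()
    vlans: set[int] = set()
    i = 0
    while i < len(tokens):
        if i + 2 < len(tokens) and tokens[i + 1] == "to":
            vlans.update(range(int(tokens[i]), int(tokens[i + 2]) + 1))
            i += 3
        else:
            vlans.add(int(tokens[i]))
            i += 1
    return vlans


def parse_config(text: str) -> tuple[set[int], dict[str, set[int]]]:
    """Return (VLANs declared with vlan batch, {interface: VLANs it carries}).
    Assumed VRP defaults: a trunk carries VLAN 1 until it is undone, and an
    access interface is in VLAN 1 until port default vlan is set."""
    declared: set[int] = set()
    members: dict[str, set[int]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.match(r"vlan batch (.+)$", line):
            declared |= expand_vlans(m.group(1))
        elif m := re.match(r"interface (Ethernet\S+)$", line):
            current = m.group(1)
            members[current] = set()
        elif current is None or line == "#":
            current = None                       # a '#' line ends the block
        elif line in ("port link-type trunk", "port link-type access"):
            members[current] = {1}               # assumed default membership
        elif m := re.match(r"port trunk allow-pass vlan (.+)$", line):
            members[current] |= expand_vlans(m.group(1))
        elif m := re.match(r"undo port trunk allow-pass vlan (.+)$", line):
            members[current] -= expand_vlans(m.group(1))
        elif m := re.match(r"port default vlan (\d+)$", line):
            members[current] = {int(m.group(1))}
    return declared, members


def audit_isolation(text: str, groups: list[set[str]]) -> list[str]:
    """List every VLAN used but never declared, and every pair of interfaces
    from different groups that still share a VLAN (a Layer 2 path between them)."""
    declared, members = parse_config(text)
    findings = []
    for port, vlans in sorted(members.items()):
        for v in sorted(vlans - declared - {1}):
            findings.append(f"{port}: VLAN {v} is used but not declared")
    for i, g1 in enumerate(groups):
        for g2 in groups[i + 1:]:
            for a in sorted(g1):
                for b in sorted(g2):
                    common = members.get(a, set()) & members.get(b, set())
                    if common:
                        findings.append(f"{a} and {b} share VLAN(s) {sorted(common)}")
    return findings


if __name__ == "__main__":
    for label, cfg in (("as written", SAMPLE_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, "->", audit_isolation(cfg, DEPARTMENT_GROUPS) or ["isolated"])
```

The audit deliberately works on the saved configuration rather than on live state, so it can be run against a backup before a change window; whether VLAN 1 is really carried on a given trunk should still be confirmed on the device with display vlan 1 verbose.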
Networking Requirements
On an enterprise network, the network administrator adds the PCs of employees in a department to the same VLAN. To improve information security, only employees in this department are allowed to access the intranet.
As shown in Figure 3-9, only PC1, PC2, and PC3 are allowed to access the intranet through SwitchA and the Switch.
Figure 3-9 Network diagram of MAC address-based VLAN assignment
(PC1, PC2 and PC3 connect to SwitchA; Eth0/0/1 of SwitchA connects to Eth0/0/1 of the Switch, and Eth0/0/2 of the Switch connects to the network)
Configuration Roadmap
The configuration roadmap is as follows:
1. Create VLANs and determine the VLAN that the PCs of employees belong to.
2.
3. Associate the MAC addresses of PC1, PC2, and PC3 with the specified VLAN so that the Switch assigns packets to the VLAN according to their source MAC addresses.
Data Preparation
To complete the configuration, you need the following data:
l
MAC addresses of PC1, PC2, and PC3 need to be associated with VLAN 10.
Procedure
Step 1 Configure the Switch.
# Create VLANs.
<Quidway> system-view
[Quidway] vlan batch 10 100
# Configure Eth 0/0/1 as a hybrid interface whose PVID is VLAN 100 and that sends VLAN 10 frames untagged, and Eth 0/0/2 as a hybrid interface that sends VLAN 10 frames tagged.
[Quidway] interface ethernet 0/0/1
[Quidway-Ethernet0/0/1] port hybrid pvid vlan 100
[Quidway-Ethernet0/0/1] port hybrid untagged vlan 10
[Quidway-Ethernet0/0/1] quit
[Quidway] interface ethernet 0/0/2
[Quidway-Ethernet0/0/2] port hybrid tagged vlan 10
[Quidway-Ethernet0/0/2] quit
# Associate MAC addresses of PC1, PC2, and PC3 with VLAN 10.
[Quidway] vlan 10
[Quidway-Vlan10] mac-vlan mac-address 22-22-22
[Quidway-Vlan10] mac-vlan mac-address 33-33-33
[Quidway-Vlan10] mac-vlan mac-address 44-44-44
[Quidway-Vlan10] quit
Configuration Files
Configuration file of the Switch
#
sysname Quidway
#
Networking Requirements
Departments of an enterprise are located on different network segments and use the same services, such as Internet access and VoIP. Because departments in different VLANs need to use the same services, communication between the VLANs must be implemented.
As shown in Figure 3-10, department 1 and department 2 use the same service but belong to
different VLANs and are located on different network segments. Users in department 1 and
department 2 need to communicate with each other.
Figure 3-10 Communication between VLANs using VLANIF interfaces
(Eth0/0/1 of the Switch connects to Eth0/0/1 of SwitchA; Eth0/0/2 of SwitchA is in VLAN 10 and connects Department1, where PC1 has 10.10.10.2/24; Eth0/0/3 of SwitchA is in VLAN 20 and connects Department2, where PC2 has 20.20.20.2/24)
Configuration Roadmap
The configuration roadmap is as follows:
1. Create VLANs.
2. Add Layer 2 interfaces to the VLANs so that packets of the VLANs can pass through them.
3. On the Layer 3 switch, create VLANIF interfaces corresponding to the VLANs and configure IP addresses for them to implement Layer 3 communication.
NOTE
To implement communication between VLANs, hosts in each VLAN must use the IP address of the
corresponding VLANIF interface as gateway address.
Data Preparation
To complete the configuration, you need the following data:
l
Procedure
Step 1 Configure the Switch.
# Create VLANs.
<Quidway> system-view
[Quidway] vlan batch 10 20
# Set the link type of Eth 0/0/1 to trunk and allow VLAN 10 and VLAN 20 to pass.
[Quidway] interface ethernet 0/0/1
[Quidway-Ethernet0/0/1] port link-type trunk
[Quidway-Ethernet0/0/1] port trunk allow-pass vlan 10 20
[Quidway-Ethernet0/0/1] quit
# Create VLANIF 10 and VLANIF 20 and assign IP addresses to them.
[Quidway] interface vlanif 10
[Quidway-Vlanif10] ip address 10.10.10.1 255.255.255.0
[Quidway-Vlanif10] quit
[Quidway] interface vlanif 20
[Quidway-Vlanif20] ip address 20.20.20.1 255.255.255.0
[Quidway-Vlanif20] quit
Step 2 Configure SwitchA.
# Add Eth 0/0/2 to VLAN 10 and Eth 0/0/3 to VLAN 20 as access interfaces (shown in configuration file form).
vlan batch 10 20
#
interface Ethernet0/0/2
 port link-type access
 port default vlan 10
#
interface Ethernet0/0/3
 port link-type access
 port default vlan 20
Configuration Files
Configuration file of the Switch
#
sysname Quidway
#
vlan batch 10 20
#
interface Vlanif10
ip address 10.10.10.1 255.255.255.0
#
interface Vlanif20
ip address 20.20.20.1 255.255.255.0
#
interface Ethernet0/0/1
port link-type trunk
port trunk allow-pass vlan 10 20
#
return
Networking Requirements
An enterprise has many departments whose IP addresses are on the same network segment. To improve service security, the employees of different departments are added to different VLANs, but employees in different departments still need to communicate with each other.
As shown in Figure 3-11, the R&D department and the test department belong to different VLANs. Employees in these VLANs must be able to communicate with each other.
Figure 3-11 Typical networking of VLAN configuration
(Eth0/0/1 and Eth0/0/2 of the Switch are in VLAN 2 for the Development Department; Eth0/0/3 and Eth0/0/4 are in VLAN 3 for the Test Department; VLAN 2 and VLAN 3 are sub-VLANs of super-VLAN 4, whose VLANIF4 has the address 100.1.1.12/24)
Configuration Roadmap
The configuration roadmap is as follows:
1.
2.
3.
4.
Data Preparation
To complete the configuration, you need the following data:
l
Procedure
Step 1 Set the interface type.
# Configure Eth 0/0/1 as an access interface.
<Quidway> system-view
[Quidway] interface ethernet 0/0/1
[Quidway-Ethernet0/0/1] port link-type access
[Quidway-Ethernet0/0/1] quit
Configuration Files
Configuration file of the Switch
#
sysname Quidway
#
vlan batch 2 to 4
#
vlan 4
aggregate-vlan
access-vlan 2 to 3
#
interface Vlanif4
ip address 100.1.1.12 255.255.255.0
arp-proxy inter-sub-vlan-proxy enable
#
interface Ethernet0/0/1
port link-type access
port default vlan 2
#
interface Ethernet0/0/2
port link-type access
port default vlan 2
#
interface Ethernet0/0/3
port link-type access
port default vlan 3
#
interface Ethernet0/0/4
port link-type access
port default vlan 3
#
return
Networking Requirements
Data flows of the HSI, VoIP, and IPTV services are transmitted on a network. Users require
high quality of VoIP services; therefore, voice data flows must be transmitted with a high priority
to ensure the call quality.
As shown in Figure 3-12, after a voice VLAN is configured on the Switch, the Switch checks
whether a data flow received by Ethernet0/0/1 is a voice data flow based on the source MAC
address of the flow. If the data flow is a voice data flow, the Switch changes the priority of the
flow and transmits it in the voice VLAN. If not, the Switch transmits the flow in a common
VLAN without changing the priority of the flow. Ethernet0/0/1 needs to be automatically added
to or deleted from the voice VLAN.
Figure 3-12 Networking diagram of a voice VLAN in auto mode
(a LAN Switch carries HSI, VoIP and IPTV traffic to Eth0/0/1 of the Switch, which connects to the Internet and to the DHCP Server)
Configuration Roadmap
The configuration roadmap is as follows:
1.
Create VLANs.
2.
3.
4.
Set the mode of adding the interface to the voice VLAN to auto.
5.
6.
7.
Data Preparation
To complete the configuration, you need the following data:
l
Voice VLAN and VLAN through which the IP phone applies for an IP address: VLAN 2
and VLAN 6
Procedure
Step 1 Create VLANs and configure the interface on the Switch.
# Create VLAN 2 and VLAN 6.
<Quidway> system-view
[Quidway] vlan batch 2 6
# Configure the OUI of the voice devices and the aging time of the voice VLAN.
[Quidway] voice-vlan mac-address 0011-2200-0000 mask ffff-ff00-0000
[Quidway] voice-vlan aging-time 100
# Configure Eth 0/0/1 as a hybrid interface with PVID 6 and enable the voice VLAN function on it.
[Quidway] interface ethernet 0/0/1
[Quidway-Ethernet0/0/1] port hybrid pvid vlan 6
[Quidway-Ethernet0/0/1] port hybrid untagged vlan 6
[Quidway-Ethernet0/0/1] voice-vlan 2 enable
# Set the mode of adding the interface to the voice VLAN to auto.
[Quidway-Ethernet0/0/1] voice-vlan mode auto
[Quidway-Ethernet0/0/1] quit
Run the display voice-vlan 2 status command to check whether the mode of adding the interface
to the voice VLAN, working mode, and aging time of the voice VLAN are correct.
<Quidway> display voice-vlan 2 status
Voice VLAN Configurations:
---------------------------------------------------
Voice VLAN ID           : 2
Voice VLAN status       : Enable
Voice VLAN aging time   : 100 (minutes)
Voice VLAN 8021p remark : 6
Voice VLAN dscp remark  : 46
---------------------------------------------------
Port Information:
---------------------------------------------------
Port             Add-Mode   Security-Mode   Legacy
---------------------------------------------------
Ethernet0/0/1    Auto       Security        Disable
----End
Configuration Files
Configuration file of the Switch
#
sysname Quidway
#
vlan batch 2 6
#
voice-vlan aging-time 100
#
voice-vlan mac-address 0011-2200-0000 mask ffff-ff00-0000
#
interface Ethernet0/0/1
port hybrid pvid vlan 6
port hybrid untagged vlan 6
voice-vlan 2 enable
#
return
Networking Requirements
Data flows of the HSI, VoIP, and IPTV services are transmitted on a network. Users require
high quality of VoIP services; therefore, voice data flows must be transmitted with a high priority
to ensure the call quality.
As shown in Figure 3-13, after a voice VLAN is configured on the Switch, the Switch checks
whether a data flow received by Ethernet0/0/1 is a voice data flow based on the source MAC
address of the data flow. If the data flow is a voice data flow, the Switch changes the priority of
the flow and transmits it in the voice VLAN. If not, the Switch transmits the flow in a common
VLAN without changing the priority of the flow. Ethernet0/0/1 needs to be added to or deleted
from the voice VLAN manually.
Figure 3-13 Networking diagram of a voice VLAN in manual mode (a LAN Switch carries HSI, VoIP and IPTV traffic to Eth0/0/1 of the Switch, which connects to the Internet and to the DHCP Server)
Configuration Roadmap
The configuration roadmap is as follows:
1.
Create VLANs.
2.
3.
4.
Set the mode of adding the interface to the voice VLAN to manual.
5.
6.
7.
Data Preparation
To complete the configuration, you need the following data:
l
Voice VLAN and VLAN through which the IP phone applies for an IP address: VLAN 2
and VLAN 6
Procedure
Step 1 Create VLANs and configure the interface on the Switch.
# Create VLAN 2 and VLAN 6.
<Quidway> system-view
[Quidway] vlan batch 2 6
# Configure the OUI of the voice devices.
[Quidway] voice-vlan mac-address 0011-2200-0000 mask ffff-ff00-0000
# Configure Eth 0/0/1 as a hybrid interface with PVID 6 and enable the voice VLAN function on it.
[Quidway] interface ethernet 0/0/1
[Quidway-Ethernet0/0/1] port hybrid pvid vlan 6
[Quidway-Ethernet0/0/1] port hybrid untagged vlan 6
[Quidway-Ethernet0/0/1] voice-vlan 2 enable
# Set the mode of adding the interface to the voice VLAN to manual and add the interface to the voice VLAN.
[Quidway-Ethernet0/0/1] voice-vlan mode manual
[Quidway-Ethernet0/0/1] port hybrid tagged vlan 2
[Quidway-Ethernet0/0/1] quit
Run the display voice-vlan 2 status command to check whether the mode of adding the interface
to the voice VLAN, working mode, and aging time of the voice VLAN are correct.
<Quidway> display voice-vlan 2 status
Voice VLAN Configurations:
---------------------------------------------------
Voice VLAN ID           : 2
Voice VLAN status       : Enable
Voice VLAN aging time   : 1440 (minutes)
Voice VLAN 8021p remark : 6
Voice VLAN dscp remark  : 46
---------------------------------------------------
Port Information:
---------------------------------------------------
Port             Add-Mode   Security-Mode   Legacy
---------------------------------------------------
Ethernet0/0/1    Manual     Security        Disable
----End
Configuration Files
Configuration file of the Switch
#
sysname Quidway
#
vlan batch 2 6
#
voice-vlan mac-address 0011-2200-0000 mask ffff-ff00-0000
#
interface Ethernet0/0/1
port hybrid pvid vlan 6
port hybrid tagged vlan 2
port hybrid untagged vlan 6
voice-vlan 2 enable
voice-vlan mode manual
#
return
Pre-configuration Tasks
Before configuring VLAN mapping, complete the following task:
l
Configuring VLANs
Data Preparation
To configure VLAN mapping, you need the following data.
Procedure
Step 1 Run:
system-view
- VLAN mapping can only be configured on a trunk or hybrid interface, and the interface must be added to the VLAN specified by map-vlan in tagged mode.
- The interface must be added to original VLANs (VLANs before mapping) in tagged mode.
- A maximum of 16 original VLANs can be specified for VLAN mapping. The original VLAN IDs cannot be the same as the allowed VLAN IDs modulo 128.
- Limiting MAC address learning on an interface may affect the N:1 VLAN mapping on the interface.
----End
Run the display vlan vlan-id command to check whether the interface is added to the
translated local VLAN.
Run the display current-configuration command to display information about the
single-tag VLAN mapping on the interface.
After running the preceding commands, you can obtain the following information:
- The interface is added to the translated local VLAN.
- The information about the VLAN mapping is correct.
----End
Global VLAN mapping and interface-based VLAN mapping cannot be configured on an S2700
simultaneously.
Pre-configuration Tasks
Before configuring global VLAN mapping, complete the following tasks:
Data Preparations
To configure global VLAN mapping, you need the following data.
- Original VLAN ID
- Translated VLAN ID
Procedure
Step 1 Run:
system-view
----End
Run the display this command in the VLAN view to check the configuration of global
VLAN mapping.
----End
Example
Run the display this command in the VLAN view.
[Quidway-vlan10] display this
#
vlan 10
vlan-mapping map-vlan 20 remark-8021p 3
#
return
[Figure: networking diagram for interface-based VLAN mapping. Labels: Network; SwitchC (Eth0/0/1, VLAN10); SwitchD (Eth0/0/1, VLAN10); SwitchA (Eth0/0/1, Eth0/0/2, Eth0/0/3, VLAN6); SwitchB (Eth0/0/1, Eth0/0/2, Eth0/0/3, VLAN5)]
Configuration Roadmap
The configuration roadmap is as follows:
1.
2. Add interfaces of SwitchA, SwitchB, SwitchC, and SwitchD to the corresponding VLANs.
3.
4.
Data Preparation
To complete the configuration, you need the following data:
Procedure
Step 1 Create VLANs on the Switches.
# Create VLAN 6 on SwitchA.
<Quidway> system-view
[Quidway] sysname SwitchA
[SwitchA] vlan 6
[SwitchA-vlan6] quit
# Configure Eth 0/0/2 and Eth 0/0/3 of SwitchA as trunk interfaces that allow VLAN 6 to pass.
[SwitchA] interface ethernet 0/0/2
[SwitchA-Ethernet0/0/2] port link-type trunk
[SwitchA-Ethernet0/0/2] port trunk allow-pass vlan 6
[SwitchA-Ethernet0/0/2] quit
[SwitchA] interface ethernet 0/0/3
[SwitchA-Ethernet0/0/3] port link-type trunk
[SwitchA-Ethernet0/0/3] port trunk allow-pass vlan 6
[SwitchA-Ethernet0/0/3] quit
# Configure Eth 0/0/2 and Eth 0/0/3 of SwitchB as trunk interfaces that allow VLAN 5 to pass.
[SwitchB] interface ethernet 0/0/2
[SwitchB-Ethernet0/0/2] port link-type trunk
[SwitchB-Ethernet0/0/2] port trunk allow-pass vlan 5
[SwitchB-Ethernet0/0/2] quit
[SwitchB] interface ethernet 0/0/3
[SwitchB-Ethernet0/0/3] port link-type trunk
[SwitchB-Ethernet0/0/3] port trunk allow-pass vlan 5
[SwitchB-Ethernet0/0/3] quit
Configuration Files
#
sysname SwitchA
#
vlan batch 6
#
interface Ethernet0/0/1
qinq vlan-translation enable
port link-type trunk
port trunk allow-pass vlan 6
port vlan-mapping vlan 10 map-vlan 6
#
interface Ethernet0/0/2
port link-type trunk
port trunk allow-pass vlan 6
#
interface Ethernet0/0/3
port link-type trunk
port trunk allow-pass vlan 6
#
return
#
sysname SwitchB
#
vlan batch 5
#
interface Ethernet0/0/1
qinq vlan-translation enable
port link-type trunk
#
sysname SwitchC
#
vlan batch 10
#
interface Ethernet0/0/1
port link-type trunk
port trunk allow-pass vlan 10
#
return
#
sysname SwitchD
#
vlan batch 10
#
interface Ethernet0/0/1
port link-type trunk
port trunk allow-pass vlan 10
#
return
[Figure: networking diagram for N:1 VLAN mapping. Labels: Internet; Switch (Eth0/0/1, VLAN100~110); SwitchA; SwitchB; SwitchC; SwitchD; SwitchE]
Configuration Roadmap
The configuration roadmap is as follows:
1.
2. Add Eth 0/0/1 of the Switch to the VLANs before and after mapping in tagged mode.
3.
Data Preparation
To complete the configuration, you need the following data:
Procedure
Step 1 Configure the Switch.
# Create VLANs.
<Quidway> system-view
[Quidway] vlan batch 10 100 to 110
Configuration Files
#
sysname Quidway
#
vlan batch 10 100 to 110
#
interface Ethernet0/0/1
qinq vlan-translation enable
port hybrid tagged vlan 10 100 to 110
port vlan-mapping vlan 100 to 110 map-vlan 10
#
return
[Figure: networking diagram for global VLAN mapping. Labels: Internet; VLAN 20; Switch (Eth0/0/1); VLAN 10; SwitchA; SwitchB; SwitchC; SwitchD]
Configuration Roadmap
The configuration roadmap is as follows:
1.
2.
3.
4.
5.
Data Preparations
To complete the configuration, you need the following data:
Procedure
Step 1 Configure the Switch.
# Create VLANs.
<Quidway> system-view
[Quidway] vlan batch 10 20
Configuration Files
#
sysname Quidway
#
vlan batch 10 20
#
interface Ethernet0/0/1
port hybrid tagged vlan 10 20
qinq vlan-translation enable
#
vlan-mapping map-vlan 20
#
return
5 QinQ Configuration
QinQ Configuration
Pre-configuration Tasks
None
Data Preparation
To configure QinQ on the interface, you need the following data.
- Outer VLAN ID
Procedure
Step 1 Run:
system-view
Procedure
Step 1 Run:
system-view
----End
Applicable Environment
As shown in Figure 5-1, SwitchA is connected to SwitchB through a third-party network. The
management VLAN on SwitchB is the same as the VLAN for users connected to SwitchA. The
VLAN ID provided by the carrier, however, is different from the management VLAN ID.
[Figure 5-1: SwitchA (user1, user2, VLAN 10) connected over the Internet to SwitchB (Management VLAN 10, Interface VLANIF 10); VLAN IDs 10 and 20 shown on the links]
To log in to SwitchB to manage it from SwitchA, you can configure QinQ stacking on the
VLANIF interface corresponding to the management VLAN on SwitchB.
After QinQ stacking is configured, data frames are processed as follows:
Pre-configuration Tasks
Before configuring QinQ stacking on a VLANIF interface, complete the following tasks:
- Creating VLANs
Data Preparations
To configure QinQ stacking on a VLANIF interface, you need the following data.
- VLAN IDs
Procedure
Step 1 Run:
system-view
- When configuring QinQ stacking on a VLANIF interface, ensure that the VLANIF interface corresponds to the management VLAN. VLANIF interfaces corresponding to other VLANs do not support QinQ stacking.
- To change the configured outer VLAN tag, run the undo qinq stacking vlan command to disable QinQ stacking, and then run the qinq stacking vlan command to configure a new outer VLAN tag.
- The qinq stacking vlan command conflicts with the icmp host-unreachable send command. Therefore, you must run the undo icmp host-unreachable send command before using the qinq stacking vlan command.
----End
Prerequisite
The configurations of QinQ stacking on the VLANIF interface are complete.
Procedure
Step 1 Run the display vlan [ vlan-id [ verbose ] ] command to check whether the management VLAN
is configured correctly.
Step 2 Run the display this command in the VLANIF interface view to check whether QinQ stacking
is configured correctly.
----End
Pre-configuration Tasks
None.
Data Preparation
To set the protocol type in the outer VLAN tag, you need the following data.
- Interface number
Procedure
Step 1 Run:
system-view
Step 3 Run:
port link-type { hybrid | trunk | access }
Procedure
Step 1 Run:
system-view
- To implement the connectivity between the devices of different vendors, the protocol type in the outer VLAN tag must be identified by the peer device.
- The protocol IDs set by the qinq protocol command cannot be the same as well-known protocol IDs. Otherwise, the interface cannot distinguish packets of these protocols. For example, protocol-id cannot be set to 0x0806, which is the ARP protocol ID.
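As an added example that is not part of this manual, the following Python script builds a double-tagged frame whose outer tag carries a configurable protocol type and parses it once with that type known and once with only the default 0x8100 known, which shows why the peer must identify the outer protocol type; the list of well-known protocol IDs, the addresses, VLAN IDs and payload are assumptions constructed for the demonstration.

```python
# Added example (not Huawei code): QinQ frames with a configurable outer protocol
# type. Addresses, VLAN IDs and payload below are constructed for the demonstration.
import struct

ETHERTYPE_8021Q = 0x8100      # default protocol type of a VLAN tag
# Assumed list of well-known protocol IDs an interface must still recognise;
# the text gives 0x0806 (ARP) as the example that cannot be reused.
WELL_KNOWN_ETHERTYPES = {0x0800: "IPv4", 0x0806: "ARP", 0x86DD: "IPv6",
                         0x8863: "PPPoE Discovery", 0x8864: "PPPoE Session"}

DST = bytes.fromhex("00e0fc000001")        # constructed destination MAC
SRC = bytes.fromhex("00e0fc000002")        # constructed source MAC


def validate_qinq_protocol(protocol_id):
    """Refuse a protocol ID the interface could not tell apart from real traffic."""
    if not 0x0600 <= protocol_id <= 0xFFFF:      # EtherType values start at 0x0600
        raise ValueError("0x%04x is not an EtherType value" % protocol_id)
    if protocol_id in WELL_KNOWN_ETHERTYPES:
        raise ValueError("0x%04x is the %s protocol ID and cannot be the outer tag type"
                         % (protocol_id, WELL_KNOWN_ETHERTYPES[protocol_id]))
    return protocol_id


def tci(vid, pcp=0):
    """Tag Control Information: 3-bit priority, DEI 0, 12-bit VLAN ID."""
    if not 1 <= vid <= 4094:
        raise ValueError("VLAN ID out of range")
    return (pcp << 13) | vid


def build_qinq_frame(outer_vid, inner_vid, ethertype, payload,
                     outer_tpid=ETHERTYPE_8021Q, dst=DST, src=SRC):
    """Outer tag with the configured protocol type, inner tag with 0x8100."""
    return (dst + src
            + struct.pack("!HH", validate_qinq_protocol(outer_tpid), tci(outer_vid))
            + struct.pack("!HH", ETHERTYPE_8021Q, tci(inner_vid))
            + struct.pack("!H", ethertype) + payload)


def parse_frame(frame, known_tpids=(ETHERTYPE_8021Q,)):
    """Return (vids, ethertype, payload). A tag is only recognised when its
    protocol type is in known_tpids: a peer left at 0x8100 sees a frame whose
    outer type is 0x9100 as one unknown EtherType with no VLAN information."""
    pos, vids = 12, []
    while True:
        if pos + 2 > len(frame):
            raise ValueError("truncated frame")
        etype = struct.unpack_from("!H", frame, pos)[0]
        if etype not in known_tpids:
            return vids, etype, frame[pos + 2:]
        if pos + 4 > len(frame):
            raise ValueError("truncated VLAN tag")
        vids.append(struct.unpack_from("!H", frame, pos + 2)[0] & 0x0FFF)
        pos += 4


# Constructed sample: carrier outer tag 20 with protocol type 0x9100 around
# customer VLAN 10 carrying a short ARP payload.
SAMPLE = build_qinq_frame(20, 10, 0x0806, b"\x00\x01\x08\x00", outer_tpid=0x9100)
```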
----End
[Figure: networking diagram for QinQ. Labels: Enterprise 1 (VLAN1000, VLAN1500); Enterprise 2 (VLAN2000, VLAN3000); SwitchF (Eth0/0/1, Eth0/0/2, Eth0/0/3, Eth0/0/4); SwitchG (Eth0/0/1, Eth0/0/2, Eth0/0/3)]
Configuration Roadmap
The configuration roadmap is as follows:
1.
2. Configure Eth 0/0/1, Eth 0/0/2, and Eth 0/0/3 of SwitchF as QinQ interfaces.
3.
4. Add Eth 0/0/4 of SwitchF and Eth 0/0/3 of SwitchG to VLAN 20 in tagged mode.
Data Preparation
To complete the configuration, you need the following data:
Procedure
Step 1 Create VLANs.
# Create VLAN 10 and VLAN 20 on SwitchF.
<Quidway> system-view
[Quidway] sysname SwitchF
[SwitchF] vlan batch 10 20
# Set Eth 0/0/1, Eth 0/0/2, and Eth 0/0/3 of SwitchF as QinQ interfaces; set the VLAN ID of the
outer VLAN tag added by Eth 0/0/1 and Eth 0/0/3 to VLAN 10 and that added by Eth 0/0/2 to VLAN 20.
[SwitchF] interface ethernet 0/0/1
[SwitchF-Ethernet0/0/1] port link-type dot1q-tunnel
[SwitchF-Ethernet0/0/1] port default vlan 10
[SwitchF-Ethernet0/0/1] quit
[SwitchF] interface ethernet 0/0/2
[SwitchF-Ethernet0/0/2] port link-type dot1q-tunnel
[SwitchF-Ethernet0/0/2] port default vlan 20
[SwitchF-Ethernet0/0/2] quit
[SwitchF] interface ethernet 0/0/3
[SwitchF-Ethernet0/0/3] port link-type dot1q-tunnel
[SwitchF-Ethernet0/0/3] port default vlan 10
[SwitchF-Ethernet0/0/3] quit
# Set Eth 0/0/1 and Eth 0/0/2 of SwitchG as QinQ interfaces; set the VLAN ID of the outer
VLAN tags added by Eth 0/0/1 and Eth 0/0/2 to VLAN 20.
[SwitchG] interface ethernet 0/0/1
[SwitchG-Ethernet0/0/1] port link-type dot1q-tunnel
[SwitchG-Ethernet0/0/1] port default vlan 20
[SwitchG-Ethernet0/0/1] quit
[SwitchG] interface ethernet 0/0/2
[SwitchG-Ethernet0/0/2] port link-type dot1q-tunnel
[SwitchG-Ethernet0/0/2] port default vlan 20
[SwitchG-Ethernet0/0/2] quit
Configuration Files
The following lists the configuration files of the Switch.
#
sysname SwitchF
#
vlan batch 10 20
#
interface Ethernet0/0/1
port link-type dot1q-tunnel
port default vlan 10
#
interface Ethernet0/0/2
port link-type dot1q-tunnel
port default vlan 20
#
interface Ethernet0/0/3
port link-type dot1q-tunnel
port default vlan 10
#
interface Ethernet0/0/4
port link-type trunk
port trunk allow-pass vlan 20
#
return
#
sysname SwitchG
#
vlan batch 20
#
interface Ethernet0/0/1
port link-type dot1q-tunnel
port default vlan 20
#
interface Ethernet0/0/2
Networking Requirements
As shown in Figure 5-3, Switch A is connected to the remote server through the third-party
network. The management VLAN is deployed on the remote server and the VLAN ID that the
downstream user connected to Switch A belongs to is the same as the management VLAN ID.
The VLAN ID provided by the carrier, however, is different from the management VLAN ID.
Figure 5-3 Networking diagram for configuring QinQ stacking on the VLANIF interface
[Figure 5-3: Server (IP, VLAN 10, Eth0/0/2) connected over the Internet (VLAN 20) to SwitchA (Eth0/0/1, Eth0/0/2); SwitchC (Eth0/0/1, Eth0/0/2) with user1 in VLAN 10]
To remotely log in to the remote server for managing VLAN services on Switch A, you can
configure QinQ stacking on the VLANIF interface corresponding to the management VLAN on
Switch B.
NOTE
The VLANIF interface where QinQ stacking is configured must correspond to the management VLAN.
This is because other types of VLANs do not support QinQ stacking.
Configuration Roadmap
The configuration roadmap is as follows:
1.
2.
Data Preparation
To complete the configuration, you need the following data:
Procedure
Step 1 Configure Switch C.
# Configure Eth 0/0/1 and Eth 0/0/2 to allow packets from VLAN 10 to pass through.
<Quidway> system-view
[Quidway] sysname SwitchC
[SwitchC] vlan batch 10
[SwitchC] interface ethernet 0/0/1
[SwitchC-Ethernet0/0/1] port hybrid tagged vlan 10
[SwitchC-Ethernet0/0/1] quit
[SwitchC] interface ethernet 0/0/2
[SwitchC-Ethernet0/0/2] port hybrid tagged vlan 10
[SwitchC-Ethernet0/0/2] quit
Step 2 Configure Switch A.
# Stack outer VLAN tag 20 onto VLAN 10 frames received on Eth 0/0/1, and allow VLAN 20 to pass
through Eth 0/0/2 in tagged mode.
[SwitchA] interface ethernet 0/0/1
[SwitchA-Ethernet0/0/1] port vlan-stacking vlan 10 stack-vlan 20
[SwitchA-Ethernet0/0/1] port hybrid untagged vlan 20
[SwitchA-Ethernet0/0/1] quit
[SwitchA] interface ethernet 0/0/2
[SwitchA-Ethernet0/0/2] port hybrid tagged vlan 20
[SwitchA-Ethernet0/0/2] quit
Configuration Files
6 GVRP Configuration
GVRP Configuration
GVRP
GVRP is an application of GARP that maintains and propagates VLAN registration information
to other devices.
GARP
GARP enables member switches on a LAN to distribute, transmit, and register information such
as VLAN information and multicast addresses with one another.
GARP is not an entity on a device. GARP-compliant entities are called GARP participants.
GVRP is a GARP application. When a GARP application runs on an interface, the interface is
considered a GARP participant.
- Join timer: To ensure reliable transmission of Join messages, a participant can send each Join message twice. If the participant does not receive the response after sending the Join message the first time, it sends the Join message again. The Join timer specifies the interval between the two Join messages.
- Leave timer: When a GARP participant expects other participants to deregister its attribute, it sends Leave messages to other participants. When another participant receives the Leave message, it starts the Leave timer. If the participant does not receive any Join message before the Leave timer expires, it deregisters the attributes of the Leave message sender.
- LeaveAll timer: When a GARP participant is enabled, the LeaveAll timer is started. When the LeaveAll timer expires, the GARP participant sends LeaveAll messages to request other GARP participants to re-register all its attributes. Then the LeaveAll timer restarts.
NOTE
- The GARP timers apply to all GARP participants (such as GVRP) on the same LAN.
- The Hold timer, Join timer, and Leave timer must be set individually on each interface, whereas the LeaveAll timer is set globally and takes effect on all interfaces of a device.
- Devices on a network may have different settings of the LeaveAll timer. In this case, all the devices use the smallest LeaveAll timer value on the network. When the LeaveAll timer of a device expires, the device sends LeaveAll messages to other devices. After other devices receive the LeaveAll messages, they reset their LeaveAll timers. Therefore, only the LeaveAll timer with the smallest value takes effect even if devices have different settings of the LeaveAll timer.
[Figure: GARP PDU structure. An Ethernet frame carries a PDU made of the Protocol ID followed by Messages 1 to N; each Message consists of an Attribute Type and an Attribute List; the Attribute List consists of Attributes 1 to N; each Attribute consists of the Attribute Length, Attribute Event, and Attribute Value fields.]
Field            | Description                                                       | Value
-----------------+-------------------------------------------------------------------+----------------------
Protocol ID      |                                                                   | The value is 1.
Message          |                                                                   |
Attribute Type   |                                                                   |
Attribute List   |                                                                   |
Attribute        | Indicates an attribute, which consists of the Attribute Length,   |
                 | Attribute Event, and Attribute Value fields.                      |
Attribute Length |                                                                   |
Attribute Event  |                                                                   | - 0: LeaveAll event
                 |                                                                   | - 1: JoinEmpty event
                 |                                                                   | - 2: JoinIn event
                 |                                                                   | - 3: LeaveEmpty event
                 |                                                                   | - 4: LeaveIn event
                 |                                                                   | - 5: Empty event
Attribute Value  |                                                                   |
End Mark         |                                                                   |
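As an added illustration of the PDU layout in the table above (not code from this manual), the following Python script encodes and parses a GARP PDU: Protocol ID 1, messages made of an Attribute Type and an Attribute List of Length/Event/Value attributes, each list and the PDU closed by an End Mark. It assumes the standard GVRP encoding (Attribute Type 1 carrying a 2-byte VLAN ID, Attribute Length counting the length byte itself, and a LeaveAll attribute carrying no value); the sample PDU is constructed.

```python
# Added example (not Huawei code): encode and parse a GARP PDU in the layout the
# field table describes. GVRP specifics (VID attribute type 1, 2-byte VLAN ID,
# LeaveAll attribute without a value) are the IEEE 802.1D/802.1Q encoding and are
# assumptions of this example, not statements of the manual.
import struct

GARP_PROTOCOL_ID = 1           # "The value is 1" in the field table
GVRP_ATTR_TYPE_VID = 1         # assumed: the GVRP VLAN ID attribute type
END_MARK = 0x00

# Attribute Event values exactly as listed in the field table.
EVENTS = {0: "LeaveAll", 1: "JoinEmpty", 2: "JoinIn",
          3: "LeaveEmpty", 4: "LeaveIn", 5: "Empty"}


def encode_attribute(event, vid=None):
    """Encode one attribute: Attribute Length (counting itself), Event, Value."""
    if event == 0:                       # LeaveAll carries no Attribute Value
        return struct.pack("!BB", 2, event)
    if vid is None or not 1 <= vid <= 4094:
        raise ValueError("a VLAN ID between 1 and 4094 is required")
    return struct.pack("!BBH", 4, event, vid)


def encode_pdu(messages):
    """messages: list of (attribute_type, [(event, vid), ...])."""
    out = struct.pack("!H", GARP_PROTOCOL_ID)
    for attr_type, attrs in messages:
        out += struct.pack("!B", attr_type)
        for event, vid in attrs:
            out += encode_attribute(event, vid)
        out += bytes([END_MARK])         # End Mark closes the Attribute List
    out += bytes([END_MARK])             # End Mark closes the PDU
    return out


def parse_pdu(data):
    """Return [(attribute_type, [(event_name, vid_or_None), ...]), ...].
    Raises ValueError on a malformed PDU instead of guessing at its contents."""
    if len(data) < 3:
        raise ValueError("PDU too short")
    proto = struct.unpack_from("!H", data, 0)[0]
    if proto != GARP_PROTOCOL_ID:
        raise ValueError("unexpected Protocol ID %d" % proto)
    pos, messages = 2, []
    while pos < len(data):
        attr_type = data[pos]
        pos += 1
        if attr_type == END_MARK:        # End Mark at message level: PDU complete
            return messages
        attrs = []
        while True:
            if pos >= len(data):
                raise ValueError("attribute list not terminated")
            length = data[pos]
            if length == END_MARK:       # End Mark closes this Attribute List
                pos += 1
                break
            if length < 2 or pos + length > len(data):
                raise ValueError("bad Attribute Length %d" % length)
            event = data[pos + 1]
            if event not in EVENTS:
                raise ValueError("unknown Attribute Event %d" % event)
            value = None
            if length == 4:
                value = struct.unpack_from("!H", data, pos + 2)[0]
            elif length != 2:
                raise ValueError("unsupported Attribute Length %d" % length)
            attrs.append((EVENTS[event], value))
            pos += length
        messages.append((attr_type, attrs))
    raise ValueError("PDU not terminated by End Mark")


def requested_vids(data):
    """VLAN IDs a peer asks this interface to register (JoinEmpty or JoinIn).
    An interface in fixed or forbidden registration mode ignores these; on a
    normal interface each one becomes a dynamically registered VLAN."""
    vids = set()
    for attr_type, attrs in parse_pdu(data):
        if attr_type != GVRP_ATTR_TYPE_VID:
            continue
        for name, vid in attrs:
            if name in ("JoinEmpty", "JoinIn") and vid is not None:
                vids.add(vid)
    return vids


# Constructed sample PDU: JoinIn for VLAN 100, a LeaveAll, LeaveIn for VLAN 200.
SAMPLE_PDU = encode_pdu([(GVRP_ATTR_TYPE_VID, [(2, 100), (0, None), (4, 200)])])
```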
- Normal: In this mode, the GVRP interface can dynamically register and deregister VLANs, and transmit dynamic VLAN registration information and static VLAN registration information.
- Fixed: In this mode, the GVRP interface is disabled from dynamically registering and deregistering VLANs and can transmit only the static registration information. If the registration mode of a trunk interface is set to fixed, the interface allows only the manually configured VLANs to pass even if it is configured to allow all the VLANs to pass.
- Forbidden: In this mode, the GVRP interface is disabled from dynamically registering and deregistering VLANs and can transmit only information about VLAN 1. If the registration mode of a trunk interface is set to forbidden, the interface allows only VLAN 1 to pass even if it is configured to allow all the VLANs to pass.
Pre-configuration Tasks
Before configuring the GVRP function, complete the following task:
Data Preparation
To configure the GVRP function, you need the following data.
Procedure
Step 1 Run:
system-view
gvrp
----End
- Normal: In this mode, the GVRP interface can dynamically register and deregister VLANs, and transmit dynamic VLAN registration information and static VLAN registration information.
- Fixed: In this mode, the GVRP interface is disabled from dynamically registering and deregistering VLANs and can transmit only the static registration information. If the registration mode of a trunk interface is set to fixed, the interface allows only the manually configured VLANs to pass even if it is configured to allow all the VLANs to pass.
- Forbidden: In this mode, the GVRP interface is disabled from dynamically registering and deregistering VLANs and can transmit only information about VLAN 1. If the registration mode of a trunk interface is set to forbidden, the interface allows only VLAN 1 even if it is configured to allow all the VLANs.
Procedure
Step 1 Run:
system-view
Before setting the registration mode of an interface, you need to enable GVRP on the interface.
----End
- The undo garp timer command restores the default values of the GARP timers. If the default value of a timer is out of the valid range, the undo garp timer command does not take effect.
- The value range of each timer changes with the values of the other timers. If a value you set for a timer is not in the allowed range, you can change the value of the timer that determines the value range of this timer.
- To restore the default values of all the GARP timers, restore the Hold timer to the default value, and then restore the Join timer, Leave timer, and LeaveAll timer to the default values in sequence.
NOTE
In actual application, it is recommended that you use the following values of the GVRP timers:
When the number of dynamic VLANs increases, the GARP timers need to be lengthened.
Procedure
Step 1 Run:
system-view
The value of the Hold timer, Join timer, or Leave timer is set.
By default, the value of the Hold timer is 10 centiseconds, the value of the Join timer is 20
centiseconds, and the value of the Leave timer is 60 centiseconds.
----End
Run the display gvrp status command to check whether GVRP is enabled globally.
Run the display gvrp statistics [ interface { interface-type interface-number [ to interface-type interface-number ] }&<1-10> ] command to view the statistics about GVRP on an interface.
Run the display garp timer [ interface { interface-type interface-number [ to interface-type interface-number ] }&<1-10> ] command to view the values of GARP timers.
----End
Context
CAUTION
GARP statistics cannot be restored after being cleared. Therefore, use this command with
caution.
Procedure
Step 1 Run the reset garp statistics [ interface { interface-type interface-number [ to interface-type
interface-number ] }&<1-10> ] command in the user view to clear statistics about GARP on the
specified interfaces.
----End
[Figure: networking diagram for GVRP. Labels: SwitchA (Eth0/0/1, Eth0/0/2); SwitchB (Eth0/0/1, Eth0/0/2); SwitchC (Eth0/0/1, Eth0/0/2); Company A; Branch of Company A; Company B]
Configuration Roadmap
The configuration roadmap is as follows:
1.
2.
3.
4.
Data Preparation
To complete the configuration, you need the following data:
- Registration modes of Eth 0/0/1 and Eth 0/0/2 of Switch C: fixed and normal respectively
Procedure
Step 1 Configure Switch A.
# Enable GVRP globally.
<Quidway> system-view
[Quidway] sysname SwitchA
[SwitchA] gvrp
[SwitchA] bpdu enable
# Set the link type of Eth 0/0/1 and Eth 0/0/2 to trunk and configure the interfaces to allow all
VLANs.
[SwitchA] interface ethernet 0/0/1
[SwitchA-Ethernet0/0/1] port link-type trunk
[SwitchA-Ethernet0/0/1] port trunk allow-pass vlan all
[SwitchA-Ethernet0/0/1] quit
[SwitchA] interface ethernet 0/0/2
[SwitchA-Ethernet0/0/2] port link-type trunk
[SwitchA-Ethernet0/0/2] port trunk allow-pass vlan all
[SwitchA-Ethernet0/0/2] quit
# Enable GVRP on the interfaces and set the registration modes of the interfaces.
[SwitchA] interface ethernet 0/0/1
[SwitchA-Ethernet0/0/1] gvrp
[SwitchA-Ethernet0/0/1] gvrp registration normal
[SwitchA-Ethernet0/0/1] quit
[SwitchA] interface ethernet 0/0/2
[SwitchA-Ethernet0/0/2] gvrp
[SwitchA-Ethernet0/0/2] gvrp registration normal
[SwitchA-Ethernet0/0/2] quit
The configuration of Switch B is similar to the configuration of Switch A, and is not mentioned
here.
Step 2 Configure Switch C.
# Create VLAN 101 to VLAN 200.
<Quidway> system-view
[Quidway] sysname SwitchC
[SwitchC] vlan batch 101 to 200
# Set the link type of Eth 0/0/1 and Eth 0/0/2 to trunk and configure the interfaces to allow all
VLANs.
[SwitchC] interface ethernet 0/0/1
[SwitchC-Ethernet0/0/1] port link-type trunk
[SwitchC-Ethernet0/0/1] port trunk allow-pass vlan all
[SwitchC-Ethernet0/0/1] quit
[SwitchC] interface ethernet 0/0/2
[SwitchC-Ethernet0/0/2] port link-type trunk
[SwitchC-Ethernet0/0/2] port trunk allow-pass vlan all
[SwitchC-Ethernet0/0/2] quit
# Enable GVRP on the interfaces and set the registration modes of the interfaces.
[SwitchC] interface ethernet 0/0/1
[SwitchC-Ethernet0/0/1] gvrp
[SwitchC-Ethernet0/0/1] gvrp registration fixed
[SwitchC-Ethernet0/0/1] quit
[SwitchC] interface ethernet 0/0/2
[SwitchC-Ethernet0/0/2] gvrp
[SwitchC-Ethernet0/0/2] gvrp registration normal
[SwitchC-Ethernet0/0/2] quit
Run the display gvrp statistics command on Switch A to view statistics about GVRP on GVRP
interfaces, including the GVRP state of each interface, number of GVRP registration failures,
source MAC address of the last GVRP PDU, and registration type of each interface.
<SwitchA> display gvrp statistics
GVRP statistics on port Ethernet0/0/1
GVRP status                : Enabled
GVRP registrations failed  : 0
GVRP last PDU origin       : 0000-0000-0000
GVRP registration type     : Normal
Configuration Files
#
sysname SwitchA
#
gvrp
#
interface Ethernet0/0/1
port link-type trunk
port trunk allow-pass vlan 2 to 4094
gvrp
#
interface Ethernet0/0/2
port link-type trunk
port trunk allow-pass vlan 2 to 4094
gvrp
#
return
#
sysname SwitchB
#
gvrp
#
interface Ethernet0/0/1
port link-type trunk
port trunk allow-pass vlan 2 to 4094
gvrp
#
interface Ethernet0/0/2
port link-type trunk
port trunk allow-pass vlan 2 to 4094
gvrp
#
return
#
sysname SwitchC
#
vlan batch 101 to 200
#
gvrp
#
interface Ethernet0/0/1
port link-type trunk
port trunk allow-pass vlan 2 to 4094
gvrp
gvrp registration fixed
#
interface Ethernet0/0/2
port link-type trunk
port trunk allow-pass vlan 2 to 4094
gvrp
#
return
Definition
A MAC address table is maintained on the S2700. The MAC address table stores the MAC
addresses of other devices learned by the S2700, the VLAN IDs, and the outbound interfaces
that are used to send data. Before forwarding a data packet, the S2700 searches the MAC address
table based on the destination MAC address and the VLAN ID of the packet to find the outbound
interface quickly. This reduces the number of broadcast packets.
- Automatic creation: MAC address entries are learned by the system automatically. The MAC address table needs to be updated constantly because the network topology always changes. The automatically created MAC address entries are not always valid. Each entry has an aging time. If an entry is not updated within the aging time, it is deleted. If the entry is updated before its aging time expires, the aging timer is reset.
- Manual creation: Automatically created MAC address entries cannot distinguish packets of authorized users from attack packets. If a hacker sets the source MAC address of attack packets to the MAC address of an authorized user and connects to another interface of the S2700, the S2700 learns an incorrect MAC address entry. The packets that should be forwarded to the authorized user are forwarded to the hacker. To improve interface security, you can manually create MAC address entries to bind MAC addresses of authorized users to specified interfaces. This prevents hackers from intercepting data of authorized users. Manually created MAC address entries take precedence over automatically created MAC address entries.
- Dynamic MAC address entries that are learned by an interface after MAC address learning is enabled.
- Static MAC address entries that are configured manually. Static MAC address entries take precedence over dynamic MAC address entries.
- Blackhole MAC address entries that are manually configured and used to discard data frames with the specified source or destination MAC addresses. Blackhole MAC address entries take precedence over dynamic MAC address entries.
- Unicast mode: If the destination MAC address of a packet can be found in the MAC address table, the S2700 forwards the packet through the outbound interface specified in the matching entry.
Huawei Proprietary and Confidential
Copyright Huawei Technologies Co., Ltd.
- Create static MAC address entries for MAC addresses of fixed upstream devices or trusted user devices to improve communication security.
- Configure blackhole MAC address entries to protect the S2700 from attacks.
- Set a proper aging time for dynamic MAC addresses to prevent a sharp increase of dynamic MAC address entries.
You can use the following methods to improve security or meet special requirements:
- Disable MAC address learning. This method can be used on a network where the topology seldom changes or forwarding paths are specified in static MAC address entries. This method prevents users with unknown MAC addresses from accessing the network, protects the network from MAC address attacks, and improves network security.
- Limit the number of MAC addresses that can be learned. This method can be used on an insecure network to prevent untrusted users from connecting to the network.
- Enable port security. If a network requires high security, port security can be configured on the interfaces connected to trusted devices. The port security function prevents devices with untrusted MAC addresses from accessing these interfaces and improves device security.
- Discard packets with an all-0 MAC address. A faulty device may send packets with an all-0 source or destination MAC address to the S2700. You can configure the S2700 to discard such packets and send a trap to the network management system (NMS). You can locate the faulty device according to the trap message.
Port Security
The port security function changes MAC addresses learned by an interface to secure dynamic
MAC addresses or sticky MAC addresses. It prevents devices with untrusted MAC addresses
from accessing an interface and improves device security.
Differences between secure dynamic MAC addresses and sticky MAC addresses are:
- Secure dynamic MAC addresses are learned after port security is enabled and are not aged out by default. You can set the aging time of secure dynamic MAC addresses so that they can be aged out. Secure dynamic MAC addresses are lost after the device restarts, and the device needs to learn the MAC addresses again.
- Sticky MAC addresses are learned after the sticky MAC function is enabled. Sticky MAC addresses are not aged out and persist after the S2700 restarts.
Applicable Environment
You can configure a static MAC address entry if an interface is connected to an upstream device
or a server, as shown in Figure 7-1. Attackers may set the source MAC address of packets to
the server MAC address and send the packets to the Switch to intercept data of the server. To
protect the server and ensure communication between users and the server, you can configure a
static MAC address entry in which the destination MAC address is the server MAC address and
the outbound interface is the interface connected to the server.
[Figure 7-1: Network; Server; Switch; LSW (VLAN2, VLAN4); PC1; PC2]
Pre-configuration Tasks
None.
Data Preparation
To configure a static MAC address entry, you need the following data.
Procedure
Step 1 Run:
system-view
Static MAC address entries take precedence over dynamic MAC address entries.
----End
Applicable Environment
To protect user devices or network devices from MAC address attacks, you can configure
untrusted MAC addresses as blackhole MAC addresses. Packets with source or destination MAC
addresses matching the blackhole MAC address entries are discarded.
Pre-configuration Tasks
None.
Data Preparation
To configure a blackhole MAC address entry, you need the following data.
- Destination or source MAC address and ID of the VLAN to which the outbound interface belongs
Procedure
Step 1 Run:
system-view
Applicable Environment
Dynamic MAC address entries are learned by the S2700 from the source MAC addresses of
received packets. The system starts an aging timer for each dynamic MAC address entry. If a dynamic
MAC address entry is not updated within a certain period (twice the aging time), this entry is
deleted. If the entry is updated within this period, the aging timer of this entry is reset. A shorter
aging time enables the S2700 to respond to network topology changes more quickly.
The network topology changes frequently, and the S2700 will learn many MAC addresses. After
the aging time of dynamic MAC address entries is set, the S2700 can delete unneeded MAC
address entries to prevent sharp increase of MAC address entries.
Pre-configuration Tasks
None.
Data Preparation
To set the aging time of dynamic MAC address entries, you need the following data.
- Aging time
Procedure
Step 1 Run:
system-view
Run the display mac-address aging-time command to check whether the aging time of
dynamic MAC address entries is set properly.
Applicable Environment
As shown in Figure 7-2, an interface of the Switch is connected to a server. To protect the server,
configure the server MAC address as a static MAC address, disable MAC address learning on
the interface, and configure the interface to discard the packets with unknown MAC addresses.
The configuration prevents other servers or terminals from accessing the interface and improves
network stability and security.
Figure 7-2 Disabling MAC address learning
[Figure 7-2: Server connected to the Switch on an interface configured with mac-address learning disable]
Pre-configuration Tasks
None.
Data Preparation
To disable MAC address learning, you need the following data.
- VLAN ID
Context
When an S2700 enabled with MAC address learning receives an Ethernet frame, it records the
source MAC address and inbound interface of the Ethernet frame in a MAC address entry. When
receiving other Ethernet frames destined for this MAC address, the S2700 forwards the frames
through the corresponding outbound interface according to the MAC address entry. The MAC
address learning function reduces broadcast packets on a network. After MAC address learning
is disabled on an interface, the S2700 does not learn source MAC addresses of packets received
by the interface.
Procedure
Step 1 Run:
system-view
If you set the action to forward when disabling MAC address learning, untrusted terminals can still access
the network. This action only controls the number of learned MAC address entries.
----End
Context
After MAC address learning is disabled in a VLAN, the S2700 checks source MAC addresses
of packets received by interfaces in the VLAN. If the source MAC address of a packet is in the
MAC address table, the S2700 forwards the packet; otherwise, the S2700 broadcasts the packet.
Procedure
Step 1 Run:
system-view
Procedure
----End
Applicable Environment
As shown in Figure 7-3, an insecure residential network or enterprise often receives packets
with bogus MAC addresses. The capacity of a MAC address table is limited; therefore, if hackers
forge a large number of packets with different source MAC addresses and send the packets to
the Switch, the MAC address table of the Switch becomes full quickly. When the MAC address
table is full, the Switch cannot learn source MAC addresses of valid packets. A limit can be set
for the number of learned MAC addresses. When the number of learned MAC addresses reaches
the limit, the Switch stops learning MAC addresses. When the Switch receives packets with
unknown source MAC addresses, it can be configured to generate an alarm. This protects the
network from MAC address attacks.
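The following Python model (added here, not Huawei code) ties together the MAC address entry types and their precedence described at the start of this chapter, the aging rule from the section on the aging time, and the learning limit with its alarm described above; interface names, MAC addresses, timings and the discard action on reaching the limit are constructed assumptions.

```python
# Added example, not Huawei code: a model of the MAC address table behaviour this
# chapter describes. Interface names, MAC addresses and timings are constructed.

# Constructed sample values in the manual's MAC notation.
SERVER_MAC = "00e0-fc00-0001"
PC1_MAC, PC2_MAC, PC3_MAC = "00e0-fc00-0101", "00e0-fc00-0102", "00e0-fc00-0103"
BAD_MAC = "00e0-fc00-0bad"


class MacTable:
    def __init__(self, aging_time=300, mac_limit=None, limit_action="discard"):
        self.aging_time = aging_time        # seconds; entries die after twice this
        self.mac_limit = mac_limit          # per-interface learning limit, None = unlimited
        self.limit_action = limit_action    # "discard" or "forward" once the limit is hit
        self.static = {}                    # (vlan, mac) -> interface; wins over dynamic
        self.blackhole = set()              # (vlan, mac); matching frames are dropped
        self.dynamic = {}                   # (vlan, mac) -> (interface, last_seen)
        self.alarms = []                    # (interface, vlan, mac) traps for the NMS

    def add_static(self, vlan, mac, interface):
        """Bind a trusted MAC to an interface; a learned entry for it is discarded."""
        self.static[(vlan, mac)] = interface
        self.dynamic.pop((vlan, mac), None)

    def add_blackhole(self, vlan, mac):
        self.blackhole.add((vlan, mac))
        self.dynamic.pop((vlan, mac), None)

    def age(self, now):
        """Delete dynamic entries not refreshed within twice the aging time."""
        deadline = 2 * self.aging_time
        self.dynamic = {k: v for k, v in self.dynamic.items()
                        if now - v[1] <= deadline}

    def learned_on(self, interface):
        return sum(1 for ifc, _ in self.dynamic.values() if ifc == interface)

    def receive(self, interface, vlan, src, dst, now):
        """Process one frame; return 'discard', 'flood' or the outbound interface."""
        self.age(now)
        if (vlan, src) in self.blackhole or (vlan, dst) in self.blackhole:
            return "discard"
        key = (vlan, src)
        if key not in self.static:                      # a static binding is never relearned
            if key in self.dynamic:
                self.dynamic[key] = (interface, now)    # refresh resets the aging timer
            elif self.mac_limit is not None and self.learned_on(interface) >= self.mac_limit:
                self.alarms.append((interface, vlan, src))   # limit reached: trap to the NMS
                if self.limit_action == "discard":
                    return "discard"
            else:
                self.dynamic[key] = (interface, now)
        out = self.static.get((vlan, dst))
        if out is None and (vlan, dst) in self.dynamic:
            out = self.dynamic[(vlan, dst)][0]
        return out if out is not None else "flood"


def demo():
    """Walk through the scenarios of this chapter; returns the decisions and alarms."""
    t = MacTable(aging_time=300, mac_limit=2)
    t.add_static(2, SERVER_MAC, "Ethernet0/0/1")
    r = []
    r.append(t.receive("Ethernet0/0/5", 2, SERVER_MAC, PC1_MAC, now=0))   # spoofed server MAC
    r.append(t.receive("Ethernet0/0/2", 2, PC1_MAC, SERVER_MAC, now=1))   # learned, count 1
    r.append(t.receive("Ethernet0/0/2", 2, PC2_MAC, SERVER_MAC, now=2))   # learned, count 2
    r.append(t.receive("Ethernet0/0/2", 2, PC3_MAC, SERVER_MAC, now=3))   # over the limit
    r.append(t.receive("Ethernet0/0/1", 2, SERVER_MAC, PC1_MAC, now=700)) # PC1 entry aged out
    t.add_blackhole(2, BAD_MAC)
    r.append(t.receive("Ethernet0/0/3", 2, BAD_MAC, SERVER_MAC, now=701))
    return r, t.alarms
```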
Figure 7-3 Limiting the number of MAC addresses on an insecure network
[Figure 7-3: Internet; Switch (MAC-Limit, VLAN2); LSW1 (VLAN2); LSW2 (VLAN2)]
Pre-configuration Tasks
Before limiting the number of learned MAC addresses, complete the following task:
• Deleting the existing MAC address entries from the interface where you want to limit the number of learned MAC addresses
Data Preparation
To limit the number of learned MAC addresses, you need the following data.
Context
The MAC address limiting rule applies to all MAC addresses, including trusted MAC addresses.
If a user from an enterprise or a family uses bogus MAC addresses to attack the network, users
in the enterprise or family are not allowed to access the network, but other users on the network
are not affected.
Procedure
Step 1 Run:
system-view
The S2700 is configured to (or not to) send a trap to the NMS when the number of learned MAC
addresses reaches the limit.
By default, the S2700 sends a trap to the NMS when the number of learned MAC addresses
reaches the limit.
----End
Procedure
Step 1 Run the display mac-limit [ interface-type interface-number | vlan vlan-id ] command to view
the MAC address limiting rule.
----End
Applicable Environment
If a network requires high access security, you can configure port security on specified interfaces.
MAC addresses learned by these interfaces change to secure dynamic MAC addresses or sticky
MAC addresses. When the number of learned MAC addresses reaches the limit, the interface
does not learn new MAC addresses and allows only the devices with the learned MAC addresses
to communicate with the S2700. This prevents devices with untrusted MAC addresses from
accessing these interfaces, improving security of the S2700 and the network.
Pre-configuration Tasks
Before configuring port security on an interface, complete the following tasks:
Data Preparation
To configure port security on an interface, you need the following data.
No. Data
• Secure dynamic MAC: interface type and number, limit on the number of learned MAC addresses, action to perform when the limit is exceeded, and aging time of secure dynamic MAC addresses
• Sticky MAC: interface type and number, limit on the number of learned MAC addresses, and action to perform when the limit is exceeded
Context
By default, secure dynamic MAC addresses will not be aged out. You can set the aging time of
secure dynamic MAC addresses so that they can be aged out. Secure dynamic MAC addresses
will be lost after the device restarts and the device needs to learn the MAC addresses again.
Procedure
Step 1 Run:
system-view
You can set the limit on the number of secure dynamic MAC addresses, aging time of secure dynamic
MAC addresses, and protection action only when port security is enabled.
• shutdown: shuts down the interface when the number of learned MAC addresses exceeds the limit.
Step 6 (Optional) Run:
port-security aging-time time [ type { absolute | inactivity } ]
Context
The sticky MAC function changes MAC addresses learned by an interface to sticky MAC
addresses. Sticky MAC addresses will not be aged out and will exist after the S2700 restarts.
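The following Python model, added here and not part of the Huawei manual, simulates the MAC limit, port security (protect and shutdown actions) and sticky versus secure dynamic entries described in the sections above, and runs a constructed source-MAC flooding scenario against a secured and an unsecured interface. The SwitchSim API, interface names and MAC addresses are assumptions made for the illustration.

```python
"""Model of a bounded MAC address table with a per-interface MAC limit and
port security, following the behaviour described in this chapter.
Added example, not Huawei code: the class names, the SwitchSim API and the
sample interface names and MAC addresses are assumptions for illustration."""
from collections import OrderedDict
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class PortSecurity:
    max_mac_num: int            # limit on MAC addresses the interface may learn
    action: str = "protect"     # "protect": drop frames from new sources; "shutdown": error-down the interface
    sticky: bool = False        # sticky entries survive a restart, secure dynamic entries do not


@dataclass
class Interface:
    name: str
    security: Optional[PortSecurity] = None
    up: bool = True
    alarm_sent: bool = False


@dataclass
class SwitchSim:
    table_capacity: int                                   # size of the whole MAC address table
    interfaces: Dict[str, Interface] = field(default_factory=dict)
    table: "OrderedDict[str, str]" = field(default_factory=OrderedDict)  # MAC -> interface
    secure: Dict[str, str] = field(default_factory=dict)  # MAC -> "dynamic" | "sticky"
    traps: List[str] = field(default_factory=list)        # messages that would go to the NMS

    def add_interface(self, name: str, security: Optional[PortSecurity] = None) -> None:
        self.interfaces[name] = Interface(name, security)

    def learned_on(self, ifname: str) -> int:
        return sum(1 for port in self.table.values() if port == ifname)

    def receive(self, ifname: str, src_mac: str) -> str:
        """Handle the source MAC of an ingress frame.
        Returns 'learned', 'known', 'dropped' or 'port-down'."""
        intf = self.interfaces[ifname]
        if not intf.up:
            return "port-down"
        if src_mac in self.table:
            return "known"
        sec = intf.security
        if sec is not None and self.learned_on(ifname) >= sec.max_mac_num:
            # Limit reached: only the already-learned MAC addresses may use this interface.
            if not intf.alarm_sent:
                self.traps.append(f"{ifname}: MAC limit {sec.max_mac_num} reached")
                intf.alarm_sent = True
            if sec.action == "shutdown":
                intf.up = False
                self.traps.append(f"{ifname}: interface shut down by port security")
                return "port-down"
            return "dropped"
        if len(self.table) >= self.table_capacity:
            # Table full: nothing more can be learned, which is what flooding aims for.
            return "dropped"
        self.table[src_mac] = ifname
        if sec is not None:
            self.secure[src_mac] = "sticky" if sec.sticky else "dynamic"
        return "learned"

    def restart(self) -> None:
        """Dynamic and secure dynamic entries are lost on restart; sticky entries persist."""
        self.table = OrderedDict((m, p) for m, p in self.table.items()
                                 if self.secure.get(m) == "sticky")
        self.secure = {m: "sticky" for m in self.table}
        for intf in self.interfaces.values():
            intf.up, intf.alarm_sent = True, False


def flood_demo(secured: bool, flood_count: int = 50):
    """Constructed scenario: a host on Eth0/0/1 sends frames with flood_count
    bogus source MACs, then a legitimate PC on Eth0/0/2 must be learned.
    Returns (entries in the table, result for the legitimate PC)."""
    sw = SwitchSim(table_capacity=32)
    policy = PortSecurity(max_mac_num=4, action="protect") if secured else None
    sw.add_interface("Eth0/0/1", policy)
    sw.add_interface("Eth0/0/2")
    for i in range(flood_count):
        sw.receive("Eth0/0/1", f"0000-0000-{i:04x}")   # constructed bogus sources
    legit = sw.receive("Eth0/0/2", "0002-0002-0002")
    return len(sw.table), legit
```

Without port security the 32-entry table fills with bogus sources and the legitimate PC is never learned; with a limit of 4 on Eth0/0/1 the table holds five entries and the PC is learned.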
Procedure
Step 1 Run:
system-view
Procedure
----End
Applicable Environment
A faulty network device may send packets with an all-0 source or destination MAC address to
the S2700. You can configure the S2700 to discard such packets and send a trap to the network
management system (NMS). You can locate the faulty device according to the trap message.
NOTE
The S2700SI cannot discard invalid packets with an all-0 source or destination MAC address.
Pre-configuration Tasks
Data Preparation
None.
Procedure
Step 1 Run:
system-view
The S2700 is configured to send a trap to the NMS when receiving packets with an all-0 MAC
address.
By default, the S2700 does not send a trap to the NMS when receiving packets with an all-0
MAC address.
NOTE
The S2700 sends only one trap after receiving packets with an all-0 MAC address. To enable the S2700 to
send a trap again, run the drop illegal-mac alarm command.
----End
• To prevent hackers from attacking the network with MAC addresses, you need to add a static entry to the MAC table of the Switch for each user host. When sending packets through Eth 0/0/1, the Switch changes the VLAN ID to VLAN 4 to which the LSW belongs. In addition, you need to set the aging time of the dynamic entries in the MAC address table to 500 seconds.
• To prevent hackers from forging the MAC address of the server and stealing user information, you can configure packet forwarding based on static MAC address entries on the Switch.
[Figure: Network - Switch (Eth 0/0/2, MAC address 4-4-4, VLAN2; Eth 0/0/1) - LSW (VLAN4) - PC1 and PC2 (MAC addresses 2-2-2 and 3-3-3)]
Configuration Roadmap
The configuration roadmap is as follows:
1.
2.
3.
Data Preparation
To complete the configuration, you need the following data:
• VLAN ID required to be changed to when the Switch sends packets through the outgoing interface: VLAN 4
• Aging time of dynamic entries in the MAC address table of the Switch: 500 seconds
Procedure
Step 1 Add static MAC address entries.
# Create VLAN 2; add Eth 0/0/1 and Eth 0/0/2 to VLAN 2; configure VLAN mapping on Eth 0/0/1.
<Quidway> system-view
[Quidway] vlan 2
[Quidway-vlan2] quit
[Quidway] interface ethernet 0/0/1
[Quidway-Ethernet0/0/1] port hybrid pvid vlan 2
[Quidway-Ethernet0/0/1] port hybrid untagged vlan 2
[Quidway-Ethernet0/0/1] port vlan-mapping vlan 4 map-vlan 2
[Quidway-Ethernet0/0/1] quit
[Quidway] interface ethernet 0/0/2
[Quidway-Ethernet0/0/2] port hybrid pvid vlan 2
[Quidway-Ethernet0/0/2] port hybrid untagged vlan 2
[Quidway-Ethernet0/0/2] quit
# Run the display mac-address aging-time command in any view. You can check whether the
aging time of dynamic entries is set successfully.
[Quidway] display mac-address aging-time
Aging time: 500 seconds
----End
Configuration Files
The following lists the configuration file of the Switch.
#
sysname Quidway
#
vlan batch 2
#
mac-address aging-time 500
#
interface Ethernet0/0/1
port hybrid pvid vlan 2
port hybrid untagged vlan 2
port vlan-mapping vlan 4 map-vlan 2
#
interface Ethernet0/0/2
port hybrid pvid vlan 2
port hybrid untagged vlan 2
#
mac-address static 0002-0002-0002 Ethernet0/0/1 vlan 2
mac-address static 0003-0003-0003 Ethernet0/0/1 vlan 2
mac-address static 0004-0004-0004 Ethernet0/0/2 vlan 2
#
return
[Figure: Internet - Switch (Eth0/0/1, VLAN 10) - SwitchA - PC1, PC2, PC3]
Configuration Roadmap
The configuration roadmap is as follows:
1. Create a VLAN and set the link type of the interface to trunk.
2.
3.
4.
5. Set the maximum number of MAC addresses that can be learned by the interface.
Data Preparation
To complete the configuration, you need the following data:
Procedure
Step 1 Create a VLAN and set the link type of the interface to trunk.
<Quidway> system-view
[Quidway] vlan 10
[Quidway-vlan10] quit
[Quidway] interface ethernet 0/0/1
[Quidway-Ethernet0/0/1] port link-type trunk
[Quidway-Ethernet0/0/1] port trunk allow-pass vlan 10
# Set the maximum number of MAC addresses that can be learned by the interface.
[Quidway-Ethernet0/0/1] port-security max-mac-num 4
To enable the interface security function on other interfaces, repeat the preceding steps.
Step 3 Verify the configuration.
If PC1 is replaced by another PC, this PC cannot access the intranet of the company.
----End
Configuration Files
Configuration file of the Switch
#
sysname Quidway
#
vlan batch 10
#
interface Ethernet0/0/1
port link-type trunk
port trunk allow-pass vlan 10
port-security enable
port-security protect-action protect
port-security mac-address sticky
port-security max-mac-num 4
#
return
8 STP/RSTP Configuration
Introduction
On a complex network, loops are inevitable. With the requirement for network redundancy
backup, network designers tend to deploy multiple physical links between two devices, one of
which is the master and the others are the backup. Loops are likely or bound to occur in such a
situation.
Loops cause broadcast storms, which exhaust network resources and paralyze the network. Loops also cause MAC address table flapping, which damages MAC address entries.
The devices running STP discover loops on the network by exchanging information with each other and trim the ring topology into a loop-free tree topology by blocking a certain interface. In this manner, replication and circular propagation of packets are prevented on the network, and the processing performance of devices is not degraded by continuously processing repeated packets.
STP, however, converges the network topology slowly. In 2001, the IEEE published document
802.1w to introduce an evolution of the Spanning Tree Protocol: Rapid Spanning Tree Protocol
(RSTP). RSTP is developed based on STP but outperforms STP.
Concepts
Root bridge
A tree topology must have a root. Therefore, STP/RSTP introduces the root bridge. There is only one root bridge on the entire STP/RSTP-capable network. The root bridge is the logical center, but not necessarily the physical center, of the entire network. When the network topology changes, another switching device may take over the root bridge role.
ID
There are Bridge IDs (BIDs) and port IDs (PIDs).
BID
IEEE 802.1D defines that a BID is composed of a 2-bit bridge priority and a bridge
MAC address. That is, BID (8 bits) = Bridge priority (2 bits) + Bridge MAC address (6
bits).
On the STP-capable network, the device with the smallest BID is selected as the root
bridge. The bridge priority that is allowed to be configured on a Huawei device ranges
from 0 to 61440. By default, the bridge priority is 32768.
PID
A 16-bit PID is composed of a 4-bit port priority and a 12-bit port number.
The PID is used when the designated port needs to be selected. That is, when the root
path costs and the sender BIDs of two ports are the same, the port with a smaller PID
is selected as the designated port. As shown in Figure 8-1, the root path costs and sender
BIDs of port A and port B on S2 are the same. Port A has a smaller PID, and is thus
selected as the designated port on the local segment. The port priority that can be configured on a Huawei device ranges from 0 to 240, in steps of 16; that is, the port priority can be 0, 16, 32, and so on. By default, the port priority is 128.
Path cost
A path cost is port-specific, which is used by STP/RSTP as a reference to select a link.
STP/RSTP calculates the path cost to select the robust link and blocks redundant links to
trim the network into a loop-free tree topology.
On an STP/RSTP-capable network, the accumulative cost of the path from a certain port
to the root bridge is the sum of the costs of the segment paths into which the path is separated
by the ports on the transit bridges.
Port roles
STP-capable port
Root port
The root port is the port that is nearest to the root bridge. The root port is determined
based on the path cost. Among all the ports where STP is enabled on the network
bridge, the port with the smallest root path cost is the root port. There is only one
root port on an STP-capable device, but there is no root port on the root bridge.
Designated Port
The designated port on a switching device forwards bridge protocol data units
(BPDUs) to the downstream switching device. All ports on the root bridge are
designated ports. A designated port is selected on each network segment. The device
where the designated port resides is called the designated bridge on the network
segment.
RSTP-capable port
Compared with STP, RSTP has two additional types of ports, namely, the alternate port and the backup port. These additional port roles are defined to make the spanning tree easier to understand and deploy.
[Figure 8-1: S1 (root bridge), S2 (ports A and B), S3 (port b); legend: root port, designated port, alternate port, backup port]
As shown in Figure 8-1, RSTP defines four port roles: root port, designated port,
alternate port, and backup port.
The functions of the root port and designated port are the same as those defined in STP.
The description of the alternate port and backup port is as follows:
From the perspective of configuration BPDU transmission:
The alternate port is blocked after learning the configuration BPDUs sent by
other bridges.
The backup port is blocked after learning the configuration BPDUs sent by itself.
From the perspective of user traffic:
The alternate port backs up the root port and provides an alternate path from the
designated bridge to the root bridge.
The backup port backs up the designated port and provides an alternate path from
the root node to the leaf node.
After all ports are assigned roles, topology convergence is completed.
Port status
STP port state
Table 8-1 shows the port status of an STP-capable port.
Table 8-1 STP port state
Port state | Purpose | Description
Forwarding | |
Learning | |
Listening | |
Blocking | |
Disabled | |
RSTP port state (Table 8-2)
Port state | Description
Forwarding |
Learning |
Discarding |
CAUTION
A Huawei datacom device is in MSTP mode by default. After a device experiences the
transition from the MSTP mode to the STP mode, an STP-capable port supports the same
port states as those supported by an MSTP-capable port, including the Forwarding,
Learning, and Discarding states. For details, see Table 8-2.
Three timers
Hello Timer
Sets the interval at which BPDUs are sent.
Forward Delay Timer
Sets the time spent in the Listening and Learning states.
Max Age
Sets the maximum lifetime of a BPDU on the network. When the Max Age time expires,
the connection to the root bridge fails.
Spanning Tree Protocol | Characteristics | Applicable Environment | Precautions
STP
• Characteristics: A loop-free tree is generated. Thus, broadcast storms are prevented and redundancy is implemented.
• Applicable Environment: Irrespective of different users or services, all VLANs share one spanning tree.
RSTP
• Characteristics: A loop-free tree is generated. Thus, broadcast storms are prevented and redundancy is implemented. A feedback mechanism is provided to confirm topology convergence. Thus, rapid convergence is implemented.
Precautions (NOTE):
• If the current switching device supports STP and RSTP, RSTP is recommended.
• If the current switching device supports STP or RSTP, and MSTP, MSTP is recommended. See MSTP Configuration.
MSTP
• Characteristics: In an MSTP region, a loop-free tree is generated. Thus, broadcast storms are prevented and redundancy is implemented. A feedback mechanism is provided to confirm topology convergence. Thus, rapid convergence is implemented.
• Applicable Environment: User- or service-specific load balancing is required. Traffic for different VLANs is forwarded through different spanning trees, which are independent of each other.
• Precautions: MSTP implements load balancing among VLANs. Traffic in different VLANs is transmitted along different paths.
1. Select a switching device (functioning as a root bridge) from the switching devices for each spanning tree. You can configure the priorities of the switching devices to preferentially select a root bridge.
2. In each spanning tree, calculate the shortest paths from the other switching devices to the root bridge, and select a root port for each non-root switching device. You can configure the cost of the path from a switching device to the root bridge to preferentially select a root port.
3. In each spanning tree, select a designated port for each connection according to the bridge ID, the path cost, and the port IDs. If the devices have the same bridge ID and path cost, you can configure the port priorities to preferentially select a designated port.
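As an added worked example (not Huawei code), the Python below carries the three steps above through a constructed three-switch ring: it computes the root bridge, root path costs, root ports and, per segment, the designated, alternate and backup ports, and shows how raising a port's priority value demotes it in designated port selection. Bridge names and MAC addresses are constructed; the path costs are the 1 Gbit/s and 100 Mbit/s values from Table 8-5.

```python
"""Worked STP/RSTP election for a constructed topology, following the three
steps above: root bridge by smallest BID, root port by smallest root path cost,
designated port per segment by (root path cost, sender BID, sender PID).
Added example, not Huawei code; bridge names, MACs and costs are constructed."""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Bridge:
    name: str
    priority: int   # 0..61440 on Huawei devices; default 32768
    mac: str

    @property
    def bid(self) -> Tuple[int, str]:
        return (self.priority, self.mac)   # smaller wins, like a BID


@dataclass(frozen=True)
class Port:
    bridge: str
    number: int
    priority: int = 128   # 0..240 in steps of 16; default 128

    @property
    def pid(self) -> Tuple[int, int]:
        return (self.priority, self.number)


# A segment is a shared link with a path cost and the ports attached to it;
# more than two ports on one segment models a hub, as in Figure 8-1.
Segment = Tuple[int, List[Port]]


def elect(bridges: List[Bridge], segments: List[Segment]):
    by_name = {b.name: b for b in bridges}
    root = min(bridges, key=lambda b: b.bid)                  # step 1
    INF = float("inf")
    best = {b.name: (INF,) for b in bridges}                  # best priority vector per bridge
    best[root.name] = (0,)
    root_port: Dict[str, Port] = {}
    for _ in range(len(bridges)):                             # step 2: relax until stable
        changed = False
        for cost, ports in segments:
            for own in ports:
                if own.bridge == root.name:
                    continue
                for peer in ports:
                    if peer.bridge == own.bridge or best[peer.bridge][0] == INF:
                        continue
                    cand = (best[peer.bridge][0] + cost, by_name[peer.bridge].bid,
                            peer.pid, own.pid)
                    if cand < best[own.bridge]:
                        best[own.bridge], root_port[own.bridge], changed = cand, own, True
        if not changed:
            break
    roles: Dict[str, str] = {}
    for cost, ports in segments:                              # step 3
        desig = min(ports, key=lambda p: (best[p.bridge][0], by_name[p.bridge].bid, p.pid))
        for p in ports:
            key = f"{p.bridge}:{p.number}"
            if p == desig:
                roles[key] = "designated"
            elif root_port.get(p.bridge) == p:
                roles[key] = "root"
            elif p.bridge == desig.bridge:
                roles[key] = "backup"      # blocked by BPDUs its own bridge sends
            else:
                roles[key] = "alternate"   # blocked by BPDUs another bridge sends
    return root.name, {n: v[0] for n, v in best.items()}, roles


def ring_demo(s2_port2_priority: int = 128):
    """Constructed ring: S1 is configured as primary root (priority 0); S1-S2 and
    S1-S3 are 1 Gbit/s links (cost 20); S2-S3 is a 100 Mbit/s segment (cost 200)
    on which S2 has two ports, 2 and 3, attached to a hub."""
    s1, s2, s3 = (Bridge("S1", 0, "0001-0001-0001"),
                  Bridge("S2", 32768, "0002-0002-0002"),
                  Bridge("S3", 32768, "0003-0003-0003"))
    segments = [
        (20, [Port("S1", 1), Port("S2", 1)]),
        (20, [Port("S1", 2), Port("S3", 1)]),
        (200, [Port("S2", 2, s2_port2_priority), Port("S2", 3), Port("S3", 2)]),
    ]
    return elect([s1, s2, s3], segments)
```

On the S2-S3 segment both bridges have root path cost 20, so S2's smaller BID wins and its port 2 (smaller PID) becomes designated, port 3 backup and S3's port 2 alternate; setting port 2's priority to 240 swaps the roles of ports 2 and 3.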
STP/RSTP also supports the following features to meet requirements of special applications and
extended functions:
Protection Function | Scenario | Configuration Impact
BPDU protection | |
TC protection | | TC protection is used to suppress TC-BPDUs. The number of times that TC-BPDUs are processed by a switching device within a given time period is configurable. If the number of TC-BPDUs that the switching device receives within a given time exceeds the specified threshold, the switching device handles TC-BPDUs only for the specified number of times. Excess TC-BPDUs are processed by the switching device as a whole once after the timer (that is, the specified time period) expires. This protects the switching device from frequently deleting MAC entries and ARP entries, thus avoiding overburdening.
Root protection | Due to incorrect configurations or malicious attacks on the network, a root bridge may receive BPDUs with a higher priority. Consequently, the legitimate root bridge is no longer able to serve as the root bridge, and the network topology is illegitimately changed, triggering spanning tree recalculation. This may transfer traffic from high-speed links to low-speed links, causing traffic congestion. |
Loop protection | |
Setting a priority for a switching device: The lower the numerical value, the higher the
priority of the switching device and the more likely the switching device becomes a root
bridge; the higher the numerical value, the lower the priority of the switching device and
the less likely that the switching device becomes a root bridge.
Setting a path cost for a port: With the same calculation method, the lower the numerical
value, the smaller the cost of the path from the port to the root bridge and the more likely
the port becomes a root port; the higher the numerical value, the larger the cost of the path
from the port to the root bridge and the less likely that the port becomes a root port.
Setting a priority for a port: The lower the numerical value, the more likely the port becomes
a designated port; the higher the numerical value, the less likely that the port becomes a
designated port.
Applicable Environment
On a complex network, loops are inevitable. With the requirement for network redundancy
backup, network designers tend to deploy multiple physical links between two devices, one of
which is the master and the others are the backup. Loops are likely or bound to occur in such a
situation.
Loops cause broadcast storms, which exhaust network resources and paralyze the network. Loops also cause MAC address table flapping, which damages MAC address entries.
STP/RSTP can be deployed on a network to eliminate loops. If a loop is detected, STP/RSTP
blocks one port to eliminate the loop.
As shown in Figure 8-2, Switch A, Switch B, Switch C, and Switch D form a ring network, and
STP/RSTP is enabled on the ring network to eliminate loops.
Figure 8-2 Diagram of a ring network
[Figure: Network; root bridge; SwitchA, SwitchB, SwitchC and SwitchD in a ring; PC1, PC2; one port marked as the blocked port]
NOTE
If the current switching device supports STP and RSTP, RSTP is recommended.
Pre-configuration Tasks
Before configuring basic STP/RSTP functions, complete the following task:
• Connecting interfaces and setting physical parameters for the interfaces to ensure that the physical status of the interfaces is Up
Data Preparation
To configure basic STP/RSTP functions, you need the following data.
Procedure
Step 1 Run:
system-view
Context
On an STP/RSTP-capable network, there is only one root bridge, and it is the logical center of the entire spanning tree. A switching device with high performance and a high position in the network hierarchy is generally selected as the root bridge; however, the priority of such a device may not be high enough. Therefore, set a high priority for that switching device so that it can function as the root bridge.
Other devices with low performance and a low position in the network hierarchy are not fit to be the root bridge. Therefore, set low priorities for these devices.
CAUTION
If an S2700 is configured as the root switch or secondary root switch, the priority of the
S2700 cannot be set. If you want to set the priority of the S2700, you must disable the root switch
or secondary root switch.
Procedure
Step 1 Run:
system-view
priority
• To configure a switching device as a primary root bridge, you can run the stp root primary command directly. The priority value of this switching device is 0.
• To configure a switching device as a secondary root bridge, run the stp root secondary command. The priority value of this switching device is 4096.
A switching device cannot act as a primary root bridge and a secondary root bridge at the same time.
----End
Context
A path cost is port-specific and is used by STP/RSTP as a reference to select a link.
The range of the path cost value is determined by the calculation method. After the calculation method is determined, it is recommended that you set a relatively small path cost value for a port at a high link rate.
Take the Huawei proprietary calculation method as an example. Different link rates correspond to different default path cost values of ports. For details, see Table 8-5.
Table 8-5 Mappings between link rates and path cost values
Link Rate | Recommended Value | Recommended Value Range | Value Range
10 Mbit/s | 2000 | 200-20000 | 1-200000
100 Mbit/s | 200 | 20-2000 | 1-200000
1 Gbit/s | 20 | 2-200 | 1-200000
10 Gbit/s | | 2-20 | 1-200000
Over 10 Gbit/s | | 1-2 | 1-200000
On a network where loops occur, it is recommended that you set a relatively large path cost for the port at a low link rate. STP/RSTP puts the port with the larger path cost in the Blocking state and blocks the link where this port resides.
Procedure
Step 1 Run:
system-view
Context
Whether a port on a switching device will be selected as a designated port is determined by its
priority. For details, see 8.1.1 STP/RSTP Overview.
If you expect to block a port on a switching device to eliminate loops, set the port priority value
to be larger than the default value when the devices have the same bridge ID and the cost of
path. This port will be blocked in designated port selection.
Procedure
Step 1 Run:
system-view
Step 2 Run:
interface interface-type interface-number
Context
After STP/RSTP is enabled on a ring network, STP/RSTP immediately calculates spanning trees
on the network. Configurations on the switching device, such as the switching device priority
and port priority, will affect spanning tree calculation. Any change of the configurations may
cause network flapping. Therefore, to ensure rapid and stable spanning tree calculation, perform
basic configurations on the switching device and its ports and enable STP/RSTP.
Procedure
Step 1 Run:
system-view
Prerequisite
All configurations of basic STP/RSTP functions are complete.
Procedure
----End
Parameter | Parameter Description | Commands | Description
System parameter | Network diameter, timer values (Hello Time, Forward Delay period, Max Age time), and timeout period for waiting for BPDUs from the upstream (3 x hello time x time factor) | stp bridge-diameter diameter |
Port parameter | Link type of a port | |
Port parameter | Port transition to the RSTP mode | stp mcheck | On a switching device running RSTP, if an interface is connected to a device running STP, the interface automatically transitions to the STP mode. Enabling MCheck on the interface is required when the interface fails to automatically transition to the RSTP mode.
Port parameter | Maximum number of BPDUs sent by the interface within each Hello time | |
Port parameter | Edge ports | error-down auto-recovery cause cause-item interval interval-value |
Applicable Environment
On some specific networks, RSTP parameters will affect the speed of network convergence.
Configuring proper RSTP parameters is required.
NOTE
The default configurations of the parameters described in this section help implement RSTP rapid
convergence. Therefore, the configuration process and all involved procedures described in this section
are optional. You can perform some of the configurations as required.
Pre-configuration Tasks
Before configuring STP/RSTP parameters, complete the following task:
Data Preparation
To configure STP/RSTP parameters, you need the following data.
No. Data
• Network diameter
• Hello time, forwarding delay time, maximum aging time, and timeout period for waiting for BPDUs from the upstream (3 x hello time x time factor)
• Whether auto recovery needs to be configured for an edge port being shut down
Procedure
Step 1 Run:
system-view
The timeout period for waiting for BPDUs from the upstream of a switching device is set.
By default, the timeout period of a switching device is 9 times as long as the Hello time.
Step 4 (Optional) To set the Forward Delay period, Hello time, and Max Age period, perform the
following operations:
l Run the stp timer forward-delay forward-delay command to set the Forward Delay period
for a switching device.
The values of the Hello time, Forward Delay period, and Max Age period must comply with the following formulas. Otherwise, network flapping occurs.
• 2 x (Forward Delay - 1.0 second) >= Max Age
• Max Age >= 2 x (Hello Time + 1.0 second)
----End
Procedure
Step 1 Run:
system-view
MCheck is enabled.
On a switching device running RSTP, if a port is connected to a device running STP, the port
automatically transitions to the STP interoperable mode.
Enabling MCheck on the port is required because the port may fail to automatically transition
to the RSTP mode in the following situations:
If you run the stp mcheck command in the system view, the MCheck operation is performed on all the
interfaces.
Step 5 Run:
stp transmit-limit packet-number
The maximum number of BPDUs sent by a port within each Hello time is set.
By default, the maximum number of BPDUs that a port sends within each Hello time is 51.
Step 6 (Optional) Run:
stp edged-port enable
The auto recovery function on an edge port is configured. That is, the port in the error-down state is enabled to automatically go Up, and the delay for the transition from Down to Up is set.
There is no default value for the recovery time. Therefore, you must specify a delay when
configuring this command.
----End
Follow-up Procedure
When the topology of a spanning tree changes, the forwarding paths to associated VLANs are
changed. Then, ARP entries corresponding to those VLANs on the switching device need to be
updated. STP/RSTP processes ARP entries in either fast or normal mode.
You can run the stp converge { fast | normal } command in the system view to configure the
STP/RSTP convergence mode.
By default, the STP/RSTP convergence is configured as normal.
NOTE
The normal mode is recommended. If the fast mode is adopted, ARP entries will be frequently deleted,
causing the CPU usage on the MPU or LPU to reach 100%. As a result, network flapping frequently occurs.
Prerequisite
The parameters that affect the topology convergence have been configured.
Procedure
----End
Applicable Environment
RSTP provides the following protection functions, as listed in Table 8-7.
Table 8-7 RSTP Protection Function
Protection Function | Scenario | Configuration Impact
BPDU protection | |
TC protection | |
Root protection | Due to incorrect configurations or malicious attacks on the network, a root bridge may receive BPDUs with a higher priority. Consequently, the legitimate root bridge is no longer able to serve as the root bridge, and the network topology is illegitimately changed, triggering spanning tree recalculation. This may transfer traffic from high-speed links to low-speed links, causing traffic congestion. |
Loop protection | |
Pre-configuration Tasks
Before configuring basic RSTP functions, complete the following task:
• Configuring an edge port on the switching device before configuring BPDU protection.
Data Preparation
To configure basic RSTP functions, you need the following data.
Context
Edge ports are directly connected to user terminals and normally do not receive BPDUs. Some attackers may send pseudo BPDUs to attack the switching device. If the edge ports receive the BPDUs, the switching device automatically configures the edge ports as non-edge ports and triggers new spanning tree calculation. Network flapping then occurs. BPDU protection can be used to protect switching devices against such attacks.
Procedure
Step 1 Run:
system-view
Follow-up Procedure
To allow an edge port to automatically start after being shut down, you can run the error-down
auto-recovery cause cause-item interval interval-value command to configure the auto
recovery function and set the delay on the port. After the delay expires, the port automatically
goes Up. interval interval-value ranges from 30 to 86400, in seconds. Note the following when
setting this parameter:
The smaller the interval-value is set, the sooner the edge port becomes Up, and the more
frequently the edge port alternates between Up and Down.
The larger the interval-value is set, the later the edge port becomes Up, and the longer the
service interruption lasts.
Context
An attacker may send pseudo TC BPDUs to attack switching devices. Switching devices receive
a large number of TC BPDUs in a short time and delete entries frequently, which burdens system
processing and degrades network stability.
TC protection is used to suppress TC BPDUs. The number of times that TC BPDUs are processed
by a switching device within a given time period is configurable. If the number of TC BPDUs
that the switching device receives within a given time exceeds the specified threshold, the
switching device handles TC BPDUs only for the specified number of times. Excess TC-BPDUs
are processed by the switching device as a whole for once after the specified time period expires.
This protects the switching device from frequently deleting MAC entries and ARP entries, thus
avoiding overburden.
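As an added example (not Huawei code), the Python simulation below models TC protection as described above and compares how many times MAC and ARP entries would be flushed by a constructed burst of TC-BPDUs with and without the threshold. The class, the parameter names and the arrival trace are assumptions made for the illustration.

```python
"""Simulation of TC protection as described above: within each window (equal
to the Hello time) the switch handles at most `threshold` TC-BPDUs, each of
which flushes MAC and ARP entries; the excess is collapsed into one flush when
the window expires. Added example, not Huawei code; the arrival trace is
constructed and the class and parameter names are assumptions."""
from dataclasses import dataclass, field
from typing import List, Tuple


@dataclass
class TcProtection:
    threshold: int                # TC-BPDUs handled per window
    hello_time: float = 2.0       # window length, in seconds (the Hello time)
    window_start: float = 0.0
    handled_in_window: int = 0
    deferred: bool = False        # excess TC-BPDUs were seen in the current window
    flushes: List[float] = field(default_factory=list)   # times at which entries were flushed

    def _roll_windows(self, now: float) -> None:
        """Expire every window that has ended by `now`; a deferred flush runs once per expiry."""
        while now - self.window_start >= self.hello_time:
            self.window_start += self.hello_time
            if self.deferred:
                self.flushes.append(self.window_start)
                self.deferred = False
            self.handled_in_window = 0

    def on_tc_bpdu(self, now: float) -> str:
        self._roll_windows(now)
        if self.handled_in_window < self.threshold:
            self.handled_in_window += 1
            self.flushes.append(now)          # handled immediately: entries are deleted
            return "flushed"
        self.deferred = True                  # over threshold: batched until the window ends
        return "deferred"

    def idle_until(self, now: float) -> None:
        """Advance time without traffic so that a pending deferred flush can run."""
        self._roll_windows(now)


def compare(trace: List[float], threshold: int = 3, hello_time: float = 2.0) -> Tuple[int, int]:
    """Flush count without TC protection (one per TC-BPDU) versus with it."""
    tp = TcProtection(threshold, hello_time)
    for t in trace:
        tp.on_tc_bpdu(t)
    tp.idle_until(trace[-1] + 2 * hello_time)
    return len(trace), len(tp.flushes)


# Constructed trace: a burst of 20 forged TC-BPDUs in the first two seconds,
# then one genuine topology change at t = 5 s.
BURST_TRACE = [i / 10 for i in range(20)] + [5.0]
```

Without protection the burst forces 21 entry flushes; with a threshold of 3 per Hello window the switch flushes three times during the burst, once when the window expires, and once for the genuine change, five in all.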
Procedure
Step 1 Run:
system-view
The threshold of the number of times the switching device handles the received TC BPDUs and
updates forwarding entries within a given time is set.
NOTE
The value of the given time is consistent with the RSTP Hello time set by using the stp timer hello hello-time command.
----End
Context
Due to incorrect configurations or malicious attacks on the network, a root bridge may receive
BPDUs with a higher priority. Consequently, the legitimate root bridge is no longer able to serve
as the root bridge, and the network topology is incorrectly changed, triggering spanning tree
recalculation. This also may cause the traffic that should be transmitted over high-speed links
to be transmitted over low-speed links, leading to network congestion. The root protection
function on a switching device is used to protect the root bridge by preserving the role of the
designated port.
NOTE
Root protection is configured on a designated port. Root protection takes effect only on a designated port.
Procedure
Step 1 Run:
system-view
Context
On a network running RSTP, a switching device maintains the root port status and status of
blocked ports by receiving BPDUs from an upstream switching device. If the switching device
cannot receive BPDUs from the upstream because of link congestion or unidirectional-link
failure, the switching device re-selects a root port. The original root port becomes a designated
port and the original blocked ports change to the Forwarding state. This may cause network
loops. To address such a problem, configure loop protection.
After loop protection is configured, if the root port or alternate port does not receive BPDUs
from the upstream switching device, the root port is blocked and the switching device notifies
the NMS that the port enters the Discarding state. The blocked port remains in the Blocked state
and no longer forwards packets. This prevents loops on the network. The root port restores the
Forwarding state after receiving new BPDUs.
NOTE
An alternate port is a backup port of a root port. If a switching device has an alternate port, you need to
configure loop protection on both the root port and the alternate port.
Procedure
Step 1 Run:
system-view
Loop protection for the root port or the alternate port is configured on the switching device.
By default, loop protection is disabled.
----End
Prerequisite
All configurations of RSTP protection functions are complete.
Procedure
----End
tasks, and obtain the required data. This will help you complete the configuration task quickly
and accurately.
Applicable Environment
On a network running STP/RSTP, inconsistent protocol packet formats and BPDU keys may
lead to a communication failure. Configuring proper STP/RSTP parameters on Huawei devices
ensures interoperability between Huawei devices and non-Huawei devices.
Pre-configuration Tasks
Before configuring STP/RSTP interoperability between Huawei devices and non-Huawei
devices, complete the following task:
Data Preparation
To configure STP/RSTP interoperability between Huawei devices and non-Huawei devices, you
need the following data.
No.
Data
BPDU format
Context
The rapid transition mechanism is also called the Proposal/Agreement mechanism. Switching
devices currently support the following modes:
l Enhanced mode: The current interface counts the root port when it counts the synchronization
flag bit.
An upstream device sends a Proposal message to a downstream device, requesting rapid
status transition. After receiving the message, the downstream device sets the port
connected to the upstream device as a root port and blocks all non-edge ports.
The upstream device then sends an Agreement message to the downstream device. After
the downstream device receives the message, the root port transitions to the Forwarding
state.
The downstream device responds to the Proposal message with an Agreement message.
After receiving the message, the upstream device sets the port connected to the
downstream device as a designated port. The designated port then transitions to the
Forwarding state.
l Common mode: The current interface ignores the root port when it counts the
synchronization flag bit.
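The exchange described above, as an added example that is not part of the original document: two constructed bridges run the Proposal/Agreement steps in the order the text gives them, and the downstream bridge's sync step shows which ports get blocked (non-edge ports other than the new root port) and which do not (edge ports). The bridge and port names are assumptions; the enhanced/common difference in how the root port is counted is not modelled.

```python
from dataclasses import dataclass, field


@dataclass
class Port:
    name: str
    role: str               # "root", "designated" or "alternate"
    state: str = "discarding"
    edge: bool = False      # edge ports are exempt from the sync step


@dataclass
class Bridge:
    name: str
    ports: dict = field(default_factory=dict)
    log: list = field(default_factory=list)

    def add(self, port):
        self.ports[port.name] = port
        return self

    def sync(self, keep):
        """Downstream sync: block every non-edge port except the new root
        port before the bridge agrees, so no transient loop can form."""
        for p in self.ports.values():
            if p.name != keep and not p.edge and p.state == "forwarding":
                p.state = "discarding"
                self.log.append(f"{self.name}: {p.name} blocked for sync")


def proposal_agreement(upstream, up_port, downstream, down_port):
    """Run the exchange in the order the text above gives it; returns the
    message sequence as (sender, receiver, message) tuples."""
    msgs = []
    up, down = upstream.ports[up_port], downstream.ports[down_port]
    # 1. the upstream designated port, still Discarding, proposes
    up.role, up.state = "designated", "discarding"
    msgs.append((upstream.name, downstream.name, "Proposal"))
    # 2. downstream makes the receiving port its root port and syncs
    down.role = "root"
    downstream.sync(keep=down_port)
    # 3. upstream sends Agreement; the downstream root port goes Forwarding
    msgs.append((upstream.name, downstream.name, "Agreement"))
    down.state = "forwarding"
    # 4. downstream answers the Proposal with an Agreement; the upstream
    #    designated port goes Forwarding without waiting for Forward Delay
    msgs.append((downstream.name, upstream.name, "Agreement"))
    up.state = "forwarding"
    return msgs


def run_example():
    # Constructed topology: SwitchB downstream of the root on Eth0/0/3, with a
    # non-edge designated port toward another switch and an edge port to a PC.
    root = Bridge("SwitchA").add(Port("Eth0/0/2", "designated"))
    sw_b = (Bridge("SwitchB")
            .add(Port("Eth0/0/3", "designated"))
            .add(Port("Eth0/0/1", "designated", "forwarding"))
            .add(Port("Eth0/0/2", "designated", "forwarding", edge=True)))
    msgs = proposal_agreement(root, "Eth0/0/2", sw_b, "Eth0/0/3")
    states = {n: (p.role, p.state) for n, p in sw_b.ports.items()}
    return msgs, states, sw_b.log


if __name__ == "__main__":
    for item in run_example():
        print(item)
```

The edge-port exemption is the part worth checking in a real deployment: a port toward another switch that has wrongly been declared an edge port is skipped by sync and keeps forwarding during the transition, which is why the edge-port and BPDU-protection settings earlier in this chapter matter.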
Procedure
Step 1 Run:
system-view
Prerequisite
Parameters have been configured to ensure MSTP interoperability between Huawei devices and
non-Huawei devices.
Procedure
----End
Context
CAUTION
STP/RSTP statistics cannot be restored after you clear them. Therefore, exercise caution when
using the reset commands.
After you confirm that STP/RSTP statistics need to be cleared, run the following command in
the user view.
Procedure
Step 1 Run the reset stp [ interface interface-type interface-number ] statistics command to clear
spanning-tree statistics.
----End
Networking Requirements
On a complex network, loops are inevitable. With the requirement for network redundancy
backup, network designers tend to deploy multiple physical links between two devices, one of
which is the master and the others are the backup. Loops are likely or bound to occur in such a
situation.
Loops cause broadcast storms, which exhaust network resources and paralyze the network.
Loops also cause MAC address table flapping and damage MAC address entries.
STP can be deployed on a network to eliminate loops by blocking some ports. On the network
shown in Figure 8-3, after SwitchA, SwitchB, SwitchC, and SwitchD running STP discover
loops on the network by exchanging information with each other, they trim the ring topology
into a loop-free tree topology by blocking a certain port. In this manner, replication and circular
propagation of packets are prevented on the network and the switching devices are released from
processing duplicated packets, thereby improving their processing performance.
[Figure 8-3: STP networking diagram. SwitchA (Root Bridge), SwitchB, SwitchC and SwitchD form a ring over ports Eth0/0/1, Eth0/0/2 and Eth0/0/3; PC1 and PC2 are attached on Eth0/0/2 ports; one port is blocked by STP.]
Configuration Roadmap
The configuration roadmap is as follows:
1. STP is not required on the interfaces connected to terminals because these interfaces do not
need to participate in STP calculation.
Data Preparation
To complete the configuration, you need the following data:
Procedure
Step 1 Configure basic STP functions.
1. Configure the STP mode for the devices on the ring network.
# Configure the STP mode on SwitchA.
<Quidway> system-view
[Quidway] sysname SwitchA
[SwitchA] stp mode stp
2.
3. Set path costs for ports in each spanning tree to block certain ports.
NOTE
l The values of path costs depend on path cost calculation methods. Use the Huawei proprietary
calculation method as an example to set the path costs of the ports to be blocked to 20000.
l All switching devices on a network must use the same path cost calculation method.
4.
 MSTID  Port                        Role  STP State     Protection
   0    Ethernet0/0/1               DESI  FORWARDING    NONE
   0    Ethernet0/0/2               DESI  FORWARDING    NONE
After SwitchA is configured as a root bridge, Eth 0/0/2 and Eth 0/0/1 connected to SwitchB and
SwitchD respectively are elected as designated ports in spanning tree calculation.
# Run the display stp interface ethernet 0/0/1 brief command on SwitchB to view status of
Eth 0/0/1. The displayed information is as follows:
[SwitchB] display stp interface ethernet 0/0/1 brief
 MSTID  Port                        Role  STP State     Protection
   0    Ethernet0/0/1               DESI  FORWARDING    NONE
Eth 0/0/1 is elected as a designated port in spanning tree calculation and is in the Forwarding
state.
# Run the display stp brief command on SwitchC to view the interface status and protection
type. The displayed information is as follows:
[SwitchC] display stp brief
 MSTID  Port                        Role  STP State     Protection
   0    Ethernet0/0/1               ALTE  DISCARDING    NONE
   0    Ethernet0/0/3               ROOT  FORWARDING    NONE
Eth 0/0/1 is elected as an alternate port in spanning tree calculation and is in the Discarding state.
Eth 0/0/3 is elected as a root port in spanning tree calculation and is in the Forwarding state.
----End
Configuration Files
l Configuration file of SwitchB
#
sysname SwitchB
#
stp mode stp
#
interface Ethernet0/0/2
 stp disable
#
return
Networking Requirements
On a complex network, loops often occur. To implement network redundancy backup, network
designers tend to deploy multiple physical links between two devices, one of which is the master
device and the others are backup devices. Loops are likely or bound to occur in such a situation.
Loops will cause broadcast storms, exhausting network resources and making the network break
down. Loops also cause flapping of MAC address tables and damage MAC address entries.
RSTP can be deployed on a network to eliminate loops by blocking some ports. On the network
shown in Figure 8-4, after SwitchA, SwitchB, SwitchC, and SwitchD running RSTP detect
loops on the network by exchanging information with each other, they trim the ring topology
into a loop-free tree topology by blocking a certain port. In this manner, packets are not replicated
and looped on the network and switching devices do not need to process duplicate packets,
improving their processing performance.
[Figure 8-4: RSTP networking diagram. SwitchA (Root Bridge), SwitchB, SwitchC and SwitchD form a ring over ports Eth0/0/1, Eth0/0/2 and Eth0/0/3; PC1 and PC2 are attached on Eth0/0/2 ports; one port is blocked by RSTP.]
Configuration Roadmap
The configuration roadmap is as follows:
1. RSTP is not required on the interfaces connected to terminals because these interfaces do not
need to participate in RSTP calculation.
2. Configure RSTP protection functions, for example, root protection on a designated port of
a root bridge in each MSTI.
Data Preparation
To complete the configuration, you need the following data:
Procedure
Step 1 Configure basic RSTP functions.
1. Configure the RSTP mode for the devices on the ring network.
# Configure the RSTP mode on SwitchA.
<Quidway> system-view
[Quidway] sysname SwitchA
[SwitchA] stp mode rstp
2.
3. Set path costs for ports in each spanning tree to block certain ports.
NOTE
l The values of path costs depend on path cost calculation methods. Use the Huawei proprietary
calculation method as an example to set the path costs of the ports to be blocked to 20000.
l All switching devices on a network must use the same path cost calculation method.
4.
 MSTID  Port                        Role  STP State     Protection
   0    Ethernet0/0/1               DESI  FORWARDING    ROOT
   0    Ethernet0/0/2               DESI  FORWARDING    ROOT
After SwitchA is configured as a root bridge, Eth 0/0/2 and Eth 0/0/1 connected to SwitchB and
SwitchD respectively are elected as designated ports in spanning tree calculation. The root
protection function is enabled on the designated ports.
# Run the display stp interface ethernet 0/0/1 brief command on SwitchB to view status of
Eth 0/0/1. The displayed information is as follows:
[SwitchB] display stp interface ethernet 0/0/1 brief
 MSTID  Port                        Role  STP State     Protection
   0    Ethernet0/0/1               DESI  FORWARDING    NONE
Eth 0/0/1 is elected as a designated port in spanning tree calculation and is in the Forwarding
state.
# Run the display stp brief command on SwitchC to view the interface status and protection
type. The displayed information is as follows:
[SwitchC] display stp brief
 MSTID  Port                        Role  STP State     Protection
   0    Ethernet0/0/1               ALTE  DISCARDING    NONE
   0    Ethernet0/0/3               ROOT  FORWARDING    NONE
Eth 0/0/1 is elected as an alternate port in spanning tree calculation and is in the Discarding state.
Eth 0/0/3 is elected as a root port in spanning tree calculation and is in the Forwarding state.
----End
Configuration Files
9 MSTP Configuration
Background
STP and RSTP are used in a LAN to prevent loops. The devices running STP/RSTP discover
loops on the network by exchanging information with each other and trim the ring topology into
a loop-free tree topology by blocking a certain interface. Replication and circular propagation
of packets are thus prevented on the network and the processing performance of devices is
improved by avoiding repeated packets on the network.
STP and RSTP both have a defect: all VLANs on a LAN use one spanning tree, so inter-VLAN load
balancing cannot be performed. Once a link is blocked, it no longer transmits traffic, which wastes
bandwidth and may cause packets of certain VLANs to fail to be forwarded.
To fix this defect of STP and RSTP, the IEEE released the 802.1s standard in 2002, defining
MSTP. MSTP, which is compatible with STP and RSTP, implements rapid convergence and provides
multiple paths to load balance VLAN traffic.
Table 9-1 shows the comparison between STP, RSTP, and MSTP.
Table 9-1 Comparison between STP, RSTP, and MSTP (columns: Characteristics, Application Scenarios, Precautions)
Protocol: STP
Characteristics: Irrespective of different users or services, all VLANs share one spanning tree.
Recommendation: If the current switching device supports only STP, STP is recommended. For details, see STP/RSTP Configuration.
Protocol: RSTP
Characteristics:
l A loop-free tree is generated. Thus, broadcast storms are prevented and redundancy is implemented.
l A feedback mechanism is provided to confirm topology convergence. Thus, rapid convergence is implemented.
Recommendation: If the current switching device supports both STP and RSTP, RSTP is recommended. For details, see STP/RSTP Configuration.
Protocol: MSTP
Recommendation: If the current switching device supports STP or RSTP, and MSTP, MSTP is recommended.
Introduction
On a complex network, loops are inevitable. With the requirement for network redundancy
backup, network designers tend to deploy multiple physical links between two devices, one of
which is the master and the others are the backup. Loops are likely or bound to occur in such a
situation.
Loops cause broadcast storms, which exhaust network resources and paralyze the network.
Loops also cause MAC address table flapping and thus damage MAC address entries.
MSTP, compatible with STP and RSTP, isolates service traffic and user traffic by using multiple
instances and provides multiple paths to load balance VLAN traffic.
If MSTP is deployed in the LAN shown in Figure 9-1, MSTIs are generated, as shown in Figure
9-1.
Figure 9-1 Multiple spanning trees in an MST region
[Figure: SwitchA to SwitchF interconnected by links carrying VLAN2 and VLAN3; Host A and Host B are in VLAN2, Host C and Host D are in VLAN3.]
MSTI 1 uses Switch D as the root switching device to forward packets of VLAN 2.
MSTI 2 uses Switch F as the root switching device to forward packets of VLAN 3.
Devices within the same VLAN can communicate with each other and packets of different
VLANs are load-balanced along different paths.
MST region
An MST region contains multiple switching devices and network segments between them.
The switching devices have the following characteristics:
l MSTP-enabled
l Same region name
l Same VLAN-to-instance mapping
l Same MSTP revision number
A LAN can comprise several MST regions that are directly or indirectly connected.
Multiple switching devices can be grouped into an MST region by using MSTP
configuration commands.
As shown in Figure 9-2, the MST region D0 contains the switching devices S1, S2, S3,
and S4, and has three MSTIs.
[Figure 9-2: MST region D0 with switching devices S1 (master bridge), S2, S3 and S4. MSTI0 (IST) has root switch S1 and carries the other VLANs; MSTI1 has root switch S3 and carries VLAN1; MSTI2 has root switch S2 and carries VLAN2 and VLAN3.]
Regional root
Regional roots are classified into Internal Spanning Tree (IST) and MSTI regional roots.
In the region B0, C0, and D0 on the network shown in Figure 9-4, the switching devices
closest to the Common and Internal Spanning Tree (CIST) root are IST regional roots.
An MST region can contain multiple spanning trees, each called an MSTI. An MSTI
regional root is the root of the MSTI. On the network shown in Figure 9-3, each MSTI has
its own regional root.
[Figure 9-3: An MST region with three MSTIs, corresponding to VLAN 10, VLAN 20 and VLAN 30, each with its own root. Links are labelled with the VLANs they carry (VLAN 10&20&30, VLAN 10&20, VLAN 20&30, VLAN 10&30, VLAN 10, VLAN 20, VLAN 30). Legend: MSTI links; MSTI links blocked by the protocol.]
MSTIs are independent of each other. An MSTI can correspond to one or more VLANs,
but a VLAN can be mapped to only one MSTI.
l CIST root
[Figure 9-4: MST regions A0 (containing the CIST Root), B0, C0 and D0 (each with a Region Root). The IST runs inside each region; the CST connects the regions.]
On the network shown in Figure 9-4, the CIST root is the root bridge of a CIST. The CIST
root is a device in A0.
l CST
A Common Spanning Tree (CST) connects all the MST regions on a switching network.
Each MST region can be considered a node. A CST is calculated by using STP or RSTP
based on all the nodes.
As shown in Figure 9-4, the MST regions are connected to form a CST.
IST
An IST resides within an MST region.
An IST is a special MSTI with the MSTI ID of 0, called MSTI 0.
An IST is a segment of the CIST in an MST region.
As shown in Figure 9-4, the switching devices in an MST region are connected to form an
IST.
CIST
A CIST, calculated by using STP or RSTP, connects all the switching devices on a switching
network.
As shown in Figure 9-4, the ISTs and the CST form a complete spanning tree, that is, CIST.
SST
A Single Spanning Tree (SST) is formed in either of the following situations:
A switching device running STP or RSTP belongs to only one spanning tree.
An MST region has only one switching device.
As shown in Figure 9-4, the switching device in B0 is an SST.
l Port roles
Compared with RSTP, MSTP has two additional port types. MSTP ports can be root ports,
designated ports, alternate ports, backup ports, edge ports, master ports, and regional edge
ports.
The functions of root ports, designated ports, alternate ports, backup ports, and edge ports
have been defined in RSTP. Table 9-2 lists all port roles in MSTP.
Table 9-2 Port roles
Port role: Root port
Description: A root port is the non-root bridge port closest to the root bridge. Root bridges
do not have root ports.
Root ports are responsible for sending data to root bridges.
As shown in Figure 9-5, S1 is the root; CP1 is the root port on S3; BP1 is
the root port on S2; DP1 is the root port on S4.
Port role: Designated port
Port role: Alternate port
Port role: Backup port
Port role: Master port
Description: A master port is on the shortest path connecting MST regions to the CIST
root.
BPDUs of an MST region are sent to the CIST root through the master port.
Master ports are special regional edge ports, functioning as root ports on
ISTs or CISTs and master ports in instances.
As shown in Figure 9-5, S1, S2, S3, and S4 form an MST region. AP1 on
S1, being the nearest port in the region to the CIST root, is the master port.
Port role: Regional edge port
Description: A regional edge port is located at the edge of an MST region and connects
to another MST region or an SST.
During MSTP calculation, the roles of a regional edge port in the MSTI and
the CIST instance are the same. If the regional edge port is the master port
in the CIST instance, it is the master port in all the MSTIs in the region.
As shown in Figure 9-5, AP1, DP2, and DP3 in an MST region are directly
connected to other regions, and therefore they are all regional edge ports of
the MST region.
As shown in Figure 9-5, AP1 is a regional edge port and also a master port
in the CIST. Therefore, AP1 is the master port in every MSTI in the MST
region.
Port role: Edge port
Description: An edge port is located at the edge of an MST region and does not connect
to any switching device.
Generally, edge ports are directly connected to terminals.
As shown in Figure 9-5, BP3 is an edge port.
[Figure 9-5: S1 (root bridge) with ports AP2 and AP3; S2 with ports BP1 and BP2; S3 with ports CP1, CP2 and CP3. Legend: root port, designated port, alternate port, backup port.]
Port status
Table 9-3 lists the MSTP port status, which is the same as the RSTP port status.
Table 9-3 Port status
Port status: Forwarding
Description: A port in the Forwarding state can send and receive BPDUs as well as forward user traffic.
Port status: Learning
Description: This is a transition state. A port in the Learning state learns MAC addresses from user traffic to construct a MAC address table. In the Learning state, the port can send and receive BPDUs, but cannot forward user traffic.
Port status: Discarding
There is no necessary link between the port status and the port role. Table 9-4 lists the
relationships between port roles and port status.
Table 9-4 Relationships between port roles and port status
Port Status   Root Port/Master Port   Designated Port   Regional Edge Port   Alternate Port   Backup Port
Forwarding    Yes                     Yes               Yes                  No               No
Learning      Yes                     Yes               Yes                  No               No
Discarding    Yes                     Yes               Yes                  Yes              Yes
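The role/state rules of Table 9-4 and the protection settings shown in the display stp brief output of the STP/RSTP configuration examples earlier in this document can be checked mechanically. The following parser and audit is an added example, not S2700 code: the sample output is constructed in the layout of the display stp brief output above, and the role abbreviations (ROOT, DESI, ALTE, BACK, MAST) and protection values (NONE, ROOT, LOOP) are assumptions. It flags role/state pairs the table rules out, designated ports of a root bridge left without root protection, and root or alternate ports left without loop protection.

```python
# Constructed sample in the layout of the display stp brief output shown in
# the configuration examples (abbreviations assumed; see lead-in).
SAMPLE_OUTPUT = """\
[SwitchC] display stp brief
 MSTID  Port                        Role  STP State     Protection
   0    Ethernet0/0/1               DESI  FORWARDING    NONE
   0    Ethernet0/0/3               ALTE  DISCARDING    NONE
   0    Ethernet0/0/4               ROOT  FORWARDING    LOOP
   0    Ethernet0/0/5               ALTE  FORWARDING    NONE
"""

# Constructed output of a root bridge: one designated port without root protection.
ROOT_BRIDGE_OUTPUT = """\
 MSTID  Port                        Role  STP State     Protection
   0    Ethernet0/0/1               DESI  FORWARDING    ROOT
   0    Ethernet0/0/2               DESI  FORWARDING    NONE
"""

# Table 9-4: the states each port role may legitimately be in.
ALLOWED_STATES = {
    "ROOT": {"FORWARDING", "LEARNING", "DISCARDING"},   # root port
    "MAST": {"FORWARDING", "LEARNING", "DISCARDING"},   # master port
    "DESI": {"FORWARDING", "LEARNING", "DISCARDING"},   # designated port
    "ALTE": {"DISCARDING"},                             # alternate port
    "BACK": {"DISCARDING"},                             # backup port
}


def parse_stp_brief(text):
    """Return one dict per port row; prompt, header and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 5 or not fields[0].isdigit():
            continue
        mstid, port, role, state, protection = fields
        rows.append({"mstid": int(mstid), "port": port, "role": role,
                     "state": state, "protection": protection})
    return rows


def audit_stp_ports(rows, is_root_bridge):
    """Flag role/state pairs Table 9-4 rules out and ports left without the
    protection the chapter configures: root protection on the root bridge's
    designated ports, loop protection on root and alternate ports."""
    findings = []
    for r in rows:
        port, role, state, prot = r["port"], r["role"], r["state"], r["protection"]
        if state not in ALLOWED_STATES.get(role, set()):
            findings.append((port, f"role {role} cannot be in state {state}"))
        if is_root_bridge and role == "DESI" and prot != "ROOT":
            findings.append((port, "designated port on the root bridge lacks root protection"))
        if role in ("ROOT", "ALTE") and prot != "LOOP":
            findings.append((port, f"{role} port lacks loop protection"))
    return findings


if __name__ == "__main__":
    for finding in audit_stp_ports(parse_stp_brief(SAMPLE_OUTPUT), is_root_bridge=False):
        print("SwitchC", *finding)
    for finding in audit_stp_ports(parse_stp_brief(ROOT_BRIDGE_OUTPUT), is_root_bridge=True):
        print("root bridge", *finding)
```

An alternate port reported as FORWARDING cannot occur under Table 9-4; seeing it in collected output points at a parsing error or a device fault, which is why the audit checks the table before the protection settings.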
MSTP is used to block redundant links on the Layer 2 network and trim a network into a loop-free
tree. In MSTP, multiple MSTIs can be created and VLANs are mapped into different instances to
load-balance VLAN traffic. The basic configuration roadmap of MSTP is as follows:
1. In a ring network, divide regions and create different instances for regions.
2. Select a switching device functioning as a root bridge from switching devices for each
instance.
3. In each instance, calculate the shortest paths from the other switching devices to the root
bridge, and select a root port for each non-root switching device.
4. In each instance, select a designated port for each connection according to port IDs.
According to current networking, master ports and backup ports may be involved. For details,
see 9.1.1 MSTP Introduction.
MSTP also supports the following features to meet requirements of special applications and
extended functions:
l Supports MSTP interoperability between Huawei devices and non-Huawei devices. Proper
parameters are required on Huawei devices running MSTP to ensure nonstop
communication.
MSTP protection functions (columns: MSTP Protection, Scenario, Configuration Impact)
MSTP Protection: BPDU protection
MSTP Protection: TC protection
MSTP Protection: Root protection
Scenario: Due to incorrect configurations or malicious attacks on the network, a root bridge may receive BPDUs with a higher priority. Consequently, the legitimate root bridge is no longer able to serve as the root bridge, and the network topology is illegitimately changed, triggering spanning tree recalculation. This may transfer traffic from high-speed links to low-speed links, causing traffic congestion.
MSTP Protection: Loop protection
NOTE
The S2700 does not support the Per-VLAN Spanning Tree (PVST) protocol and cannot process PVST
packets. You can configure the S2700 to transparently transmit PVST packets. For details, see 10 Layer
2 Protocol Transparent Transmission Configuration.
l Setting a priority for a switching device in an MSTI: The lower the numerical value, the
higher the priority of the switching device and the more likely the switching device becomes
a root bridge; the higher the numerical value, the lower the priority of the switching device
and the less likely that the switching device becomes a root bridge.
l Setting a path cost for a port in an MSTI: With the same calculation method, the lower the
numerical value, the smaller the cost of the path from the port to the root bridge and the
more likely the port becomes a root port; the higher the numerical value, the larger the cost
of the path from the port to the root bridge and the less likely that the port becomes a root
port.
l Setting a priority for a port in an MSTI: The lower the numerical value, the more likely the
port becomes a designated port; the higher the numerical value, the less likely that the port
becomes a designated port.
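The roadmap above (elect a root per instance, pick root ports by path cost, pick designated ports by port ID) and the three priority rules just listed can be run on the ring used in the STP/RSTP configuration examples. The code below is an added example, not S2700 code or the device's algorithm: it computes one instance's roles with a shortest-path search whose tie-breaking follows the stated rules, and runs it once per MSTI with per-instance bridge priorities. SwitchA's priority 0 and the 20000 path cost on the blocked link come from the examples; the MAC addresses, the 200 default cost and the instance priorities are assumptions.

```python
import heapq

# Constructed ring from the STP/RSTP configuration examples: SwitchA is made
# root by priority 0; the 20000 path cost on the SwitchB-SwitchC link is the
# value the examples use to block a port. MAC addresses and the 200 default
# cost are assumptions of this example.
BRIDGES = {
    "SwitchA": (0, "00e0-fc00-0001"),
    "SwitchB": (32768, "00e0-fc00-0002"),
    "SwitchC": (32768, "00e0-fc00-0003"),
    "SwitchD": (32768, "00e0-fc00-0004"),
}
# Each link: ((bridge, port, path cost of that port), (bridge, port, path cost)).
LINKS = [
    (("SwitchA", "Eth0/0/2", 200), ("SwitchB", "Eth0/0/3", 200)),
    (("SwitchA", "Eth0/0/1", 200), ("SwitchD", "Eth0/0/1", 200)),
    (("SwitchB", "Eth0/0/1", 20000), ("SwitchC", "Eth0/0/1", 20000)),
    (("SwitchC", "Eth0/0/3", 200), ("SwitchD", "Eth0/0/3", 200)),
]
# Assumed per-instance priorities: MSTI 1 rooted at SwitchA, MSTI 2 at SwitchB.
INSTANCE_PRIORITIES = {
    1: BRIDGES,
    2: {**BRIDGES, "SwitchA": (32768, "00e0-fc00-0001"), "SwitchB": (0, "00e0-fc00-0002")},
}


def compute_spanning_tree(bridges, links, port_priority=None):
    """Elect the root bridge, then choose root, designated and alternate ports
    for one instance. Returns (root bridge, {(bridge, port): role}). Lower
    bridge priority wins the root election, lower root path cost wins the
    root port, lower port priority wins the designated port; bridge ID and
    port name break the remaining ties."""
    port_priority = port_priority or {}
    bid = {name: (prio, mac) for name, (prio, mac) in bridges.items()}
    root = min(bid, key=bid.get)

    def pid(bridge, port):            # port ID = (priority, name), lower is better
        return (port_priority.get((bridge, port), 128), port)

    adj = {name: [] for name in bridges}
    for (b1, p1, c1), (b2, p2, c2) in links:
        adj[b1].append((b2, p2, c2, p1))   # neighbour, its port, its port cost, my port
        adj[b2].append((b1, p1, c1, p2))

    # Shortest paths by root path cost; the tuple order encodes the tie-breaks:
    # (root path cost, upstream bridge ID, upstream port ID, own port ID).
    best = {}
    heap = [((0, bid[root], (0, ""), (0, "")), root)]
    while heap:
        key, b = heapq.heappop(heap)
        if b in best:
            continue
        best[b] = key
        for nb, nb_port, nb_cost, my_port in adj[b]:
            if nb not in best:
                heapq.heappush(heap, ((key[0] + nb_cost, bid[b], pid(b, my_port), pid(nb, nb_port)), nb))

    roles = {}
    for (b1, p1, _), (b2, p2, _) in links:
        k1 = (best[b1][0], bid[b1], pid(b1, p1))
        k2 = (best[b2][0], bid[b2], pid(b2, p2))
        desi, other = ((b1, p1), (b2, p2)) if k1 < k2 else ((b2, p2), (b1, p1))
        roles[desi] = "DESI"
        # the losing end is the bridge's root port if it was chosen above, else alternate
        roles[other] = "ROOT" if best[other[0]][3][1] == other[1] else "ALTE"
    return root, roles


def per_instance(instance_priorities, links):
    """Run the election once per MSTI with that instance's bridge priorities,
    the way MSTP places a different root and blocked port in each instance."""
    return {inst: compute_spanning_tree(prios, links) for inst, prios in instance_priorities.items()}


if __name__ == "__main__":
    for inst, (root, roles) in per_instance(INSTANCE_PRIORITIES, LINKS).items():
        print(f"MSTI {inst}: root {root}")
        for (bridge, port), role in sorted(roles.items()):
            print(f"  {bridge} {port}: {role}")
```

With the 20000 cost in place, SwitchC blocks Eth0/0/1 and roots through Eth0/0/3, matching the display stp brief output of the examples; with equal costs the tie between SwitchB and SwitchD is broken by the lower upstream bridge ID, which is why a forged lower bridge ID (the root-protection scenario) changes the whole tree.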
Applicable Environment
On a complex network, loops are inevitable. With the requirement for network redundancy
backup, network designers tend to deploy multiple physical links between two devices, one of
which is the master and the others are the backup. Loops are likely or bound to occur in such a
situation.
Loops cause broadcast storms, which exhaust network resources and paralyze the network.
Loops also cause MAC address table flapping and thus damage MAC address entries.
MSTP can be deployed on a network to eliminate loops. If a loop is detected, MSTP blocks one
or more ports to eliminate the loop. In addition, MSTIs can be configured to load-balance VLAN
traffic.
As shown in Figure 9-6, Switches A, B, C, and D all support MSTP. It is required to create
MSTI 1 and MSTI 2, configure a root bridge for each MSTI, and set the ports to be blocked to
load-balance traffic of VLANs 1 to 10 and VLANs 11 to 20 among different paths.
[Figure 9-6: MST region of SwitchA, SwitchB, SwitchC and SwitchD with PC1 and PC2 attached. VLAN1~10 are mapped to MSTI1 (root switch SwitchA) and VLAN11~20 to MSTI2 (root switch SwitchB); each instance has its own blocked port.]
Pre-configuration Tasks
Before configuring basic MSTP functions, complete the following task:
l Connecting interfaces and setting physical parameters for the interfaces to ensure that the
physical status of the interfaces is Up
Data Preparation
To configure basic MSTP functions, you need the following data.
No.
Data
(Optional) ID of an MSTI
Procedure
Step 1 Run:
system-view
The working mode of the switching device is configured as MSTP. By default, the working
mode is MSTP.
STP and MSTP cannot recognize each other's packets, but MSTP and RSTP can. If a switching
device working in MSTP mode is connected to switching devices running STP, it automatically
switches the interfaces connected to those STP devices to STP mode while its other interfaces
keep running MSTP. This allows devices running different spanning tree protocols to interwork.
----End
Context
An MST region contains multiple switching devices and the network segments between them. These
switching devices are directly connected and, after MSTP is enabled, have the same region name,
the same VLAN-to-instance mapping, and the same configuration revision number. One switching
network can have multiple MST regions, and multiple switching devices can be grouped into
one MST region by using MSTP configuration commands.
CAUTION
Two switching devices belong to the same MST region when they have the same:
l Region name
l VLAN-to-instance mapping
l MSTP revision number
Procedure
Step 1 Run:
system-view
l The instance instance-id vlan { vlan-id [ to vlan-id ] }&<1-10> command is recommended, because
automatically assigned VLAN-to-instance mappings cannot meet actual mapping requirements.
l In the command, vlan-mapping modulo indicates that the formula (VLAN ID-1)%modulo+1 is used.
In the formula, (VLAN ID-1)%modulo is the remainder of (VLAN ID-1) divided by the value of
modulo. This formula maps a VLAN to the corresponding MSTI: the calculation result is the ID
of the MSTI to which the VLAN is mapped.
A change of MST region configurations (especially a change of the VLAN mapping table) causes
recalculation of the spanning trees and route flapping in the network. Therefore, after the MST region
name, VLAN-to-instance mappings, and MSTP revision number are configured, the MST region must be
activated. You can run the check region-configuration command in the MST region view to check
whether the region configurations are correct. After confirming that they are correct, run the
active region-configuration command to activate the MST region configurations.
Step 6 Run:
active region-configuration
MST region configurations are activated so that the configured region name, VLAN-to-instance
mappings, and revision number can take effect.
If this step is not done, the preceding configurations cannot take effect.
If you have changed MST region configurations on the switching device after MSTP starts, run
the active region-configuration command to activate the MST region so that the changed
configurations can take effect.
----End
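The two mapping methods described in this task, and the rule that two switches are in the same MST region only when region name, VLAN-to-instance mapping and revision number all match, can be worked through in code. The following is an added example, not S2700 code: it implements the (VLAN ID-1)%modulo+1 formula from the note above and an explicit instance-to-VLAN-range assignment that rejects a VLAN named under two instances, then compares the region configuration of two constructed switches (names, revision and VLAN ranges are assumptions; the real device compares a digest of this data, while the example compares the data itself).

```python
from dataclasses import dataclass


def modulo_mapping(vlan_ids, modulo):
    """vlan-mapping modulo: each VLAN goes to MSTI (VLAN ID - 1) % modulo + 1,
    the formula given in the note above."""
    return {v: (v - 1) % modulo + 1 for v in vlan_ids}


def explicit_mapping(assignments, max_vlan=4094):
    """instance <id> vlan <ranges>: VLANs not listed stay in MSTI 0 (the IST).
    A VLAN listed under two instances is rejected, since a VLAN maps to one MSTI."""
    mapping = {v: 0 for v in range(1, max_vlan + 1)}
    owner = {}
    for inst, ranges in assignments.items():
        for lo, hi in ranges:
            for v in range(lo, hi + 1):
                if owner.get(v, inst) != inst:
                    raise ValueError(f"VLAN {v} mapped to both MSTI {owner[v]} and MSTI {inst}")
                owner[v] = inst
                mapping[v] = inst
    return mapping


def is_valid_assignment(assignments):
    try:
        explicit_mapping(assignments)
        return True
    except ValueError:
        return False


@dataclass(frozen=True)
class RegionConfig:
    """The three values two switches must share to be in one MST region."""
    name: str
    revision: int
    vlan_to_msti: tuple     # sorted (vlan, msti) pairs

    @classmethod
    def build(cls, name, revision, mapping):
        return cls(name, revision, tuple(sorted(mapping.items())))


def same_region(a, b):
    return a == b


def mapping_differences(a, b):
    """VLANs whose instance differs between two region configurations."""
    other = dict(b.vlan_to_msti)
    return sorted(v for v, inst in a.vlan_to_msti if other.get(v) != inst)


# Constructed configurations (region name and revision assumed): VLANs 1-10 in
# MSTI 1 and 11-20 in MSTI 2, as in the MSTP configuration example on this page.
SWITCH_A = RegionConfig.build("RG1", 1, explicit_mapping({1: [(1, 10)], 2: [(11, 20)]}))
# On SwitchB one VLAN was put into a third instance; that alone splits the region.
SWITCH_B = RegionConfig.build("RG1", 1, explicit_mapping({1: [(1, 10)], 2: [(11, 19)], 3: [(20, 20)]}))

if __name__ == "__main__":
    print(modulo_mapping(range(1, 9), 4))
    print("same region:", same_region(SWITCH_A, SWITCH_B),
          "differing VLANs:", mapping_differences(SWITCH_A, SWITCH_B))
```

The single-VLAN difference is the failure mode the caution above warns about: the two switches then sit in different regions, the link between them is treated as a CST link, and both recalculate, which is why check region-configuration is run before active region-configuration.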
Context
In an MSTI, there is only one root bridge, and it is the logical center of the MSTI. In root bridge
selection, a switching device with high performance and a high position in the network hierarchy
is generally chosen as the root bridge; however, the priority of such a device may not be that
high. Setting a high priority for that switching device is therefore necessary so that it can
function as the root bridge.
Other devices with low performance and network hierarchy are not fit to be a root bridge.
Therefore, set low priorities for these devices.
CAUTION
If an S2700 is configured as the root switch or secondary root switch, the priority of the
S2700 cannot be set. If you want to set the priority of the S2700, you must disable the root switch
or secondary root switch.
Procedure
Step 1 Run:
system-view
l To configure a switching device as a primary root bridge, you can run the stp [ instance instance-id ]
root primary command directly. The priority value of this switching device is 0.
l To configure a switching device as a secondary root bridge, run the stp [ instance instance-id ] root
secondary command. The priority value of this switching device is 4096.
In an MSTI, a switching device cannot act as a primary root bridge and a secondary root bridge at the
same time.
----End
Context
A path cost is port-specific, which is used by MSTP as a reference to select a link.
Path costs of a port are an important basis for calculating spanning trees. If you set different path
costs for a port in different MSTIs, you can make VLAN traffic be transmitted along different
physical links and thus carry out VLAN load balancing.
On a network where loops occur, it is recommended that you set a relatively large path cost for
the port with a low link rate. MSTP puts the port with the large path cost in the Blocking state
and blocks the link where this port resides.
Procedure
Step 1 Run:
system-view
All switching devices on a network must use the same path cost calculation method.
Step 3 Run:
interface interface-type interface-number
Context
In spanning tree calculation, priorities of ports on switching devices in MSTIs determine
designated port selection.
If you expect to block a port on a switching device in an MSTI to eliminate loops, set the port
priority value to be larger than the default value. This port will be blocked in designated port
selection.
Procedure
Step 1 Run:
system-view
Context
After MSTP is enabled on a ring network, MSTP immediately calculates spanning trees on the
network. Configurations on the switching device, such as, the switching device priority and port
priority, will affect spanning tree calculation. Any change of the configurations may cause
network flapping. Therefore, to ensure rapid and stable spanning tree calculation, perform basic
configurations on the switching device and its ports and enable MSTP.
Procedure
Step 1 Run:
system-view
Prerequisite
All configurations of basic MSTP functions are complete.
Procedure
l Run the display stp [ instance instance-id ] [ interface { interface-type interface-number } ] [ brief ] command to view spanning-tree status and statistics.
l Run the display stp region-configuration [ digest ] command to view the digest
configurations of activated MST regions.
----End
Applicable Environment
In some specific networks, MSTP parameters will affect the speed of network convergence.
Configuring proper MSTP parameters is required.
NOTE
The default parameters also can be used to complete MSTP rapid convergence. Therefore, the configuration
procedures and steps in this command task are all optional.
Pre-configuration Tasks
Before configuring MSTP parameters, complete the following task:
l
Data Preparation
To configure MSTP parameters, you need the following data.
No.
Data
Network diameter
Hello time, forwarding delay time, maximum aging time, and timeout period for
waiting for BPDUs from the upstream (3 x hello time x time factor)
Whether auto recovery needs to be configured for an edge port being shut down
Procedure
Step 1 Run:
system-view
The timeout period for waiting for BPDUs from the upstream of a switching device is set.
By default, the timeout period of a switching device is 9 times as long as the Hello time.
Step 4 (Optional) To set the Forward Delay period, Hello time, and Max Age period, perform the
following operations:
l Run the stp timer forward-delay forward-delay command to set the Forward Delay period
for a switching device.
The default Forward Delay period of a switching device is 1500, in centiseconds.
l Run the stp timer hello hello-time command to set the Hello time for a switching device.
The default Hello time of a switching device is 200, in centiseconds.
l Run the stp timer max-age max-age command to set the Max Age period for a switching
device.
The default Max Age period of a switching device is 2000, in centiseconds.
NOTE
The values of the Hello time, Forward Delay period, and Max Age period must comply with the following
formulas. Otherwise, network flapping occurs.
l 2 x (Forward Delay - 1.0 second) >= Max Age
l Max Age >= 2 x (Hello Time + 1.0 second)
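The two timer constraints above, together with the BPDU timeout rule from the data preparation table (3 x Hello time x time factor, 9 x Hello time by default), as an added Python check. This is example code written for this section, not part of the Huawei guide or the switch software; the MstpTimers class and the assumed default time factor of 3 (derived from the two statements in the text) are assumptions of the example. Units are centiseconds, as in the stp timer commands.

```python
# Added example (not from the Huawei guide): validates MSTP timer settings
# against the two formulas in the NOTE above and derives the upstream BPDU
# timeout. All values are in centiseconds, like the stp timer commands.
from dataclasses import dataclass
from typing import List

CENTISECONDS_PER_SECOND = 100


@dataclass(frozen=True)
class MstpTimers:
    forward_delay: int = 1500   # default Forward Delay period (15 s)
    hello_time: int = 200       # default Hello time (2 s)
    max_age: int = 2000         # default Max Age period (20 s)
    timer_factor: int = 3       # assumed default: gives the 9 x Hello timeout quoted in the text


def timer_violations(t: MstpTimers) -> List[str]:
    """Return the violated constraints; an empty list means the timers are consistent."""
    one_second = CENTISECONDS_PER_SECOND
    problems: List[str] = []
    # 2 x (Forward Delay - 1.0 second) >= Max Age
    if 2 * (t.forward_delay - one_second) < t.max_age:
        problems.append("2 x (Forward Delay - 1 s) must be >= Max Age")
    # Max Age >= 2 x (Hello Time + 1.0 second)
    if t.max_age < 2 * (t.hello_time + one_second):
        problems.append("Max Age must be >= 2 x (Hello Time + 1 s)")
    return problems


def bpdu_timeout(t: MstpTimers) -> int:
    """Timeout for waiting for upstream BPDUs: 3 x Hello time x time factor (centiseconds)."""
    return 3 * t.hello_time * t.timer_factor


if __name__ == "__main__":
    for timers in (MstpTimers(), MstpTimers(forward_delay=1000), MstpTimers(hello_time=1000)):
        print(timers, "->", timer_violations(timers) or "OK", "timeout:", bpdu_timeout(timers))
```

With the defaults both formulas hold (2800 >= 2000 and 2000 >= 600) and the timeout is 1800 centiseconds, 9 times the Hello time. Shortening Forward Delay to 1000 or lengthening Hello to 1000 while leaving Max Age at 2000 breaks one formula each, which is the configuration the NOTE warns will flap.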
Step 5 Run:
stp max-hops hop
MCheck is enabled.
On a switching device running MSTP, if an interface is connected to a device running STP, the
interface automatically transitions to the STP mode.
Enabling MCheck on the interface is required because the interface may fail to automatically
transition to the MSTP mode in the following situations:
l The switching device running STP is shut down or moved.
l The switching device running STP transitions to the MSTP mode.
NOTE
If you run the stp mcheck command in the system view, the MCheck operation is performed on all the
interfaces.
----End
Procedure
Step 1 Run:
system-view
MCheck is enabled.
On a switching device running MSTP, if an interface is connected to a device running STP, the
interface automatically transitions to the STP mode.
Enabling MCheck on the interface is required because the interface may fail to automatically
transition to the MSTP mode in the following situations:
l The switching device running STP is shut down or moved.
The maximum number of BPDUs sent by a port within each Hello time is set.
By default, the maximum number of BPDUs that a port sends within each Hello time is 51.
Step 6 (Optional) Run:
stp edged-port enable
The auto recovery function on an edge port is configured. That is, a port in the error-down state is enabled to automatically go Up, and the delay for the transition from Down to Up is set.
There is no default value for the recovery time. Therefore, you must specify a delay when
configuring this command.
----End
Follow-up Procedure
When the topology of a spanning tree changes, the forwarding paths to associated VLANs are
changed. Then, ARP entries corresponding to those VLANs on the switching device need to be
updated. MSTP processes ARP entries in either fast or normal mode.
l You can run the stp converge { fast | normal } command in the system view to configure the
MSTP convergence mode.
By default, the MSTP convergence is configured as normal.
NOTE
The normal mode is recommended. If the fast mode is adopted, ARP entries will be frequently deleted,
causing the CPU usage on the MPU or LPU to reach 100%. As a result, network flapping frequently occurs.
Prerequisite
The configurations of MSTP parameters are complete.
Procedure
l Run the display stp [ instance instance-id ] [ interface { interface-type interface-number } ] [ brief ] command to view spanning-tree status and statistics.
----End
Applicable Environment
MSTP provides the following protection functions, as listed in Table 9-6.
Table 9-6 MSTP protection
MSTP Protection | Scenario | Configuration Impact
BPDU protection | |
TC protection | |
Root protection | Due to incorrect configurations or malicious attacks on the network, a root bridge may receive BPDUs with a higher priority. Consequently, the legitimate root bridge is no longer able to serve as the root bridge, and the network topology is illegitimately changed, triggering spanning tree recalculation. This may transfer traffic from high-speed links to low-speed links, causing traffic congestion. |
Loop protection | |
Pre-configuration Tasks
Before configuring MSTP protection functions on a switching device, complete the following
task:
Configuring an edge port on the switching device before configuring BPDU protection.
Data Preparation
To configure MSTP protection functions on a switching device, you need the following data.
No.
Data
Context
Edge ports are directly connected to user terminals and normally do not receive BPDUs. An
attacker may send forged BPDUs to attack the switching device. If an edge port receives a
BPDU, the switching device automatically sets the edge port as a non-edge port and triggers a
new spanning tree calculation, and network flapping occurs. BPDU protection can be used to
protect switching devices against such attacks.
NOTE
Procedure
Step 1 Run:
system-view
Context
An attacker may send pseudo TC-BPDUs to attack switching devices. Switching devices receive
a large number of TC BPDUs in a short time and delete entries frequently, which burdens system
processing and degrades network stability.
TC protection is used to suppress TC-BPDUs. The number of times that TC-BPDUs are
processed by a switching device within a given time period is configurable. If the number of
TC-BPDUs that the switching device receives within that time exceeds the specified
threshold, the switching device handles TC-BPDUs only the specified number of times.
The excess TC-BPDUs are processed by the switching device once, as a whole, after the timer
(that is, the specified time period) expires. This prevents the switching device from frequently
deleting MAC entries and ARP entries and thus avoids system overload.
Procedure
Step 1 Run:
system-view
The threshold of the number of times the MSTP process handles the received TC-BPDUs and
updates forwarding entries within a given time is set.
NOTE
The value of the given time is consistent with the MSTP Hello time set by using the stp timer hello hello-time command.
----End
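The TC protection behaviour described in the Context above (process at most the configured number of TC-BPDUs per Hello time, then collapse the excess into a single update when the timer expires), as an added Python model. This is example code for this section, not the switch's implementation; the TcProtection class, its method names and the simulate_burst helper are assumptions of the example.

```python
# Added example (not the device's implementation): models TC-BPDU suppression.
# Within each window (one Hello time, in centiseconds) at most `threshold`
# TC-BPDUs trigger an immediate forwarding-entry update; everything beyond the
# threshold is handled once, as a whole, when the window timer expires.
from typing import List


class TcProtection:
    def __init__(self, threshold: int, hello_time_cs: int = 200):
        self.threshold = threshold            # configured per-window processing limit
        self.window = hello_time_cs           # window length = Hello time (default 200 cs)
        self.window_start = 0
        self.processed_in_window = 0
        self.pending = 0                      # TC-BPDUs received beyond the threshold
        self.updates: List[int] = []          # times at which entries were actually flushed

    def _expire(self, now: int) -> None:
        """Close every elapsed window; deferred TC-BPDUs cause one update per window."""
        while now - self.window_start >= self.window:
            if self.pending:
                self.updates.append(self.window_start + self.window)
                self.pending = 0
            self.window_start += self.window
            self.processed_in_window = 0

    def receive_tc_bpdu(self, now: int) -> bool:
        """Return True if the TC-BPDU is processed at once, False if it is deferred."""
        self._expire(now)
        if self.processed_in_window < self.threshold:
            self.processed_in_window += 1
            self.updates.append(now)
            return True
        self.pending += 1
        return False

    def tick(self, now: int) -> None:
        """Timer check with no packet: lets the window expire."""
        self._expire(now)


def simulate_burst(threshold: int, count: int) -> int:
    """Constructed scenario: `count` TC-BPDUs arrive one centisecond apart inside a
    single Hello window; returns how many entry updates the device performs."""
    tc = TcProtection(threshold)
    for t in range(count):
        tc.receive_tc_bpdu(t)
    tc.tick(200)                              # the Hello timer expires
    return len(tc.updates)


if __name__ == "__main__":
    print("threshold 1, 50 TC-BPDUs ->", simulate_burst(1, 50), "updates")     # 2
    print("threshold 100, 50 TC-BPDUs ->", simulate_burst(100, 50), "updates")  # 50
```

A burst of 50 forged TC-BPDUs costs 50 MAC/ARP flushes without suppression but only two with a threshold of 1: one immediate update and one deferred update at the end of the Hello time.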
Context
Due to incorrect configurations or malicious attacks on the network, a root bridge may receive
BPDUs with a higher priority. Consequently, the legitimate root bridge is no longer able to serve
as the root bridge, and the network topology is illegitimately changed, triggering spanning tree
recalculation. This also may cause the traffic that should be transmitted over high-speed links
to be transmitted over low-speed links, leading to network congestion. The root protection
function on a switching device is used to protect the root bridge by preserving the role of the
designated port.
NOTE
Root protection is configured on a designated port. It takes effect only when being configured on the port
that functions as a designated port on all MSTIs. If root protection is configured on other types of ports, it
does not take effect.
Procedure
Step 1 Run:
system-view
Context
On a network running MSTP, a switching device maintains the root port status and status of
blocked ports by receiving BPDUs from an upstream switching device. If the switching device
cannot receive BPDUs from the upstream because of link congestion or unidirectional-link
failure, the switching device re-selects a root port. The original root port becomes a designated
port and the original blocked ports change to the Forwarding state. This may cause network
loops. To address such a problem, configure loop protection.
After loop protection is configured, if the root port or alternate port does not receive BPDUs
from the upstream switching device, the root port is blocked and the switching device notifies
the NMS that the port enters the Discarding state. The blocked port remains in the Blocked state
and no longer forwards packets. This prevents loops on the network. The root port restores the
Forwarding state after receiving new BPDUs.
NOTE
An alternate port is a backup port of a root port. If a switching device has an alternate port, you need to
configure loop protection on both the root port and the alternate port.
Do as follows on a root port and an alternate port on a switching device in an MST region:
Procedure
Step 1 Run:
system-view
Loop protection for the root port is configured on the switching device.
By default, loop protection is disabled.
----End
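The three protection functions configured in this section (BPDU protection on edge ports, root protection on designated ports, and loop protection on root and alternate ports), as one added Python model of how each changes a port's reaction to the event it guards against. This is example code for this section, not Huawei's implementation; the Port class, the role and state strings, and the on_bpdu and on_timeout_check functions are assumptions of the example.

```python
# Added example (not device code): a port-level model of the MSTP protection
# functions. Without protection each event triggers spanning tree
# recalculation; with protection the affected port is isolated instead.
from dataclasses import dataclass


@dataclass
class Port:
    name: str
    role: str                       # "edge", "designated", "root" or "alternate"
    state: str = "FORWARDING"
    bpdu_protection: bool = False   # global stp bpdu-protection, acts on edge ports
    root_protection: bool = False   # configured on a designated port
    loop_protection: bool = False   # configured on a root or alternate port
    last_bpdu_at: int = 0           # time (centiseconds) of the last BPDU received


def on_bpdu(port: Port, now: int, superior: bool = False) -> str:
    """React to a received BPDU; returns the action the model takes."""
    if port.role == "edge":
        if port.bpdu_protection:
            port.state = "ERROR-DOWN"     # port shut down; recovery is manual or auto recovery
            return "error-down"
        port.role = "non-edge"            # edge port demoted, tree recalculated
        return "recalculate"
    if port.role == "designated" and superior:
        if port.root_protection:
            port.state = "DISCARDING"     # designated role preserved, port blocked
            return "discard"
        return "recalculate"              # the forged/better root wins the election
    if port.role in ("root", "alternate"):
        port.last_bpdu_at = now           # upstream still alive
        port.state = "FORWARDING" if port.role == "root" else "DISCARDING"
    return "none"


def on_timeout_check(port: Port, now: int, timeout: int) -> str:
    """Upstream BPDU timer check on a root or alternate port."""
    if port.role not in ("root", "alternate") or now - port.last_bpdu_at < timeout:
        return "none"
    if port.loop_protection:
        port.state = "DISCARDING"         # stays blocked, NMS notified, no loop
        return "discard"
    port.role = "designated"              # without protection the device re-selects a
    port.state = "FORWARDING"             # root port and the old one starts forwarding
    return "recalculate"


if __name__ == "__main__":
    edge = Port("Eth0/0/1", "edge", bpdu_protection=True)
    print(edge.name, on_bpdu(edge, 0), edge.state)                       # error-down
    desi = Port("Eth0/0/2", "designated", root_protection=True)
    print(desi.name, on_bpdu(desi, 0, superior=True), desi.role)        # discard, designated
    root = Port("Eth0/0/3", "root", loop_protection=True)
    print(root.name, on_timeout_check(root, 1800, 1800), root.state)    # discard
```

The timeout passed to on_timeout_check is the upstream BPDU timeout from the parameter task (9 x Hello time by default); the superior flag stands for a BPDU carrying a better root bridge priority than the current root.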
Prerequisite
All configurations of MSTP protection functions are complete.
Procedure
l Run the display stp [ instance instance-id ] [ interface { interface-type interface-number } ] [ brief ] command to view spanning-tree status and statistics.
----End
Applicable Environment
On an MSTP network, inconsistent protocol packet formats and BPDU keys may lead to a
communication failure. Configuring proper MSTP parameters on Huawei devices ensures
interoperability between Huawei devices and non-Huawei devices.
Pre-configuration Tasks
Before configuring MSTP interoperability between Huawei devices and non-Huawei devices,
complete the following task:
l
Data Preparation
To configure MSTP interoperability between Huawei devices and non-Huawei devices, you
need the following data:
l BPDU format
Context
The rapid transition mechanism is also called the Proposal/Agreement mechanism. Switching
devices currently support the following modes:
l Enhanced mode: The current interface counts a root port when it computes the
synchronization flag bit.
An upstream device sends a Proposal message to a downstream device, requesting rapid
status transition. After receiving the message, the downstream device sets the port
connected to the upstream device as a root port and blocks all non-edge ports.
The upstream device then sends an Agreement message to the downstream device. After
the downstream device receives the message, the root port transitions to the Forwarding
state.
The downstream device then responds to the Proposal message with an Agreement
message. After receiving the message, the upstream device sets the port connected to
the downstream device as a designated port, and the designated port transitions to the
Forwarding state.
l Common mode: The current interface ignores the root port when it computes the
synchronization flag bit.
An upstream device sends a Proposal message to a downstream device, requesting rapid
status transition. After receiving the message, the downstream device sets the port
connected to the upstream device as a root port and blocks all non-edge ports. The root
port then transitions to the Forwarding state.
The downstream device responds to the Proposal message with an Agreement message.
After receiving the message, the upstream device sets the port connected to the
downstream device as a designated port. The designated port then transitions to the
Forwarding state.
When Huawei Datacom devices are interworking with non-Huawei devices, select either mode
depending on the Proposal/Agreement mechanism on non-Huawei devices.
Procedure
Step 1 Run:
system-view
Context
MSTP protocol packets have two formats: dot1s (IEEE 802.1s standard packets) and legacy
(proprietary protocol packets). The auto mode is introduced to allow an interface to automatically
use the format of MSTP protocol packets sent from the remote interface. In this manner, the two
interfaces use the same MSTP protocol packet format.
Do as follows on a switching device in an MST region:
Procedure
Step 1 Run:
system-view
NOTE
If the format of MSTP packets is set to dot1s on one end and legacy on the other end, the negotiation fails.
----End
Context
Do as follows on a switching device in an MST region:
Procedure
Step 1 Run:
system-view
Prerequisite
All the configurations for the interoperability between Huawei devices and non-Huawei devices
are complete.
Procedure
l Run the display stp [ instance instance-id ] [ interface { interface-type interface-number } ] [ brief ] command to view spanning-tree status and statistics.
----End
Context
CAUTION
MSTP statistics cannot be restored after you clear them. Therefore, exercise caution when using
the reset commands.
After you confirm that MSTP statistics need to be cleared, run the following command in the
user view.
Procedure
Step 1 Run the reset stp [ interface interface-type interface-number ] statistics command to clear
spanning-tree statistics.
----End
Figure (networking diagram, recovered as text): SwitchA, SwitchB, SwitchC, and SwitchD are interconnected through their Eth0/0/1, Eth0/0/2, and Eth0/0/3 interfaces.
Configuration Roadmap
The configuration roadmap is as follows:
1. Add SwitchA and SwitchC to MST region RG1, and create MSTI1.
2. Add SwitchB and SwitchD to MST region RG2, and create MSTI1.
3. In RG1, configure SwitchA as the CIST regional root and regional root of MSTI1.
4. Configure the root protection function on Eth 0/0/2 and Eth 0/0/1 on SwitchA.
5. In RG2, configure SwitchB as the CIST regional root and SwitchD as the regional root of
MSTI1.
6. On SwitchC and SwitchD, connect Eth 0/0/1 to a PC and configure Eth 0/0/1 as an edge
port. Enable BPDU protection on SwitchC and SwitchD.
7. Configure the Switches to calculate the path cost by using the algorithm of Huawei.
Data Preparation
To complete the configuration, you need the following data:
l
Procedure
Step 1 Configure SwitchA.
# Configure the MST region on SwitchA.
<SwitchA> system-view
[SwitchA] stp region-configuration
[SwitchA-mst-region] region-name RG1
[SwitchA-mst-region] instance 1 vlan 1 to 10
# Set the priority of SwitchA in MSTI0 to 0 to ensure that SwitchA functions as the CIST root.
[SwitchA] stp instance 0 priority 0
# Set the priority of SwitchA in MSTI1 to 0 to ensure that SwitchA functions as the regional
root of MSTI1.
[SwitchA] stp instance 1 priority 0
# Configure SwitchA to use Huawei private algorithm to calculate the path cost.
[SwitchA] stp pathcost-standard legacy
# Enable MSTP.
[SwitchA] stp enable
[SwitchA] bpdu enable
# Set the priority of SwitchB in MSTI0 to 4096 to ensure that SwitchB functions as the CIST
root.
[SwitchB] stp instance 0 priority 4096
# Configure SwitchB to use Huawei private algorithm to calculate the path cost.
[SwitchB] stp pathcost-standard legacy
# Enable MSTP.
[SwitchB] stp enable
[SwitchB] bpdu enable
# Configure SwitchC to use Huawei private algorithm to calculate the path cost.
[SwitchC] stp pathcost-standard legacy
# Enable MSTP.
[SwitchC] stp enable
[SwitchC] bpdu enable
# Set the priority of SwitchD in MSTI1 to 0 to ensure that SwitchD functions as the regional
root of MSTI1.
[SwitchD] stp instance 1 priority 0
# Configure SwitchD to use Huawei private algorithm to calculate the path cost.
[SwitchD] stp pathcost-standard legacy
# Enable MSTP.
[SwitchD] stp enable
[SwitchD] bpdu enable
# Output of the display stp brief command on SwitchA (partial; only the Role, STP State, and Protection columns survive):
 Role  STP State   Protection
 DESI  FORWARDING  ROOT
 DESI  FORWARDING  ROOT
 DESI  FORWARDING  ROOT
 DESI  FORWARDING  ROOT
The priority of SwitchA is the highest in the CIST; therefore, SwitchA is elected as the CIST
root and regional root of RG1. Eth 0/0/2 and Eth 0/0/1 of SwitchA are designated ports in the
CIST.
The priority of SwitchA in MSTI1 is the highest in RG1; therefore, SwitchA is elected as the
regional root of MSTI1 in RG1. Eth 0/0/2 and Eth 0/0/1 of SwitchA are designated ports in MSTI1.
# Run the display stp interface brief commands on SwitchC. The displayed information is as
follows:
# Output on SwitchC (partial; only the Protection column survives, showing NONE for each port in the CIST and in MSTI1):
 Protection
 NONE
 NONE
 Protection
 NONE
 NONE
Eth 0/0/3 of SwitchC is the root port in the CIST and MSTI1. Eth 0/0/2 of SwitchC is a designated
port in the CIST and MSTI1.
# Run the display stp brief command on SwitchB. The displayed information is as follows:
<SwitchB> display stp brief
 MSTID  Port            Role  STP State   Protection
   0    Ethernet0/0/1   DESI  FORWARDING  NONE
   0    Ethernet0/0/2   ROOT  FORWARDING  NONE
   1    Ethernet0/0/1   ROOT  FORWARDING  NONE
   1    Ethernet0/0/2   MAST  FORWARDING  NONE
The priority of SwitchB in the CIST is lower than that of SwitchA; therefore, Eth 0/0/2 of
SwitchB functions as the root port in the CIST. SwitchA and SwitchB belong to different regions;
therefore, Eth 0/0/2 of SwitchB functions as the master port in MSTI1. In MSTI1, the priority
of SwitchB is lower than that of SwitchD; therefore, Eth 0/0/1 of SwitchB functions as the root
port. The priority of SwitchB in the CIST is higher than that of SwitchD; therefore, Eth 0/0/1 of
SwitchB functions as the designated port in the CIST.
# Run the display stp interface brief commands on SwitchD. The displayed information is as
follows:
<SwitchD> display stp interface Ethernet 0/0/3 brief
 MSTID  Port            Role  STP State   Protection
   0    Ethernet0/0/3   ROOT  FORWARDING  NONE
   1    Ethernet0/0/3   DESI  FORWARDING  NONE
<SwitchD> display stp interface Ethernet 0/0/2 brief
 MSTID  Port            Role  STP State   Protection
   0    Ethernet0/0/2   ALTE  DISCARDING  NONE
   1    Ethernet0/0/2   ALTE  DISCARDING  NONE
On SwitchD, Eth 0/0/2 functions as the alternate port in the CIST. SwitchD and SwitchC are in
different regions; therefore, Eth 0/0/2 of SwitchD also functions as the alternate port in MSTI1.
Eth 0/0/3 of SwitchD is the root port in the CIST. The priority of SwitchD is higher than that of
SwitchB in MSTI1; therefore, Eth 0/0/3 also functions as the designated port in MSTI1.
----End
Configuration Files
l
#
sysname SwitchA
#
vlan batch 2 to 20
#
stp instance 0 priority 0
stp instance 1 priority 0
stp pathcost-standard legacy
stp region-configuration
region-name RG1
instance 1 vlan 1 to 10
active region-configuration
#
interface Ethernet0/0/1
#
sysname SwitchB
#
vlan batch 2 to 20
#
stp instance 0 priority 4096
stp pathcost-standard legacy
stp region-configuration
region-name RG2
instance 1 vlan 1 to 10
active region-configuration
#
interface Ethernet0/0/1
port link-type trunk
port trunk allow-pass vlan 1 to 20
#
interface Ethernet0/0/2
port link-type trunk
port trunk allow-pass vlan 1 to 20
#
return
#
sysname SwitchC
#
vlan batch 2 to 20
#
stp bpdu-protection
stp pathcost-standard legacy
stp region-configuration
region-name RG1
instance 1 vlan 1 to 10
active region-configuration
#
interface Ethernet0/0/1
port hybrid pvid vlan 20
port hybrid untagged vlan 20
stp edged-port enable
#
interface Ethernet0/0/2
port link-type trunk
port trunk allow-pass vlan 1 to 20
#
interface Ethernet0/0/3
port link-type trunk
port trunk allow-pass vlan 1 to 20
#
return
#
sysname SwitchD
#
vlan batch 2 to 20
#
stp instance 1 priority 0
stp bpdu-protection
Background
In certain network environments, packets of Layer 2 protocols such as MSTP, HGMP, and LACP
need to be transmitted between user networks across the backbone network to complete
calculation of the protocols.
As shown in Figure 10-1, user network 1 and user network 2 run Layer 2 protocols, for example,
MSTP. Layer 2 protocol packets of user network 1 must traverse the backbone network to reach
user network 2 so that the spanning tree can be calculated. Packets of a Layer 2 protocol usually
use the same destination MAC address. For example, MSTP packets are BPDUs that use
0180-C200-0000 as the destination MAC address. Therefore, when the BPDUs reach a PE on the
backbone network, the PE cannot identify whether the BPDUs are sent from a user network or
the backbone network. As a result, the PE sends the BPDUs to the CPU for spanning tree
calculation.
In this case, the spanning tree is calculated between the devices of user network 1 and PE1, and
the devices of user network 2 are not involved in the calculation. Therefore, BPDUs of user
network 1 cannot be sent to user network 2 through the backbone network.
Figure 10-1 Transparent transmission of Layer 2 protocol packets on an ISP network (recovered as text: CE1 in user network 1 and CE2 in user network 2 attach to PE1 and PE2 at the edge of the ISP network)
l Each site on a user network can receive Layer 2 protocol packets from other sites.
l Layer 2 protocol packets sent from a user network are not processed by CPUs of devices
on the backbone network.
l Layer 2 protocol packets of different user networks are separated from each other.
l A user-side device on the backbone network replaces the multicast destination MAC
address of Layer 2 protocol packets with a specified multicast MAC address.
l Devices on the backbone network determine whether to add an outer VLAN tag to the
packet according to the transparent transmission mode.
l The egress device on the backbone network restores the original multicast destination MAC
address of the packet according to the mappings between multicast destination MAC
addresses and Layer 2 protocols. The egress device also determines whether to remove the
outer VLAN tag, and then forwards the packet to the user network.
Currently, the S2700 can transparently transmit packets of the following Layer 2 protocols:
l User-defined protocols
NOTE
Figure 10-2 (recovered as text): PE1, PE2, and PE3 on the ISP network each have port-based VLAN 200 interfaces connected to LAN-B user networks running MSTP and port-based VLAN 300 interfaces connected to LAN-A user networks running MSTP.
As shown in Figure 10-2, each interface of a PE is connected to one user network. The user
networks connected to the same PE belong to different LANs, namely, LAN-A and LAN-B.
BPDUs sent from user networks are not tagged, but the PE needs to identify the LAN that each
BPDU belongs to. BPDUs of a user network on LAN-A must be forwarded to other user networks
on LAN-A, but cannot be forwarded to user networks on LAN-B. In addition, BPDUs cannot
be processed by network devices of the ISP.
The following methods can be used to meet the preceding requirements:
l Replace the default multicast MAC address of Layer 2 protocol packets that can be
identified by PEs on the backbone network with another multicast MAC address.
1. Configure all PEs as providers. Then the multicast destination MAC address of
BPDUs sent from the backbone network is changed from 01-80-C2-00-00-00 to
01-80-C2-00-00-08.
2. Configure all devices on user networks as customers. Then the multicast destination
MAC address of BPDUs sent from user networks is 01-80-C2-00-00-00.
3. On PEs, add the interfaces connected to the same user network to the same VLAN.
Then PEs add VLAN tags to received BPDUs according to default VLANs of the
interfaces.
4. PEs (providers) do not consider these packets as Layer 2 protocol BPDUs and do not
send them to the CPU. Instead, PEs select a Layer 2 tunnel to forward the packets
according to the default VLANs of interfaces.
5. Internal nodes on the backbone network forward the packets across the backbone
network as common Layer 2 packets.
6. The egress device on the backbone network forwards the packets to user networks
without modifying the packets.
NOTE
l This method is applicable only to STP, RSTP, and MSTP. To configure a device as the provider,
run the bpdu-tunnel stp bridge role provider command.
l Replace the original multicast MAC address of Layer 2 protocol packets from user networks
with a specified multicast MAC address.
NOTE
1. PEs identify the type (such as STP) of the Layer 2 protocol packets sent from user
networks and tag the packets with corresponding VLAN IDs according to default
VLANs of interfaces.
2. PEs replace the standard multicast destination MAC address of Layer 2 protocol
packets with a specified multicast MAC address according to the mappings between
multicast destination MAC addresses and Layer 2 protocols.
3. Internal nodes on the backbone network forward the packets across the backbone
network as common Layer 2 packets.
4. The egress device of the backbone network restores the original destination MAC
address of the packets according to the mappings between multicast destination MAC
addresses and Layer 2 protocols, and then forwards the packets to user networks.
Figure (recovered as text): a BPDU tunnel across the ISP network between PE 1, PE 2, and PE 3; LAN-A and LAN-B user networks running MSTP attach to the PEs through CE-VLAN 100 and CE-VLAN 200, and the PEs are interconnected through trunks carrying VLANs 100 to 200.
l Replace the default multicast MAC address of the Layer 2 protocol that can be identified
by PEs with another multicast MAC address.
1. Configure all PEs as providers. Then the multicast destination MAC address of
BPDUs sent from the backbone network is changed from 01-80-C2-00-00-00 to
01-80-C2-00-00-08.
2. Configure all devices on user networks as customers. Then the multicast destination
MAC address of BPDUs sent from user networks is 01-80-C2-00-00-00.
3. Configure devices on user networks to send Layer 2 protocol packets with the specified
VLAN IDs to the backbone network.
4. Enable PEs to identify Layer 2 protocol packets with the specified VLAN IDs and
allow these packets to pass.
5. PEs (providers) do not consider these packets as Layer 2 protocol BPDUs and do not
send them to the CPU. Instead, PEs select a Layer 2 tunnel to forward the packets
according to the default VLANs of interfaces.
6. Internal nodes on the backbone network forward the packets across the backbone
network as common Layer 2 packets.
7. The egress device on the backbone network forwards the packets to user networks
without modifying the packets.
NOTE
l This method is applicable only to STP, RSTP, and MSTP. To configure a device as the provider,
run the bpdu-tunnel stp bridge role provider command.
l Replace the original multicast MAC address of Layer 2 protocol packets from user networks
with a specified multicast MAC address.
NOTE
1. Configure devices on user networks to send Layer 2 protocol packets with the specified
VLAN IDs to the backbone network.
2. Enable PEs to identify Layer 2 protocol packets with the specified VLAN IDs and
allow these packets to pass.
3. PEs replace the standard multicast destination MAC address of Layer 2 protocol
packets with a specified multicast MAC address according to the mappings between
multicast destination MAC addresses and Layer 2 protocols.
4. Internal nodes on the backbone network forward the packets across the backbone
network as common Layer 2 packets.
5. The egress device of the backbone network restores the original destination MAC
address of the packets according to the mappings between multicast destination MAC
addresses and Layer 2 protocols, and then forwards the packets to user networks.
Pre-configuration Tasks
Before configuring interface-based Layer 2 protocol transparent transmission, complete the
following tasks:
l
Enabling the interfaces to send BPDUs to the CPU by using the bpdu enable command
Data Preparation
To configure interface-based Layer 2 protocol transparent transmission, you need the following
data:
l Destination MAC address of Layer 2 protocol packets and multicast MAC address
that replaces the destination MAC address
Procedure
Step 1 Run:
system-view
The characteristic information about the Layer 2 protocol is defined, including the protocol
name, Ethernet encapsulation format and destination MAC address of Layer 2 protocol packets,
and MAC address that replaces the destination MAC address.
When defining characteristic information about a Layer 2 protocol, do not use the following
multicast MAC addresses to replace the destination MAC address of Layer 2 protocol packets:
l Destination MAC addresses of BPDUs: 0180-C200-0000 to 0180-C200-002F
l Destination MAC address of Smart Link packets: 010F-E200-0004
l Special multicast MAC addresses: 0100-0CCC-CCCC and 0100-0CCC-CCCD
l Common multicast MAC addresses that have been used on the device
----End
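The two replacement methods from the Background (a bpdu-tunnel provider rewriting 01-80-C2-00-00-00 to 01-80-C2-00-00-08, or a configured group MAC per protocol) together with the reserved-address rule just above, as one added Python model of a PE's ingress and egress processing. This is example code for this section, not Huawei's implementation; the ProviderEdge class, frames represented as dicts, the set_group_mac, ingress, egress and tunnel_roundtrip names, and the sample frames are assumptions constructed for the example.

```python
# Added example (not device code): models how a PE rewrites the destination
# MAC of tunnelled Layer 2 protocol frames on ingress, tags them with the
# port's default VLAN, and restores the original MAC on egress. It also
# enforces the list of multicast addresses that must not be used as
# replacement addresses for user-defined protocols.
from typing import Dict, Optional, Tuple

STP_BPDU_MAC = "0180-c200-0000"      # standard BPDU destination (01-80-C2-00-00-00)
STP_PROVIDER_MAC = "0180-c200-0008"  # what a bpdu-tunnel provider rewrites it to


def mac_to_int(mac: str) -> int:
    """Parse 0180-C200-0000, 01-80-C2-00-00-00 or 01:80:c2:00:00:00 spellings."""
    digits = "".join(ch for ch in mac if ch in "0123456789abcdefABCDEF")
    if len(digits) != 12:
        raise ValueError(f"bad MAC address: {mac!r}")
    return int(digits, 16)


def normalize(mac: str) -> str:
    """Render a MAC address in the guide's xxxx-xxxx-xxxx form, lower case."""
    h = f"{mac_to_int(mac):012x}"
    return f"{h[0:4]}-{h[4:8]}-{h[8:12]}"


def is_reserved_replacement(mac: str) -> bool:
    """True for addresses the guide says must not replace a protocol's destination MAC."""
    m = mac_to_int(mac)
    if mac_to_int("0180-c200-0000") <= m <= mac_to_int("0180-c200-002f"):
        return True                                   # BPDU destination addresses
    return m in {mac_to_int("010f-e200-0004"),        # Smart Link packets
                 mac_to_int("0100-0ccc-cccc"),        # special multicast addresses
                 mac_to_int("0100-0ccc-cccd")}


class ProviderEdge:
    """Hypothetical PE: protocol name -> (original destination MAC, replacement MAC or None)."""

    def __init__(self, provider_role: bool = False):
        self.protocols: Dict[str, Tuple[str, Optional[str]]] = {
            "stp": (STP_BPDU_MAC, STP_PROVIDER_MAC if provider_role else None)
        }

    def set_group_mac(self, protocol: str, dst_mac: str, group_mac: str) -> None:
        """Register a protocol and the multicast MAC that replaces its destination MAC."""
        if is_reserved_replacement(group_mac):
            raise ValueError(f"{normalize(group_mac)} is reserved and cannot be a replacement MAC")
        self.protocols[protocol] = (normalize(dst_mac), normalize(group_mac))

    def ingress(self, frame: dict, pvid: int) -> dict:
        """User-side port: tunnelled protocols get the replacement MAC and the port's default VLAN."""
        dst = normalize(frame["dst"])
        for original, replacement in self.protocols.values():
            if dst == original and replacement is not None:
                return {**frame, "dst": replacement, "vlan": pvid, "to_cpu": False}
        return {**frame, "to_cpu": True}   # not tunnelled: the PE's own CPU processes it


    def egress(self, frame: dict) -> dict:
        """Egress PE: restore the original destination MAC and strip the outer tag."""
        dst = normalize(frame["dst"])
        out = {k: v for k, v in frame.items() if k not in ("vlan", "to_cpu")}
        for original, replacement in self.protocols.values():
            if replacement is not None and dst == replacement:
                out["dst"] = original
                break
        return out


def tunnel_roundtrip(ingress_pe: ProviderEdge, egress_pe: ProviderEdge, frame: dict, pvid: int) -> dict:
    """Constructed end-to-end trip: user network -> ingress PE -> backbone -> egress PE."""
    tagged = ingress_pe.ingress(frame, pvid)
    if tagged["to_cpu"]:
        return tagged                      # absorbed by the ingress PE, as the Background warns
    return egress_pe.egress(tagged)


if __name__ == "__main__":
    bpdu = {"dst": "01-80-C2-00-00-00", "proto": "stp"}         # constructed sample frame
    pe1, pe2 = ProviderEdge(provider_role=True), ProviderEdge(provider_role=True)
    print("provider tunnel:", tunnel_roundtrip(pe1, pe2, bpdu, 100))
    print("no tunnel:", tunnel_roundtrip(ProviderEdge(), ProviderEdge(), bpdu, 100))
```

With both PEs as providers the BPDU leaves PE1 tagged with VLAN 100 and carrying 0180-C200-0008, crosses the backbone as an ordinary multicast frame, and reaches the far user network with 0180-C200-0000 restored; with neither role nor group MAC configured, the same frame is handed to the ingress PE's CPU and never reaches the other site. Attempting to register a reserved address such as 0180-C200-0008 itself as a user-defined replacement is rejected.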
Procedure
l Replace the default multicast MAC address of the Layer 2 protocol that can be identified
by PEs with another multicast MAC address.
1.
Run:
system-view
Run:
bpdu-tunnel stp bridge role provider
Replace the original multicast MAC address of Layer 2 protocol packets from user networks
with a specified multicast MAC address.
1.
Run:
system-view
Run:
l2protocol-tunnel protocol-type group-mac group-mac
----End
Procedure
Step 1 Run:
system-view
Step 2 Run:
interface interface-type interface-number
The range of VLAN IDs specified in this step must include VLAN IDs of Layer 2 protocol packets from
user networks.
Step 6 Run:
l2protocol-tunnel { all | protocol-type | user-defined-protocol protocol-name }
enable
l For details on how to add an interface to VLANs, see the VLAN configuration in the S2700
Configuration Guide- Ethernet.
l Before specifying a user-defined protocol in the l2protocol-tunnel command, run the l2protocol-tunnel user-defined-protocol command to define characteristic information about the Layer 2
protocol. STP packets have a default MAC address for replacing the original destination MAC address.
For packets of other Layer 2 protocols, you need to configure a global MAC address to replace the
destination MAC address. For details, see l2protocol-tunnel group-mac.
l The l2protocol-tunnel and l2protocol-tunnel vlan commands cannot specify the same protocol type
on the same interface; otherwise, the configurations conflict.
----End
Procedure
l
Run the display l2protocol-tunnel group-mac { all | protocol-type | user-defined-protocol protocol-name } command to check information about transparent transmission
of specified or all Layer 2 protocol packets.
----End
Pre-configuration Tasks
Before configuring VLAN-based Layer 2 protocol transparent transmission, complete the
following tasks:
l
Enabling the interfaces to send BPDUs to the CPU by using the bpdu enable command
Data Preparation
To configure VLAN-based Layer 2 protocol transparent transmission, you need the following
data:
l Destination MAC address of Layer 2 protocol packets and multicast MAC address
that replaces the destination MAC address
Do as follows on PEs.
Procedure
Step 1 Run:
system-view
The characteristic information about the Layer 2 protocol is defined, including the protocol
name, Ethernet encapsulation format and destination MAC address of Layer 2 protocol packets,
and MAC address that replaces the destination MAC address.
When defining characteristic information about a Layer 2 protocol, do not use the following
multicast MAC addresses to replace the destination MAC address of Layer 2 protocol packets:
l Destination MAC addresses of BPDUs: 0180-C200-0000 to 0180-C200-002F
l Destination MAC address of Smart Link packets: 010F-E200-0004
l Special multicast MAC addresses: 0100-0CCC-CCCC and 0100-0CCC-CCCD
l Common multicast MAC addresses that have been used on the device
----End
Procedure
l
Replace the default multicast MAC address of the Layer 2 protocol that can be identified
by PEs with another multicast MAC address.
1.
Run:
system-view
Run:
bpdu-tunnel stp bridge role provider
NOTE
Replace the original multicast MAC address of Layer 2 protocol packets from user networks
with a specified multicast MAC address.
1.
Run:
system-view
Run:
l2protocol-tunnel protocol-type group-mac group-mac
----End
Procedure
Step 1 Run:
system-view
NOTE
The range of VLAN IDs specified in this step must include VLAN IDs of Layer 2 protocol packets from
user networks.
Step 4 Run:
l2protocol-tunnel { all | protocol-type | user-defined-protocol protocol-name }
{ vlan low-id [ to high-id ] } &<1-10>
l For details on how to add an interface to VLANs in tagged mode, see the VLAN configuration in the
S2700 Configuration Guide- Ethernet.
l Before specifying a user-defined protocol in the l2protocol-tunnel vlan command, run the l2protocol-tunnel user-defined-protocol command to define characteristic information about the Layer 2
protocol. STP packets have a default MAC address for replacing the original destination MAC address.
For packets of other Layer 2 protocols, you need to configure a global MAC address to replace the
destination MAC address. For details, see l2protocol-tunnel group-mac.
l The l2protocol-tunnel vlan and l2protocol-tunnel commands cannot specify the same protocol type
on the same interface; otherwise, the configurations conflict.
----End
Procedure
l Run the display l2protocol-tunnel group-mac { all | protocol-type | user-defined-protocol protocol-name } command to check information about transparent transmission of specified or all Layer 2 protocol packets.
----End
CAUTION
Debugging affects the performance of the system. So, after debugging, run the undo debugging all command to disable it immediately.
When a fault occurs during Layer 2 protocol transparent transmission, run the following debugging command in the user view to locate the fault.
Procedure
l Run the debugging l2protocol-tunnel [ msg | error | event ] command in the user view to enable debugging of Layer 2 protocol transparent transmission.
----End
(Networking diagram not reproduced: CE1 and CE2 in VLAN 100 and CE3 and CE4 in VLAN 200 attach through their Eth 0/0/1 to Eth 0/0/1 (VLAN 100) and Eth 0/0/2 (VLAN 200) of PE1 and PE2; PE1 and PE2 face the network side through Eth 0/0/3.)
Configuration Roadmap
The configuration roadmap is as follows:
1.
2.
3.
4.
Configure network-side interfaces of PEs to allow packets of VLAN 100 and VLAN 200
to pass.
Data Preparation
To complete the configuration, you need the following data:
l
Procedure
Step 1 Enable STP on CEs and PEs.
# Configure CE1.
<Quidway> system-view
[Quidway] sysname CE1
[CE1] vlan 100
[CE1-vlan100] quit
[CE1] stp enable
[CE1] bpdu enable
[CE1] interface ethernet 0/0/1
[CE1-Ethernet0/0/1] port hybrid pvid vlan 100
[CE1-Ethernet0/0/1] port hybrid untagged vlan 100
# Configure CE2.
<Quidway> system-view
[Quidway] sysname CE2
[CE2] vlan 100
[CE2-vlan100] quit
[CE2] stp enable
[CE2] bpdu enable
[CE2] interface ethernet 0/0/1
[CE2-Ethernet0/0/1] port hybrid pvid vlan 100
[CE2-Ethernet0/0/1] port hybrid untagged vlan 100
# Configure CE3.
<Quidway> system-view
[Quidway] sysname CE3
[CE3] vlan 200
[CE3-vlan200] quit
[CE3] stp enable
[CE3] bpdu enable
[CE3] interface ethernet 0/0/1
[CE3-Ethernet0/0/1] port hybrid pvid vlan 200
[CE3-Ethernet0/0/1] port hybrid untagged vlan 200
# Configure CE4.
<Quidway> system-view
# Configure PE1.
<Quidway> system-view
[Quidway] sysname PE1
[PE1]
# Configure PE2.
<Quidway> system-view
[Quidway] sysname PE2
[PE2]
Step 2 On PE1 and PE2, add Eth 0/0/1 to VLAN 100, add Eth 0/0/2 to VLAN 200, and enable Layer
2 protocol transparent transmission.
# Configure PE1.
[PE1] vlan 100
[PE1-vlan100] quit
[PE1] bpdu enable
[PE1] interface Ethernet 0/0/1
[PE1-Ethernet0/0/1] port hybrid pvid vlan 100
[PE1-Ethernet0/0/1] port hybrid untagged vlan 100
[PE1-Ethernet0/0/1] l2protocol-tunnel stp enable
[PE1-Ethernet0/0/1] quit
[PE1] vlan 200
[PE1-vlan200] quit
[PE1] bpdu enable
[PE1] interface Ethernet 0/0/2
[PE1-Ethernet0/0/2] port hybrid pvid vlan 200
[PE1-Ethernet0/0/2] port hybrid untagged vlan 200
[PE1-Ethernet0/0/2] l2protocol-tunnel stp enable
[PE1-Ethernet0/0/2] quit
# Configure PE2.
[PE2] vlan 100
[PE2-vlan100] quit
[PE2] bpdu enable
[PE2] interface Ethernet 0/0/1
[PE2-Ethernet0/0/1] port hybrid pvid vlan 100
[PE2-Ethernet0/0/1] port hybrid untagged vlan 100
[PE2-Ethernet0/0/1] l2protocol-tunnel stp enable
[PE2-Ethernet0/0/1] quit
[PE2] vlan 200
[PE2-vlan200] quit
[PE2] bpdu enable
[PE2] interface Ethernet 0/0/2
[PE2-Ethernet0/0/2] port hybrid pvid vlan 200
[PE2-Ethernet0/0/2] port hybrid untagged vlan 200
[PE2-Ethernet0/0/2] l2protocol-tunnel stp enable
[PE2-Ethernet0/0/2] quit
Step 3 Configure PEs to replace the destination MAC address of STP packets received from CEs.
# Configure PE1.
[PE1] l2protocol-tunnel stp group-mac 0100-5e00-0011
# Configure PE2.
Step 4 On PE1 and PE2, configure network-side interface Eth 0/0/3 to allow packets of VLAN 100 and
VLAN 200 to pass.
# Configure PE1.
[PE1] interface Ethernet 0/0/3
[PE1-Ethernet0/0/3] port hybrid tagged vlan 100 200
[PE1-Ethernet0/0/3] quit
# Configure PE2.
[PE2] interface Ethernet 0/0/3
[PE2-Ethernet0/0/3] port hybrid tagged vlan 100 200
[PE2-Ethernet0/0/3] quit
Run the display stp command on CE1 and CE2 to view the root in the MST region. You can find that a spanning tree is calculated between CE1 and CE2. Eth 0/0/1 of CE1 is a root port, and Eth 0/0/1 of CE2 is a designated port.
<CE1> display stp
-------[CIST Global Info] [Mode MSTP] ------
CIST Bridge         :32768.00e0-fc9f-3257
Bridge Times        :Hello 2s MaxAge 20s FwDly 15s MaxHop 20
CIST Root/ERPC      :32768.00e0-fc9a-4315 / 199999
CIST RegRoot/IRPC   :32768.00e0-fc9f-3257 / 0
CIST RootPortId     :128.82
BPDU-Protection     :disabled
TC or TCN received  :6
TC count per hello  :6
STP Converge Mode   :Normal
Share region-configuration :enabled
Time since last TC received :0 days 2h:24m:36s
----[Port1(Ethernet0/0/1)] [FORWARDING] ----
Port Protocol       :enabled
Port Role           :Root Port
Port Priority       :128
Port Cost(Dot1T )   :Config=auto / Active=200000000
Desg. Bridge/Port   :32768.00e0-fc9a-4315 / 128.82
Port Edged          :Config=disabled / Active=disabled
Point-to-point      :Config=auto / Active=true
Transit Limit       :51 packets/hello-time
Protection Type     :None
Port Stp Mode       :MSTP
Port Protocol Type  :Config=auto / Active= dot1s
BPDU Encapsulation  :Config=stp / Active=stp
PortTimes           :Hello 2s MaxAge 20s FwDly 15s RemHop 20
TC or TCN send      :0
TC or TCN received  :0
BPDU Sent           :6
         TCN: 0, Config: 0, RST: 0, MST: 6
BPDU Received       :4351
         TCN: 0, Config: 0, RST: 0, MST: 4351
Run the display stp command on CE3 and CE4 to view the root in the MST region. You can find that a spanning tree is calculated between CE3 and CE4. Eth 0/0/1 of CE3 is a root port, and Eth 0/0/1 of CE4 is a designated port.
<CE3> display stp
-------[CIST Global Info][Mode MSTP]------
CIST Bridge         :32768.000b-0967-58a0
Bridge Times        :Hello 2s MaxAge 20s FwDly 15s MaxHop 20
CIST Root/ERPC      :32768.000b-0952-f13e / 199999
CIST RegRoot/IRPC   :32768.000b-0967-58a0 / 0
CIST RootPortId     :128.82
BPDU-Protection     :disabled
TC or TCN received  :0
TC count per hello  :0
STP Converge Mode   :Normal
Share region-configuration :enabled
Time since last TC received :0 days 10h:54m:37s
----[Port1(Ethernet0/0/1)][FORWARDING]----
Port Protocol       :enabled
Port Role           :Root Port
Port Priority       :128
Port Cost(Dot1T )   :Config=auto / Active=200000000
Desg. Bridge/Port   :32768.000b-0952-f13e / 128.82
Port Edged          :Config=disabled / Active=disabled
Point-to-point      :Config=auto / Active=true
Transit Limit       :51 packets/hello-time
Protection Type     :None
Port Stp Mode       :MSTP
Port Protocol Type  :Config=auto / Active= dot1s
BPDU Encapsulation  :Config=stp / Active=stp
PortTimes           :Hello 2s MaxAge 20s FwDly 15s RemHop 20
TC or TCN send      :0
TC or TCN received  :0
BPDU Sent           :114
         TCN: 0, Config: 0, RST: 0, MST: 114
BPDU Received       :885
         TCN: 0, Config: 0, RST: 0, MST: 885
<CE4> display stp
-------[CIST Global Info][Mode MSTP]------
CIST Bridge         :32768.000b-0952-f13e
Bridge Times        :Hello 2s MaxAge 20s FwDly 15s MaxHop 20
CIST Root/ERPC      :32768.000b-0952-f13e / 0
CIST RegRoot/IRPC   :32768.000b-0952-f13e / 0
CIST RootPortId     :0.0
BPDU-Protection     :disabled
TC or TCN received  :4
TC count per hello  :4
STP Converge Mode   :Normal
Share region-configuration :enabled
Time since last TC received :0 days 8h:59m:18s
----[Port1(Ethernet0/0/1)][FORWARDING]----
Port Protocol       :enabled
Port Role           :Designated Port
Port Priority       :128
Port Cost(Dot1T )   :Config=auto / Active=200000000
Desg. Bridge/Port   :32768.000b-0952-f13e / 128.82
Port Edged          :Config=disabled / Active=disabled
Point-to-point      :Config=auto / Active=true
Transit Limit       :51 packets/hello-time
Protection Type     :None
Port Stp Mode       :MSTP
Port Protocol Type  :Config=auto / Active= dot1s
BPDU Encapsulation  :Config=stp / Active=stp
PortTimes           :Hello 2s MaxAge 20s FwDly 15s RemHop 20
TC or TCN send      :0
TC or TCN received  :0
BPDU Sent           :1834
         TCN: 0, Config: 0, RST: 0, MST: 1834
BPDU Received       :1
         TCN: 0, Config: 0, RST: 0, MST: 1
----End
Configuration Files
l
In this example, PEs transparently transmit STP packets sent from user networks by replacing
the original multicast destination MAC address of STP packets with a specified multicast MAC
address. By default, the destination MAC address of STP packets is 0180-C200-0000.
Figure 10-5 Networking of VLAN-based Layer 2 protocol transparent transmission
(Diagram not reproduced: CE1 and CE2 in VLAN 100 and CE3 and CE4 in VLAN 200 attach through their Eth0/0/1 to PE1 and PE2, the VLAN 100 CEs on Eth0/0/2 and the VLAN 200 CEs on Eth0/0/3 of each PE; Eth0/0/1 of each PE faces the P device.)
Configuration Roadmap
The configuration roadmap is as follows:
1.
2.
Configure CEs to send STP packets with specified VLAN tags to PEs.
3.
4.
Configure network-side interfaces of PEs to allow packets of VLAN 100 and VLAN 200
to pass.
5.
Configure the Layer 2 forwarding function on the P device so that packets sent from PEs
can be transmitted on the backbone network.
Data Preparation
To complete the configuration, you need the following data:
Procedure
Step 1 Enable STP on CEs and PEs.
# Configure CE1.
[CE1] stp enable
# Configure CE2.
[CE2] stp enable
# Configure CE3.
[CE3] stp enable
# Configure CE4.
[CE4] stp enable
Step 2 Configure CE1 and CE2 to send STP packets with VLAN tag 100 to PEs and configure CE3
and CE4 to send STP packets with VLAN tag 200 to PEs.
# Configure CE1.
[CE1] vlan 100
[CE1-vlan100] quit
[CE1] bpdu enable
[CE1] interface ethernet 0/0/1
[CE1-Ethernet0/0/1] port hybrid tagged vlan 100
[CE1-Ethernet0/0/1] stp bpdu vlan 100
# Configure CE2.
[CE2] vlan 100
[CE2-vlan100] quit
[CE2] bpdu enable
[CE2] interface ethernet 0/0/1
[CE2-Ethernet0/0/1] port hybrid tagged vlan 100
[CE2-Ethernet0/0/1] stp bpdu vlan 100
# Configure CE3.
[CE3] vlan 200
[CE3-vlan200] quit
[CE3] bpdu enable
[CE3] interface ethernet 0/0/1
[CE3-Ethernet0/0/1] port hybrid tagged vlan 200
[CE3-Ethernet0/0/1] stp bpdu vlan 200
# Configure CE4.
[CE4] vlan 200
[CE4-vlan200] quit
[CE4] bpdu enable
[CE4] interface ethernet 0/0/1
[CE4-Ethernet0/0/1] port hybrid tagged vlan 200
[CE4-Ethernet0/0/1] stp bpdu vlan 200
Step 3 Configure PE interfaces to transparently transmit STP packets of CEs to the P device.
# Configure PE1.
[PE1] vlan 100
[PE1-vlan100] quit
[PE1] vlan 200
[PE1-vlan200] quit
[PE1] bpdu enable
[PE1] interface ethernet 0/0/1
[PE1-Ethernet0/0/1] port hybrid tagged vlan 100 200
[PE1-Ethernet0/0/1] quit
[PE1] interface ethernet 0/0/2
[PE1-Ethernet0/0/2] port hybrid tagged vlan 100
[PE1-Ethernet0/0/2] l2protocol-tunnel stp vlan 100
[PE1-Ethernet0/0/2] quit
[PE1] interface ethernet 0/0/3
[PE1-Ethernet0/0/3] port hybrid tagged vlan 200
[PE1-Ethernet0/0/3] l2protocol-tunnel stp vlan 200
[PE1-Ethernet0/0/3] quit
# Configure PE2.
[PE2] vlan 100
[PE2-vlan100] quit
[PE2] vlan 200
[PE2-vlan200] quit
[PE2] bpdu enable
[PE2] interface ethernet 0/0/1
[PE2-Ethernet0/0/1] port hybrid tagged vlan 100 200
[PE2-Ethernet0/0/1] quit
[PE2] interface ethernet 0/0/2
[PE2-Ethernet0/0/2] port hybrid tagged vlan 100
[PE2-Ethernet0/0/2] l2protocol-tunnel stp vlan 100
[PE2-Ethernet0/0/2] quit
[PE2] interface ethernet 0/0/3
[PE2-Ethernet0/0/3] port hybrid tagged vlan 200
[PE2-Ethernet0/0/3] l2protocol-tunnel stp vlan 200
[PE2-Ethernet0/0/3] quit
Step 4 Configure PEs to replace the destination MAC address of STP packets received from CEs.
# Configure PE1.
[PE1] l2protocol-tunnel stp group-mac 0100-5e00-0011
# Configure PE2.
[PE2] l2protocol-tunnel stp group-mac 0100-5e00-0011
Step 5 Configure the Layer 2 forwarding function on the P device and configure it to allow packets of
VLAN 100 and VLAN 200 to pass.
[P] vlan 100
[P-vlan100] quit
[P] vlan 200
[P-vlan200] quit
[P] interface ethernet 0/0/1
[P-Ethernet0/0/1] port hybrid tagged vlan 100 200
[P-Ethernet0/0/1] quit
[P] interface ethernet 0/0/2
[P-Ethernet0/0/2] port hybrid tagged vlan 100 200
[P-Ethernet0/0/2] quit
                                                     Group-MAC       Pri
-----------------------------------------------------------------------------
stp   llc   dsap 0x42   ssap 0x42   0180-c200-0000   0100-5e00-0011   0
Run the display stp command on CE1 and CE2 to view the root in the MST region. You can find that a spanning tree is calculated between CE1 and CE2. Eth 0/0/1 of CE1 is a root port, and Eth 0/0/1 of CE2 is a designated port.
<CE1> display stp
-------[CIST Global Info][Mode MSTP]------
CIST Bridge         :32768.000b-09f0-1b91
Bridge Times        :Hello 2s MaxAge 20s FwDly 15s MaxHop 20
CIST Root/ERPC      :32768.000b-09d4-b66c / 199999
CIST RegRoot/IRPC   :32768.000b-09f0-1b91 / 0
CIST RootPortId     :128.82
BPDU-Protection     :disabled
TC or TCN received  :2
TC count per hello  :2
STP Converge Mode   :Normal
Time since last TC received :0 days 3h:53m:43s
----[Port17(Ethernet0/0/1)][FORWARDING]----
Port Protocol       :enabled
Port Role           :Root Port
Port Priority       :128
Port Cost(Dot1T )   :Config=auto / Active=200000000
Desg. Bridge/Port   :32768.000b-09d4-b66c / 128.82
Port Edged          :Config=disabled / Active=disabled
Point-to-point      :Config=auto / Active=true
Transit Limit       :51 packets/hello-time
Protection Type     :None
Port Stp Mode       :MSTP
Port Protocol Type  :Config=auto / Active= dot1s
BPDU Encapsulation  :Config=stp / Active=stp
PortTimes           :Hello 2s MaxAge 20s FwDly 15s RemHop 20
TC or TCN send      :0
TC or TCN received  :0
BPDU Sent           :237
         TCN: 0, Config: 0, RST: 0, MST: 237
BPDU Received       :9607
         TCN: 0, Config: 0, RST: 0, MST: 9607
<CE2> display stp
-------[CIST Global Info][Mode MSTP]------
CIST Bridge         :32768.000b-09d4-b66c
Bridge Times        :Hello 2s MaxAge 20s FwDly 15s MaxHop 20
CIST Root/ERPC      :32768.000b-09d4-b66c / 0
CIST RegRoot/IRPC   :32768.000b-09d4-b66c / 0
CIST RootPortId     :0.0
BPDU-Protection     :disabled
TC or TCN received  :1
TC count per hello  :1
STP Converge Mode   :Normal
Time since last TC received :0 days 5h:29m:6s
----[Port17(Ethernet0/0/1)][FORWARDING]----
Port Protocol       :enabled
Port Role           :Designated Port
Port Priority       :128
Port Cost(Dot1T )   :Config=auto / Active=200000000
Desg. Bridge/Port   :32768.000b-09d4-b66c / 128.82
Port Edged          :Config=disabled / Active=disabled
Point-to-point      :Config=auto / Active=true
Transit Limit       :51 packets/hello-time
Protection Type     :None
Port Stp Mode       :MSTP
Port Protocol Type  :Config=auto / Active= dot1s
BPDU Encapsulation  :Config=stp / Active=stp
PortTimes           :Hello 2s MaxAge 20s FwDly 15s RemHop 20
TC or TCN send      :0
TC or TCN received  :0
BPDU Sent           :7095
Run the display stp command on CE3 and CE4 to view the root in the MST region. You can find that a spanning tree is calculated between CE3 and CE4. Eth 0/0/1 of CE3 is a root port, and Eth 0/0/1 of CE4 is a designated port.
<CE3> display stp
-------[CIST Global Info][Mode MSTP]------
CIST Bridge         :32768.00e0-fc9f-3257
Bridge Times        :Hello 2s MaxAge 20s FwDly 15s MaxHop 20
CIST Root/ERPC      :32768.00e0-fc9a-4315 / 199999
CIST RegRoot/IRPC   :32768.00e0-fc9f-3257 / 0
CIST RootPortId     :128.82
BPDU-Protection     :disabled
TC or TCN received  :4
TC count per hello  :4
STP Converge Mode   :Normal
Time since last TC received :0 days 3h:57m:0s
----[Port17(Ethernet0/0/1)][FORWARDING]----
Port Protocol       :enabled
Port Role           :Root Port
Port Priority       :128
Port Cost(Dot1T )   :Config=auto / Active=200000000
Desg. Bridge/Port   :32768.00e0-fc9a-4315 / 128.82
Port Edged          :Config=disabled / Active=disabled
Point-to-point      :Config=auto / Active=true
Transit Limit       :51 packets/hello-time
Protection Type     :None
Port Stp Mode       :MSTP
Port Protocol Type  :Config=auto / Active= dot1s
BPDU Encapsulation  :Config=stp / Active=stp
PortTimes           :Hello 2s MaxAge 20s FwDly 15s RemHop 20
TC or TCN send      :0
TC or TCN received  :0
BPDU Sent           :238
         TCN: 0, Config: 0, RST: 0, MST: 238
BPDU Received       :9745
         TCN: 0, Config: 0, RST: 0, MST: 9745
<CE4> display stp
-------[CIST Global Info][Mode MSTP]------
CIST Bridge         :32768.00e0-fc9a-4315
Bridge Times        :Hello 2s MaxAge 20s FwDly 15s MaxHop 20
CIST Root/ERPC      :32768.00e0-fc9a-4315 / 0
CIST RegRoot/IRPC   :32768.00e0-fc9a-4315 / 0
CIST RootPortId     :0.0
BPDU-Protection     :disabled
TC or TCN received  :2
TC count per hello  :2
STP Converge Mode   :Normal
Time since last TC received :0 days 5h:33m:17s
----[Port17(Ethernet0/0/1)][FORWARDING]----
Port Protocol       :enabled
Port Role           :Designated Port
Port Priority       :128
Port Cost(Dot1T )   :Config=auto / Active=200000000
Desg. Bridge/Port   :32768.00e0-fc9a-4315 / 128.82
Port Edged          :Config=disabled / Active=disabled
Point-to-point      :Config=auto / Active=true
Transit Limit       :51 packets/hello-time
Protection Type     :None
Port Stp Mode       :MSTP
Port Protocol Type  :Config=auto / Active= dot1s
BPDU Encapsulation  :Config=stp / Active=stp
PortTimes           :Hello 2s MaxAge 20s FwDly 15s RemHop 20
TC or TCN send      :0
TC or TCN received  :0
BPDU Sent           :7171
----End
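Both configuration examples end the same way: read display stp on each CE pair and confirm that the two CEs agree on one root, that the root's Eth 0/0/1 is a designated port and the other CE's Eth 0/0/1 is a root port, and that BPDUs actually arrive through the tunnel. The following added example (not code from the Huawei guide or the S2700) turns that check into a parser over captured CLI output. SAMPLE_CE1 and SAMPLE_CE2 are constructed, abridged copies of the second example's CE1 and CE2 output (the CE2 BPDU Received counter is made up, because the page's copy is cut off); the function names are this example's own.

```python
"""Parse `display stp` output and verify the CE-pair topology the
examples expect (added example, not the guide's code)."""
import re

# Constructed from the second example's output above, abridged to the
# fields the check needs. CE2's "BPDU Received" value is invented.
SAMPLE_CE1 = """\
-------[CIST Global Info][Mode MSTP]------
CIST Bridge         :32768.000b-09f0-1b91
Bridge Times        :Hello 2s MaxAge 20s FwDly 15s MaxHop 20
CIST Root/ERPC      :32768.000b-09d4-b66c / 199999
CIST RegRoot/IRPC   :32768.000b-09f0-1b91 / 0
CIST RootPortId     :128.82
----[Port17(Ethernet0/0/1)][FORWARDING]----
Port Role           :Root Port
Port Cost(Dot1T )   :Config=auto / Active=200000000
Desg. Bridge/Port   :32768.000b-09d4-b66c / 128.82
BPDU Sent           :237
BPDU Received       :9607
"""

SAMPLE_CE2 = """\
-------[CIST Global Info][Mode MSTP]------
CIST Bridge         :32768.000b-09d4-b66c
CIST Root/ERPC      :32768.000b-09d4-b66c / 0
CIST RegRoot/IRPC   :32768.000b-09d4-b66c / 0
CIST RootPortId     :0.0
----[Port17(Ethernet0/0/1)][FORWARDING]----
Port Role           :Designated Port
Desg. Bridge/Port   :32768.000b-09d4-b66c / 128.82
BPDU Sent           :7095
BPDU Received       :240
"""

_PORT_HDR = re.compile(r"^-+\[Port\d+\((?P<iface>[^)]+)\)\]\s*\[(?P<state>[A-Z]+)\]")
_FIELD = re.compile(r"^(?P<key>[^:]+?)\s*:(?P<val>.*)$")


def parse_display_stp(text):
    """Return {"global": {field: value}, "ports": [{"interface", "state", field: value}]}."""
    parsed = {"global": {}, "ports": []}
    section = parsed["global"]
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        hdr = _PORT_HDR.match(line)
        if hdr:                              # a new per-port section starts
            section = {"interface": hdr.group("iface"), "state": hdr.group("state")}
            parsed["ports"].append(section)
            continue
        if line.startswith("-"):             # the [CIST Global Info] banner
            continue
        fld = _FIELD.match(line)
        if fld:
            section[fld.group("key").strip()] = fld.group("val").strip()
    return parsed


def root_bridge_id(parsed):
    """CIST root bridge ID without the external root path cost."""
    return parsed["global"]["CIST Root/ERPC"].split("/")[0].strip()


def is_root_bridge(parsed):
    return parsed["global"]["CIST Bridge"] == root_bridge_id(parsed)


def port_section(parsed, iface):
    return next((p for p in parsed["ports"] if p["interface"] == iface), None)


def check_ce_pair(text_a, text_b, iface="Ethernet0/0/1"):
    """Problems on a CE pair that should see each other through the tunnel;
    an empty list means the topology matches what the examples describe."""
    a, b = parse_display_stp(text_a), parse_display_stp(text_b)
    problems = []
    if root_bridge_id(a) != root_bridge_id(b):
        problems.append("CEs disagree on the CIST root: BPDUs are not crossing the tunnel")
    roots = sum(1 for p in (a, b) if is_root_bridge(p))
    if roots != 1:
        problems.append(f"expected exactly one root bridge, found {roots}")
    for p in (a, b):
        name = p["global"]["CIST Bridge"]
        port = port_section(p, iface)
        if port is None:
            problems.append(f"{name}: no {iface} section in output")
            continue
        expected = "Designated Port" if is_root_bridge(p) else "Root Port"
        if port.get("Port Role") != expected:
            problems.append(f"{name}: {iface} is {port.get('Port Role')}, expected {expected}")
        if int(port.get("BPDU Received", "0")) == 0:
            problems.append(f"{name}: no BPDUs received on {iface}")
    return problems


if __name__ == "__main__":
    print(check_ce_pair(SAMPLE_CE1, SAMPLE_CE2) or "CE1/CE2 spanning tree is as expected")
```

A zero BPDU Received counter on the CE is the quickest sign that the PE is dropping or mis-replacing the tunnelled BPDUs; the disagreement on the root is what you see when each CE has elected itself root because the two sides never hear each other.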
Configuration Files
l
Configuration file of P
#
sysname P
#
vlan batch 100 200
#
interface Ethernet0/0/1
port hybrid tagged vlan 100 200
#
interface Ethernet0/0/2
port hybrid tagged vlan 100 200
#
return
11
Applicable Environment
Figure 11-1 and Figure 11-2 show the application of loopback detection.
A loopback occurs on an interface usually because optical fibers are connected incorrectly, the
optical modem fails, or the interface is damaged by high voltage. As shown in Figure 11-1, a
cable is incorrectly connected on the device connected to the Switch. As a result, packets sent
from an interface of the Switch are sent back to the interface. This may cause traffic forwarding
errors or MAC address flapping on the same interface.
Figure 11-1 Loopback detection application 1
(Diagram not reproduced: the TX and RX of a Switch interface are looped back to each other.)
As shown in Figure 11-2, loops may occur on the network connected to a Switch interface. When a loop occurs, packets sent from the interface are sent back to this interface.
Figure 11-2 Loopback detection application 2
(Diagram not reproduced: a loop on the network connected to a Switch interface.)
You can configure loopback detection on the interface in the preceding scenarios. When a
loopback is detected on the interface, the Switch performs certain actions, for example, blocks
the interface. Only users connected to this interface are affected, and other users can still
communicate. When the Switch detects that the loopback has been removed, it recovers
communication on the interface.
NOTE
l Loopback detection cannot prevent loops on the entire network. It only detects loops on a single node.
l A large number of packets are sent during loopback detection, occupying CPU resources; therefore,
disable loopback detection if it is not required.
Pre-configuration Tasks
Before configuring loopback detection, complete the following task:
l Connecting interfaces and setting physical parameters for the interfaces to ensure that the physical layer status of the interfaces is Up
Data Preparation
To configure loopback detection, you need the following data.
No.   Data
      Interface number
Context
You can enable loopback detection on all interfaces at one time in the system view or enable it
on a single interface in the interface view.
Procedure
l
Run:
system-view
Run:
loopback-detect enable
You can use this method to simplify configuration when most interfaces need to perform
loopback detection.
Run:
system-view
Run:
interface interface-type interface-number
Run:
loopback-detect enable
----End
Context
By default, the system sends untagged detection packets after loopback detection is enabled on an interface. If the interface has been added to a VLAN in tagged mode, the untagged detection packets are discarded on the link, and the interface cannot receive loopback packets. To solve the problem, you can configure the VLAN ID for detection packets.
After VLAN IDs are specified, the interface sends an untagged detection packet and multiple
detection packets with the specified VLAN tags. Each interface can send detection packets with
a maximum of eight VLAN IDs.
NOTE
The S2700SI does not support VLAN IDs in loopback detection packets.
Procedure
Step 1 Run:
system-view
Before running the loopback-detect packet vlan vlan-id command, ensure that:
l The specified VLAN exists.
l The interface has been added to the specified VLAN in tagged mode.
----End
Context
After loopback detection is enabled on an interface, the interface periodically sends detection
packets and checks whether loopback packets are received. You can configure the Switch to
take an action to minimize impact on the system and the entire network when a loopback is
detected.
Procedure
Step 1 Run:
system-view
The action that will be performed after a loopback is detected on the interface is configured.
The default action is block.
When a loopback is detected on an interface, the system performs any of the following actions:
l block: blocks the interface. After the interface is blocked, it is isolated from other interfaces
and does not forward received data packets to other interfaces.
l nolearn: disables MAC address learning on the interface. When a loopback is detected on
the interface, the interface stops learning MAC addresses.
l shutdown: shuts down the interface.
l trap: only sends a trap.
NOTE
It is recommended that you set the action to shutdown on an S2700SI to prevent high CPU usage caused
by loopback packets.
----End
Procedure
Step 1 Run:
system-view
The default recovery time is three times the loopback detection interval.
NOTE
l It is recommended that the recovery time be at least three times the interval for sending loopback
detection packets. If the interval for sending loopback detection packets is very short, set the recovery
time to be at least 10 seconds longer than the interval.
l An interface cannot recover automatically after it is shut down. You must manually recover the interface
by using the undo shutdown command.
----End
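The two procedures above (the action taken when a loopback is detected, and the recovery time after which the interface is restored) are easier to reason about as a state machine. The following is an added example, not code from the Huawei guide or the switch: it simulates one interface that sends a detection probe every `interval` seconds, treats only its own probe coming back as a loopback, applies the configured action (block, nolearn, shutdown or trap) and recovers when no loop packet has been seen for `recovery_time` seconds. The default recovery time of three times the interval, the recovery-time recommendations from the NOTE, and the rule that a shut-down interface needs `undo shutdown` come from the page; the class, the probe format and the event names are this example's own.

```python
"""State-machine model of loopback detection, action and recovery
(added example, not the guide's code)."""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

ACTIONS = ("block", "nolearn", "shutdown", "trap")


def recovery_time_advice(interval: int, recovery_time: Optional[int] = None) -> List[str]:
    """Warnings derived from the NOTE above; None means the default of 3 x interval."""
    if recovery_time is None:
        recovery_time = 3 * interval
    advice = []
    if recovery_time < 3 * interval:
        advice.append(f"recovery time {recovery_time}s is below three times the interval ({3 * interval}s)")
    if recovery_time < interval + 10:
        advice.append(f"recovery time {recovery_time}s is less than 10s longer than the interval ({interval}s)")
    return advice


@dataclass
class LoopbackDetector:
    device: str
    interface: str
    action: str = "block"
    interval: int = 10
    recovery_time: Optional[int] = None     # None -> 3 x interval (the default)
    state: str = "normal"                   # normal | block | nolearn | shutdown | trap
    last_loop_seen: Optional[int] = None
    events: List[Tuple[int, str]] = field(default_factory=list)

    def __post_init__(self):
        if self.action not in ACTIONS:
            raise ValueError(f"unknown action {self.action!r}")
        if self.recovery_time is None:
            self.recovery_time = 3 * self.interval

    def probe(self, now: int) -> dict:
        """Detection packet; it names the sender so a returned copy can be recognised."""
        return {"src": self.device, "ifname": self.interface, "sent": now}

    def receive(self, pkt: dict, now: int) -> bool:
        """Handle an arriving packet; True if it is this interface's own probe (a loop)."""
        if pkt.get("src") != self.device or pkt.get("ifname") != self.interface:
            return False                    # another device's probe is not a loop here
        self.last_loop_seen = now
        if self.state == "normal":
            self.state = self.action        # "trap" only reports; forwarding is unchanged
            self.events.append((now, "detected"))
        return True

    def tick(self, now: int) -> None:
        """Periodic check: recover once no loop packet has arrived for recovery_time."""
        if (self.state in ("block", "nolearn", "trap") and self.last_loop_seen is not None
                and now - self.last_loop_seen >= self.recovery_time):
            self.state, self.last_loop_seen = "normal", None
            self.events.append((now, "recovered"))
        # a shut-down interface is never recovered automatically

    def undo_shutdown(self, now: int) -> None:
        """The manual recovery the NOTE requires after the shutdown action."""
        if self.state == "shutdown":
            self.state, self.last_loop_seen = "normal", None
            self.events.append((now, "recovered by undo shutdown"))

    def forwards(self) -> bool:
        return self.state in ("normal", "nolearn", "trap")

    def learns_macs(self) -> bool:
        return self.state in ("normal", "trap")


def simulate(action: str, loop_until: int, horizon: int, interval: int = 10) -> LoopbackDetector:
    """Run one interface whose link loops its probes back until `loop_until` seconds."""
    det = LoopbackDetector("Switch", "Ethernet0/0/1", action=action, interval=interval)
    for now in range(0, horizon, interval):
        pkt = det.probe(now)
        if now < loop_until:                # the miswired cable returns the probe
            det.receive(pkt, now)
        det.tick(now)
    return det


if __name__ == "__main__":
    for act in ACTIONS:
        d = simulate(act, loop_until=25, horizon=100)
        print(act, d.state, d.events)
```

With the defaults (interval 10 s, recovery 30 s) and a loop that disappears at 25 s, the last looped probe is seen at 20 s and the interface recovers at 50 s; with `shutdown` it stays down until `undo_shutdown` is called, which is exactly why the NOTE recommends that action on an S2700SI where the CPU, not the interface, is the resource to protect.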
Procedure
Step 1 Run:
system-view
Run the display loopback-detect command to check the loopback detection configuration
and status of loopback detection enabled interfaces.
----End
Networking Requirements
As shown in Figure 11-3, if there is a loop on the network connected to Eth 0/0/1, broadcast
storms will occur on the Switch or even the entire network. To detect loops on the network
quickly, you can enable loopback detection on this interface.
Figure 11-3 Loopback detection network diagram
(Diagram not reproduced: a network with a loop is connected to Eth0/0/1 of the Switch.)
Configuration Roadmap
The configuration roadmap is as follows:
1.
2.
3.
Data Preparation
To complete the configuration, you need the following data:
l
Procedure
Step 1 Enable loopback detection on the interface.
<Quidway> system-view
[Quidway] interface ethernet 0/0/1
[Quidway-Ethernet0/0/1] loopback-detect enable
[Quidway-Ethernet0/0/1] quit
Configuration Files
Configuration file of the Switch
#
sysname Quidway
#
vlan batch 100
#
loopback-detect packet-interval 10
#
interface Ethernet0/0/1
port hybrid tagged vlan 100
loopback-detect enable
loopback-detect recovery-time 30
loopback-detect packet vlan 100
#
return