S1720&S2700&S3700&S5700&S6700&S7700&S9700 Series Switches
Common Operation Guide
Issue 05
Date 2015-10-23
Notice
The purchased products, services and features are stipulated by the contract made between Huawei and the
customer. All or part of the products, services and features described in this document may not be within the
purchase scope or the usage scope. Unless otherwise specified in the contract, all statements, information,
and recommendations in this document are provided "AS IS" without warranties, guarantees or
representations of any kind, either express or implied.
The information in this document is subject to change without notice. Every effort has been made in the
preparation of this document to ensure accuracy of the contents, but all statements, information, and
recommendations in this document do not constitute a warranty of any kind, express or implied.
Website: http://e.huawei.com
Issue 05 (2015-10-23)
S1720&S2700&S3700&S5700&S6700&S7700&S9700
Series Switches
Common Operation Guide
Intended Audience
This document is intended for:
- Commissioning engineers
Symbol Conventions
The symbols that may be found in this document are defined as follows.

Symbol   | Description
DANGER   | Indicates an imminently hazardous situation which, if not avoided, will result in death or serious injury.
WARNING  | Indicates a potentially hazardous situation which, if not avoided, could result in death or serious injury.
CAUTION  | Indicates a potentially hazardous situation which, if not avoided, may result in minor or moderate injury.
NOTICE   | Indicates a potentially hazardous situation which, if not avoided, could result in equipment damage, data loss, performance deterioration, or unanticipated results. NOTICE is used to address practices not related to personal injury.
NOTE     | Calls attention to important information, best practices and tips.
Command Conventions
The command conventions that may be found in this document are defined as follows.

Convention        | Description
Boldface          | The keywords of a command line are in boldface.
Italic            | Command arguments are in italics.
[ ]               | Items (keywords or arguments) in brackets [ ] are optional.
{ x | y | ... }   | Optional items are grouped in braces and separated by vertical bars. One item is selected.
[ x | y | ... ]   | Optional items are grouped in brackets and separated by vertical bars. One item is selected or no item is selected.
{ x | y | ... }*  | Optional items are grouped in braces and separated by vertical bars. A minimum of one item or a maximum of all items can be selected.
[ x | y | ... ]*  | Optional items are grouped in brackets and separated by vertical bars. Several items or no item can be selected.
&<1-n>            | The parameter before the & sign can be repeated 1 to n times.
Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.

Security Conventions
- Password setting
  When you configure a password in plain text that starts and ends with %^%#, %#%#, %@%@ or @%@% (the password can be decrypted by the device), the password is displayed in the same manner as the configured one in the configuration file. Do not use this setting.
  When you configure a password in cipher text, different features cannot use the same cipher-text password. For example, the cipher-text password set for the AAA feature cannot be used for other features.
- Encryption algorithm
  Currently, the device uses the following encryption algorithms: 3DES, AES, RSA, SHA1, SHA2, and MD5. 3DES, RSA and AES are reversible, while SHA1, SHA2, and MD5 are irreversible. The algorithms DES/3DES/RSA (RSA-1024 or lower)/MD5 (in digital signature scenarios and password encryption)/SHA1 (in digital signature scenarios) offer low security and may bring security risks. If the protocols allow it, using more secure algorithms such as AES/RSA (RSA-2048 or higher)/SHA2/HMAC-SHA2 is recommended. The algorithm used depends on the actual networking. An irreversible algorithm must be used for the administrator password; SHA2 is recommended.
- Personal data
  Some personal data may be obtained or used during operation or fault location of your purchased products, services, and features, so you have an obligation to make privacy policies and take measures according to the applicable law of the country to protect personal data.
  The terms mirrored port, port mirroring, traffic mirroring, and mirroring in this manual are mentioned only to describe the product's function of communication error or failure detection, and do not involve collection or processing of any personal information or communication data of users.
Declaration
This manual is only a reference for you to configure your devices. The contents in the manual, such as web pages, command line syntax, and command outputs, are based on the device conditions in the lab. The manual provides instructions for general scenarios, but does not cover all usage scenarios of all product models. The contents in the manual may differ from your actual device situation due to differences in software versions, models, and configuration files. The manual does not list every possible difference. You should configure your devices according to the actual situation.
The specifications provided in this manual are tested in a lab environment (for example, the tested device has been installed with a certain type of boards or only one protocol is run on the device). Results may differ from the listed specifications when you attempt to obtain the maximum values with multiple functions enabled on the device.
Change History
Updates between document issues are cumulative. Therefore, the latest document issue
contains all updates made in previous issues.
Contents
About This Document  ii
1 Use the Quick Search Tool  1
2 Common System Operations  2
2.1 Handling Loss of the Password for Console Port Login  3
2.2 Handling Loss of the Password for Telnet Login  4
2.3 Handling Loss of the Password for Web Login  5
2.4 Handling BootROM Password Loss  5
2.5 Deleting the Device Configuration  6
2.6 Configuring a Local Telnet User  6
2.7 Setting a User Level  7
2.8 Setting Screen Display  7
2.9 Using Basic ACL Rules to Control User Login  7
2.10 Backing Up the Configuration File  8
2.11 Restoring the Configuration File  9
2.12 Logging In to a Device Through STelnet  11
2.1 Handling Loss of the Password for Console Port Login
NOTICE
Telnet may bring security risks. You are advised to log in to the switch through STelnet V2.
Ensure that you have an STelnet/Telnet account and administrator rights. The following uses the command lines and outputs of logging in to the device using STelnet as an example. After logging in to the switch through STelnet, perform the following configuration.
# Take password authentication as an example. Set the password to Huawei@123.
<HUAWEI> system-view
[HUAWEI] user-interface console 0
[HUAWEI-ui-console0] authentication-mode password
[HUAWEI-ui-console0] set authentication password cipher Huawei@123
[HUAWEI-ui-console0] return
<HUAWEI> save
# Take AAA authentication as an example. Set the user name and password to admin123 and
Huawei@123 respectively.
<HUAWEI> system-view
[HUAWEI] user-interface console 0
[HUAWEI-ui-console0] authentication-mode aaa
[HUAWEI-ui-console0] quit
[HUAWEI] aaa
[HUAWEI-aaa] local-user admin123 password irreversible-cipher Huawei@123
[HUAWEI-aaa] local-user admin123 service-type terminal
[HUAWEI-aaa] return
<HUAWEI> save
If the switch has two MPUs, remove the standby MPU before performing the following operations.
After performing the following operations, install the standby MPU and run the save command to ensure
the consistent configuration on the active and standby MPUs.
You can use the BootROM menu of the switch to clear the lost password for console port
login. After starting the switch, set a new password and save your configuration. Perform the
following steps.
1. Connect the terminal to the console port of the switch and restart the switch. When the following message is displayed, press Ctrl+B immediately and enter the BootROM password to enter the BootROM menu.
   Information displayed on modular switches:
   Press Ctrl+B to enter boot menu ...
   Password:
   NOTE
   - Some models of fixed switches allow you to enter the BootROM menu by pressing Ctrl+E. Perform operations as prompted on the screen.
   - The default BootROM password of fixed switches is huawei in versions earlier than V100R006C03 and Admin@huawei.com in V100R006C03 and later.
   - The default BootROM password of modular switches is 9300 in V100R006 and earlier versions, and Admin@huawei.com in versions after V100R006.
2. Select Clear password for console user on the BootROM menu to clear the password for console port login.
3. Select Boot with default mode on the BootROM menu to start the switch as prompted.
4. After the switch is started, log in through the console port. Authentication is not required when you log in. Set a password as prompted after login.
5. You can set an authentication mode and password for the console user interface according to service requirements. The configuration is similar to that of Logging In to the Switch Through STelnet or Telnet to Set a New Password, and is not provided here.
2.2 Handling Loss of the Password for Telnet Login
The following uses the command lines of the S7700 in V200R006C00 as an example.
1. Connect the DB9 female connector of the console cable to the COM port on the PC, and connect the RJ45 connector to the console port on the device.
2. Start the terminal emulation software on the PC. Create a connection, select the connected port, and set communication parameters.
   Data bits : 8
   Stop bits : 1
   Parity : None
3. Click Connect. Enter or configure the login password as prompted to log in to the switch.
# Take password authentication for VTY0 login as an example. Set the password to Huawei@123.
<HUAWEI> system-view
[HUAWEI] user-interface vty 0
[HUAWEI-ui-vty0] protocol inbound telnet //By default, switches in V200R006 and earlier versions support Telnet, and switches in V200R007 and later versions support SSH.
[HUAWEI-ui-vty0]
[HUAWEI-ui-vty0]
[HUAWEI-ui-vty0]
[HUAWEI-ui-vty0]
<HUAWEI> save
# Take AAA authentication for VTY0 login as an example. Set the user name and password to
admin123 and Huawei@123 respectively.
<HUAWEI> system-view
[HUAWEI] user-interface vty 0
[HUAWEI-ui-vty0] protocol inbound telnet //By default, switches in V200R006 and earlier versions support Telnet, and switches in V200R007 and later versions support SSH.
[HUAWEI-ui-vty0] authentication-mode aaa
[HUAWEI-ui-vty0] quit
[HUAWEI] aaa
[HUAWEI-aaa] local-user admin123 password irreversible-cipher Huawei@123
[HUAWEI-aaa] local-user admin123 service-type telnet
[HUAWEI-aaa] local-user admin123 privilege level 15
[HUAWEI-aaa] return
<HUAWEI> save
2.3 Handling Loss of the Password for Web Login
NOTICE
Telnet may bring security risks. You are advised to log in to the switch through the console port or STelnet.
# Set the user name and password to admin123 and Huawei@123 respectively.
<HUAWEI> system-view
[HUAWEI] aaa
[HUAWEI-aaa] local-user admin123 password irreversible-cipher Huawei@123
[HUAWEI-aaa] local-user admin123 service-type http
[HUAWEI-aaa] local-user admin123 privilege level 15
[HUAWEI-aaa] return
<HUAWEI> save
2.4 Handling BootROM Password Loss
- The default BootROM password of fixed switches is huawei in versions earlier than V100R006C03 and Admin@huawei.com in V100R006C03 and later.
- The default BootROM password of modular switches is 9300 in V100R006 and earlier versions, and Admin@huawei.com in versions after V100R006.
2.5 Deleting the Device Configuration
NOTICE
Exercise caution and follow the instructions of the technical support personnel when you run this command.
<HUAWEI> reset saved-configuration
Warning: The action will delete the saved configuration in the device.
The configuration will be erased to reconfigure. Continue? [Y/N]:y
Warning: Now clearing the configuration in the device.
Info: Succeeded in clearing the configuration in the device.
<HUAWEI> reboot
Info: The system is now comparing the configuration, please wait.
Warning: The configuration has been modified, and it will be saved to the next
startup saved-configuration file flash:/vrpcfg.zip. Continue? [Y/N]:n //Select "N" here.
Info: If want to reboot with saving diagnostic information, input 'N' and then
execute 'reboot save diagnostic-information'.
System will reboot! Continue?[Y/N]:y
The command outputs on your device may be different from those provided in this example.
2.6 Configuring a Local Telnet User
The following uses the command lines of the S7700 in V200R006C00 as an example.
<HUAWEI> system-view
[HUAWEI] user-interface vty 0
[HUAWEI-ui-vty0] protocol inbound telnet //By default, switches in V200R006 and earlier versions support Telnet, and switches in V200R007 and later versions support SSH.
[HUAWEI-ui-vty0] authentication-mode aaa
[HUAWEI-ui-vty0] quit
[HUAWEI] aaa
[HUAWEI-aaa] local-user admin123 password irreversible-cipher Huawei@123
[HUAWEI-aaa] local-user admin123 service-type telnet
[HUAWEI-aaa] local-user admin123 privilege level 15
[HUAWEI-aaa] return
<HUAWEI> save
2.7 Setting a User Level
When AAA authentication is used, use the following methods (in descending order of priority) to set a user level. Take the VTY user interface as an example.
- Set a user level for all users that log in through a specified user interface.
<HUAWEI> system-view
[HUAWEI] user-interface maximum-vty 15 //Set the maximum number of VTY user interfaces to 15.
[HUAWEI] user-interface vty 0 14 //Enter the VTY user interfaces VTY 0 to VTY 14.
[HUAWEI-ui-vty0-14] user privilege level 15 //Set the user level to 15 for the VTY user interfaces VTY 0 to VTY 14.
2.9 Using Basic ACL Rules to Control User Login
NOTE
The Telnet protocol will bring risks to network security. The STelnet V2 mode is recommended.
The following operation assumes that the user logs in to the device using Telnet or STelnet.
# Configure rules in ACL 2005 to allow only the user at 192.168.1.5 and users on network segment 10.10.5.0/24 to log in to the VTY interfaces 0 to 4.
<HUAWEI> system-view
[HUAWEI] acl 2005
[HUAWEI-acl-basic-2005] rule permit source 192.168.1.5 0 //Allow only the user at 192.168.1.5 to log in to the device.
[HUAWEI-acl-basic-2005] rule permit source 10.10.5.0 0.0.0.255 //Allow only users on the network segment 10.10.5.0/24 to log in to the device.
[HUAWEI-acl-basic-2005] quit
[HUAWEI] user-interface vty 0 4
[HUAWEI-ui-vty0-4] acl 2005 inbound
[HUAWEI-ui-vty0-4] quit
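To see how the two rules in ACL 2005 decide which source addresses may log in, the following added Python example (not from the guide) parses rules in the form shown above, applies the wildcard-mask match, and also flags a common mistake: writing a subnet mask where a wildcard is expected. It assumes rules are evaluated in configuration order and that a source matching no rule is denied.

```python
"""Evaluate a Huawei-style basic ACL, such as ACL 2005 above, against source
addresses. Added example, not part of the guide.
"""
import ipaddress
import re
from typing import List, NamedTuple


class Rule(NamedTuple):
    action: str     # "permit" or "deny"
    address: int    # source address as a 32-bit integer
    wildcard: int   # wildcard mask; a 1 bit means "do not care"


# Constructed sample: the two rules from ACL 2005, in configuration order.
ACL_2005 = """\
rule permit source 192.168.1.5 0
rule permit source 10.10.5.0 0.0.0.255
"""

# The host wildcard is written as the bare digit 0 (first rule above), so the
# wildcard field may be either a dotted quad or a single integer.
RULE_RE = re.compile(
    r"^rule\s+(?:\d+\s+)?(?P<action>permit|deny)\s+source\s+"
    r"(?P<addr>\d+(?:\.\d+){3})\s+(?P<wild>\d+(?:\.\d+){3}|\d+)\s*$"
)


def _to_int(field: str) -> int:
    return int(field) if "." not in field else int(ipaddress.IPv4Address(field))


def parse_acl(text: str) -> List[Rule]:
    """Parse 'rule [id] permit|deny source <addr> <wildcard>' lines."""
    rules: List[Rule] = []
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if m:
            rules.append(Rule(m["action"], _to_int(m["addr"]), _to_int(m["wild"])))
    return rules


def rule_matches(rule: Rule, source_ip: str) -> bool:
    """A rule matches when the source agrees with rule.address on every bit
    where the wildcard is 0; bits where the wildcard is 1 are ignored."""
    care = 0xFFFFFFFF ^ rule.wildcard
    return (int(ipaddress.IPv4Address(source_ip)) & care) == (rule.address & care)


def evaluate(rules: List[Rule], source_ip: str) -> str:
    """First matching rule wins (configuration order). A login source that
    matches no rule is refused by the VTY ACL, so the default is 'deny'."""
    for rule in rules:
        if rule_matches(rule, source_ip):
            return rule.action
    return "deny"


def permitted_host_count(rule: Rule) -> int:
    """Number of addresses a rule covers: one per combination of 'do not care' bits."""
    return 1 << bin(rule.wildcard).count("1")


def wildcard_looks_like_netmask(rule: Rule) -> bool:
    """Flag a wildcard that is really a subnet mask (leading 1 bits, trailing 0s).
    'rule permit source 10.10.5.0 255.255.255.0' would ignore the network part
    and match every address ending in .0, the opposite of what was intended."""
    w = rule.wildcard
    if w in (0, 0xFFFFFFFF):
        return False
    inverted = 0xFFFFFFFF ^ w
    # inverted netmask == 2**n - 1, i.e. a contiguous run of trailing 1 bits
    return (w & 0x80000000) != 0 and (inverted & (inverted + 1)) == 0


if __name__ == "__main__":
    acl = parse_acl(ACL_2005)
    for ip in ("192.168.1.5", "192.168.1.6", "10.10.5.77", "10.10.6.1"):
        print(f"{ip:>14} -> {evaluate(acl, ip)}")
    for r in acl:
        print(f"rule covers {permitted_host_count(r)} host(s); "
              f"netmask mistake: {wildcard_looks_like_netmask(r)}")
```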
2.10 Backing Up the Configuration File
- When the device serves as an FTP server and the PC serves as an FTP client:
# Configure the FTP function for the device and information about an FTP user.
<HUAWEI> system-view
[HUAWEI] ftp server enable
[HUAWEI] aaa
[HUAWEI-aaa] local-user admin1234
[HUAWEI-aaa] local-user admin1234
[HUAWEI-aaa] local-user admin1234
[HUAWEI-aaa] local-user admin1234
[HUAWEI-aaa] quit
[HUAWEI] quit
# Connect the PC to the device using FTP. Enter the user name admin1234 and password Helloworld@6789 and set the file transfer mode to binary.
The following example assumes that the PC runs the Windows XP operating system.
C:\Documents and Settings\Administrator> ftp 10.136.23.5
Connected to 10.136.23.5.
220 FTP service ready.
User (10.136.23.5:(none)): admin1234
331 Password required for admin1234.
Password:
230 User logged in.
ftp> binary
200 Type set to I.
ftp>
- When the PC serves as an FTP server and the device serves as an FTP client:
NOTE
- After the configuration file is transferred to the PC, check whether the size of the configuration file on the PC is the same as that on the device. If not, an exception may have occurred during file backup. Back up the configuration file again.
- To transfer the configuration file in a simpler way, configure the PC as the TFTP server and the device as the TFTP client. The configuration procedure is similar to the procedure when the PC serves as an FTP server and the device serves as an FTP client, except that no user name and password are required for configuring the TFTP server. You only need to run the tftp 10.110.24.254 put config.cfg command on the device.
- TFTP has no authentication or authorization mechanism, whereas FTP has both. TFTP and FTP both transfer data in plaintext, which brings security risks, so use them only on networks whose security is well controlled. If you have high network security requirements, SFTP V2, SCP, or FTPS is recommended.
2.11 Restoring the Configuration File
- When the device serves as an FTP server and the PC serves as an FTP client:
# Configure the FTP function for the device and information about an FTP user.
<HUAWEI> system-view
[HUAWEI] ftp server enable
[HUAWEI] aaa
[HUAWEI-aaa] local-user admin1234 password irreversible-cipher Helloworld@6789
[HUAWEI-aaa] local-user admin1234 privilege level 15
[HUAWEI-aaa] local-user admin1234 service-type ftp
# Connect the PC to the device using FTP. Enter the user name admin1234 and
password Helloworld@6789 and set the file transfer mode to binary.
The following example assumes that the PC runs the Windows XP operating
system.
C:\Documents and Settings\Administrator> ftp 10.136.23.5
Connected to 10.136.23.5.
220 FTP service ready.
User (10.136.23.5:(none)): admin1234
331 Password required for admin1234.
Password:
230 User logged in.
ftp> binary
200 Type set to I.
ftp>
- When the PC serves as an FTP server and the device serves as an FTP client:
# Start the FTP server program.
Start the FTP server program on the PC. Specify the FTP working directory where
the configuration file is saved, and the IP address, port number, user name, and
password of the FTP server.
# Log in to the FTP server.
<HUAWEI> ftp 10.110.24.254
Trying 10.110.24.254 ...
Press CTRL+K to abort
Connected to 10.110.24.254.
220 WFTPD 2.0 service (by Texas Imperial Software) ready for new user
WFTPD is the local FTP server program.
User(10.135.86.164:(none)):admin123
//Enter the user name.
331 Give me your password, please
Enter password:
//Enter the password.
230 Logged in successfully
[ftp]
NOTE
- After the configuration file is transferred to the device, check whether the size of the configuration file on the PC is the same as that on the device. If not, an exception may have occurred during file transfer. Transfer the file again.
- To transfer the configuration file in a simpler way, configure the PC as the TFTP server and the device as the TFTP client. The configuration procedure is similar to the procedure when the PC serves as an FTP server and the device serves as an FTP client. The only difference is that no user name and password are required for configuring the TFTP server. You only need to run the tftp 10.110.24.254 get config.cfg command on the device.
- TFTP has no authentication or authorization mechanism, whereas FTP has both. TFTP and FTP both transfer data in plaintext, which brings security risks, so use them only on networks whose security is well controlled. If you have high network security requirements, SFTP V2, SCP, or FTPS is recommended.
2.12 Logging In to a Device Through STelnet
NOTICE
If the protocol supported by VTY user interfaces 0 to 4 is changed from Telnet to SSH, users cannot log in to the device using Telnet after logout. In this case, configure VTY user interfaces 0 to 4 to support all protocols first. Configure STelnet and then run the protocol inbound ssh command to configure VTY user interfaces 0 to 4 to support SSH.
# Create an SSH user named admin123 and configure the password authentication mode
for the user.
[HUAWEI] aaa
[HUAWEI-aaa]
[HUAWEI-aaa]
[HUAWEI-aaa]
[HUAWEI-aaa]
[HUAWEI] ssh
# Log in to the device using the third-party software (such as PuTTY). Enter the device IP
address, select SSH, and enter the user name and password to log in to the device through
STelnet.
To verify the STelnet login, run the ssh client first-time enable and stelnet 127.0.0.1
commands in system view to log in to the device. If the login page is displayed, the
configuration succeeds. If the login page is not displayed, the configuration fails.
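Because the preceding sections repeatedly advise against Telnet, reversible local-user passwords and plaintext FTP, an administrator will want to check a switch's saved configuration for exactly those settings. The following added Python script (not part of this guide) parses the block layout of display current-configuration output, where a non-indented line opens a block, one-space-indented lines belong to it and '#' closes it, and reports findings on a constructed sample configuration; the ciphertext values in the sample are placeholders.

```python
"""Audit a Huawei VRP configuration for the remote-login weaknesses this guide
warns about. Added example, not part of the guide.
"""
import re
from collections import Counter
from typing import Dict, List, NamedTuple, Optional, Tuple


class Finding(NamedTuple):
    block: str    # configuration block the finding belongs to
    check: str    # short identifier of the check
    detail: str   # what was found and what the guide recommends instead


# Constructed sample in the layout of 'display current-configuration' output.
# CIPHERTEXT_PLACEHOLDER stands in for the device's encrypted password strings.
SAMPLE_CONFIG = """\
#
ftp server enable
#
aaa
 local-user admin123 password irreversible-cipher CIPHERTEXT_PLACEHOLDER
 local-user admin123 privilege level 15
 local-user admin123 service-type telnet http
 local-user backup1 password cipher CIPHERTEXT_PLACEHOLDER
 local-user backup1 service-type ftp
#
user-interface con 0
 authentication-mode password
 set authentication password cipher CIPHERTEXT_PLACEHOLDER
#
user-interface vty 0 4
 acl 2005 inbound
 authentication-mode aaa
 protocol inbound telnet
#
user-interface vty 5 14
 authentication-mode aaa
 protocol inbound all
#
"""

# Services the guide describes as transferring credentials or data in plaintext.
PLAINTEXT_SERVICES = {"telnet", "http", "ftp"}


def parse_blocks(config: str) -> List[Tuple[str, List[str]]]:
    """Split the configuration into (header, body) blocks."""
    blocks: List[Tuple[str, List[str]]] = []
    header: Optional[str] = None
    body: List[str] = []
    for raw in config.splitlines():
        if raw.startswith(" "):
            body.append(raw.strip())       # indented line: setting inside the block
            continue
        if header is not None:
            blocks.append((header, body))  # a '#' or new top-level line closes the block
        header = None if raw.startswith("#") or not raw.strip() else raw.strip()
        body = []
    if header is not None:
        blocks.append((header, body))
    return blocks


def audit(config: str) -> List[Finding]:
    findings: List[Finding] = []
    for header, body in parse_blocks(config):
        if header == "ftp server enable":
            findings.append(Finding(header, "ftp-plaintext",
                "FTP carries credentials and files in plaintext; prefer SFTP V2, SCP or FTPS"))
        elif header == "aaa":
            for line in body:
                m = re.match(r"local-user (\S+) password cipher ", line)
                if m:  # 'cipher' is reversible; the guide requires irreversible-cipher
                    findings.append(Finding(header, "reversible-password",
                        f"local-user {m.group(1)} uses reversible 'password cipher'; use irreversible-cipher"))
                m = re.match(r"local-user (\S+) service-type (.+)", line)
                if m:
                    weak = sorted(PLAINTEXT_SERVICES & set(m.group(2).split()))
                    if weak:
                        findings.append(Finding(header, "plaintext-service",
                            f"local-user {m.group(1)} may log in over plaintext service(s): {', '.join(weak)}"))
        elif header.startswith("user-interface vty"):
            protocols = {l.split()[2] for l in body if l.startswith("protocol inbound ")}
            if protocols & {"telnet", "all"}:
                findings.append(Finding(header, "telnet-allowed",
                    "VTY accepts Telnet ('protocol inbound telnet' or 'all'); use 'protocol inbound ssh' with STelnet V2"))
            if not any(l.startswith("acl ") for l in body):
                findings.append(Finding(header, "no-login-acl",
                    "no 'acl <number> inbound' restricts which source addresses may log in"))
    return findings


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count findings per check, for a quick overview."""
    return dict(Counter(f.check for f in findings))


if __name__ == "__main__":
    for f in audit(SAMPLE_CONFIG):
        print(f"[{f.check}] {f.block}: {f.detail}")
```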
# To set the lower temperature alarm threshold to 20°C and the upper temperature alarm threshold to 45°C on a device with slot ID 0, run the following commands:
<HUAWEI> system-view
[HUAWEI] temperature threshold slot 0 lower-limit 20 upper-limit 45
# To reduce the temperature thresholds for adjusting the fan speed by 10°C, run the following commands:
<HUAWEI> system-view
[HUAWEI] set fan speed-adjust threshold minus 10
Info: Succeeded in setting the fan speed-adjust threshold.
Configure local observing ports in a batch, which directly connect to monitoring devices.
<HUAWEI> system-view
[HUAWEI] observe-port 1 interface-range gigabitethernet 1/0/1 to gigabitethernet 1/0/3
Related Content
Support Community
- Mirroring an Effective Network Monitoring Tool (Working Mechanism and Configuration)
- Mirroring an Effective Network Monitoring Tool (Specifications)
Videos
- How to Configure Port Mirroring
is easy to configure but supports fewer packet types than MQC-based traffic mirroring and supports only inbound traffic mirroring. MQC-based traffic mirroring is complex to configure but supports more packet types and both inbound and outbound traffic mirroring.
1. Configure an observing port (see 4.1 Configuring an Observing Port). For example, configure a local observing port GE1/0/1 that is directly connected to a monitoring device.
   <HUAWEI> system-view
   [HUAWEI] observe-port 1 interface gigabitethernet 1/0/1
2. Create an ACL. For example, create a Layer 2 ACL to match packets with 802.1p priority 6.
   [HUAWEI] acl 4001
   [HUAWEI-acl-L2-4001] rule permit 8021p 6
   [HUAWEI-acl-L2-4001] quit
3. Copy packets with 802.1p priority 6 in the inbound direction of all the ports on the device to observing port GE1/0/1.
   [HUAWEI] traffic-mirror inbound acl 4001 to observe-port 1
   Copy packets with 802.1p priority 6 in the inbound direction of all the ports in VLAN 10 to observing port GE1/0/1.
   [HUAWEI] traffic-mirror vlan 10 inbound acl 4001 to observe-port 1
1. Configure an observing port (see 4.1 Configuring an Observing Port). For example, configure a local observing port GE1/0/1 that is directly connected to a monitoring device.
   <HUAWEI> system-view
   [HUAWEI] observe-port 1 interface gigabitethernet 1/0/1
2. Create a traffic classifier. For example, create a traffic classifier c1 to match packets with 802.1p priority 6.
   [HUAWEI] traffic classifier c1
   [HUAWEI-classifier-c1] if-match 8021p 6
   [HUAWEI-classifier-c1] quit
3. Create a traffic behavior with the mirroring action. For example, create a traffic behavior b1 and set the action to traffic mirroring.
   [HUAWEI] traffic behavior b1
   [HUAWEI-behavior-b1] mirroring to observe-port 1
   [HUAWEI-behavior-b1] quit
4. Create a traffic policy and bind the traffic classifier and traffic behavior to the traffic policy. For example, create a traffic policy p1 and bind the traffic classifier and traffic behavior to the traffic policy.
   [HUAWEI] traffic policy p1
   [HUAWEI-trafficpolicy-p1] classifier c1 behavior b1
   [HUAWEI-trafficpolicy-p1] quit
5. Copy packets with 802.1p priority 6 in the inbound direction of all the ports on the device to observing port GE1/0/1.
   Copy packets with 802.1p priority 6 in the inbound direction of all the ports in VLAN 10 to observing port GE1/0/1.
   [HUAWEI] vlan 10
   [HUAWEI-vlan10] traffic-policy p1 inbound
2. Run the undo port-mirroring command on the mirrored port to delete the binding between the observing port and mirrored port and restore the mirrored port as a common port. For example, restore GE2/0/1 in step 1 to a common port.
   <HUAWEI> system-view
   [HUAWEI] interface gigabitethernet 2/0/1
   [HUAWEI-GigabitEthernet2/0/1] undo port-mirroring to observe-port 2 inbound
   [HUAWEI-GigabitEthernet2/0/1] quit
3. Run the undo observe-port command in the system view to delete the observing port. For example, delete the observing port in step 1 and restore GE1/0/1 to a common port.
   [HUAWEI] undo observe-port 2
   You can delete the observing port only after deleting the binding between the observing port and mirrored port.
In V200R002 and later versions, run the display bridge mac-address command to
check the device's MAC address.
<HUAWEI> display bridge mac-address
System bridge MAC address: 00e0-f74b-6d00
a static MAC address and bind the MAC address of 0000-0012-0034 to the
GigabitEthernet1/0/1.
NOTE
The interface bound to the MAC address must belong to the specified VLAN and the VLAN must have
been created.
In the system view, configure the MAC address of 0000-0012-0034 as a global blackhole
MAC address.
<HUAWEI> system-view
[HUAWEI] mac-address blackhole 0000-0012-0034
In the system view, configure the MAC address of 0000-0012-0035 as the blackhole
MAC address in VLAN 10.
<HUAWEI> system-view
[HUAWEI] mac-address blackhole 0000-0012-0035 vlan 10
# In any view, run the display mac-address aging-time command to view the aging time of
dynamic MAC addresses.
<HUAWEI> display mac-address aging-time
Aging time: 300 second(s)
# Set the maximum number of MAC addresses that can be learned by the gigabitethernet1/0/1
to 5.
<HUAWEI> system-view
[HUAWEI] interface gigabitethernet 1/0/1
Before setting the maximum number of MAC addresses that can be learned by an interface, ensure that
the interface has been enabled with port security.
# Run the interface range command to add GE1/0/16 to GE1/0/20 to a temporary port group.
(The interface range command is supported by only V200R003C00 and later versions.)
<HUAWEI> system-view
[HUAWEI] interface range gigabitethernet 1/0/16 to gigabitethernet 1/0/20
[HUAWEI-port-group]
All S series chassis switches support Layer 2 and Layer 3 isolation. S series box switches support Layer
2 and Layer 3 isolation excluding the S2700SI and S2700EI in V100R006C05 and the S1720, S2720,
S2750EI, S5700LI, S5710-X-LI, S5710-C-LI and S5700S-LI in V200R001 and later versions.
To configure the working mode of a combo interface, run the combo-port { auto | copper | fiber } command in the combo interface view.
- When the auto mode is specified, the system checks whether the combo optical interface has an optical module installed, and selects the interface working mode as follows:
  - When the electrical interface is not connected, the combo interface works as an optical interface if the combo optical interface has an optical module installed.
  - When the electrical interface is connected using a network cable and the combo interface is Up, the combo interface works as an electrical interface even if the combo optical interface has an optical module installed. However, the combo interface works as an optical interface after the device restarts.
  - When the electrical interface is connected using a network cable and the combo interface is Down, the combo interface works as an optical interface if the combo optical interface has an optical module installed.
  In summary, when the auto mode is specified and the combo optical interface has an optical module installed, the combo interface works as an optical interface after the device restarts.
- You can forcibly specify the working mode of the combo interface based on the peer interface type. If the local combo electrical interface is connected to a peer electrical interface, configure the combo interface to work in copper mode. If the local combo optical interface is connected to a peer optical interface, configure the combo interface to work in fiber mode.
NOTE
GE optical interfaces do not support manually configuring the interface rate in auto-negotiation mode, except a GE optical interface that has a GE copper module installed.
Physical service interfaces of the S5710HI, S6700EI, S5720HI, S5720EI and S6720EI do not support the duplex mode configuration.
Physical service interfaces of the X1E series cards on a modular switch do not support the duplex mode configuration.
To switch an interface to Layer 3 mode, run the undo portswitch command in the interface
view.
By default, an Ethernet interface works in Layer 2 mode.
When you run this command on an interface, the mode switching configuration takes effect
when only attribute configurations (such as shutdown and description configurations) exist
on the interface. If service configurations (such as the port link-type trunk configuration)
exist on the interface, you need to clear all service configurations before running this
command.
Since V200R003, interfaces on the S5700EI, S5700HI, S5710EI, S5710HI, S5720EI,
S5720HI, S6700EI, S6720EI, S7700, and S9700 support switching between Layer 2 and
Layer 3 modes.
For switches in V200R005C00 and later versions, after running the undo portswitch
command to switch an Ethernet interface to Layer 3 mode, you can assign an IP address to the
interface.
# Run the clear configuration this command in the interface view to delete configurations on
GE1/0/1.
<HUAWEI> system-view
[HUAWEI] interface gigabitethernet 1/0/1
[HUAWEI-GigabitEthernet1/0/1] clear configuration this
Warning: All configurations of the interface will be cleared, and its state will
be shutdown. Continue? [Y/N] :y
Info: Total 3 command(s) executed, 3 successful, 0 failed.
Run the undo eth-trunk command in the member interface view to delete a specified
member interface from an Eth-Trunk.
<HUAWEI> system-view
[HUAWEI] interface gigabitethernet 1/0/1
[HUAWEI-GigabitEthernet1/0/1] undo eth-trunk
Procedure
Run the undo interface eth-trunk trunk-id command in the system view.
<HUAWEI> system-view
[HUAWEI] undo interface eth-trunk 10
ActorPortName          Status   PortType PortPri PortNo PortKey PortState Weight
GigabitEthernet1/0/2   Selected 1GE      10      262    2609    10111100  1
GigabitEthernet1/0/3   Selected 1GE      10      263    2609    10111100  1
GigabitEthernet1/0/4   Unselect 1GE      32768   264    2609    10100000  1
Partner:
--------------------------------------------------------------------------------
ActorPortName          SysPri   SystemID        PortPri PortNo PortKey PortState
GigabitEthernet1/0/2   32768    00e0-fc6e-bb11  32768   262    2609    10111100
GigabitEthernet1/0/3   32768    00e0-fc6e-bb11  32768   263    2609    10111100
GigabitEthernet1/0/4   32768    00e0-fc6e-bb11  32768   264    2609    10110000
Eth-Trunk11's state information is:
WorkingMode: NORMAL
Hash arithmetic: According to SIP-XOR-DIP
Least Active-linknumber: 1  Max Bandwidth-affected-linknumber: 8
Operate status: up
Number Of Up Port In Trunk: 1
--------------------------------------------------------------------------------
PortName                      Status      Weight
GigabitEthernet1/0/1          Up          1
V200R005 and later versions support the display trunk configuration command.
Item          Meaning
Default
Current
Configured    Configured Eth-Trunk specifications. If the configured Eth-Trunk specifications are different from the current Eth-Trunk specifications, the configured Eth-Trunk specifications take effect after the device restarts.
trunk-group
trunk-member
Create 10 noncontiguous VLANs in a batch: VLAN 10, VLANs 15 to 19, VLAN 25,
VLANs 28 to 30.
<HUAWEI> system-view
[HUAWEI] vlan batch 10 15 to 19 25 28 to 30
NOTE
You can create a maximum of 10 noncontiguous VLANs or VLAN ranges at one time. If more than
10 noncontiguous VLANs need to be created, run this command multiple times. For example, vlan
batch 10 15 to 19 25 28 to 30 contains four noncontiguous VLANs or VLAN ranges.
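The syntax and the 10-item limit above are easy to get wrong when VLAN lists come from a spreadsheet or an automation job. The following Python is an added example, not Huawei code: it parses the argument of vlan batch the way the note describes (single IDs and "X to Y" ranges), counts the noncontiguous items against the limit, and regroups an arbitrary VLAN set into the fewest commands that respect it. The function names, the 1-4094 VLAN ID bound and the sample inputs are assumptions made here.

```python
MAX_VLAN_ID = 4094        # assumed valid VLAN ID range: 1-4094
MAX_BATCH_ITEMS = 10      # from the note: at most 10 noncontiguous VLANs or ranges per command


def parse_vlan_batch(arg: str):
    """Expand the argument of 'vlan batch', e.g. '10 15 to 19 25 28 to 30'.

    Returns (vlan_ids, item_count): the sorted VLAN IDs the command creates and
    the number of noncontiguous VLANs or ranges typed, which is what the
    10-item limit counts. Raises ValueError for malformed or over-limit input.
    """
    tokens = arg.split()
    items = []                                  # (low, high) per VLAN or range
    i = 0
    while i < len(tokens):
        if not tokens[i].isdigit():
            raise ValueError(f"unexpected token {tokens[i]!r}")
        low = high = int(tokens[i])
        i += 1
        if i < len(tokens) and tokens[i] == "to":          # 'X to Y' range
            if i + 1 >= len(tokens) or not tokens[i + 1].isdigit():
                raise ValueError("'to' must be followed by a VLAN ID")
            high = int(tokens[i + 1])
            i += 2
        if not 1 <= low <= high <= MAX_VLAN_ID:
            raise ValueError(f"invalid VLAN range {low}-{high}")
        items.append((low, high))
    if not items:
        raise ValueError("no VLAN IDs given")
    if len(items) > MAX_BATCH_ITEMS:
        raise ValueError(f"{len(items)} items exceed the limit of "
                         f"{MAX_BATCH_ITEMS}; split the command")
    vlan_ids = sorted({v for low, high in items for v in range(low, high + 1)})
    return vlan_ids, len(items)


def to_batch_commands(vlan_ids):
    """Turn any set of VLAN IDs into the fewest 'vlan batch' commands within the limit."""
    ranges = []
    for v in sorted(set(vlan_ids)):
        if not 1 <= v <= MAX_VLAN_ID:
            raise ValueError(f"invalid VLAN ID {v}")
        if ranges and v == ranges[-1][1] + 1:
            ranges[-1] = (ranges[-1][0], v)      # extend the current contiguous range
        else:
            ranges.append((v, v))
    commands = []
    for start in range(0, len(ranges), MAX_BATCH_ITEMS):
        chunk = ranges[start:start + MAX_BATCH_ITEMS]
        words = [f"{lo} to {hi}" if lo != hi else str(lo) for lo, hi in chunk]
        commands.append("vlan batch " + " ".join(words))
    return commands


if __name__ == "__main__":
    print(parse_vlan_batch("10 15 to 19 25 28 to 30"))
    # constructed input: 12 noncontiguous VLANs need two commands
    for cmd in to_batch_commands(range(1, 24, 2)):
        print(cmd)
```

Each command produced by to_batch_commands parses back with at most 10 items, so a script can feed them to the CLI one after another as the note recommends.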
1/0/1: port trunk pvid vlan; port trunk allow-pass vlan all; trunk pvid vlan 1
1/0/1: port hybrid pvid vlan; port hybrid vlan all; hybrid untagged vlan 1
In versions earlier than V200R005, before deleting a VLAN on which a VLANIF interface has been
configured, run the undo interface vlanif command to delete the VLANIF interface.
In V200R005 and later versions, run the port link-type { access | trunk | hybrid |
dot1q-tunnel } command and enter y or n as prompted. When the interface uses the
default VLAN configuration, the system does not display any message. The link type of
the interface is changed directly.
When you enter y and press Enter, the device automatically deletes the non-default
VLAN configuration of the interface and sets the link type of the interface to the
specified one.
When you enter n and press Enter, the device retains the current link type and
VLAN configuration of the interface.
<HUAWEI> system-view
[HUAWEI] interface gigabitethernet0/0/1
[HUAWEI-GigabitEthernet0/0/1] port link-type hybrid
Warning: This command will delete VLANs on this port. Continue?[Y/N]:y
Info: This operation may take a few seconds. Please wait for a moment...done.
In earlier versions of V200R005, an interface joins VLAN 1 by default, and the PVID of
an interface is VLAN 1. You can run the port link-type { access | trunk | hybrid |
dot1q-tunnel } command to change the link type of the interface.
When you change the link type of an interface that does not use the default VLAN
configuration, the system displays the message "Error: Please renew the default
configurations."
You need to restore the default configuration of the interface, and then change the link
type of the interface.
If the received packet carries one VLAN tag, the packet then has double tags.
If the received packet does not carry any VLAN tag, the packet then carries the default
VLAN tag of an interface.
# Configure uplink interface GE1/0/2 to transparently transmit packets with VLAN 10 in the
outer tag.
[HUAWEI] interface gigabitethernet1/0/2
[HUAWEI-GigabitEthernet1/0/2] port link-type trunk
[HUAWEI-GigabitEthernet1/0/2] port trunk allow-pass vlan 10
NOTE
l The S5700SI, S5700EI, ES0D0G24SA00 and ES0D0G24CA00 cards of the S7700, and
EH1D2G24SSA0 and EH1D2S24CSA0 cards of the S9700 do not support this configuration.
l When you configure the device to add double tags to untagged packets, run the port link-type
hybrid command to change the link type of the interface to hybrid if the following message is
displayed:
[HUAWEI-GigabitEthernet0/0/1] port vlan-stacking untagged stack-vlan 10
stack-inner-vlan 5
Error: The port is not a Trunk or Hybrid port.
l When you configure the fixed device to add double tags to untagged packets, run the qinq
vlan-translation enable command to enable VLAN translation if the following message is displayed:
[HUAWEI-GigabitEthernet0/0/1] port vlan-stacking untagged stack-vlan 10
stack-inner-vlan 5
Error: Please configure qinq vlan-translation enable on this port first.
l When you configure the device to add double tags to untagged packets, run the undo port hybrid
pvid vlan command to restore the PVID of the interface to 1 if the following message is
displayed:
[HUAWEI-GigabitEthernet0/0/1] port vlan-stacking untagged stack-vlan 10
stack-inner-vlan 5
Error: This port has been configured with default VLAN or PVID, please
undo it first.
<HUAWEI> system-view
[HUAWEI] interface gigabitethernet 1/0/1
[HUAWEI-GigabitEthernet1/0/1] stp cost 20000
Role   STP State    Protection
DESI   FORWARDING   NONE
DESI   FORWARDING   NONE
DESI   FORWARDING   NONE
DESI   FORWARDING   NONE
DESI   FORWARDING   NONE
Version                  Model
V100R006C05
V200R001C00&C01
V200R002C00
V200R003C00&C02&C10
V200R005C00&C01
Configure the IP addresses that are not dynamically assigned on the device functioning as the
DHCP server. For example, in an address pool with a mask length of 24 on the network
segment 10.1.1.0, configure 10.1.1.100-10.1.1.200 as IP addresses that are not dynamically
assigned.
<HUAWEI> system-view
[HUAWEI] interface vlanif 100
[HUAWEI-Vlanif100] dhcp server lease day 10
# Modify the lease to 10 days (864000 seconds) on the device functioning as a DHCP client.
<HUAWEI> system-view
[HUAWEI] interface vlanif 100
[HUAWEI-Vlanif100] dhcp client expected-lease 864000
: Unlocked
----------------------------------------------------------------------------
Start        End          Total   Used   Idle(Expired)   Conflict   Disable
10.1.1.1     10.1.1.254   253            252(0)
----------------------------------------------------------------------------
Network section :
----------------------------------------------------------------------------
Index   IP            MAC              Lease   Status
253     10.1.1.254    0235-2036-adcc   178     Used
4       10.1.1.5      00e0-0987-7895   60      Static-bind
-----------------------------------------------------------------------------
The clients with conflicting addresses need to be reconnected to obtain new IP addresses.
l After the mask length is changed from 25 to 24, 128 new users can be assigned IP addresses.
l The increased address range cannot conflict with other address ranges on the network.
l The ratio of the client quantity to the address pool range is planned according to the clients' online status.
If all clients (for example, enterprise employees' PCs) are online concurrently, ensure that the number of
addresses that can be assigned in the address pool is equal to or greater than the number of clients. If the
clients (for example, PCs in public areas such as hotels and Internet cafes) are not online concurrently, the
number of addresses that can be assigned in the address pool can be less than the number of clients.
After the mask length is increased from 24 to 25, 128 IP addresses can be saved.
After the address pool range is decreased, the clients that have IP addresses beyond the range will
re-apply for addresses when their leases expire.
[HUAWEI-ip-pool-pool1] network 10.1.1.0 mask 25
length.
l For a Layer 2 access device, steps 1-3 are mandatory. Configure this function in sequence.
l For a DHCP relay device, only steps 1 and 2 are mandatory.
1.
2. Enable DHCP snooping on the interface connected to the DHCP client (configure all
interfaces connected to the DHCP client; GE1/0/1 is used as an example).
[HUAWEI] interface gigabitethernet 1/0/1
[HUAWEI-GigabitEthernet1/0/1] dhcp snooping enable
[HUAWEI-GigabitEthernet1/0/1] quit
3.
Output of display arp (column layout not preserved in this copy):
IP addresses: 172.16.10.1, 172.16.10.2, 172.16.10.3, 172.16.20.1, 172.16.20.2, 172.16.20.3
MAC addresses: 0025-9efb-be55, 0025-9ef4-abcd, 0200-0000-00e8
EXPIRE(M): 20, 18; TYPE: S--, S-I, D-0, I; INTERFACE: GE1/0/6, GE1/0/19, Vlanif100; VLAN/CEVLAN: 100/
-----------------------------------------------------------------------------
Total:6        Dynamic:2      Static:2       Interface:2
In the command output, the ARP entry of each row is described as follows:
l If the value of MAC ADDRESS is Incomplete, the current ARP entry is a temporary one. When IP
packets trigger ARP Miss messages, the device generates temporary ARP entries and sends ARP
Request packets to the destination network segment.
l Before receiving an ARP Reply packet, the device discards the IP packets matching the
temporary ARP entry, and no ARP Miss message is triggered.
After receiving the ARP Reply packet, the device generates a correct ARP entry to replace
the temporary entry.
After the temporary ARP entry ages out, the device deletes this entry.
NOTICE
After ARP entries are cleared, mappings between IP addresses and MAC addresses are
deleted. As a result, users may not access specified nodes. Exercise caution when you clear
ARP entries.
# Clear all ARP entries on the device.
<HUAWEI> reset arp all
# Clear the dynamic ARP entries with the IP address 172.16.10.1 on the device.
<HUAWEI> reset arp dynamic ip 172.16.10.1 //If the IP address is not specified,
all dynamic ARP entries are deleted from the device.
# Clear the static ARP entries with the IP address 172.16.20.1, MAC address
0023-0045-0067, and outbound interface GE1/0/1 on the device.
<HUAWEI> system-view
[HUAWEI] undo arp static 172.16.20.1 0023-0045-0067 interface gigabitethernet
1/0/1
# Clear the ARP entries learned from VLANIF 100 with the IP address 172.16.20.1 on the
device.
<HUAWEI> reset arp interface vlanif 100 ip 172.16.20.1 //If the IP address is not
specified, all ARP entries learned by VLANIF 100 are deleted from the device.
# After the configuration is complete, you can run the display current-configuration |
include arp command in any view to check the configured aging time of dynamic ARP
entries.
<HUAWEI> display current-configuration | include arp
arp expire-time 1800
If the outbound interface is an Ethernet interface in Layer 2 mode, you are advised to configure a long
static ARP entry. Specify the VLAN and outbound interface when configuring the entry.
# Configure a static ARP entry with the IP address 172.16.10.2, MAC address
0023-0045-0067, and outbound interface GE1/0/1 in Layer 2 mode. This static ARP entry
belongs to VLAN 100.
<HUAWEI> system-view
[HUAWEI] vlan batch 100
[HUAWEI] interface vlanif 100
[HUAWEI-Vlanif100] ip address 172.16.10.1 24 //The IP address of the VLANIF
interface must be in the same network segment with the IP address (172.16.10.2)
in the static ARP entry.
[HUAWEI-Vlanif100] quit
[HUAWEI] interface gigabitethernet 1/0/1
[HUAWEI-GigabitEthernet1/0/1] port link-type trunk
[HUAWEI-GigabitEthernet1/0/1] port trunk allow-pass vlan 100 //The interface
GigabitEthernet1/0/1 is in Layer 2 mode and needs to be added to VLAN 100.
[HUAWEI-GigabitEthernet1/0/1] quit
[HUAWEI] arp static 172.16.10.2 0023-0045-0067 vid 100 interface gigabitethernet
1/0/1
# Configure a static ARP entry with the IP address 172.16.20.2, MAC address
0023-0045-0068, and outbound interface GE1/0/2 in Layer 3 mode.
<HUAWEI> system-view
[HUAWEI] interface gigabitethernet 1/0/2
[HUAWEI-GigabitEthernet1/0/2] undo portswitch
[HUAWEI-GigabitEthernet1/0/2] ip address 172.16.20.1 24 //The IP address of
GigabitEthernet1/0/2 must be in the same network segment with the IP address
(172.16.20.2) in the static ARP entry.
[HUAWEI-GigabitEthernet1/0/2] quit
[HUAWEI] arp static 172.16.20.2 0023-0045-0068 interface gigabitethernet 1/0/2
# Configure a static ARP entry with the IP address 172.16.30.2 and MAC address
0023-0045-0069. This static ARP entry belongs to the VPN instance vpn1.
<HUAWEI> system-view
[HUAWEI] ip vpn-instance vpn1
[HUAWEI-vpn-instance-vpn1] ipv4-family
[HUAWEI-vpn-instance-vpn1-af-ipv4] quit
[HUAWEI-vpn-instance-vpn1] quit
[HUAWEI] arp static 172.16.30.2 0023-0045-0069 vpn-instance vpn1
# Configure a static ARP entry with the IP address 172.16.40.2 and MAC address
02bf-0045-0070. (For example, you can configure such a short static ARP entry when the
device is connected to an NLB server cluster in multi-port ARP mode.)
<HUAWEI> system-view
[HUAWEI] arp static 172.16.40.2 02bf-0045-0070
Using Automatic Scanning and Fixed ARP to Batch Configure Static ARP Entries
# The IP address of VLANIF 103 is 172.16.50.1/24. Perform automatic scanning on the ARP
entries with the IP addresses 172.16.50.2 to 172.16.50.4, and convert the learned ARP entries
into static ARP entries.
<HUAWEI> system-view
[HUAWEI] vlan batch 103
[HUAWEI] interface vlanif 103
[HUAWEI-Vlanif103] ip address 172.16.50.1 24
[HUAWEI-Vlanif103] quit
[HUAWEI] interface gigabitethernet 1/0/3
[HUAWEI-GigabitEthernet1/0/3] port link-type trunk
[HUAWEI-GigabitEthernet1/0/3] port trunk allow-pass vlan 103
[HUAWEI-GigabitEthernet1/0/3] quit
[HUAWEI] display arp network 172.16.50.0 24
IP ADDRESS      MAC ADDRESS     EXPIRE(M) TYPE  INTERFACE   VPN-INSTANCE  VLAN/CEVLAN
-----------------------------------------------------------------------------
172.16.50.1     00e0-0987-7895            I -   Vlanif103
-----------------------------------------------------------------------------
Total:1        Dynamic:0      Static:0       Interface:1
[HUAWEI] interface vlanif 103
[HUAWEI-Vlanif103] arp scan 172.16.50.2 to 172.16.50.4 //Automatic scanning is
performed on VLANIF 103. The IP addresses 172.16.50.2 to 172.16.50.4 are in the
same network segment with the IP address 172.16.50.1 of VLANIF 103. That is, the
start and end IP addresses in the ARP automatically scanned area must be in the
same network segment with the IP address (primary or secondary) of the VLANIF
interface.
Warning: This operation may take a long time, press CTRL+C to break. Continue?
[Y/N]:y
Processing...
Info: ARP scanning is completed.
[HUAWEI-Vlanif103] display arp network 172.16.50.0 24 //After automatic scanning,
check the ARP entries. The device has newly learned three dynamic ARP entries.
IP ADDRESS      MAC ADDRESS     EXPIRE(M) TYPE  INTERFACE   VPN-INSTANCE  VLAN/CEVLAN
-----------------------------------------------------------------------------
172.16.50.1     00e0-0987-7895            I -   Vlanif103
172.16.50.2     0200-0000-0212  20        D-0   GE1/0/3                   103/-
172.16.50.3     0200-0000-0212  20        D-0   GE1/0/3                   103/-
172.16.50.4     0200-0000-0212  20        D-0   GE1/0/3                   103/-
-----------------------------------------------------------------------------
Total:4        Dynamic:3      Static:0       Interface:1
[HUAWEI-Vlanif103] arp fixup //Configure fixed ARP entries on VLANIF 103 by
converting dynamic ARP entries learned into static ARP entries.
Warning: This operation may generate configuration of static ARP, and take a long
time, press CTRL+C to break. Continue?[Y/N]:y
Processing...
Info: ARP fixup is completed.
[HUAWEI-Vlanif103] display arp network 172.16.50.0 24 //Check the fixed ARP entries.
The three dynamic ARP entries newly learned by the device have been converted into
static ARP entries.
IP ADDRESS      MAC ADDRESS     EXPIRE(M) TYPE  INTERFACE   VPN-INSTANCE  VLAN/CEVLAN
-----------------------------------------------------------------------------
172.16.50.1     00e0-0987-7895            I -   Vlanif103
172.16.50.2     0200-0000-0212            S--   GE1/0/3                   103/-
172.16.50.3     0200-0000-0212            S--   GE1/0/3                   103/-
172.16.50.4     0200-0000-0212            S--   GE1/0/3                   103/-
-----------------------------------------------------------------------------
Total:4        Dynamic:0      Static:3       Interface:1
Scenario
# Cancel the rate limit on ARP Miss messages of all source IP addresses. (The S2750, S5710C-LI, S5710-X-LI, S5700LI, and S5700S-LI do not support this command.)
<HUAWEI> system-view
[HUAWEI] arp-miss speed-limit source-ip maximum 0
If the parameters match the table information, the user is authorized and the device
allows the ARP packet to pass through.
If the parameters do not match the table information, the device considers that it is an
attack packet and discards the packet.
# Configure DHCP snooping on the device and enable DAI on the interface connecting the
device to the user side.
<HUAWEI> system-view
[HUAWEI] dhcp enable
[HUAWEI] dhcp snooping enable ipv4
[HUAWEI] interface gigabitethernet 1/0/1
[HUAWEI-GigabitEthernet1/0/1] dhcp snooping enable //Enable DHCP snooping on the
interface connecting the device to the user side.
[HUAWEI-GigabitEthernet1/0/1] quit
[HUAWEI] interface gigabitethernet 1/0/2
[HUAWEI-GigabitEthernet1/0/2] dhcp snooping trusted //Configure the interface
connecting the device to the DHCP server as a trusted interface. If DHCP snooping
is deployed on the DHCP relay device, the trusted interface configuration is
optional.
[HUAWEI-GigabitEthernet1/0/2] quit
[HUAWEI] user-bind static ip-address 10.10.10.1 vlan 100 //Configure the static
binding table on the device for the users configured with static IP addresses.
[HUAWEI] interface gigabitethernet 1/0/1
[HUAWEI-GigabitEthernet1/0/1] arp anti-attack check user-bind enable //Enable DAI
on the interface connecting the device to the user side.
[HUAWEI-GigabitEthernet1/0/1] quit
# Configure DHCP snooping on the device and enable DAI in the user-side VLAN.
<HUAWEI> system-view
[HUAWEI] dhcp enable
[HUAWEI] dhcp snooping enable ipv4
[HUAWEI] vlan 100
[HUAWEI-vlan100] dhcp snooping enable //Enable DHCP snooping in the VLAN that the
user device belongs to.
[HUAWEI-vlan100] quit
[HUAWEI] vlan 200
[HUAWEI-vlan200] dhcp snooping enable
[HUAWEI-vlan200] dhcp snooping trusted interface gigabitethernet 1/0/2 //
Configure the interface connecting the device to the DHCP server as a trusted
interface. If DHCP snooping is deployed on the DHCP relay device, the trusted
interface configuration is optional.
[HUAWEI-vlan200] quit
[HUAWEI] user-bind static ip-address 10.10.10.1 vlan 100 //Configure the static
binding table on the device for the users configured with static IP addresses.
[HUAWEI] vlan 100
[HUAWEI-vlan100] arp anti-attack check user-bind enable //Enable DAI in the user-side VLAN.
[HUAWEI-vlan100] quit
The source IP address in the ARP packet is the same as the IP address of the VLANIF
interface matching the inbound interface of the packet.
The source IP address in the ARP packet is the virtual IP address of the inbound
interface but the source MAC address in the ARP packet is not the virtual MAC address
of the Virtual Router Redundancy Protocol (VRRP) group.
The device generates an ARP anti-collision entry and discards the received ARP packets with
the same source MAC address and VLAN ID in a specified period. This function prevents
ARP packets with the bogus gateway address from being broadcast in a VLAN.
# Enable the ARP gateway anti-collision function on the gateway device. By default, the ARP
gateway anti-collision function is disabled.
<HUAWEI> system-view
[HUAWEI] arp anti-attack gateway-duplicate enable
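The two checks described above, DAI (an ARP packet passes only when its parameters match a binding entry) and ARP gateway anti-collision (a packet claiming the gateway's own address creates an anti-collision entry keyed by source MAC and VLAN, and further packets with that key are dropped for a period), can be simulated in software to reason about what each one blocks. The following Python is an added example, not Huawei code or the switch's implementation. The ArpGuard class, the Binding and ArpPacket types, the 180-second block period, the sample bindings and the gateway address 10.10.10.254 are assumptions made here; the VRRP virtual-address case is not modelled.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class ArpPacket:
    src_ip: str
    src_mac: str
    vlan: int
    in_interface: str


@dataclass(frozen=True)
class Binding:
    """One entry of the binding table (DHCP snooping or user-bind static)."""
    ip: str
    vlan: int
    mac: Optional[str] = None          # None: entry does not bind a MAC address
    interface: Optional[str] = None    # None: entry does not bind an interface


class ArpGuard:
    """Assumed model of DAI plus gateway anti-collision on one device."""

    def __init__(self, bindings, gateway_ips, dai_interfaces, block_seconds=180):
        self.bindings = list(bindings)
        self.gateway_ips = dict(gateway_ips)        # VLAN ID -> IP address of its VLANIF
        self.dai_interfaces = set(dai_interfaces)   # interfaces with DAI enabled
        self.block_seconds = block_seconds          # assumed anti-collision period
        self.collision_entries: Dict[Tuple[str, int], float] = {}  # (src MAC, VLAN) -> expiry

    def dai_check(self, pkt: ArpPacket) -> bool:
        """True when some binding entry matches every parameter it binds."""
        for b in self.bindings:
            if b.ip != pkt.src_ip or b.vlan != pkt.vlan:
                continue
            if b.mac is not None and b.mac != pkt.src_mac:
                continue
            if b.interface is not None and b.interface != pkt.in_interface:
                continue
            return True
        return False

    def gateway_check(self, pkt: ArpPacket, now: float) -> bool:
        """False when the packet is dropped by gateway anti-collision."""
        key = (pkt.src_mac, pkt.vlan)
        expiry = self.collision_entries.get(key)
        if expiry is not None:
            if now < expiry:
                return False                       # still inside the block period
            del self.collision_entries[key]        # entry has expired
        if self.gateway_ips.get(pkt.vlan) == pkt.src_ip:
            self.collision_entries[key] = now + self.block_seconds
            return False                           # bogus gateway: create entry, drop
        return True

    def filter_arp(self, pkt: ArpPacket, now: float = 0.0):
        """Returns ('permit', None) or ('discard', reason)."""
        if not self.gateway_check(pkt, now):
            return ("discard", "gateway-duplicate")
        if pkt.in_interface in self.dai_interfaces and not self.dai_check(pkt):
            return ("discard", "user-bind mismatch")
        return ("permit", None)


def demo_guard() -> ArpGuard:
    """Constructed sample state: the static user-bind entry from the page, one
    binding learned by DHCP snooping (made up here), DAI on GE1/0/1."""
    bindings = [Binding("10.10.10.1", 100),
                Binding("10.10.10.20", 100, "0200-0000-0014", "GE1/0/1")]
    return ArpGuard(bindings, {100: "10.10.10.254"}, {"GE1/0/1"})


if __name__ == "__main__":
    g = demo_guard()
    samples = [ArpPacket("10.10.10.20", "0200-0000-0014", 100, "GE1/0/1"),
               ArpPacket("10.10.10.20", "0200-0000-00ff", 100, "GE1/0/1"),
               ArpPacket("10.10.10.254", "0200-0000-0bad", 100, "GE1/0/1")]
    for p in samples:
        print(p.src_ip, p.src_mac, "->", g.filter_arp(p))
```

Note that the anti-collision entry is keyed by source MAC and VLAN, not by IP address: once a host has claimed the gateway address, its other ARP packets in that VLAN are dropped too until the period ends, after which the normal DAI check applies again.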
To delete an ACL, run the undo acl { [ number ] acl-number | all } or undo acl name
acl-name command in the system view.
To delete an ACL6, run the undo acl ipv6 { all | [ number ] acl6-number } or undo acl
ipv6 name acl6-name command in the system view.
Related Information
Support Community
l ACL Matching
l ACL Application
<HUAWEI> system-view
[HUAWEI] acl 2001
[HUAWEI-acl-basic-2001] rule deny source 192.168.1.0 0.0.0.255 fragment
To prohibit Telnet connections between the specified host and the hosts on a network
segment, configure a rule in an advanced ACL. For example, to prohibit Telnet
connections between host 192.168.1.3 and hosts on network segment 192.168.2.0/24,
configure the following rule in the advanced ACL deny-telnet.
<HUAWEI> system-view
[HUAWEI] acl name deny-telnet
[HUAWEI-acl-adv-deny-telnet] rule deny tcp destination-port eq telnet source
192.168.1.3 0 destination 192.168.2.0 0.0.0.255
Huawei Proprietary and Confidential
Copyright Huawei Technologies Co., Ltd.
To prohibit the specified hosts from accessing web pages (HTTP is used to access web
pages, and the TCP port number is 80), configure rules in an advanced ACL. For example,
to prohibit hosts 192.168.1.3 and 192.168.1.4 from accessing web pages, configure the
following rules in ACL no-web and set the description of the ACL to Web access
restrictions.
<HUAWEI> system-view
[HUAWEI] acl name no-web
[HUAWEI-acl-adv-no-web] description Web access restrictions
[HUAWEI-acl-adv-no-web] rule deny tcp destination-port eq 80 source
192.168.1.3 0
[HUAWEI-acl-adv-no-web] rule deny tcp destination-port eq 80 source
192.168.1.4 0
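The basic and advanced ACL rules above all rely on wildcard masks (192.168.1.0 0.0.0.255 for a /24, 192.168.1.3 0 for one host). The following Python is an added example, not Huawei code: it implements the wildcard semantics (a 0 bit in the wildcard must match, a 1 bit is ignored), transcribes the deny-telnet and no-web ACLs from the page as rule lists, and evaluates constructed packets against them. The Rule class, the dictionary packet format and the assumption that rules are evaluated in configuration order with the first match deciding are choices made here; what happens to a packet that matches no rule depends on where the ACL is applied, so the evaluator returns None for that case.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


def _addr(text: str) -> int:
    # the CLI accepts a bare '0' as the wildcard for a single host (192.168.1.3 0)
    return 0 if text == "0" else int(ipaddress.IPv4Address(text))


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """ACL wildcard semantics: a 0 bit in the wildcard must match, a 1 bit is ignored."""
    care = ~_addr(wildcard) & 0xFFFFFFFF
    return (_addr(addr) & care) == (_addr(base) & care)


@dataclass
class Rule:
    action: str                                   # "permit" or "deny"
    protocol: Optional[str] = None                # "tcp", "udp" ...; None in a basic ACL
    source: Optional[Tuple[str, str]] = None      # (address, wildcard)
    destination: Optional[Tuple[str, str]] = None
    destination_port: Optional[int] = None        # destination-port eq <port>


def rule_matches(rule: Rule, pkt: dict) -> bool:
    if rule.protocol is not None and pkt["protocol"] != rule.protocol:
        return False
    if rule.source is not None and not wildcard_match(pkt["src"], *rule.source):
        return False
    if rule.destination is not None and not wildcard_match(pkt["dst"], *rule.destination):
        return False
    if rule.destination_port is not None and pkt.get("dport") != rule.destination_port:
        return False
    return True


def evaluate_acl(rules: List[Rule], pkt: dict) -> Optional[str]:
    """First matching rule decides (configuration order assumed); None when nothing matches."""
    for rule in rules:
        if rule_matches(rule, pkt):
            return rule.action
    return None


# The two advanced ACLs from the page, transcribed (telnet is TCP port 23).
DENY_TELNET = [Rule("deny", "tcp", ("192.168.1.3", "0"), ("192.168.2.0", "0.0.0.255"), 23)]
NO_WEB = [Rule("deny", "tcp", ("192.168.1.3", "0"), None, 80),
          Rule("deny", "tcp", ("192.168.1.4", "0"), None, 80)]


if __name__ == "__main__":
    # constructed sample packets
    flows = [{"protocol": "tcp", "src": "192.168.1.3", "dst": "192.168.2.77", "dport": 23},
             {"protocol": "tcp", "src": "192.168.1.4", "dst": "192.168.2.77", "dport": 23},
             {"protocol": "tcp", "src": "192.168.1.4", "dst": "10.0.0.8", "dport": 80},
             {"protocol": "tcp", "src": "192.168.1.4", "dst": "10.0.0.8", "dport": 443}]
    for f in flows:
        print(f, "deny-telnet:", evaluate_acl(DENY_TELNET, f), "no-web:", evaluate_acl(NO_WEB, f))
```

A practical check this enables: a wildcard such as 0.0.255.255 written where 0.0.0.255 was intended widens the rule to a /16, and running the intended and unintended addresses through wildcard_match shows the difference before the ACL is applied.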
To allow the ARP packets with the specified destination and source MAC addresses and
Layer 2 protocol type to pass, configure a rule in a Layer 2 ACL. For example, to allow
the ARP packets with destination MAC address 0000-0000-0001, source MAC address
0000-0000-0002, and Layer 2 protocol type 0x0806 to pass, configure the following rule
in ACL 4001.
<HUAWEI> system-view
[HUAWEI] acl 4001
[HUAWEI-acl-L2-4001] rule permit destination-mac 0000-0000-0001 source-mac
0000-0000-0002 l2-protocol 0x0806
To reject the PPPoE packets with the specified Layer 2 protocol type, configure a rule in
a Layer 2 ACL. To reject the PPPoE packets with Layer 2 protocol type 0x8863,
configure the following rule in ACL 4001.
<HUAWEI> system-view
[HUAWEI] acl 4001
[HUAWEI-acl-L2-4001] rule deny l2-protocol 0x8863
00e0-fc01-0000 to 00e0-fc01-ffff in VLAN 10, configure the following rule in Layer 2 ACL
deny-vlan10-mac.
<HUAWEI> system-view
[HUAWEI] acl name deny-vlan10-mac link
[HUAWEI-acl-L2-deny-vlan10-mac] rule deny vlan-id 10 source-mac 00e0-fc01-0000
ffff-ffff-0000
To reject the ARP packets from the specified host, configure a rule in a user-defined
ACL. For example, to reject the ARP packets from host 192.168.0.2, configure the
following rule in ACL 5001.
In the following rule:
10 indicates the protocol type field offset in the ARP packets (without VLAN ID).
26 and 30 respectively indicate the offsets of the higher and lower two bytes in the
source IP addresses in ARP packets (without VLAN ID). The source IP address in
an ARP packet begins at the 28th byte in Layer 2 header and occupies 4 bytes. The
Layer 2 header offset defined in a user-defined ACL must be 4n+2 (n is an integer).
Therefore, the source IP address is divided into two segments for matching. The
lower two bytes among the four bytes behind offset 26 (4 x 6 + 2) and the higher
two bytes among the four bytes behind offset 30 (4 x 7 + 2) are matched separately.
To filter ARP packets with VLAN IDs, add 4 to each of the following offsets.
Figure 13-1 Source IP address field offset in Layer 2 header of an ARP packet (32-bit rows, bit positions 0, 15, 23, 31; fields Hardware Type, Protocol Type, Hardware Length, Protocol Length, OP, IP Address of destination(0-15), IP Address of destination(16-31); marked offsets 4x0+2 = 2 bytes, 4x6+2 = 26 bytes, 32 bytes, 40 bytes)
<HUAWEI> system-view
[HUAWEI] acl 5001
[HUAWEI-acl-user-5001] rule deny l2-head 0x00000806 0x0000ffff 10 0x0000c0a8
0x0000ffff 26 0x00020000 0xffff0000 30
8 indicates the protocol type offset in the IP packets. (The protocol type field in an
IP packet begins at the 10th byte in IPv4 header and occupies one byte. The IPv4
header offset defined in a user-defined ACL must be 4n (n is an integer). Therefore,
the second higher byte among the four bytes behind offset 8 in the IPv4 header is
matched.)
<HUAWEI> system-view
[HUAWEI] acl name deny-tcp user
[HUAWEI-acl-user-deny-tcp] rule 5 deny ipv4-head 0x00060000 0x00ff0000 8
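The offset arithmetic in the two user-defined ACL rules above (ACL 5001 matching the EtherType at offset 10 and the ARP source IP split across offsets 26 and 30; ACL deny-tcp matching the IPv4 protocol field through offset 8) is the part most likely to be miscomputed, so it is worth checking against real frame bytes. The following Python is an added example, not Huawei code or the switch's matching engine: each rule is a list of (value, mask, offset) triples, the 4-byte word at the offset is masked and compared, and the 4n+2 / 4n offset constraints from the text are enforced. It also derives the VLAN-tagged variant of ACL 5001 by adding 4 to every offset, as the text says. The frame builders, function names and sample addresses are constructed here.

```python
import struct

ETHERTYPE_ARP = 0x0806
ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_VLAN = 0x8100

# Rules transcribed from the page as (value, mask, offset) triples.
ACL_5001_L2_HEAD = [(0x00000806, 0x0000ffff, 10),   # EtherType 0x0806 in the low 2 bytes
                    (0x0000c0a8, 0x0000ffff, 26),   # source IP bytes 28-29 = 192.168
                    (0x00020000, 0xffff0000, 30)]   # source IP bytes 30-31 = 0.2
ACL_DENY_TCP_IPV4_HEAD = [(0x00060000, 0x00ff0000, 8)]   # protocol byte 9 = 6 (TCP)
# The same ARP rule for 802.1Q-tagged frames: every offset moves by 4 bytes.
ACL_5001_L2_HEAD_TAGGED = [(v, m, o + 4) for v, m, o in ACL_5001_L2_HEAD]


def word_matches(buf: bytes, value: int, mask: int, offset: int) -> bool:
    """Mask the 4-byte word starting at offset and compare with value."""
    if offset + 4 > len(buf):
        return False                      # frame too short to hold the word
    word = struct.unpack("!I", buf[offset:offset + 4])[0]
    return (word & mask) == value


def match_l2_head(frame: bytes, rule) -> bool:
    """Evaluate an l2-head rule against a raw Ethernet frame (offsets from byte 0)."""
    for value, mask, offset in rule:
        if offset % 4 != 2:
            raise ValueError(f"Layer 2 offset {offset} is not of the form 4n+2")
        if not word_matches(frame, value, mask, offset):
            return False
    return True


def match_ipv4_head(frame: bytes, rule, l2_len: int = 14) -> bool:
    """Evaluate an ipv4-head rule; offsets count from the start of the IPv4 header."""
    ip_header = frame[l2_len:]
    for value, mask, offset in rule:
        if offset % 4 != 0:
            raise ValueError(f"IPv4 header offset {offset} is not a multiple of 4")
        if not word_matches(ip_header, value, mask, offset):
            return False
    return True


def ip_bytes(addr: str) -> bytes:
    return bytes(int(o) for o in addr.split("."))


def build_arp_request(sender_ip: str, sender_mac: bytes, target_ip: str, vlan=None) -> bytes:
    """Constructed sample frame: broadcast ARP request, optionally 802.1Q tagged."""
    eth = b"\xff" * 6 + sender_mac
    if vlan is not None:
        eth += struct.pack("!HH", ETHERTYPE_VLAN, vlan)
    eth += struct.pack("!H", ETHERTYPE_ARP)
    arp = struct.pack("!HHBBH", 1, ETHERTYPE_IPV4, 6, 4, 1)   # Ethernet/IPv4, request
    arp += sender_mac + ip_bytes(sender_ip) + b"\x00" * 6 + ip_bytes(target_ip)
    return eth + arp


def build_ipv4_frame(protocol: int) -> bytes:
    """Constructed sample frame: minimal 20-byte IPv4 header carrying the given protocol."""
    eth = b"\x00" * 12 + struct.pack("!H", ETHERTYPE_IPV4)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, protocol, 0,
                     ip_bytes("192.168.0.2"), ip_bytes("192.168.0.1"))
    return eth + ip


if __name__ == "__main__":
    mac = bytes.fromhex("020000000002")          # constructed sender MAC
    for ip in ("192.168.0.2", "192.168.0.3"):
        frame = build_arp_request(ip, mac, "192.168.0.1")
        print(ip, "matches ACL 5001:", match_l2_head(frame, ACL_5001_L2_HEAD))
    tagged = build_arp_request("192.168.0.2", mac, "192.168.0.1", vlan=10)
    print("tagged frame, untagged rule:", match_l2_head(tagged, ACL_5001_L2_HEAD))
    print("tagged frame, tagged rule:  ", match_l2_head(tagged, ACL_5001_L2_HEAD_TAGGED))
    print("TCP frame matches deny-tcp: ", match_ipv4_head(build_ipv4_frame(6), ACL_DENY_TCP_IPV4_HEAD))
```

The tagged-frame case shows why the text insists on adding 4 to each offset: with the untagged rule, the word at offset 10 of a tagged frame ends in the 0x8100 TPID rather than 0x0806, so the rule silently stops matching and the filter no longer applies.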
Figure: Protocol field offset in the IPv4 header (32-bit rows, bit positions 0, 4, 8, 16, 19, 24, 31; fields Version, Header Length, Tos, Total length, identifier, Flags, Fragment offset, TTL, Protocol, Header checksum, Source IP address, Destination IP address, Options (variable length), Data; marked byte offsets 4, 8, 10, 12, 20)
configure the device to not calculate the inter-frame gap and preamble of packets during rate
limit calculation, to improve rate limit accuracy.
<HUAWEI> system-view
[HUAWEI] acl 3000
[HUAWEI-acl-adv-3000] rule deny tcp destination-port eq 25
[HUAWEI-acl-adv-3000] rule deny tcp destination-port eq 110
[HUAWEI-acl-adv-3000] rule deny tcp destination-port eq 80
[HUAWEI-acl-adv-3000] quit
[HUAWEI] traffic classifier c1
[HUAWEI-classifier-c1] if-match acl 3000
[HUAWEI-classifier-c1] quit
[HUAWEI] traffic behavior b1
[HUAWEI-behavior-b1] deny
[HUAWEI-behavior-b1] quit
[HUAWEI] traffic policy p1
[HUAWEI-trafficpolicy-p1] classifier c1 behavior b1
[HUAWEI-trafficpolicy-p1] quit
[HUAWEI] interface gigabitethernet 1/0/1
[HUAWEI-GigabitEthernet1/0/1] traffic-policy p1 inbound
<HUAWEI> system-view
[HUAWEI] acl 4000
[HUAWEI-acl-L2-4000] rule permit source-mac 0000-0000-0003 ffff-ffff-ffff
[HUAWEI-acl-L2-4000] quit
[HUAWEI] traffic classifier c1
[HUAWEI-classifier-c1] if-match acl 4000
[HUAWEI-classifier-c1] quit
[HUAWEI] traffic behavior b1
[HUAWEI-behavior-b1] statistic enable
[HUAWEI-behavior-b1] quit
[HUAWEI] traffic policy p1
[HUAWEI-trafficpolicy-p1] classifier c1 behavior b1
[HUAWEI-trafficpolicy-p1] quit
[HUAWEI] interface gigabitethernet 1/0/1
[HUAWEI-GigabitEthernet1/0/1] traffic-policy p1 inbound
[HUAWEI-GigabitEthernet1/0/1] traffic-policy p1 outbound
SA cards of S series switches do not support byte-based traffic statistics; the byte count is displayed as "-".
15
IPSG matches packets against all options in the static binding entry. Ensure that the created
binding entry is correct and contains all the options to check. The device forwards the packets
from hosts only when the packets match all options in the binding entry, and discards the packets
not matching the binding entry.
The device can bind multiple IP addresses or IP address segments to the same interface or MAC
address.
If you need to bind discontinuous IP addresses, enter 1-10 IP addresses in start-ip. For
example, you can run user-bind static ip-address 192.168.1.2 192.168.1.5 192.168.1.12
interface gigabitethernet 1/0/1 to bind multiple IP addresses to the same interface.
If you need to bind continuous IP addresses, enter 1-10 IP address segments in start-ip to
end-ip. When the keyword to is used, the IP address segments cannot overlap. For example,
you can run user-bind static ip-address 172.16.1.1 to 172.16.1.4 mac-address
0001-0001-0001 to bind multiple IP addresses to the same MAC address.
2. Run the ip source check user-bind enable command in the interface or VLAN view to
enable IPSG.
Enabling IPSG on an interface: IPSG checks all packets received by the interface
against the binding entry. Choose this method if you need to check IP packets on
the specified interfaces and trust other interfaces. In addition, this method is
convenient if an interface belongs to multiple VLANs because you do not need to
enable IPSG in each VLAN.
Enabling IPSG in a VLAN: IPSG checks the packets received by all interfaces in
the VLAN against the binding entry. Choose this method if you need to check IP
packets in the specified VLANs and trust other VLANs. In addition, this method is
convenient if multiple interfaces belong to the same VLAN because you do not
need to enable IPSG on each interface.
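The matching behaviour described above (every option in the entry must match, and only where IPSG is enabled), as an added Python model that is not code from the Huawei guide; the entry and packet structures, the ip-address expansion helper and all sample values are assumptions made for this example.

```python
# Added example (not from the Huawei guide): emulates how IPSG checks a packet
# against static binding entries. Entry fields, names and packets are constructed.
import ipaddress
from dataclasses import dataclass
from typing import FrozenSet, List, Optional

@dataclass(frozen=True)
class Binding:
    """One user-bind static entry; None means the option was not specified."""
    ips: FrozenSet[str]
    mac: Optional[str] = None
    interface: Optional[str] = None
    vlan: Optional[int] = None

def expand_ips(spec: str) -> FrozenSet[str]:
    """Expand the ip-address argument: up to 10 discrete addresses, or one
    'start-ip to end-ip' segment (the guide allows up to 10 such segments)."""
    parts = spec.split()
    if len(parts) == 3 and parts[1] == "to":
        start = int(ipaddress.IPv4Address(parts[0]))
        end = int(ipaddress.IPv4Address(parts[2]))
        if end < start:
            raise ValueError("end-ip must not be lower than start-ip")
        return frozenset(str(ipaddress.IPv4Address(a)) for a in range(start, end + 1))
    if not 1 <= len(parts) <= 10:
        raise ValueError("enter 1-10 IP addresses")
    return frozenset(parts)

@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_mac: str
    interface: str
    vlan: int

def matches(entry: Binding, pkt: Packet) -> bool:
    """The packet must match EVERY option present in the binding entry."""
    return (pkt.src_ip in entry.ips
            and (entry.mac is None or entry.mac == pkt.src_mac)
            and (entry.interface is None or entry.interface == pkt.interface)
            and (entry.vlan is None or entry.vlan == pkt.vlan))

def ipsg_verdict(table: List[Binding], pkt: Packet,
                 enabled_interfaces=(), enabled_vlans=()) -> str:
    """Return 'forward' or 'discard'. Packets are only checked where IPSG was
    enabled, either on the ingress interface or in the packet's VLAN."""
    if pkt.interface not in enabled_interfaces and pkt.vlan not in enabled_vlans:
        return "forward"
    return "forward" if any(matches(e, pkt) for e in table) else "discard"
```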
The following example shows how to configure IPSG based on the static binding table:
# Create a static binding entry (source IP address 192.168.1.1 and source MAC address
0003-0003-0003) and enable IPSG on GE1/0/1.
<HUAWEI> system-view
[HUAWEI] user-bind static ip-address 192.168.1.1 mac-address 0003-0003-0003
[HUAWEI] interface gigabitethernet 1/0/1
[HUAWEI-GigabitEthernet1/0/1] ip source check user-bind enable
# Create a static binding entry (source IP address 192.168.2.1, source MAC address
0002-0002-0002, interface GE1/0/1, and VLAN 10) and enable IPSG in VLAN 10.
<HUAWEI> system-view
Run the dhcp enable command in the system view to enable DHCP globally.
b. Run the dhcp snooping enable command in the system view to enable DHCP
snooping globally.
c. Run the dhcp snooping enable command in the interface or VLAN view to enable
DHCP snooping on the interface or in the VLAN.
d. Run the dhcp snooping trusted command in the interface view or the dhcp
snooping trusted interface interface-type interface-number command in the
VLAN view to configure a trusted interface.
The device directly forwards the IP packets received by the trusted interface
without checking them against the binding entry.
2. Run the ip source check user-bind enable command in the interface or VLAN view to
enable IPSG.
The following example shows how to configure IPSG based on the DHCP snooping dynamic
binding table:
# Configure DHCP snooping, specify GE1/0/1 as a trusted interface, and enable IPSG on
GE1/0/2.
<HUAWEI> system-view
[HUAWEI] dhcp enable
[HUAWEI] dhcp snooping enable
[HUAWEI] interface gigabitethernet 1/0/1
[HUAWEI-GigabitEthernet1/0/1] dhcp snooping trusted
[HUAWEI-GigabitEthernet1/0/1] quit
[HUAWEI] interface gigabitethernet 1/0/2
[HUAWEI-GigabitEthernet1/0/2] dhcp snooping enable
[HUAWEI-GigabitEthernet1/0/2] ip source check user-bind enable
# Configure DHCP snooping, specify GE1/0/1 as a trusted interface, and enable IPSG in
VLAN 10.
<HUAWEI> system-view
[HUAWEI] vlan batch 10
[HUAWEI] interface gigabitethernet 1/0/1
[HUAWEI-GigabitEthernet1/0/1] port link-type trunk
[HUAWEI-GigabitEthernet1/0/1] port trunk allow-pass vlan 10
[HUAWEI-GigabitEthernet1/0/1] quit
[HUAWEI] dhcp enable
When you delete a binding entry, the parameters specified in the undo command must be
the same as the corresponding parameters in the binding entry; otherwise, the entry
cannot be deleted.
Run the undo user-bind static command to delete all binding entries.
Run the undo user-bind static interface gigabitethernet 1/0/1 command to delete
all entries on the specified interface GE1/0/1.
Run the undo user-bind static vlan 10 command to delete all entries in VLAN 10.
<HUAWEI> system-view
[HUAWEI] undo user-bind static vlan 10
After the preceding steps are performed in sequence, all binding entries are deleted.
16
<HUAWEI> system-view
[HUAWEI] aaa
[HUAWEI-aaa] service-scheme sch1
[HUAWEI-aaa-service-sch1] admin-user privilege level 15
levels of all users in a domain to 15.
Set the user level for all users logging in through the same user interface (such as VTY
user interface).
<HUAWEI> system-view
[HUAWEI] user-interface maximum-vty 15
[HUAWEI] user-interface vty 0 14
[HUAWEI-ui-vty0-14] user privilege level 15
VTY 14 to 15.
17
In the V200R005C00 and later versions, only the common NAC mode supports MAC address bypass
authentication.
system-view
dot1x enable
dot1x enable interface gigabitethernet 1/0/1 gigabitethernet 1/0/5
dot1x mac-bypass interface gigabitethernet 1/0/1 gigabitethernet
In the V200R005C00 and later versions, only the common NAC mode supports the guest VLAN function.
[Figure 17-1: User - GE0/0/1 - LAN Switch - GE0/0/3 - Switch (802.1x authentication) - Intranet]
As shown in Figure 17-1, a Layer 2 switch (LAN Switch) sits between the user and the
switch (Switch) on which 802.1x authentication is enabled. To ensure that the user's 802.1x
authentication packets can reach the Switch through the LAN Switch, perform the following
configuration on the LAN Switch (an S5700HI is used as the Layer 2 switch in this example).
<HUAWEI> system-view
[HUAWEI] sysname LAN Switch
[LAN Switch] l2protocol-tunnel user-defined-protocol dot1x protocol-mac 0180-c200-0003 group-mac 0100-0000-0002 //group-mac cannot be set to a reserved multicast MAC address (0180-C200-0000 to 0180-C200-002F) or to certain other special MAC addresses.
[LAN Switch] interface gigabitethernet 0/0/1 //Configure the uplink interface of the Layer 2 switch and all user-facing interfaces in the same way.
[LAN Switch-GigabitEthernet0/0/1] l2protocol-tunnel user-defined-protocol dot1x enable
[LAN Switch-GigabitEthernet0/0/1] bpdu enable
[LAN Switch-GigabitEthernet0/0/1] quit
[LAN Switch] interface gigabitethernet 0/0/2
[LAN Switch-GigabitEthernet0/0/2] l2protocol-tunnel user-defined-protocol dot1x enable
[LAN Switch-GigabitEthernet0/0/2] bpdu enable
[LAN Switch-GigabitEthernet0/0/2] quit
[LAN Switch] interface gigabitethernet 0/0/3
[LAN Switch-GigabitEthernet0/0/3] l2protocol-tunnel user-defined-protocol dot1x enable
[LAN Switch-GigabitEthernet0/0/3] bpdu enable
[LAN Switch-GigabitEthernet0/0/3] quit
18
19
Configure an ACL.
ACL 2001 allows only the NMS on network segment 192.168.1.0 to access the device.
<HUAWEI> system-view
[HUAWEI] acl 2001
[HUAWEI-acl-basic-2001] rule permit source 192.168.1.0 0.0.0.255
[HUAWEI-acl-basic-2001] rule deny source any
SNMPv1
SNMP version is v1, read/write community name is community001, and access control
is configured.
<HUAWEI> system-view
[HUAWEI] snmp-agent sys-info version v1
[HUAWEI] snmp-agent community write community001 mib-view alliso acl 2001
SNMPv2c
SNMP version is v2c, read/write community name is community001, and access control
is configured.
<HUAWEI> system-view
[HUAWEI] snmp-agent sys-info version v2c
[HUAWEI] snmp-agent community write community001 mib-view alliso acl 2001
If a user group is at the privacy level, the users and trap hosts of the user group must be at the
privacy level. If a user group is at the authentication level, the users and trap hosts of the user
group must be at the privacy or authentication level.
# Set the user name to user001, authentication password to Authe1234 and encryption
password to Priva1234.
<HUAWEI> system-view
[HUAWEI] snmp-agent usm-user v3 user001 group001 authentication-mode sha Authe1234 privacy-mode des56 Priva1234
# Set the user name to user001, authentication password to Authe@1234 and encryption
password to Priva@1234.
<HUAWEI> system-view
[HUAWEI] snmp-agent usm-user v3 user001 group group001
[HUAWEI] snmp-agent usm-user v3 user001 authentication-mode sha
Please configure the authentication password (8-64)
Enter Password:      // Enter authentication password Authe@1234.
Confirm Password:    // Enter authentication password Authe@1234.
[HUAWEI] snmp-agent usm-user v3 user001 privacy-mode aes256
Please configure the privacy password (8-64)
Enter Password:      // Enter encryption password Priva@1234.
Confirm Password:    // Enter encryption password Priva@1234.
If the trap function is not enabled for modules, each module uses the default trap configuration. To view
the default trap configuration of each module, run the display snmp-agent trap all command. The trap
function of the SNMP module is used as an example here.
2.
NOTE
After the interface is configured, the IP address of the interface is used to send traps. To ensure device
security, it is recommended that you configure a loopback interface to send traps. The trap sending
interface configured on the switch must be the same as that configured on the NMS; otherwise, the
NMS cannot receive traps. In addition, a reachable route must exist between the IP addresses of trap
sending interface and trap host.
3.
The trap version must be the same as the SNMP version configured on the device; otherwise, traps
cannot be sent to the NMS. When the version is set to v3, the security name must be the same as the
created user name; otherwise, traps cannot be sent to the NMS. For v1 and v2c there is no such
restriction on the security name.
The default UDP port number is 162. After the UDP port number is changed, you must reconfigure the
UDP port of the NMS that receives traps. If the UDP ports of the device and NMS are different, traps
cannot be sent to the NMS.
The security level of the trap host cannot be lower than the security level of the user.
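A small configuration lint for the SNMPv3 rules stated above (group, user and trap-host security levels, and the v3 security name matching a created user), added here as an example and not taken from the Huawei guide; the data layout and the function name are assumptions, and the sample definitions are constructed.

```python
# Added example (not from the Huawei guide): lint SNMPv3 group/user/trap-host
# security levels against the rules in the guide. Inputs are constructed.
LEVELS = {"none": 0, "authentication": 1, "privacy": 2}

def check_snmpv3_levels(group_level, users, trap_hosts):
    """Return a list of rule violations for one SNMPv3 user group.

    users:      {user_name: security_level}
    trap_hosts: {host_address: (security_name, security_level)}
    Rules checked:
    - users and trap hosts may not be below the group's level (a privacy
      group needs privacy everywhere; an authentication group accepts
      authentication or privacy)
    - a trap host may not be below the level of the user it sends as
    - with v3, the trap host security name must be a created user name
    """
    problems = []
    group = LEVELS[group_level]
    for name, level in users.items():
        if LEVELS[level] < group:
            problems.append(f"user {name} is {level}, below group level {group_level}")
    for host, (sec_name, level) in trap_hosts.items():
        if LEVELS[level] < group:
            problems.append(f"trap host {host} is {level}, below group level {group_level}")
        if sec_name not in users:
            problems.append(f"trap host {host} security name {sec_name} matches no user")
        elif LEVELS[level] < LEVELS[users[sec_name]]:
            problems.append(f"trap host {host} is {level}, below user {sec_name}")
    return problems
```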
In plain text:
You must enter the correct community name; otherwise, the community name cannot be
deleted.
<HUAWEI> system-view
[HUAWEI] undo snmp-agent community community001
In cipher text:
Before deleting a community name in cipher text, you must query the encrypted
community name.
<HUAWEI> system-view
[HUAWEI] display snmp-agent community
Community name:%^%#v_@eE"TW3Yw"7"Q2Vd!"/$XsX|}+GOBz8V.pEh>=x9)J,Tuy}3Mp#+X4QV5CAI^:Z;NlA3*&ta4}a53-%^%#
Group name:%^%#v_@eE"TW3Yw"7"Q2Vd!"/$XsX|}+GOBz8V.pEh>=x9)J,Tuy}3Mp#+X4QV5CAI^:Z;NlA3*&ta4}a53-%^%#
Acl: 2001
Storage-type: nonVolatile
[HUAWEI] undo snmp-agent community %#%#v_@eE"TW3Yw"7"Q2Vd!"/$XsX|}+GOBz8V.pEh>=x9)J,Tuy}3Mp#+X4QV5CAI^:Z;NlA3*&ta4}a53-%#%#
20
This chapter uses the Open Shortest Path First (OSPF) network shown in Figure 20-1 as an
example to describe common OSPF operations.
Figure 20-1 Basic OSPF network
[Figure 20-1: Area0, Area1 and Area2 with SwitchA, SwitchB, SwitchC, SwitchD, SwitchE and SwitchF. Interfaces 10GE1/0/1 and 10GE1/0/2 carry VLANIF10 (192.168.0.1/24, 192.168.0.2/24), VLANIF20 (192.168.1.1/24, 192.168.1.2/24), VLANIF30 (192.168.2.1/24, 192.168.2.2/24), VLANIF40 (172.16.1.1/24, 172.16.1.2/24), VLANIF50 (172.17.1.1/24, 172.17.1.2/24) and VLANIF60 (172.18.1.1/24).]
[SwitchA-ospf-1-area-0.0.0.0] //Enable OSPF on VLANIF10.
[SwitchA-ospf-1-area-0.0.0.0] quit
[SwitchA-ospf-1] area 1
[SwitchA-ospf-1-area-0.0.0.1] network 192.168.1.0 0.0.0.255 //Enable OSPF on VLANIF20.
[SwitchA-ospf-1-area-0.0.0.1] quit
[SwitchA-ospf-1] quit
Configuring an NSSA
In a not-so-stubby area (NSSA), an ABR does not flood AS external routes received from
other areas, similar to the situation in a stub area. The difference is that an ABR can import
and flood AS external routes to the entire OSPF domain. A border area connected to another
AS on an OSPF network is often configured as an NSSA. For example, configure Area2 as an
NSSA.
The following uses the configuration of SwitchB as an example. The configurations of other
switches in Area2 are similar to the configuration of SwitchB.
[SwitchB] ospf 1
[SwitchB-ospf-1] area 2
[SwitchB-ospf-1-area-0.0.0.2] nssa
[SwitchB-ospf-1-area-0.0.0.2] quit
[SwitchB-ospf-1] quit
# Configure SwitchB.
[SwitchB] bfd
[SwitchB-bfd] quit
[SwitchB] ospf 1
[SwitchB-ospf-1] bfd all-interfaces enable
[SwitchB-ospf-1] quit
Area Type     | Generated By  | Advertised By | LSA Type  | Flooding Area
Common area   |               | ASBR          | Type5 LSA | Common area
Stub area     | Automatically | ABR           | Type3 LSA | Stub area
NSSA          |               | ASBR          | Type7 LSA | NSSA
Totally NSSA  | Automatically | ABR           | Type3 LSA | NSSA