
S1720&S2700&S3700&S5700&S6700&S7700&S9700 Series Switches

Common Operation Guide


Issue: 05
Date: 2015-10-23

HUAWEI TECHNOLOGIES CO., LTD.

Copyright Huawei Technologies Co., Ltd. 2015. All rights reserved.


No part of this document may be reproduced or transmitted in any form or by any means without prior written
consent of Huawei Technologies Co., Ltd.

Trademarks and Permissions


and other Huawei trademarks are trademarks of Huawei Technologies Co., Ltd.
All other trademarks and trade names mentioned in this document are the property of their respective
holders.

Notice
The purchased products, services and features are stipulated by the contract made between Huawei and the
customer. All or part of the products, services and features described in this document may not be within the
purchase scope or the usage scope. Unless otherwise specified in the contract, all statements, information,
and recommendations in this document are provided "AS IS" without warranties, guarantees or
representations of any kind, either express or implied.
The information in this document is subject to change without notice. Every effort has been made in the
preparation of this document to ensure accuracy of the contents, but all statements, information, and
recommendations in this document do not constitute a warranty of any kind, express or implied.

Huawei Technologies Co., Ltd.


Address:

Huawei Industrial Base


Bantian, Longgang
Shenzhen 518129
People's Republic of China

Website:

http://e.huawei.com

Issue 05 (2015-10-23)

Huawei Proprietary and Confidential


Copyright Huawei Technologies Co., Ltd.

About This Document

Intended Audience
This document is intended for:
- Data configuration engineers
- Commissioning engineers
- Network monitoring engineers
- System maintenance engineers

Symbol Conventions
The symbols that may be found in this document are defined as follows.

Symbol / Description
- Indicates an imminently hazardous situation which, if not avoided, will result in death or serious injury.
- Indicates a potentially hazardous situation which, if not avoided, could result in death or serious injury.
- Indicates a potentially hazardous situation which, if not avoided, may result in minor or moderate injury.
- Indicates a potentially hazardous situation which, if not avoided, could result in equipment damage, data loss, performance deterioration, or unanticipated results. NOTICE is used to address practices not related to personal injury.

- Calls attention to important information, best practices and tips.
- NOTE is used to address information not related to personal injury, equipment damage, and environment deterioration.

Command Conventions
The command conventions that may be found in this document are defined as follows.

Convention         Description
Boldface           The keywords of a command line are in boldface.
Italic             Command arguments are in italics.
[ ]                Items (keywords or arguments) in brackets [ ] are optional.
{ x | y | ... }    Optional items are grouped in braces and separated by vertical bars. One item is selected.
[ x | y | ... ]    Optional items are grouped in brackets and separated by vertical bars. One item is selected or no item is selected.
{ x | y | ... }*   Optional items are grouped in braces and separated by vertical bars. A minimum of one item or a maximum of all items can be selected.
[ x | y | ... ]*   Optional items are grouped in brackets and separated by vertical bars. Several items or no item can be selected.
&<1-n>             The parameter before the & sign can be repeated 1 to n times.
#                  A line starting with the # sign is a comment.

Interface Numbering Conventions


Interface numbers used in this manual are examples and may not exist on devices. In device
configuration, use the existing interface numbers on devices.

Security Conventions

Password setting

- When configuring a password, the cipher text is recommended. To ensure device security, change the password periodically.
- When you configure a password in plain text that starts and ends with %^%#, %#%#, %@%@ or @%@% (the password can be decrypted by the device), the password is displayed in the same manner as the configured one in the configuration file. Do not use this setting.
- When you configure a password in cipher text, different features cannot use the same cipher-text password. For example, the cipher-text password set for the AAA feature cannot be used for other features.

Encryption algorithm
Currently, the device uses the following encryption algorithms: 3DES, AES, RSA, SHA1, SHA2, and MD5. 3DES, RSA, and AES are reversible, while SHA1, SHA2, and MD5 are irreversible. The algorithms DES/3DES/RSA (RSA-1024 or lower)/MD5 (in digital signature scenarios and password encryption)/SHA1 (in digital signature scenarios) have low security and may bring security risks. If the protocols allow it, using more secure algorithms such as AES/RSA (RSA-2048 or higher)/SHA2/HMAC-SHA2 is recommended. The choice of algorithm depends on the actual network. An irreversible algorithm must be used for the administrator password; SHA2 is recommended.

Personal data
Some personal data may be obtained or used during operation or fault location of your purchased products, services, or features, so you are obligated to make privacy policies and take measures according to the applicable law of the country to protect personal data.

The terms mirrored port, port mirroring, traffic mirroring, and mirroring in this manual are mentioned only to describe the product's function of communication error or failure detection, and do not involve collection or processing of any personal information or communication data of users.

Declaration
This manual is only a reference for you to configure your devices. The contents in the manual, such as web pages, command line syntax, and command outputs, are based on the device conditions in the lab. The manual provides instructions for general scenarios, but does not cover all usage scenarios of all product models. The contents in the manual may differ from your actual device situation due to differences in software versions, models, and configuration files. The manual does not list every possible difference. You should configure your devices according to the actual situation.
The specifications provided in this manual are tested in a lab environment (for example, the tested device has been installed with a certain type of board or only one protocol is run on the device). Results may differ from the listed specifications when you attempt to obtain the maximum values with multiple functions enabled on the device.

Change History
Updates between document issues are cumulative. Therefore, the latest document issue
contains all updates made in previous issues.

Changes in Issue 05 (2015-10-23)


This version has the following updates:
Some contents are modified according to updates in the product.

Changes in Issue 04 (2015-07-31)


This version has the following updates:
Some contents are modified according to updates in the product.

Changes in Issue 03 (2015-02-12)

This version has the following updates:
The following information is modified:
- 2.9 Using Basic ACL Rules to Control User Login
- 2.10 Backing Up the Configuration File
- 2.11 Restoring the Configuration File
- 2.12 Logging In to a Device Through STelnet

Changes in Issue 02 (2015-01-15)


This version has the following updates:
The matching software version V200R007C10 is added to the document.

Changes in Issue 01 (2014-10-25)


Initial commercial release.

Contents
About This Document.....................................................................................................................ii
1 Use the Quick Search Tool.......................................................................................................... 1
2 Common System Operations...................................................................................................... 2
2.1 Handling Loss of the Password for Console Port Login................................................................................................ 3
2.2 Handling Loss of the Password for Telnet Login........................................................................................................... 4
2.3 Handling Loss of the Password for Web Login..............................................................................................................5
2.4 Handling BootROM Password Loss...............................................................................................................................5
2.5 Deleting the Device Configuration.................................................................................................................................6
2.6 Configuring a Local Telnet User.................................................................................................................................... 6
2.7 Setting a User Level....................................................................................................................................................... 7
2.8 Setting Screen Display....................................................................................................................................................7
2.9 Using Basic ACL Rules to Control User Login............................................................................................................. 7
2.10 Backing Up the Configuration File.............................................................................................................................. 8
2.11 Restoring the Configuration File.................................................................................................................................. 9
2.12 Logging In to a Device Through STelnet................................................................................................................... 11

3 Common Hardware Management Operations.......................................................................13


3.1 Active/Standby Switchover.......................................................................................................................................... 14
3.2 Setting Temperature Alarm Thresholds........................................................................................................................14
3.3 Setting Temperature Thresholds for Adjusting the Fan Speed.....................................................................................14

4 Common Mirroring Operations................................................................................................16


4.1 Configuring an Observing Port.....................................................................................................................................17
4.2 Configuring Port Mirroring.......................................................................................................................................... 17
4.3 Configuring Traffic Mirroring...................................................................................................................................... 18
4.4 Deleting the Mirroring Configuration.......................................................................................................................... 20

5 Common MAC Address Operations........................................................................................21


5.1 Displaying All MAC Address Entries.......................................................................................................................... 22
5.2 Displaying MAC Address Entries Learned by an Interface......................................................................................... 22
5.3 Displaying MAC Address Entries Learned in a VLAN............................................................................................... 22
5.4 Displaying the System MAC Address..........................................................................................................................22
5.5 Displaying the MAC Address of an Interface.............................................................................................................. 23
5.6 Displaying the MAC Address of a VLANIF Interface.................................................................................................23

5.7 Configuring a Static MAC Address..............................................................................................................................23


5.8 Configuring a Blackhole MAC Address...................................................................................................................... 24
5.9 Displaying and Setting the Aging Time of MAC Addresses........................................................................................24
5.10 Configuring Port Security...........................................................................................................................................24

6 Common Ethernet Interface Operations................................................................................. 26


6.1 Configuring a Port Group............................................................................................................................................. 27
6.2 Configuring Port Isolation............................................................................................................................................ 27
6.3 Configuring the Working Mode of a Combo Interface................................................................................................ 28
6.4 Configuring the Interface Rate..................................................................................................................................... 28
6.5 Configuring the Duplex Mode......................................................................................................................................29
6.6 Switching an Interface to Layer 3 Mode...................................................................................................................... 29
6.7 One-Click Configuration Deletion on an Interface...................................................................................................... 30

7 Common Link Aggregation Operations................................................................................. 31


7.1 Adding Member Interfaces to an Eth-Trunk in a Batch............................................................................................... 32
7.2 Deleting a Specified Member Interface from an Eth-Trunk.........................................................................................32
7.3 Deleting an Eth-Trunk.................................................................................................................................................. 32
7.4 Displaying the Eth-Trunk Configuration......................................................................................................................32
7.5 Displaying Information About Eth-Trunk Member Interfaces.....................................................................................34
7.6 Displaying the Numbers of Eth-Trunks and Member Interfaces Supported by the Device......................................... 34

8 Common VLAN Operations......................................................................................................35


8.1 Creating VLANs in a Batch..........................................................................................................................................36
8.2 Adding Interfaces to a VLAN in a Batch..................................................................................................................... 36
8.3 Restoring the Default VLAN Configuration of an Interface........................................................................................ 37
8.4 Deleting a VLAN or VLANs in a Batch...................................................................................................................... 37
8.5 Changing the Link Type of an Interface....................................................................................................................... 37

9 Common QinQ Operations....................................................................................................... 40


9.1 Configuring Basic QinQ............................................................................................................................................... 41
9.2 Configuring Selective QinQ......................................................................................................................................... 41
9.3 Configuring the Device to Add Double Tags to Untagged Packets............................................................................. 42
9.4 Deleting the Selective QinQ Configuration..................................................................................................................43

10 Common STP/RSTP Operations.............................................................................................44


10.1 Enabling STP/RSTP................................................................................................................................................... 45
10.2 Disabling STP/RSTP.................................................................................................................................................. 45
10.3 Configuring Root Protection...................................................................................................................................... 45
10.4 Configuring an Edge Port........................................................................................................................................... 45
10.5 Changing the STP/RSTP Cost.................................................................................................................................... 45
10.6 Displaying the STP/RSTP Status............................................................................................................................... 46
10.7 Displaying the Root Bridge........................................................................................................................................ 46

11 Common DHCP Operations....................................................................................................47


11.1 Configuring IP Addresses Not Dynamically Assigned.............................................................................................. 49

11.2 Modifying the Lease................................................................................................................................................... 49


11.3 Assigning Fixed IP Addresses to Clients....................................................................................................................50
11.4 Withdrawing the Fixed IP Addresses Assigned to Clients......................................................................................... 50
11.5 Checking IP Addresses Used......................................................................................................................................51
11.6 Clearing Conflicting Addresses.................................................................................................................................. 51
11.7 Increasing the Address Pool Range............................................................................................................................ 52
11.8 Decreasing the Address Pool Range...........................................................................................................................53
11.9 Preventing a Device from Obtaining an IP Address from a Pseudo DHCP Server....................................................54
11.10 Disabling the DHCP Service.................................................................................................................................... 54

12 Common ARP Operations....................................................................................................... 55


12.1 Checking ARP entries................................................................................................................................................ 56
12.2 Updating ARP Entries................................................................................................................................................ 57
12.3 Setting the Aging Time of ARP Entries..................................................................................................................... 58
12.4 Configuring Static ARP Entries................................................................................................................................. 58
12.5 Configuring ARP Proxy............................................................................................................................................. 61
12.6 Shielding ARP Miss Alarms Based on Source IP Addresses.....................................................................................62
12.7 Configuring Dynamic ARP Detection........................................................................................................................62
12.8 Configuring ARP Gateway Anti-Collision.................................................................................................................63

13 Common ACL Operations....................................................................................................... 64


13.1 Deleting a Time Range............................................................................................................................................... 65
13.2 Deleting ACL and ACL6............................................................................................................................................65
13.3 Configuring a Time-Based ACL Rule........................................................................................................................ 65
13.4 Configuring a Packet Filtering Rule Based on the Source IP Address (Host Address)............................................. 66
13.5 Configuring a Packet Filtering Rule Based on the Source IP Address Segment....................................................... 66
13.6 Configuring a Packet Filtering Rule Based on the IP Fragment Information and Source IP Address Segment........66
13.7 Configuring a Packet Filtering Rule for ICMP Protocol Packets Based on Source IP Address (Host Address) and
Destination IP Address Segment........................................................................................................................................ 67
13.8 Configuring a Packet Filtering Rule for TCP Protocol Packets Based on TCP Destination Port Number, Source IP
Address (Host Address), and Destination IP Address Segment......................................................................................... 67
13.9 Configuring a Packet Filtering Rule for TCP Packets Based on the Source IP Address Segment and TCP Flags....68
13.10 Configuring Packet Filtering Rules Based on the Source MAC Address, Destination MAC Address, and Layer 2
Protocol Types.................................................................................................................................................................... 69
13.11 Configuring a Packet Filtering Rule Based on the Source MAC Address Segment and Inner VLAN IDs............. 69
13.12 Configuring Packet Filtering Rules Based on Layer 2 Headers, Offsets, Character String Masks, and UserDefined Character Strings.................................................................................................................................................. 70

14 Common QoS Operations........................................................................................................73


14.1 Configuring Interface-based Rate Limiting on the S7700/S9700.............................................................................. 74
14.2 Configuring Interface-based Rate Limiting on the S2700/S5700/S6700................................................................... 74
14.3 Deleting the Interface-based Rate Limiting Configuration on the S7700/S9700.......................................................75
14.4 Deleting the Interface-based Rate Limiting Configuration on the S2700/S5700/S6700........................................... 75
14.5 Using a Traffic Policy to Limit the Rate of Packets................................................................................................... 75
14.6 Using a Traffic Policy to Filter Packets......................................................................................................................76

14.7 Configuring Traffic Statistics in a Traffic Policy....................................................................................................... 77

15 Common IPSG Operations...................................................................................................... 80


15.1 Configuring IPSG Based on a Static Binding Table...................................................................................................81
15.2 Configuring IPSG Based on DHCP Snooping Dynamic Binding Table....................................................................82
15.3 Deleting Static Binding Entries.................................................................................................................................. 83

16 Common AAA Operations...................................................................................................... 85


16.1 Configuring Authentication for Telnet Login Users (AAA Local Authentication)................................................... 86
16.2 Setting the User Level................................................................................................................................................ 86
16.3 Configuring the Global Default Domain.................................................................................................................... 87

17 Common NAC Operations...................................................................................................... 88


17.1 Configuring MAC Address Bypass Authentication................................................................................................... 89
17.2 Configuring the Guest VLAN Function..................................................................................................................... 89
17.3 Configuring Layer 2 Transparent Transmission of 802.1x Authentication Packets...................................................90

18 Common VRRP Operations.................................................................................................... 91


18.1 Enabling the Master to Respond to Ping Packets Sent to a Virtual IP Address......................................................... 92
18.2 Configuring Association Between VRRP and the Interface Status............................................................................92
18.3 Configuring Association Between VRRP and BFD...................................................................................................92
18.4 Configuring Association Between VRRP and NQA.................................................................................................. 92
18.5 Configuring Association Between VRRP and Routing..............................................................................................93
18.6 Configuring the VRRP Version Number.................................................................................................................... 93
18.7 Configuring a Preemption Mode................................................................................................................................ 93
18.8 Configuring the Mode in Which the Master Sends VRRP Advertisement Packets in a Super-VLAN..................... 93
18.9 Enabling MAC Address Triggered ARP Entry Update..............................................................................................94

19 Common SNMP Operations....................................................................................................95


19.1 Configuring Access Control....................................................................................................................................... 96
19.2 Setting the SNMP Version and Community Name.................................................................................................... 96
19.3 Configuring User Group and User Name................................................................................................................... 96
19.4 Configuring the Device to Send Traps....................................................................................................................... 97
19.5 Deleting Community Name........................................................................................................................................98

20 Common OSPF Operations..................................................................................................... 99


1 Use the Quick Search Tool

Switch Hardware Query Tool
This tool allows you to quickly query hardware information of switches. You do not need to register a Huawei account before using this tool.

Command Query Tool
This tool shows details about commands used on switches. You do not need to register a Huawei account before using this tool.

Alarm Query Tool
This tool shows details about alarms used on switches. You do not need to register a Huawei account before using this tool.

2 Common System Operations

About This Chapter


This chapter describes common system login and file management operations, providing
instructions on how to handle password loss, configure a local user, and set screen display.
2.1 Handling Loss of the Password for Console Port Login
2.2 Handling Loss of the Password for Telnet Login
2.3 Handling Loss of the Password for Web Login
2.4 Handling BootROM Password Loss
2.5 Deleting the Device Configuration
2.6 Configuring a Local Telnet User
2.7 Setting a User Level
2.8 Setting Screen Display
2.9 Using Basic ACL Rules to Control User Login
2.10 Backing Up the Configuration File
2.11 Restoring the Configuration File
2.12 Logging In to a Device Through STelnet


2.1 Handling Loss of the Password for Console Port Login


If you forget the password for logging in through the console port, use either of the following
two methods to set a new password.

Logging In to the Switch Through STelnet or Telnet to Set a New Password

NOTICE
Telnet may bring security risks. You are advised to log in to the switch through STelnet V2.
Ensure that you have an STelnet/Telnet account and administrator rights. The following uses
the command lines and outputs of logging in to the device using STelnet as an example. After
logging in to the switch through STelnet, perform the following configuration.
# Take password authentication as an example. Set the password to Huawei@123.
<HUAWEI> system-view
[HUAWEI] user-interface console 0
[HUAWEI-ui-console0] authentication-mode password
[HUAWEI-ui-console0] set authentication password cipher Huawei@123
[HUAWEI-ui-console0] return
<HUAWEI> save

# Take AAA authentication as an example. Set the user name and password to admin123 and
Huawei@123 respectively.
<HUAWEI> system-view
[HUAWEI] user-interface console 0
[HUAWEI-ui-console0] authentication-mode aaa
[HUAWEI-ui-console0] quit
[HUAWEI] aaa
[HUAWEI-aaa] local-user admin123 password irreversible-cipher Huawei@123
[HUAWEI-aaa] local-user admin123 service-type terminal
[HUAWEI-aaa] return
<HUAWEI> save

Clearing the Lost Password Through the BootROM Menu


NOTE

If the switch has two MPUs, remove the standby MPU before performing the following operations.
After performing the following operations, install the standby MPU and run the save command to ensure
the consistent configuration on the active and standby MPUs.

You can use the BootROM menu of the switch to clear the lost password for console port
login. After starting the switch, set a new password and save your configuration. Perform the
following steps.
1. Connect the terminal to the console port of the switch and restart the switch. When the
following message is displayed, press Ctrl+B immediately and enter the BootROM
password to enter the BootROM menu.
Information displayed on modular switches:
Press Ctrl+B to enter boot menu ...
Password:                         //Enter the BootROM password.
Information displayed on fixed switches:
Press Ctrl+B or Ctrl+E to enter BootROM menu ... 2
password:                         //Enter the BootROM password.
NOTE

l Some models of fixed switches allow you to enter the BootROM menu by pressing Ctrl+E.
Perform operations as prompted on the screen.
l The default BootROM password of fixed switches is huawei in versions earlier than
V100R006C03 and Admin@huawei.com in V100R006C03 and later.
l The default BootROM password of modular switches is 9300 in V100R006 and earlier
versions, and Admin@huawei.com in versions after V100R006.

2. Select Clear password for console user on the BootROM menu to clear the password
for console port login.
3. Select Boot with default mode on the BootROM menu to start the switch as prompted.
NOTE

Do not select Reboot; otherwise, the password cannot be cleared.

4. After the switch is started, log in through the console port. Authentication is not required
when you log in. Set a password as prompted after login.
5. You can set an authentication mode and password for the console user interface
according to service requirements. The configuration is similar to that of Logging In to
the Switch Through STelnet or Telnet to Set a New Password, and is not provided
here.

2.2 Handling Loss of the Password for Telnet Login


If you forget the Telnet login password, log in to the switch through the console port and set a
new password for Telnet login.
NOTE

The following uses the command lines of the S7700 in V200R006C00 as an example.

# Logging in to the device through the console port.


1. Connect the DB9 female connector of the console cable to the COM port on the PC, and
connect the RJ45 connector to the console port on the device.
2. Start the terminal emulation software on the PC. Create a connection, select the
connected port, and set the following communication parameters:
   Baud rate : 9600
   Data bits : 8
   Stop bits : 1
   Parity : None
   Flow Control : None
3. Click Connect. Enter or configure the login password as prompted to log in to the switch.

# Take password authentication for VTY0 login as an example. Set the password to
Huawei@123.
<HUAWEI> system-view
[HUAWEI] user-interface vty 0
[HUAWEI-ui-vty0] protocol inbound telnet    //By default, switches in V200R006 and earlier versions support Telnet, and switches in V200R007 and later versions support SSH.
[HUAWEI-ui-vty0] authentication-mode password
[HUAWEI-ui-vty0] set authentication password cipher Huawei@123
[HUAWEI-ui-vty0] user privilege level 15
[HUAWEI-ui-vty0] return
<HUAWEI> save

# Take AAA authentication for VTY0 login as an example. Set the user name and password to
admin123 and Huawei@123 respectively.
<HUAWEI> system-view
[HUAWEI] user-interface vty 0
[HUAWEI-ui-vty0] protocol inbound telnet    //By default, switches in V200R006 and earlier versions support Telnet, and switches in V200R007 and later versions support SSH.
[HUAWEI-ui-vty0] authentication-mode aaa
[HUAWEI-ui-vty0] quit
[HUAWEI] aaa
[HUAWEI-aaa] local-user admin123 password irreversible-cipher Huawei@123
[HUAWEI-aaa] local-user admin123 service-type telnet
[HUAWEI-aaa] local-user admin123 privilege level 15
[HUAWEI-aaa] return
<HUAWEI> save

2.3 Handling Loss of the Password for Web Login


If you forget the web login password, log in to the switch through the console port, Telnet, or
STelnet, and set a new password for web login.

NOTICE
Telnet may bring security risks. You are advised to log in to the switch through the console
port or STelnet.
# Set the user name and password to admin123 and Huawei@123 respectively.
<HUAWEI> system-view
[HUAWEI] aaa
[HUAWEI-aaa] local-user admin123 password irreversible-cipher Huawei@123
[HUAWEI-aaa] local-user admin123 service-type http
[HUAWEI-aaa] local-user admin123 privilege level 15
[HUAWEI-aaa] return
<HUAWEI> save

2.4 Handling BootROM Password Loss


If you forget the BootROM password, log in to the switch and run the reset boot password
command in the user view to restore the default BootROM password.
l The default BootROM password of fixed switches is huawei in versions earlier than
V100R006C03 and Admin@huawei.com in V100R006C03 and later.
l The default BootROM password of modular switches is 9300 in V100R006 and earlier
versions, and Admin@huawei.com in versions after V100R006.


2.5 Deleting the Device Configuration


To clear the current configuration and restore the factory settings of a device, run the reset
saved-configuration command to clear the configuration file for the next startup, and then
restart the device. If you are prompted to save the configuration, select N so that the device
does not save the current configuration.

NOTICE
Exercise caution and follow the instructions of the technical support personnel when you run
this command.
<HUAWEI> reset saved-configuration
Warning: The action will delete the saved configuration in the device.
The configuration will be erased to reconfigure. Continue? [Y/N]:y
Warning: Now clearing the configuration in the device.
Info: Succeeded in clearing the configuration in the device.
<HUAWEI> reboot
Info: The system is now comparing the configuration, please wait.
Warning: The configuration has been modified, and it will be saved to the next
startup saved-configuration file flash:/vrpcfg.zip. Continue? [Y/N]:n    //Select "N" here.
Info: If want to reboot with saving diagnostic information, input 'N' and then
execute 'reboot save diagnostic-information'.
System will reboot! Continue?[Y/N]:y

The command outputs on your device may be different from that provided in this example.

2.6 Configuring a Local Telnet User


# Take AAA authentication as an example. Set the user name and password to admin123 and
Huawei@123 respectively.
Ensure that the Telnet function has been enabled before performing this operation.
NOTE

The following uses the command lines of the S7700 in V200R006C00 as an example.
<HUAWEI> system-view
[HUAWEI] user-interface vty 0
[HUAWEI-ui-vty0] protocol inbound telnet    //By default, switches in V200R006 and earlier versions support Telnet, and switches in V200R007 and later versions support SSH.
[HUAWEI-ui-vty0] authentication-mode aaa
[HUAWEI-ui-vty0] quit
[HUAWEI] aaa
[HUAWEI-aaa] local-user admin123 password irreversible-cipher Huawei@123
[HUAWEI-aaa] local-user admin123 service-type telnet
[HUAWEI-aaa] local-user admin123 privilege level 15
[HUAWEI-aaa] return
<HUAWEI> save


2.7 Setting a User Level


When password authentication or none authentication is used, use the following method to set
a user level. Take the VTY user interface as an example.
<HUAWEI> system-view
[HUAWEI] user-interface vty 0
[HUAWEI-ui-vty0] user privilege level 15    //Set the user level to 15 for the VTY 0 user interface.

When AAA authentication is used, use the following methods (in descending order of
priorities) to set a user level. Take the VTY user interface as an example.
l Set a user level for a single user.
<HUAWEI> system-view
[HUAWEI] aaa
[HUAWEI-aaa] local-user user1 privilege level 15    //Set the user level of user1 to 15.
l Set a user level for all users in a domain.
<HUAWEI> system-view
[HUAWEI] aaa
[HUAWEI-aaa] service-scheme sch1
[HUAWEI-aaa-service-sch1] admin-user privilege level 15    //Set the user level to 15.
[HUAWEI-aaa-service-sch1] quit
[HUAWEI-aaa] domain domain1
[HUAWEI-aaa-domain-domain1] service-scheme sch1    //Bind the service scheme sch1 to domain1.
l Set a user level for all users that log in through a specified user interface.
<HUAWEI> system-view
[HUAWEI] user-interface maximum-vty 15    //Set the maximum number of VTY user interfaces to 15.
[HUAWEI] user-interface vty 0 14    //Enter the VTY user interfaces VTY 0 to VTY 14.
[HUAWEI-ui-vty0-14] user privilege level 15    //Set the user level to 15 for the VTY user interfaces VTY 0 to VTY 14.

2.8 Setting Screen Display


Run the screen-length screen-length [ temporary ] command in the user view or user
interface view to set the number of rows to be displayed on a screen. The parameter
temporary is mandatory when you run this command in the user view and specifies the
number of rows to be temporarily displayed on a terminal screen. The default number of rows
is 24.
In V200R005 and earlier versions, run the screen-width screen-length command in any view
to set the number of columns to be displayed on the screen. The default number of columns is
80. Each character is a column. In versions after V200R005, the number of columns displayed
on a terminal screen cannot be set using this command. The device automatically adjusts the
number of columns displayed on a terminal screen.

2.9 Using Basic ACL Rules to Control User Login


After logging in to a device using Telnet or STelnet, you can configure ACL rules so that
only users with the specified IP addresses or on the specified network segments can log in to
the device.

NOTE

The Telnet protocol will bring risks to network security. The STelnet V2 mode is recommended.

The following operation assumes that the user logs in to the device using Telnet or STelnet.
# Configure rules in ACL 2005 to allow only the user at 192.168.1.5 and users on network
segment 10.10.5.0/24 to log in to the VTY interfaces 0 to 4.
<HUAWEI> system-view
[HUAWEI] acl 2005
[HUAWEI-acl-basic-2005] rule permit source 192.168.1.5 0    //Allow only the user at 192.168.1.5 to log in to the device.
[HUAWEI-acl-basic-2005] rule permit source 10.10.5.0 0.0.0.255    //Allow only users on the network segment 10.10.5.0/24 to log in to the device.
[HUAWEI-acl-basic-2005] quit
[HUAWEI] user-interface vty 0 4
[HUAWEI-ui-vty0-4] acl 2005 inbound
[HUAWEI-ui-vty0-4] quit
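The following Python script is an added example and is not part of the Huawei guide. It models the two rules of ACL 2005 above so that an administrator can check, before applying acl 2005 inbound to the VTY user interfaces, exactly which management hosts will still be able to log in. Assumptions not stated in the guide: rules are tested in the order listed and the first match decides, and a source that matches no rule is treated as denied (the guide only says the ACL "allows only" the listed sources). Wildcard masks use the usual semantics: a 0 bit must match, a 1 bit is ignored.

```python
"""Evaluate a Huawei-style basic ACL against candidate login sources.

Added example, not from the Huawei guide. Assumptions: first matching rule
decides; an address matching no rule gets the `default` action (deny here).
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class BasicRule:
    action: str     # "permit" or "deny"
    source: str     # dotted-quad source address
    wildcard: str   # dotted-quad wildcard mask, or the CLI shorthand "0"


def _addr_to_int(dotted: str) -> int:
    return int(ipaddress.IPv4Address(dotted))


def _wildcard_to_int(wildcard: str) -> int:
    # The CLI accepts "0" as shorthand for 0.0.0.0 (exact host match).
    return 0 if wildcard == "0" else _addr_to_int(wildcard)


def parse_rule(line: str) -> BasicRule:
    """Parse 'rule [id] permit|deny source <addr> <wildcard>' or '... source any'."""
    toks = line.split()
    if not toks or toks[0] != "rule":
        raise ValueError(f"not a rule line: {line!r}")
    i = 1
    if toks[i].isdigit():       # optional rule ID
        i += 1
    action = toks[i]
    if action not in ("permit", "deny"):
        raise ValueError(f"unknown action in {line!r}")
    if toks[i + 1] != "source":
        raise ValueError(f"only 'source' rules are handled: {line!r}")
    if toks[i + 2] == "any":
        return BasicRule(action, "0.0.0.0", "255.255.255.255")
    return BasicRule(action, toks[i + 2], toks[i + 3])


def rule_matches(rule: BasicRule, addr: str) -> bool:
    """True when every bit that is 0 in the wildcard agrees between rule.source and addr."""
    care = ~_wildcard_to_int(rule.wildcard) & 0xFFFFFFFF
    return (_addr_to_int(rule.source) & care) == (_addr_to_int(addr) & care)


def evaluate(rules, addr: str, default: str = "deny") -> str:
    """Return the action of the first matching rule, or `default` if none matches."""
    for rule in rules:
        if rule_matches(rule, addr):
            return rule.action
    return default


# The two rules configured in ACL 2005 in the section above.
ACL_2005 = [
    parse_rule("rule permit source 192.168.1.5 0"),
    parse_rule("rule permit source 10.10.5.0 0.0.0.255"),
]

if __name__ == "__main__":
    for host in ("192.168.1.5", "192.168.1.6", "10.10.5.77", "10.10.6.1"):
        print(f"{host:14s} -> {evaluate(ACL_2005, host)}")
```

Running the script shows that 192.168.1.5 and any host in 10.10.5.0/24 are permitted while 192.168.1.6 and 10.10.6.1 fall through to the default and are denied; if an administrator's own workstation is in the denied set, the ACL should be corrected before it is bound to the VTY user interfaces.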

2.10 Backing Up the Configuration File


If a device is damaged unexpectedly, the configuration file cannot be recovered. To prevent
configuration loss, you can back up the configuration file using FTP. Assume that the PC's IP
address is 10.110.24.254/24 and the device's IP address is 10.136.23.5/24.
l When the device serves as an FTP server and the PC serves as an FTP client:
# Configure the FTP function for the device and information about an FTP user.
<HUAWEI> system-view
[HUAWEI] ftp server enable
[HUAWEI] aaa
[HUAWEI-aaa] local-user admin1234 password irreversible-cipher Helloworld@6789
[HUAWEI-aaa] local-user admin1234 privilege level 15
[HUAWEI-aaa] local-user admin1234 service-type ftp
[HUAWEI-aaa] local-user admin1234 ftp-directory cfcard:/
[HUAWEI-aaa] quit
[HUAWEI] quit

# Save the current configuration on the device.


<HUAWEI> save

# Connect the PC to the device using FTP. Enter the user name admin1234 and
password Helloworld@6789 and set the file transfer mode to binary.
The following example assumes that the PC runs the Windows XP operating system.
C:\Documents and Settings\Administrator> ftp 10.136.23.5
Connected to 10.136.23.5.
220 FTP service ready.
User (10.136.23.5:(none)): admin1234
331 Password required for admin1234.
Password:
230 User logged in.
ftp> binary
200 Type set to I.
ftp>

# Back up the configuration file of the device to the PC.


ftp> get vrpcfg.zip
200 Port command okay.
150 Opening BINARY mode data connection for vrpcfg.zip.
226 Transfer complete.
ftp: 1257 bytes received in 0.03Seconds 40.55Kbytes/sec.

l When the PC serves as an FTP server and the device serves as an FTP client:
# Start the FTP server program.
Start the FTP server program on the PC. Specify the FTP working directory where the
configuration file is to be saved, and the IP address, port number, user name, and
password of the FTP server.
# Save the current configuration on the device.
<HUAWEI> save

# Log in to the FTP server.


<HUAWEI> ftp 10.110.24.254
Trying 10.110.24.254 ...
Press CTRL+K to abort
Connected to 10.110.24.254.
220 WFTPD 2.0 service (by Texas Imperial Software) ready for new user    //WFTPD is the local FTP server program.
User(10.135.86.164:(none)):admin123    //Enter the user name.
331 Give me your password, please
Enter password:    //Enter the password.
230 Logged in successfully
[ftp]

# Back up the configuration file of the device to the PC.


[ftp] put config.cfg
200 Port command successful.
150 Opening data connection for config.cfg.
226 File received ok
FTP: 1257 byte(s) sent in 0.03 second(s) 40.55Kbyte(s)/sec.
NOTE

l After the configuration file is transferred to the PC, check whether the size of the configuration
file on the PC is the same as that on the device. If not, an exception may occur during file
backup. Back up the configuration file again.
l To transfer the configuration file in a simpler way, configure the PC as the TFTP server and
the device as the TFTP client. The configuration procedure is similar to the procedure when
the PC serves as an FTP server and the device serves as an FTP client, except that the user
name and password are not required for configuring the TFTP server. You only need to run the
tftp 10.110.24.254 put config.cfg command on the device.
l TFTP has no authentication or authorization mechanism, whereas FTP has authentication and
authorization mechanisms. TFTP and FTP both transfer data in plaintext, which brings
security risks, so they are suitable only for networks with good security conditions. If you
have a high requirement for network security, SFTP V2, SCP, or FTPS is recommended.

2.11 Restoring the Configuration File


When misconfigurations cause exceptions on a device, transfer the backup configuration file
to the device and specify the downloaded configuration file for the next startup. Assume that
the IP address of the PC that saves the configuration file is 10.110.24.254/24 and the device's
IP address is 10.136.23.5/24.
1. Transfer the backup configuration file to the device using FTP.
When the device serves as an FTP server and the PC serves as an FTP client:
# Configure the FTP function for the device and information about an FTP user.
<HUAWEI> system-view
[HUAWEI] ftp server enable
[HUAWEI] aaa
[HUAWEI-aaa] local-user admin1234 password irreversible-cipher Helloworld@6789
[HUAWEI-aaa] local-user admin1234 privilege level 15
[HUAWEI-aaa] local-user admin1234 service-type ftp
[HUAWEI-aaa] local-user admin1234 ftp-directory cfcard:/
[HUAWEI-aaa] quit
[HUAWEI] quit

# Connect the PC to the device using FTP. Enter the user name admin1234 and
password Helloworld@6789 and set the file transfer mode to binary.
The following example assumes that the PC runs the Windows XP operating
system.
C:\Documents and Settings\Administrator> ftp 10.136.23.5
Connected to 10.136.23.5.
220 FTP service ready.
User (10.136.23.5:(none)): admin1234
331 Password required for admin1234.
Password:
230 User logged in.
ftp> binary
200 Type set to I.
ftp>

# Upload the backup configuration file to the device.


ftp> put vrpcfg.zip
200 Port command okay.
150 Opening BINARY mode data connection for vrpcfg.zip.
226 Transfer complete.
ftp: 1257 bytes sent in 0.03 Seconds 40.55Kbytes/sec.

When the PC serves as an FTP server and the device serves as an FTP client:
# Start the FTP server program.
Start the FTP server program on the PC. Specify the FTP working directory where
the configuration file is saved, and the IP address, port number, user name, and
password of the FTP server.
# Log in to the FTP server.
<HUAWEI> ftp 10.110.24.254
Trying 10.110.24.254 ...
Press CTRL+K to abort
Connected to 10.110.24.254.
220 WFTPD 2.0 service (by Texas Imperial Software) ready for new user    //WFTPD is the local FTP server program.
User(10.135.86.164:(none)):admin123    //Enter the user name.
331 Give me your password, please
Enter password:    //Enter the password.
230 Logged in successfully
[ftp]

# Download the backup configuration file to the device.


[ftp] get config.cfg
Warning: The file config.cfg already exists. Overwrite it? [Y/N]:Y
//Overwrite the current configuration file on the device. To reserve the
current configuration file, enter N to stop the file upload. Change the
name of the configuration file on the FTP server to different from that
on the device. Download the configuration file from the FTP server.
200 Port command successful.
150 Opening data connection for config.cfg.
226 File sent ok
FTP: 1257 byte(s) received in 0.03 second(s) 40.55byte(s)/sec.
[ftp] bye


NOTE

l After the configuration file is transferred to the device, check whether the size of the
configuration file on the PC is the same as that on the device. If not, an exception may
occur during file transfer. Transfer the file again.
l To transfer the configuration file in a simpler way, configure the PC as the TFTP server
and the device as the TFTP client. The configuration procedure is similar to the
procedure when the PC serves as an FTP server and the device serves as an FTP client.
The only difference is that the user name and password are not required for configuring
the TFTP server. You only need to run the tftp 10.110.24.254 get config.cfg command
on the device.
l TFTP has no authentication or authorization mechanism, whereas FTP has
authentication and authorization mechanisms. TFTP and FTP both transfer data in
plaintext, which brings security risks, so they are suitable only for networks with good
security conditions. If you have a high requirement for network security, SFTP V2, SCP,
or FTPS is recommended.
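The notes in 2.10 and 2.11 both say to compare the size of the transferred configuration file with the size on the device. The following Python script is an added example, not part of the Huawei guide, that automates that check: it takes the byte count from the FTP client's transfer summary line (both the Windows "ftp: 1257 bytes received ..." form and the switch's "FTP: 1257 byte(s) sent ..." form shown above), compares it with the file actually written, and records a SHA-256 digest so that a later restore can be checked against the backup by content rather than by size alone. The sample file and the transfer lines used in demo() are constructed.

```python
"""Verify a configuration backup after an FTP transfer.

Added example, not from the Huawei guide. The transfer-summary lines and
the 1257-byte stand-in file in demo() are constructed for illustration.
"""
import hashlib
import os
import re
import tempfile

# Matches "ftp: 1257 bytes received ..." and "FTP: 1257 byte(s) sent ..." (case-insensitive).
_FTP_SUMMARY = re.compile(r"(?i)\bftp:\s*(\d+)\s*byte")


def reported_bytes(ftp_line: str) -> int:
    """Byte count that the FTP client reported for the transfer."""
    m = _FTP_SUMMARY.search(ftp_line)
    if m is None:
        raise ValueError(f"no FTP transfer summary in {ftp_line!r}")
    return int(m.group(1))


def sha256_of(path: str) -> str:
    """Hex SHA-256 of the file, read in chunks so large files are not loaded at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_backup(ftp_line: str, path: str) -> dict:
    """Compare the reported transfer size with the file on disk and record its digest."""
    reported = reported_bytes(ftp_line)
    actual = os.path.getsize(path)
    return {
        "reported": reported,
        "actual": actual,
        "match": reported == actual,
        "sha256": sha256_of(path),
    }


def demo() -> tuple:
    """Constructed scenario: one complete transfer and one truncated transfer."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "vrpcfg.zip")
        with open(path, "wb") as f:          # constructed 1257-byte stand-in for the real file
            f.write(b"\x00" * 1257)
        complete = verify_backup("ftp: 1257 bytes received in 0.03Seconds 40.55Kbytes/sec.", path)
        with open(path, "wb") as f:          # simulate a transfer that was cut short
            f.write(b"\x00" * 1200)
        truncated = verify_backup("FTP: 1257 byte(s) sent in 0.03 second(s) 40.55Kbyte(s)/sec.", path)
        return complete["match"], truncated["match"]


if __name__ == "__main__":
    print(demo())   # (True, False)
```

A size mismatch means the transfer should be repeated, as the note says; storing the digest alongside the backup lets the restore procedure in 2.11 confirm that the file placed on the device is the one that was backed up.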

2. Specify the backup configuration file for the next startup.
<HUAWEI> startup saved-configuration config.cfg
<HUAWEI> display startup
MainBoard:
  Configured startup system software:        cfcard:/device_software.cc
  Startup system software:                   cfcard:/device_software.cc
  Next startup system software:              cfcard:/device_software.cc
  Startup saved-configuration file:          cfcard:/config_old.cfg    //Current configuration file name.
  Next startup saved-configuration file:     cfcard:/config.cfg        //Name of the configuration file for the next startup.
  Startup paf file:                          default
  Next startup paf file:                     default
  Startup license file:                      default
  Next startup license file:                 default
  Startup patch package:                     NULL
  Next startup patch package:                NULL
<HUAWEI> reboot    //Restart the device.
Info: The system is now comparing the configuration, please wait.
Warning: The configuration has been modified, and it will be saved to the
next startup saved-configuration file cfcard:/config.cfg. Continue? [Y/N]:N    //Enter N to prevent the device configuration from being saved in the backup configuration file.
Now saving the current configuration to the slot 13.
Save the configuration successfully.
Info: If want to reboot with saving diagnostic information, input 'N' and
then execute 'reboot save diagnostic-information'.
System will reboot! Continue?[Y/N]:Y    //Enter Y to restart the device.

2.12 Logging In to a Device Through STelnet


AAA authentication is used as an example. Set the user name to admin123 and password to
Huawei@123.
# Generate a local key pair on the server.
<HUAWEI> system-view
[HUAWEI] dsa local-key-pair create
Info: The key name will be: HUAWEI_Host_DSA.
Info: The key modulus can be any one of the following : 512, 1024, 2048.
Info: If the key modulus is greater than 512, it may take a few minutes.
Please input the modulus [default=2048]:
Info: Generating keys...
Info: Succeeded in creating the DSA host keys.

# Configure VTY user interfaces on the device.
[HUAWEI] user-interface vty 0 4
[HUAWEI-ui-vty0-4] authentication-mode aaa
[HUAWEI-ui-vty0-4] protocol inbound ssh
[HUAWEI-ui-vty0-4] quit

NOTICE
If the protocol supported by VTY user interfaces 0 to 4 is changed from Telnet to SSH, users
cannot log in to the device using Telnet after logout. In this case, configure VTY user
interfaces 0 to 4 to support all protocols first. Configure STelnet and then run the protocol
inbound ssh command to configure VTY user interfaces 0 to 4 to support SSH.
# Create an SSH user named admin123 and configure the password authentication mode
for the user.
[HUAWEI] aaa
[HUAWEI-aaa] local-user admin123 password irreversible-cipher Huawei@123
[HUAWEI-aaa] local-user admin123 service-type ssh
[HUAWEI-aaa] local-user admin123 privilege level 15
[HUAWEI-aaa] quit
[HUAWEI] ssh user admin123 authentication-type password

# Enable the STelnet service.


[HUAWEI] stelnet server enable

# Configure the STelnet service type for the user admin123.


[HUAWEI] ssh user admin123 service-type stelnet

# Log in to the device using the third-party software (such as PuTTY). Enter the device IP
address, select SSH, and enter the user name and password to log in to the device through
STelnet.
To verify the STelnet login, run the ssh client first-time enable and stelnet 127.0.0.1
commands in system view to log in to the device. If the login page is displayed, the
configuration succeeds. If the login page is not displayed, the configuration fails.
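Sections 2.2, 2.7, 2.9 and 2.12 together describe what a hardened VTY configuration looks like: SSH rather than Telnet as the inbound protocol, an inbound ACL limiting login sources, and an authentication mode other than none. The following Python script is an added example and is not part of the Huawei guide; it parses the user-interface blocks of a configuration dump and reports which VTY ranges miss one of those settings. It assumes the usual display current-configuration layout (a user-interface header line, indented member commands, blocks separated by "#"); SAMPLE_CONFIG is a constructed excerpt, not output from a real device.

```python
"""Audit VTY user-interface settings in a Huawei-style configuration dump.

Added example, not from the Huawei guide. SAMPLE_CONFIG is constructed.
"""
from typing import Dict, List, Tuple

# Constructed excerpt in display current-configuration layout, not from a real device.
SAMPLE_CONFIG = """\
#
user-interface con 0
 authentication-mode aaa
user-interface vty 0 4
 acl 2005 inbound
 authentication-mode aaa
 protocol inbound ssh
user-interface vty 5 14
 authentication-mode password
 protocol inbound all
#
"""


def parse_user_interfaces(config: str) -> Dict[str, List[str]]:
    """Map each user-interface name (e.g. 'vty 0 4') to its member commands."""
    blocks: Dict[str, List[str]] = {}
    current = None
    for raw in config.splitlines():
        line = raw.rstrip()
        if line.startswith("user-interface "):
            current = line[len("user-interface "):].strip()
            blocks[current] = []
        elif line.startswith(" ") and current is not None:
            blocks[current].append(line.strip())    # indented line belongs to the open block
        elif line.strip() == "#":
            current = None                          # "#" closes the block
    return blocks


def audit_vty(blocks: Dict[str, List[str]]) -> List[Tuple[str, str]]:
    """Return (interface, finding) pairs for VTY blocks only."""
    findings: List[Tuple[str, str]] = []
    for name, cmds in blocks.items():
        if not name.startswith("vty"):
            continue
        proto = next((c.split()[-1] for c in cmds if c.startswith("protocol inbound ")), None)
        if proto in ("telnet", "all"):
            findings.append((name, f"protocol inbound {proto} permits Telnet; prefer STelnet (SSH)"))
        elif proto is None:
            # The guide notes the default differs between V200R006 and V200R007+.
            findings.append((name, "protocol inbound not set; the default depends on the software version"))
        if not any(c.startswith("acl ") and c.endswith(" inbound") for c in cmds):
            findings.append((name, "no inbound ACL restricts which hosts may log in"))
        if "authentication-mode none" in cmds:
            findings.append((name, "authentication-mode none allows login without authentication"))
    return findings


if __name__ == "__main__":
    for iface, msg in audit_vty(parse_user_interfaces(SAMPLE_CONFIG)):
        print(f"{iface}: {msg}")
```

On the constructed sample, vty 0 4 passes and vty 5 14 is reported twice (Telnet still permitted through protocol inbound all, and no inbound ACL), which is the kind of leftover that the NOTICE above warns about when an interface is switched to SSH only after STelnet has been configured.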

3 Common Hardware Management Operations

About This Chapter


This chapter describes common hardware management operations.
3.1 Active/Standby Switchover
3.2 Setting Temperature Alarm Thresholds
3.3 Setting Temperature Thresholds for Adjusting the Fan Speed


3.1 Active/Standby Switchover


In a stack containing multiple fixed switches, you can manually switch the master and
standby switches during software upgrade or system maintenance. After the active/standby
switchover is complete, the original master switch joins the stack after restarting, and the
original standby switch becomes the new master switch.
During software upgrade or system maintenance, you can manually perform an active/standby
switchover on MPUs. After the active/standby switchover is performed, the running active
MPU restarts. The standby MPU becomes the new active MPU.
# To perform an active/standby switchover in the system, run the following commands.
<HUAWEI> system-view
[HUAWEI] slave switchover enable
[HUAWEI] slave switchover
Warning: This operation will switch the slave board to the master board.
Continue? [Y/N]:y

3.2 Setting Temperature Alarm Thresholds


The ambient temperature and device running time affect the device temperature. A higher
ambient temperature and a longer device running time indicate a higher temperature of the
device. When the device temperature exceeds the specified range, the device service life and
performance are reduced. To prevent the device from overheating, set temperature alarm
thresholds for the device. When the device temperature exceeds the specified range, the
device sends an alarm to the NMS to alert the administrator. The administrator can then
take measures to lower the temperature.
NOTE

Only fixed switches support the configuration of temperature alarm thresholds.

# To set the lower temperature alarm threshold to 20°C and upper temperature alarm threshold
to 45°C on a device with slot ID 0, run the following commands:
<HUAWEI> system-view
[HUAWEI] temperature threshold slot 0 lower-limit 20 upper-limit 45

3.3 Setting Temperature Thresholds for Adjusting the Fan Speed

By default, the device uses fixed temperature thresholds to increase and decrease the fan
speed. The fan speed increases when the device temperature exceeds the upper threshold and
decreases when the device temperature falls below the lower threshold. If you want to keep
the device working at a lower temperature, set lower fixed temperature thresholds. When the
device temperature reaches the lowered threshold for increasing the fan speed, the fan speed
will increase. The fan speed will not decrease until the device temperature falls below the
lower threshold for lowering the fan speed.
To view the original temperature thresholds and the adjusted thresholds, run the display fan
speed-adjust threshold minus command.

# To reduce temperature thresholds for adjusting the fan speed by 10°C, run the following
commands.
<HUAWEI> system-view
[HUAWEI] set fan speed-adjust threshold minus 10
Info: Succeeded in setting the fan speed-adjust threshold.

4 Common Mirroring Operations

About This Chapter


This chapter describes common mirroring operations.
4.1 Configuring an Observing Port
4.2 Configuring Port Mirroring
4.3 Configuring Traffic Mirroring
4.4 Deleting the Mirroring Configuration


4.1 Configuring an Observing Port


A physical port must be configured as an observing port before the mirroring function is
configured. You can configure a single observing port or multiple observing ports in a batch.
Observing ports configured in a batch are added to an observing port group. After a mirrored
port is configured, the mirrored port is bound to the observing port group. Therefore, such
batch configuration is usually performed in 1:N mirroring to simplify the configuration.

Configuring a Single Observing Port


l Configure a local observing port, which directly connects to a monitoring device.
<HUAWEI> system-view
[HUAWEI] observe-port 1 interface gigabitethernet 1/0/1
l Configure a Layer 2 remote observing port, which forwards mirroring packets to a
monitoring device across a Layer 2 network.
<HUAWEI> system-view
[HUAWEI] observe-port 1 interface gigabitethernet 1/0/1 vlan 10
l Configure a Layer 3 remote observing port, which forwards mirroring packets to a
monitoring device across a Layer 3 network. (Only S7700/S9700 support the
configuration of a Layer 3 remote observing port.)
<HUAWEI> system-view
[HUAWEI] observe-port 1 interface gigabitethernet 1/0/1 destination-ip 10.1.1.1 source-ip 10.2.2.2

Configure Observing Ports in a Batch (only in V200R005 and Later Versions)


l Configure local observing ports in a batch, which directly connect to monitoring devices.
<HUAWEI> system-view
[HUAWEI] observe-port 1 interface-range gigabitethernet 1/0/1 to gigabitEthernet 1/0/3
l Configure Layer 2 remote observing ports in a batch, which forward mirroring packets to
monitoring devices across a Layer 2 network.
<HUAWEI> system-view
[HUAWEI] observe-port 1 interface-range gigabitethernet 1/0/1 to gigabitEthernet 1/0/3 vlan 10

Layer 3 remote observing ports cannot be configured in a batch.

4.2 Configuring Port Mirroring


Configuring 1:1 Port Mirroring
You can copy packets on a mirrored port to an observing port. For example, copy incoming
packets (received packets) on mirrored port GE2/0/1 to observing port GE1/0/1. GE1/0/1 is
directly connected to a monitoring device.
<HUAWEI> system-view
[HUAWEI] observe-port 1 interface gigabitethernet 1/0/1
[HUAWEI] interface gigabitethernet 2/0/1
[HUAWEI-GigabitEthernet2/0/1] port-mirroring to observe-port 1 inbound

Configuring 1:N Port Mirroring


You can copy packets on one mirrored port to N observing ports. For example, copy incoming
packets (received packets) on mirrored port GE2/0/1 to observing ports GE1/0/1 through
GE1/0/3. These observing ports are directly connected to monitoring devices.
- Configure observing ports one by one.
<HUAWEI> system-view
[HUAWEI] observe-port 1 interface gigabitethernet 1/0/1
[HUAWEI] observe-port 2 interface gigabitethernet 1/0/2
[HUAWEI] observe-port 3 interface gigabitethernet 1/0/3
[HUAWEI] interface gigabitethernet 2/0/1
[HUAWEI-GigabitEthernet2/0/1] port-mirroring to observe-port 1 inbound
[HUAWEI-GigabitEthernet2/0/1] port-mirroring to observe-port 2 inbound
[HUAWEI-GigabitEthernet2/0/1] port-mirroring to observe-port 3 inbound

- Configure observing ports in a batch (only in V200R005 and later versions).
<HUAWEI> system-view
[HUAWEI] observe-port 1 interface-range gigabitethernet 1/0/1 to gigabitethernet 1/0/3
[HUAWEI] interface gigabitethernet 2/0/1
[HUAWEI-GigabitEthernet2/0/1] port-mirroring to observe-port 1 inbound

Configuring N:1 Port Mirroring


You can copy packets on N mirrored ports to one observing port. For example, copy incoming
packets (received packets) on mirrored ports GE2/0/1 through GE2/0/3 to observing port
GE1/0/1. GE1/0/1 is directly connected to a monitoring device.
<HUAWEI> system-view
[HUAWEI] observe-port 1 interface gigabitethernet 1/0/1
[HUAWEI] interface gigabitethernet 2/0/1
[HUAWEI-GigabitEthernet2/0/1] port-mirroring to observe-port 1 inbound
[HUAWEI-GigabitEthernet2/0/1] quit
[HUAWEI] interface gigabitethernet 2/0/2
[HUAWEI-GigabitEthernet2/0/2] port-mirroring to observe-port 1 inbound
[HUAWEI-GigabitEthernet2/0/2] quit
[HUAWEI] interface gigabitethernet 2/0/3
[HUAWEI-GigabitEthernet2/0/3] port-mirroring to observe-port 1 inbound
[HUAWEI-GigabitEthernet2/0/3] quit

Related Content
Support Community:
- Mirroring an Effective Network Monitoring Tool (Working Mechanism and Configuration)
- Mirroring an Effective Network Monitoring Tool (Specifications)
Videos:
- How to Configure Port Mirroring

4.3 Configuring Traffic Mirroring


Traffic mirroring is a feature that copies a specified type of packets received and sent by
devices, ports, or VLANs to observing ports connected to monitoring devices. Monitoring
devices monitor only the specified type of packets.
Traffic mirroring can be configured based on ACLs or on Modular Quality of Service
Command-Line Interface (MQC) (complex traffic classification). ACL-based traffic mirroring
is easy to configure but supports fewer packet types than MQC-based traffic mirroring and
supports only inbound traffic mirroring. MQC-based traffic mirroring is more complex to
configure but supports more packet types and both inbound and outbound traffic mirroring.

Implementing Traffic Mirroring Using ACLs

1. Configure an observing port as described in 4.1 Configuring an Observing Port. For
example, configure a local observing port GE1/0/1 that is directly connected to a
monitoring device.
<HUAWEI> system-view
[HUAWEI] observe-port 1 interface gigabitethernet 1/0/1

2. Create an ACL. For example, create a Layer 2 ACL to match packets with 802.1p
priority 6.
[HUAWEI] acl 4001
[HUAWEI-acl-L2-4001] rule permit 8021p 6
[HUAWEI-acl-L2-4001] quit

3. Configure traffic mirroring. For example:
- Copy packets with 802.1p priority 6 in the inbound direction of all the ports on the
device to observing port GE1/0/1.
[HUAWEI] traffic-mirror inbound acl 4001 to observe-port 1
- Copy packets with 802.1p priority 6 in the inbound direction of all the ports in
VLAN 10 to observing port GE1/0/1.
[HUAWEI] traffic-mirror vlan 10 inbound acl 4001 to observe-port 1
- Copy packets with 802.1p priority 6 in the inbound direction of GE2/0/1 to
observing port GE1/0/1.
[HUAWEI] interface gigabitethernet 2/0/1
[HUAWEI-GigabitEthernet2/0/1] traffic-mirror inbound acl 4001 to observe-port 1

Implementing Traffic Mirroring Using Complex Traffic Classification

1. Configure an observing port as described in 4.1 Configuring an Observing Port. For
example, configure a local observing port GE1/0/1 that is directly connected to a
monitoring device.
<HUAWEI> system-view
[HUAWEI] observe-port 1 interface gigabitethernet 1/0/1

2. Create a traffic classifier. For example, create a traffic classifier c1 to match packets with
802.1p priority 6.
[HUAWEI] traffic classifier c1
[HUAWEI-classifier-c1] if-match 8021p 6
[HUAWEI-classifier-c1] quit

3. Create a traffic behavior with the mirroring action. For example, create a traffic behavior
b1 and set the action to traffic mirroring.
[HUAWEI] traffic behavior b1
[HUAWEI-behavior-b1] mirroring to observe-port 1
[HUAWEI-behavior-b1] quit

4. Create a traffic policy and bind the traffic classifier and traffic behavior to it. For
example, create a traffic policy p1 and bind traffic classifier c1 and traffic behavior b1
to the traffic policy.
[HUAWEI] traffic policy p1
[HUAWEI-trafficpolicy-p1] classifier c1 behavior b1
[HUAWEI-trafficpolicy-p1] quit

5. Apply the traffic policy. For example:
- Copy packets with 802.1p priority 6 in the inbound direction of all the ports on the
device to observing port GE1/0/1.
[HUAWEI] traffic-policy p1 global inbound
- Copy packets with 802.1p priority 6 in the inbound direction of all the ports in
VLAN 10 to observing port GE1/0/1.
[HUAWEI] vlan 10
[HUAWEI-vlan10] traffic-policy p1 inbound
- Copy packets with 802.1p priority 6 in the inbound direction of GE2/0/1 to
observing port GE1/0/1.
[HUAWEI] interface gigabitethernet 2/0/1
[HUAWEI-GigabitEthernet2/0/1] traffic-policy p1 inbound

4.4 Deleting the Mirroring Configuration


If you want to delete the mirroring configuration after using the mirroring function, you can
perform the following operations:
1. Run the display current-configuration command to check the current mirroring
configuration. For example, you can view the following mirroring configuration.
<HUAWEI> display current-configuration
#
vlan batch 10 20 30
#
observe-port 2 interface GigabitEthernet1/0/1
...
...
#
interface GigabitEthernet1/0/1
#
interface GigabitEthernet1/0/2
...
...
#
interface GigabitEthernet2/0/1
port-mirroring to observe-port 2 inbound
#
...
...

2. Run the undo port-mirroring command on the mirrored port to delete the binding
between the observing port and mirrored port and restore the mirrored port as a common
port. For example, restore GE2/0/1 in step 1 to a common port.
<HUAWEI> system-view
[HUAWEI] interface gigabitethernet 2/0/1
[HUAWEI-GigabitEthernet2/0/1] undo port-mirroring to observe-port 2 inbound
[HUAWEI-GigabitEthernet2/0/1] quit

3. Run the undo observe-port command in the system view to delete the observing port.
For example, delete the observing port in step 1 and restore GE1/0/1 to a common port.
[HUAWEI] undo observe-port 2

You can delete the observing port only after deleting the binding between the observing
port and mirrored port.
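The three steps above can be driven from the switch's own display current-configuration output, which is also how an operator audits for mirroring sessions nobody configured deliberately. The following Python script is an added example, not Huawei tooling: it parses the observe-port lines and the port-mirroring bindings inside interface stanzas (the layout shown in step 1), reports which observing port receives copies from which mirrored ports, and emits the undo commands in the order the note requires, bindings first and observing ports last. The sample configuration is constructed, and the "both" direction keyword is assumed to be accepted alongside inbound and outbound (only inbound appears on this page).

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample of "display current-configuration" output, modelled on the
# excerpt in section 4.4. A second observing port and a second mirrored port
# are added so that the ordering of the undo commands is visible.
SAMPLE_CONFIG = """\
#
vlan batch 10 20 30
#
observe-port 2 interface GigabitEthernet1/0/1
observe-port 3 interface GigabitEthernet1/0/2 vlan 10
#
interface GigabitEthernet1/0/1
#
interface GigabitEthernet1/0/2
#
interface GigabitEthernet2/0/1
 port-mirroring to observe-port 2 inbound
#
interface GigabitEthernet2/0/2
 port-mirroring to observe-port 2 outbound
 port-mirroring to observe-port 3 inbound
#
interface GigabitEthernet2/0/3
 description uplink to core
#
return
"""

OBSERVE_RE = re.compile(r"^\s*observe-port\s+(\d+)\s+interface\s+(\S+)")
IFACE_RE = re.compile(r"^\s*interface\s+(\S+)\s*$")
# "both" is assumed to be accepted next to inbound/outbound; it is not on the page.
MIRROR_RE = re.compile(
    r"^\s*port-mirroring\s+to\s+observe-port\s+(\d+)\s+(inbound|outbound|both)\s*$")

Binding = Tuple[str, int, str]  # (mirrored interface, observe-port index, direction)


def parse_mirroring(config: str) -> Tuple[Dict[int, str], List[Binding]]:
    """Return the observing ports by index and every port-mirroring binding."""
    observe: Dict[int, str] = {}
    bindings: List[Binding] = []
    current_iface: Optional[str] = None
    for line in config.splitlines():
        if line.strip() == "#":          # stanza separator: we leave the interface view
            current_iface = None
            continue
        m = OBSERVE_RE.match(line)
        if m:
            observe[int(m.group(1))] = m.group(2)
            continue
        m = IFACE_RE.match(line)
        if m:
            current_iface = m.group(1)
            continue
        m = MIRROR_RE.match(line)
        if m and current_iface is not None:
            bindings.append((current_iface, int(m.group(1)), m.group(2)))
    return observe, bindings


def mirroring_summary(config: str) -> Dict[str, List[Tuple[str, str]]]:
    """Map each observing port to the (mirrored port, direction) pairs feeding it.

    Observing ports with no binding are listed with an empty list: they still
    exist and forward copies as soon as something is bound to them.
    """
    observe, bindings = parse_mirroring(config)
    summary: Dict[str, List[Tuple[str, str]]] = {name: [] for name in observe.values()}
    for mirrored, idx, direction in bindings:
        target = observe.get(idx, f"<undefined observe-port {idx}>")
        summary.setdefault(target, []).append((mirrored, direction))
    return summary


def undo_commands(config: str) -> List[str]:
    """Commands that remove all mirroring, in the order section 4.4 requires.

    Bindings are removed first (step 2); an observing port can only be deleted
    once nothing is bound to it (step 3).
    """
    observe, bindings = parse_mirroring(config)
    by_iface: Dict[str, List[Tuple[int, str]]] = {}
    for mirrored, idx, direction in bindings:
        by_iface.setdefault(mirrored, []).append((idx, direction))
    cmds = ["system-view"]
    for mirrored, binds in by_iface.items():
        cmds.append(f"interface {mirrored}")
        for idx, direction in binds:
            cmds.append(f"undo port-mirroring to observe-port {idx} {direction}")
        cmds.append("quit")
    for idx in sorted(observe):
        cmds.append(f"undo observe-port {idx}")
    return cmds


if __name__ == "__main__":
    for target, sources in mirroring_summary(SAMPLE_CONFIG).items():
        print(f"{target}: {sources or 'no mirrored ports'}")
    print("\n".join(undo_commands(SAMPLE_CONFIG)))
```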


5 Common MAC Address Operations

About This Chapter


This chapter describes common MAC address operations.
5.1 Displaying All MAC Address Entries
5.2 Displaying MAC Address Entries Learned by an Interface
5.3 Displaying MAC Address Entries Learned in a VLAN
5.4 Displaying the System MAC Address
5.5 Displaying the MAC Address of an Interface
5.6 Displaying the MAC Address of a VLANIF Interface
5.7 Configuring a Static MAC Address
5.8 Configuring a Blackhole MAC Address
5.9 Displaying and Setting the Aging Time of MAC Addresses
5.10 Configuring Port Security


5.1 Displaying All MAC Address Entries


# Run the display mac-address command to check all MAC address entries.
<HUAWEI> display mac-address
-------------------------------------------------------------------------------
MAC Address    VLAN/VSI                          Learned-From        Type
-------------------------------------------------------------------------------
0000-0000-0002 10/-                              -                   blackhole
0000-0000-0003 300/-                             GE1/0/3             static
0026-6e5c-feac 3000/-                            Eth-Trunk2          dynamic
0000-c116-0201 -/test                            Eth-Trunk3          dynamic
-------------------------------------------------------------------------------
Total items displayed = 4

5.2 Displaying MAC Address Entries Learned by an Interface

# Run the display mac-address dynamic gigabitethernet1/0/1 command to check MAC
address entries learned by GE1/0/1.
<HUAWEI> display mac-address dynamic gigabitethernet1/0/1
-------------------------------------------------------------------------------
MAC Address    VLAN/VSI                          Learned-From        Type
-------------------------------------------------------------------------------
0000-0000-0003 300/-                             GE1/0/1             dynamic
0026-6e5c-feac 3000/-                            GE1/0/1             dynamic
-------------------------------------------------------------------------------
Total items displayed = 2

5.3 Displaying MAC Address Entries Learned in a VLAN


# Run the display mac-address dynamic vlan 10 command to check the MAC address entries
learned in VLAN 10.
<HUAWEI> display mac-address dynamic vlan 10
-------------------------------------------------------------------------------
MAC Address    VLAN/VSI                          Learned-From        Type
-------------------------------------------------------------------------------
0000-0000-0003 10/-                              GE1/0/1             dynamic
0026-6e5c-feac 10/-                              GE1/0/2             dynamic
-------------------------------------------------------------------------------
Total items displayed = 2
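The table layout is the same for all three display mac-address variants in 5.1 to 5.3, so one parser serves them all. The following Python script is an added example, not Huawei code: it parses a constructed sample modelled on the 5.1 output, splits the VLAN/VSI column into its two parts, treats "-" in Learned-From as "no source interface" (the blackhole case), cross-checks the row count against the "Total items displayed" trailer, and counts dynamic entries per interface, which is the number that port-security max-mac-num (5.10) bounds. The extra MAC addresses on GE1/0/1 are constructed.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample modelled on the "display mac-address" output in 5.1. The
# VLAN/VSI column is "<vlan>/-" for a VLAN entry and "-/<vsi>" for a VSI entry;
# a blackhole entry has no Learned-From interface. Two extra dynamic entries on
# GE1/0/1 are added so that the per-interface count has something to show.
SAMPLE_OUTPUT = """\
-------------------------------------------------------------------------------
MAC Address    VLAN/VSI                          Learned-From        Type
-------------------------------------------------------------------------------
0000-0000-0002 10/-                              -                   blackhole
0000-0000-0003 300/-                             GE1/0/3             static
0026-6e5c-feac 3000/-                            Eth-Trunk2          dynamic
0000-c116-0201 -/test                            Eth-Trunk3          dynamic
0026-6e5c-fead 10/-                              GE1/0/1             dynamic
0026-6e5c-feae 10/-                              GE1/0/1             dynamic
-------------------------------------------------------------------------------
Total items displayed = 6
"""

MAC_RE = re.compile(r"^[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}$")
TOTAL_RE = re.compile(r"Total items displayed = (\d+)")


@dataclass
class MacEntry:
    mac: str
    vlan: Optional[int]            # None for an entry that belongs to a VSI
    vsi: Optional[str]             # None for an entry that belongs to a VLAN
    learned_from: Optional[str]    # None when the column is "-" (blackhole entries)
    entry_type: str                # dynamic, static, blackhole, ...


def parse_mac_table(output: str) -> List[MacEntry]:
    """Parse every entry row; separators, the header and the trailer are skipped."""
    entries: List[MacEntry] = []
    for line in output.splitlines():
        fields = line.split()
        if len(fields) != 4 or not MAC_RE.match(fields[0]):
            continue
        mac, vlan_vsi, learned, typ = fields
        vlan_part, _, vsi_part = vlan_vsi.partition("/")
        entries.append(MacEntry(
            mac=mac,
            vlan=None if vlan_part == "-" else int(vlan_part),
            vsi=None if vsi_part == "-" else vsi_part,
            learned_from=None if learned == "-" else learned,
            entry_type=typ,
        ))
    return entries


def total_matches(output: str, entries: List[MacEntry]) -> bool:
    """True when the parsed row count agrees with the switch's own trailer line."""
    m = TOTAL_RE.search(output)
    return m is not None and int(m.group(1)) == len(entries)


def dynamic_count_by_interface(entries: List[MacEntry]) -> Dict[str, int]:
    """Dynamic entries per source interface (static and blackhole entries excluded)."""
    return dict(Counter(e.learned_from for e in entries
                        if e.entry_type == "dynamic" and e.learned_from is not None))


def interfaces_at_limit(entries: List[MacEntry], max_mac_num: int) -> List[str]:
    """Interfaces whose dynamic count has reached a port-security max-mac-num value."""
    return sorted(iface for iface, n in dynamic_count_by_interface(entries).items()
                  if n >= max_mac_num)


if __name__ == "__main__":
    rows = parse_mac_table(SAMPLE_OUTPUT)
    print("trailer agrees:", total_matches(SAMPLE_OUTPUT, rows))
    print(dynamic_count_by_interface(rows))
    print("at limit (max-mac-num 2):", interfaces_at_limit(rows, 2))
```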

5.4 Displaying the System MAC Address


The MAC address of a Layer 2 interface and the device's MAC address are the same. You can
run the following commands to check the device's MAC address.
- Run the display interface gigabitethernet1/0/1 command. In the command output,
00e0-f74b-6d00 refers to the device's MAC address.
<HUAWEI> display interface gigabitethernet1/0/1
GigabitEthernet1/0/1 current state : UP
Line protocol current state : UP
Description:
Switch Port, Link-type : access(configured),
PVID : 103, TPID : 8100(Hex), The Maximum Frame Length is 9216
IP Sending Frames' Format is PKTFMT_ETHNT_2, Hardware address is 00e0-f74b-6d00
......

- In V200R002 and later versions, run the display bridge mac-address command to
check the device's MAC address.
<HUAWEI> display bridge mac-address
System bridge MAC address: 00e0-f74b-6d00

5.5 Displaying the MAC Address of an Interface


Run the display interface gigabitethernet1/0/1 command. In the command output,
00e0-f74b-6d00 refers to the interface's MAC address. The MAC address of a Layer 2
interface and the device's MAC address are the same.
<HUAWEI> display interface gigabitethernet1/0/1
GigabitEthernet1/0/1 current state : UP
Line protocol current state : UP
Description:
Switch Port, Link-type : access(configured),
PVID : 103, TPID : 8100(Hex), The Maximum Frame Length is 9216
IP Sending Frames' Format is PKTFMT_ETHNT_2, Hardware address is 00e0-f74b-6d00
......

5.6 Displaying the MAC Address of a VLANIF Interface


# Run the display interface vlanif10 command. In the command output, 00e0-0987-7891
refers to the VLANIF interface's MAC address.
<HUAWEI> display interface vlanif10
Vlanif10 current state : DOWN
Line protocol current state : DOWN
Description:
Route Port,The Maximum Transmit Unit is 1500
Internet Address is 172.10.1.2/24
IP Sending Frames' Format is PKTFMT_ETHNT_2, Hardware address is 00e0-0987-7891
Current system time: 2014-08-14 16:40:09+08:00
Input bandwidth utilization : --
Output bandwidth utilization : --

5.7 Configuring a Static MAC Address


Configure the MAC address of the fixed upstream device or trusted user host connected to the
switch as the static MAC address to ensure secure communication.
<HUAWEI> system-view
[HUAWEI] vlan 10 //Create VLAN 10.
[HUAWEI-vlan10] quit
[HUAWEI] interface GigabitEthernet1/0/1
[HUAWEI-GigabitEthernet1/0/1] port link-type access
[HUAWEI-GigabitEthernet1/0/1] port default vlan 10 //Add an interface to VLAN 10.
[HUAWEI-GigabitEthernet1/0/1] quit
[HUAWEI] mac-address static 0000-0012-0034 GigabitEthernet1/0/1 vlan 10 //Create a static MAC address entry that binds MAC address 0000-0012-0034 to GigabitEthernet1/0/1.
NOTE

The interface bound to the MAC address must belong to the specified VLAN and the VLAN must have
been created.

5.8 Configuring a Blackhole MAC Address


To prevent an attacker from using a MAC address to attack a user device or the network,
configure the MAC address of an untrusted user as a blackhole MAC address. The switch then
discards received packets whose source or destination MAC address is the blackhole
MAC address.
The switch provides two blackhole MAC address modes: global and VLAN-based blackhole
MAC addresses.

- In the system view, configure the MAC address 0000-0012-0034 as a global blackhole
MAC address.
<HUAWEI> system-view
[HUAWEI] mac-address blackhole 0000-0012-0034

- In the system view, configure the MAC address 0000-0012-0035 as a blackhole
MAC address in VLAN 10.
<HUAWEI> system-view
[HUAWEI] mac-address blackhole 0000-0012-0035 vlan 10

5.9 Displaying and Setting the Aging Time of MAC Addresses

# In the system view, run the mac-address aging-time 600 command to set the aging time of
dynamic MAC addresses to 600s. By default, the aging time is 300s.
<HUAWEI> system-view
[HUAWEI] mac-address aging-time 600

# In any view, run the display mac-address aging-time command to view the aging time of
dynamic MAC addresses.
<HUAWEI> display mac-address aging-time
Aging time: 300 second(s)

5.10 Configuring Port Security


Port security implements dynamic binding: the MAC addresses learned on an interface are
bound to that interface. After the maximum number of MAC addresses that can be learned by
an interface is set, other, non-trusted hosts cannot use that interface to communicate with
the switch, which improves device and network security.
# Configure port security on the gigabitethernet1/0/1.
<HUAWEI> system-view
[HUAWEI] interface gigabitethernet 1/0/1
[HUAWEI-GigabitEthernet1/0/1] port-security enable

# Set the maximum number of MAC addresses that can be learned by the gigabitethernet1/0/1
to 5.
<HUAWEI> system-view
[HUAWEI] interface gigabitethernet 1/0/1
[HUAWEI-GigabitEthernet1/0/1] port-security enable
[HUAWEI-GigabitEthernet1/0/1] port-security max-mac-num 5
NOTE

Before setting the maximum number of MAC addresses that can be learned by an interface, ensure that
the interface has been enabled with port security.


6 Common Ethernet Interface Operations

About This Chapter


This chapter describes common Ethernet interface operations.
6.1 Configuring a Port Group
6.2 Configuring Port Isolation
6.3 Configuring the Working Mode of a Combo Interface
6.4 Configuring the Interface Rate
6.5 Configuring the Duplex Mode
6.6 Switching an Interface to Layer 3 Mode
6.7 One-Click Configuration Deletion on an Interface


6.1 Configuring a Port Group


Configuring a Temporary Port Group
# Run the port-group group-member command to add GE1/0/9 to GE1/0/15 to a temporary
port group.
<HUAWEI> system-view
[HUAWEI] port-group group-member gigabitethernet 1/0/9 to gigabitethernet 1/0/15
[HUAWEI-port-group]

# Run the interface range command to add GE1/0/16 to GE1/0/20 to a temporary port group.
(The interface range command is supported by only V200R003C00 and later versions.)
<HUAWEI> system-view
[HUAWEI] interface range gigabitethernet 1/0/16 to gigabitethernet 1/0/20
[HUAWEI-port-group]

Configuring a Permanent Port Group


# Run the port-group command to add GE1/0/1 to GE1/0/8 to permanent port group
portgroup1.
<HUAWEI> system-view
[HUAWEI] port-group portgroup1
[HUAWEI-port-group-portgroup1] group-member gigabitethernet 1/0/1 to gigabitethernet 1/0/8

6.2 Configuring Port Isolation


Configuring a Port Isolation Group
# Configure port isolation on GE1/0/1 and GE1/0/2 to implement Layer 2 isolation and Layer
3 interworking on the two interfaces.
<HUAWEI> system-view
[HUAWEI] port-isolate mode l2
[HUAWEI] interface gigabitethernet 1/0/1
[HUAWEI-GigabitEthernet1/0/1] port-isolate enable group 1
[HUAWEI-GigabitEthernet1/0/1] quit
[HUAWEI] interface gigabitethernet 1/0/2
[HUAWEI-GigabitEthernet1/0/2] port-isolate enable group 1
[HUAWEI-GigabitEthernet1/0/2] quit

# Configure port isolation on GE1/0/10 to GE1/0/20 to implement Layer 2 and Layer 3
isolation on these interfaces.
<HUAWEI> system-view
[HUAWEI] port-isolate mode all
[HUAWEI] port-group portgroup1
[HUAWEI-port-group-portgroup1] group-member gigabitethernet 1/0/10 to gigabitethernet 1/0/20
[HUAWEI-port-group-portgroup1] port-isolate enable group 2
NOTE

All S series chassis switches support Layer 2 and Layer 3 isolation. S series box switches support Layer
2 and Layer 3 isolation excluding the S2700SI and S2700EI in V100R006C05 and the S1720, S2720,
S2750EI, S5700LI, S5710-X-LI, S5710-C-LI and S5700S-LI in V200R001 and later versions.


Configuring Unidirectional Isolation


# Configure unidirectional isolation to isolate GE1/0/5 from GE1/0/6, GE1/0/7, and GE1/0/8
unidirectionally. This configuration ensures that Layer 2 data packets from GE1/0/5 cannot
reach GE1/0/6, GE1/0/7, and GE1/0/8.
<HUAWEI> system-view
[HUAWEI] port-isolate mode l2
[HUAWEI] interface gigabitethernet 1/0/5
[HUAWEI-GigabitEthernet1/0/5] am isolate gigabitethernet 1/0/6 to 1/0/8

6.3 Configuring the Working Mode of a Combo Interface


# Configure GE1/0/1 to work in electrical mode.
<HUAWEI> system-view
[HUAWEI] interface gigabitethernet 1/0/1
[HUAWEI-GigabitEthernet1/0/1] combo-port copper

To configure the working mode of a combo interface, run the combo-port { auto | copper |
fiber } command in the combo interface view.

- When the auto mode is specified, the system checks whether the combo optical interface
has an optical module installed, and selects the interface working mode as follows:
  - When the electrical interface is not connected, the combo interface works as an
  optical interface if the combo optical interface has an optical module installed.
  - When the electrical interface is connected using a network cable and the combo
  interface is Up, the combo interface works as an electrical interface even if the
  combo optical interface has an optical module installed. However, the combo
  interface works as an optical interface after the device restarts.
  - When the electrical interface is connected using a network cable and the combo
  interface is Down, the combo interface works as an optical interface if the combo
  optical interface has an optical module installed.
  In summary, when the auto mode is specified and the combo optical interface has an
  optical module installed, the combo interface works as an optical interface after the
  device restarts.

- You can forcibly specify the working mode of the combo interface based on the peer
interface type. If the local combo electrical interface is connected to a peer electrical
interface, configure the combo interface to work in copper mode. If the local combo
optical interface is connected to a peer optical interface, configure the combo interface to
work in fiber mode.

6.4 Configuring the Interface Rate


Manually Configuring the Interface Rate in Auto-Negotiation Mode
# Set the negotiation rate to 100 Mbit/s for Ethernet interface GE1/0/1 working in auto-negotiation mode.
<HUAWEI> system-view
[HUAWEI] interface gigabitethernet 1/0/1
[HUAWEI-GigabitEthernet1/0/1] negotiation auto
[HUAWEI-GigabitEthernet1/0/1] auto speed 100


NOTE

GE optical interfaces do not support manually configuring the interface rate in auto-negotiation mode,
except a GE optical interface that has a GE copper module installed.

Configuring the Interface Rate in Non-Auto-Negotiation Mode


# Set the rate to 100 Mbit/s for Ethernet interface GE1/0/1 working in non-auto-negotiation mode.
<HUAWEI> system-view
[HUAWEI] interface gigabitethernet 1/0/1
[HUAWEI-GigabitEthernet1/0/1] undo negotiation auto
[HUAWEI-GigabitEthernet1/0/1] speed 100

6.5 Configuring the Duplex Mode


Configuring the Duplex Mode for an Interface in Auto-Negotiation Mode
# Set the duplex mode to full-duplex for Ethernet electrical interface GE1/0/1 working in
auto-negotiation mode.
<HUAWEI> system-view
[HUAWEI] interface gigabitethernet 1/0/1
[HUAWEI-GigabitEthernet1/0/1] negotiation auto
[HUAWEI-GigabitEthernet1/0/1] auto duplex full

Configuring the Duplex Mode for an Interface in Non-Auto-Negotiation Mode


# Set the duplex mode to half-duplex for Ethernet electrical interface GE1/0/1 working in
non-auto-negotiation mode.
<HUAWEI> system-view
[HUAWEI] interface gigabitethernet 1/0/1
[HUAWEI-GigabitEthernet1/0/1] undo negotiation auto
[HUAWEI-GigabitEthernet1/0/1] duplex half
NOTE

Physical service interfaces of the S5710HI, S6700EI, S5720HI, S5720EI and S6720EI do not support
the duplex mode configuration.
Physical service interfaces of the X1E series cards on a modular switch do not support the duplex mode
configuration.

6.6 Switching an Interface to Layer 3 Mode


# Change the working mode of GE1/0/1 from Layer 2 mode to Layer 3 mode.
<HUAWEI> system-view
[HUAWEI] interface gigabitethernet 1/0/1
[HUAWEI-GigabitEthernet1/0/1] undo portswitch
[HUAWEI-GigabitEthernet1/0/1] ip address 10.10.10.10 255.255.255.0

To switch an interface to Layer 3 mode, run the undo portswitch command in the interface
view.
By default, an Ethernet interface works in Layer 2 mode.
When you run this command on an interface, the mode switch takes effect only if the
interface carries nothing but attribute configurations (such as shutdown and description).
If service configurations (such as port link-type trunk) exist on the interface, clear all
service configurations before running this command.
Since V200R003, interfaces on the S5700EI, S5700HI, S5710EI, S5710HI, S5720EI,
S5720HI, S6700EI, S6720EI, S7700, and S9700 support switching between Layer 2 and
Layer 3 modes.
For switches in V200R005C00 and later versions, after running the undo portswitch
command to switch an Ethernet interface to Layer 3 mode, you can assign an IP address to the
interface.

6.7 One-Click Configuration Deletion on an Interface


# Run the clear configuration interface command in the system view to delete
configurations on GE1/0/1.
<HUAWEI> system-view
[HUAWEI] clear configuration interface gigabitethernet 1/0/1
Warning: All configurations of the interface will be cleared, and its state will
be shutdown. Continue? [Y/N] :y
Info: Total 5 command(s) executed, 5 successful, 0 failed.

# Run the clear configuration this command in the interface view to delete configurations on
GE1/0/1.
<HUAWEI> system-view
[HUAWEI] interface gigabitethernet 1/0/1
[HUAWEI-GigabitEthernet1/0/1] clear configuration this
Warning: All configurations of the interface will be cleared, and its state will
be shutdown. Continue? [Y/N] :y
Info: Total 3 command(s) executed, 3 successful, 0 failed.


7 Common Link Aggregation Operations

About This Chapter


This chapter describes common Ethernet link aggregation operations.
7.1 Adding Member Interfaces to an Eth-Trunk in a Batch
7.2 Deleting a Specified Member Interface from an Eth-Trunk
7.3 Deleting an Eth-Trunk
7.4 Displaying the Eth-Trunk Configuration
7.5 Displaying Information About Eth-Trunk Member Interfaces
7.6 Displaying the Numbers of Eth-Trunks and Member Interfaces Supported by the Device


7.1 Adding Member Interfaces to an Eth-Trunk in a Batch


# Add GigabitEthernet1/0/1 to GigabitEthernet1/0/5 to Eth-Trunk 1.
<HUAWEI> system-view
[HUAWEI] interface eth-trunk 1
[HUAWEI-Eth-Trunk1] trunkport gigabitethernet 1/0/1 to 1/0/5

7.2 Deleting a Specified Member Interface from an Eth-Trunk


You can use either of the following methods to delete a specified member interface from an
Eth-Trunk:
- Run the undo trunkport interface-type { interface-number1 [ to interface-number2 ] }
&<1-8> command in the Eth-Trunk view to delete a specified member interface from an
Eth-Trunk.
<HUAWEI> system-view
[HUAWEI] interface eth-trunk 1
[HUAWEI-Eth-Trunk1] undo trunkport gigabitethernet 1/0/1

- Run the undo eth-trunk command in the member interface view to delete a specified
member interface from an Eth-Trunk.
<HUAWEI> system-view
[HUAWEI] interface gigabitethernet 1/0/1
[HUAWEI-GigabitEthernet1/0/1] undo eth-trunk

7.3 Deleting an Eth-Trunk


Prerequisites
All member interfaces have been deleted from an Eth-Trunk. See 7.2 Deleting a Specified
Member Interface from an Eth-Trunk.

Procedure
Run the undo interface eth-trunk trunk-id command in the system view.
<HUAWEI> system-view
[HUAWEI] undo interface eth-trunk 10

7.4 Displaying the Eth-Trunk Configuration


# Display the configuration of all Eth-Trunks.
<HUAWEI> display eth-trunk
Eth-Trunk10's state information is:
Local:
LAG ID: 10
WorkingMode: LACP
Preempt Delay Time: 10
Hash arithmetic: According to SIP-XOR-DIP
System Priority: 120
System ID: 0018-82d4-04c3
Least Active-linknumber: 1 Max Active-linknumber: 2
Operate status: up
Number Of Up Port In Trunk: 2
--------------------------------------------------------------------------------
ActorPortName          Status   PortType PortPri PortNo PortKey PortState Weight
GigabitEthernet1/0/2   Selected 1GE      10      262    2609    10111100  1
GigabitEthernet1/0/3   Selected 1GE      10      263    2609    10111100  1
GigabitEthernet1/0/4   Unselect 1GE      32768   264    2609    10100000  1

Partner:
--------------------------------------------------------------------------------
ActorPortName          SysPri   SystemID        PortPri PortNo PortKey PortState
GigabitEthernet1/0/2   32768    00e0-fc6e-bb11  32768   262    2609    10111100
GigabitEthernet1/0/3   32768    00e0-fc6e-bb11  32768   263    2609    10111100
GigabitEthernet1/0/4   32768    00e0-fc6e-bb11  32768   264    2609    10110000

Eth-Trunk11's state information is:
WorkingMode: NORMAL
Hash arithmetic: According to SIP-XOR-DIP
Least Active-linknumber: 1 Max Bandwidth-affected-linknumber: 8
Operate status: up
Number Of Up Port In Trunk: 1
--------------------------------------------------------------------------------
PortName                      Status      Weight
GigabitEthernet1/0/1          Up          1

# Display the configuration of Eth-Trunk 10 in LACP mode.
<HUAWEI> display eth-trunk 10
Eth-Trunk10's state information is:
Local:
LAG ID: 10
WorkingMode: LACP
Preempt Delay Time: 10
Hash arithmetic: According to SIP-XOR-DIP
System Priority: 120
System ID: 0018-82d4-04c3
Least Active-linknumber: 1 Max Active-linknumber: 2
Operate status: up
Number Of Up Port In Trunk: 2
--------------------------------------------------------------------------------
ActorPortName          Status   PortType PortPri PortNo PortKey PortState Weight
GigabitEthernet1/0/2   Selected 1GE      10      262    2609    10111100  1
GigabitEthernet1/0/3   Selected 1GE      10      263    2609    10111100  1
GigabitEthernet1/0/4   Unselect 1GE      32768   264    2609    10100000  1

Partner:
--------------------------------------------------------------------------------
ActorPortName          SysPri   SystemID        PortPri PortNo PortKey PortState
GigabitEthernet1/0/2   32768    00e0-fc6e-bb11  32768   262    2609    10111100
GigabitEthernet1/0/3   32768    00e0-fc6e-bb11  32768   263    2609    10111100
GigabitEthernet1/0/4   32768    00e0-fc6e-bb11  32768   264    2609    10110000

# Display the configuration of Eth-Trunk 11 in manual load balancing mode.
<HUAWEI> display eth-trunk 11
Eth-Trunk11's state information is:
WorkingMode: NORMAL
Hash arithmetic: According to SIP-XOR-DIP
Least Active-linknumber: 1 Max Bandwidth-affected-linknumber: 8
Operate status: up
Number Of Up Port In Trunk: 1
--------------------------------------------------------------------------------
PortName                      Status      Weight
GigabitEthernet1/0/1          Up          1


7.5 Displaying Information About Eth-Trunk Member Interfaces

# Display information about member interfaces of Eth-Trunk 2.
<HUAWEI> display trunkmembership eth-trunk 2
Trunk ID: 2
Used status: VALID
TYPE: ethernet
Working Mode : Normal
Number Of Ports in Trunk = 2
Number Of Up Ports in Trunk = 2
Operate status: up
Interface GigabitEthernet1/0/1, valid, operate up, weight=1
Interface GigabitEthernet1/0/2, valid, operate up, weight=1

7.6 Displaying the Numbers of Eth-Trunks and Member Interfaces Supported by the Device

NOTE

V200R005 and later versions support the display trunk configuration command.

# Display the numbers of LAGs and member interfaces.


<HUAWEI> display trunk configuration
--------------------------------------------------
Item            Default    Current    Configured
--------------------------------------------------
trunk-group     128        2          4
trunk-member    8          16         16
--------------------------------------------------

Table 7-1 Description of the display trunk configuration command output

Item            Meaning
Default         Default Eth-Trunk specifications supported by the device.
Current         Eth-Trunk specifications currently in effect on the device.
Configured      Configured Eth-Trunk specifications. If the configured Eth-Trunk specifications differ from the current ones, the configured specifications take effect only after the device restarts.
trunk-group     Maximum number of Eth-Trunks supported by the device.
trunk-member    Maximum number of member interfaces in each Eth-Trunk.


8 Common VLAN Operations

About This Chapter


This chapter describes common VLAN operations.
8.1 Creating VLANs in a Batch
8.2 Adding Interfaces to a VLAN in a Batch
8.3 Restoring the Default VLAN Configuration of an Interface
8.4 Deleting a VLAN or VLANs in a Batch
8.5 Changing the Link Type of an Interface


8.1 Creating VLANs in a Batch


Run the vlan batch command in the system view to create VLANs in a batch.

- Create 10 contiguous VLANs in a batch: VLAN 11 to VLAN 20.

<HUAWEI> system-view
[HUAWEI] vlan batch 11 to 20

- Create 10 noncontiguous VLANs in a batch: VLAN 10, VLANs 15 to 19, VLAN 25, and VLANs 28 to 30.

<HUAWEI> system-view
[HUAWEI] vlan batch 10 15 to 19 25 28 to 30

NOTE
A single vlan batch command accepts at most 10 noncontiguous VLANs or VLAN ranges. If more than 10 are needed, run the command several times. For example, vlan batch 10 15 to 19 25 28 to 30 specifies four noncontiguous items (10, 15 to 19, 25, and 28 to 30).
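The vlan batch argument format and its 10-item limit, worked in code: the parser expands a batch specification into VLAN IDs and rejects more items than one command accepts, and the generator compresses a VLAN set back into the minimal list of commands, splitting when the limit would be exceeded. This is an added example, not Huawei code; the function names, the 1 to 4094 VLAN ID range check and the sample inputs are this example's own.

```python
"""Expand and generate `vlan batch` arguments (section 8.1).

Added example, not Huawei code. The 10-item limit per command comes from the
guide's NOTE; the 1-4094 VLAN ID range is the 802.1Q range assumed here.
"""
import re

MAX_ITEMS_PER_COMMAND = 10   # at most 10 VLANs/ranges in one vlan batch command
VLAN_MIN, VLAN_MAX = 1, 4094

_ITEM = re.compile(r"^(\d+)(?:\s+to\s+(\d+))?$")


def parse_vlan_batch(spec):
    """Return (sorted VLAN IDs, number of items) for a `vlan batch` argument string.

    Raises ValueError for malformed items, out-of-range IDs, reversed ranges,
    or more items than a single command accepts.
    """
    tokens = spec.split()
    items, i = [], 0
    # Re-join "<a> to <b>" triples into single items; everything else is one VLAN.
    while i < len(tokens):
        if i + 2 < len(tokens) and tokens[i + 1] == "to":
            items.append(f"{tokens[i]} to {tokens[i + 2]}")
            i += 3
        else:
            items.append(tokens[i])
            i += 1
    if len(items) > MAX_ITEMS_PER_COMMAND:
        raise ValueError(f"{len(items)} items; one vlan batch accepts at most {MAX_ITEMS_PER_COMMAND}")
    vids = set()
    for item in items:
        m = _ITEM.match(item)
        if not m:
            raise ValueError(f"malformed item {item!r}")
        lo = int(m.group(1))
        hi = int(m.group(2)) if m.group(2) else lo
        if not (VLAN_MIN <= lo <= hi <= VLAN_MAX):
            raise ValueError(f"bad VLAN range {item!r}")
        vids.update(range(lo, hi + 1))
    return sorted(vids), len(items)


def compress_ranges(vids):
    """Collapse VLAN IDs into (lo, hi) runs: [10, 15, 16, 17] -> [(10, 10), (15, 17)]."""
    runs = []
    for v in sorted(set(vids)):
        if runs and runs[-1][1] == v - 1:
            runs[-1][1] = v
        else:
            runs.append([v, v])
    return [tuple(r) for r in runs]


def vlan_batch_commands(vids):
    """Minimal list of `vlan batch` commands creating every VLAN in vids,
    split into several commands whenever more than 10 items are needed."""
    items = [str(lo) if lo == hi else f"{lo} to {hi}" for lo, hi in compress_ranges(vids)]
    return [
        "vlan batch " + " ".join(items[k:k + MAX_ITEMS_PER_COMMAND])
        for k in range(0, len(items), MAX_ITEMS_PER_COMMAND)
    ]


if __name__ == "__main__":
    print(parse_vlan_batch("10 15 to 19 25 28 to 30"))
    print(vlan_batch_commands([2 * k for k in range(1, 13)]))   # 12 isolated VLANs: two commands
```

Running the module shows the guide's four-item example expanding to ten VLAN IDs and twelve isolated VLANs being split into two commands, which is exactly the case the NOTE tells you to handle by repeating the command.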

8.2 Adding Interfaces to a VLAN in a Batch

Configure a port group to add interfaces to a VLAN in a batch.

- Set the link type of the interfaces to access.

<HUAWEI> system-view
[HUAWEI] port-group pg1 //Create a port group named pg1.
[HUAWEI-port-group-pg1] group-member gigabitethernet1/0/1 to gigabitethernet1/0/5 //Add gigabitethernet1/0/1 to gigabitethernet1/0/5 to the port group.
[HUAWEI-port-group-pg1] port link-type access //Set the link type of gigabitethernet1/0/1 to gigabitethernet1/0/5 to access.
[HUAWEI-port-group-pg1] port default vlan 10 //Add gigabitethernet1/0/1 to gigabitethernet1/0/5 to VLAN 10.

- Set the link type of the interfaces to trunk.

<HUAWEI> system-view
[HUAWEI] port-group pg1 //Create a port group named pg1.
[HUAWEI-port-group-pg1] group-member gigabitethernet1/0/1 to gigabitethernet1/0/5 //Add gigabitethernet1/0/1 to gigabitethernet1/0/5 to the port group.
[HUAWEI-port-group-pg1] port link-type trunk //Set the link type of gigabitethernet1/0/1 to gigabitethernet1/0/5 to trunk.
[HUAWEI-port-group-pg1] port trunk allow-pass vlan 10 20 //Add gigabitethernet1/0/1 to gigabitethernet1/0/5 to VLAN 10 and VLAN 20.

- Set the link type of the interfaces to hybrid.

<HUAWEI> system-view
[HUAWEI] port-group pg1 //Create a port group named pg1.
[HUAWEI-port-group-pg1] group-member gigabitethernet1/0/1 to gigabitethernet1/0/5 //Add gigabitethernet1/0/1 to gigabitethernet1/0/5 to the port group.
[HUAWEI-port-group-pg1] port link-type hybrid //Set the link type of gigabitethernet1/0/1 to gigabitethernet1/0/5 to hybrid.
[HUAWEI-port-group-pg1] port hybrid tagged vlan 10 //Add gigabitethernet1/0/1 to gigabitethernet1/0/5 to VLAN 10 in tagged mode.
[HUAWEI-port-group-pg1] port hybrid untagged vlan 20 //Add gigabitethernet1/0/1 to gigabitethernet1/0/5 to VLAN 20 in untagged mode.


8.3 Restoring the Default VLAN Configuration of an Interface

The default VLAN configuration of an interface is a PVID of 1 with the interface a member of VLAN 1 only.

- Restore the default configuration of an access interface.

<HUAWEI> system-view
[HUAWEI] interface gigabitethernet 1/0/1
[HUAWEI-GigabitEthernet1/0/1] undo port default vlan

- Restore the default configuration of a trunk interface.

<HUAWEI> system-view
[HUAWEI] interface gigabitethernet 1/0/1
[HUAWEI-GigabitEthernet1/0/1] undo port trunk pvid vlan
[HUAWEI-GigabitEthernet1/0/1] undo port trunk allow-pass vlan all
[HUAWEI-GigabitEthernet1/0/1] port trunk allow-pass vlan 1

- Restore the default configuration of a hybrid interface.

<HUAWEI> system-view
[HUAWEI] interface gigabitethernet 1/0/1
[HUAWEI-GigabitEthernet1/0/1] undo port hybrid pvid vlan
[HUAWEI-GigabitEthernet1/0/1] undo port hybrid vlan all
[HUAWEI-GigabitEthernet1/0/1] port hybrid untagged vlan 1

8.4 Deleting a VLAN or VLANs in a Batch

The device supports deletion of a single VLAN or of several VLANs in a batch.

- Delete VLAN 10.

<HUAWEI> system-view
[HUAWEI] undo vlan 10

- Delete VLAN 10 to VLAN 20 in a batch.

<HUAWEI> system-view
[HUAWEI] undo vlan batch 10 to 20

NOTE
In versions earlier than V200R005, before deleting a VLAN on which a VLANIF interface has been configured, run the undo interface vlanif command to delete the VLANIF interface.

8.5 Changing the Link Type of an Interface

The link type of an interface can be access, trunk, hybrid, or Dot1q-tunnel. The procedure for changing the link type differs between versions.

- In V200R005 and later versions, run the port link-type { access | trunk | hybrid | dot1q-tunnel } command and enter y or n when prompted. If the interface still uses the default VLAN configuration, no prompt is displayed and the link type is changed directly.
  - When you enter y and press Enter, the device deletes the non-default VLAN configuration of the interface and sets the link type to the specified one.
  - When you enter n and press Enter, the device retains the current link type and VLAN configuration of the interface.

  Change the link type of the interface to hybrid.



<HUAWEI> system-view
[HUAWEI] interface gigabitethernet0/0/1
[HUAWEI-GigabitEthernet0/0/1] port link-type hybrid
Warning: This command will delete VLANs on this port. Continue?[Y/N]:y
Info: This operation may take a few seconds. Please wait for a moment...done.

- In versions earlier than V200R005, an interface belongs to VLAN 1 by default and its PVID is VLAN 1. Run the port link-type { access | trunk | hybrid | dot1q-tunnel } command to change the link type of the interface.

  Change the link type of the interface to access.

<HUAWEI> system-view
[HUAWEI] interface gigabitethernet0/0/1
[HUAWEI-GigabitEthernet0/0/1] port link-type access
[HUAWEI-GigabitEthernet0/0/1] port default vlan 10 //Set the PVID of the interface to VLAN 10.

  Change the link type of the interface to trunk.

<HUAWEI> system-view
[HUAWEI] interface gigabitethernet0/0/1
[HUAWEI-GigabitEthernet0/0/1] port link-type trunk
[HUAWEI-GigabitEthernet0/0/1] port trunk pvid vlan 10 //Set the PVID of the interface to VLAN 10.
[HUAWEI-GigabitEthernet0/0/1] port trunk allow-pass vlan 2 10 20 //Add the interface to VLAN 2, VLAN 10, and VLAN 20.

  Change the link type of the interface to hybrid.

<HUAWEI> system-view
[HUAWEI] interface gigabitethernet0/0/1
[HUAWEI-GigabitEthernet0/0/1] port link-type hybrid
[HUAWEI-GigabitEthernet0/0/1] port hybrid pvid vlan 10 //Set the PVID of the interface to VLAN 10.
[HUAWEI-GigabitEthernet0/0/1] port hybrid untagged vlan 2 10 //Add the interface to VLAN 2 and VLAN 10 in untagged mode.
[HUAWEI-GigabitEthernet0/0/1] port hybrid tagged vlan 20 //Add the interface to VLAN 20 in tagged mode.

  Change the link type of the interface to Dot1q-tunnel.

<HUAWEI> system-view
[HUAWEI] interface gigabitethernet0/0/1
[HUAWEI-GigabitEthernet0/0/1] port link-type dot1q-tunnel
[HUAWEI-GigabitEthernet0/0/1] port default vlan 10 //Set the PVID of the interface to VLAN 10. The interface adds a VLAN 10 tag to all received data packets.

  If the interface does not use the default VLAN configuration when you change its link type, the system displays the message "Error: Please renew the default configurations." Restore the default configuration of the interface first, and then change the link type.

  Restore the default VLAN configuration of an access or Dot1q-tunnel interface.

<HUAWEI> system-view
[HUAWEI] interface gigabitethernet0/0/1
[HUAWEI-GigabitEthernet0/0/1] undo port default vlan

  Restore the default VLAN configuration of a trunk interface.

<HUAWEI> system-view
[HUAWEI] interface gigabitethernet0/0/1
[HUAWEI-GigabitEthernet0/0/1] undo port trunk pvid vlan
[HUAWEI-GigabitEthernet0/0/1] undo port trunk allow-pass vlan all
[HUAWEI-GigabitEthernet0/0/1] port trunk allow-pass vlan 1

  Restore the default VLAN configuration of a hybrid interface.

<HUAWEI> system-view
[HUAWEI] interface gigabitethernet0/0/1
[HUAWEI-GigabitEthernet0/0/1] undo port hybrid pvid vlan
[HUAWEI-GigabitEthernet0/0/1] undo port hybrid vlan all
[HUAWEI-GigabitEthernet0/0/1] port hybrid untagged vlan 1


9 Common QinQ Operations

About This Chapter


This chapter describes common QinQ operations.
9.1 Configuring Basic QinQ
9.2 Configuring Selective QinQ
9.3 Configuring the Device to Add Double Tags to Untagged Packets
9.4 Deleting the Selective QinQ Configuration


9.1 Configuring Basic QinQ


Basic QinQ, also called common QinQ, is implemented per interface. When an interface enabled with basic QinQ receives a packet, the device adds a tag carrying the default VLAN ID of the interface as the outer tag:

- If the received packet already carries one VLAN tag, the packet then carries double tags.
- If the received packet carries no VLAN tag, the packet then carries only the default VLAN tag of the interface.

# Create VLAN 10, which is used as the outer VLAN.

<HUAWEI> system-view
[HUAWEI] vlan 10
[HUAWEI-vlan10] quit

# Configure downlink interface GE1/0/1.

[HUAWEI] interface gigabitethernet1/0/1
[HUAWEI-GigabitEthernet1/0/1] port link-type dot1q-tunnel //Set the link type to Dot1q-tunnel.
[HUAWEI-GigabitEthernet1/0/1] port default vlan 10 //GE1/0/1 tags all received data packets with VLAN 10.

# Configure uplink interface GE1/0/2 to transparently transmit packets with VLAN 10 in the outer tag.

[HUAWEI] interface gigabitethernet1/0/2
[HUAWEI-GigabitEthernet1/0/2] port link-type trunk
[HUAWEI-GigabitEthernet1/0/2] port trunk allow-pass vlan 10

9.2 Configuring Selective QinQ

Selective QinQ, also called VLAN stacking or QinQ stacking, is implemented per interface and per VLAN.
Configure the device to add VLAN 2 as the outer tag of packets whose inner tag is VLAN 100 to 200, to add VLAN 3 as the outer tag of packets whose inner tag is VLAN 300 to 400, and to transparently transmit packets from VLAN 1000.

- Configure selective QinQ on a fixed switch.

# Create VLAN 2, VLAN 3, and VLAN 1000.

<HUAWEI> system-view
[HUAWEI] vlan batch 2 3 1000

# Configure downlink interface GE0/0/1.

[HUAWEI] interface gigabitethernet0/0/1
[HUAWEI-GigabitEthernet0/0/1] port link-type hybrid
[HUAWEI-GigabitEthernet0/0/1] qinq vlan-translation enable //VLAN translation must be enabled on a fixed switch.
[HUAWEI-GigabitEthernet0/0/1] port hybrid untagged vlan 2 3 //The interface joins VLAN 2 and VLAN 3 in untagged mode.
[HUAWEI-GigabitEthernet0/0/1] port hybrid tagged vlan 1000 //The interface transparently transmits packets tagged with VLAN 1000.
[HUAWEI-GigabitEthernet0/0/1] port vlan-stacking vlan 100 to 200 stack-vlan 2 //The interface adds VLAN 2 as the outer tag of packets with VLANs 100 to 200 in the inner tag.
[HUAWEI-GigabitEthernet0/0/1] port vlan-stacking vlan 300 to 400 stack-vlan 3 //The interface adds VLAN 3 as the outer tag of packets with VLANs 300 to 400 in the inner tag.
[HUAWEI-GigabitEthernet0/0/1] port vlan-mapping vlan 1000 map-vlan 1000 //On the S5700EI, S3700EI, and S3700SI, the VLAN whose single-tagged packets are to be transparently transmitted must be mapped to itself.
[HUAWEI-GigabitEthernet0/0/1] quit


# Configure uplink interface GE0/0/5 to transparently transmit packets from VLAN 2, VLAN 3, and VLAN 1000.

[HUAWEI] interface gigabitethernet0/0/5
[HUAWEI-GigabitEthernet0/0/5] port link-type trunk
[HUAWEI-GigabitEthernet0/0/5] port trunk allow-pass vlan 2 3 1000

- Configure selective QinQ on a modular switch.

# Create VLAN 2, VLAN 3, and VLAN 1000.

<HUAWEI> system-view
[HUAWEI] vlan batch 2 3 1000

# Configure downlink interface GE1/0/1.

[HUAWEI] interface gigabitethernet1/0/1
[HUAWEI-GigabitEthernet1/0/1] port link-type hybrid
[HUAWEI-GigabitEthernet1/0/1] port hybrid untagged vlan 2 3 //The interface joins VLAN 2 and VLAN 3 in untagged mode.
[HUAWEI-GigabitEthernet1/0/1] port hybrid tagged vlan 1000 //The interface transparently transmits packets tagged with VLAN 1000.
[HUAWEI-GigabitEthernet1/0/1] port vlan-stacking vlan 100 to 200 stack-vlan 2 //The interface adds VLAN 2 as the outer tag of packets with VLANs 100 to 200 in the inner tag.
[HUAWEI-GigabitEthernet1/0/1] port vlan-stacking vlan 300 to 400 stack-vlan 3 //The interface adds VLAN 3 as the outer tag of packets with VLANs 300 to 400 in the inner tag.
[HUAWEI-GigabitEthernet1/0/1] port vlan-mapping vlan 1000 map-vlan 1000 //On the ES0D0G24SA00 and ES0D0G24CA00 cards of the S7700 and the EH1D2S24CSA0 and EH1D2G24SSA0 cards of the S9700, the VLAN whose single-tagged packets are to be transparently transmitted must be mapped to itself.
[HUAWEI-GigabitEthernet1/0/1] quit

# Configure uplink interface GE2/0/1 to transparently transmit packets from VLAN 2, VLAN 3, and VLAN 1000.

[HUAWEI] interface gigabitethernet2/0/1
[HUAWEI-GigabitEthernet2/0/1] port link-type trunk
[HUAWEI-GigabitEthernet2/0/1] port trunk allow-pass vlan 2 3 1000

9.3 Configuring the Device to Add Double Tags to Untagged Packets

# Configure GE0/0/1 to add double tags to received untagged packets.

<HUAWEI> system-view
[HUAWEI] vlan 10 //Create VLAN 10, which is used as the outer VLAN.
[HUAWEI-vlan10] quit
[HUAWEI] interface gigabitethernet0/0/1
[HUAWEI-GigabitEthernet0/0/1] port link-type hybrid
[HUAWEI-GigabitEthernet0/0/1] qinq vlan-translation enable //VLAN translation must be enabled on a fixed switch. This command is not required on a modular switch.
[HUAWEI-GigabitEthernet0/0/1] port hybrid untagged vlan 10 //The interface joins VLAN 10 in untagged mode.
[HUAWEI-GigabitEthernet0/0/1] port vlan-stacking untagged stack-vlan 10 stack-inner-vlan 5 //The interface tags untagged packets with inner VLAN 5 and outer VLAN 10.


NOTE
- The S5700SI, the S5700EI, the ES0D0G24SA00 and ES0D0G24CA00 cards of the S7700, and the EH1D2G24SSA0 and EH1D2S24CSA0 cards of the S9700 do not support this configuration.
- If the following message is displayed when you configure the device to add double tags to untagged packets, run the port link-type hybrid command to change the link type of the interface to hybrid:
[HUAWEI-GigabitEthernet0/0/1] port vlan-stacking untagged stack-vlan 10 stack-inner-vlan 5
Error: The port is not a Trunk or Hybrid port.
- If the following message is displayed when you configure a fixed switch to add double tags to untagged packets, run the qinq vlan-translation enable command to enable VLAN translation:
[HUAWEI-GigabitEthernet0/0/1] port vlan-stacking untagged stack-vlan 10 stack-inner-vlan 5
Error: Please configure qinq vlan-translation enable on this port first.
- If the following message is displayed when you configure the device to add double tags to untagged packets, run the undo port hybrid pvid vlan command to restore the PVID of the interface to 1:
[HUAWEI-GigabitEthernet0/0/1] port vlan-stacking untagged stack-vlan 10 stack-inner-vlan 5
Error: This port has been configured with default VLAN or PVID, please undo it first.
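The tagging rules of chapters 8 and 9 (access, trunk and hybrid membership in 8.2 and 8.5; Dot1q-tunnel basic QinQ in 9.1; vlan-stacking selective QinQ in 9.2 and the untagged double-tag case in 9.3) modelled on raw Ethernet frames. This is an added example, not Huawei code: it builds and parses 802.1Q tags with struct and applies the ingress behaviour the guide describes for each link type. The PortConfig fields, the use of TPID 0x8100 for both the inner and outer tag, and the sample frames are this example's assumptions.

```python
"""Ingress VLAN handling for access, trunk, hybrid and dot1q-tunnel ports,
including selective QinQ (vlan-stacking). Added example, not Huawei code.
"""
import struct
from dataclasses import dataclass, field
from typing import Optional

TPID = 0x8100  # assumed 802.1Q TPID for both the inner and the outer tag


@dataclass
class PortConfig:
    link_type: str                        # "access" | "trunk" | "hybrid" | "dot1q-tunnel"
    pvid: int = 1                         # port default vlan / port trunk|hybrid pvid vlan
    allowed: frozenset = frozenset({1})   # trunk allow-pass / hybrid tagged + untagged VLANs
    stacking: dict = field(default_factory=dict)   # inner VID -> outer VID (port vlan-stacking vlan ... stack-vlan)
    stack_untagged: Optional[tuple] = None         # (outer, inner) for port vlan-stacking untagged ...


def parse_frame(frame):
    """Split a raw Ethernet frame into (dst, src, [VIDs outer->inner], ethertype, payload)."""
    dst, src, off, vids = frame[:6], frame[6:12], 12, []
    while struct.unpack("!H", frame[off:off + 2])[0] == TPID:
        tci = struct.unpack("!H", frame[off + 2:off + 4])[0]
        vids.append(tci & 0x0FFF)        # the VLAN ID is the low 12 bits of the TCI
        off += 4
    etype = struct.unpack("!H", frame[off:off + 2])[0]
    return dst, src, vids, etype, frame[off + 2:]


def build_frame(dst, src, vids, etype, payload):
    """Inverse of parse_frame; vids are listed outer tag first."""
    tags = b"".join(struct.pack("!HH", TPID, v) for v in vids)
    return dst + src + tags + struct.pack("!H", etype) + payload


def ingress(port, frame):
    """Return the frame as it enters the switching fabric, or None if the port drops it."""
    dst, src, vids, etype, payload = parse_frame(frame)
    lt = port.link_type
    if lt == "dot1q-tunnel":
        # Basic QinQ (9.1): the PVID is pushed as a new outer tag on every received frame,
        # so a single-tagged frame ends up with two tags and an untagged one with one.
        return build_frame(dst, src, [port.pvid] + vids, etype, payload)
    if lt == "hybrid":
        # Selective QinQ (9.2, 9.3) is matched before ordinary VLAN membership.
        if not vids and port.stack_untagged:
            outer, inner = port.stack_untagged
            return build_frame(dst, src, [outer, inner], etype, payload)
        if vids and vids[0] in port.stacking:
            return build_frame(dst, src, [port.stacking[vids[0]]] + vids, etype, payload)
    if not vids:
        # Untagged frames are classified into the PVID; a trunk/hybrid port must also carry it.
        if lt in ("trunk", "hybrid") and port.pvid not in port.allowed:
            return None
        return build_frame(dst, src, [port.pvid], etype, payload)
    if lt == "access":
        # An access port accepts a tagged frame only if the tag already equals its PVID.
        return frame if vids[0] == port.pvid else None
    # trunk / hybrid: tagged frames pass only for VLANs in the allow list.
    return frame if vids[0] in port.allowed else None


def ingress_vids(port, frame):
    """The VLAN tags (outer->inner) the fabric sees for this frame, or None if dropped."""
    out = ingress(port, frame)
    return None if out is None else parse_frame(out)[2]


# Constructed sample frames: broadcast destination, made-up source MAC, one-byte IPv4 stub.
_DST, _SRC = b"\xff" * 6, bytes.fromhex("0011223344aa")
SAMPLE_UNTAGGED = build_frame(_DST, _SRC, [], 0x0800, b"\x45")
SAMPLE_VLAN20 = build_frame(_DST, _SRC, [20], 0x0800, b"\x45")
SAMPLE_VLAN150 = build_frame(_DST, _SRC, [150], 0x0800, b"\x45")
SAMPLE_DOUBLE_10_30 = build_frame(_DST, _SRC, [10, 30], 0x0800, b"\x45")

# The selective QinQ downlink of 9.2: inner 100-200 -> outer 2, inner 300-400 -> outer 3,
# VLAN 1000 carried transparently, VLAN 1 as the default untagged VLAN.
SELECTIVE_QINQ_PORT = PortConfig(
    "hybrid", pvid=1, allowed=frozenset({1, 2, 3, 1000}),
    stacking={**{v: 2 for v in range(100, 201)}, **{v: 3 for v in range(300, 401)}},
)

if __name__ == "__main__":
    print(ingress_vids(PortConfig("dot1q-tunnel", pvid=10), SAMPLE_VLAN20))   # [10, 20]
    print(ingress_vids(SELECTIVE_QINQ_PORT, SAMPLE_VLAN150))                  # [2, 150]
```

Note the access-port case: a frame that already carries the port's PVID is accepted unchanged, so a second tag hidden behind it (SAMPLE_DOUBLE_10_30 on an access port with PVID 10) survives into the fabric. That is the precondition for the classic double-tagging VLAN hop, and the reason not to reuse the PVID of an uplink trunk as a user VLAN.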

9.4 Deleting the Selective QinQ Configuration


# Delete all the selective QinQ configuration of an interface.
<HUAWEI> system-view
[HUAWEI] interface gigabitethernet 1/0/1
[HUAWEI-GigabitEthernet1/0/1] undo port vlan-stacking all

# Delete the configuration of an inner VLAN in selective QinQ.

<HUAWEI> system-view
[HUAWEI] interface gigabitethernet 1/0/1
[HUAWEI-GigabitEthernet1/0/1] undo port vlan-stacking vlan 3 stack-vlan 10 //Delete the selective QinQ configuration with VLAN 3 in the inner tag.

10 Common STP/RSTP Operations

About This Chapter


This chapter describes common STP/RSTP operations.
10.1 Enabling STP/RSTP
10.2 Disabling STP/RSTP
10.3 Configuring Root Protection
10.4 Configuring an Edge Port
10.5 Changing the STP/RSTP Cost
10.6 Displaying the STP/RSTP Status
10.7 Displaying the Root Bridge


10.1 Enabling STP/RSTP


Enabling STP/RSTP Globally
Run the stp enable command in the system view.
<HUAWEI> system-view
[HUAWEI] stp enable

Enabling STP/RSTP on an Interface


Run the stp enable command in the interface view.
<HUAWEI> system-view
[HUAWEI] interface gigabitethernet 1/0/1
[HUAWEI-GigabitEthernet1/0/1] stp enable

10.2 Disabling STP/RSTP


Disabling STP/RSTP Globally
Run the undo stp enable command in the system view.
<HUAWEI> system-view
[HUAWEI] undo stp enable

Disabling STP/RSTP on an Interface


Run the undo stp enable command in the interface view.
<HUAWEI> system-view
[HUAWEI] interface gigabitethernet 1/0/1
[HUAWEI-GigabitEthernet1/0/1] undo stp enable

10.3 Configuring Root Protection


Run the stp root-protection command in the interface view.
<HUAWEI> system-view
[HUAWEI] interface gigabitethernet 1/0/1
[HUAWEI-GigabitEthernet1/0/1] stp root-protection

10.4 Configuring an Edge Port


Run the stp edged-port enable command in the interface view.
<HUAWEI> system-view
[HUAWEI] interface gigabitethernet 1/0/1
[HUAWEI-GigabitEthernet1/0/1] stp edged-port enable

10.5 Changing the STP/RSTP Cost


Run the stp cost cost command in the interface view.

<HUAWEI> system-view
[HUAWEI] interface gigabitethernet 1/0/1
[HUAWEI-GigabitEthernet1/0/1] stp cost 20000

10.6 Displaying the STP/RSTP Status


# Display the spanning tree status and statistics.

<HUAWEI> display stp brief
 MSTID  Port                        Role  STP State     Protection
   0    GigabitEthernet1/0/22       DESI  FORWARDING      NONE
   0    GigabitEthernet1/0/27       DESI  FORWARDING      NONE
   0    GigabitEthernet1/0/28       DESI  FORWARDING      NONE
   0    GigabitEthernet1/0/35       DESI  FORWARDING      NONE
   0    GigabitEthernet1/0/40       DESI  FORWARDING      NONE

10.7 Displaying the Root Bridge


# Display the spanning tree status of the root bridge.

<HUAWEI> display stp bridge root
 MSTID  Root ID                Root Cost  Hello Time  Max Age  Forward Delay  Root Port
 -----  --------------------  ----------  ----------  -------  -------------  ---------
     0  61440.781d-ba56-f06c           0           2       20             15
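A check over the two displays above, as an added example that is not part of the guide: it parses display stp brief and display stp bridge root and reports the conditions a reviewer looks for, namely designated ports that carry no protection (what 10.3's stp root-protection closes) and a root bridge whose priority a default-configured switch would beat. The sample outputs are constructed after the guide's examples (the brief sample adds one ROOT-role port and one root-protected port so the check has something to distinguish), the function names are this example's own, and it is assumed that the Protection column reads ROOT when root protection is configured.

```python
"""Audit helpers for `display stp brief` and `display stp bridge root` (10.6, 10.7).
Added example, not Huawei code; sample outputs below are constructed.
"""
import re

DEFAULT_BRIDGE_PRIORITY = 32768   # IEEE 802.1D default; the lowest priority wins the election

SAMPLE_STP_BRIEF = """\
 MSTID  Port                        Role  STP State     Protection
   0    GigabitEthernet1/0/22       DESI  FORWARDING      NONE
   0    GigabitEthernet1/0/27       DESI  FORWARDING      NONE
   0    GigabitEthernet1/0/28       DESI  FORWARDING      ROOT
   0    GigabitEthernet1/0/35       ROOT  FORWARDING      NONE
   0    GigabitEthernet1/0/40       DESI  FORWARDING      NONE
"""

SAMPLE_BRIDGE_ROOT = """\
 MSTID  Root ID                Root Cost  Hello Time  Max Age  Forward Delay  Root Port
 -----  --------------------  ----------  ----------  -------  -------------  ---------
     0  61440.781d-ba56-f06c           0           2       20             15
"""

# A port row is exactly five columns starting with a numeric MSTID; the header and the
# separator line do not match, so no special-casing is needed.
_BRIEF_ROW = re.compile(r"^\s*(\d+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s*$")
_ROOT_ROW = re.compile(r"^\s*(\d+)\s+(\d+)\.([0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4})\s+(\d+)")


def parse_stp_brief(text):
    """One dict per port row of `display stp brief`."""
    rows = []
    for line in text.splitlines():
        m = _BRIEF_ROW.match(line)
        if m:
            mstid, port, role, state, protection = m.groups()
            rows.append({"mstid": int(mstid), "port": port, "role": role,
                         "state": state, "protection": protection})
    return rows


def unprotected_designated_ports(text):
    """Designated ports with no protection configured. A device attached there that
    sends superior BPDUs can take over the root role; stp root-protection on the
    port (10.3) is the countermeasure the guide provides."""
    return [r["port"] for r in parse_stp_brief(text)
            if r["role"] == "DESI" and r["protection"] == "NONE"]


def parse_bridge_root(text):
    """{mstid: (root priority, root MAC, root path cost)} from `display stp bridge root`."""
    roots = {}
    for line in text.splitlines():
        m = _ROOT_ROW.match(line)
        if m:
            roots[int(m.group(1))] = (int(m.group(2)), m.group(3), int(m.group(4)))
    return roots


def root_priority_weaker_than_default(text):
    """Per instance: True when a bridge left at the default priority would out-rank
    the current root, i.e. any default-configured switch added to the domain wins."""
    return {mstid: priority > DEFAULT_BRIDGE_PRIORITY
            for mstid, (priority, _mac, _cost) in parse_bridge_root(text).items()}


if __name__ == "__main__":
    print(unprotected_designated_ports(SAMPLE_STP_BRIEF))
    print(root_priority_weaker_than_default(SAMPLE_BRIDGE_ROOT))
```

The root bridge in the guide's own output, 61440.781d-ba56-f06c, has priority 61440, the highest (least preferred) value the protocol allows, so any bridge at the default 32768 would win the election; the intended root should carry a low priority and its designated ports facing untrusted segments should have root protection enabled.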


11 Common DHCP Operations

About This Chapter


This chapter describes common DHCP operations.
Table 11-1 lists the versions and products that support the DHCP server, relay, client, and
DHCP snooping functions.
Table 11-1 Applicable products and versions

Version                   Model
V100R006C05               - DHCP server and relay: S3700SI and S3700EI
                          - DHCP client: all products
                          - DHCP snooping: S2700EI, S3700SI, and S3700EI
V200R001C00&C01           - DHCP server and relay: S9700, S7700, S6700, S5710EI, S5700HI, S5700EI, S5700SI, S3700HI
                          - DHCP client: all products
                          - DHCP snooping: all products
V200R002C00               - DHCP server and relay: S9700, S7700, S6700, S5710EI, S5700HI, S5700EI, S5700SI
                          - DHCP client: all products
                          - DHCP snooping: all products
V200R003C00&C02&C10       - DHCP server and relay: S9700, S7700, S6700, S5710HI, S5710EI, S5700HI, S5700EI, S5700SI
                          - DHCP client: all products
                          - DHCP snooping: all products
V200R005C00&C01           - DHCP server and relay: S9700, S7700, S6700, S5710HI, S5710EI, S5700HI, S5700EI, S5700SI, S5700LI, S5700SL, S2750EI
                          - DHCP client: all products
                          - DHCP snooping: all products
V200R006C00 and later     - DHCP server and relay: all products
                          - DHCP client: all products
                          - DHCP snooping: all products

11.1 Configuring IP Addresses Not Dynamically Assigned


11.2 Modifying the Lease
11.3 Assigning Fixed IP Addresses to Clients
11.4 Withdrawing the Fixed IP Addresses Assigned to Clients
11.5 Checking IP Addresses Used
11.6 Clearing Conflicting Addresses
11.7 Increasing the Address Pool Range
11.8 Decreasing the Address Pool Range
11.9 Preventing a Device from Obtaining an IP Address from a Pseudo DHCP Server
11.10 Disabling the DHCP Service


11.1 Configuring IP Addresses Not Dynamically Assigned


You can configure IP addresses that are not dynamically assigned in scenarios such as the following:

- An enterprise requires that the IP addresses assigned to employees' computers be within the range 10.1.1.2-10.1.1.254 (gateway address 10.1.1.1). To keep the enterprise DNS server stable, its address is configured manually as 10.1.1.10. Therefore 10.1.1.10 can be configured as an IP address that is not dynamically assigned.
- An enterprise assigns the IP addresses 10.1.1.2-10.1.1.100 (gateway address 10.1.1.1) to the clients in department A and 10.1.1.101-10.1.1.254 to those in department B, using global address pools. When the device functions as the DHCP server, create two address pools: pool1 (assigns addresses to hosts in department A) and pool2 (assigns addresses to hosts in department B), both with a 24-bit mask. Configure 10.1.1.101-10.1.1.254 in pool1 and 10.1.1.1-10.1.1.100 in pool2 as IP addresses that are not dynamically assigned.

Configure the IP addresses that are not dynamically assigned on the device functioning as the DHCP server. For example, in an address pool on the network segment 10.1.1.0 with a mask length of 24, configure 10.1.1.100-10.1.1.200 as IP addresses that are not dynamically assigned.

- Configuration in the global address pool:

<HUAWEI> system-view
[HUAWEI] ip pool pool1
[HUAWEI-ip-pool-pool1] network 10.1.1.0 mask 24
[HUAWEI-ip-pool-pool1] gateway-list 10.1.1.1
[HUAWEI-ip-pool-pool1] excluded-ip-address 10.1.1.100 10.1.1.200

- Configuration in the interface address pool:

<HUAWEI> system-view
[HUAWEI] dhcp enable
[HUAWEI] interface vlanif 100
[HUAWEI-Vlanif100] ip address 10.1.1.1 24
[HUAWEI-Vlanif100] dhcp select interface
[HUAWEI-Vlanif100] dhcp server excluded-ip-address 10.1.1.100 10.1.1.200

11.2 Modifying the Lease


You can modify the lease on the device functioning as a DHCP server or as a DHCP client. When a DHCP server assigns a lease, it compares the lease requested by the DHCP client with the lease configured in the address pool and grants the shorter of the two.
By default, the lease is one day on the device functioning as a DHCP server, and no expected lease is configured on the device functioning as a DHCP client.

# On the device functioning as a DHCP server, set the lease of the IP addresses in global address pool pool1 or interface address pool VLANIF100 to 10 days.

- Configuration in the global address pool:

<HUAWEI> system-view
[HUAWEI] ip pool pool1
[HUAWEI-ip-pool-pool1] lease day 10

- Configuration in the interface address pool:

<HUAWEI> system-view
[HUAWEI] interface vlanif 100
[HUAWEI-Vlanif100] dhcp server lease day 10

# On the device functioning as a DHCP client, set the expected lease to 10 days (864000 seconds).

<HUAWEI> system-view
[HUAWEI] interface vlanif 100
[HUAWEI-Vlanif100] dhcp client expected-lease 864000

11.3 Assigning Fixed IP Addresses to Clients


In network planning, some devices need fixed IP addresses for stability, for example the DNS servers of an enterprise or the printers in an office building. A fixed IP address can be configured statically (using the ip address command) or obtained through DHCP. The following example assigns fixed IP addresses to clients through DHCP.
Configure the fixed IP addresses on the device functioning as the DHCP server. For example, in an address pool on the network segment 10.1.1.0 with a mask length of 24, configure the IP address 10.1.1.100 to be assigned only to the client with the MAC address dcd2-fc96-e4c0.

- Configuration in the global address pool:

<HUAWEI> system-view
[HUAWEI] ip pool pool1
[HUAWEI-ip-pool-pool1] static-bind ip-address 10.1.1.100 mac-address dcd2-fc96-e4c0

- Configuration in the interface address pool:

<HUAWEI> system-view
[HUAWEI] interface vlanif 100
[HUAWEI-Vlanif100] dhcp server static-bind ip-address 10.1.1.100 mac-address dcd2-fc96-e4c0

11.4 Withdrawing the Fixed IP Addresses Assigned to Clients

Withdraw IP addresses assigned to clients on the device functioning as the DHCP server. For example, in an address pool on the network segment 10.1.1.0 with a mask length of 24, withdraw the IP address 10.1.1.5 assigned to a client. Run the display ip pool { interface interface-pool-name | name ip-pool-name } used command to check the static binding relationships between clients and IP addresses. For the command output, see 11.5 Checking IP Addresses Used.

- Configuration in the global address pool:

  a. Withdraw the IP address 10.1.1.5.

<HUAWEI> reset ip pool name pool1 10.1.1.5

  b. Cancel the static binding relationship.

<HUAWEI> system-view
[HUAWEI] ip pool pool1
[HUAWEI-ip-pool-pool1] undo static-bind ip-address 10.1.1.5

- Configuration in the interface address pool:

  a. Withdraw the IP address 10.1.1.5.

<HUAWEI> reset ip pool interface vlanif100 10.1.1.5

  b. Cancel the static binding relationship.

<HUAWEI> system-view
[HUAWEI] interface vlanif 100
[HUAWEI-Vlanif100] undo dhcp server static-bind ip-address 10.1.1.5

11.5 Checking IP Addresses Used


On the device functioning as a DHCP server, run the display ip pool { interface interface-pool-name | name ip-pool-name } used command to check the IP addresses in use.
For example, the following command output shows that global address pool pool1 holds 253 assignable IP addresses (10.1.1.1-10.1.1.254, excluding the gateway address 10.1.1.2). The IP address 10.1.1.254 is in use by the DHCP client with MAC address 0235-2036-adcc, and 10.1.1.5 is statically bound to the DHCP client with MAC address 00e0-0987-7895.

<HUAWEI> display ip pool name pool1 used
  Pool-name      : pool1
  Pool-No        : 0
  Lease          : 1 Days 0 Hours 0 Minutes
  Domain-name    : -
  DNS-server0    : -
  NBNS-server0   : -
  Netbios-type   : -
  Position       : Local            Status         : Unlocked
  Gateway-0      : 10.1.1.2
  Network        : 10.1.1.0
  Mask           : 255.255.255.0
  VPN instance   : --
  -----------------------------------------------------------------------------
  Start           End             Total   Used   Idle(Expired)   Conflict   Disable
  -----------------------------------------------------------------------------
  10.1.1.1        10.1.1.254      253            252(0)
  -----------------------------------------------------------------------------
  Network section :
  -----------------------------------------------------------------------------
  Index   IP              MAC               Lease   Status
  -----------------------------------------------------------------------------
  253     10.1.1.254      0235-2036-adcc    178     Used
  4       10.1.1.5        00e0-0987-7895    60      Static-bind
  -----------------------------------------------------------------------------
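The pool accounting behind sections 11.1 to 11.5, as an added example that is not Huawei code: a small model of a DHCP server address pool with the network and mask, the gateway, excluded-ip-address ranges, static-bind entries, lease handling (the server grants the shorter of its lease and the client's expected lease, 11.2) and withdrawal of a lease (11.4). It reproduces the Total of 253 shown in the output above and the /25 to /24 host arithmetic that 11.7 relies on. The class and function names, and the MAC addresses other than those in the guide, are this example's own.

```python
"""Address-pool accounting for the DHCP server operations in sections 11.1-11.5 and 11.7.
Added example, not Huawei code.
"""
import ipaddress


class AddressPool:
    def __init__(self, network, gateway, lease_seconds=86400):
        self.net = ipaddress.ip_network(network, strict=True)   # e.g. "10.1.1.0/24"
        self.gateway = ipaddress.ip_address(gateway)            # gateway-list
        self.lease = lease_seconds                              # default lease: one day
        self.excluded = set()                                   # excluded-ip-address ranges
        self.static = {}                                        # MAC -> address (static-bind)
        self.leased = {}                                        # address -> MAC (current bindings)

    def exclude(self, first, last):
        """excluded-ip-address first last: an inclusive range never handed out."""
        lo, hi = int(ipaddress.ip_address(first)), int(ipaddress.ip_address(last))
        self.excluded.update(ipaddress.ip_address(i) for i in range(lo, hi + 1))

    def static_bind(self, address, mac):
        """static-bind ip-address ... mac-address ...: reserve an address for one client."""
        self.static[mac.lower()] = ipaddress.ip_address(address)

    def assignable(self):
        """Addresses the server may hand out: the hosts of the network minus the gateway
        and anything excluded. Its length is the Total column of display ip pool ... used."""
        return [a for a in self.net.hosts()
                if a != self.gateway and a not in self.excluded]

    def effective_lease(self, client_expected=None):
        """The server grants the shorter of the pool lease and what the client asked for."""
        return self.lease if client_expected is None else min(self.lease, client_expected)

    def allocate(self, mac):
        """Static binding first; otherwise the lowest idle, unreserved address.
        Returns None when the pool is exhausted."""
        mac = mac.lower()
        if mac in self.static:
            addr = self.static[mac]
        else:
            reserved = set(self.static.values())
            addr = next((a for a in self.assignable()
                         if a not in self.leased and a not in reserved), None)
            if addr is None:
                return None
        self.leased[addr] = mac
        return addr

    def release(self, address):
        """reset ip pool ... <address>: withdraw a lease so the address is idle again."""
        self.leased.pop(ipaddress.ip_address(address), None)


def host_count(prefix_len):
    """Usable IPv4 hosts in a prefix: /25 -> 126, /24 -> 254, the figures 11.7 works with."""
    return 2 ** (32 - prefix_len) - 2


if __name__ == "__main__":
    # The pool from the 11.5 output: 10.1.1.0/24 with gateway 10.1.1.2 -> Total 253.
    pool = AddressPool("10.1.1.0/24", "10.1.1.2")
    pool.static_bind("10.1.1.5", "00e0-0987-7895")
    print(len(pool.assignable()), pool.allocate("0235-2036-adcc"), pool.allocate("00e0-0987-7895"))
    print(host_count(24) - host_count(25))   # 128, as the NOTE in 11.7 states
```

The allocate() order is this example's simplification (lowest idle address first); the point it makes is that a statically bound address is held back from dynamic clients even while it is idle, which is why the 11.5 output lists 10.1.1.5 as Static-bind rather than Idle.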

11.6 Clearing Conflicting Addresses


Clear conflicting addresses in the address pool on the device functioning as a DHCP server so that they can be assigned again. For example, clear the conflicting IP addresses in global address pool pool1 or interface address pool VLANIF100.

NOTE
Clients whose addresses conflicted must reconnect to obtain new IP addresses.

- Configuration in the global address pool:

<HUAWEI> reset ip pool name pool1 conflict

- Configuration in the interface address pool:

<HUAWEI> reset ip pool interface vlanif100 conflict

11.7 Increasing the Address Pool Range


You can reduce the mask length of an address pool to increase the address pool range. For
example, a DHCP server can assign IP addresses (in an address pool with a mask length of
25) to 126 users. Then 120 users are added to the network and also obtain IP addresses
through DHCP. In this case, you need to reduce the mask length of the address pool to 24.
Before increasing the address pool range, check whether IP addresses have been assigned to
clients. For details, see 11.5 Checking IP Addresses Used.
NOTE

l After the mask length is changed from 25 to 24, 128 new users can be assigned IP addresses.
l The increased address range cannot conflict with other address ranges on the network.
l The ratio of the client quantity to the address pool range is planned according to the clients' online status.
If all clients (for example, enterprise employees' PCs) are online concurrently, ensure that the number of
addresses that can be assigned in the address pool is equal to or greater than the number of clients. If the
clients (for example, PCs in public areas such as hotels and Internet cafes) are not online concurrently, the
number of addresses that can be assigned in the address pool can be less than the number of clients.

If the addresses have not been assigned:


Reduce the mask length of the address pool on the device functioning as the DHCP
server to increase the address pool range.

Configuration in the global address pool:


<HUAWEI> system-view
[HUAWEI] ip pool pool1
[HUAWEI-ip-pool-pool1] undo network
[HUAWEI-ip-pool-pool1] network 10.1.1.0 mask 24 //Adjust the mask length.

Configuration in the interface address pool:


<HUAWEI> system-view
[HUAWEI] interface vlanif 100
[HUAWEI-Vlanif100] ip address 10.1.1.1 24 //Adjust the mask length.
[HUAWEI-Vlanif100] dhcp select interface //Re-enable the interface
address pool function.

If the addresses have been assigned:


On the device functioning as the DHCP server, perform the following operations in
sequence to increase the address pool range: withdraw IP addresses (only in the global
address pool), configure the function to prevent repetitive IP address allocation, and
adjust the mask length of the address pool.

Configuration in the global address pool:


<HUAWEI> reset ip pool name pool1 all //Withdraw all IP addresses.
<HUAWEI> system-view
[HUAWEI] dhcp server ping packet 3 //Enable the function of preventing
repetitive IP address allocation.
[HUAWEI] dhcp server ping timeout 100 //Enable the function of
preventing repetitive IP address allocation.
[HUAWEI] ip pool pool1
[HUAWEI-ip-pool-pool1] undo network
[HUAWEI-ip-pool-pool1] network 10.1.1.0 mask 24 //Adjust the mask
length.


Configuration in the interface address pool:


<HUAWEI> system-view
[HUAWEI] dhcp server ping packet 3 //Enable the function of preventing
repetitive IP address allocation.
[HUAWEI] dhcp server ping timeout 100 //Enable the function of
preventing repetitive IP address allocation.
[HUAWEI] interface vlanif 100
[HUAWEI-Vlanif100] ip address 10.1.1.1 24 //Adjust the mask length.
[HUAWEI-Vlanif100] dhcp select interface //Re-enable the interface
address pool function.

11.8 Decreasing the Address Pool Range


You can increase the mask length of an address pool to decrease the address pool range. For
example, a DHCP server can assign IP addresses (in an address pool with a mask length of
24) to 254 users. Then 140 users are deleted from the network. To save address resources, you
can increase the mask length of the address pool to 25 so that the address pool range is
decreased. Before decreasing the address pool range, check whether IP addresses have been
assigned to clients. For details, see 11.5 Checking IP Addresses Used.
NOTE

After the mask length is increased from 24 to 25, 128 IP addresses can be saved.

If the addresses have not been assigned:


Increase the mask length of an address pool on a device functioning as the DHCP server
to decrease the address pool range.

Configuration in the global address pool:


<HUAWEI> system-view
[HUAWEI] ip pool pool1
[HUAWEI-ip-pool-pool1] undo network
[HUAWEI-ip-pool-pool1] network 10.1.1.0 mask 25 //Adjust the mask length.

Configuration in the interface address pool:


<HUAWEI> system-view
[HUAWEI] interface vlanif 100
[HUAWEI-Vlanif100] ip address 10.1.1.1 25 //Adjust the mask length.
[HUAWEI-Vlanif100] dhcp select interface //Re-enable the interface
address pool function.

If the addresses have been assigned:


On the device functioning as the DHCP server, perform the following operations in
sequence to decrease the address pool range: withdraw IP addresses (only in the global
address pool), configure the function to prevent repetitive IP address allocation, and
adjust the mask length of the address pool.
NOTE

After the address pool range is decreased, the clients that have IP addresses beyond the range will
re-apply for addresses when their leases expire.

Configuration in the global address pool:


<HUAWEI> reset ip pool name pool1 all //Withdraw all IP addresses.
<HUAWEI> system-view
[HUAWEI] dhcp server ping packet 3 //Enable the function of preventing
repetitive IP address allocation.
[HUAWEI] dhcp server ping timeout 100 //Enable the function of
preventing repetitive IP address allocation.
[HUAWEI] ip pool pool1
[HUAWEI-ip-pool-pool1] undo network
[HUAWEI-ip-pool-pool1] network 10.1.1.0 mask 25 //Adjust the mask length.

Configuration in the interface address pool:


<HUAWEI> system-view
[HUAWEI] dhcp server ping packet 3 //Enable the function of preventing
repetitive IP address allocation.
[HUAWEI] dhcp server ping timeout 100 //Enable the function of
preventing repetitive IP address allocation.
[HUAWEI] interface vlanif 100
[HUAWEI-Vlanif100] ip address 10.1.1.1 25 //Adjust the mask length.
[HUAWEI-Vlanif100] dhcp select interface //Re-enable the interface
address pool function.
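
Both 11.7 and 11.8 say to check which addresses are already assigned before changing the mask. The following Python script is an added example (not part of the Huawei guide): it takes the Network section of display ip pool ... used as a constructed sample table plus the old and new mask lengths, and reports how many assignable addresses the change adds or removes and which existing leases would fall outside the new range.

```python
import ipaddress
from typing import Dict, List, Tuple

# Constructed sample of the "Network section" of display ip pool name pool1 used:
# (Index, IP, MAC, Lease, Status). Values are made up for this example.
SAMPLE_USED: List[Tuple[int, str, str, int, str]] = [
    (4,   "10.1.1.5",   "00e0-0987-7895", 60,  "Static-bind"),
    (140, "10.1.1.141", "0200-0000-0a0a", 30,  "Used"),
    (253, "10.1.1.254", "0235-2036-adcc", 178, "Used"),
]


def assignable(network: str, mask_len: int) -> int:
    """Addresses a pool can hand out: all hosts except the network and
    broadcast addresses (126 for a /25, 254 for a /24, as in the guide)."""
    net = ipaddress.ip_network(f"{network}/{mask_len}", strict=False)
    return net.num_addresses - 2


def pool_bounds(network: str, mask_len: int) -> Tuple[str, str]:
    """First and last assignable address (the Start/End columns of the pool display)."""
    net = ipaddress.ip_network(f"{network}/{mask_len}", strict=False)
    return str(net.network_address + 1), str(net.broadcast_address - 1)


def leases_outside(used, network: str, new_mask: int) -> List[str]:
    """IPs in the used table that are no longer assignable after the mask change.
    Static-bind entries are included on purpose: they must be re-planned by hand."""
    net = ipaddress.ip_network(f"{network}/{new_mask}", strict=False)
    first, last = net.network_address + 1, net.broadcast_address - 1
    return [ip for _, ip, _, _, _ in used
            if not first <= ipaddress.ip_address(ip) <= last]


def plan_mask_change(used, network: str, old_mask: int, new_mask: int) -> Dict:
    """Summarise a pool range change the way an operator wants to see it."""
    outside = leases_outside(used, network, new_mask)
    return {
        "old_range": pool_bounds(network, old_mask),
        "new_range": pool_bounds(network, new_mask),
        "delta": assignable(network, new_mask) - assignable(network, old_mask),
        "leases_outside": outside,
        # Per 11.8, clients outside the new range only re-apply when their leases
        # expire, so a shrink is clean only once this list is empty.
        "safe_to_shrink": len(outside) == 0,
    }


if __name__ == "__main__":
    print(plan_mask_change(SAMPLE_USED, "10.1.1.0", 24, 25))
```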

11.9 Preventing a Device from Obtaining an IP Address from a Pseudo DHCP Server

On the Layer 2 access device or the first DHCP relay device, configure DHCP snooping to
prevent the device from obtaining an IP address from a pseudo DHCP server.
NOTE

l For a Layer 2 access device, steps 1-3 are mandatory. Configure this function in sequence.
l For a DHCP relay device, only steps 1 and 2 are mandatory.

1. Enable DHCP snooping globally.

<HUAWEI> system-view
[HUAWEI] dhcp enable
[HUAWEI] dhcp snooping enable

2. Enable DHCP snooping on the interfaces connected to DHCP clients (configure every
interface connected to a DHCP client; GE1/0/1 is used as an example).

[HUAWEI] interface gigabitethernet 1/0/1
[HUAWEI-GigabitEthernet1/0/1] dhcp snooping enable
[HUAWEI-GigabitEthernet1/0/1] quit

3. Configure the interface connected to the DHCP server as a trusted interface.

[HUAWEI] interface gigabitethernet 1/0/2
[HUAWEI-GigabitEthernet1/0/2] dhcp snooping trusted
[HUAWEI-GigabitEthernet1/0/2] quit

11.10 Disabling the DHCP Service


Disable the DHCP service on the device functioning as a DHCP server or DHCP relay, or
configured with DHCP snooping. By default, the DHCP service is disabled.
<HUAWEI> system-view
[HUAWEI] undo dhcp enable


12 Common ARP Operations

About This Chapter


This chapter describes common ARP operations.
12.1 Checking ARP Entries
12.2 Updating ARP Entries
12.3 Setting the Aging Time of ARP Entries
12.4 Configuring Static ARP Entries
12.5 Configuring ARP Proxy
12.6 Shielding ARP Miss Alarms Based on Source IP Addresses
12.7 Configuring Dynamic ARP Detection
12.8 Configuring ARP Gateway Anti-Collision


12.1 Checking ARP Entries


In routine maintenance, you can run the display arp command in any view to check ARP
entry information on the device.
By checking ARP entries on a gateway device, the network administrator can view
information about the connected users, including IP addresses, MAC addresses, and
interfaces. For example, the network administrator can check ARP entry information to query
the MAC address based on the IP address of a user.
When the gateway does not learn the IP address of a connected user, the network
administrator can ping the broadcast address on the network segment on the gateway. For
example, if the gateway IP address is 10.10.10.1/24, the network administrator runs the ping
10.10.10.255 command on the gateway. Then the user on the same network segment sends an
ARP Reply packet. After receiving the ARP Reply packet, the gateway can learn the user's IP
address.
# Check ARP entries on the network segment 172.16.0.0/16.
<HUAWEI> display arp network 172.16.0.0 16
IP ADDRESS      MAC ADDRESS     EXPIRE(M) TYPE        INTERFACE   VPN-INSTANCE    VLAN/CEVLAN
------------------------------------------------------------------------------
172.16.10.3     0025-9efb-be55            S--         GE1/0/6                     100/-
172.16.20.3     0200-0000-00e8            S--         GE1/0/19
172.16.10.1     0025-9ef4-abcd            I -         Vlanif100
172.16.10.2     0025-9efb-be55  20        D-0         GE1/0/6                     100/-
172.16.20.1     0025-9ef4-abcd            I -         GE1/0/19
172.16.20.2     0200-0000-00e8  18        D-0         GE1/0/19
------------------------------------------------------------------------------
Total:6         Dynamic:2       Static:2     Interface:2

In the command output, the ARP entry of each row is described as follows:
l The IP address is 172.16.10.3, MAC address is 0025-9efb-be55, and type is S (indicating
a static ARP entry). For this static ARP entry, the outbound interface is GE1/0/6 and
VLAN ID is 100.
l The IP address is 172.16.20.3, MAC address is 0200-0000-00e8, and type is S
(indicating a static ARP entry). For this static ARP entry, the outbound interface is
GE1/0/19.
l The IP address is 172.16.10.1, MAC address is 0025-9ef4-abcd, and type is I (indicating
an interface ARP entry). This ARP entry indicates that 172.16.10.1 is the IP address of
the interface VLANIF 100.
l The IP address is 172.16.10.2, MAC address is 0025-9efb-be55, and type is D
(indicating a dynamic ARP entry). This dynamic ARP entry is learned from the interface
GE1/0/6, the VLAN ID is 100, and the remaining lifetime is 20 minutes.


l The IP address is 172.16.20.1, MAC address is 0025-9ef4-abcd, and type is I (indicating
an interface ARP entry). This ARP entry indicates that 172.16.20.1 is the IP address of
the interface GE1/0/19.
l The IP address is 172.16.20.2, MAC address is 0200-0000-00e8, and type is D
(indicating a dynamic ARP entry). This dynamic ARP entry is learned from the interface
GE1/0/19, and the remaining lifetime is 18 minutes.
NOTE

If the value of MAC ADDRESS is Incomplete, the current ARP entry is a temporary one. When IP
packets trigger ARP Miss messages, the device generates temporary ARP entries and sends ARP
Request packets to the destination network segment.
l When a temporary ARP entry is not aged out:
  l Before receiving an ARP Reply packet, the device discards the IP packets matching the
  temporary ARP entry, and no ARP Miss message is triggered.
  l After receiving the ARP Reply packet, the device generates a correct ARP entry to replace
  the temporary entry.
l After the temporary ARP entry ages out, the device deletes this entry.

12.2 Updating ARP Entries


Before updating ARP entries, clear ARP entries on the device so that the device will relearn
the entries.

NOTICE
After ARP entries are cleared, mappings between IP addresses and MAC addresses are
deleted. As a result, users may not access specified nodes. Exercise caution when you clear
ARP entries.
# Clear all ARP entries on the device.
<HUAWEI> reset arp all

# Clear the dynamic ARP entries with the IP address 172.16.10.1 on the device.
<HUAWEI> reset arp dynamic ip 172.16.10.1 //If the IP address is not specified,
all dynamic ARP entries are deleted from the device.

# Clear all static ARP entries on the device.


<HUAWEI> reset arp static
Warning: This operation will reset all static ARP entries, and clear the
configurations of all static ARP, continue?[Y/N]:y

# Clear the static ARP entries with the IP address 172.16.20.1, MAC address
0023-0045-0067, and outbound interface GE1/0/1 on the device.
<HUAWEI> system-view
[HUAWEI] undo arp static 172.16.20.1 0023-0045-0067 interface gigabitethernet
1/0/1

# Clear the ARP entries learned from VLANIF 100 with the IP address 172.16.20.1 on the
device.
<HUAWEI> reset arp interface vlanif 100 ip 172.16.20.1 //If the IP address is not
specified, all ARP entries learned by VLANIF 100 are deleted from the device.


12.3 Setting the Aging Time of ARP Entries


The ARP aging time takes effect only for dynamic ARP entries. The default ARP aging time
is 20 minutes. You can run the arp expire-time expire-time command in the system view or
interface view to configure the aging time of dynamic ARP entries. The value range of expire-time is 60-62640 (chassis switches) or 30-62640 (box switches), in seconds.
If you run the command only in the system view, the aging time takes effect for dynamic ARP
entries learned by all interfaces on the device. If you run the command both in the view of an
interface and the system view, the aging time configured in the interface view takes effect for
the dynamic ARP entries learned by the interface.
# Set the aging time of dynamic ARP entries to 1800s.
<HUAWEI> system-view
[HUAWEI] vlan batch 100
[HUAWEI] interface vlanif 100
[HUAWEI-Vlanif100] arp expire-time 1800

# After the configuration is complete, you can run the display current-configuration |
include arp command in any view to check the configured aging time of dynamic ARP
entries.
<HUAWEI> display current-configuration | include arp
arp expire-time 1800

12.4 Configuring Static ARP Entries


Static ARP entries will not age and cannot be overridden by dynamic ARP entries. You can
manually configure a static ARP entry, or use automatic scanning and fixed ARP to batch
configure static ARP entries.

Manually Configuring a Static ARP Entry


NOTE

If the outbound interface is an Ethernet interface in Layer 2 mode, you are advised to configure a long
static ARP entry. Specify the VLAN and outbound interface when configuring the entry.

# Configure a static ARP entry with the IP address 172.16.10.2, MAC address
0023-0045-0067, and outbound interface GE1/0/1 in Layer 2 mode. This static ARP entry
belongs to VLAN 100.
<HUAWEI> system-view
[HUAWEI] vlan batch 100
[HUAWEI] interface vlanif 100
[HUAWEI-Vlanif100] ip address 172.16.10.1 24 //The IP address of the VLANIF
interface must be in the same network segment with the IP address (172.16.10.2)
in the static ARP entry.
[HUAWEI-Vlanif100] quit
[HUAWEI] interface gigabitethernet 1/0/1
[HUAWEI-GigabitEthernet1/0/1] port link-type trunk
[HUAWEI-GigabitEthernet1/0/1] port trunk allow-pass vlan 100 //The interface
GigabitEthernet1/0/1 is in Layer 2 mode and needs to be added to VLAN 100.
[HUAWEI-GigabitEthernet1/0/1] quit
[HUAWEI] arp static 172.16.10.2 0023-0045-0067 vid 100 interface gigabitethernet
1/0/1

# Configure a static ARP entry with the IP address 172.16.20.2, MAC address
0023-0045-0068, and outbound interface GE1/0/2 in Layer 3 mode.

<HUAWEI> system-view
[HUAWEI] interface gigabitethernet 1/0/2
[HUAWEI-GigabitEthernet1/0/2] undo portswitch
[HUAWEI-GigabitEthernet1/0/2] ip address 172.16.20.1 24 //The IP address of
GigabitEthernet1/0/2 must be in the same network segment with the IP address
(172.16.20.2) in the static ARP entry.
[HUAWEI-GigabitEthernet1/0/2] quit
[HUAWEI] arp static 172.16.20.2 0023-0045-0068 interface gigabitethernet 1/0/2

# Configure a static ARP entry with the IP address 172.16.30.2 and MAC address
0023-0045-0069. This static ARP entry belongs to the VPN instance vpn1.
<HUAWEI> system-view
[HUAWEI] ip vpn-instance vpn1
[HUAWEI-vpn-instance-vpn1] ipv4-family
[HUAWEI-vpn-instance-vpn1-af-ipv4] quit
[HUAWEI-vpn-instance-vpn1] quit
[HUAWEI] arp static 172.16.30.2 0023-0045-0069 vpn-instance vpn1

# Configure a static ARP entry with the IP address 172.16.40.2 and MAC address
02bf-0045-0070. (For example, you can configure such short static ARP entry when the
device is connected to the NLB server cluster in multi-port ARP mode.)
<HUAWEI> system-view
[HUAWEI] arp static 172.16.40.2 02bf-0045-0070

Using Automatic Scanning and Fixed ARP to Batch Configure Static ARP Entries
# The IP address of VLANIF 103 is 172.16.50.1/24. Perform automatic scanning on the ARP
entries with the IP addresses 172.16.50.2 to 172.16.50.4, and convert the learned ARP entries
into static ARP entries.
<HUAWEI> system-view
[HUAWEI] vlan batch 103
[HUAWEI] interface vlanif 103
[HUAWEI-Vlanif103] ip address 172.16.50.1 24
[HUAWEI-Vlanif103] quit
[HUAWEI] interface gigabitethernet 1/0/3
[HUAWEI-GigabitEthernet1/0/3] port link-type trunk
[HUAWEI-GigabitEthernet1/0/3] port trunk allow-pass vlan 103
[HUAWEI-GigabitEthernet1/0/3] quit
[HUAWEI] display arp network 172.16.50.0 24
IP ADDRESS      MAC ADDRESS     EXPIRE(M) TYPE        INTERFACE   VPN-INSTANCE    VLAN/CEVLAN
------------------------------------------------------------------------------
172.16.50.1     00e0-0987-7895            I -         Vlanif103
------------------------------------------------------------------------------
Total:1         Dynamic:0       Static:0     Interface:1
[HUAWEI] interface vlanif 103
[HUAWEI-Vlanif103] arp scan 172.16.50.2 to 172.16.50.4 //Automatic scanning is
performed on VLANIF 103. The IP addresses 172.16.50.2 to 172.16.50.4 are in the
same network segment with the IP address 172.16.50.1 of VLANIF 103. That is, the
start and end IP addresses in the ARP automatically scanned area must be in the
same network segment with the IP address (primary or secondary) of the VLANIF
interface.
Warning: This operation may take a long time, press CTRL+C to break. Continue?
[Y/N]:y
Processing...
Info: ARP scanning is completed.
[HUAWEI-Vlanif103] display arp network 172.16.50.0 24 //After automatic scanning,
check ARP entries. The device newly learns three dynamic ARP entries.
IP ADDRESS      MAC ADDRESS     EXPIRE(M) TYPE        INTERFACE   VPN-INSTANCE    VLAN/CEVLAN
------------------------------------------------------------------------------
172.16.50.1     00e0-0987-7895            I -         Vlanif103
172.16.50.2     0200-0000-0212  20        D-0         GE1/0/3                     103/-
172.16.50.3     0200-0000-0212  20        D-0         GE1/0/3                     103/-
172.16.50.4     0200-0000-0212  20        D-0         GE1/0/3                     103/-
------------------------------------------------------------------------------
Total:4         Dynamic:3       Static:0     Interface:1
[HUAWEI-Vlanif103] arp fixup //Configure fixed ARP entries on VLANIF 103 by
converting dynamic ARP entries learned into static ARP entries.
Warning: This operation may generate configuration of static ARP, and take a long
time, press CTRL+C to break. Continue?[Y/N]:y
Processing...
Info: ARP fixup is completed.
[HUAWEI-Vlanif103] display arp network 172.16.50.0 24 //Check fixed ARP entries.
The three dynamic ARP entries newly learned by the device have been converted
into static ARP entries.
IP ADDRESS      MAC ADDRESS     EXPIRE(M) TYPE        INTERFACE   VPN-INSTANCE    VLAN/CEVLAN
------------------------------------------------------------------------------
172.16.50.2     0200-0000-0212            S--         GE1/0/3                     103/-
172.16.50.3     0200-0000-0212            S--         GE1/0/3                     103/-
172.16.50.4     0200-0000-0212            S--         GE1/0/3                     103/-
172.16.50.1     00e0-0987-7895            I -         Vlanif103
------------------------------------------------------------------------------
Total:4         Dynamic:0       Static:3     Interface:1

12.5 Configuring ARP Proxy


Proxy ARP Classification
Proxy ARP is classified into the following types: routed proxy ARP, intra-VLAN proxy ARP,
and inter-VLAN proxy ARP. Table 12-1 describes the usage scenarios.
Table 12-1 Proxy ARP Type
Proxy ARP Type        Scenario
Routed Proxy ARP      Hosts that need to communicate and are not configured with
                      default gateways belong to the same network segment but
                      different physical networks (different broadcast domains).
Intra-VLAN Proxy ARP  Hosts that need to communicate belong to the same network
                      segment and VLAN but port isolation is configured in the
                      VLAN.
Inter-VLAN Proxy ARP  Hosts that need to communicate belong to the same network
                      segment but different VLANs.

Routed Proxy ARP


# Configure IP address 172.16.1.1/24 on VLANIF 100 and enable routed proxy ARP.
<HUAWEI> system-view
[HUAWEI] vlan batch 100
[HUAWEI] interface vlanif 100
[HUAWEI-Vlanif100] ip address 172.16.1.1 24
[HUAWEI-Vlanif100] arp-proxy enable

Intra-VLAN Proxy ARP


# Configure IP address 172.16.1.1/24 on VLANIF 100 and enable intra-VLAN proxy ARP.
<HUAWEI> system-view
[HUAWEI] vlan batch 100
[HUAWEI] interface vlanif 100
[HUAWEI-Vlanif100] ip address 172.16.1.1 24
[HUAWEI-Vlanif100] arp-proxy inner-sub-vlan-proxy enable

Inter-VLAN Proxy ARP


# Configure IP address 172.16.1.1/24 on VLANIF 100 and enable inter-VLAN proxy ARP.
<HUAWEI> system-view
[HUAWEI] vlan batch 100
[HUAWEI] interface vlanif 100
[HUAWEI-Vlanif100] ip address 172.16.1.1 24
[HUAWEI-Vlanif100] arp-proxy inter-sub-vlan-proxy enable


12.6 Shielding ARP Miss Alarms Based on Source IP Addresses

When a source IP address triggers an ARP Miss alarm, you can cancel the rate limit on ARP
Miss messages of this IP address to shield the ARP Miss alarm.
# Cancel the rate limit on ARP Miss messages of IP address 10.0.0.1. (The S2750, S5710-C-LI, S5710-X-LI, S5700-LI, and S5700S-LI do not support this command.)
<HUAWEI> system-view
[HUAWEI] arp-miss speed-limit source-ip 10.0.0.1 maximum 0

# Cancel the rate limit on ARP Miss messages of all source IP addresses. (The S2750, S5710-C-LI, S5710-X-LI, S5700-LI, and S5700S-LI do not support this command.)
<HUAWEI> system-view
[HUAWEI] arp-miss speed-limit source-ip maximum 0

12.7 Configuring Dynamic ARP Detection


Dynamic ARP inspection (DAI) is used to prevent Man in The Middle (MITM) attacks. If
DAI is not configured, ARP entries of authorized users on the device may be updated by the
pseudo ARP packets sent by attackers.
DAI is used to check ARP packets according to binding tables (dynamic and static DHCP
binding tables).
When receiving an ARP packet, the device compares the source IP address, source MAC
address, interface, and VLAN in the ARP packet with the information in the binding table.
You can configure the parameters to be compared, for example, the source IP address and
VLAN.
l If the parameters match the table information, the user is authorized and the device
allows the ARP packet to pass through.
l If the parameters do not match the table information, the device considers that it is an
attack packet and discards the packet.

# Configure DHCP snooping on the device and enable DAI on the interface connecting the
device to the user side.
<HUAWEI> system-view
[HUAWEI] dhcp enable
[HUAWEI] dhcp snooping enable ipv4
[HUAWEI] interface gigabitethernet 1/0/1
[HUAWEI-GigabitEthernet1/0/1] dhcp snooping enable //Enable DHCP snooping on the
interface connecting the device to the user side.
[HUAWEI-GigabitEthernet1/0/1] quit
[HUAWEI] interface gigabitethernet 1/0/2
[HUAWEI-GigabitEthernet1/0/2] dhcp snooping trusted //Configure the interface
connecting the device to the DHCP server as a trusted interface. If DHCP snooping
is deployed on the DHCP relay device, the trusted interface configuration is
optional.
[HUAWEI-GigabitEthernet1/0/2] quit
[HUAWEI] user-bind static ip-address 10.10.10.1 vlan 100 //Configure the static
binding table on the device for the users configured with static IP addresses.
[HUAWEI] interface gigabitethernet 1/0/1
[HUAWEI-GigabitEthernet1/0/1] arp anti-attack check user-bind enable //Enable DAI
on the interface connecting the device to the user side.
[HUAWEI-GigabitEthernet1/0/1] quit


# Configure DHCP snooping on the device and enable DAI in the user-side VLAN.
<HUAWEI> system-view
[HUAWEI] dhcp enable
[HUAWEI] dhcp snooping enable ipv4
[HUAWEI] vlan 100
[HUAWEI-vlan100] dhcp snooping enable //Enable DHCP snooping in the VLAN that the
user device belongs to.
[HUAWEI-vlan100] quit
[HUAWEI] vlan 200
[HUAWEI-vlan200] dhcp snooping enable
[HUAWEI-vlan200] dhcp snooping trusted interface gigabitethernet 1/0/2 //
Configure the interface connecting the device to the DHCP server as a trusted
interface. If DHCP snooping is deployed on the DHCP relay device, the trusted
interface configuration is optional.
[HUAWEI-vlan200] quit
[HUAWEI] user-bind static ip-address 10.10.10.1 vlan 100 //Configure the static
binding table on the device for the users configured with static IP addresses.
[HUAWEI] vlan 100
[HUAWEI-vlan100] arp anti-attack check user-bind enable //Enable DAI in the user-side VLAN.
[HUAWEI-vlan100] quit
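
The two mechanisms above, DHCP snooping with a trusted server port (11.9) and DAI checking ARP packets against the binding table (12.7), can be followed end to end in the simulation below. It is an added example written for this page, not Huawei code: the port names, addresses and MACs are constructed, and the model assumes that a binding field which was never recorded (a static user-bind with only ip-address and vlan) is simply not compared.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

SERVER_MSGS = {"OFFER", "ACK", "NAK"}                        # only a DHCP server sends these
CLIENT_MSGS = {"DISCOVER", "REQUEST", "RELEASE", "DECLINE"}


@dataclass(frozen=True)
class Binding:
    """One row of the DHCP snooping binding table (dynamic or static)."""
    ip: str
    vlan: int
    mac: Optional[str] = None          # None: not recorded (static user-bind with ip + vlan only)
    interface: Optional[str] = None


@dataclass
class SnoopingSwitch:
    trusted: Set[str] = field(default_factory=set)     # dhcp snooping trusted
    snooping: Set[str] = field(default_factory=set)    # dhcp snooping enable (user side)
    dai: Set[str] = field(default_factory=set)         # arp anti-attack check user-bind enable
    # Fields DAI compares; the guide says the set is configurable.
    check_items: Tuple[str, ...] = ("ip", "mac", "vlan", "interface")
    bindings: Set[Binding] = field(default_factory=set)
    # client MAC -> (port, vlan) of its last DISCOVER/REQUEST, to place the binding
    pending: Dict[str, Tuple[str, int]] = field(default_factory=dict)

    def user_bind_static(self, ip: str, vlan: int, mac=None, interface=None) -> None:
        self.bindings.add(Binding(ip, vlan, mac, interface))

    def dhcp(self, msg: str, port: str, vlan: int, chaddr: str,
             yiaddr: Optional[str] = None) -> str:
        """Decide 'forward' or 'drop' for one DHCP message received on `port`."""
        if port not in self.snooping and port not in self.trusted:
            return "forward"               # snooping not enabled on this port: not inspected
        if msg in SERVER_MSGS:
            if port not in self.trusted:
                return "drop"              # server reply from the user side: pseudo DHCP server
            if msg == "ACK" and chaddr in self.pending:
                cport, cvlan = self.pending.pop(chaddr)
                self.bindings.add(Binding(yiaddr, cvlan, chaddr, cport))
            return "forward"
        if msg == "RELEASE":               # client gives the lease back: binding removed
            self.bindings = {b for b in self.bindings
                             if not (b.mac == chaddr and b.interface == port)}
            return "forward"
        if msg in CLIENT_MSGS:
            self.pending[chaddr] = (port, vlan)
            return "forward"
        return "drop"                      # unknown message type

    def arp(self, port: str, vlan: int, sender_ip: str, sender_mac: str) -> str:
        """DAI: 'permit' only if some binding agrees with the packet on every check item."""
        if port not in self.dai:
            return "permit"
        pkt = {"ip": sender_ip, "mac": sender_mac, "vlan": vlan, "interface": port}
        for b in self.bindings:
            if all(getattr(b, item) in (None, pkt[item]) for item in self.check_items):
                return "permit"
        return "discard"


def demo() -> List[str]:
    """Replays the topology of 11.9/12.7: client on GE1/0/1, DHCP server on GE1/0/2.
    All addresses and MACs are constructed for this example."""
    sw = SnoopingSwitch(trusted={"GE1/0/2"}, snooping={"GE1/0/1"}, dai={"GE1/0/1"})
    sw.user_bind_static("10.10.10.1", 100)   # user-bind static ip-address 10.10.10.1 vlan 100
    return [
        sw.dhcp("OFFER", "GE1/0/1", 100, "00e0-aaaa-0001", "10.10.10.99"),  # offer from user port
        sw.dhcp("DISCOVER", "GE1/0/1", 100, "00e0-aaaa-0001"),
        sw.dhcp("ACK", "GE1/0/2", 100, "00e0-aaaa-0001", "10.10.10.20"),    # real server: binding
        sw.arp("GE1/0/1", 100, "10.10.10.20", "00e0-aaaa-0001"),            # matches binding
        sw.arp("GE1/0/1", 100, "10.10.10.20", "00e0-bbbb-0002"),            # same IP, other MAC
        sw.arp("GE1/0/1", 100, "10.10.10.1", "00e0-cccc-0003"),             # static bind: ip + vlan
        sw.arp("GE1/0/1", 200, "10.10.10.1", "00e0-cccc-0003"),             # wrong VLAN
    ]


if __name__ == "__main__":
    print(demo())
```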

12.8 Configuring ARP Gateway Anti-Collision


If an attacker forges the gateway address to send ARP packets with the source IP address
being the IP address of the gateway on the LAN, ARP entries on hosts in the LAN record the
incorrect gateway address. As a result, all traffic from hosts to the gateway is sent to the
attacker and the attacker intercepts user information. Communication of users is interrupted.
To prevent bogus gateway attacks, enable ARP gateway anti-collision on the gateway. The
gateway considers that a gateway collision occurs when a received ARP packet meets either
of the following conditions:
l The source IP address in the ARP packet is the same as the IP address of the VLANIF
interface matching the inbound interface of the packet.
l The source IP address in the ARP packet is the virtual IP address of the inbound
interface but the source MAC address in the ARP packet is not the virtual MAC address
of the Virtual Router Redundancy Protocol (VRRP) group.

The device generates an ARP anti-collision entry and discards the received ARP packets with
the same source MAC address and VLAN ID in a specified period. This function prevents
ARP packets with the bogus gateway address from being broadcast in a VLAN.
# Enable the ARP gateway anti-collision function on the gateway device. By default, the ARP
gateway anti-collision function is disabled.
<HUAWEI> system-view
[HUAWEI] arp anti-attack gateway-duplicate enable
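
The decision logic described above, the two collision conditions followed by an anti-collision entry keyed on source MAC and VLAN, is modelled in the Python below. This is an added example and not Huawei code; the VLANIF and VRRP addresses are constructed, and the length of the discard period (hold_seconds) is an assumption, since the guide only says "a specified period".

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class Vlanif:
    """Gateway addresses behind one VLAN (the VLANIF matching the inbound interface)."""
    ip: str
    vrrp_vip: Optional[str] = None     # virtual IP of a VRRP group on this VLANIF, if any
    vrrp_vmac: Optional[str] = None    # that group's virtual MAC (0000-5e00-01xx)


@dataclass
class GatewayAntiCollision:
    vlanifs: Dict[int, Vlanif]
    enabled: bool = True                           # arp anti-attack gateway-duplicate enable
    hold_seconds: int = 180                        # assumed length of the "specified period"
    entries: Dict[Tuple[str, int], int] = field(default_factory=dict)  # (src MAC, VLAN) -> expiry

    def is_collision(self, vlan: int, src_ip: str, src_mac: str) -> bool:
        """The two conditions listed in 12.8."""
        vif = self.vlanifs.get(vlan)
        if vif is None:
            return False
        if src_ip == vif.ip:                                    # claims the VLANIF's own address
            return True
        if vif.vrrp_vip and src_ip == vif.vrrp_vip and src_mac != vif.vrrp_vmac:
            return True                                         # claims the VIP without the VRRP MAC
        return False

    def receive(self, now: int, vlan: int, src_ip: str, src_mac: str) -> str:
        """Return 'process' or 'discard' for an ARP packet received at time `now` (seconds)."""
        if not self.enabled:
            return "process"
        key = (src_mac, vlan)
        expiry = self.entries.get(key)
        if expiry is not None:
            if now < expiry:
                return "discard"       # entry active: everything from this MAC/VLAN is dropped
            del self.entries[key]      # period over, the source is judged afresh
        if self.is_collision(vlan, src_ip, src_mac):
            self.entries[key] = now + self.hold_seconds
            return "discard"
        return "process"


def demo() -> List[str]:
    """Constructed scenario: VLAN 100 gateway 172.16.1.1 that is also VRRP master for 172.16.1.254."""
    gw = GatewayAntiCollision({100: Vlanif("172.16.1.1", "172.16.1.254", "0000-5e00-0101")})
    return [
        gw.receive(0,   100, "172.16.1.10",  "00e0-1111-0001"),   # ordinary host
        gw.receive(1,   100, "172.16.1.1",   "00e0-aaaa-0001"),   # bogus gateway: entry created
        gw.receive(2,   100, "172.16.1.66",  "00e0-aaaa-0001"),   # same MAC, now with its real IP
        gw.receive(3,   100, "172.16.1.254", "0000-5e00-0101"),   # VRRP peer using the virtual MAC
        gw.receive(4,   100, "172.16.1.254", "00e0-bbbb-0002"),   # VIP claimed with a non-VRRP MAC
        gw.receive(200, 100, "172.16.1.66",  "00e0-aaaa-0001"),   # entry expired (1 + 180 < 200)
        gw.receive(5,   300, "172.16.1.1",   "00e0-aaaa-0001"),   # no VLANIF for VLAN 300
    ]


if __name__ == "__main__":
    print(demo())
```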


13 Common ACL Operations

About This Chapter


This chapter describes common ACL operations, including how to delete time ranges, how to
delete ACL and ACL6, and how to configure time-based ACL.
13.1 Deleting a Time Range
13.2 Deleting ACL and ACL6
13.3 Configuring a Time-Based ACL Rule
13.4 Configuring a Packet Filtering Rule Based on the Source IP Address (Host Address)
13.5 Configuring a Packet Filtering Rule Based on the Source IP Address Segment
13.6 Configuring a Packet Filtering Rule Based on the IP Fragment Information and Source
IP Address Segment
13.7 Configuring a Packet Filtering Rule for ICMP Protocol Packets Based on Source IP
Address (Host Address) and Destination IP Address Segment
13.8 Configuring a Packet Filtering Rule for TCP Protocol Packets Based on TCP Destination
Port Number, Source IP Address (Host Address), and Destination IP Address Segment
13.9 Configuring a Packet Filtering Rule for TCP Packets Based on the Source IP Address
Segment and TCP Flags
13.10 Configuring Packet Filtering Rules Based on the Source MAC Address, Destination
MAC Address, and Layer 2 Protocol Types
13.11 Configuring a Packet Filtering Rule Based on the Source MAC Address Segment and
Inner VLAN IDs
13.12 Configuring Packet Filtering Rules Based on Layer 2 Headers, Offsets, Character String
Masks, and User-Defined Character Strings


13.1 Deleting a Time Range


Before deleting a time range, you must delete the ACL rules associated with the time range or
delete the ACL to which the ACL rules belong.
For example, ACL 2001 contains rule 5 and is associated with time range time1.
#
time-range time1 from 00:00 2014/1/1 to 23:59 2014/12/31
#
acl number 2001
rule 5 permit time-range time1
#

Before deleting time1, delete rule 5 or ACL 2001.


l Delete rule 5, and then time1.

<HUAWEI> system-view
[HUAWEI] acl 2001
[HUAWEI-acl-basic-2001] undo rule 5
[HUAWEI-acl-basic-2001] quit
[HUAWEI] undo time-range time1

l Delete ACL 2001, and then time1.

<HUAWEI> system-view
[HUAWEI] undo acl 2001
[HUAWEI] undo time-range time1

13.2 Deleting ACL and ACL6


You do not need to delete the service configurations before using these commands to delete an
ACL or ACL6. These commands will delete an ACL or ACL6 regardless of whether it is
applied to a service module.
l To delete an ACL, run the undo acl { [ number ] acl-number | all } or undo acl name
acl-name command in the system view.
l To delete an ACL6, run the undo acl ipv6 { all | [ number ] acl6-number } or undo acl
ipv6 name acl6-name command in the system view.

13.3 Configuring a Time-Based ACL Rule


Create a time range working-time (for example, 8:00-18:00 on Monday through Friday) and
configure a rule in ACL work-acl. The rule rejects the packets from network segment
192.168.1.0/24 within the set working-time.
<HUAWEI> system-view
[HUAWEI] time-range working-time 8:00 to 18:00 working-day
[HUAWEI] acl name work-acl basic
[HUAWEI-acl-basic-work-acl] rule deny source 192.168.1.0 0.0.0.255 time-range
working-time

Related Information
Support Community
l Basic Knowledge About ACL
l ACL Matching
l ACL Application

13.4 Configuring a Packet Filtering Rule Based on the Source IP Address (Host Address)

To allow the packets from a host to pass, add a rule to an ACL. For example, to allow packets
from host 192.168.1.3 to pass, create the following rule in ACL 2001.
<HUAWEI> system-view
[HUAWEI] acl 2001
[HUAWEI-acl-basic-2001] rule permit source 192.168.1.3 0

Related Information
Support Community
l Basic Knowledge About ACL
l ACL Matching
l ACL Application

13.5 Configuring a Packet Filtering Rule Based on the Source IP Address Segment

To allow the packets from one host to pass and reject the packets from the other hosts on the
same network segment, configure two rules in an ACL. For example, to allow the packets from
host 192.168.1.3 to pass and reject the packets from the other hosts on network segment
192.168.1.0/24, configure the following rules in ACL 2001 and set the description of ACL
2001 to Permit only 192.168.1.3 through. The permit rule must be entered first: with the
default config match order, rules are checked in ascending rule ID order and the first match
decides, so a deny rule for the whole segment placed before the host rule would shadow it.
<HUAWEI> system-view
[HUAWEI] acl 2001
[HUAWEI-acl-basic-2001] rule permit source 192.168.1.3 0
[HUAWEI-acl-basic-2001] rule deny source 192.168.1.0 0.0.0.255
[HUAWEI-acl-basic-2001] description Permit only 192.168.1.3 through


13.6 Configuring a Packet Filtering Rule Based on the IP Fragment Information and Source IP Address Segment
To reject the non-initial fragments from a network segment, configure a rule in an ACL. For
example, to reject the non-initial fragments from network segment 192.168.1.0/24, configure
the following rule in ACL 2001. The fragment keyword matches only non-initial fragments,
which carry no Layer 4 header; the first fragment of a datagram is matched by the ordinary
rules.
<HUAWEI> system-view
[HUAWEI] acl 2001
[HUAWEI-acl-basic-2001] rule deny source 192.168.1.0 0.0.0.255 fragment


13.7 Configuring a Packet Filtering Rule for ICMP Protocol Packets Based on Source IP Address (Host Address) and Destination IP Address Segment
To allow the ICMP packets from a host that are destined for a network segment to pass,
configure a rule in an ACL. For example, to allow the ICMP packets from host 192.168.1.3
that are destined for network segment 192.168.2.0/24 to pass, configure the following rule in
ACL 3001.
<HUAWEI> system-view
[HUAWEI] acl 3001
[HUAWEI-acl-adv-3001] rule permit icmp source 192.168.1.3 0 destination 192.168.2.0 0.0.0.255


13.8 Configuring a Packet Filtering Rule for TCP Protocol Packets Based on TCP Destination Port Number, Source IP Address (Host Address), and Destination IP Address Segment
- To prohibit Telnet connections from a specified host to the hosts on a network segment,
  configure a rule in an advanced ACL. For example, to prohibit host 192.168.1.3 from
  opening Telnet connections to hosts on network segment 192.168.2.0/24, configure the
  following rule in the advanced ACL deny-telnet. The rule matches only TCP segments sent
  to port 23 in that direction; Telnet connections opened from 192.168.2.0/24 towards
  192.168.1.3 need a separate rule.
<HUAWEI> system-view
[HUAWEI] acl name deny-telnet
[HUAWEI-acl-adv-deny-telnet] rule deny tcp destination-port eq telnet source 192.168.1.3 0 destination 192.168.2.0 0.0.0.255

- To prohibit the specified hosts from accessing web pages (HTTP is used to access web
  pages, and the TCP port number is 80), configure rules in an advanced ACL. For example,
  to prohibit hosts 192.168.1.3 and 192.168.1.4 from accessing web pages, configure the
  following rules in ACL no-web and set the description for the ACL to Web access
  restrictions. These rules block only plaintext HTTP on port 80; HTTPS on port 443 and web
  servers on non-standard ports are not affected unless you add rules for those ports.
<HUAWEI> system-view
[HUAWEI] acl name no-web
[HUAWEI-acl-adv-no-web] description Web access restrictions
[HUAWEI-acl-adv-no-web] rule deny tcp destination-port eq 80 source 192.168.1.3 0
[HUAWEI-acl-adv-no-web] rule deny tcp destination-port eq 80 source 192.168.1.4 0


13.9 Configuring a Packet Filtering Rule for TCP Packets Based on the Source IP Address Segment and TCP Flags
To implement unidirectional access control on a network segment, configure rules in an ACL.
For example, to implement unidirectional access control on network segment 192.168.2.0/24,
configure the following rules in ACL 3002. With these rules, the hosts on 192.168.2.0/24 can
respond to TCP connection requests (their replies carry the ACK or RST flag) but cannot
initiate TCP connections, because a connection-opening segment carries only the SYN flag. Set
the descriptions of the ACL rules to Allow the ACK TCP packets through, Allow the RST TCP
packets through, and Do not Allow the other TCP packet through.
To meet the preceding requirement, configure two permit rules to allow the packets with the
ACK or RST flag set from 192.168.2.0/24 to pass, and then configure a deny rule to reject the
other TCP packets from this network segment.
Note that the check is stateless: the switch inspects only the flag bits of each segment and
keeps no connection table, so any segment from 192.168.2.0/24 with the ACK or RST bit set
passes whether or not a connection exists. The rules block only the SYN-only segment that
opens a connection.
<HUAWEI> system-view
[HUAWEI] acl 3002
[HUAWEI-acl-adv-3002] rule permit tcp source 192.168.2.0 0.0.0.255 tcp-flag ack
[HUAWEI-acl-adv-3002] display this
// If you do not specify an ID for a created rule, you can view the rule ID allocated by the
// system, and configure a description for the rule by specifying the rule ID.
#
acl number 3002
rule 5 permit tcp source 192.168.2.0 0.0.0.255 tcp-flag ack
// The rule ID allocated by the system is 5.
#
return
[HUAWEI-acl-adv-3002] rule 5 description Allow the ACK TCP packets through
[HUAWEI-acl-adv-3002] rule permit tcp source 192.168.2.0 0.0.0.255 tcp-flag rst
[HUAWEI-acl-adv-3002] display this
#
acl number 3002
rule 5 permit tcp source 192.168.2.0 0.0.0.255 tcp-flag ack
rule 5 description Allow the ACK TCP packets through
rule 10 permit tcp source 192.168.2.0 0.0.0.255 tcp-flag rst
// The rule ID allocated by the system is 10.
#
return
[HUAWEI-acl-adv-3002] rule 10 description Allow the RST TCP packets through
[HUAWEI-acl-adv-3002] rule deny tcp source 192.168.2.0 0.0.0.255
[HUAWEI-acl-adv-3002] display this
#
acl number 3002
rule 5 permit tcp source 192.168.2.0 0.0.0.255 tcp-flag ack
rule 5 description Allow the ACK TCP packets through
rule 10 permit tcp source 192.168.2.0 0.0.0.255 tcp-flag rst
rule 10 description Allow the RST TCP packets through
rule 15 deny tcp source 192.168.2.0 0.0.0.255
// The rule ID allocated by the system is 15.
#
return
[HUAWEI-acl-adv-3002] rule 15 description Do not Allow the other TCP packet through


13.10 Configuring Packet Filtering Rules Based on the Source MAC Address, Destination MAC Address, and Layer 2 Protocol Types
- To allow the ARP packets with the specified destination and source MAC addresses and
  Layer 2 protocol type to pass, configure a rule in a Layer 2 ACL. For example, to allow
  the ARP packets with destination MAC address 0000-0000-0001, source MAC address
  0000-0000-0002, and Layer 2 protocol type 0x0806 to pass, configure the following rule
  in ACL 4001.
<HUAWEI> system-view
[HUAWEI] acl 4001
[HUAWEI-acl-L2-4001] rule permit destination-mac 0000-0000-0001 source-mac 0000-0000-0002 l2-protocol 0x0806

- To reject the PPPoE packets with the specified Layer 2 protocol type, configure a rule in
  a Layer 2 ACL. For example, to reject the PPPoE discovery packets with Layer 2 protocol
  type 0x8863 (PPPoE session packets use 0x8864), configure the following rule in ACL 4001.
<HUAWEI> system-view
[HUAWEI] acl 4001
[HUAWEI-acl-L2-4001] rule deny l2-protocol 0x8863


13.11 Configuring a Packet Filtering Rule Based on the Source MAC Address Segment and Inner VLAN IDs
To reject the packets from a specified MAC address segment in a VLAN, configure a rule in a
Layer 2 ACL. For example, to reject the packets from source MAC address segment
00e0-fc01-0000 to 00e0-fc01-ffff in VLAN 10, configure the following rule in Layer 2 ACL
deny-vlan10-mac. Note that a MAC address mask uses the opposite convention to an IP
wildcard: a 1 bit in the mask means the corresponding address bit must match, so
ffff-ffff-0000 fixes the first 32 bits and leaves the last 16 bits free.
<HUAWEI> system-view
[HUAWEI] acl name deny-vlan10-mac link
[HUAWEI-acl-L2-deny-vlan10-mac] rule deny vlan-id 10 source-mac 00e0-fc01-0000 ffff-ffff-0000
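The following Python model is an added example and not code from the Huawei guide. It evaluates rules the way sections 13.4 to 13.11 describe, first match in ascending rule ID order, and checks three points on constructed packets: that the permit rule in 13.5 must precede the segment deny rule, that the ACL 3002 rules in 13.9 are stateless flag checks (a bare ACK segment from the protected segment passes with no connection behind it), and that a Layer 2 MAC mask (13.11) uses the opposite bit convention from an IP wildcard. The Packet and Rule field names, the match-order assumption and the sample packets are this example's own.

```python
"""Added example, not code from the Huawei guide: a small model of how the basic,
advanced and Layer 2 ACL rules in sections 13.4 to 13.11 are evaluated. Assumed
(the page does not state it): rules are tried in ascending rule-ID order, the first
match decides, and a packet matching no rule yields None. The Packet/Rule field
names and the sample packets are this example's own."""
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import List, Optional, Tuple


def ip_matches(addr: str, rule_addr: str, wildcard: str) -> bool:
    """IP wildcard: a 0 bit means 'must match', a 1 bit means 'don't care'."""
    a, r, w = (int(IPv4Address(x)) for x in (addr, rule_addr, wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (r & care)


def mac_matches(addr: str, rule_addr: str, mask: str) -> bool:
    """MAC mask is the opposite convention: a 1 bit means 'must match'."""
    a, r, k = (int(x.replace("-", ""), 16) for x in (addr, rule_addr, mask))
    return (a & k) == (r & k)


@dataclass(frozen=True)
class Packet:
    src: str = "0.0.0.0"
    dst: str = "0.0.0.0"
    protocol: str = "ip"
    dport: Optional[int] = None
    tcp_flags: frozenset = frozenset()
    src_mac: str = "0000-0000-0000"
    vlan: Optional[int] = None


@dataclass(frozen=True)
class Rule:
    rule_id: int
    action: str                                    # "permit" or "deny"
    source: Optional[Tuple[str, str]] = None       # (address, wildcard)
    destination: Optional[Tuple[str, str]] = None
    protocol: Optional[str] = None                 # None: any protocol (basic ACL)
    dport: Optional[int] = None
    tcp_flags: frozenset = frozenset()             # every listed flag must be set
    source_mac: Optional[Tuple[str, str]] = None   # (address, mask)
    vlan: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        return (
            (self.source is None or ip_matches(p.src, *self.source))
            and (self.destination is None or ip_matches(p.dst, *self.destination))
            and (self.protocol is None or self.protocol == p.protocol)
            and (self.dport is None or self.dport == p.dport)
            and self.tcp_flags <= p.tcp_flags
            and (self.source_mac is None or mac_matches(p.src_mac, *self.source_mac))
            and (self.vlan is None or self.vlan == p.vlan)
        )


def evaluate(acl: List[Rule], p: Packet) -> Optional[str]:
    """First matching rule in ascending rule-ID order decides; None if nothing matched."""
    for rule in sorted(acl, key=lambda r: r.rule_id):
        if rule.matches(p):
            return rule.action
    return None


SEG2 = ("192.168.2.0", "0.0.0.255")
ACL_2001 = [Rule(5, "permit", source=("192.168.1.3", "0.0.0.0")),      # section 13.5
            Rule(10, "deny", source=("192.168.1.0", "0.0.0.255"))]
ACL_2001_SWAPPED = [Rule(5, "deny", source=("192.168.1.0", "0.0.0.255")),
                    Rule(10, "permit", source=("192.168.1.3", "0.0.0.0"))]
ACL_3002 = [Rule(5, "permit", protocol="tcp", source=SEG2, tcp_flags=frozenset({"ack"})),  # 13.9
            Rule(10, "permit", protocol="tcp", source=SEG2, tcp_flags=frozenset({"rst"})),
            Rule(15, "deny", protocol="tcp", source=SEG2)]
ACL_VLAN10 = [Rule(5, "deny", vlan=10, source_mac=("00e0-fc01-0000", "ffff-ffff-0000"))]  # 13.11


def demo() -> dict:
    def tcp(flags, dport=80):
        return Packet("192.168.2.10", "10.0.0.1", "tcp", dport, frozenset(flags))
    return {
        "host_permitted": evaluate(ACL_2001, Packet("192.168.1.3")),
        "neighbour_denied": evaluate(ACL_2001, Packet("192.168.1.7")),
        "host_shadowed_by_deny": evaluate(ACL_2001_SWAPPED, Packet("192.168.1.3")),
        "syn_denied": evaluate(ACL_3002, tcp({"syn"})),
        "syn_ack_permitted": evaluate(ACL_3002, tcp({"syn", "ack"}, 40000)),
        "bare_ack_permitted": evaluate(ACL_3002, tcp({"ack"})),  # stateless: no connection needed
        "vlan10_mac_denied": evaluate(ACL_VLAN10, Packet(src_mac="00e0-fc01-1234", vlan=10)),
        "vlan20_unmatched": evaluate(ACL_VLAN10, Packet(src_mac="00e0-fc01-1234", vlan=20)),
        # An IP-wildcard-style mask on a MAC rule inverts the intent: it no longer matches.
        "wildcard_style_mac_mask": mac_matches("00e0-fc01-1234", "00e0-fc01-0000", "0000-0000-ffff"),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The "bare_ack_permitted" result is the point a reviewer of ACL 3002 should keep in mind: a host on 192.168.2.0/24 can still emit arbitrary ACK-flagged segments (an ACK scan, for instance); only the SYN-only opening segment is stopped.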


13.12 Configuring Packet Filtering Rules Based on Layer 2 Headers, Offsets, Character String Masks, and User-Defined Character Strings
- To reject the ARP packets from a specified host, configure a rule in a user-defined ACL.
  For example, to reject the ARP packets from host 192.168.0.2, configure the following rule
  in ACL 5001.
  In the following rule:
  - 0x00000806 indicates the ARP protocol.
  - 0x0000ffff is the character string mask.
  - 10 is the offset of the 4-byte window that contains the protocol type (frame type) field
    in the ARP packets (without VLAN ID).
  - c0a80002 is the hexadecimal format of 192.168.0.2.
  - 26 and 30 respectively indicate the offsets of the windows that contain the higher and
    lower two bytes of the source IP address in ARP packets (without VLAN ID). The source IP
    address in an ARP packet begins at byte 28 of the Layer 2 frame (counting from 0) and
    occupies 4 bytes. The Layer 2 header offset defined in a user-defined ACL must be 4n+2
    (n is an integer). Therefore, the source IP address is divided into two segments for
    matching: the lower two bytes of the four bytes behind offset 26 (4 x 6 + 2) and the
    higher two bytes of the four bytes behind offset 30 (4 x 7 + 2) are matched separately.
  To filter ARP packets that carry a VLAN ID, add 4 to each offset in the rule.

  Figure 13-1 Source IP address field offset in Layer 2 header of an ARP packet
  (rendered as a table; byte offsets count from the start of the untagged Ethernet frame)
  Offset  Field
  0-5     Ethernet address of destination
  6-11    Ethernet address of sender
  12-13   Frame type (0x0806 = ARP; matched via the window at offset 10)
  14-15   Hardware type
  16-17   Protocol type
  18      Hardware length
  19      Protocol length
  20-21   OP
  22-27   Ethernet address of sender
  28-31   IP address of sender (matched via the windows at offsets 26 and 30)
  32-37   Ethernet address of destination
  38-41   IP address of destination

<HUAWEI> system-view
[HUAWEI] acl 5001
[HUAWEI-acl-user-5001] rule deny l2-head 0x00000806 0x0000ffff 10 0x0000c0a8 0x0000ffff 26 0x00020000 0xffff0000 30

- To reject all TCP packets, configure a rule in user-defined ACL deny-tcp.
  In the following rule:
  - 0x00060000 indicates the TCP protocol (IP protocol number 6).
  - 8 is the offset of the 4-byte window that contains the protocol field of the IPv4
    header. (The protocol field is byte 9 of the IPv4 header, counting from 0, that is, the
    10th byte, and occupies one byte. The IPv4 header offset defined in a user-defined ACL
    must be 4n (n is an integer). Therefore, the second byte of the four bytes behind offset
    8 in the IPv4 header is matched, which is why the mask is 0x00ff0000.)

<HUAWEI> system-view
[HUAWEI] acl name deny-tcp user
[HUAWEI-acl-user-deny-tcp] rule 5 deny ipv4-head 0x00060000 0x00ff0000 8

Figure 13-2 TCP protocol field offset in IPv4 header
(rendered as a table; byte offsets count from the start of the IPv4 header)
Offset  Field
0       Version, header length
1       ToS
2-3     Total length
4-5     Identifier
6-7     Flags, fragment offset
8       TTL
9       Protocol (6 = TCP; matched via the window at offset 8 with mask 0x00ff0000)
10-11   Header checksum
12-15   Source IP address
16-19   Destination IP address
20-     Options (variable length), data

14 Common QoS Operations


About This Chapter


This chapter describes common QoS and MQC operations, including interface-based rate
limiting.
14.1 Configuring Interface-based Rate Limiting on the S7700/S9700
14.2 Configuring Interface-based Rate Limiting on the S2700/S5700/S6700
14.3 Deleting the Interface-based Rate Limiting Configuration on the S7700/S9700
14.4 Deleting the Interface-based Rate Limiting Configuration on the S2700/S5700/S6700
14.5 Using a Traffic Policy to Limit the Rate of Packets
14.6 Using a Traffic Policy to Filter Packets
14.7 Configuring Traffic Statistics in a Traffic Policy


14.1 Configuring Interface-based Rate Limiting on the S7700/S9700
Configuring Interface-based Rate Limiting in the Inbound Direction
Configure a QoS CAR profile named qoscar1 with a CIR of 10000 kbit/s and a CBS of 10240
bytes, and apply the profile to the incoming traffic on GE1/0/1.
<HUAWEI> system-view
[HUAWEI] qos car qoscar1 cir 10000 cbs 10240
[HUAWEI] interface gigabitethernet 1/0/1
[HUAWEI-GigabitEthernet1/0/1] qos car inbound qoscar1

Configuring Interface-based Rate Limiting in the Outbound Direction


Run the qos lr cir cir-value [ cbs cbs-value ] [ outbound ] command in the interface view to
limit the rate of traffic passing through the interface.

(Optional) Configuring the Inter-frame Gap and Preamble

In V200R005C00 and later versions, you can configure whether the switch counts the
inter-frame gap and preamble of each frame when it calculates the rate on the interface. By
default, the switch counts them, so the configured limit applies to the frame rate including
this per-frame overhead. To exclude them from the rate limit calculation and improve rate
limit accuracy, run either of the following commands in the system view:
- Inbound: qos-car exclude-interframe
- Outbound: qos-shaping exclude-interframe

14.2 Configuring Interface-based Rate Limiting on the S2700/S5700/S6700
Configuring Interface-based Rate Limiting in the Inbound Direction
Run the qos lr inbound cir cir-value [ cbs cbs-value ] command in the interface view to limit
the rate of traffic passing through the interface.

Configuring Interface-based Rate Limiting in the Outbound Direction


Run the qos lr outbound cir cir-value [ cbs cbs-value ] command in the interface view to
limit the rate of traffic passing through the interface.

(Optional) Configuring the Inter-frame Gap and Preamble

In V200R005C00 and later versions, you can configure whether the switch counts the
inter-frame gap and preamble of each frame when it calculates the rate on the interface. By
default, the switch counts them, so the configured limit applies to the frame rate including
this per-frame overhead. To exclude them from the rate limit calculation and improve rate
limit accuracy, run either of the following commands in the system view:
- Inbound: qos-car exclude-interframe
- Outbound: qos-shaping exclude-interframe

14.3 Deleting the Interface-based Rate Limiting Configuration on the S7700/S9700

Deleting the Interface-based Rate Limiting Configuration in the Inbound Direction
Unbind the QoS CAR profile qoscar1 from GE1/0/1 and then delete the profile.
<HUAWEI> system-view
[HUAWEI] interface gigabitethernet 1/0/1
[HUAWEI-GigabitEthernet1/0/1] undo qos car inbound
[HUAWEI-GigabitEthernet1/0/1] quit
[HUAWEI] undo qos car qoscar1

Deleting the Interface-based Rate Limiting Configuration in the Outbound Direction
Run the undo qos lr [ outbound ] command in the interface view to delete the interface-based
rate limiting configuration.

14.4 Deleting the Interface-based Rate Limiting Configuration on the S2700/S5700/S6700

Deleting the Interface-based Rate Limiting Configuration in the Inbound Direction
Run the undo qos lr inbound command in the interface view to delete the interface-based
rate limiting configuration.

Deleting the Interface-based Rate Limiting Configuration in the Outbound Direction
Run the undo qos lr outbound command in the interface view to delete the interface-based
rate limiting configuration.

14.5 Using a Traffic Policy to Limit the Rate of Packets


Limiting the Traffic Rate Based on IP Addresses
Set the rate limit of packets from the PC at 192.168.1.10 to 4 Mbit/s. The car cir value is
entered in kbit/s, so 4096 is used here.
<HUAWEI> system-view
[HUAWEI] acl 2000
[HUAWEI-acl-basic-2000] rule permit source 192.168.1.10 0.0.0.0
[HUAWEI-acl-basic-2000] quit
[HUAWEI] traffic classifier c1
[HUAWEI-classifier-c1] if-match acl 2000
[HUAWEI-classifier-c1] quit
[HUAWEI] traffic behavior b1
[HUAWEI-behavior-b1] car cir 4096
[HUAWEI-behavior-b1] quit
[HUAWEI] traffic policy p1
[HUAWEI-trafficpolicy-p1] classifier c1 behavior b1
[HUAWEI-trafficpolicy-p1] quit
[HUAWEI] interface gigabitethernet 1/0/1
[HUAWEI-GigabitEthernet1/0/1] traffic-policy p1 inbound

Limiting the Rate of Packets from Devices on a Network Segment

Set the rate limit of packets from devices on the network segment 192.168.1.0/24 to 50 Mbit/s
(51200 kbit/s).
<HUAWEI> system-view
[HUAWEI] acl 2000
[HUAWEI-acl-basic-2000] rule permit source 192.168.1.0 0.0.0.255
[HUAWEI-acl-basic-2000] quit
[HUAWEI] traffic classifier c1
[HUAWEI-classifier-c1] if-match acl 2000
[HUAWEI-classifier-c1] quit
[HUAWEI] traffic behavior b1
[HUAWEI-behavior-b1] car cir 51200
[HUAWEI-behavior-b1] quit
[HUAWEI] traffic policy p1
[HUAWEI-trafficpolicy-p1] classifier c1 behavior b1
[HUAWEI-trafficpolicy-p1] quit
[HUAWEI] interface gigabitethernet 1/0/1
[HUAWEI-GigabitEthernet1/0/1] traffic-policy p1 inbound

Limiting the Traffic Rate Based on IP Addresses and Protocols


Set the rate limit of HTTP traffic (TCP destination port 80) from devices on the network
segment 192.168.1.0/24 to 10 Mbit/s (10240 kbit/s).
<HUAWEI> system-view
[HUAWEI] acl 3000
[HUAWEI-acl-adv-3000] rule permit tcp destination-port eq 80 source 192.168.1.0
0.0.0.255
[HUAWEI-acl-adv-3000] quit
[HUAWEI] traffic classifier c1
[HUAWEI-classifier-c1] if-match acl 3000
[HUAWEI-classifier-c1] quit
[HUAWEI] traffic behavior b1
[HUAWEI-behavior-b1] car cir 10240
[HUAWEI-behavior-b1] quit
[HUAWEI] traffic policy p1
[HUAWEI-trafficpolicy-p1] classifier c1 behavior b1
[HUAWEI-trafficpolicy-p1] quit
[HUAWEI] interface gigabitethernet 1/0/1
[HUAWEI-GigabitEthernet1/0/1] traffic-policy p1 inbound

14.6 Using a Traffic Policy to Filter Packets


Preventing a Specified Device from Accessing a Network
Prevent the PC at 192.168.1.10 from accessing the network.
<HUAWEI> system-view
[HUAWEI] acl 2000
[HUAWEI-acl-basic-2000] rule deny source 192.168.1.10 0.0.0.0
[HUAWEI-acl-basic-2000] quit
[HUAWEI] traffic classifier c1
[HUAWEI-classifier-c1] if-match acl 2000
[HUAWEI-classifier-c1] quit
[HUAWEI] traffic behavior b1
[HUAWEI-behavior-b1] deny
[HUAWEI-behavior-b1] quit
[HUAWEI] traffic policy p1
[HUAWEI-trafficpolicy-p1] classifier c1 behavior b1
[HUAWEI-trafficpolicy-p1] quit
[HUAWEI] interface gigabitethernet 1/0/1
[HUAWEI-GigabitEthernet1/0/1] traffic-policy p1 inbound

Preventing All Devices on a Network Segment from Accessing a Network


Prevent all devices on the network segment 192.168.1.0/24 from accessing a network.
<HUAWEI> system-view
[HUAWEI] acl 2000
[HUAWEI-acl-basic-2000] rule deny source 192.168.1.0 0.0.0.255
[HUAWEI-acl-basic-2000] quit
[HUAWEI] traffic classifier c1
[HUAWEI-classifier-c1] if-match acl 2000
[HUAWEI-classifier-c1] quit
[HUAWEI] traffic behavior b1
[HUAWEI-behavior-b1] deny
[HUAWEI-behavior-b1] quit
[HUAWEI] traffic policy p1
[HUAWEI-trafficpolicy-p1] classifier c1 behavior b1
[HUAWEI-trafficpolicy-p1] quit
[HUAWEI] interface gigabitethernet 1/0/1
[HUAWEI-GigabitEthernet1/0/1] traffic-policy p1 inbound

Filtering Packets of Specified Protocols

- Prevent SMTP packets with TCP destination port 25.
- Prevent POP3 packets with TCP destination port 110.
- Prevent HTTP packets with TCP destination port 80.

<HUAWEI> system-view
[HUAWEI] acl 3000
[HUAWEI-acl-adv-3000] rule deny tcp destination-port eq 25
[HUAWEI-acl-adv-3000] rule deny tcp destination-port eq 110
[HUAWEI-acl-adv-3000] rule deny tcp destination-port eq 80
[HUAWEI-acl-adv-3000] quit
[HUAWEI] traffic classifier c1
[HUAWEI-classifier-c1] if-match acl 3000
[HUAWEI-classifier-c1] quit
[HUAWEI] traffic behavior b1
[HUAWEI-behavior-b1] deny
[HUAWEI-behavior-b1] quit
[HUAWEI] traffic policy p1
[HUAWEI-trafficpolicy-p1] classifier c1 behavior b1
[HUAWEI-trafficpolicy-p1] quit
[HUAWEI] interface gigabitethernet 1/0/1
[HUAWEI-GigabitEthernet1/0/1] traffic-policy p1 inbound

14.7 Configuring Traffic Statistics in a Traffic Policy


Configuring the Switch to Collect Traffic Statistics About a Specified Host
Configure the switch to collect statistics on packets with the source MAC address of
0000-0000-0003.
<HUAWEI> system-view
[HUAWEI] acl 4000
[HUAWEI-acl-L2-4000] rule permit source-mac 0000-0000-0003 ffff-ffff-ffff
[HUAWEI-acl-L2-4000] quit
[HUAWEI] traffic classifier c1
[HUAWEI-classifier-c1] if-match acl 4000
[HUAWEI-classifier-c1] quit
[HUAWEI] traffic behavior b1
[HUAWEI-behavior-b1] statistic enable
[HUAWEI-behavior-b1] quit
[HUAWEI] traffic policy p1
[HUAWEI-trafficpolicy-p1] classifier c1 behavior b1
[HUAWEI-trafficpolicy-p1] quit
[HUAWEI] interface gigabitethernet 1/0/1
[HUAWEI-GigabitEthernet1/0/1] traffic-policy p1 inbound
[HUAWEI-GigabitEthernet1/0/1] traffic-policy p1 outbound

Configuring the Switch to Collect Statistics on ICMP Packets

Configure the switch to collect statistics on the ICMP packets exchanged between 192.168.1.1
and 192.168.2.1 in both directions.
<HUAWEI> system-view
[HUAWEI] acl 3000
[HUAWEI-acl-adv-3000] rule 0 permit icmp source 192.168.1.1 0 destination 192.168.2.1 0
[HUAWEI-acl-adv-3000] rule 5 permit icmp source 192.168.2.1 0 destination 192.168.1.1 0
[HUAWEI-acl-adv-3000] quit
[HUAWEI] traffic classifier c1
[HUAWEI-classifier-c1] if-match acl 3000
[HUAWEI-classifier-c1] quit
[HUAWEI] traffic behavior b1
[HUAWEI-behavior-b1] statistic enable
[HUAWEI-behavior-b1] quit
[HUAWEI] traffic policy p1
[HUAWEI-trafficpolicy-p1] classifier c1 behavior b1
[HUAWEI-trafficpolicy-p1] quit
[HUAWEI] interface gigabitethernet 1/0/1
[HUAWEI-GigabitEthernet1/0/1] traffic-policy p1 inbound
[HUAWEI-GigabitEthernet1/0/1] traffic-policy p1 outbound

Configuring the Switch to Collect Statistics on ARP Packets


Configure the switch to collect statistics on ARP Request and Reply packets.
<HUAWEI> system-view
[HUAWEI] traffic classifier arp-request
[HUAWEI-classifier-arp-request] if-match l2-protocol arp
[HUAWEI-classifier-arp-request] if-match source-mac 1111-1111-1111
[HUAWEI-classifier-arp-request] if-match destination-mac ffff-ffff-ffff
[HUAWEI-classifier-arp-request] quit
[HUAWEI] traffic classifier arp-reply
[HUAWEI-classifier-arp-reply] if-match l2-protocol arp
[HUAWEI-classifier-arp-reply] if-match source-mac 2222-2222-2222
[HUAWEI-classifier-arp-reply] if-match destination-mac 1111-1111-1111
[HUAWEI-classifier-arp-reply] quit
[HUAWEI] traffic behavior b1
[HUAWEI-behavior-b1] statistic enable
[HUAWEI-behavior-b1] quit
[HUAWEI] traffic policy arp-request
[HUAWEI-trafficpolicy-arp-request] classifier arp-request behavior b1
[HUAWEI-trafficpolicy-arp-request] quit
[HUAWEI] traffic policy arp-reply
[HUAWEI-trafficpolicy-arp-reply] classifier arp-reply behavior b1
[HUAWEI-trafficpolicy-arp-reply] quit
[HUAWEI] interface gigabitethernet 1/0/1
[HUAWEI-GigabitEthernet1/0/1] traffic-policy arp-request inbound
[HUAWEI-GigabitEthernet1/0/1] traffic-policy arp-reply outbound


Checking Packet Statistics

After traffic statistics are enabled in a traffic policy (statistic enable in the traffic
behavior), run the following command to view packet statistics.
# Display statistics on incoming packets matching the traffic policy applied to GE1/0/1 in the
inbound direction.
<HUAWEI> display traffic policy statistics interface gigabitethernet 1/0/1 inbound verbose rule-base
Interface: GigabitEthernet1/0/1
Traffic policy inbound: arp-request
Rule number: 1
Current status: success
Statistics interval: 300
---------------------------------------------------------------------
Classifier: arp-request operator and
Behavior: b1
if-match l2-protocol arp
if-match source-mac 1111-1111-1111
if-match destination-mac ffff-ffff-ffff
Board : 0
---------------------------------------------------------------------
Passed           | Packets:      0
                 | Bytes:        0
                 | Rate(pps):    0
                 | Rate(bps):    0
---------------------------------------------------------------------
Dropped          | Packets:      0
                 | Bytes:        0
                 | Rate(pps):    0
                 | Rate(bps):    0
---------------------------------------------------------------------
NOTE
SA cards of S series do not support byte-based traffic statistics. The information is displayed as -.


15 Common IPSG Operations


About This Chapter


This chapter describes the common IPSG operations.
15.1 Configuring IPSG Based on a Static Binding Table
15.2 Configuring IPSG Based on DHCP Snooping Dynamic Binding Table
15.3 Deleting Static Binding Entries


15.1 Configuring IPSG Based on a Static Binding Table


IPSG based on a static binding table filters IP packets received by untrusted interfaces, to
prevent malicious hosts from stealing authorized hosts' IP addresses to access the network
without permission. IPSG based on a static binding table is applicable to a LAN where a
small number of hosts reside and the hosts use static IP addresses. The configuration
procedure is as follows:
1. Run the user-bind static { { { ip-address | ipv6-address } { start-ip [ to end-ip ] }
   &<1-10> | ipv6-prefix prefix/prefix-length } | mac-address mac-address } * [ interface
   interface-type interface-number ] [ vlan vlan-id [ ce-vlan ce-vlan-id ] ] command in the
   system view to configure a static binding entry.
   NOTE
   IPSG matches packets against all options in the static binding entry. Ensure that the created
   binding entry is correct and contains all the options to check. The device forwards the packets
   from hosts only when the packets match all options in the binding entry, and discards the packets
   not matching the binding entry. Options that are not present in an entry are not checked, so an
   entry that binds only an IP address to an interface does not detect a host on that interface
   that uses the bound IP address with a different MAC address.
   The device can bind multiple IP addresses or IP address segments to the same interface or MAC
   address.
   - If you need to bind discontinuous IP addresses, enter 1-10 IP addresses in start-ip. For
     example, you can run user-bind static ip-address 192.168.1.2 192.168.1.5 192.168.1.12
     interface gigabitethernet 1/0/1 to bind multiple IP addresses to the same interface.
   - If you need to bind continuous IP addresses, enter 1-10 IP address segments in start-ip to
     end-ip. When the keyword to is used, the IP address segments cannot overlap. For example,
     you can run user-bind static ip-address 172.16.1.1 to 172.16.1.4 mac-address
     0001-0001-0001 to bind multiple IP addresses to the same MAC address.
2. Run the ip source check user-bind enable command in the interface or VLAN view to
   enable IPSG.
   - Enabling IPSG on an interface: IPSG checks all packets received by the interface
     against the binding entries. Choose this method if you need to check IP packets on
     the specified interfaces and trust other interfaces. In addition, this method is
     convenient if an interface belongs to multiple VLANs because you do not need to
     enable IPSG in each VLAN.
   - Enabling IPSG in a VLAN: IPSG checks the packets received by all interfaces in
     the VLAN against the binding entries. Choose this method if you need to check IP
     packets in the specified VLANs and trust other VLANs. In addition, this method is
     convenient if multiple interfaces belong to the same VLAN because you do not
     need to enable IPSG on each interface.

The following example shows how to configure IPSG based on the static binding table:
# Create a static binding entry (source IP address 192.168.1.1 and source MAC address
0003-0003-0003) and enable IPSG on GE1/0/1.
<HUAWEI> system-view
[HUAWEI] user-bind static ip-address 192.168.1.1 mac-address 0003-0003-0003
[HUAWEI] interface gigabitethernet 1/0/1
[HUAWEI-GigabitEthernet1/0/1] ip source check user-bind enable

# Create a static binding entry (source IP address 192.168.2.1, source MAC address
0002-0002-0002, interface GE1/0/1, and VLAN 10) and enable IPSG in VLAN 10.
<HUAWEI> system-view
[HUAWEI] user-bind static ip-address 192.168.2.1 mac-address 0002-0002-0002 interface gigabitethernet 1/0/1 vlan 10
[HUAWEI] vlan 10
[HUAWEI-vlan10] ip source check user-bind enable

15.2 Configuring IPSG Based on DHCP Snooping Dynamic Binding Table
IPSG based on a DHCP snooping dynamic binding table filters IP packets received by
untrusted interfaces, to prevent malicious hosts from stealing authorized hosts' IP addresses to
access the network without permission. IPSG based on a dynamic binding table is applicable
to the LAN where a large number of hosts reside and the hosts obtain IP addresses through
DHCP. The configuration procedure is as follows:
1. Configure DHCP snooping so that a DHCP snooping dynamic binding table is generated.
   a. Run the dhcp enable command in the system view to enable DHCP globally.
   b. Run the dhcp snooping enable command in the system view to enable DHCP snooping
      globally.
   c. Run the dhcp snooping enable command in the interface or VLAN view to enable DHCP
      snooping on the interface or in the VLAN.
   d. Run the dhcp snooping trusted command in the interface view or the dhcp snooping
      trusted interface interface-type interface-number command in the VLAN view to
      configure the interface that connects to the legitimate DHCP server as a trusted
      interface.
      The device directly forwards the IP packets received by the trusted interface without
      checking them against the binding entry.
2. Run the ip source check user-bind enable command in the interface or VLAN view to
   enable IPSG.

The following example shows how to configure IPSG based on DHCP snooping dynamic
binding table:
# Configure DHCP snooping, specify GE1/0/1 (the interface facing the DHCP server) as a trusted
interface, and enable IPSG on GE1/0/2.
<HUAWEI> system-view
[HUAWEI] dhcp enable
[HUAWEI] dhcp snooping enable
[HUAWEI] interface gigabitethernet 1/0/1
[HUAWEI-GigabitEthernet1/0/1] dhcp snooping trusted
[HUAWEI-GigabitEthernet1/0/1] quit
[HUAWEI] interface gigabitethernet 1/0/2
[HUAWEI-GigabitEthernet1/0/2] dhcp snooping enable
[HUAWEI-GigabitEthernet1/0/2] ip source check user-bind enable

# Configure DHCP snooping, specify GE1/0/1 as a trusted interface, and enable IPSG in
VLAN 10.
<HUAWEI> system-view
[HUAWEI] vlan batch 10
[HUAWEI] interface gigabitethernet 1/0/1
[HUAWEI-GigabitEthernet1/0/1] port link-type trunk
[HUAWEI-GigabitEthernet1/0/1] port trunk allow-pass vlan 10
[HUAWEI-GigabitEthernet1/0/1] quit
[HUAWEI] dhcp enable

[HUAWEI] dhcp snooping enable


[HUAWEI] vlan 10
[HUAWEI-vlan10] dhcp snooping enable
[HUAWEI-vlan10] dhcp snooping trusted interface gigabitethernet 1/0/1
[HUAWEI-vlan10] ip source check user-bind enable

15.3 Deleting Static Binding Entries


If a binding entry is incorrect or the network rights of a bound host have been changed, you
can run the undo user-bind static [ { { ip-address | ipv6-address } { start-ip [ to end-ip ] }
&<1-10> | ipv6-prefix prefix/prefix-length } | mac-address mac-address | interface
interface-type interface-number | vlan vlan-id [ ce-vlan ce-vlan-id ] ] * command to delete the
entry.
- When you delete a binding entry, the parameters specified in the undo command must be the same as the corresponding parameters in the binding entry; otherwise, the entry cannot be deleted.
- Binding entries can be deleted in a batch, for example:
  - Run the undo user-bind static command to delete all binding entries.
  - Run the undo user-bind static interface gigabitethernet 1/0/1 command to delete all entries on the specified interface GE1/0/1.
  - Run the undo user-bind static vlan 10 command to delete all entries in VLAN 10.

The following example shows how to delete a static binding entry:

Run the display dhcp static user-bind all command to view all static binding entries on the device.
<HUAWEI> display dhcp static user-bind all
DHCP static Bind-table:
Flags:O - outer vlan ,I - inner vlan ,P - Vlan-mapping
IP Address       MAC Address     VSI/VLAN(O/I/P)  Interface
--------------------------------------------------------------------------------
192.168.1.1      0001-0001-0001  -- /-- /--
192.168.1.2      0002-0002-0002  -- /-- /--       GE1/0/2
192.168.2.1      -               -- /-- /--       GE1/0/1
192.168.2.2      -               -- /-- /--       GE1/0/1
192.168.2.3      -               -- /-- /--       GE1/0/1
192.168.3.1      0004-0004-0004  10 /-- /--
192.168.3.2      0005-0005-0005  10 /-- /--
--------------------------------------------------------------------------------
Print count:           7          Total count:           7

# Delete the static binding entry of IP address 192.168.1.1.


<HUAWEI> system-view
[HUAWEI] undo user-bind static ip-address 192.168.1.1 mac-address 0001-0001-0001

# Delete the static binding entry of IP address 192.168.1.2.


<HUAWEI> system-view
[HUAWEI] undo user-bind static ip-address 192.168.1.2 mac-address 0002-0002-0002
interface gigabitethernet 1/0/2

# Delete all static binding entries on GE1/0/1.


<HUAWEI> system-view
[HUAWEI] undo user-bind static interface gigabitethernet 1/0/1

# Delete all static binding entries in VLAN 10.


<HUAWEI> system-view
[HUAWEI] undo user-bind static vlan 10

After the preceding steps are performed in sequence, all binding entries are deleted.
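As an added illustration (not Huawei code and not part of this guide), the following Python models the two rules of 15.2 and 15.3: IPSG on an untrusted interface forwards only packets that match a binding entry while trusted interfaces bypass the check, and undo user-bind static deletes only entries whose fields equal every parameter given. The entries are constructed from the display output above; the Packet and Binding structures and the interface sets are assumptions.

```python
"""IPSG filtering against a binding table (15.2) and the matching rule of
'undo user-bind static' (15.3), modelled in Python.  Added illustration, not
Huawei code: the entries are constructed from the 'display dhcp static
user-bind all' output on this page.  IPSG checks DHCP snooping dynamic
entries the same way; the static table is used only because it is printed."""
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple


@dataclass(frozen=True)
class Binding:
    """One binding entry; None stands for a column shown as '--'."""
    ip: str
    mac: Optional[str] = None
    vlan: Optional[int] = None
    interface: Optional[str] = None


@dataclass(frozen=True)
class Packet:
    """Fields of a received IP packet that IPSG compares with the table."""
    src_ip: str
    src_mac: str
    vlan: int
    interface: str                  # ingress interface, e.g. "GE1/0/2"


# Constructed from the display output in 15.3.
STATIC_TABLE: List[Binding] = [
    Binding("192.168.1.1", mac="0001-0001-0001"),
    Binding("192.168.1.2", mac="0002-0002-0002", interface="GE1/0/2"),
    Binding("192.168.2.1", interface="GE1/0/1"),
    Binding("192.168.2.2", interface="GE1/0/1"),
    Binding("192.168.2.3", interface="GE1/0/1"),
    Binding("192.168.3.1", mac="0004-0004-0004", vlan=10),
    Binding("192.168.3.2", mac="0005-0005-0005", vlan=10),
]


def entry_permits(entry: Binding, pkt: Packet) -> bool:
    """IPSG match: every field the entry specifies must equal the packet's;
    a field shown as '--' in the entry does not constrain the packet."""
    return (entry.ip == pkt.src_ip
            and (entry.mac is None or entry.mac == pkt.src_mac)
            and (entry.vlan is None or entry.vlan == pkt.vlan)
            and (entry.interface is None or entry.interface == pkt.interface))


def ipsg_check(pkt: Packet, table: List[Binding],
               trusted: Set[str], ipsg_enabled: Set[str]) -> str:
    """'forward' or 'discard' with the reason, following 15.2: trusted
    interfaces are never checked; an untrusted interface with IPSG enabled
    forwards only packets that match a binding entry."""
    if pkt.interface in trusted:
        return "forward: trusted interface, not checked"
    if pkt.interface not in ipsg_enabled:
        return "forward: IPSG not enabled on this interface"
    if any(entry_permits(e, pkt) for e in table):
        return "forward: matches a binding entry"
    return "discard: no matching binding entry"


def undo_user_bind_static(table: List[Binding], ip: Optional[str] = None,
                          mac: Optional[str] = None, vlan: Optional[int] = None,
                          interface: Optional[str] = None
                          ) -> Tuple[List[Binding], List[Binding]]:
    """Model of 'undo user-bind static [ parameters ]' (15.3): an entry is
    deleted only if every parameter given equals the entry's own value, so a
    wrong or extra parameter deletes nothing; with no parameters every entry
    matches.  Returns (remaining, deleted)."""
    remaining: List[Binding] = []
    deleted: List[Binding] = []
    for e in table:
        pairs = ((ip, e.ip), (mac, e.mac), (vlan, e.vlan), (interface, e.interface))
        if all(given is None or given == own for given, own in pairs):
            deleted.append(e)
        else:
            remaining.append(e)
    return remaining, deleted


def replay_page_deletions(table: List[Binding]) -> List[Binding]:
    """Run the four undo commands of the 15.3 example in order."""
    table, _ = undo_user_bind_static(table, ip="192.168.1.1", mac="0001-0001-0001")
    table, _ = undo_user_bind_static(table, ip="192.168.1.2", mac="0002-0002-0002",
                                     interface="GE1/0/2")
    table, _ = undo_user_bind_static(table, interface="GE1/0/1")
    table, _ = undo_user_bind_static(table, vlan=10)
    return table


if __name__ == "__main__":
    trusted, ipsg_on = {"GE1/0/1"}, {"GE1/0/2"}   # as in the first 15.2 example
    for pkt in (Packet("192.168.1.2", "0002-0002-0002", 1, "GE1/0/2"),
                Packet("192.168.1.2", "0009-0009-0009", 1, "GE1/0/2"),
                Packet("192.168.2.1", "0003-0003-0003", 1, "GE1/0/2")):
        print(pkt.src_ip, pkt.src_mac, "->", ipsg_check(pkt, STATIC_TABLE, trusted, ipsg_on))
    print("left after the 15.3 deletions:", len(replay_page_deletions(STATIC_TABLE)))
```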

16 Common AAA Operations

About This Chapter


This chapter describes common AAA operations.
16.1 Configuring Authentication for Telnet Login Users (AAA Local Authentication)
16.2 Setting the User Level
16.3 Configuring the Global Default Domain

16.1 Configuring Authentication for Telnet Login Users (AAA Local Authentication)

An authentication mode must be specified on the device; otherwise, users cannot log in to the device through Telnet. The device supports non-authentication, password authentication, and AAA authentication, of which AAA authentication is the most secure.
To authenticate Telnet users through AAA, enable the Telnet service on the device, set the authentication mode of the user interface (for example, VTY) to aaa, create a local account in the AAA view, and set the user access type and user level.
<HUAWEI> system-view
[HUAWEI] telnet server enable   //Enable the Telnet service.
[HUAWEI] user-interface maximum-vty 15   //Set the maximum number of VTY login users to 15.
[HUAWEI] user-interface vty 0 14   //Enter the view of VTY user interfaces 0 to 14.
[HUAWEI-ui-vty0-14] authentication-mode aaa   //Set the VTY authentication mode to AAA.
[HUAWEI-ui-vty0-14] protocol inbound telnet   //By default, switches in V200R006 and earlier versions support Telnet, and switches in V200R007 and later versions support SSH.
[HUAWEI-ui-vty0-14] quit
[HUAWEI] aaa
[HUAWEI-aaa] local-user user1 password irreversible-cipher Huawei@1234   //Create the local user user1 and set the password. The password is displayed in cipher text in the configuration file, so remember the password. If you forget the password, run this command again to overwrite the old configuration.
[HUAWEI-aaa] local-user user1 service-type telnet   //Set the access type of user1 to Telnet. This user can only log in to the device through Telnet.
[HUAWEI-aaa] local-user user1 privilege level 15   //Set the user level of user1 to 15. After login, the user can run the commands at levels 0-15.
[HUAWEI-aaa] quit

16.2 Setting the User Level


A user level corresponds to a command level. After logging in to the device, a user can run only commands whose level is the same as or lower than the user level. For example, a user at level 2 can run only the commands at levels 0, 1, and 2.
When AAA local authentication is used, set the user level on the device. If the user level is not set, login users are at level 0 (visit level) and can use only the commands at level 0, such as the network diagnostic commands ping and tracert.
To allow users to run commands of higher levels, such as the monitoring, configuration, or management level, the users must have higher user levels.
If AAA local authentication is used, the user level can be set in the following three ways. The user level set in the first way has the highest priority and the user level set in the last way has the lowest priority.
- Set the user level for a specified user.
  <HUAWEI> system-view
  [HUAWEI] aaa
  [HUAWEI-aaa] local-user user1 privilege level 15   //Set the user level of user1 to 15.
- Set the user level for all users in a domain.
  <HUAWEI> system-view
  [HUAWEI] aaa
  [HUAWEI-aaa] service-scheme sch1
  [HUAWEI-aaa-service-sch1] admin-user privilege level 15   //Set the user levels of all users in a domain to 15.
- Set the user level for all users logging in through the same user interface (such as the VTY user interface).
  <HUAWEI> system-view
  [HUAWEI] user-interface maximum-vty 15
  [HUAWEI] user-interface vty 0 14
  [HUAWEI-ui-vty0-14] user privilege level 15   //Set the user level in VTY 0-14 to 15.

16.3 Configuring the Global Default Domain


The administrator plans to authenticate the users of a department in the domain huawei. The user name entered for authentication does not contain a domain name (for example, the user name is zhangsan). In this case, the access device cannot send the user name to the AAA server configured in the domain huawei, and the user therefore fails authentication. To solve the problem, configure huawei as the global default domain.
<HUAWEI> system-view
[HUAWEI] aaa
[HUAWEI-aaa] domain huawei
[HUAWEI-aaa-domain-huawei] quit
[HUAWEI-aaa] quit
[HUAWEI] domain huawei
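As an added illustration (not Huawei code and not part of this guide), the following Python applies the precedence of the three user-level settings from 16.2 and the default-domain rule from 16.3 to decide which commands a login user may run. The command-level table and the way settings are stored are constructed assumptions; only the three sources, their priority, level 0 as the default, and ping/tracert at level 0 come from the page.

```python
"""Effective user level under AAA local authentication (16.2) and the
default-domain rule for user names without a domain (16.3).

Added illustration, not Huawei code.  The three places a level can be set
and their precedence are taken from the page; how the settings are stored
here (plain dicts) and the command-level table are constructed samples.
"""
from dataclasses import dataclass, field
from typing import Dict, Tuple

# Constructed sample of command levels.  ping and tracert at level 0 (visit
# level) are the page's own example; the other entries are illustrative.
COMMAND_LEVELS: Dict[str, int] = {
    "ping": 0, "tracert": 0,
    "display": 1,      # monitoring level
    "interface": 2,    # configuration level
    "aaa": 3,          # management level
}


@dataclass
class LocalAuthConfig:
    """Where a user level may be set, highest precedence first (16.2)."""
    # local-user <name> privilege level <n>           (per user)
    local_user_levels: Dict[str, int] = field(default_factory=dict)
    # service-scheme ... admin-user privilege level <n>, keyed here by the
    # domain the scheme applies to (simplification: the page does not show
    # how a scheme is bound to a domain)
    domain_levels: Dict[str, int] = field(default_factory=dict)
    # user-interface vty 0 14 / user privilege level <n>, keyed by interface
    user_interface_levels: Dict[str, int] = field(default_factory=dict)
    # 'domain <name>' in the system view (16.3)
    default_domain: str = "default"


def split_domain(username: str, default_domain: str) -> Tuple[str, str]:
    """'zhangsan@huawei' -> ('zhangsan', 'huawei'); a bare 'zhangsan' is
    placed in the global default domain, which is what 16.3 configures."""
    name, sep, domain = username.partition("@")
    return name, (domain if sep else default_domain)


def effective_level(cfg: LocalAuthConfig, username: str, user_interface: str) -> int:
    """Apply the precedence stated in 16.2: per-user setting, then domain
    (service scheme), then user interface; unset users are at level 0."""
    name, domain = split_domain(username, cfg.default_domain)
    if name in cfg.local_user_levels:
        return cfg.local_user_levels[name]
    if domain in cfg.domain_levels:
        return cfg.domain_levels[domain]
    if user_interface in cfg.user_interface_levels:
        return cfg.user_interface_levels[user_interface]
    return 0


def may_run(command: str, user_level: int) -> bool:
    """A user may run commands whose level is equal to or lower than theirs."""
    return COMMAND_LEVELS[command] <= user_level


if __name__ == "__main__":
    cfg = LocalAuthConfig(local_user_levels={"user1": 15},
                          domain_levels={"huawei": 3},
                          user_interface_levels={"vty0-14": 1},
                          default_domain="huawei")
    for user in ("user1", "zhangsan", "lisi@other"):
        lvl = effective_level(cfg, user, "vty0-14")
        allowed = [c for c in COMMAND_LEVELS if may_run(c, lvl)]
        print(f"{user}: level {lvl}, may run {allowed}")
```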

17 Common NAC Operations

About This Chapter


This chapter describes common NAC operations.
17.1 Configuring MAC Address Bypass Authentication
17.2 Configuring the Guest VLAN Function
17.3 Configuring Layer 2 Transparent Transmission of 802.1x Authentication Packets

17.1 Configuring MAC Address Bypass Authentication


When there are PCs and a few dumb terminals (such as printers) on a network, you can
configure 802.1x authentication and MAC address bypass authentication so that the dumb
terminals can also connect to the 802.1x authentication network. For example, when many
PCs and some dumb terminals are connected to the interfaces GE1/0/1 and GE1/0/5, you can
enable 802.1x authentication and MAC address bypass authentication on the interfaces so that
the PCs and dumb terminals can connect to the network.
NOTE

In the V200R005C00 and later versions, only the common NAC mode supports MAC address bypass
authentication.

Batch configure multiple interfaces in the system view:
<HUAWEI> system-view
[HUAWEI] dot1x enable
[HUAWEI] dot1x enable interface gigabitethernet 1/0/1 gigabitethernet 1/0/5
[HUAWEI] dot1x mac-bypass interface gigabitethernet 1/0/1 gigabitethernet 1/0/5

Configure each interface in the interface view:


<HUAWEI> system-view
[HUAWEI] dot1x enable
[HUAWEI] interface gigabitethernet 1/0/1
[HUAWEI-GigabitEthernet1/0/1] dot1x enable
[HUAWEI-GigabitEthernet1/0/1] dot1x mac-bypass
[HUAWEI-GigabitEthernet1/0/1] quit
[HUAWEI] interface gigabitethernet 1/0/5
[HUAWEI-GigabitEthernet1/0/5] dot1x enable
[HUAWEI-GigabitEthernet1/0/5] dot1x mac-bypass

17.2 Configuring the Guest VLAN Function


You can configure the guest VLAN function so that users can access some network resources without authentication, for example, to download client software, upgrade clients, and update the virus library. For example, configure the guest VLAN function on GE1/0/1 and GE1/0/5 so that the users on the two interfaces can update the virus library in real time. Assume that the virus library server is located in VLAN 10.
NOTE

In the V200R005C00 and later versions, only the common NAC mode supports the guest VLAN function.

Batch configure multiple interfaces in the system view:


<HUAWEI> system-view
[HUAWEI] dot1x enable
[HUAWEI] dot1x enable interface gigabitethernet 1/0/1 gigabitethernet 1/0/5
[HUAWEI] authentication guest-vlan 10 interface gigabitethernet 1/0/1 gigabitethernet 1/0/5

Configure each interface in the interface view:


<HUAWEI> system-view
[HUAWEI] dot1x enable
[HUAWEI] interface gigabitethernet 1/0/1
[HUAWEI-GigabitEthernet1/0/1] dot1x enable
[HUAWEI-GigabitEthernet1/0/1] authentication guest-vlan 10
[HUAWEI-GigabitEthernet1/0/1] quit
[HUAWEI] interface gigabitethernet 1/0/5
[HUAWEI-GigabitEthernet1/0/5] dot1x enable
[HUAWEI-GigabitEthernet1/0/5] authentication guest-vlan 10

17.3 Configuring Layer 2 Transparent Transmission of 802.1x Authentication Packets

The EAP packet in 802.1x authentication is a bridge protocol data unit (BPDU). By default, Huawei switches do not perform Layer 2 forwarding for BPDUs. If a Layer 2 switch sits between the 802.1x-enabled device and a user, Layer 2 transparent transmission must be configured on that switch. Otherwise, the EAP packet sent by the user cannot reach the authentication device and the user cannot pass authentication.
Figure 17-1 Configuring Layer 2 transparent transmission of 802.1x authentication packets
[Figure: two Users connect to the LAN Switch on GE0/0/2 and GE0/0/3; GE0/0/1 of the LAN Switch connects to the Switch running 802.1x authentication, behind which are the Intranet and the RADIUS Server.]

As shown in Figure 17-1, the Layer 2 LAN Switch sits between the user and the Switch on which 802.1x authentication is enabled. To ensure that the user's 802.1x authentication packets can reach the Switch through the LAN Switch, perform the following configuration on the LAN Switch (using the S5700HI as an example of the Layer 2 switch).
<HUAWEI> system-view
[HUAWEI] sysname LAN Switch
[LAN Switch] l2protocol-tunnel user-defined-protocol dot1x protocol-mac 0180c200-0003 group-mac 0100-0000-0002   //group-mac cannot be set to the reserved multicast MAC addresses (from 0180-C200-0000 to 0180-C200-002F) and some other special MAC addresses.
[LAN Switch] interface gigabitethernet 0/0/1   //Connect the Layer 2 switch to the uplink network and configure all interfaces of the users.
[LAN Switch-GigabitEthernet0/0/1] l2protocol-tunnel user-defined-protocol dot1x enable
[LAN Switch-GigabitEthernet0/0/1] bpdu enable
[LAN Switch-GigabitEthernet0/0/1] quit
[LAN Switch] interface gigabitethernet 0/0/2
[LAN Switch-GigabitEthernet0/0/2] l2protocol-tunnel user-defined-protocol dot1x enable
[LAN Switch-GigabitEthernet0/0/2] bpdu enable
[LAN Switch-GigabitEthernet0/0/2] quit
[LAN Switch] interface gigabitethernet 0/0/3
[LAN Switch-GigabitEthernet0/0/3] l2protocol-tunnel user-defined-protocol dot1x enable
[LAN Switch-GigabitEthernet0/0/3] bpdu enable
[LAN Switch-GigabitEthernet0/0/3] quit
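As an added illustration (not Huawei code and not part of this guide), the following Python models what the l2protocol-tunnel configuration above does to an EAPOL frame on the LAN Switch and checks the group-mac restriction stated in the CLI comment. The protocol MAC, group MAC and reserved range are the page's values; that tunnelling works by rewriting the destination MAC to the group MAC on the user-facing side and restoring it on the uplink side is the usual Layer 2 protocol tunnelling technique and is an assumption here, as is the constructed EAPOL-Start frame.

```python
"""Layer 2 transparent transmission of 802.1x (EAPOL) frames, as set up on
the LAN Switch in 17.3, modelled in Python.

Added illustration, not Huawei code.  The protocol MAC, the group MAC and
the reserved range the group MAC must avoid are the page's values.  That the
tunnel works by rewriting the destination MAC to the group MAC on the
user-facing side and restoring it on the uplink side is the usual Layer 2
protocol tunnelling technique; the page does not describe the mechanism, so
it is an assumption here.
"""
import struct
from typing import Tuple

PROTOCOL_MAC = bytes.fromhex("0180c2000003")   # protocol-mac 0180c200-0003
GROUP_MAC = bytes.fromhex("010000000002")      # group-mac 0100-0000-0002
RESERVED_LOW = bytes.fromhex("0180c2000000")   # reserved multicast range
RESERVED_HIGH = bytes.fromhex("0180c200002f")  # named in the CLI comment
ETHERTYPE_EAPOL = 0x888E                        # EAP over LAN (802.1x)


def mac_str(mac: bytes) -> str:
    """Render a MAC in the xxxx-xxxx-xxxx notation the page uses."""
    h = mac.hex()
    return f"{h[0:4]}-{h[4:8]}-{h[8:12]}"


def group_mac_allowed(mac: bytes) -> bool:
    """A group MAC inside 0180-C200-0000..0180-C200-002F would itself be
    treated as a reserved BPDU address, so the page forbids it."""
    return not (RESERVED_LOW <= mac <= RESERVED_HIGH)


def parse_frame(frame: bytes) -> Tuple[bytes, bytes, int, bytes]:
    """Split an untagged Ethernet frame into dst, src, EtherType, payload."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    (ethertype,) = struct.unpack("!H", frame[12:14])
    return frame[0:6], frame[6:12], ethertype, frame[14:]


def build_eapol_start(src_mac: bytes) -> bytes:
    """Constructed sample: EAPOL-Start (version 1, type 1, body length 0)
    addressed to the PAE group address, as a supplicant would send it."""
    return PROTOCOL_MAC + src_mac + struct.pack("!HBBH", ETHERTYPE_EAPOL, 1, 1, 0)


def tunnel_ingress(frame: bytes) -> bytes:
    """User-facing tunnel interface (GE0/0/2, GE0/0/3): an EAPOL frame for the
    protocol MAC is re-addressed to the group MAC, so the LAN Switch floods
    it like ordinary multicast instead of consuming it as a BPDU."""
    dst, _src, ethertype, _payload = parse_frame(frame)
    if dst == PROTOCOL_MAC and ethertype == ETHERTYPE_EAPOL:
        return GROUP_MAC + frame[6:]
    return frame


def tunnel_egress(frame: bytes) -> bytes:
    """Uplink tunnel interface (GE0/0/1): restore the protocol MAC so the
    802.1x authenticator recognises the frame."""
    dst, _src, ethertype, _payload = parse_frame(frame)
    if dst == GROUP_MAC and ethertype == ETHERTYPE_EAPOL:
        return PROTOCOL_MAC + frame[6:]
    return frame


if __name__ == "__main__":
    supplicant = bytes.fromhex("0011223344aa")  # constructed user MAC
    start = build_eapol_start(supplicant)
    inside = tunnel_ingress(start)
    print("ingress dst:", mac_str(inside[:6]), "-> egress dst:",
          mac_str(tunnel_egress(inside)[:6]))
    print("group-mac allowed:", group_mac_allowed(GROUP_MAC))
```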

18 Common VRRP Operations

About This Chapter


This chapter describes common VRRP operations.
18.1 Enabling the Master to Respond to Ping Packets Sent to a Virtual IP Address
18.2 Configuring Association Between VRRP and the Interface Status
18.3 Configuring Association Between VRRP and BFD
18.4 Configuring Association Between VRRP and NQA
18.5 Configuring Association Between VRRP and Routing
18.6 Configuring the VRRP Version Number
18.7 Configuring a Preemption Mode
18.8 Configuring the Mode in Which the Master Sends VRRP Advertisement Packets in a Super-VLAN
18.9 Enabling MAC Address Triggered ARP Entry Update

18.1 Enabling the Master to Respond to Ping Packets Sent to a Virtual IP Address

# Enable the master to respond to ping packets sent to a virtual IP address.
<HUAWEI> system-view
[HUAWEI] vrrp virtual-ip ping enable

18.2 Configuring Association Between VRRP and the Interface Status

# Configure association between VRRP and the interface status to implement an active/
standby switchover.
<HUAWEI> system-view
[HUAWEI] interface vlanif 10
[HUAWEI-Vlanif10] ip address 10.1.1.1 24
[HUAWEI-Vlanif10] vrrp vrid 1 virtual-ip 10.1.1.3
[HUAWEI-Vlanif10] vrrp vrid 1 track interface gigabitethernet 1/0/1 reduced 40
[HUAWEI-Vlanif10] quit

18.3 Configuring Association Between VRRP and BFD


# Configure association between VRRP and BFD to implement a rapid active/standby
switchover.
<HUAWEI> system-view
[HUAWEI] interface vlanif 10
[HUAWEI-Vlanif10] ip address 10.1.1.1 24
[HUAWEI-Vlanif10] vrrp vrid 1 virtual-ip 10.1.1.3
[HUAWEI-Vlanif10] quit
[HUAWEI] bfd
[HUAWEI-bfd] quit
[HUAWEI] bfd atob bind peer-ip 10.1.1.2 interface vlanif 10
[HUAWEI-bfd-session-atob] discriminator local 1
[HUAWEI-bfd-session-atob] discriminator remote 2
[HUAWEI-bfd-session-atob] min-rx-interval 100
[HUAWEI-bfd-session-atob] min-tx-interval 100
[HUAWEI-bfd-session-atob] commit
[HUAWEI-bfd-session-atob] quit
[HUAWEI] interface vlanif 10
[HUAWEI-Vlanif10] vrrp vrid 1 track bfd-session 1 increased 40
[HUAWEI-Vlanif10] quit

18.4 Configuring Association Between VRRP and NQA


# Configure association between VRRP and NQA to implement an active/standby switchover.
<HUAWEI> system-view
[HUAWEI] interface vlanif 10
[HUAWEI-Vlanif10] ip address 10.1.1.1 24
[HUAWEI-Vlanif10] vrrp vrid 1 virtual-ip 10.1.1.3
[HUAWEI-Vlanif10] quit

[HUAWEI] nqa test-instance user test


[HUAWEI-nqa-user-test] test-type icmp
[HUAWEI-nqa-user-test] destination-address ipv4 10.20.1.2
[HUAWEI-nqa-user-test] frequency 15
[HUAWEI-nqa-user-test] start now
[HUAWEI-nqa-user-test] quit
[HUAWEI] interface vlanif 10
[HUAWEI-Vlanif10] vrrp vrid 1 track nqa user test reduced 40
[HUAWEI-Vlanif10] quit

18.5 Configuring Association Between VRRP and Routing


# Configure association between VRRP and routing to implement an active/standby
switchover.
<HUAWEI> system-view
[HUAWEI] interface vlanif 10
[HUAWEI-Vlanif10] ip address 10.1.1.1 24
[HUAWEI-Vlanif10] vrrp vrid 1 virtual-ip 10.1.1.3
[HUAWEI-Vlanif10] vrrp vrid 1 track ip route 10.20.1.0 24 reduced 40
[HUAWEI-Vlanif10] quit

18.6 Configuring the VRRP Version Number


# Configure the VRRP version number.
<HUAWEI> system-view
[HUAWEI] vrrp version v3

18.7 Configuring a Preemption Mode


Configuring a Non-preemption Mode
<HUAWEI> system-view
[HUAWEI] interface vlanif 10
[HUAWEI-Vlanif10] vrrp vrid 1 preempt-mode disable

Configuring a Preemption Mode


<HUAWEI> system-view
[HUAWEI] interface vlanif 10
[HUAWEI-Vlanif10] vrrp vrid 1 preempt-mode timer delay 20

18.8 Configuring the Mode in Which the Master Sends VRRP Advertisement Packets in a Super-VLAN

# Configure the mode in which the master sends VRRP Advertisement packets in a super-VLAN.
<HUAWEI> system-view
[HUAWEI] interface vlanif 100
[HUAWEI-Vlanif100] vrrp advertise send-mode 10

18.9 Enabling MAC Address Triggered ARP Entry Update


# Enable the MAC address triggered ARP entry update function.
<HUAWEI> system-view
[HUAWEI] mac-address update arp

19 Common SNMP Operations

About This Chapter


This chapter describes common SNMP operations.
19.1 Configuring Access Control
19.2 Setting the SNMP Version and Community Name
19.3 Configuring User Group and User Name
19.4 Configuring the Device to Send Traps
19.5 Deleting Community Name

19.1 Configuring Access Control


To ensure device security, you can configure an access control list (ACL) and MIB views to restrict NMS access to the device.
- Configure an ACL.
  ACL 2001 allows only the NMS on network segment 192.168.1.0 to access the device.
  <HUAWEI> system-view
  [HUAWEI] acl 2001
  [HUAWEI-acl-basic-2001] rule permit source 192.168.1.0 0.0.0.255
  [HUAWEI-acl-basic-2001] rule deny source any
- Create a MIB view.
  The MIB view is named alliso and includes the iso subtree.
  <HUAWEI> system-view
  [HUAWEI] snmp-agent mib-view included alliso iso

19.2 Setting the SNMP Version and Community Name


SNMP has three versions: v1, v2c, and v3. v1 and v2c use community names, whereas v3 does not. Because v1 and v2c lack authentication, they are vulnerable to security threats, so v3 is recommended. When a community name is configured, an ACL can be used to restrict NMS access to the device.
- SNMPv1
  The SNMP version is v1, the read/write community name is community001, and access control is configured.
  <HUAWEI> system-view
  [HUAWEI] snmp-agent sys-info version v1
  [HUAWEI] snmp-agent community write community001 mib-view alliso acl 2001
- SNMPv2c
  The SNMP version is v2c, the read/write community name is community001, and access control is configured.
  <HUAWEI> system-view
  [HUAWEI] snmp-agent sys-info version v2c
  [HUAWEI] snmp-agent community write community001 mib-view alliso acl 2001

19.3 Configuring User Group and User Name


Only SNMPv3 supports the configuration of user groups and user names. By default, SNMPv3 is enabled on a device.
The security level of a user cannot be lower than the security level of the user group to which the user belongs. Security levels in descending order are as follows:
- privacy: authentication and encryption
- authentication: authentication and no encryption
- none: no authentication and no encryption
If a user group is at the privacy level, the users and trap hosts of the user group must be at the privacy level. If a user group is at the authentication level, the users and trap hosts of the user group must be at the privacy or authentication level.
In the versions earlier than V200R003C00:


# Set the user group name to group001 and security level to privacy, and configure
access control to restrict the access of the NMS to the device.
<HUAWEI> system-view
[HUAWEI] snmp-agent group v3 group001 privacy write-view alliso acl 2001

# Set the user name to user001, authentication password to Authe1234 and encryption
password to Priva1234.
<HUAWEI> system-view
[HUAWEI] snmp-agent usm-user v3 user001 group001 authentication-mode sha Authe1234 privacy-mode des56 Priva1234

V200R003C00 and later versions:


# Set the user group name to group001 and security level to privacy, and configure
access control to restrict the access of the NMS to the device.
<HUAWEI> system-view
[HUAWEI] snmp-agent group v3 group001 privacy write-view alliso acl 2001

# Set the user name to user001, authentication password to Authe@1234 and encryption
password to Priva@1234.
<HUAWEI> system-view
[HUAWEI] snmp-agent usm-user v3 user001 group group001
[HUAWEI] snmp-agent usm-user v3 user001 authentication-mode sha
Please configure the authentication password (8-64)
Enter Password:      // Enter authentication password Authe@1234.
Confirm Password:    // Enter authentication password Authe@1234.
[HUAWEI] snmp-agent usm-user v3 user001 privacy-mode aes256
Please configure the privacy password (8-64)
Enter Password:      // Enter encryption password Priva@1234.
Confirm Password:    // Enter encryption password Priva@1234.

19.4 Configuring the Device to Send Traps


After the trap function is enabled and the trap host is configured, the device automatically
sends traps to the trap host.
1. Enable the trap function.
   Enable the trap function for the SNMP module.
   <HUAWEI> system-view
   [HUAWEI] snmp-agent trap enable feature-name snmp
   NOTE
   If the trap function is not enabled for modules, each module uses the default trap configuration. To view the default trap configuration of each module, run the display snmp-agent trap all command. The trap function of the SNMP module is used as an example here.
2. Configure the interface to send traps.
   Configure LoopBack0 with IP address 10.1.1.1 as the interface to send traps.
   <HUAWEI> system-view
   [HUAWEI] interface loopback 0
   [HUAWEI-LoopBack0] ip address 10.1.1.1 32
   [HUAWEI-LoopBack0] quit
   [HUAWEI] snmp-agent trap source loopback 0

NOTE

After the interface is configured, the IP address of the interface is used to send traps. To ensure device
security, it is recommended that you configure a loopback interface to send traps. The trap sending
interface configured on the switch must be the same as that configured on the NMS; otherwise, the
NMS cannot receive traps. In addition, a reachable route must exist between the IP addresses of trap
sending interface and trap host.

3. Configure the trap host.
   Set the trap host address to 10.1.2.10, UDP port number to 50000, security name to user001, trap version to v3, and security level to privacy.
   <HUAWEI> system-view
   [HUAWEI] snmp-agent target-host trap address udp-domain 10.1.2.10 udp-port 50000 params securityname user001 v3 privacy
NOTE

The trap version must be the same as the SNMP version configured on the device; otherwise, traps cannot be sent to the NMS. When the version is set to v3, the security name must be the same as the user name that was created; otherwise, traps cannot be sent to the NMS. v1 and v2c impose no such restriction on the security name.
The default UDP port number is 162. After the UDP port number is changed, you must reconfigure the UDP port of the NMS that receives traps. If the UDP ports of the device and NMS differ, traps cannot be sent to the NMS.
The security level of the trap host cannot be lower than the security level of the user.
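As an added illustration (not Huawei code and not part of this guide), the following Python checks an SNMPv3 group/user/trap-host configuration against the consistency rules stated in 19.3 and 19.4 before it is committed: user level not below group level, trap-host level not below user level, a v3 security name that is an existing user, a trap version the device has enabled, and matching UDP ports. The record layout is an assumption; the sample values mirror the page's group001/user001/10.1.2.10 example.

```python
"""Consistency checks for the SNMPv3 group, user and trap-host settings in
19.3 and 19.4, modelled in Python.

Added illustration, not Huawei code.  The rules checked (user level not
below group level, trap-host level not below user level, v3 security name
must be an existing user, trap version must match the device's SNMP
version, UDP ports must agree) are the page's; the record layout is an
assumption and the sample configuration mirrors the page's example.
"""
from dataclasses import dataclass
from typing import List, Optional, Set

SECURITY_RANK = {"none": 0, "authentication": 1, "privacy": 2}  # ascending
DEFAULT_TRAP_PORT = 162


@dataclass(frozen=True)
class Group:
    name: str
    level: str                 # snmp-agent group v3 <name> <level>


@dataclass(frozen=True)
class User:
    name: str
    group: str
    authentication_mode: Optional[str] = None   # e.g. "sha"
    privacy_mode: Optional[str] = None          # e.g. "aes256"

    @property
    def level(self) -> str:
        """privacy = authentication and encryption; authentication = no
        encryption; none = neither (the page's three levels)."""
        if self.privacy_mode:
            return "privacy"
        if self.authentication_mode:
            return "authentication"
        return "none"


@dataclass(frozen=True)
class TrapHost:
    address: str
    version: str               # "v1", "v2c" or "v3"
    security_name: str
    level: str = "none"        # only meaningful for v3
    udp_port: int = DEFAULT_TRAP_PORT


def check_snmpv3(groups: List[Group], users: List[User], hosts: List[TrapHost],
                 device_versions: Set[str], nms_port: int = DEFAULT_TRAP_PORT
                 ) -> List[str]:
    """Return a list of problems; an empty list means traps will reach the NMS
    as far as these settings are concerned."""
    problems: List[str] = []
    by_group = {g.name: g for g in groups}
    by_user = {u.name: u for u in users}

    for u in users:
        g = by_group.get(u.group)
        if g is None:
            problems.append(f"user {u.name}: group {u.group} does not exist")
        elif SECURITY_RANK[u.level] < SECURITY_RANK[g.level]:
            problems.append(f"user {u.name}: level {u.level} is below "
                            f"group {g.name} level {g.level}")

    for h in hosts:
        if h.version not in device_versions:
            problems.append(f"trap host {h.address}: trap version {h.version} "
                            f"is not enabled on the device")
        if h.udp_port != nms_port:
            problems.append(f"trap host {h.address}: UDP port {h.udp_port} "
                            f"differs from NMS port {nms_port}")
        if h.version != "v3":
            continue                    # v1/v2c: no security-name restriction
        u = by_user.get(h.security_name)
        if u is None:
            problems.append(f"trap host {h.address}: security name "
                            f"{h.security_name} is not an existing v3 user")
        elif SECURITY_RANK[h.level] < SECURITY_RANK[u.level]:
            problems.append(f"trap host {h.address}: level {h.level} is below "
                            f"user {u.name} level {u.level}")
    return problems


# Constructed sample mirroring the page: group001 at privacy, user001 with
# sha + aes256, trap host 10.1.2.10 on UDP 50000 as v3/privacy.
PAGE_GROUPS = [Group("group001", "privacy")]
PAGE_USERS = [User("user001", "group001", "sha", "aes256")]
PAGE_HOSTS = [TrapHost("10.1.2.10", "v3", "user001", "privacy", 50000)]

if __name__ == "__main__":
    print(check_snmpv3(PAGE_GROUPS, PAGE_USERS, PAGE_HOSTS, {"v3"}, nms_port=50000))
```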

19.5 Deleting Community Name


When you delete a community name, the configuration related to the community name is also
deleted. The community names are stored in cipher text on the device; therefore, you can
delete the community name in either of the following ways:
- In plain text:
  You must enter the correct community name; otherwise, the community name cannot be deleted.
  <HUAWEI> system-view
  [HUAWEI] undo snmp-agent community community001
- In cipher text:
  Before deleting a community name in cipher text, you must query the encrypted community name.
  <HUAWEI> system-view
  [HUAWEI] display snmp-agent community
  Community name:%^%#v_@eE"TW3Yw"7"Q2Vd!"/$XsX|}+GOBz8V.pEh>=x9)J,Tuy}3Mp#+X4QV5CAI^:Z;NlA3*&ta4}a53-%^%#
  Group name:%^%#v_@eE"TW3Yw"7"Q2Vd!"/$XsX|}+GOBz8V.pEh>=x9)J,Tuy}3Mp#+X4QV5CAI^:Z;NlA3*&ta4}a53-%^%#
  Acl: 2001
  Storage-type: nonVolatile
  [HUAWEI] undo snmp-agent community %#%#v_@eE"TW3Yw"7"Q2Vd!"/$XsX|}+GOBz8V.pEh>=x9)J,Tuy}3Mp#+X4QV5CAI^:Z;NlA3*&ta4}a53-%#%#

20 Common OSPF Operations

This chapter uses the Open Shortest Path First (OSPF) network shown in Figure 20-1 as an
example to describe common OSPF operations.
Figure 20-1 Basic OSPF network
[Figure: Area0 (backbone) with SwitchA and SwitchB, Area1 with SwitchE, Area2 with SwitchF, and SwitchC and SwitchD also shown. Interface labels in the figure: 10GE1/0/1 VLANIF10 192.168.0.1/24 and 192.168.0.2/24 (network 192.168.0.0, Area0 on SwitchA); 10GE1/0/2 VLANIF20 192.168.1.1/24 and 10GE1/0/1 VLANIF20 192.168.1.2/24 (network 192.168.1.0, Area1 on SwitchA); 10GE1/0/2 VLANIF30 192.168.2.1/24 and 10GE1/0/1 VLANIF30 192.168.2.2/24; 10GE1/0/2 VLANIF40 172.16.1.1/24 and 10GE1/0/1 VLANIF40 172.16.1.2/24; 10GE1/0/2 VLANIF50 172.17.1.1/24 and 10GE1/0/1 VLANIF50 172.17.1.2/24; 10GE1/0/2 VLANIF60 172.18.1.1/24.]

Configuring Basic OSPF Functions


The following uses the configuration of SwitchA as an example. The configurations of other
switches are similar to the configuration of SwitchA.
<SwitchA> system-view
[SwitchA] ospf 1
[SwitchA-ospf-1] area 0
[SwitchA-ospf-1-area-0.0.0.0] network 192.168.0.0 0.0.0.255   //Enable OSPF on VLANIF10.
[SwitchA-ospf-1-area-0.0.0.0] quit
[SwitchA-ospf-1] area 1
[SwitchA-ospf-1-area-0.0.0.1] network 192.168.1.0 0.0.0.255   //Enable OSPF on VLANIF20.
[SwitchA-ospf-1-area-0.0.0.1] quit
[SwitchA-ospf-1] quit

Configuring a Stub Area


A stub area is a special area where an area border router (ABR) does not flood received
autonomous system (AS) external routes, which significantly reduces the routing table size
and transmitted routing information of routers. A border area on an OSPF network is often
configured as a stub area. For example, configure Area1 as a stub area.
The following uses the configuration of SwitchA as an example. The configurations of other
switches in Area1 are similar to the configuration of SwitchA.
[SwitchA] ospf 1
[SwitchA-ospf-1] area 1
[SwitchA-ospf-1-area-0.0.0.1] stub
[SwitchA-ospf-1-area-0.0.0.1] quit
[SwitchA-ospf-1] quit

Configuring an NSSA
In a not-so-stubby area (NSSA), an ABR does not flood AS external routes received from
other areas, similar to the situation in a stub area. The difference is that an ABR can import
and flood AS external routes to the entire OSPF domain. A border area connected to another
AS on an OSPF network is often configured as an NSSA. For example, configure Area2 as an
NSSA.
The following uses the configuration of SwitchB as an example. The configurations of other
switches in Area2 are similar to the configuration of SwitchB.
[SwitchB] ospf 1
[SwitchB-ospf-1] area 2
[SwitchB-ospf-1-area-0.0.0.2] nssa
[SwitchB-ospf-1-area-0.0.0.2] quit
[SwitchB-ospf-1] quit

Configuring OSPF to Import Routes


To access a device running a non-OSPF protocol, an OSPF-capable device needs to import
routes of the non-OSPF protocol into the OSPF network. For example, configure OSPF to
import direct routes of SwitchF into the OSPF network.
[SwitchF] ospf 1
[SwitchF-ospf-1] import-route direct
[SwitchF-ospf-1] quit

Setting the OSPF Interface Cost


OSPF automatically calculates the cost of an interface according to the interface bandwidth by
default. You can also manually set the OSPF interface cost. For example, set the cost of
VLANIF 20 on SwitchA to 5.
[SwitchA] interface vlanif 20
[SwitchA-Vlanif20] ospf cost 5
[SwitchA-Vlanif20] quit

Configuring Association Between OSPF and BFD


To accelerate OSPF convergence when the status of a link changes, you can configure
bidirectional forwarding detection (BFD) on OSPF links. After detecting a link failure, BFD
notifies OSPF of the failure, which triggers fast OSPF convergence. When the OSPF neighbor
relationship is Down, the BFD session is deleted dynamically.
For example, set up a BFD session on the OSPF link between SwitchA and SwitchB.
# Configure SwitchA.
[SwitchA] bfd
[SwitchA-bfd] quit
[SwitchA] ospf 1
[SwitchA-ospf-1] bfd all-interfaces enable
[SwitchA-ospf-1] quit

# Configure SwitchB.
[SwitchB] bfd
[SwitchB-bfd] quit
[SwitchB] ospf 1
[SwitchB-ospf-1] bfd all-interfaces enable
[SwitchB-ospf-1] quit

Configuring OSPF to Advertise Default Routes


Multiple switches for next-hop backup or traffic load balancing often reside on the area
border and AS border of an OSPF network. A default route can be configured to reduce
routing entries and improve resource usage on the OSPF network.
The advertising mode of the default route is determined by the type of the area to which the
default route is imported, as shown in Table 20-1.
Table 20-1 Default route advertising mode

Area Type     | Generated By                                 | Advertised By | LSA Type  | Flooding Area
--------------|----------------------------------------------|---------------|-----------|--------------
Common area   | The default-route-advertise command          | ASBR          | Type5 LSA | Common area
Stub area     | Automatically                                | ABR           | Type3 LSA | Stub area
NSSA          | The nssa [ default-route-advertise ] command | ASBR          | Type7 LSA | NSSA
Totally NSSA  | Automatically                                | ABR           | Type3 LSA | NSSA
