Sie sind auf Seite 1von 263

HP 12500 Routing Switch Series

Layer 2 - LAN Switching


Configuration Guide

Part number: 5998-2820


Software version: 12500-CMW520-R1825P01
Document version: 6W180-20130118
Legal and notice information

© Copyright 2013 Hewlett-Packard Development Company, L.P.


No part of this documentation may be reproduced or transmitted in any form or by any means without
prior written consent of Hewlett-Packard Development Company, L.P.
The information contained herein is subject to change without notice.
HEWLETT-PACKARD COMPANY MAKES NO WARRANTY OF ANY KIND WITH REGARD TO THIS
MATERIAL, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
AND FITNESS FOR A PARTICULAR PURPOSE. Hewlett-Packard shall not be liable for errors contained
herein or for incidental or consequential damages in connection with the furnishing, performance, or
use of this material.
The only warranties for HP products and services are set forth in the express warranty statements
accompanying such products and services. Nothing herein should be construed as constituting an
additional warranty. HP shall not be liable for technical or editorial errors or omissions contained
herein.
Contents

Configuring VLANs ······················································································································································ 1 


Overview············································································································································································ 1 
VLAN fundamentals·················································································································································· 1 
Types of VLAN ·························································································································································· 2 
Protocols and standards ·········································································································································· 3 
Configuring basic VLAN settings····································································································································· 3 
Configuring basic settings of a VLAN interface ············································································································ 3 
VLAN interface overview ········································································································································· 3 
Configuration procedure ········································································································································· 4 
VLAN interface configuration example ·················································································································· 4 
Configuring port-based VLANs ········································································································································ 6 
Introduction to port-based VLANs ··························································································································· 6 
Assigning an access port to a VLAN ····················································································································· 8 
Assigning a trunk port to a VLAN··························································································································· 9 
Assigning a hybrid port to a VLAN ····················································································································· 10 
Port-based VLAN configuration example ············································································································ 11 
Configuring MAC-based VLANs ·································································································································· 12 
Introduction to MAC-based VLAN ······················································································································· 12 
Configuration procedure ······································································································································ 13 
MAC-based VLAN configuration example ········································································································· 15 
Configuring protocol-based VLANs ····························································································································· 17 
Introduction to protocol-based VLAN ·················································································································· 17 
Configuration procedure ······································································································································ 17 
Protocol-based VLAN configuration example····································································································· 18 
Configuring IP subnet-based VLANs ···························································································································· 21 
Introduction to IP subnet-based VLAN ················································································································· 21 
Configuration procedure ······································································································································ 21 
IP subnet-based VLAN configuration example ··································································································· 23 
Displaying and maintaining VLAN ······························································································································ 25 

Configuring the super VLAN ····································································································································· 27 


Overview········································································································································································· 27 
Configuration procedure ··············································································································································· 27 
Displaying and maintaining super VLAN ···················································································································· 29 
Super VLAN configuration example ···························································································································· 29 
Network requirements ··········································································································································· 29 
Configuration procedure ······································································································································ 30 
Verifying the configuration ··································································································································· 30 

Configuring the voice VLAN ····································································································································· 33 


Overview········································································································································································· 33 
OUI addresses ······················································································································································· 33 
Voice VLAN assignment modes ··························································································································· 34 
Security mode and normal mode of voice VLANs ····························································································· 36 
Configuration prerequisites ··········································································································································· 37 
Configuration guidelines ··············································································································································· 37 
Configuring QoS priority settings for voice traffic on an interface ·········································································· 37 
Configuring a port to operate in automatic voice VLAN assignment mode ···························································· 38 
Configuration restrictions and guidelines ··········································································································· 38 
Configuration procedure ······································································································································ 38 

i
Configuring a port to operate in manual voice VLAN assignment mode ································································ 39 
Configuration restrictions and guidelines ··········································································································· 39 
Configuration procedure ······································································································································ 39 
Displaying and maintaining voice VLAN ···················································································································· 40 
Voice VLAN configuration examples ··························································································································· 40 
Automatic voice VLAN mode configuration example ······················································································· 40 
Manual voice VLAN assignment mode configuration example ······································································· 42 

Configuring the MAC address table ························································································································ 45 


Overview········································································································································································· 45 
How a MAC address table entry is created ······································································································· 45 
Types of MAC address table entries ··················································································································· 46 
MAC address table-based frame forwarding ···································································································· 46 
Configuring the MAC address table ···························································································································· 46 
Configuring static, dynamic, and blackhole MAC address table entries ······················································· 47 
Configuring a multiport unicast MAC address table entry ··············································································· 47 
Configuring the aging timer for dynamic MAC address entries ······································································ 48 
Configuring the MAC learning limit ···················································································································· 49 
Enabling MAC address migration log notifying ········································································································· 50 
Displaying and maintaining the MAC address table ································································································· 50 
MAC address table configuration example ················································································································ 51 

Configuring spanning tree protocols ························································································································ 53 


STP ··················································································································································································· 53 
STP protocol packets ············································································································································· 53 
Basic concepts in STP············································································································································ 54 
Calculation process of the STP algorithm ··········································································································· 55 
RSTP ················································································································································································· 60 
PVST················································································································································································· 60 
MSTP················································································································································································ 60 
STP, RSTP, and PVST limitations ·························································································································· 60 
MSTP features ························································································································································ 60 
MSTP basic concepts ············································································································································ 61 
How MSTP works ·················································································································································· 64 
Implementation of MSTP on devices···················································································································· 65 
Protocols and standards ················································································································································ 65 
Spanning tree configuration task lists ·························································································································· 65 
Configuration restrictions and guidelines ··········································································································· 65 
STP configuration task list ····································································································································· 66 
RSTP configuration task list ··································································································································· 67 
PVST configuration task list··································································································································· 68 
MSTP configuration task list ································································································································· 69 
Setting the spanning tree mode ···································································································································· 70 
Configuring an MST region ·········································································································································· 70 
Configuration restrictions and guidelines ··········································································································· 70 
Configuration procedure ······································································································································ 71 
Configuring the root bridge or a secondary root bridge ·························································································· 71 
Configuring the current switch as the root bridge of a specific spanning tree··············································· 72 
Configuring the current switch as a secondary root bridge of a specific spanning tree······························· 72 
Configuring the switch priority ····································································································································· 72 
Configuring the maximum hops of an MST region ···································································································· 73 
Configuring the network diameter of a switched network························································································· 74 
Configuring spanning tree timers ································································································································· 74 
Configuration restrictions and guidelines ··········································································································· 75 
Configuration procedure ······································································································································ 75 

ii
Configuring the timeout factor ······································································································································ 75 
Configuring the maximum port rate ····························································································································· 76 
Configuration guidelines ······································································································································ 76 
Configuration procedure ······································································································································ 76 
Configuring edge ports ················································································································································· 76 
Configuration restrictions and guidelines ··········································································································· 77 
Configuration procedure ······································································································································ 77 
Configuring path costs of ports ···································································································································· 77 
Specifying a standard for the switch to use when calculating the default path cost ····································· 77 
Configuring the path costs of ports ····················································································································· 79 
Configuration example ········································································································································· 80 
Configuring the port priority ········································································································································· 80 
Configuring the port link type ······································································································································· 81 
Configuration restrictions and guidelines ··········································································································· 81 
Configuration procedure ······································································································································ 81 
Configuring the mode a port uses to recognize/send MSTP packets ······································································ 81 
Enabling the spanning tree feature ······························································································································ 82 
Enabling the spanning tree protocol in STP, RSTP, or MSTP mode ································································· 82 
Enabling the spanning tree protocol in PVST mode ·························································································· 83 
Performing mCheck ························································································································································ 83 
Performing mCheck globally ································································································································ 84 
Performing mCheck in interface view ················································································································· 84 
Configuring the VLAN Ignore feature ·························································································································· 84 
Configuration procedure ······································································································································ 84 
Configuration example ········································································································································· 85 
Configuring Digest Snooping ······································································································································· 85 
Configuration restrictions and guidelines ··········································································································· 86 
Configuration procedure ······································································································································ 86 
Configuration example ········································································································································· 87 
Configuring No Agreement Check ······························································································································ 87 
Configuration prerequisites ·································································································································· 89 
Configuration procedure ······································································································································ 89 
Configuration example ········································································································································· 89 
Configuring TC snooping ·············································································································································· 90 
Configuration restrictions and guidelines ··········································································································· 90 
Configuration procedure ······································································································································ 90 
Configuring protection functions ·································································································································· 91 
Enabling BPDU guard ··········································································································································· 91 
Enabling root guard ·············································································································································· 91 
Enabling loop guard ············································································································································· 92 
Enabling TC-BPDU guard······································································································································ 93 
Displaying and maintaining the spanning tree ··········································································································· 93 
Spanning tree configuration examples ························································································································ 95 
MSTP configuration example ······························································································································· 95 
PVST configuration example ································································································································ 98 

Configuring Ethernet link aggregation ·················································································································· 102 


Overview······································································································································································· 102 
Basic concepts ····················································································································································· 102 
Aggregating links in static mode ······················································································································· 105 
Aggregating links in dynamic mode ················································································································· 107 
Load sharing criteria for link aggregation groups ··························································································· 109 
Ethernet link aggregation configuration task list ······································································································· 109 
Configuring an aggregation group ··························································································································· 109 
Configuration guidelines ···································································································································· 109 

iii
Configuring a static aggregation group ··········································································································· 110 
Configuring a dynamic aggregation group ····································································································· 111 
Configuring an aggregate interface ·························································································································· 113 
Configuring the description of an aggregate interface/subinterface ···························································· 114 
Configuring the MTU of a Layer 3 aggregate interface/subinterface ·························································· 114 
Enabling link state trapping for an aggregate interface ················································································· 114 
Limiting the number of Selected ports for an aggregation group ·································································· 115 
Shutting down an aggregate interface ············································································································· 116 
Restoring the default settings for an aggregate interface ··············································································· 117 
Configuring load sharing for link aggregation groups ···························································································· 117 
Enabling link-aggregation traffic redirection ············································································································· 118 
Enhancing the Selected port capacity for link aggregation in IRF mode ······························································· 118 
Displaying and maintaining Ethernet link aggregation ··························································································· 119 
Ethernet link aggregation configuration examples ··································································································· 119 
Layer 2 static aggregation configuration example ·························································································· 120 
Layer 2 dynamic aggregation configuration example ···················································································· 122 
Layer 3 static aggregation configuration example ·························································································· 123 
Layer 3 dynamic aggregation configuration example ···················································································· 125 

Configuring port isolation······································································································································· 127 


Overview······································································································································································· 127 
Operating mechanism ········································································································································ 127 
Non-isolated VLAN ············································································································································· 127 
Configuration restrictions and guidelines ·················································································································· 128 
Port isolation configuration task list ···························································································································· 128 
Assigning ports to an isolation group ························································································································ 128 
Configuring non-isolated VLANs ································································································································ 129 
Displaying and maintaining port isolation ················································································································ 129 
Port isolation configuration examples ························································································································ 129 
Port isolation without non-isolated VLAN configuration example ·································································· 130 
Port isolation with non-isolated VLAN configuration example ······································································· 131 

Configuring QinQ ··················································································································································· 134 


Overview······································································································································································· 134 
Background and benefits ···································································································································· 134 
How QinQ works ················································································································································ 134 
QinQ frame structure ·········································································································································· 135 
Implementations of QinQ ··································································································································· 136 
Modifying the TPID in a VLAN tag ···················································································································· 136 
QinQ configuration task list ········································································································································ 137 
Enabling basic QinQ··················································································································································· 137 
Configuring selective QinQ ········································································································································ 138 
Configuring an outer VLAN tagging policy ····································································································· 138 
Configuring an inner-outer VLAN 802.1p priority mapping policy ······························································ 139 
Setting the TPID value in VLAN tags ·························································································································· 140 
QinQ configuration examples ···································································································································· 140 
Basic QinQ configuration example ··················································································································· 140 
Selective QinQ configuration example ············································································································· 143 

Configuring VLAN mapping ·································································································································· 145 


Overview······································································································································································· 145 
Application scenario of one-to-one VLAN mapping ························································································ 145 
Application scenario of one-to-two and two-to-two VLAN mapping ······························································ 146 
Concepts and terms ············································································································································ 146 
VLAN mapping implementations ······················································································································· 147 
VLAN mapping configuration task list ······················································································································· 149 

iv
Configuring one-to-one VLAN mapping ···················································································································· 149 
Configuration prerequisites ································································································································ 149 
Configuring an uplink policy······························································································································ 149 
Configuring a downlink policy ·························································································································· 150 
Configuring the customer-side port ···················································································································· 151 
Configuring the network-side port ····················································································································· 151 
Configuring one-to-two VLAN mapping ···················································································································· 152 
Configuration prerequisites ································································································································ 152 
Configuring an uplink policy······························································································································ 152 
Configuring the customer-side port ···················································································································· 153 
Configuring the network-side port ····················································································································· 153 
Configuring two-to-two VLAN mapping····················································································································· 154 
Configuring an uplink policy for the customer-side port ················································································· 154 
Configuring a downlink policy for the customer-side port ·············································································· 155 
Configuring the customer-side port ···················································································································· 156 
Configuring the network-side port ····················································································································· 157 
VLAN mapping configuration examples ··················································································································· 157 
One-to-one VLAN mapping configuration example ························································································ 157 
One-to-two and two-to-two VLAN mapping configuration example ······························································ 159 

Configuring BPDU tunneling··································································································································· 162 


Overview······································································································································································· 162 
Background ·························································································································································· 162 
BPDU tunneling implementation ························································································································· 163 
Configuration prerequisites ········································································································································· 164 
Enabling BPDU tunneling ············································································································································ 164 
Configuring destination multicast MAC address for BPDUs ···················································································· 164 
BPDU tunneling configuration example ····················································································································· 165 
Network requirements ········································································································································· 165 
Configuration procedure ···································································································································· 165 

Configuring GVRP ··················································································································································· 167 


Overview······································································································································································· 167 
GARP ···································································································································································· 167 
GVRP····································································································································································· 170 
Protocols and standards ····································································································································· 170 
GVRP configuration task list ········································································································································ 171 
Configuring GVRP functions········································································································································ 171 
Configuration restrictions and guidelines ········································································································· 171 
Configuration procedure ···································································································································· 171 
Configuring GARP timers ············································································································································ 172 
Displaying and maintaining GVRP····························································································································· 173 
GVRP configuration examples ···································································································································· 174 
GVRP normal registration mode configuration example ················································································· 174 
GVRP fixed registration mode configuration example ···················································································· 175 
GVRP forbidden registration mode configuration example ············································································ 177 

Configuring loopback detection ···························································································································· 179 


Overview······································································································································································· 179 
Basic concepts in loopback detection ··············································································································· 179 
How loopback detection works ························································································································· 180 
Loopback detection configuration task list ················································································································ 181 
Enabling loopback detection ······································································································································ 181 
Enabling loopback detection in system view···································································································· 181 
Enabling loopback detection in VLAN view ····································································································· 181 
Configuring the loopback detection action ··············································································································· 182 

v
Configuring the loopback detection interval ············································································································· 182 
Displaying and maintaining loopback detection ······································································································ 182 
Loopback detection configuration example ·············································································································· 183 

Configuring VLAN termination ······························································································································· 187 


Overview······································································································································································· 187 
VLAN termination types ······································································································································ 187 
Application scenarios ········································································································································· 187 
VLAN termination networking solutions ············································································································ 188 
VLAN termination configuration task list ··················································································································· 190 
Configuring QinQ termination ··································································································································· 190 
Configuring unambiguous QinQ termination ·································································································· 190 
Configuring ambiguous QinQ termination······································································································· 191 
Enabling a VLAN termination-enabled interface to transmit broadcast and multicast packets ··························· 191 
Configuring the TPID for VLAN-tagged packets········································································································ 191 
VLAN termination configuration examples ················································································································ 192 
Unambiguous QinQ termination configuration example ················································································ 192 
Ambiguous QinQ termination configuration example ···················································································· 194 
Ambiguous QinQ termination configuration example (lite solution) ····························································· 197 
Configuration example for QinQ termination supporting DHCP relay ························································· 199 

Configuring MAC-in-MAC ······································································································································ 203 


MAC-in-MAC overview ··············································································································································· 203 
Basic concepts ····················································································································································· 203 
MAC-in-MAC frame encapsulation ··················································································································· 204 
MAC-in-MAC frame forwarding ························································································································ 205 
Protocols and standards ····································································································································· 206 
MAC-in-MAC configuration task list ··························································································································· 206 
Configuring MAC-in-MAC··········································································································································· 206 
Enabling L2VPN ·················································································································································· 206 
Creating a MAC-in-MAC instance····················································································································· 207 
Configuring a B-VLAN ········································································································································ 207 
Configuring an uplink port ································································································································· 207 
Configuring a downlink port ······························································································································ 208 
Applying a global CAR action ·························································································································· 209 
Displaying and maintaining MAC-in-MAC ··············································································································· 209 
MAC-in-MAC configuration example ························································································································ 209 
Troubleshooting ···························································································································································· 211 

Configuring LLDP ····················································································································································· 212 


Overview······································································································································································· 212 
Background ·························································································································································· 212 
Basic concepts ····················································································································································· 212 
How LLDP works ·················································································································································· 216 
Protocols and standards ····································································································································· 217 
LLDP configuration task list ·········································································································································· 217 
Performing basic LLDP configuration ·························································································································· 217 
Enabling LLDP ······················································································································································ 217 
Setting LLDP operating mode ····························································································································· 218 
Setting the LLDP re-initialization delay ·············································································································· 218 
Enabling LLDP polling·········································································································································· 219 
Configuring the advertisable TLVs ····················································································································· 219 
Configuring the management address and its encoding format ···································································· 220 
Setting other LLDP parameters ···························································································································· 221 
Configuring the encapsulation format for LLDPDUs ························································································· 222 
Configuring CDP compatibility ··································································································································· 222 

vi
Configuration prerequisites ································································································································ 223 
Configuring CDP compatibility ·························································································································· 223 
Configuring LLDP trapping ·········································································································································· 223 
Displaying and maintaining LLDP ······························································································································· 224 
LLDP configuration examples ······································································································································ 224 
Basic LLDP configuration example ····················································································································· 225 
CDP-compatible LLDP configuration example ··································································································· 227 

Configuring MVRP ·················································································································································· 229 


Overview······································································································································································· 229 
Introduction to MRP ············································································································································· 229 
MVRP implementation ········································································································································· 232 
Protocols and standards ····································································································································· 233 
MVRP configuration task list ········································································································································ 233 
Configuring MVRP ······················································································································································· 233 
Configuring MRP timers ··············································································································································· 235 
Enabling GVRP compatibility ······································································································································ 236 
Displaying and maintaining MVRP ···························································································································· 236 
MVRP configuration examples ···································································································································· 237 
Configuration example for MVRP in normal registration mode ····································································· 237 
Configuration example for MVRP in fixed registration mode ········································································· 245 
Configuration example for MVRP in forbidden registration mode ································································ 247 

Support and other resources ·································································································································· 250 


Contacting HP ······························································································································································ 250 
Subscription service ············································································································································ 250 
Related information ······················································································································································ 250 
Documents ···························································································································································· 250 
Websites······························································································································································· 250 
Conventions ·································································································································································· 251 

Index ········································································································································································ 253 

vii
Configuring VLANs

In this chapter, EB cards refer to the interface cards prefixed with EB.

Overview
Ethernet is a network technology based on the Carrier Sense Multiple Access/Collision Detect
(CSMA/CD) mechanism. As the medium is shared, collisions and excessive broadcasts are common on
Ethernet networks. To address the issue, virtual LAN (VLAN) was introduced to break a LAN down into
separate VLANs. VLANs are isolated from each other at Layer 2. A VLAN is a bridging domain, and all
broadcast traffic is contained within it, as shown in Figure 1.
Figure 1 A VLAN diagram

A VLAN is logically divided on an organizational basis rather than on a physical basis. For example, all
workstations and servers used by a particular workgroup can be connected to the same LAN, regardless
of their physical locations.
VLAN technology delivers the following benefits:
• Confining broadcast traffic within individual VLANs. This reduces bandwidth waste and improves
network performance.
• Improving LAN security. By assigning user groups to different VLANs, you can isolate them at Layer
2. To enable communication between VLANs, routers or Layer 3 switches are required.
• Flexible virtual workgroup creation. As users from the same workgroup can be assigned to the same
VLAN regardless of their physical locations, network construction and maintenance is much easier
and more flexible.

VLAN fundamentals
To enable a switch to identify frames of different VLANs, a VLAN tag field is inserted into the data link
layer encapsulation.
The format of VLAN-tagged frames is defined in IEEE 802.1Q issued by the Institute of Electrical and
Electronics Engineers (IEEE) in 1999.

1
In the header of a traditional Ethernet data frame, the field after the destination MAC address and the
source MAC address is the Type field indicating the upper layer protocol type, as shown in Figure 2.
Figure 2 Traditional Ethernet frame format

IEEE 802.1Q inserts a four-byte VLAN tag after the DA&SA field, as shown in Figure 3.
Figure 3 Position and format of VLAN tag

A VLAN tag comprises the following fields: tag protocol identifier (TPID), priority, canonical format
indicator (CFI), and VLAN ID.
• The 16-bit TPID field with a value of 0x8100 indicates that the frame is VLAN-tagged.
• The 3-bit priority field indicates the 802.1p priority of the frame. For more information about frame
priority, see ACL and QoS Configuration Guide.
• The 1-bit CFI field specifies whether the MAC addresses are encapsulated in the standard format
when packets are transmitted across different media. Value 0 indicates that MAC addresses are
encapsulated in the standard format; value 1 indicates that MAC addresses are encapsulated in a
non-standard format. The value of the filed is 0 by default.
• The 12-bit VLAN ID field identifies the VLAN the frame belongs to. The VLAN ID range is 0 to 4095.
As 0 and 4095 are reserved by the protocol, a VLAN ID actually ranges from 1 to 4094.
A switch handles an incoming frame depending on whether the frame is VLAN tagged and the value of
the VLAN tag, if any. For more information, see "Introduction to port-based VLANs."

NOTE:
• The Ethernet II encapsulation format is used here. Besides the Ethernet II encapsulation format, Ethernet
also supports other encapsulation formats, including 802.2 LLC, 802.2 SNAP, and 802.3 raw. The
VLAN tag fields are added to frames encapsulated in these formats for VLAN identification.
• When a frame carrying multiple VLAN tags passes through, the switch processes the frame according
to its outer VLAN tag and transmits its inner tags as payload.

Types of VLAN
You can implement VLAN based on the following criteria:
• Port
• MAC address
• Protocol
• IP subnet

2
Protocols and standards
• IEEE 802.1Q, IEEE Standards for Local and Metropolitan Area Networks: Virtual Bridged Local
Area Networks

Configuring basic VLAN settings


Step Command Remarks
1. Enter system view. system-view N/A

Optional.
2. Create VLANs. vlan { vlan-id1 [ to vlan-id2 ] | all } You can use this command to
create multiple VLANs in bulk.

By default, only the default VLAN


(that is, VLAN 1) exists in the
system.
3. Enter VLAN view. vlan vlan-id
If the specified VLAN does not
exist, this command creates the
VLAN first.

Optional.
4. Configure a name for the By default, the name of a VLAN is
name text
VLAN. its VLAN ID, for example, VLAN
0001.

Optional.
5. Configure the description of
description text By default, VLAN ID is used, for
the current VLAN.
example, VLAN 0001.

NOTE:
As the default VLAN, VLAN 1 cannot be created or removed.

Configuring basic settings of a VLAN interface


IMPORTANT:
Before creating a VLAN interface for a VLAN, create the VLAN first.

VLAN interface overview


For hosts of different VLANs to communicate, you must use a router or Layer 3 switch to perform layer 3
forwarding. To achieve this, VLAN interfaces are used.
VLAN interfaces are virtual interfaces used for Layer 3 communication between different VLANs. They do
not exist as physical entities on switches. For each VLAN, you can create one VLAN interface. You can
assign the VLAN interface an IP address and specify it as the gateway of the VLAN to forward traffic
destined for an IP network segment different from that of the VLAN.

3
Configuration procedure
To configure basic settings of a VLAN interface:

Step Command Remarks


1. Enter system view. system-view N/A
2. Create a VLAN interface
interface vlan-interface If the VLAN interface already exists,
and enter VLAN interface
vlan-interface-id you enter its view directly.
view.
Optional.
3. Assign an IP address to the ip address ip-address { mask |
VLAN interface. mask-length } [ sub ] By default, no IP address is assigned to
any VLAN interface.

Optional.
4. Configure the description of By default, the VLAN interface name is
description text
the VLAN interface. used, for example, Vlan-interface1
Interface.

5. Set the MTU for the VLAN Optional.


mtu size
interface. The default setting is 1500 bytes.
6. Restore the default settings
default Optional.
for the VLAN interface.
Optional.
By default, a VLAN interface is in the
down state. After you bring up a VLAN
interface, the VLAN interface is up if
one or more ports in the VLAN is up,
and goes down if all ports in the VLAN
7. Bring up the VLAN interface. undo shutdown go down.
A VLAN interface shut down with the
shutdown command, however, will be
in the DOWN (Administratively) state
until you bring it up, regardless of how
the state of the ports in the VLAN
changes.

VLAN interface configuration example


Network requirements
As shown in Figure 4, PC A is assigned to VLAN 5. PC B is assigned to VLAN 10. The PCs belong to
different IP subnets and cannot communicate with each other.
Configure VLAN interfaces on Switch A and configure the PCs to enable Layer 3 communication
between the PCs.

4
Figure 4 Network diagram

Configuration procedure
1. Configure Switch A:
# Create VLAN 5 and assign GigabitEthernet 3/0/1 to it.
<SwitchA> system-view
[SwitchA] vlan 5
[SwitchA-vlan5] port gigabitethernet 3/0/1
# Create VLAN 10 and assign GigabitEthernet 3/0/2 to it.
[SwitchA-vlan5] vlan 10
[SwitchA-vlan10] port gigabitethernet 3/0/2
[SwitchA-vlan10] quit
# Create VLAN-interface 5 and configure its IP address as 192.168.0.10/24.
[SwitchA] interface vlan-interface 5
[SwitchA-Vlan-interface5] ip address 192.168.0.10 24
[SwitchA-Vlan-interface5] quit
# Create VLAN-interface 10 and configure its IP address as 192.168.1.20/24.
[SwitchA] interface vlan-interface 10
[SwitchA-Vlan-interface10] ip address 192.168.1.20 24
[SwitchA-Vlan-interface10] return
2. Configure the default gateway of PC A as 192.168.0.10.
3. Configure the default gateway of PC B as 192.168.1.20.

Verifying the configuration


1. The PCs can ping each other.
2. Display brief information about Layer 3 interfaces on Switch A to verify the configuration.
<SwitchA> display ip interface brief
*down: administratively down
(s): spoofing
Interface Physical Protocol IP Address Description
Vlan5 up up 192.168.0.10 Vlan-inte...
Vlan10 up up 192.168.1.20 Vlan-inte...

5
Configuring port-based VLANs
Introduction to port-based VLANs
Port-based VLANs group VLAN members by port. A port forwards traffic for a VLAN only after it is
assigned to the VLAN.

Port link type


You can configure the link type of a port as access, trunk, or hybrid. The link types use the following
VLAN tag handling methods:
• An access port belongs to only one VLAN and sends traffic untagged.
It is usually used to connect a terminal device unable to recognize VLAN tagged-packets or when
there is no need to separate different VLAN members. As shown in Figure 5, Device A is connected
to common PCs that cannot recognize VLAN tagged-packets, and you must configure Device A’s
ports that connect the PCs as access ports.
• A trunk port can carry multiple VLANs to receive and send traffic for them.
Except traffic of the port VLAN ID (PVID), traffic sent through a trunk port will be VLAN tagged.
Usually, ports connecting network devices are configured as trunk ports. As shown in Figure 5,
because Device A and Device B need to transmit packets of VLAN 2 and VLAN 3, you must
configure the ports connecting Device A and Device B as trunk ports, and assign them to VLAN 2
and VLAN 3.
• Like a trunk port, a hybrid port can carry multiple VLANs to receive and send traffic for them.
Unlike a trunk port, a hybrid port allows traffic of all VLANs to pass through untagged. Usually,
hybrid ports are configured to connect network devices whose support for VLAN tagged-packets
you are uncertain about. As shown in Figure 5, Device C connects a small-sized LAN in which
some PCs belong to VLAN 2 while some other PCs belong to VLAN 3. In this case, you must
configure Device B’s port connecting to Device C as a hybrid port that allows packets of VLAN 2
and VLAN 3 to pass through untagged.

6
Figure 5 Network diagram

PVID
By default, VLAN 1 is the PVID for all ports. You can configure the PVID for a port as required.
Use the following guidelines when you configure the PVID on a port:
• An access port can join only one VLAN. The VLAN to which the access port belongs is the PVID of
the port. The PVID of the access port changes along with the VLAN to which the port belongs.
• A trunk or hybrid port can join multiple VLANs, and you can configure a PVID for the port.
• You can use a nonexistent VLAN as the PVID for a hybrid or trunk port but not for an access port.
After you remove the VLAN that an access port resides in with the undo vlan command, the PVID
of the port changes to VLAN 1. The removal of the VLAN specified as the PVID of a trunk or hybrid
port, however, does not affect the PVID setting on the port.
• HP recommends that you set the same PVID on local and remote ports.
• Make sure a port is assigned to its PVID. Otherwise, when receiving frames tagged with the PVID
or untagged frames (including protocol packets such as MSTP BPDUs), the port filters out these
frames.
• The following table shows how ports of different link types handle frames:

Actions (in the inbound direction) Actions (in the outbound


Port type
Untagged frame Tagged frame direction)
• Receive the frame if its
VLAN ID is the same as
Tag the frame with the the PVID. Remove the PVID and send the
Access
PVID. • Drop the frame if its VLAN frame.
ID is different from the
PVID.

7
Actions (in the inbound direction) Actions (in the outbound
Port type
Untagged frame Tagged frame direction)
• Remove the tag and send the
frame if the frame carries the
PVID and the port is assigned
to the PVID.
Trunk
Check whether the • Send the frame without
PVID is permitted on the • Receive the frame if its removing the tag if its VLAN
port: VLAN is carried on the is carried on the port but is
• If yes, tag the frame port. different from the default one.
with the PVID. • Drop the frame if its VLAN Send the frame if its VLAN is
• If not, drop the is not carried on the port. carried on the port. The frame is
frame. sent with the VLAN tag removed
Hybrid or intact depending on your
configuration with the port
hybrid vlan command. This is
true of the PVID.

Assigning an access port to a VLAN


IMPORTANT:
• Before assigning an access port to a VLAN, create the VLAN first.
• In VLAN view, you can assign only Layer 2 Ethernet ports to the current VLAN.

You can assign an access port to a VLAN in VLAN view, Ethernet interface view, Layer 2 aggregate
interface view, or port group view.
To assign one or multiple access ports to a VLAN in VLAN view:

Step Command Remarks


1. Enter system view. system-view N/A

If the specified VLAN does not exist, this


2. Enter VLAN view. vlan vlan-id
command creates the VLAN first.
3. Assign one or a group of
access ports to the current port interface-list By default, all ports belong to VLAN 1.
VLAN.

To assign an access port (in interface view) or multiple access ports (in port group view) to a VLAN:

Step Command Remarks


1. Enter system view. system-view N/A

8
Step Command Remarks
• Enter Ethernet interface view:
interface interface-type
interface-number
• Enter Layer 2 aggregate
2. Enter interface view or port group interface view:
N/A
view. interface bridge-aggregation
interface-number
• Enter port group view:
port-group manual
port-group-name
Optional.
3. Configure the link type of the port
port link-type access By default, the link type of a port
or ports as access.
is access.

Optional.
4. Assign the current access ports to
port access vlan vlan-id By default, all access ports
a VLAN.
belong to VLAN 1.

Assigning a trunk port to a VLAN


A trunk port can carry multiple VLANs. You can assign it to a VLAN in interface view or port group view.
To assign a trunk port to one or multiple VLANs:

Step Command Remarks


1. Enter system view. system-view N/A
• Enter Ethernet interface view:
interface interface-type
interface-number
• Enter Layer 2 aggregate interface
2. Enter interface view or port
view: N/A
group view.
interface bridge-aggregation
interface-number
• Enter port group view:
port-group manual port-group-name
By default, the link type of
a port is access.
3. Configure the link type of the To change the link type of
port link-type trunk
port or ports as trunk. a port from trunk to hybrid
or vice versa, you must set
the link type to access first.

4. Assign the trunk ports to the By default, a trunk port


port trunk permit vlan { vlan-id-list | all }
specified VLANs. carries only VLAN 1.

9
Step Command Remarks
Optional.
By default, the PVID is
VLAN 1.
After configuring the PVID
for a trunk port, you must
5. Configure the PVID of the trunk use the port trunk permit
port trunk pvid vlan vlan-id vlan command to
ports.
configure the trunk port to
allow packets from the
PVID to pass through, so
that the egress port can
forward packets from the
PVID.

Assigning a hybrid port to a VLAN


A hybrid port can carry multiple VLANs. You can assign it to a VLAN in interface view or port group
view.
To assign a hybrid port to one or multiple VLANs:

Step Command Remarks


1. Enter system view. system-view N/A
• Enter Ethernet interface view:
interface interface-type
interface-number
• Enter Layer 2 aggregate interface
2. Enter interface view or port
view: N/A
group view.
interface bridge-aggregation
interface-number
• Enter port group view:
port-group manual port-group-name
By default, the link type of
a port is access.
3. Configure the link type of the To change the link type of
port link-type hybrid
ports as hybrid. a port from trunk to hybrid
or vice versa, you must set
the link type to access first.

By default, a hybrid port


allows only packets of
VLAN 1 to pass through
4. Assign the hybrid ports to the port hybrid vlan vlan-id-list { tagged | untagged.
specified VLANs. untagged }
Before assigning a hybrid
port to a VLAN, create the
VLAN first.

10
Step Command Remarks
Optional.
By default, the PVID is
VLAN 1.
After configuring the PVID
for a hybrid port, you must
5. Configure the PVID of the hybrid use the port hybrid vlan
port hybrid pvid vlan vlan-id
port. command to configure the
hybrid port to allow
packets from the PVID to
pass through, so that the
egress port can forward
packets from the PVID.

Port-based VLAN configuration example


Network requirements
As shown in Figure 6, Host A and Host C belong to Department A, and access the enterprise network
through different switches. Host B and Host D belong to Department B. They also access the enterprise
network through different switches.
To ensure communication security and prevent broadcast storms, VLANs are configured in the enterprise
network to isolate Layer 2 traffic of different departments. VLAN 100 is assigned to Department A, and
VLAN 200 is assigned to Department B.
Make sure hosts within the same VLAN can communicate with each other, in other words, Host A can
communicate with Host C, and Host B can communicate with Host D.
Figure 6 Network diagram

Configuration procedure
1. Configure Device A:
# Create VLAN 100, and assign port GigabitEthernet 3/0/1 to VLAN 100.
<DeviceA> system-view
[DeviceA] vlan 100
[DeviceA-vlan100] port GigabitEthernet 3/0/1
[DeviceA-vlan100] quit
# Create VLAN 200, and assign port GigabitEthernet 3/0/2 to VLAN 200.
[DeviceA] vlan 200
[DeviceA-vlan200] port GigabitEthernet 3/0/2
[DeviceA-vlan200] quit

11
# Configure port GigabitEthernet 3/0/3 as a trunk port, and assign it to VLANs 100 and 200,
thus enabling GigabitEthernet 3/0/3 to forward traffic of VLANs 100 and 200 to Device B.
[DeviceA] interface gigabitethernet 3/0/3
[DeviceA-GigabitEthernet3/0/3] port link-type trunk
[DeviceA-GigabitEthernet3/0/3] port trunk permit vlan 100 200
Please wait... Done.
2. Configure Device B as you configure Device A.
3. Configure Host A and Host C to be on the same network segment, 192.168.100.0/24 for
example. Configure Host B and Host D to be on the same network segment, 192.168.200.0/24
for example

Verifying the configuration


1. Host A and Host C can ping each other successfully, but they both fail to ping Host B. Host B and
Host D can ping each other successfully, but they both fail to ping Host A.
2. Check whether the configuration is successful by displaying relevant VLAN information.
# Display information about VLANs 100 and 200 on Device A:
[DeviceA-GigabitEthernet3/0/3] display vlan 100
VLAN ID: 100
VLAN Type: static
Route Interface: not configured
Description: VLAN 0100
Name: VLAN 0100
Broadcast MAX-ratio: 100%
Tagged Ports:
GigabitEthernet3/0/3
Untagged Ports:
GigabitEthernet3/0/1
[DeviceA-GigabitEthernet3/0/3] display vlan 200
VLAN ID: 200
VLAN Type: static
Route Interface: not configured
Description: VLAN 0200
Name: VLAN 0200
Broadcast MAX-ratio: 100%
Tagged Ports:
GigabitEthernet3/0/3
Untagged Ports:
GigabitEthernet3/0/2

Configuring MAC-based VLANs


Introduction to MAC-based VLAN
The MAC-based VLAN feature assigns hosts to a VLAN based on their MAC addresses. This feature is
mostly used in conjunction with security technologies such as 802.1X to provide secure, flexible network
access for terminal devices.

12
Static MAC-based VLAN assignment
Static MAC-based VLAN assignment applies to networks containing a small number of VLAN users. In
such a network, you can create a MAC address-to-VLAN map containing multiple MAC
address-to-VLAN entries on a port, enable the MAC-based VLAN feature on the port, and assign the port
to MAC-based VLANs.
With static MAC-based VLAN assignment configured on a port, the device processes received frames by
using the following guidelines:
• When the port receives an untagged frame, the device looks up the MAC address-to-VLAN map
based on the source MAC address of the frame for a match.
{ The device first performs a fuzzy match. In the fuzzy match, the device searches the MAC
address-to-VLAN entries whose masks are not all-Fs and performs a logical AND operation on
the source MAC address and each mask. If the result of an AND operation matches the
corresponding MAC address, the device tags the frame with the corresponding VLAN ID.
{ If the fuzzy match fails, the device performs an exact match. In the exact match, the device
searches the MAC address-to-VLAN entries whose masks are all-Fs. If the MAC address of a
MAC address-to-VLAN entry matches the source MAC address of the untagged frame, the
device tags the frame with the corresponding VLAN ID.
{ If no match is found, the device assigns a VLAN to the frame by using other criteria, such as IP
subnet or protocol, and forwards the frame.
{ If no VLAN is available, the device tags the frame with the PVID of the receiving port and
forwards the frame.
• When the port receives a tagged frame, the port forwards the frame if the VLAN ID of the frame is
permitted by the port, or otherwise drops the frame.

Dynamic MAC-based VLAN


You can use dynamic MAC-based VLAN with access authentication (such as 802.1X authentication
based on MAC addresses) to implement secure, flexible terminal access. After configuring dynamic
MAC-based VLAN on the device, you must configure the username-to-VLAN entries on the access
authentication server.
When a user passes authentication of the access authentication server, the device obtains VLAN
information from the server, generates a MAC address-to-VLAN entry by using the source MAC address
of the user packet and the VLAN information, and assigns the port to the MAC-based VLAN. When the
user goes offline, the device automatically deletes the MAC address-to-VLAN entry, and removes the port
from the MAC-based VLAN.
For more information about 802.1X, MAC, and portal authentication, see Security Configuration Guide.

Configuration procedure
IMPORTANT:
• MAC-based VLANs are available only on hybrid ports.
• Because MAC-based dynamic port assignment is mainly configured on the downlink ports of the user
access devices, do not enable this function together with link aggregation.

To configure static MAC-based VLAN assignment:

13
Step Command Remarks
1. Enter system view. system-view N/A

The priority keyword can be


configured but does not take effect.
2. Associate MAC addresses mac-vlan mac-address mac-address
Packets are always forwarded
with a VLAN. vlan vlan-id [ priority priority ]
according to the default priority of the
port.
• Enter Ethernet interface view:
interface interface-type
3. Enter interface view or port interface-number
N/A
group view. • Enter port group view:
port-group manual
port-group-name
4. Configure the link type of By default, the link type of a port is
port link-type hybrid
the ports as hybrid. access.
5. Configure the current
hybrid ports to permit By default, a hybrid port only permits
port hybrid vlan vlan-id-list { tagged
packets from specific the packets of VLAN 1 to pass
| untagged }
MAC-based VLANs to through.
pass through.
6. Enable MAC-based By default, MAC-based VLAN is
mac-vlan enable
VLAN. disabled.

To configure dynamic MAC-based VLAN:

Step Command Remarks


1. Enter system view. system-view N/A
• Enter Ethernet interface view:
interface interface-type
2. Enter interface view or port interface-number
N/A
group view. • Enter port group view:
port-group manual
port-group-name
3. Configure the link type of By default, the link type of a port is
port link-type hybrid
the ports as hybrid. access.
4. Configure the hybrid ports to
By default, a hybrid port only permits
permit packets from specific port hybrid vlan vlan-id-list
the packets of VLAN 1 to pass
MAC-based VLANs to pass { tagged | untagged }
through.
through.
By default, MAC-based VLAN is
5. Enable MAC-based VLAN. mac-vlan enable
disabled.
6. Configure
For more information, see Security
802.1X/MAC/portal N/A
Command Reference.
authentication.

14
MAC-based VLAN configuration example
Network requirements
As shown in Figure 7:
• GigabitEthernet 3/0/1 of Device A and Device C are each connected to a meeting room. Laptop
1 and Laptop 2 are used for meeting and may be used in any of the two meeting rooms.
• Laptop 1 and Laptop 2 are owned by different departments. The two departments use VLAN 100
and VLAN 200, respectively.
• The MAC address of Laptop 1 is 000d-88f8-4e71, and that of Laptop 2 is 0014-222c-aa69.
Configure MAC-based VLANs, so that each laptop can access only its own department server no matter
which meeting room it is used in.
Figure 7 Network diagram

Configuration consideration
• Create VLANs 100 and 200.
• Configure the uplink ports of Device A and Device C as trunk ports, and assign them to VLANs 100
and 200.
• Configure the downlink ports of Device B as trunk ports, and assign them to VLANs 100 and 200.
Assign the uplink ports of Device B to VLANs 100 and 200.
• Associate the MAC address of Laptop 1 with VLAN 100, and the MAC address of Laptop 2 with
VLAN 200.

Configuration procedure
1. Configure Device A:
# Create VLANs 100 and 200.
<DeviceA> system-view
[DeviceA] vlan 100
[DeviceA-vlan100] quit

15
[DeviceA] vlan 200
[DeviceA-vlan200] quit
# Associate the MAC address of Laptop 1 with VLAN 100, and the MAC address of Laptop 2 with
VLAN 200.
[DeviceA] mac-vlan mac-address 000d-88f8-4e71 vlan 100
[DeviceA] mac-vlan mac-address 0014-222c-aa69 vlan 200
# Configure Laptop 1 and Laptop 2 to access the network through GigabitEthernet 3/0/1:
Configure GigabitEthernet 3/0/1 as a hybrid port that sends packets of VLANs 100 and 200
untagged, and enable MAC-based VLAN on it.
[DeviceA] interface gigabitethernet 3/0/1
[DeviceA-GigabitEthernet3/0/1] port link-type hybrid
[DeviceA-GigabitEthernet3/0/1] port hybrid vlan 100 200 untagged
Please wait... Done.
[DeviceA-GigabitEthernet3/0/1] mac-vlan enable
[DeviceA-GigabitEthernet3/0/1] quit
# Configure the uplink port GigabitEthernet 3/0/2 as a trunk port, and assign it to VLANs 100
and 200. so that the laptops can access Server 1 and Server 2.
[DeviceA] interface gigabitethernet 3/0/2
[DeviceA-GigabitEthernet3/0/2] port link-type trunk
[DeviceA-GigabitEthernet3/0/2] port trunk permit vlan 100 200
[DeviceA-GigabitEthernet3/0/2] quit
2. Configure Device B:
# Create VLANs 100 and 200. Assign GigabitEthernet 3/0/13 to VLAN 100, and
GigabitEthernet 3/0/14 to VLAN 200.
<DeviceB> system-view
[DeviceB] vlan 100
[DeviceB-vlan100] port GigabitEthernet 3/0/13
[DeviceB-vlan100] quit
[DeviceB] vlan 200
[DeviceB-vlan200] port GigabitEthernet 3/0/14
[DeviceB-vlan200] quit
# Configure GigabitEthernet 3/0/3 and GigabitEthernet 3/0/4 as trunk ports, and assign them
to VLANs 100 and 200.
[DeviceB] interface gigabitethernet 3/0/3
[DeviceB-GigabitEthernet3/0/3] port link-type trunk
[DeviceB-GigabitEthernet3/0/3] port trunk permit vlan 100 200
[DeviceB-GigabitEthernet3/0/3] quit
[DeviceB] interface gigabitethernet 3/0/4
[DeviceB-GigabitEthernet3/0/4] port link-type trunk
[DeviceB-GigabitEthernet3/0/4] port trunk permit vlan 100 200
[DeviceB-GigabitEthernet3/0/4] quit
3. Configure Device C as you configure Device A.

Verifying the configuration


1. Laptop 1 can access Server 1 only, and Laptop 2 can access Server 2 only.
2. On Device A and Device C, you can see that VLAN 100 is associated with the MAC address of
Laptop 1, and VLAN 200 is associated with the MAC address of Laptop 2.

16
[DeviceA] display mac-vlan all
The following MAC VLAN addresses exist:
S:Static D:Dynamic
MAC ADDR MASK VLAN ID PRIO STATE
--------------------------------------------------------
000d-88f8-4e71 ffff-ffff-ffff 100 0 S
0014-222c-aa69 ffff-ffff-ffff 200 0 S

Total MAC VLAN address count:2

Configuration guidelines
1. MAC-based VLAN can be configured only on hybrid ports.
2. MAC-based VLAN is typically configured on the downlink ports of access layer switches, and
hence cannot be configured together with the link aggregation function.

Configuring protocol-based VLANs


Introduction to protocol-based VLAN
Protocol-based VLAN configuration applies to hybrid ports only. In this approach, inbound packets are
assigned to different VLANs based on their protocol types and encapsulation formats. The protocols that
can be used for VLAN assignment include IP, IPX, and AppleTalk (AT). The encapsulation formats include
Ethernet II, 802.3 raw, 802.2 LLC, and 802.2 SNAP.
A protocol type and an encapsulation format comprise a protocol template. You can create multiple
protocol templates for a protocol-based VLAN, and different protocol templates are assigned different
protocol-index values. Therefore, a protocol template can be uniquely identified by a protocol-based
VLAN ID and a protocol index combined. When you use commands to associate protocol templates with
ports, use protocol-based vlan-id + protocol index to specify the protocol templates. An untagged packet
reaching a port associated with protocol templates will be processed as follows.
• If the protocol type and encapsulation format carried in the packet matches a protocol template, the
packet will be tagged with the VLAN tag corresponding to the protocol template.
• If the packet matches no protocol templates, the packet will be tagged with the PVID of the port.
The port processes a tagged packet as it processes tagged packets of a port-based VLAN.
• If the port is assigned to the VLAN corresponding to the VLAN tag carried in the packet, it forwards
the packet.
• If not, it drops the packet.
This feature is mainly used to assign packets of the specific service type to a specific VLAN.

Configuration procedure
To configure a protocol-based VLAN:

Step Command Remarks


1. Enter system view. system-view N/A

17
Step Command Remarks
If the specified VLAN does not
2. Enter VLAN view. vlan vlan-id exist, this command creates the
VLAN first.

protocol-vlan [ protocol-index ] { at
| ipv4 | ipv6 | ipx { ethernetii | llc
3. Create a protocol template for the | raw | snap } | mode { ethernetii By default, no protocol template
VLAN. etype etype-id | llc { dsap dsap-id exists.
[ ssap ssap-id ] | ssap ssap-id } |
snap etype etype-id } }

4. Exit VLAN view. quit N/A

Use any command.


• In Ethernet interface view,
• Enter Ethernet interface view: the subsequent
interface interface-type configurations apply to the
interface-number current port.

• Enter Layer 2 aggregate • In port group view, the


5. Enter interface view or port group interface view: subsequent configurations
view. interface bridge-aggregation apply to all ports in the port
interface-number group.

• Enter port group view: • In Layer 2 aggregate


port-group manual interface view, the
port-group-name subsequent configurations
apply to the Layer 2
aggregate interface and all
its member ports.
6. Configure the port link type as
port link-type hybrid N/A
hybrid.
7. Configure current hybrid ports to
By default, all hybrid ports
permit the packets of the specified port hybrid vlan vlan-id-list
permit packets of VLAN 1 to
protocol-based VLANs to pass { tagged | untagged }
pass through only.
through.
8. Associate the hybrid ports with port hybrid protocol-vlan vlan
the specified protocol-based vlan-id { protocol-index [ to N/A
VLAN. protocol-end ] | all }

Protocol-based VLAN configuration example


Network requirements
In a lab environment as shown in Figure 8, most hosts run the IPv4 protocol, while the rest of the hosts run
the IPv6 protocol for teaching purpose. To avoid interference, isolate IPv4 traffic and IPv6 traffic at Layer
2.

18
Figure 8 Network diagram

Configuration consideration
Create VLANs 100 and 200. Associate VLAN 100 with IPv4, and VLAN 200 with IPv6. Configure
protocol-based VLANs to isolate IPv4 traffic and IPv6 traffic at Layer 2.

Configuration procedure
1. Configure Device:
# Create VLAN 100, and assign port GigabitEthernet 3/0/11 to VLAN 100.
<Device> system-view
[Device] vlan 100
[Device-vlan100] description protocol VLAN for IPv4
[Device-vlan100] port GigabitEthernet 3/0/11
# Create VLAN 200, and assign port GigabitEthernet 3/0/12 to VLAN 200.
[Device-vlan100] quit
[Device] vlan 200
[Device-vlan200] description protocol VLAN for IPv6
[Device-vlan200] port GigabitEthernet 3/0/12
# Create an IPv6 protocol template in the view of VLAN 200, and an IPv4 protocol template in the
view of VLAN 100.
[Device-vlan200] protocol-vlan 1 ipv6
[Device-vlan200] quit
[Device] vlan 100
[Device-vlan100] protocol-vlan 1 ipv4
[Device-vlan100] quit
# Configure port GigabitEthernet 3/0/1 as a hybrid port that forwards packets of VLANs 100
and 200 untagged.
[Device] interface gigabitethernet 3/0/1
[Device-GigabitEthernet3/0/1] port link-type hybrid

19
[Device-GigabitEthernet3/0/1] port hybrid vlan 100 200 untagged
Please wait... Done.
# Associate port GigabitEthernet 3/0/1 with the IPv4 protocol template of VLAN 100, and the
IPv6 protocol template of VLAN 200.
[Device-GigabitEthernet3/0/1] port hybrid protocol-vlan vlan 100 1
[Device-GigabitEthernet3/0/1] port hybrid protocol-vlan vlan 200 1
[Device-GigabitEthernet3/0/1] quit
# Configure GigabitEthernet 3/0/2 as a hybrid port that forwards packets of VLANs 100 and
200 untagged, and associate GigabitEthernet 3/0/2 with the IPv4 protocol template of VLAN
100, and the IPv6 protocol template of VLAN 200.
[Device] interface gigabitethernet 3/0/2
[Device-GigabitEthernet3/0/2] port link-type hybrid
[Device-GigabitEthernet3/0/2] port hybrid vlan 100 200 untagged
Please wait... Done.
[Device-GigabitEthernet3/0/2] port hybrid protocol-vlan vlan 100 1
[Device-GigabitEthernet3/0/2] port hybrid protocol-vlan vlan 200 1
2. Keep the default settings of L2 Switch A and L2 Switch B.
3. Configure IPv4 Host A, IPv4 Host B, and IPv4 Server to be on the same network segment,
192.168.100.0/24 for example, and configure IPv6 Host A, IPv6 Host B, and IPv6 Server to be
on the same network segment, 2001::1/64 for example.

Verifying the configuration


1. The hosts and the server in VLAN 100 can ping one another successfully. The hosts and the server
in VLAN 200 can ping one another successfully. The hosts/server in VLAN 100 cannot ping the
hosts/server in VLAN 200, and vice versa.
2. Display protocol-based VLAN information on Device to check whether the configurations have
become valid.
# Display protocol-based VLAN configuration on Device.
[Device-GigabitEthernet3/0/2] display protocol-vlan vlan all
VLAN ID:100
Protocol Index Protocol Type
======================================================
1 ipv4
VLAN ID:200
Protocol Index Protocol Type
======================================================
1 ipv6
# Display protocol-based VLAN information on the ports of Device.
[Device-GigabitEthernet3/0/2] display protocol-vlan interface all
Interface: GigabitEthernet 3/0/1
VLAN ID Protocol Index Protocol Type
======================================================
100 1 ipv4
200 1 ipv6
Interface: GigabitEthernet 3/0/2
VLAN ID Protocol Index Protocol Type
======================================================
100 1 ipv4

20
200 1 ipv6

Configuration guidelines
Protocol-based VLAN configuration applies to hybrid ports only.

Configuring IP subnet-based VLANs


Introduction to IP subnet-based VLAN
In this approach, packets are assigned to VLANs based on their source IP addresses and subnet masks.
A port configured with IP subnet-based VLANs assigns an incoming untagged packet to a VLAN based
on the source IP address of the packet.
This feature is used to assign packets from the specified network segment or IP address to a specific VLAN,
and is implemented through ACLs and QoS policies. For more information about ACLs and QoS policies,
see ACL and QoS Configuration Guide.

Configuration procedure
To configure an IP subnet-based VLAN:

Step Command Remarks


1. Enter system view. system-view N/A

If the specified VLAN does


2. Enter VLAN view. vlan vlan-id not exist, this command
creates the VLAN first.

3. Return to system view. quit N/A


• Enter Ethernet interface view:
4. Enter interface view or interface interface-type interface-number
N/A
port group view. • Enter port group view:
port-group manual port-group-name
5. Configure the link type By default, the link type of
port link-type hybrid
as hybrid. a port is access.

6. Configure the hybrid port By default, a hybrid port


or ports to permit the allows only packets from
port hybrid vlan vlan-id-list { tagged | untagged }
specified IP subnet-based VLAN 1 to pass through
VLANs to pass through. untagged.

Optional.
7. Configure the PVID of the
port hybrid pvid vlan vlan-id By default, the PVID of a
hybrid port or ports.
hybrid port is VLAN 1.

8. Return to system view. quit N/A

Only IPv4 basic ACLs


9. Create an IPv4 basic or (numbering 2000 to
acl number acl-number [ name acl-name ]
advanced ACL and enter 2999) and IPv4 advanced
[ match-order { auto | config } ]
its view. ACLs (numbering 3000 to
3999) are supported.

21
Step Command Remarks

• Create an IPv4 basic ACL rule:


rule [ rule-id ] { deny | permit } [ fragment |
logging | counting | source { sour-addr
sour-wildcard | any } | time-range
time-range-name | vpn-instance
vpn-instance-name ]
Use either command.
• Create an IPv4 advanced ACL rule:
rule [ rule-id ] { deny | permit } protocol You must configure at
[ { { ack ack-value | fin fin-value | psh least the source IPv4
10. Create an IPv4 ACL rule
psh-value | rst rst-value | syn syn-value | urg address and subnet mask.
to match a specific IP
subnet. urg-value } * | established } | destination For more information
{ dest-addr dest-wildcard | any } | about the rule command,
destination-port operator port1 [ port2 ] | see ACL and QoS
dscp dscp | fragment | icmp-type Command Reference.
{ icmp-type icmp-code | icmp-message } |
logging | counting | precedence precedence
| source { sour-addr sour-wildcard | any } |
source-port operator port1 [ port2 ] |
time-range time-range-name | tos tos |
vpn-instance vpn-instance-name ] *

11. Return to system view. quit N/A

By default, the operator of


12. Create a class. traffic classifier tcl-name [ operator { and | or } ]
a class is AND.
13. Use the IPv4 basic or
advanced ACL as the
if-match acl { acl-number | name acl-name } N/A
match criteria of the
class.
For more information
about the if-match
14. Configure the class to
if-match protocol arp command, see ACL and
match ARP packets.
QoS Command
Reference.

15. Return to system view. quit N/A

16. Create a class. traffic classifier tcl-name [ operator { and | or } ] N/A


17. Use the IPv4 basic or
advanced ACL as the
if-match acl {acl-number | name acl-name } N/A
match criteria of the
class.
18. Return to system view. quit N/A

19. Create a traffic behavior. traffic behavior behavior-name N/A


20. Configure the traffic
behavior to mark
remark service-vlan-id vlan-id-value N/A
matching packets with a
specific VLAN.
21. Return to system view. quit N/A
22. Create a policy and
qos policy policy-name N/A
enter policy view.

22
Step Command Remarks
23. Associate the classes
with the traffic behavior
in the policy to transmit
ARP packets and IPv4 classifier tcl-name behavior behavior-name N/A
packets from the
specified subnet in the
specified VLAN.
24. Return to system view. quit N/A
• (Approach 1) Apply the policy to an interface
or multiple interfaces:
a. Enter interface or port group view:
Enter Ethernet interface view:
interface interface-type
interface-number
Use any approach.
OR:
Enter port group view: To apply the policy to a
port-group manual port-group-name Layer 2 aggregate
25. Apply the QoS policy. interface, you must apply
b. qos apply policy policy-name { inbound
| outbound } the policy to every
member port of the Layer
• (Approach 2) Apply the policy to the
2 aggregate interface.
specified VLANs:
qos vlan-policy policy-name vlan vlan-id-list
{ inbound | outbound }
• (Approach 3) Apply the policy globally:
qos apply policy policy-name global
{ inbound | outbound }

IP subnet-based VLAN configuration example


Network requirements
As shown in Figure 9, PC A and PC B in a lab are located on different IP subnets. PC A and PC B are
connected to Switch through L2 Switch. Configure Switch to assign different VLANs and gateways to the
PCs by IP subnet.
Figure 9 Network diagram

23
Configuration considerations
To satisfy the requirements, you can configure IP subnet-based VLANs.
• Create VLAN 10 and VLAN 20.
• Assign users on subnet 1.1.1.0/24 to VLAN 10, and users on 2.1.1.0/24 to VLAN 20.

Configuration procedure
1. Configure Switch:
# Create VLAN-interface 10 and VLAN-interface 20. (Details not shown.)
# Configure port GigabitEthernet 3/0/1 as a hybrid port to permit packets from VLANs 1, 10,
and 20 to pass through untagged, and configure the PVID of the port as 1.
[Switch] interface GigabitEthernet 3/0/1
[Switch-GigabitEthernet3/0/1] port link-type hybrid
[Switch-GigabitEthernet3/0/1] port hybrid vlan 10 20 1 untagged
Please wait... Done.
[Switch-GigabitEthernet3/0/1] port hybrid pvid vlan 1
# Configure ACL 3000 to permit packets from subnet 1.1.1.0/24 to pass through, and ACL 3001
to permit packets from subnet 2.1.1.0/24 to pass through.
[Switch] acl number 3000
[Switch-acl-adv-3000] rule 0 permit ip source 1.1.1.0 0.0.0.255
[Switch-acl-adv-3000] quit
[Switch] acl number 3001
[Switch-acl-adv-3001] rule 0 permit ip source 2.1.1.0 0.0.0.255
[Switch-acl-adv-3001] quit
# Configure a QoS policy named test to transmit ARP and IPv4 packets from subnet 1.1.1.0/24
through VLAN 10 and transmit ARP and IPv4 packets from subnet 2.1.1.0/24 through VLAN 20.
[Switch] traffic classifier 1
[Switch-classifier-1] if-match acl 3000
[Switch-classifier-1] quit
[Switch] traffic classifier 2
[Switch-classifier-2] if-match acl 3000
[Switch-classifier-2] if-match protocol arp
[Switch-classifier-2] quit
[Switch] traffic classifier 3
[Switch-classifier-3] if-match acl 3001
[Switch-classifier-3] quit
[Switch] traffic classifier 4
[Switch-classifier-4] if-match acl 3001
[Switch-classifier-4] if-match protocol arp
[Switch-classifier-4] quit
[Switch] traffic behavior 1
[Switch-behavior-1] remark service-vlan-id 10
[Switch-behavior-1] quit
[Switch] traffic behavior 2
[Switch-behavior-2] remark service-vlan-id 20
[Switch-behavior-2] quit
[Switch] qos policy test
[Switch-qospolicy-test] classifier 1 behavior 1

24
[Switch-qospolicy-test] classifier 2 behavior 1
[Switch-qospolicy-test] classifier 3 behavior 2
[Switch-qospolicy-test] classifier 4 behavior 2
[Switch-qospolicy-test] quit
# Apply the QoS policy to the incoming packets of port GigabitEthernet 3/0/1.
[Switch] interface GigabitEthernet 3/0/1
[Switch-GigabitEthernet3/0/1] qos apply policy test inbound

Verifying the configuration


Ping the gateway (IP address of VLAN-interface 10, for example, 1.1.1.1) from PC A, and the gateway (IP
address of VLAN-interface 20, for example, 2.1.1.1) from PC B.
The ping operations succeed.
Log in to Switch and display ARP entries.
[Switch] display arp
Type: S-Static D-Dynamic A-Authorized
IP Address MAC Address VLAN ID Interface Aging Type
1.1.1.100 0000-0000-0001 10 GE3/0/1 N/A D
2.1.1.100 0000-0000-0002 20 GE3/0/1 N/A D

Configuration precautions
IP subnet-based VLANs are only effective on hybrid ports.

Displaying and maintaining VLAN


Task Command Remarks
display vlan [ vlan-id1 [ to vlan-id2 ] | all |
Display VLAN information. dynamic | reserved | static ] [ | { begin | Available in any view.
exclude | include } regular-expression ]

display interface [ vlan-interface ] [ brief


[ down ] ] [ | { begin | exclude | include }
Display VLAN interface regular-expression ]
Available in any view.
information. display interface vlan-interface
vlan-interface-id [ brief ] [ | { begin | exclude |
include } regular-expression ]

Display hybrid ports or trunk ports display port { hybrid | trunk } [ | { begin |
Available in any view.
on the switch. exclude | include } regular-expression ]

display mac-vlan { all | dynamic |


Display MAC address-to-VLAN mac-address mac-address | static | vlan
Available in any view.
entries. vlan-id } [ | { begin | exclude | include }
regular-expression ]

Display all ports with MAC-based display mac-vlan interface [ | { begin |


Available in any view.
VLAN enabled. exclude | include } regular-expression ]

Display protocol information and display protocol-vlan vlan { vlan-id [ to


protocol indexes of the specified vlan-id ] | all } [ | { begin | exclude | include } Available in any view.
VLANs. regular-expression ]

25
Task Command Remarks
display protocol-vlan interface { interface-type
Display protocol-based VLAN interface-number [ to interface-type
Available in any view.
information on specified ports. interface-number ] | all } [ | { begin | exclude
| include } regular-expression ]

reset counters interface vlan-interface


Clear statistics on a port. Available in user view.
[ vlan-interface-id ]

26
Configuring the super VLAN

Overview
Super VLAN, also called VLAN aggregation, was introduced to save IP address space.
A super VLAN is associated with multiple sub-VLANs. You can create a VLAN interface for a super VLAN
and assign an IP address to the VLAN interface. However, you cannot create a VLAN interface for a
sub-VLAN. You cannot assign a physical port to a super VLAN, but you can assign a physical port to a
sub-VLAN. All ports of a sub-VLAN use the VLAN interface IP address of the associated super VLAN.
Packets cannot be forwarded between sub-VLANs at Layer 2.
To enable Layer 3 communication between sub-VLANs, you should configure the VLAN interface IP
address of the associated super VLAN as the gateway IP address. This enables multiple sub-VLANs to
share the same gateway address, which saves IP address resources.
After creating a super VLAN and the VLAN interface, enable local proxy Address Resolution Protocol
(ARP) on the switch. The super VLAN can use local proxy ARP to forward and process ARP requests and
responses and to provide Layer 3 communication between sub-VLANs. For more information about local
proxy ARP, see Layer 3—IP Services Configuration Guide.

Configuration procedure
To configure a super VLAN, complete the following tasks:
1. Configure sub-VLANs.
2. Configure a super VLAN, and associate the super VLAN with the sub-VLANs configured earlier.
3. Configure a VLAN interface for the super VLAN. The VLAN interface enables communication
among hosts and sub-VLANs.

Configuring sub-VLANs

Step Command Remarks


1. Enter system view. system-view N/A

If the specified VLAN already


2. Create a sub-VLAN and enter
vlan vlan-id exists, this command enters VLAN
VLAN view.
view only.

Configuring a super VLAN


When you configure a super VLAN, follow these guidelines:
• Do not configure a VLAN as a super VLAN and a sub-VLAN at the same time.
• To make Layer 2 multicast take effect on a sub-VLAN, you must enable Layer 2 multicast on the
sub-VLAN and the associated super VLAN at the same time.
• A super VLAN supports Layer 3 multicast. When the multicast source is in a sub-VLAN associated
with the super VLAN, the multicast source can forward multicast streams to the multicast receivers in
the sub-VLAN and forward multicast streams to other Layer 3 interfaces, but the multicast source

27
cannot forward multicast streams to any other sub-VLAN (regardless of whether the sub-VLAN is
associated with the super VLAN). For the multicast source in a sub-VLAN to correctly forward
multicast streams, the sub-VLAN where the multicast source resides must have learned the ARP
entries of the multicast source.
• The multicast streams entering through a Layer 3 interface (except the VLAN interface of the super
VLAN) cannot be forwarded to the receivers in the super VLAN.
• The IPv4 Layer 3 multicast feature of a super VLAN is mutually exclusive with the IPv4 Layer 2
multicast feature of a super VLAN or sub-VLAN. The IPv6 Layer 3 multicast feature of a super VLAN
is mutually exclusive with the IPv6 Layer 2 multicast feature of a super VLAN or sub-VLAN.
• A super VLAN does not support BIDIR-PIM or multicast VPN.
To configure a super VLAN:

Step Command Remarks


1. Enter system view. system-view N/A

If the specified VLAN does not


exist, this command creates the
2. Enter VLAN view. vlan vlan-id
VLAN first, and then enters VLAN
view.

3. Configure the VLAN as a By default, a user-defined VLAN is


supervlan
super VLAN. not a super VLAN.

VLANs specified by vlan-list must


be the sub-VLANs configured
earlier.
Before associating the super VLAN
with the specified sub-VLANs,
4. Associate the super VLAN make sure that Layer 2 multicast
subvlan vlan-list features (including IGMP
with the specified sub-VLANs.
snooping, MLD snooping, PIM
snooping, and IPv6 PIM snooping)
are disabled for the sub-VLANs.
For more information about
multicast, see IP Multicast
Configuration Guide.

Configuring a VLAN interface for the super VLAN


When you create a VLAN interface for the super VLAN, follow these guidelines:
• You cannot configure a super VLAN as the guest VLAN for a port, and vice versa. For more
information about guest VLANs, see Security Configuration Guide.
• You can configure DHCP and dynamic routing for the VLAN interface of a super VLAN, but these
features cannot take effect.
• HP does not recommend configuring VRRP for the VLAN interface of a super VLAN, because it
affects network performance.
• You cannot create a VLAN interface for a sub-VLAN.
To configure a VLAN interface for the super VLAN:

Step Command Remarks


1. Enter system view. system-view N/A

28
Step Command Remarks
2. Create a VLAN interface, and interface vlan-interface The value of vlan-interface-id must
enter VLAN interface view. vlan-interface-id be the ID of the super VLAN.

By default, the IP address of a


VLAN interface is not configured.
3. Configure the IP address of ip address ip-address { mask |
the VLAN interface. mask-length } [ sub ] This step configures an IP address
for the VLAN interface
corresponding to the super VLAN.

By default, local proxy ARP is


disabled.
For more information about the
local proxy ARP function, see Layer
4. Enable local proxy ARP. local-proxy-arp enable 3—IP Services Configuration
Guide. For more information about
the local-proxy-arp enable
command, see Layer 3—IP
Services Command Reference.

Displaying and maintaining super VLAN


Task Command Remarks
display supervlan [ supervlan-id ] [ |
Display the mapping between a
{ begin | exclude | include } Available in any view.
super VLAN and its sub-VLANs.
regular-expression ]

Super VLAN configuration example


IMPORTANT:
By default, Ethernet interfaces, VLAN interfaces, and aggregate interfaces are in DOWN state. Before
configuring these interfaces, use the undo shutdown command to bring them up.

Network requirements
As shown in Figure 10:
• Create super VLAN 10, and configure its VLAN interface IP address as 10.0.0.1/24.
• Create the sub-VLANs VLAN 2, VLAN 3, and VLAN 5.
• Assign GigabitEthernet 3/0/1 and GigabitEthernet 3/0/2 to VLAN 2, GigabitEthernet 3/0/3
and GigabitEthernet 3/0/4 to VLAN 3, and GigabitEthernet 3/0/5 and GigabitEthernet 3/0/6
to VLAN 5.
• The sub-VLANs are isolated at Layer 2 but connected at Layer 3.

29
Figure 10 Network diagram

Configuration procedure
# Create VLAN 10, and configure its VLAN interface IP address as 10.0.0.1/24.
<Sysname> system-view
[Sysname] vlan 10
[Sysname-vlan10] interface vlan-interface 10
[Sysname-Vlan-interface10] ip address 10.0.0.1 255.255.255.0

# Enable local proxy ARP.


[Sysname-Vlan-interface10] local-proxy-arp enable
[Sysname-Vlan-interface10] quit

# Create VLAN 2, and assign ports GigabitEthernet 3/0/1 and GigabitEthernet 3/0/2 to it.
[Sysname] vlan 2
[Sysname-vlan2] port gigabitethernet 3/0/1 gigabitethernet 3/0/2

# Create VLAN 3, and assign ports GigabitEthernet 3/0/3 and GigabitEthernet 3/0/4 to it.
[Sysname-vlan2] quit
[Sysname] vlan 3
[Sysname-vlan3] port gigabitethernet 3/0/3 gigabitethernet 3/0/4

# Create VLAN 5, and assign ports GigabitEthernet 3/0/5 and GigabitEthernet 3/0/6 to it.
[Sysname-vlan3] quit
[Sysname] vlan 5
[Sysname-vlan5] port gigabitethernet 3/0/5 gigabitethernet 3/0/6

# Configure VLAN 10 as the super VLAN, and configure VLAN 2, VLAN 3, and VLAN 5 as its
sub-VLANs.
[Sysname-vlan5] quit
[Sysname] vlan 10
[Sysname-vlan10] supervlan
[Sysname-vlan10] subvlan 2 3 5
[Sysname-vlan10] quit
[Sysname] quit

Verifying the configuration


# Display information about super VLAN to verify the configuration above.
<Sysname> display supervlan

30
SuperVLAN ID : 10
SubVLAN ID : 2-3 5

VLAN ID: 10
VLAN Type: static
It is a Super VLAN.
Route Interface: configured
Ip Address: 10.0.0.1
Subnet Mask: 255.255.255.0
Description: VLAN 0010
Name: VLAN 0010
Tagged Ports: none
Untagged Ports: none

VLAN ID: 2
VLAN Type: static
It is a Sub VLAN.
Route Interface: configured
Ip Address: 10.0.0.1
Subnet Mask: 255.255.255.0
Description: VLAN 0002
Name: VLAN 0002
Tagged Ports: none
Untagged Ports:
GigabitEthernet3/0/1 GigabitEthernet3/0/2

VLAN ID: 3
VLAN Type: static
It is a Sub VLAN.
Route Interface: configured
Ip Address: 10.0.0.1
Subnet Mask: 255.255.255.0
Description: VLAN 0003
Name: VLAN 0003
Tagged Ports: none
Untagged Ports:
GigabitEthernet3/0/3 GigabitEthernet3/0/4

VLAN ID: 5
VLAN Type: static
It is a Sub VLAN.
Route Interface: configured
Ip Address: 10.0.0.1
Subnet Mask: 255.255.255.0
Description: VLAN 0005
Name: VLAN 0005
Tagged Ports: none
Untagged Ports:

31
GigabitEthernet3/0/5 GigabitEthernet3/0/6

32
Configuring the voice VLAN

Overview
As voice communication technologies grow more mature, voice devices are more and more widely
deployed, especially on broadband networks, where voice traffic and data traffic often co-exist. Usually,
compared to data traffic, voice traffic is given a higher transmission priority for the purpose of reducing
transmission delay and packet loss.
A voice VLAN is configured especially for voice traffic. After assigning the ports connecting to voice
devices to a voice VLAN, the system automatically configures quality of service (QoS) parameters for
voice traffic, thus improving the transmission priority of voice traffic and ensuring voice quality.
Common voice devices include IP phones and integrated access devices (IADs). Only IP phones are used
in the voice VLAN configuration examples in this chapter.

OUI addresses
A switch determines whether a received packet is a voice packet by checking its source MAC address.
A packet whose source MAC address complies with the voice device’s Organizationally Unique
Identifier (OUI) address is regarded as voice traffic.
In general, as the first 24 bits of a MAC address (in binary format), an OUI address is a globally unique
identifier assigned to a vendor by IEEE. OUI addresses mentioned in this chapter, however, are different
from those in common sense. OUI addresses in this chapter are used by the system to determine whether
a received packet is a voice packet. They are the results of the AND operation of the two arguments
mac-address and oui-mask in the voice vlan mac-address command.
You can configure the OUI addresses of a device in advance or use the default OUI addresses. You can
remove the default OUI address of a switch manually and then add new ones manually. Table 1 lists the
default OUI address for each vendor’s devices.
Table 1 The default OUI addresses of different vendors

Number OUI address Vendor


1 0001-e300-0000 Siemens phone

2 0003-6b00-0000 Cisco phone

3 0004-0d00-0000 Avaya phone

4 00d0-1e00-0000 Pingtel phone

5 0060-b900-0000 Philips/NEC phone

6 00e0-7500-0000 Polycom phone

7 00e0-bb00-0000 3Com phone

33
Voice VLAN assignment modes
Introduction to voice VLAN assignment modes
A port can be assigned to a voice VLAN in one of the following modes:
• In automatic mode, the system matches the source MAC address carried in the untagged packets
sent when an IP phone is powered on against the switch’s OUI addresses. If a match is found, the
switch automatically assigns the receiving port to the voice VLAN, issues ACL rules, and configures
the packet precedence. You can configure voice VLAN aging time on the switch. The switch
removes a port from the voice VLAN if no packet is received from the port during the aging time.
Assigning/removing ports to/from a voice VLAN are automatically performed by the switch. The
automatic mode is suitable for scenarios where PCs and IP phones connected in series access the
network through the switch and ports on the switch transmit both voice traffic and data traffic at the
same time, as shown in Figure 11. When the voice VLAN works normally, in case of a switch reboot,
the switch reassigns ports in automatic voice VLAN assignment mode to the voice VLAN after the
reboot, thus ensuring that existing voice connections can work normally. In this case, port
assignment to the voice VLAN is not triggered by voice traffic streams.
Figure 11 PCs and IP phones connected in series access the network

• In manual mode, you need to manually assign an IP phone accessing port to a voice VLAN. Then,
the switch matches the source MAC addresses carried in the packets against the switch’s OUI
addresses. If a match is found, the switch issues ACL rules and configures the packet precedence.
In this mode, assigning/removing ports to/from a voice VLAN are performed manually. The
manual mode is suitable for scenarios where only IP phones access the network through the switch
and ports on the switch only transmit voice traffic, as shown in Figure 12. In this mode, ports
assigned to a voice VLAN transmit voice traffic exclusively, which prevents the impact of data traffic
on the transmission of voice traffic.
Figure 12 Only IP phones access the network

Both modes forward tagged packets according to their tags.

Required configurations on ports of different links types for supporting tagged or untagged voice traffic

34
CAUTION:
• If an IP phone sends tagged voice traffic and its accessing port is configured with 802.1X authentication
and guest VLAN, you should assign different VLAN IDs for the voice VLAN, the PVID of the connecting
port, and the 802.1X guest VLAN.
• If an IP phone sends untagged voice traffic, to implement the voice VLAN feature, you must configure the
PVID of the IP phone’s accessing port as the voice VLAN. In this case, the 802.1X authentication function
cannot be implemented.

The following tables list the required configurations on ports of different link types in order for these ports
to support tagged or untagged voice traffic sent from IP phones when different voice VLAN assignment
modes are configured.
• IP phones send tagged voice traffic
Table 2 Required configurations on ports of different links types for supporting tagged voice traffic

Voice VLAN Support for


Port link type assignment tagged voice Configuration requirements
mode traffic
Automatic
Access No N/A
Manual

Automatic PVID of the port cannot be the voice VLAN.

Trunk Yes PVID of the port cannot be the voice VLAN.


Manual Configure the port to permit packets of its PVID to
pass through.

Automatic PVID of the port cannot be the voice VLAN.

Hybrid Yes PVID of the port cannot be the voice VLAN.


Manual Configure the port to permit packets of the voice
VLAN to pass through tagged.

• IP phones send untagged voice traffic


When IP phones send untagged voice traffic, you can only configure the voice traffic receiving
ports on the switch to operate in manual voice VLAN assignment mode.
Table 3 Required configurations on ports of different links types for supporting tagged voice traffic

Voice VLAN Support for


Port link type assignment untagged voice Configuration requirements
mode traffic
Automatic No N/A
Access Configure the PVID of the port as the voice
Manual Yes
VLAN.

Automatic No N/A
Trunk Configure the PVID of the port as the voice VLAN
Manual Yes
and assign the port to the voice VLAN.

Automatic No N/A

Hybrid Configure the PVID of the port as the voice VLAN


Manual Yes and configure the port to permit packets of the
voice VLAN to pass through untagged.

35
NOTE:
• The PVIDs for all ports are VLAN 1. You can configure the PVID of a port and assign a port to certain
VLANs by using commands. For more information, see "Configuring VLANs."
• Use the display interface command to display the PVID of a port and the VLANs to which the port is
assigned.

Security mode and normal mode of voice VLANs


Voice VLAN-enabled ports operate in security mode or normal mode, depending on their inbound
packet filtering mechanisms:
• Normal mode—In this mode, voice VLAN-enabled ports receive packets carrying the voice VLAN
tag and forward packets in the voice VLAN without checking their source MAC addresses against
the OUI addresses configured for the switch. If the PVID of the port is the voice VLAN and the port
operates in manual VLAN assignment mode, the port forwards all received untagged packets in the
voice VLAN. In normal mode, the voice VLANs are vulnerable to traffic attacks. Vicious users may
forge a large amount of voice packets and send them to the switch to consume the voice VLAN
bandwidth, affecting normal voice communication.
• Security mode—In this mode, only voice packets whose source MAC addresses match the
recognizable OUI addresses can pass through the voice VLAN-enabled inbound port, while all
other packets are dropped.
In a safe network, you can configure the voice VLANs to operate in normal mode, thus reducing the
consumption of system resources due to source MAC addresses checking.
HP does not recommend that you transmit both voice traffic and non-voice traffic in a voice VLAN. If you
have to, make sure the voice VLAN security mode is disabled.
If you have configured the MAC learning limit, when the number of MAC addresses an interface has
learned reaches the limit, the device does not forward the VLAN-tagged packets whose source MAC
addresses have not been learned. For more information about the MAC address learning limit, see
"Configuring the MAC address table."
Table 4 How a voice VLAN-enabled port processes packets in security or normal mode

Voice VLAN
Packet type Packet processing mode
mode
Untagged packets If the source MAC address of a packet matches an OUI
Packets carrying the address configured for the switch, it is forwarded in the voice
Security mode voice VLAN tag VLAN; otherwise, it is dropped.

Packets carrying other Forwarded or dropped depending on whether the port allows
tags packets of these VLANs to pass through

Untagged packets The port does not check the source MAC addresses of inbound
packets. In this way, both voice traffic and non-voice traffic
Packets carrying the can be transmitted in the voice VLAN.
Normal mode voice VLAN tag

Packets carrying other Forwarded or dropped depending on whether the port allows
tags packets of these VLANs to pass through

36
Configuration prerequisites
1. Create a VLAN
Before configuring a VLAN as a voice VLAN, create the VLAN first.
2. Configure QoS priority settings for voice traffic on an interface
Configure QoS priority settings for voice VLAN traffic on an interface before enabling voice VLAN
on the interface. If the configuration order is reversed, your priority configuration will fail. For more
information, see "Configuring QoS priority settings for voice traffic on an interface."
3. Configure the voice VLAN assignment mode.
For more information, see "Configuring a port to operate in automatic voice VLAN assignment
mode" and "Configuring a port to operate in manual voice VLAN assignment mode."

Configuration guidelines
• When EB cards are operating in standard ACL mode, the ports on the EB cards do not support
voice VLAN. For more information about the standard ACL mode, see ACL and QoS Configuration
Guide.
• A port can belong to only one voice VLAN at a time.
• Voice VLAN cannot be enabled on member ports of an aggregation group. For more information
about link aggregation member ports, see "Configuring Ethernet link aggregation."

Configuring QoS priority settings for voice traffic on


an interface
IMPORTANT:
Configure the QoS priority settings for voice traffic on an interface before enabling voice VLAN on the
interface. If the configuration order is reversed, your priority trust setting will fail.

In voice VLAN applications, you can improve the quality of voice traffic by configuring the appropriate
QoS priority settings, including the Class of Service (CoS) and Differentiated Services Code Point (DSCP)
values, for voice traffic. Voice traffic carries its own QoS priority settings. You can configure the switch
either to modify or not to modify the QoS priority settings carried by incoming voice traffic.
To configure QoS priority settings for voice traffic:

Step Command Remarks


1. Enter system view. system-view N/A

interface interface-type
2. Enter interface view. N/A
interface-number

37
Step Command Remarks
• Configure the interface to
trust the QoS priority settings
in incoming voice traffic, that
is, not to modify the CoS and Use either command.
DSCP values marked for By default, an interface modifies the
incoming traffic of the voice CoS value and the DSCP value
VLAN: marked for voice VLAN traffic into 6
3. Configure QoS priority
voice vlan qos trust and 46.
settings for voice traffic.
• Configure the interface to The voice vlan qos command and the
modify the CoS and DSCP voice vlan qos trust command can
values marked for incoming overwrite each other, whichever is
traffic of the voice VLAN into configured last.
specified values:
voice vlan qos cos-value
dscp-value

Configuring a port to operate in automatic voice


VLAN assignment mode
Configuration restrictions and guidelines
• A protocol-based VLAN on a hybrid port can process only untagged inbound packets, whereas the
voice VLAN in automatic mode on a hybrid port can process only tagged voice traffic. Therefore,
do not configure a VLAN as both a protocol-based VLAN and a voice VLAN. For more information,
see "Configuring VLANs."
• With MSTP enabled, if a port is blocked in the MST instance (MSTI) of the target MAC-based VLAN,
the port drops the received packets, instead of delivering them to the CPU. As a result, the receiving
port will not be dynamically assigned to the corresponding VLAN. Do not configure dynamic
MAC-based VLAN assignment together with MSTP, because the former is mainly configured on the
access side.
• With PVST enabled, if the target MAC-based VLAN is not permitted on a port, the port is placed in
the blocked state and drops the received packets, instead of delivering them to the CPU. As a result,
the receiving port will not be dynamically assigned to the corresponding VLAN. Do not configure
dynamic MAC-based VLAN assignment together with PVST, because the former is mainly
configured on the access side.

Configuration procedure
To set a port to operate in automatic voice VLAN assignment mode:

Step Command Remarks


1. Enter system view. system-view N/A

38
Step Command Remarks
Optional.
The default setting is 1440
minutes.
2. Set the voice VLAN aging
voice vlan aging minutes The voice VLAN aging time
time.
configuration is only applicable on
ports in automatic voice VLAN
assignment mode.

Optional.
3. Enable the voice VLAN
voice vlan security enable By default, the voice VLAN security
security mode.
mode is enabled.

Optional.

4. Add a recognizable OUI voice vlan mac-address oui mask By default, each voice VLAN has
address. oui-mask [ description text ] default OUI addresses configured.
For the default OUI addresses of
different vendors, see Table 1.

interface interface-type
5. Enter Ethernet interface view. N/A
interface-number

Optional.
By default, automatic voice VLAN
6. Configure the port to operate
assignment mode is enabled.
in automatic voice VLAN voice vlan mode auto
assignment mode. The voice VLAN assignment modes
on different ports are independent
of one another.
7. Enable voice VLAN on the
voice vlan vlan-id enable By default, voice VLAN is disabled.
port.

Configuring a port to operate in manual voice


VLAN assignment mode
Configuration restrictions and guidelines
• You can configure different voice VLANs on different ports at the same time. However, one port can
be configured with only one voice VLAN, and this voice VLAN must be a static VLAN that already
exists on the device.
• Voice VLAN cannot be enabled on the member ports of a link aggregation group. For more
information about the member ports, see "Configuring Ethernet link aggregation."
• To make voice VLAN take effect on a port that is enabled with voice VLAN and operates in manual
voice VLAN assignment mode, you must manually assign the port to the voice VLAN.

Configuration procedure
To configure a port to operate in manual voice VLAN assignment mode:

39
Step Command Remarks
1. Enter system view. system-view N/A

Optional.
2. Enable the voice VLAN
voice vlan security enable By default, the voice VLAN security
security mode.
mode is enabled.

Optional.

3. Add a recognizable OUI voice vlan mac-address oui mask By default, each voice VLAN has
address. oui-mask [ description text ] default OUI addresses configured.
For the default OUI addresses of
different vendors, see Table 1.

interface interface-type
4. Enter interface view. N/A
interface-number

5. Configure the port to operate By default, a port operates in


in manual voice VLAN undo voice vlan mode auto automatic voice VLAN assignment
assignment mode. mode.

6. Assign the access, trunk, or After you assign an access port to


hybrid port in manual voice For the configuration procedure, the voice VLAN, the voice VLAN
VLAN assignment mode to the see "Configuring VLANs." becomes the PVID of the port
voice VLAN. automatically.

Optional.
7. Configure the voice VLAN as This operation is required for
For the configuration procedure,
the PVID of the trunk or hybrid untagged inbound voice traffic
see "Configuring VLANs."
port. and prohibited for tagged inbound
voice traffic.
8. Enable voice VLAN on the
voice vlan vlan-id enable N/A
port.

Displaying and maintaining voice VLAN


Task Command Remarks
display voice vlan state [ | { begin | exclude
Display the voice VLAN state. Available in any view.
| include } regular-expression ]

Display the OUI addresses display voice vlan oui [ | { begin | exclude |
Available in any view.
currently supported by system. include } regular-expression ]

Voice VLAN configuration examples


Automatic voice VLAN mode configuration example
Network requirements
As shown in Figure 13, IP phone A (0011-1100-0001) connects to a downstream device named PC A
(0022-1100-0002) and to GigabitEthernet 3/0/1 on an upstream device named Switch A; IP phone B
(0011-2200-0001) connects to a downstream device named PC B (0022-2200-0002) and to
GigabitEthernet 3/0/2 on Switch A.

40
Switch A uses voice VLAN 2 to transmit voice packets for IP phone A and voice VLAN 3 to transmit voice
packets for IP phone B.
Configure GigabitEthernet 3/0/1 and GigabitEthernet 3/0/2 to operate in automatic voice VLAN
assignment mode. In addition, if one of them has not received any voice packet in 30 minutes, the port
is removed from the corresponding voice VLAN automatically.
Figure 13 Network diagram

Configuration procedure
# Create VLAN 2 and VLAN 3.
<SwitchA> system-view
[SwitchA] vlan 2 to 3
Please wait... Done.

# Set the voice VLAN aging time to 30 minutes.


[SwitchA] voice vlan aging 30

# Since GigabitEthernet 3/0/1 might receive both voice traffic and data traffic at the same time, to
ensure the quality of voice packets and effective bandwidth use, configure voice VLANs to operate in
security mode, that is, configure the voice VLANs to transmit only voice packets. (Optional. By default,
voice VLANs operate in security mode.)
[SwitchA] voice vlan security enable

# Configure the allowed OUI addresses as MAC addresses prefixed by 0011-1100-0000 or


0011-2200-0000. In this way, Switch A identifies packets whose MAC addresses match any of the
configured OUI addresses as voice packets.
[SwitchA] voice vlan mac-address 0011-1100-0001 mask ffff-ff00-0000 description IP phone
A
[SwitchA] voice vlan mac-address 0011-2200-0001 mask ffff-ff00-0000 description IP phone
B

# Configure GigabitEthernet 3/0/1 as a hybrid port.


[SwitchA] interface gigabitethernet 3/0/1
[SwitchA-GigabitEthernet3/0/1] port link-type hybrid

# Configure GigabitEthernet 3/0/1 to operate in automatic voice VLAN assignment mode. (Optional.
By default, a port operates in automatic voice VLAN assignment mode.)
[SwitchA-GigabitEthernet3/0/1] voice vlan mode auto

41
# Configure VLAN 2 as the voice VLAN for GigabitEthernet 3/0/1.
[SwitchA-GigabitEthernet3/0/1] voice vlan 2 enable
[SwitchA-GigabitEthernet3/0/1] quit

# Configure GigabitEthernet 3/0/2.


[SwitchA] interface gigabitethernet 3/0/2
[SwitchA-GigabitEthernet3/0/2] port link-type hybrid
[SwitchA-GigabitEthernet3/0/2] voice vlan mode auto
[SwitchA-GigabitEthernet3/0/2] voice vlan 3 enable

Verifying the configuration


# Display the OUI addresses, OUI address masks, and description strings supported currently.
<SwitchA> display voice vlan oui
Oui Address Mask Description
0001-e300-0000 ffff-ff00-0000 Siemens phone
0003-6b00-0000 ffff-ff00-0000 Cisco phone
0004-0d00-0000 ffff-ff00-0000 Avaya phone
0011-1100-0000 ffff-ff00-0000 IP phone A
0011-2200-0000 ffff-ff00-0000 IP phone B
0060-b900-0000 ffff-ff00-0000 Philips/NEC phone
00d0-1e00-0000 ffff-ff00-0000 Pingtel phone
00e0-7500-0000 ffff-ff00-0000 Polycom phone
00e0-bb00-0000 ffff-ff00-0000 3com phone

# Display the current states of voice VLANs.


<SwitchA> display voice vlan state
Maximum of Voice VLANs: 128
Current Voice VLANs: 2
Voice VLAN security mode: Security
Voice VLAN aging time: 30 minutes
Voice VLAN enabled port and its mode:
PORT VLAN MODE COS DSCP
--------------------------------------------------------------------
GigabitEthernet3/0/1 2 AUTO 6 46
GigabitEthernet3/0/2 3 AUTO 6 46

Manual voice VLAN assignment mode configuration example


Network requirements
As shown in Figure 14, the IP phones send untagged voice traffic.
Configure GigabitEthernet 3/0/1 as a hybrid port. Create VLAN 2 and configure it as a voice VLAN
permitting only voice traffic to pass through. Configure GigabitEthernet 3/0/1 to operate in manual
voice VLAN assignment mode. Configure GigabitEthernet 3/0/1 to allow voice traffic with an OUI
address of 0011-2200-0000, a mask of ffff-ff00-0000, and a description string of test to be forwarded
in the voice VLAN.

42
Figure 14 Network diagram

Configuration procedure
# Configure the voice VLAN to operate in security mode. (Optional. A voice VLAN operates in security
mode by default.)
<SwitchA> system-view
[SwitchA] voice vlan security enable

# Add a recognizable OUI address 0011-2200-0000.


[SwitchA] voice vlan mac-address 0011-2200-0000 mask ffff-ff00-0000 description test

# Create VLAN 2.
[SwitchA] vlan 2
[SwitchA-vlan2] quit

# Configure GigabitEthernet 3/0/1 to operate in manual voice VLAN assignment mode.


[SwitchA] interface gigabitethernet 3/0/1
[SwitchA-GigabitEthernet3/0/1] undo voice vlan mode auto

# Configure GigabitEthernet 3/0/1 as a hybrid port.


[SwitchA-GigabitEthernet3/0/1] port link-type hybrid

# Configure the voice VLAN (VLAN 2) as the PVID of GigabitEthernet 3/0/1 and configure
GigabitEthernet 3/0/1 to permit the voice traffic of VLAN 2 to pass through untagged.
[SwitchA-GigabitEthernet3/0/1] port hybrid pvid vlan 2
[SwitchA-GigabitEthernet3/0/1] port hybrid vlan 2 untagged

# Enable voice VLAN on GigabitEthernet 3/0/1.


[SwitchA-GigabitEthernet3/0/1] voice vlan 2 enable

Verifying the configuration


# Display the OUI addresses, OUI address masks, and description strings supported currently.
<SwitchA> display voice vlan oui
Oui Address Mask Description
0001-e300-0000 ffff-ff00-0000 Siemens phone
0003-6b00-0000 ffff-ff00-0000 Cisco phone
0004-0d00-0000 ffff-ff00-0000 Avaya phone
0011-2200-0000 ffff-ff00-0000 test
00d0-1e00-0000 ffff-ff00-0000 Pingtel phone
0060-b900-0000 ffff-ff00-0000 Philips/NEC phone
00e0-7500-0000 ffff-ff00-0000 Polycom phone
00e0-bb00-0000 ffff-ff00-0000 3com phone

43
# Display the current voice VLAN state.
<SwitchA> display voice vlan state
Maximum of Voice VLANs: 128
Current Voice VLANs: 1
Voice VLAN security mode: Security
Voice VLAN aging time: 1440 minutes
Voice VLAN enabled port and its mode:
PORT VLAN MODE
-----------------------------------------------
GigabitEthernet3/0/1 2 MANUAL

44
Configuring the MAC address table

NOTE:
• At present, MAC address table configuration applies to Layer 2 Ethernet ports and Layer 2 aggregate
interfaces only.
• This document covers only the configuration of static, dynamic, blackhole, and multiport unicast MAC
address table entries. For the configuration of static multicast MAC address table entries, see IP Multicast
Configuration Guide.

Overview
A MAC address table is maintained for frame forwarding. Each entry in this table indicates the following
information:
• The MAC address of a connected network device.
• The interface to which the device is connected.
• The VLAN to which the interface belongs.
When forwarding a frame, the switch first looks up the MAC address table by the destination MAC
address of the frame for the outgoing port. If the outgoing port is found, the frame is forwarded rather
than broadcast, so broadcasts are reduced.

How a MAC address table entry is created


A MAC address table entry can be dynamically learned or manually configured.

Dynamically generate MAC address table entries


Usually, a switch can populate its MAC address table automatically by learning the source MAC
addresses of incoming frames on each port.
When a frame arrives at a port, Port A for example, the switch performs the following tasks:
1. Checks the source MAC address (MAC-SOURCE for example) of the frame.
2. Looks up the source MAC address in the MAC address table.
{ If an entry is found, the switch updates the entry.
{ If no entry is found, the switch adds an entry for MAC-SOURCE and Port A.
3. After learning this source MAC address, when the switch receives a frame destined for
MAC-SOURCE, it finds the MAC-SOURCE entry in the MAC address table and forwards the frame
out of Port A.
The switch performs the learning process each time it receives a frame from an unknown source MAC
address, until the MAC address table is fully populated.
To adapt to network changes, MAC address table entries must be constantly updated. Each dynamically
learned MAC address table entry has an aging timer. If an entry is not updated when the aging timer
expires, it is deleted. If it updates before the aging timer expires, the aging timer restarts.

45
Manually configure MAC address table entries
With dynamic MAC address learning, a switch does not distinguish illegitimate frames from legitimate
frames. This causes security hazards. For example, if a hacker sends frames with a forged source MAC
address to a port different from the one where the real MAC address is connected, the switch will create
an entry for the forged MAC address, and will forward frames destined for the legal user to the hacker
instead.
To enhance the security of a port, you can manually add MAC address entries in the MAC address table
of the switch to bind specific user switches to the port. Because manually configured entries have higher
priority than the dynamically learned ones, this prevents hackers from stealing data using forged MAC
addresses.

Types of MAC address table entries


A MAC address table may contain these types of entries:
• Static entries—Manually added and never age out.
• Dynamic entries—Manually added or dynamically learned, and might age out.
• Blackhole entries—Manually configured and never age out. Blackhole entries include source
blackhole MAC addresses and destination blackhole MAC address entries. They are configured for
filtering out frames with specific source or destination MAC addresses. For example, to block all
packets destined for a specific user for security concerns, you can configure the MAC address of
this user as a destination blackhole MAC address entry.
• Multiport unicast entries—Manually added for forwarding frames with a specific destination MAC
address out of multiple ports and never age out.

NOTE:
A static, blackhole, or multiport unicast MAC address entry can overwrite a dynamic MAC address entry,
but not vice versa.

MAC address table-based frame forwarding


When forwarding a frame, the switch adopts the following two forwarding modes based on the MAC
address table:
• Unicast mode—If an entry is available for the destination MAC address, the switch forwards the
frame directly from the hardware.
• Broadcast mode—If the switch receives a frame with an all-ones destination address, or no entry is
available for the destination MAC address, the switch broadcasts the frame to all the interfaces
except the receiving interface.

Configuring the MAC address table


The configuration tasks discussed in the following sections are all optional and can be performed in any
order.

46
Configuring static, dynamic, and blackhole MAC address
table entries
Usually, a switch can populate its MAC address table automatically by learning the source MAC
addresses of incoming frames.
To improve port security, you can manually add MAC address entries to the MAC address table to bind
ports with MAC addresses, fending off MAC address spoofing attacks.
In addition, you can configure blackhole MAC address entries to filter out packets with certain source or
destination MAC addresses.
To add or modify a static, dynamic, or blackhole MAC address table entry in system view:

Step Command Remarks


1. Enter system view. system-view N/A

2. Add or modify a mac-address { dynamic | static } mac-address


dynamic or static MAC interface interface-type interface-number vlan
address entry. vlan-id
Use either command.
3. Add or modify a
blackhole MAC address mac-address blackhole mac-address vlan vlan-id
entry.

To add or modify a static or dynamic MAC address table entry in interface view:

Step Command Remarks


1. Enter system view. system-view N/A
2. Enter Layer 2 Ethernet
interface view or Layer 2
interface interface-type interface-number N/A
aggregate interface
view.
3. Add or modify a static or Make sure that you have
mac-address { dynamic | static } mac-address
dynamic MAC address created the VLAN and assign
vlan vlan-id
entry. the interface to the VLAN.

Configuring a multiport unicast MAC address table entry


Multiport unicast MAC address entries enable you to deliver a single-destination packet out of multiple
ports. For example, when a group of servers are processing a request from a client, the client is not
concerned with the details of these servers and believes that only one server is responding. In this case,
you can configure a multiport unicast MAC address entry on the device connected to the group of servers.
In this manner, the device forwards the frame destined for the server group, which is considered as one
server by the client, to every server.
To configure a multiport unicast MAC address table entry in system view:

Step Command Remarks


1. Enter system view. system-view N/A

47
Step Command Remarks
No multiport unicast MAC
address table entries exist by
2. Configure a multiport unicast mac-address multiport mac-address default.
MAC address table entry. interface interface-list vlan vlan-id Make sure that you have
created the VLAN and assign
the interfaces to the VLAN.

To configure a multiport unicast MAC address table entry in interface view:

Step Command Remarks


1. Enter system view. system-view N/A

• Enter Layer 2 Ethernet Use either command.


interface view or Layer 2 Settings in Layer 2 Ethernet
aggregate interface view: interface view or Layer 2
2. Enter interface view or port group interface interface-type aggregate interface view take
view. interface-number effect on the current interface only.
• Enter port group view: Settings in port group view take
port-group manual effect on all member ports in the
port-group-name port group.

No multiport unicast MAC address


table entries exist by default.
3. Configure a multiport unicast MAC mac-address multiport
address table entry. mac-address vlan vlan-id Make sure that you have created
the VLAN and assign the interface
or interfaces to the VLAN.

NOTE:
• On a switch operating in IRF mode, do not specify the same MAC address for both a multiport unicast
MAC address table entry and a static neighbor table entry. Otherwise, a conflict will occur. For more
information about static neighbor entries, see Layer 3—IP Services Configuration Guide.
• To associate a unicast MAC address to an Ethernet interface that belongs to an aggregation group,
configure the multiport unicast MAC address table entry in Layer 2 aggregate interface view, instead of
Layer 2 Ethernet interface view.

Configuring the aging timer for dynamic MAC address entries


The MAC address table on your switch uses an aging mechanism for dynamic entries, so dynamic MAC
address entries that are not updated within their aging time are deleted to make room for new entries,
and the MAC address table is promptly updated to accommodate the latest network changes.

Configuration restrictions and guidelines


Set the aging timer appropriately. Too long an aging interval may cause the MAC address table to retain
outdated entries, exhaust the MAC address table resources, and fail to update its entries to
accommodate the latest network changes. Too short an interval may result in removal of valid entries,
causing unnecessary broadcasts, which may affect switch performance.

48
The MAC address aging timer takes effect globally on dynamic MAC address entries (learned or
administratively configured) only.
In a stable network, when there has been no traffic activity for a long time, all dynamic entries in the MAC
address table maintained by the switch are deleted, and the switch broadcasts a large amount of data
packets, which may be listened to by unwanted users, resulting in security hazards. To avoid this, you can
configure mac-address timer no-aging for dynamic MAC address entries, so that dynamic MAC address
entries will not be aged out. This can reduce broadcasts and improve the stability and security of the
network.

Configuration procedure
To configure the aging timer for dynamic MAC address entries:

Step Command Remarks


1. Enter system view. system-view N/A

Optional.
2. Configure the aging timer for
mac-address timer { aging seconds The value range of the aging timer
dynamic MAC address
| no-aging } is 10 to 3600 seconds and the
entries.
default value is 300 seconds.

Configuring the MAC learning limit


Configuring the MAC learning limit on ports
To prevent the MAC address table from getting so large that the forwarding performance of the switch
degrades, you can limit the number of MAC addresses that can be learned on a port.
To configure the MAC learning limit on an Ethernet port, the Ethernet ports in a port group, or a Layer 2
aggregate interface:

Step Command Remarks


1. Enter system view. system-view N/A

• Enter Ethernet interface view:


interface interface-type
Use any command.
interface-number
• Enter port group view: Settings in Ethernet interface view
2. Enter Ethernet interface, port or Layer 2 aggregate interface
port-group manual
group, or Layer 2 aggregate view take effect on the current port
port-group-name
interface view. only. Settings in port group view
• Enter Layer 2 aggregate take effect on all the member ports
interface view:
in the port group.
interface bridge-aggregation
interface-number
3. Configure the MAC learning By default, the maximum number
limit on an interface, and of MAC addresses that can be
configure whether frames with learned on an interface is not
mac-address max-mac-count
unknown source MAC specified, and frames with
{ count | disable-forwarding }
addresses can be forwarded unknown source MAC addresses
when the MAC learning limit is are forwarded when the MAC
reached. learning limit is reached.

49
Configuring the MAC learning limit on a VLAN
You may also limit the number of MAC addresses that can be learned on a per-VLAN basis.
To configure the MAC learning limit on a VLAN:

Step Command Remarks


1. Enter system view. system-view N/A

2. Enter VLAN view. vlan vlan-id N/A


3. Configure the MAC leaning
By default, the maximum number of
limit on a VLAN, and
MAC addresses that can be learned on
configure whether or not mac-address max-mac-count
a VLAN is not specified, and frames with
frames with unknown source { count |
unknown source MAC addresses are
MAC addresses can be disable-forwarding }
forwarded when the MAC learning limit
forwarded in the VLAN when
is reached.
the upper limit is reached.

Enabling MAC address migration log notifying


To discover and locate Layer 2 loops, you can enable MAC address migration log notifying.
MAC address migration refers to this process: a device learns a MAC address from an interface, Port A
for example, and the device later learns the MAC address from another interface, Port B for example. If
Port A and Port B belong to the same VLAN, the outgoing interface in the entry for the MAC address is
changed to Port B from Port A, which means that the MAC address migrates from Port A to Port B.
If a MAC address migrates between two specific interfaces frequently, a Layer 2 loop probably occurs in
the network. Network connection error and misconfiguration are prone to create network loops. Layer 2
loops cause devices to repeatedly send the same packet, which could exhaust the network resource and
even bring down the network.
To enable MAC address migration log notifying:

Step Command Remarks


1. Enter system view. system-view N/A

2. Enable MAC address mac-flapping notification By default, MAC address migration log
migration log notifying. enable notifying is disabled.

The MAC address migration logs of the last 1 minute are displayed once every 1 minute.
You can use the display mac-flapping information command to view the MAC address migration
records after a device starts up.

Displaying and maintaining the MAC address table

50
Task Command Remarks
display mac-address [ mac-address [ vlan
vlan-id ] | [ [ dynamic | static ] [ interface
Display MAC address table Available in any
interface-type interface-number ] | blackhole ]
information. view.
[ vlan vlan-id ] [ count ] ] [ | { begin | exclude |
include } regular-expression ]

display mac-address multiport [ vlan vlan-id ]


Display the multiport unicast MAC Available in any
[ count ] [ | { begin | exclude | include }
address table entries. view.
regular-expression ]

Display the aging timer for display mac-address aging-time [ | { begin | Available in any
dynamic MAC address entries. exclude | include } regular-expression ] view.

Display the MAC address


display mac-flapping information [ slot Available in any
migration record (in standalone
slot-number ] view.
mode).

Display the MAC address display mac-flapping information [ chassis Available in any
migration record (in IRF mode). chassis-number [ slot slot-number ] ] view.

MAC address table configuration example


NOTE:
By default, Ethernet, VLAN, and aggregate interfaces are in DOWN state. Before configuring these
interfaces, use the undo shutdown command to bring them up.

Network requirements
As shown in Figure 15:
• The MAC address of Host A is 000f-e235-dc71 and belongs to VLAN 1. It is connected to
GigabitEthernet 3/0/1 of the switch. To prevent MAC address spoofing, add a static entry for the
host in the MAC address table of the switch.
• The MAC address of Host B is 000f-e235-abcd and belongs to VLAN 1. For security, because this
host once behaved suspiciously on the network, add a destination blackhole MAC address entry for
the host MAC address, so all packets destined for the host will be dropped.
• Set the aging timer for dynamic MAC address entries to 500 seconds.
Figure 15 Network diagram

51
Configuration procedure
# Add a static MAC address entry.
<Sysname> system-view
[Sysname] mac-address static 000f-e235-dc71 interface Gigabitethernet 3/0/1 vlan 1

# Add a destination blackhole MAC address entry.


[Sysname] mac-address blackhole 000f-e235-abcd vlan 1

# Set the aging timer for dynamic MAC address entries to 500 seconds.
[Sysname] mac-address timer aging 500

# Display the MAC address entry for port GigabitEthernet 3/0/1.


[Sysname] display mac-address interface Gigabitethernet 3/0/1
MAC ADDR VLAN ID STATE PORT INDEX AGING TIME(s)
000f-e235-dc71 1 Config static GigabitEthernet3/0/1 NOAGED

--- 1 mac address(es) found on port GigabitEthernet3/0/1 ---

# Display information about destination blackhole MAC addresses.


[Sysname] display mac-address blackhole
MAC ADDR VLAN ID STATE PORT INDEX AGING TIME(s)
000f-e235-abcd 1 Blackhole N/A NOAGED

--- 1 mac address(es) found ---

# View the aging time of dynamic MAC address entries.


[Sysname] display mac-address aging-time
Mac address aging time: 500s

52
Configuring spanning tree protocols

As a Layer 2 management protocol, the Spanning Tree Protocol (STP) eliminates Layer 2 loops by
selectively blocking redundant links in a network, and also allows for link redundancy.
Recent versions of STP include the Rapid Spanning Tree Protocol (RSTP), the Multiple Spanning Tree
Protocol (MSTP), and the Per VLAN Spanning Tree Protocol (PVST).

STP
STP was developed based on the 802.1d standard of IEEE to eliminate loops at the data link layer in a
local area network (LAN). Networks often have redundant links as backups in case of failures, but loops
are a very serious problem. Devices running STP detect loops in the network by exchanging information
with one another, and eliminate loops by selectively blocking certain ports to prune the loop structure
into a loop-free tree structure. This avoids proliferation and infinite cycling of packets that would occur in
a loop network and prevents decreased device performance caused by receiving duplicate packets.
In the narrow sense, STP refers to IEEE 802.1d STP. In the broad sense, STP refers to the IEEE 802.1d STP
and various enhanced spanning tree protocols derived from that protocol.

STP protocol packets


STP uses bridge protocol data units (BPDUs), also known as configuration messages, as its protocol
packets. Throughout this document, BPDUs refer to STP BPDUs.
STP-enabled network devices exchange BPDUs to establish a spanning tree. BPDUs contain sufficient
information for the network devices to complete spanning tree calculation.
STP uses the following types of BPDUs:
• Configuration BPDUs, used for calculating a spanning tree and maintaining the spanning tree
topology.
• Topology change notification (TCN) BPDUs, which notify network devices of network topology
changes.
A configuration BPDU contains the following information for network devices to complete spanning tree
calculation:
• Root bridge ID—Comprises the priority and MAC address of the root bridge.
• Root path cost—The cost of the path to the root bridge.
• Designated bridge ID—Comprises the priority and MAC address of the designated bridge.
• Designated port ID—Comprises the port priority and global port number.
• Message age—The times that the configuration BPDU has been forwarded on the network.
• Max age—The maximum age of the configuration BPDU.
• Hello time—The transmission interval of the configuration BPDU.
• Forward delay—The delay before a port transitions to the forwarding state.

53
Basic concepts in STP
Root bridge
A tree network must have a root bridge.
There is only one root bridge in the entire network. The root bridge is not permanent, but can change with
changes of the network topology.
Upon initialization of a network, each device generates and periodically sends out configuration BPDUs
with itself as the root bridge. After network convergence, only the root bridge generates and periodically
sends out configuration BPDUs. The other devices only forward the BPDUs.

Root port
On a non-root bridge, the port nearest to the root bridge is the root port. The root port communicates with
the root bridge. Each non-root bridge has only one root port. The root bridge has no root port.

Designated bridge and designated port


Table 5 Description of designated bridges and designated ports

Classification Designated bridge Designated port


Device directly connected with the local
Port through which the designated
For a device device and responsible for forwarding BPDUs
bridge forwards BPDUs to this device
to the local device

Port through which the designated


Device responsible for forwarding BPDUs to
For a LAN bridge forwards BPDUs to this LAN
this LAN segment
segment

As shown in Figure 16, Device B and Device C are directly connected to a LAN. If Device A forwards
BPDUs to Device B through port A1, the designated bridge for Device B is Device A, and the designated
port of Device B is port A1 on Device A. If Device B forwards BPDUs to the LAN, the designated bridge
for the LAN is Device B, and the designated port for the LAN is port B2 on Device B.
Figure 16 Designated bridges and designated ports

Path cost
Path cost is a reference value used for link selection in STP. STP calculates path costs to select the most
robust links and blocks redundant links that are less robust, to prune the network into a loop-free tree.

54
Calculation process of the STP algorithm
The STP algorithm uses the following calculation process:
1. Initial state
Upon initialization of a device, each port generates a BPDU with itself as the designated port, the
device as the root bridge, 0 as the root path cost, and the device ID as the designated bridge ID.
2. Root bridge selection
Initially, each STP-enabled device on the network assumes itself to be the root bridge, with its own
device ID as the root bridge ID. By exchanging configuration BPDUs, the devices compare their
root bridge IDs to elect the device with the smallest root bridge ID as the root bridge.
3. Non-root bridge: selection of root port and designated ports
Table 6 describes the process of selecting the root port and designated ports.
Table 6 Selection of the root port and designated ports

Step Description
A non-root-bridge device regards the port on which it received the optimum configuration BPDU
1
as the root port. Table 7 describes how the optimum configuration BPDU is selected.

Based on the configuration BPDU and the path cost of the root port, the device calculates a
designated port configuration BPDU for each of its other ports.
• The root bridge ID is replaced with that of the configuration BPDU of the root port.
2 • The root path cost is replaced with that of the configuration BPDU of the root port plus the path
cost of the root port.
• The designated bridge ID is replaced with the ID of this device.
• The designated port ID is replaced with the ID of this port.
The device compares the calculated configuration BPDU with the configuration BPDU on the port
whose port role is to be determined:
• If the calculated configuration BPDU is superior, the device considers this port as the
designated port, replaces the configuration BPDU on the port with the calculated configuration
3
BPDU, and periodically sends out the calculated configuration BPDU.
• If the configuration BPDU on the port is superior, the device blocks this port without updating its
configuration BPDU. The blocked port can receive BPDUs, but cannot send BPDUs or forward
data traffic.

NOTE:
When the network topology is stable, only the root port and designated ports forward user traffic, while
other ports are all in the blocked state to receive BPDUs but not forward BPDUs or user traffic.

Table 7 Selection of the optimum configuration BPDU

Step Actions
Upon receiving a configuration BPDU on a port, the device compares the priority of the received
configuration BPDU with that of the configuration BPDU generated by the port, and:

1
• If the former priority is lower, the device discards the received configuration BPDU and keeps
the configuration BPDU the port generated.
• If the former priority is higher, the device replaces the content of the configuration BPDU
generated by the port with the content of the received configuration BPDU.

55
Step Actions
The device compares the configuration BPDUs of all the ports and chooses the optimum
2
configuration BPDU.

The following are the principles of configuration BPDU comparison:


• The configuration BPDU with the lowest root bridge ID has the highest priority.
• If configuration BPDUs have the same root bridge ID, their root path costs are compared. For
example, the root path cost in a configuration BPDU plus the path cost of a receiving port is S. The
configuration BPDU with the smallest S value has the highest priority.
• If all configuration BPDUs have the same ports value, their designated bridge IDs, designated port
IDs, and the IDs of the receiving ports are compared in sequence. The configuration BPDU
containing a smaller ID wins out.
A tree-shape topology forms when the root bridge, root ports, and designated ports are selected.
The following describes with an example how the STP algorithm works. This example shows a simplified
spanning tree calculation process.
Figure 17 The STP algorithm

As shown in Figure 17, the priority values of Device A, Device B, and Device C are 0, 1, and 2, and the
path costs of links among the three devices are 5, 10, and 4.
4. Initial state of each device
Table 8 Initial state of each device

Device Port name Configuration BPDU on the port


Port A1 {0, 0, 0, Port A1}
Device A
Port A2 {0, 0, 0, Port A2}

Port B1 {1, 0, 1, Port B1}


Device B
Port B2 {1, 0, 1, Port B2}

Port C1 {2, 0, 2, Port C1}


Device C
Port C2 {2, 0, 2, Port C2}

56
NOTE:
In Table 8, each configuration BPDU contains the following fields: root bridge ID, root path cost,
designated bridge ID, and designated port ID.

5. Comparison process and result on each device


Table 9 Comparison process and result on each device

Configuration BPDU on
Device Comparison process
ports after comparison
• Port A1 receives the configuration BPDU of Port B1 {1, 0, 1, Port
B1}, finds that its existing configuration BPDU {0, 0, 0, Port A1}
is superior to the received configuration BPDU, and discards the
received one.
• Port A2 receives the configuration BPDU of Port C1 {2, 0, 2, Port • Port A1: {0, 0, 0, Port
C1}, finds that its existing configuration BPDU {0, 0, 0, Port A2}
A1}
Device A is superior to the received configuration BPDU, and discards the
received one.
• Port A2: {0, 0, 0, Port
A2}
• Device A finds that it is both the root bridge and designated
bridge in the configuration BPDUs of all its ports, and considers
itself as the root bridge. It does not change the configuration
BPDU of any port and starts to periodically send out
configuration BPDUs.
• Port B1 receives the configuration BPDU of Port A1 {0, 0, 0, Port
A1}, finds that the received configuration BPDU is superior to its
existing configuration BPDU {1, 0, 1, Port B1}, and updates its • Port B1: {0, 0, 0, Port
configuration BPDU. A1}
• Port B2 receives the configuration BPDU of Port C2 {2, 0, 2, Port • Port B2: {1, 0, 1, Port
C2}, finds that its existing configuration BPDU {1, 0, 1, Port B2} B2}
is superior to the received configuration BPDU, and discards the
received one.
• Device B compares the configuration BPDUs of all its ports,
Device B decides that the configuration BPDU of Port B1 is the optimum,
and selects Port B1 as the root port with the configuration BPDU
unchanged.
• Based on the configuration BPDU and path cost of the root port, • Root port (Port B1): {0,
Device B calculates a designated port configuration BPDU for 0, 0, Port A1}
Port B2 {0, 5, 1, Port B2}, and compares it with the existing • Designated port (Port
configuration BPDU of Port B2 {1, 0, 1, Port B2}. Device B finds B2): {0, 5, 1, Port B2}
that the calculated one is superior, decides that Port B2 is the
designated port, replaces the configuration BPDU on Port B2
with the calculated one, and periodically sends out the
calculated configuration BPDU.
• Port C1 receives the configuration BPDU of Port A2 {0, 0, 0, Port
A2}, finds that the received configuration BPDU is superior to its
existing configuration BPDU {2, 0, 2, Port C1}, and updates its • Port C1: {0, 0, 0, Port
configuration BPDU. A2}
Device C
• Port C2 receives the original configuration BPDU of Port B2 {1, • Port C2: {1, 0, 1, Port
0, 1, Port B2}, finds that the received configuration BPDU is B2}
superior to the existing configuration BPDU {2, 0, 2, Port C2},
and updates its configuration BPDU.

57
Configuration BPDU on
Device Comparison process
ports after comparison
• Device C compares the configuration BPDUs of all its ports,
decides that the configuration BPDU of Port C1 is the optimum,
and selects Port C1 as the root port with the configuration BPDU
unchanged.
• Root port (Port C1): {0,
• Based on the configuration BPDU and path cost of the root port, 0, 0, Port A2}
Device C calculates the configuration BPDU of Port C2 {0, 10, 2,
• Designated port (Port
Port C2}, and compares it with the existing configuration BPDU
C2): {0, 10, 2, Port C2}
of Port C2 {1, 0, 1, Port B2}. Device C finds that the calculated
configuration BPDU is superior to the existing one, selects Port
C2 as the designated port, and replaces the configuration
BPDU of Port C2 with the calculated one.
• Port C2 receives the updated configuration BPDU of Port B2 {0,
5, 1, Port B2}, finds that the received configuration BPDU is
• Port C1: {0, 0, 0, Port
superior to its existing configuration BPDU {0, 10, 2, Port C2},
A2}
and updates its configuration BPDU.
• Port C2: {0, 5, 1, Port
• Port C1 receives a periodic configuration BPDU {0, 0, 0, Port
B2}
A2} from Port A2, finds that it is the same as the existing
configuration BPDU, and discards the received one.
• Device C finds that the root path cost of Port C1 (10) (root path
cost of the received configuration BPDU (0) plus path cost of Port
C1 (10)) is larger than that of Port C2 (9) (root path cost of the
received configuration BPDU (5) plus path cost of Port C2 (4)),
decides that the configuration BPDU of Port C2 is the optimum,
and selects Port C2 as the root port with the configuration BPDU
unchanged. • Blocked port (Port C1):
• Based on the configuration BPDU and path cost of the root port, {0, 0, 0, Port A2}
Device C calculates a designated port configuration BPDU for • Root port (Port C2): {0,
Port C1 {0, 9, 2, Port C1} and compares it with the existing 5, 1, Port B2}
configuration BPDU of Port C1 {0, 0, 0, Port A2}. Device C finds
that the existing configuration BPDU is superior to the calculated
one and blocks Port C1 with the configuration BPDU
unchanged. Then Port C1 does not forward data until a
spanning tree calculation process is triggered by a new event,
for example, the link between Device B and Device C is down.

NOTE:
In Table 9, each configuration BPDU contains the following fields: root bridge ID, root path cost,
designated bridge ID, and designated port ID.

After the comparison processes described in Table 9, a spanning tree with Device A as the root bridge
is established, and the topology is shown in Figure 18.

58
Figure 18 The final calculated spanning tree

The configuration BPDU forwarding mechanism of STP


The configuration BPDUs of STP are forwarded following these guidelines:
• Upon network initiation, every switch regards itself as the root bridge, generates configuration
BPDUs with itself as the root, and sends the configuration BPDUs at a regular hello interval.
• If it is the root port that received a configuration BPDU and the received configuration BPDU is
superior to the configuration BPDU of the port, the device increases the message age carried in the
configuration BPDU following a certain rule and starts a timer to time the configuration BPDU while
sending out this configuration BPDU through the designated port.
• If the configuration BPDU received on a designated port has a lower priority than the configuration
BPDU of the local port, the port immediately sends out its own configuration BPDU in response.
• If a path becomes faulty, the root port on this path no longer receives new configuration BPDUs and
the old configuration BPDUs will be discarded due to timeout. The device generates a configuration
BPDU with itself as the root and sends out the BPDUs and TCN BPDUs. This triggers a new spanning
tree calculation process to establish a new path to restore the network connectivity.
However, the newly calculated configuration BPDU cannot be propagated throughout the network
immediately, so the old root ports and designated ports that have not detected the topology change
continue forwarding data along the old path. If the new root ports and designated ports begin to
forward data as soon as they are elected, a temporary loop may occur.

STP timers
STP calculation involves the following timers: forward delay, hello time, and max age.
• Forward delay
Forward delay is the delay time for state transition.
A path failure can cause spanning tree re-calculation to adapt the spanning tree structure to the
change. However, the resulting new configuration BPDU cannot propagate throughout the
network immediately. If the newly elected root ports and designated ports start to forward data
right away, a temporary loop is likely to occur.
For this reason, as a mechanism for state transition in STP, the newly elected root ports or
designated ports require twice the forward delay time before transiting to the forwarding state to
make sure the new configuration BPDU has propagated throughout the network.
• Hello time
The device sends hello packets at the hello time interval to the neighboring devices to make sure
the paths are fault-free.
• Max age

59
The device uses the max age to determine whether a stored configuration BPDU has expired and
discards it if the max age is exceeded.

RSTP
RSTP achieves rapid network convergence by allowing a newly elected root port or designated port to
enter the forwarding state much faster than STP.
A newly elected RSTP root port rapidly enters the forwarding state if the old root port on the device has
stopped forwarding data and the upstream designated port has started forwarding data.
A newly elected RSTP designated port rapidly enters the forwarding state if it is an edge port (which
directly connects to a user terminal rather than to another network device or a shared LAN segment) or
it connects to a point-to-point link (to another device). Edge ports directly enter the forwarding state.
Connecting to a point-to-point link, a designated port enters the forwarding state immediately after the
device receives a handshake response from the directly connected device.

PVST
PVST was introduced to improve link bandwidth usage in network environments where multiple virtual
LANs (VLANs) exist. Unlike STP and RSTP whose bridges in a LAN must forward their VLAN packets in
the same spanning tree, PVST allows each VLAN to build a separate spanning tree.
PVST uses the following BPDUs:
• STP BPDUs—Sent by access ports according to the VLAN status, or by trunk ports and hybrid ports
according to the status of VLAN 1.
• PVST BPDUs—Sent by trunk port and hybrid ports according to the status of permitted VLANs
except VLAN 1.

MSTP
STP, RSTP, and PVST limitations
STP does not support rapid state transition of ports. A newly elected port must wait twice the forward
delay time before transiting to the forwarding state, even if it connects to a point-to-point link or is an
edge port.
Although RSTP supports rapid network convergence, it has the same drawback as STP—All bridges
within a LAN share the same spanning tree, and the packets of all VLANs are forwarded along the same
spanning tree, so redundant links cannot be blocked based on VLAN and load sharing among VLANs
cannot be implemented.
The number of PVST BPDUs generated grows with that of permitted VLANs on trunk ports. When the
status of a trunk port transitions, network devices might be overloaded to re-calculate a large number of
spanning trees.

MSTP features
Developed based on IEEE 802.1s, MSTP overcomes the limitations of STP, RSTP, and PVST. In addition to
supporting rapid network convergence, it also provides a better load sharing mechanism for redundant

60
links by allowing data flows of different VLANs to be forwarded along separate paths. For more
information about VLANs, see "Configuring VLANs."
MSTP includes the following features:
• MSTP divides a switched network into multiple regions, each containing multiple spanning trees
that are independent of one another.
• MSTP supports mapping VLANs to spanning tree instances by means of a VLAN-to-instance
mapping table. MSTP can reduce communication overheads and resource usage by mapping
multiple VLANs to one instance.
• MSTP prunes a loop network into a loop-free tree, avoiding proliferation and endless cycling of
packets in a loop network. In addition, it provides multiple redundant paths for data forwarding,
supporting load balancing of VLAN data.
• MSTP is compatible with STP and RSTP, but is incompatible with PVST.

MSTP basic concepts


Figure 19 shows a switched network that comprises four MST regions, each MST region comprising four
MSTP devices. Figure 20 shows the networking topology of MST region 3. This section describes some
basic concepts of MSTP.
Figure 19 Basic concepts in MSTP

VLAN 1 MSTI 1 VLAN 1 MSTI 1


VLAN 2 MSTI 2 VLAN 2 MSTI 2
Other VLANs MSTI 0 Other VLANs MSTI 0

MST region 1 MST region 4

MST region 2 MST region 3

VLAN 1 MSTI 1 VLAN 1 MSTI 1


VLAN 2 MSTI 2 CST VLAN 2&3 MSTI 2
Other VLANs MSTI 0 Other VLANs MSTI 0

61
Figure 20 Network diagram and topology of MST region 3

MST region
A multiple spanning tree region (MST region) consists of multiple devices in a switched network and the
network segments among them. All these devices have the following characteristics:
• A spanning tree protocol enabled
• Same region name
• Same VLAN-to-instance mapping configuration
• Same MSTP revision level
• Physically linked together
Multiple MST regions can exist in a switched network. You can assign multiple devices to the same MST
region. In Figure 19, the switched network comprises four MST regions, MST region 1 through MST region
4, and all devices in each MST region have the same MST region configuration.

MSTI
MSTP can generate multiple spanning trees in an MST region, and each spanning tree is independent of
another and maps to specific VLANs. Each spanning tree is referred to as a multiple spanning tree
instance (MSTI).
In Figure 20, MST region 3 comprises three MSTIs, MSTI 1, MSTI 2, and MSTI 0.

VLAN-to-instance mapping table


As an attribute of an MST region, the VLAN-to-instance mapping table describes the mapping
relationships between VLANs and MSTIs.
In Figure 20, the VLAN-to-instance mapping table of MST region 3 is: VLAN 1 to MSTI 1, VLAN 2 and
VLAN 3 to MSTI 2, and other VLANs to MSTI 0. MSTP achieves load balancing by means of the
VLAN-to-instance mapping table.

CST
The common spanning tree (CST) is a single spanning tree that connects all MST regions in a switched
network. If you regard each MST region as a device, the CST is a spanning tree calculated by these
devices through STP or RSTP.
The blue lines in Figure 19 represent the CST.

62
IST
An internal spanning tree (IST) is a spanning tree that runs in an MST region. It is also called MSTI 0, a
special MSTI to which all VLANs are mapped by default.
In Figure 19, MSTI 0 is the IST in MST region 3.

CIST
The common and internal spanning tree (CIST) is a single spanning tree that connects all devices in a
switched network. It consists of the ISTs in all MST regions and the CST.
In Figure 19, the ISTs (MSTI 0) in all MST regions plus the inter-region CST constitute the CIST of the entire
network.

Regional root
The root bridge of the IST or an MSTI within an MST region is the regional root of the IST or MSTI. Based
on the topology, different spanning trees in an MST region may have different regional roots.
For example, in MST region 3 in Figure 20, the regional root of MSTI 1 is Device B, the regional root of
MSTI 2 is Device C, and the regional root of MSTI 0 (also known as the IST) is Device A.

Common root bridge


The common root bridge is the root bridge of the CIST.
In Figure 19, for example, the common root bridge is a device in MST region 1.

Port roles
A port can play different roles in different MSTIs. As shown in Figure 21, an MST region comprises Device
A, Device B, Device C, and Device D. Port A1 and port A2 of Device A connect to the common root
bridge. Port B2 and Port B3 of Device B form a loop. Port C3 and Port C4 of Device C connect to other
MST regions. Port D3 of Device D directly connects to a host.
Figure 21 Port roles

63
MSTP calculation involves these port roles:
• Root port—Forwards data for a non-root bridge to the root bridge. The root bridge does not have
any root port.
• Designated port—Forwards data to the downstream network segment or device.
• Alternate port—The backup port for a root port or master port. When the root port or master port
is blocked, the alternate port takes over.
• Backup port—The backup port of a designated port. When the designated port is invalid, the
backup port becomes the new designated port. A loop occurs when two ports of the same
spanning tree device are interconnected, so the device blocks one of the ports. The blocked port
acts as the backup.
• Edge port—An edge port does not connect to any network device or network segment, but directly
connects to a user host.
• Master port—A port on the shortest path from the local MST region to the common root bridge. The
master port is not always located on the regional root. It is a root port on the IST or CIST and still a
master port on the other MSTIs.
• Boundary port—Connects an MST region to another MST region or to an STP/RSTP-running device.
In MSTP calculation, a boundary port’s role on an MSTI is consistent with its role on the CIST. But
that is not true with master ports. A master port on MSTIs is a root port on the CIST.

Port states
In MSTP, a port may be in one of the following states:
• Forwarding—The port receives and sends BPDUs, learns MAC addresses, and forwards user
traffic.
• Learning—The port receives and sends BPDUs, and learns MAC addresses, but does not forward
user traffic. Learning is an intermediate port state.
• Discarding—The port receives and sends BPDUs, but does not learn MAC addresses or forward
user traffic.
When in different MSTIs, a port can be in different states. A port state is not exclusively associated with
a port role. Table 10 lists the port states supported by each port role ("√" indicates that the port supports
the state, and "—" indicates that the port does not support the state).
Table 10 Port states supported by different port roles

Port role (right)


Root port/master
Designated port Alternate port Backup port
Port state port
(below)
Forwarding √ √ — —

Learning √ √ — —

Discarding √ √ √ √

How MSTP works


MSTP divides an entire Layer 2 network into multiple MST regions, which are interconnected by a
calculated CST. Inside an MST region, multiple spanning trees, called MSTIs, are calculated. Among
these MSTIs, MSTI 0 is the IST.

64
Similar to STP, MSTP uses configuration BPDUs to calculate spanning trees. However, an important
difference is that an MSTP BPDU carries the MSTP configuration of the device from which the BPDU is
sent.

CIST calculation
The calculation of a CIST tree is also the process of configuration BPDU comparison. During this process,
the device with the highest priority is elected as the root bridge of the CIST. MSTP generates an IST within
each MST region through calculation, and, at the same time, MSTP regards each MST region as a single
device and generates a CST among these MST regions through calculation. The CST and ISTs constitute
the CIST of the entire network.

MSTI calculation
Within an MST region, MSTP generates different MSTIs for different VLANs based on the
VLAN-to-instance mappings. For each spanning tree, MSTP performs a separate calculation process,
which is similar to spanning tree calculation in STP. For more information, see "Calculation process of the
STP algorithm."
In MSTP, a VLAN packet is forwarded along the following paths:
• Within an MST region, the packet is forwarded along the corresponding MSTI.
• Between two MST regions, the packet is forwarded along the CST.

Implementation of MSTP on devices


MSTP is compatible with STP and RSTP. STP and RSTP protocol packets can be recognized by devices
running MSTP and used for spanning tree calculation.
In addition to basic MSTP functions, the following functions are provided for ease of management:
• Root bridge hold
• Root bridge backup
• Root guard
• BPDU guard
• Loop guard
• TC-BPDU guard
• Support for hot swapping of interface cards and active/standby changeover.

Protocols and standards


• IEEE 802.1d: Media Access Control (MAC) Bridges
• IEEE 802.1w: Part 3: Media Access Control (MAC) Bridges—Amendment 2: Rapid Reconfiguration
• IEEE 802.1s: Virtual Bridged Local Area Networks—Amendment 3: Multiple Spanning Trees

Spanning tree configuration task lists


Configuration restrictions and guidelines
• Before configuring a spanning tree, you must determine the spanning tree protocol to be used (STP,
RSTP, PVST, or MSTP) and plan the device roles (the root bridge or leaf node).

65
• If GVRP and a spanning tree protocol are enabled on a device at the same time, GVRP packets are
forwarded along the CIST. To advertise a certain VLAN within the network through GVRP, make
sure this VLAN is mapped to the CIST when you configure the VLAN-to-instance mapping table. For
more information about GVRP, see "Configuring GVRP."
• The spanning tree configurations are mutually exclusive with any of the following functions on a port:
RRPP, Smart Link, and BPDU tunnel.
• The spanning tree configurations made in system view take effect globally. Configurations made in
Ethernet interface view take effect on the current interface only. Configurations made in port group
view take effect on all member ports in the port group. Configurations made in Layer 2 aggregate
interface view take effect only on the aggregate interface. Configurations made on an aggregation
member port can take effect only after the port is removed from the aggregation group.
• After you enable a spanning tree protocol on a Layer 2 aggregate interface, the system performs
spanning tree calculation on the Layer 2 aggregate interface but not on the aggregation member
ports. The spanning tree protocol enable state and forwarding state of each selected member port
is consistent with those of the corresponding Layer 2 aggregate interface.
• Though the member ports of an aggregation group do not participate in spanning tree calculation,
the ports still reserve its spanning tree configurations for participating spanning tree calculation
after leaving the aggregation group.

STP configuration task list


Complete the following tasks to configure STP:

Task Remarks
Required.
Setting the spanning tree mode Configure the switch to
operate in STP mode.

Configuring the root bridge or a secondary root


Optional.
bridge

Configuring the switch priority Optional.

Configuring the network diameter of a switched


Configuring the root Optional.
network
bridge
Configuring spanning tree timers Optional.

Configuring the timeout factor Optional.

Configuring the maximum port rate Optional.

Configuring the mode a port uses to recognize/send


Optional.
MSTP packets

Enabling the spanning tree feature Required.

Required.
Setting the spanning tree mode Configure the switch to
operate in STP mode.
Configuring the leaf
nodes Configuring the switch priority Optional.

Configuring the timeout factor Optional.

Configuring the maximum port rate Optional.

66
Task Remarks
Configuring path costs of ports Optional.

Configuring the port priority Optional.

Configuring the mode a port uses to recognize/send


Optional.
MSTP packets

Enabling the spanning tree feature Required.

Configuring the VLAN Ignore feature Optional.

Configuring TC snooping Optional.

Configuring protection functions Optional.

RSTP configuration task list


Complete the following tasks to configure RSTP:

Task Remarks
Required.
Setting the spanning tree mode Configure the switch to
operate in RSTP mode.

Configuring the root bridge or a secondary root


Optional.
bridge

Configuring the switch priority Optional.

Configuring the network diameter of a switched


Optional.
network
Configuring the root
Configuring spanning tree timers Optional.
bridge
Configuring the timeout factor Optional.

Configuring the maximum port rate Optional.

Configuring edge ports Optional.

Configuring the port link type Optional.

Configuring the mode a port uses to recognize/send


Optional.
MSTP packets

Enabling the spanning tree feature Required.

Required.
Setting the spanning tree mode Configure the switch to
operate in RSTP mode.

Configuring the switch priority Optional.


Configuring the leaf Configuring the timeout factor Optional.
nodes
Configuring the maximum port rate Optional.

Configuring edge ports Optional.

Configuring path costs of ports Optional.

Configuring the port priority Optional.

67
Task Remarks
Configuring the port link type Optional.

Configuring the mode a port uses to recognize/send


Optional.
MSTP packets

Enabling the spanning tree feature Required.

Performing mCheck Optional.

Configuring the VLAN Ignore feature Optional.

Configuring TC snooping Optional.

Configuring protection functions Optional.

PVST configuration task list


Complete the following tasks to configure PVST:

Task Remarks
Required.
Setting the spanning tree mode Configure the switch to
operate in PVST mode.

Configuring the root bridge or a secondary root


Optional.
bridge

Configuring the switch priority Optional.

Configuring the network diameter of a switched


Configuring the root Optional.
network
bridge
Configuring spanning tree timers Optional.

Configuring the timeout factor Optional.

Configuring the maximum port rate Optional.

Configuring edge ports Optional.

Configuring the port link type Optional.

Enabling the spanning tree feature Required.

Required.
Setting the spanning tree mode Configure the switch to
operate in PVST mode.

Configuring the switch priority Optional.

Configuring the timeout factor Optional.


Configuring the leaf Configuring the maximum port rate Optional.
nodes
Configuring edge ports Optional.

Configuring path costs of ports Optional.

Configuring the port priority Optional.

Configuring the port link type Optional.

Enabling the spanning tree feature Required.

68
Task Remarks
Performing mCheck Optional.

Configuring the VLAN Ignore feature Optional.

Configuring TC snooping Optional.

Configuring protection functions Optional.

MSTP configuration task list


Complete the following tasks to configure MSTP:

Task Remarks
Optional.
Setting the spanning tree mode By default, the switch
operates in MSTP mode.

Configuring an MST region Required.

Configuring the root bridge or a secondary root


Optional.
bridge

Configuring the switch priority Optional.

Configuring the maximum hops of an MST region Optional.

Configuring the network diameter of a switched


Configuring the root Optional.
network
bridge
Configuring spanning tree timers Optional.

Configuring the timeout factor Optional.

Configuring the maximum port rate Optional.

Configuring edge ports Optional.

Configuring the port link type Optional.

Configuring the mode a port uses to recognize/send


Optional.
MSTP packets

Enabling the spanning tree feature Required.

Optional.
Setting the spanning tree mode By default, the switch
operates in MSTP mode.

Configuring an MST region Required.

Configuring the switch priority Optional.


Configuring the leaf Configuring the timeout factor Optional.
nodes
Configuring the maximum port rate Optional.

Configuring edge ports Optional.

Configuring path costs of ports Optional.

Configuring the port priority Optional.

Configuring the port link type Optional.

69
Task Remarks
Configuring the mode a port uses to recognize/send
Optional.
MSTP packets

Enabling the spanning tree feature Required.

Performing mCheck Optional.

Configuring the VLAN Ignore feature Optional.

Configuring Digest Snooping Optional.

Configuring No Agreement Check Optional.

Configuring TC snooping Optional.

Configuring protection functions Optional.

Setting the spanning tree mode


The spanning tree modes include:
• STP mode—All ports of the device send STP BPDUs. Select this mode when the peer device of a port
supports only STP.
• RSTP mode—All ports of the device send RSTP BPDUs. When a RSTP port receives STP BPDUs from
a peer device, it automatically transition to the STP mode. When a RSTP port receives MSTP BPDUs
from a peer device, it stays in RSTP mode.
• MSTP mode—All ports of the device send MSTP BPDUs. When an MSTP port receives STP BPDUs
from a peer device, it automatically transition to the STP mode. When an MSTP port receives RSTP
BPDUs from a peer device, it stays in MSTP mode.
• PVST mode—All ports of the device send PVST BPDUs and maintain a spanning tree for each
VLAN.
MSTP mode is compatible with RSTP mode, RSTP mode is compatible with STP mode, and PVST mode is
incompatible with any other mode.
To set the spanning tree mode:

Step Command Remarks


1. Enter system view. system-view N/A

The default setting is MSTP


2. Set the spanning tree mode. stp mode { mstp | pvst | rstp | stp }
mode.

Configuring an MST region


Configuration restrictions and guidelines
• Two or more spanning tree devices belong to the same MST region only if they are configured to
have the same format selector (0 by default, not configurable), MST region name, MST region
revision level, and the same VLAN-to-instance mapping entries in the MST region, and they are
interconnected via a physical link.

70
• The configuration of MST region–related parameters, especially the VLAN-to-instance mapping
table, will result in a new spanning tree calculation. To reduce the possibility of topology instability,
the MST region configuration takes effect only after you activate it by using the active
region-configuration command, or enable a spanning tree protocol by using the stp enable
command in the case that the spanning tree protocol is disabled.
• The switch in PVST mode supports more MSTIs than in MSTP mode. When you change the spanning
tree mode from PVST to MSTP, exceeding MSTIs (arranged in ascending order of their IDs) and their
configurations are silently deleted and cannot be recovered even if you change the spanning tree
mode back. To prevent loss of MSTIs, map all VLANs in the MST regions to the CIST in PVST mode.

Configuration procedure
To configure an MST region:

Step Command Remarks


1. Enter system view. system-view N/A

2. Enter MST region view. stp region-configuration N/A

Optional.
3. Configure the MST region
region-name name The MST region name is the MAC
name.
address by default.

Optional.
4. Configure the • instance instance-id vlan Use either command.
VLAN-to-instance mapping vlan-list
All VLANs in an MST region are
table. • vlan-mapping modulo modulo mapped to the CIST (or MSTI 0) by
default.

5. Configure the MSTP revision Optional.


revision-level level
level of the MST region. The default setting is 0.
6. Display the MST region
configurations that are not check region-configuration Optional.
activated yet.
7. Activate MST region
active region-configuration N/A
configuration manually.
8. Display the activated display stp region-configuration [ | Optional.
configuration information of { begin | exclude | include }
the MST region. regular-expression ] Available in any view.

Configuring the root bridge or a secondary root


bridge
The root bridge of a spanning tree is determined through spanning tree calculation. Alternatively, you
can specify the switch as the root bridge or a secondary root bridge.
A switch has independent roles in different spanning trees. It can act as the root bridge in one spanning
tree and as a secondary root bridge in another. However, a switch cannot be the root bridge and a
secondary root bridge in the same spanning tree.

71
A spanning tree can have one root bridge only. If two or more switches are selected as the root bridge
in a spanning tree at the same time, the switch with the lowest MAC address wins out.
When the root bridge of an instance fails or is shut down, the secondary root bridge (if you have
specified one) can take over the role of the primary root bridge. However, if you specify a new primary
root bridge for the instance then, the secondary root bridge will not become the root bridge. If you have
specified multiple secondary root bridges for an instance, when the root bridge fails, the secondary root
bridge with the lowest MAC address is selected as the new root bridge.

Configuring the current switch as the root bridge of a specific


spanning tree
Step Command Remarks
1. Enter system view. system-view N/A

• In STP/RSTP mode:
stp root primary
• In PVST mode: Use any command.
2. Configure the switch as the
stp vlan vlan-list root primary By default, a switch does not
root bridge.
• In MSTP mode: function as the root bridge.
stp [ instance instance-id ] root
primary

Configuring the current switch as a secondary root bridge of a


specific spanning tree
Step Command Remarks
1. Enter system view. system-view N/A
• In STP/RSTP mode:
stp root secondary
Use any command.
• In PVST mode:
2. Configure the switch as a By default, a switch does not
stp vlan vlan-list root secondary
secondary root bridge. function as a secondary root
• In MSTP mode: bridge.
stp [ instance instance-id ] root
secondary

NOTE:
• You can specify one root bridge for each spanning tree, regardless of the switch priority settings. Once
you specify a switch as the root bridge or a secondary root bridge, you cannot change its priority.
• You can configure the current switch as the root bridge by setting the switch priority to 0. For the switch
priority configuration, see "Configuring the switch priority."

Configuring the switch priority

72
IMPORTANT:
• After you configure the switch as the root bridge or a secondary root bridge, you cannot change the
priority of the switch.
• During root bridge selection, if all devices in a spanning tree have the same priority, the one with the
lowest MAC address will be selected as the root bridge of the spanning tree.

Priority is a factor in spanning tree calculation. The priority of a switch determines whether the switch can
be elected as the root bridge of a spanning tree. A lower value indicates a higher priority. You can set
the priority of a switch to a low value to specify the switch as the root bridge of the spanning tree. A
spanning tree switch can have different priorities in different MSTIs.
To configure the priority of a switch in a specified MSTI:

Step Command Remarks


1. Enter system view. system-view N/A
• In STP/RSTP mode:
stp priority priority
• In PVST mode: Use any command.
2. Configure the priority of the
stp vlan vlan-list priority priority The default setting is
switch.
• In MSTP mode: 32768.
stp [ instance instance-id ] priority
priority

Configuring the maximum hops of an MST region


By setting the maximum hops of an MST region, you can restrict the region size. The maximum hops
configured on the regional root bridge will be used as the maximum hops of the MST region.
The regional root bridge always sends a configuration BPDU with a hop count set to the maximum value.
When a switch receives this configuration BPDU, it decrements the hop count by 1 and uses the new hop
count in the BPDUs it propagates. When the hop count of a BPDU reaches 0, it is discarded by the device
that received it. This prevents devices beyond the reach of the maximum hop from taking part in spanning
tree calculation, which limits the size of the MST region.
Make this configuration on the root bridge only. All other devices in the MST region use the maximum
hop value set for the root bridge.
To configure the maximum number of hops of an MST region:

Step Command Remarks


1. Enter system view. system-view N/A
2. Configure the maximum hops
stp max-hops hops The default setting is 20.
of the MST region.

73
Configuring the network diameter of a switched
network
Any two terminal devices in a switched network are interconnected through a specific path composed of
a series of devices. The network diameter is the number of devices on the path composed of the most
devices. The network diameter is a parameter that indicates the network size. A bigger network diameter
indicates a larger network size. Based on the network diameter you configured, the system automatically
sets an optimal hello time, forward delay, and max age for the switch.
To configure the network diameter of a switched network:

Step Command Remarks


1. Enter system view. system-view N/A
• In STP/RSTP/MSTP mode:
stp bridge-diameter diameter
2. Configure the network diameter of Use either command.
the switched network. • In PVST mode:
The default setting is 7.
stp vlan vlan-list bridge-diameter
diameter

NOTE:
• In STP/RSTP/MSTP mode, each MST region is considered as a device and the configured network
diameter is effective only for the CIST (or the common root bridge), but not for MSTIs.
• In PVST mode, the network diameter configuration is effective on the root bridge only.

Configuring spanning tree timers


The following timers are used for spanning tree calculation:
• Forward delay
It is the delay time for port state transition. To prevent temporary loops on a network, the spanning
tree sets an intermediate port state, the learning state, before it transitions from the discarding state
to the forwarding state, and requires that the port transitions its state after a forward delay timer to
make sure the state transition of the local port keeps synchronized with the peer.
• Hello time
The switch detects whether a link failure has occurred with the hello time interval. The spanning
tree sends out a configuration BPDU every hello time interval. If the switch receives no
configuration BPDUs within the hello time interval, it recalculates the spanning tree.
• Max age
In the CIST of an MSTP network or each VLAN of a PVST network, the switch determines whether
a configuration BPDU received by a port has expires based on the max age timer. If yes, a new
spanning tree calculation process starts. The max age timer is ineffective for MSTIs.
To prevent network instability, make sure the timer settings meet the following formulas:
• 2 × (forward delay – 1 second) ƒ max age
• Max age ƒ 2 × (hello time + 1 second)

74
HP does not recommend you to manually set the spanning tree timers. Instead, you can specify the
network diameter and let spanning tree protocols automatically calculate the timers based on the
network diameter. If the network diameter uses the default value, the timers also use their default values.
Configure the timers on the root bridge only, and the timer settings on the root bridge apply to all the
devices on the entire switched network.

Configuration restrictions and guidelines


• The length of the forward delay timer is related to the network diameter of the switched network. The
larger the network diameter is, the longer the forward delay time should be. If the forward delay
timer is too short, temporary redundant paths may be introduced. If the forward delay timer is too
long, it may take a long time for the network to converge. HP recommends you to use the default
setting.
• An appropriate hello time setting enables the switch to promptly detect link failures on the network
without using excessive network resources. If the hello time is too long, the switch will consider
packet loss as a link failure and trigger a new spanning tree calculation process. If the hello time is
too short, the switch will frequently send the same configuration BPDUs, which add the device
burden and waste network resources. HP recommends you to use the default setting.
• If the max age timer is too short, the switch will frequently launch spanning tree calculation and may
consider network congestion as a link failure. If the max age timer is too long, the switch may fail
to detect link failures and launch spanning tree calculations promptly, reducing the auto-sensing
capability of the network. HP recommends you to use the default setting.

Configuration procedure
To configure the spanning tree timers:

Step Command Remarks


1. Enter system view. system-view N/A
• In STP/RSTP/MSTP mode: Optional.
stp timer forward-delay time
2. Configure the forward delay Use either command.
timer. • In PVST mode:
stp vlan vlan-list timer The default setting is 1500
forward-delay time centiseconds.

• In STP/RSTP/MSTP mode: Optional.


stp timer hello time Use either command.
3. Configure the hello timer.
• In PVST mode: The default setting is 200
stp vlan vlan-list timer hello time centiseconds.
• In STP/RSTP/MSTP mode: Optional.
stp timer max-age time
Use either command.
4. Configure the max age timer. • In PVST mode:
stp vlan vlan-list timer max-age The default setting is 2000
time centiseconds.

Configuring the timeout factor


The timeout factor is a parameter used to decide the timeout time, in the following formula: Timeout time
= timeout factor × 3 × hello time.

75
After the network topology is stabilized, each non-root-bridge device forwards configuration BPDUs to
the downstream devices at the interval of hello time to check whether any link is faulty. If a device does
not receive a BPDU from the upstream device within nine times the hello time, it assumes that the
upstream device has failed and starts a new spanning tree calculation process.
Sometimes a device may fail to receive a BPDU from the upstream device because the upstream device
is busy. If a spanning tree calculation occurs, the calculation can fail and also waste the network
resources. In a stable network, you can prevent undesired spanning tree calculations by setting the
timeout factor to 5, 6, or 7.
To configure the timeout factor:

Step Command Remarks


1. Enter system view. system-view N/A

2. Configure the timeout factor of the switch. stp timer-factor factor The default setting is 3.

Configuring the maximum port rate


The maximum rate of a port refers to the maximum number of BPDUs the port can send within each hello
time. The maximum rate of a port is related to the physical status of the port and the network structure.

Configuration guidelines
The higher the maximum port rate is, the more BPDUs will be sent within each hello time, and the more
system resources will be used. By setting an appropriate maximum port rate, you can limit the rate at
which the port sends BPDUs and prevent spanning tree protocols from using excessive network resources
when the network becomes instable. HP recommends you to use the default setting.

Configuration procedure
To configure the maximum rate of a port or a group of ports:

Step Command Remarks


1. Enter system view. system-view N/A
• Enter Ethernet interface view or Layer 2
aggregate interface view:
2. Enter interface view or
interface interface-type interface-number Use either command.
port group view.
• Enter port group view:
port-group manual port-group-name
3. Configure the maximum
stp transmit-limit limit The default setting is 10.
rate of the ports.

Configuring edge ports


If a port directly connects to a user terminal rather than another device or a shared LAN segment, this
port is regarded as an edge port. When network topology change occurs, an edge port will not cause
a temporary loop. Because a device does not know whether a port is directly connected to a terminal,

76
you must manually configure the port to be an edge port. After that, this port can transition rapidly from
the blocked state to the forwarding state without delay.

Configuration restrictions and guidelines


• With BPDU guard disabled, when a port set as an edge port receives a BPDU from another port,
it will become a non-edge port again. To restore the edge port, re-enable it.
• If a port directly connects to a user terminal, configure it as an edge port and enable BPDU guard
for it. This enables the port to transition to the forwarding state fast while ensuring network security.
• Among loop guard, root guard and edge port settings, only one function (whichever is configured
the earliest) can take effect on a port at the same time.

Configuration procedure
To specify a port or a group of ports as edge port or ports:

Step Command Remarks


1. Enter system view. system-view N/A
• Enter Ethernet interface view or Layer 2
aggregate interface view:
2. Enter interface view or
interface interface-type interface-number Use either command.
port group view.
• Enter port group view:
port-group manual port-group-name
3. Configure the current All ports are non-edge ports
stp edged-port enable
ports as edge ports. by default.

Configuring path costs of ports


Path cost is a parameter related to the rate of a port. On a spanning tree device, a port can have different
path costs in different MSTIs. Setting appropriate path costs allows VLAN traffic flows to be forwarded
along different physical links, achieving VLAN-based load balancing.
The device can automatically calculate the default path cost; alternatively, you can also configure the
path cost for ports.

Specifying a standard for the switch to use when calculating the


default path cost
CAUTION:
If you change the standard that the switch uses in calculating the default path costs, you restore the path
costs to the default.

You can specify a standard for the switch to use in automatic calculation for the default path cost. The
switch supports the following standards:
• dot1d-1998—The switch calculates the default path cost for ports based on IEEE 802.1d-1998.
• dot1t—The switch calculates the default path cost for ports based on IEEE 802.1t.

77
• legacy—The switch calculates the default path cost for ports based on a private standard.
To specify a standard for the switch to use when calculating the default path cost:

Step Command Remarks


1. Enter system view. system-view N/A
2. Specify a standard for the
switch to use when calculating stp pathcost-standard Optional.
the default path costs of its { dot1d-1998 | dot1t | legacy } The default setting is legacy.
ports.

NOTE:
When calculating path cost for an aggregate interface, IEEE 802.1t takes into account the number of
Selected ports in its aggregation group, but IEEE 802.1d-1998 does not. The calculation formula of IEEE
802.1t is: Path Cost = 200,000,000/link speed (in 100 kbps), where link speed is the sum of the link
speed values of the Selected ports in the aggregation group.

Table 11 shows the mappings between the link speed and the path cost.
Table 11 Mappings between the link speed and the path cost

Path cost
Link speed Port type IEEE
IEEE 802.1t Private standard
802.1d-1998
0 N/A 65535 200,000,000 200,000

Single Port 2,000,000 2,000

Aggregate interface
containing 2 Selected 1,000,000 1,800
ports

10 Mbps Aggregate interface 100


containing 3 Selected 666,666 1,600
ports

Aggregate interface
containing 4 Selected 500,000 1,400
ports

Single Port 200,000 200

Aggregate interface
containing 2 Selected 100,000 180
ports

100 Mbps Aggregate interface 19


containing 3 Selected 66,666 160
ports

Aggregate interface
containing 4 Selected 50,000 140
ports

1000 Mbps Single Port 4 20,000 20

78
Path cost
Link speed Port type IEEE
IEEE 802.1t Private standard
802.1d-1998
Aggregate interface
containing 2 Selected 10,000 18
ports

Aggregate interface
containing 3 Selected 6666 16
ports

Aggregate interface
containing 4 Selected 5000 14
ports

Single Port 2000 2

Aggregate interface
containing 2 Selected 1000 1
ports

10 Gbps Aggregate interface 2


containing 3 Selected 666 1
ports

Aggregate interface
containing 4 Selected 500 1
ports

Configuring the path costs of ports


Step Command Remarks
1. Enter system view. system-view N/A
• Enter Ethernet interface view or
Layer 2 aggregate interface view:
interface interface-type
2. Enter interface view or port
interface-number Use either command.
group view.
• Enter port group view:
port-group manual
port-group-name
• In STP/RSTP mode:
stp cost cost
Use any command.
• In PVST mode:
3. Configure the path cost of the By default, the system
stp vlan vlan-list cost cost
ports. automatically calculates the
• In MSTP mode: path cost of each port.
stp [ instance instance-id ] cost
cost

NOTE:
When the path cost of a port changes, the system re-calculates the role of the port and initiates a state
transition.

79
Configuration example
# In MSTP mode, specify the switch to calculate the default path costs of its ports by using IEEE
802.1d-1998, and set the path cost of GigabitEthernet 3/0/3 to 200 on MSTI 2.
<Sysname> system-view
[Sysname] stp pathcost-standard dot1d-1998
[Sysname] interface gigabitethernet 3/0/3
[Sysname-GigabitEthernet3/0/3] stp instance 2 cost 200

# In PVST mode, specify the switch to calculate the default path costs of its ports by using IEEE
802.1d-1998, and set the path cost of GigabitEthernet 3/0/3 to 2000 on VLANs 20 through 30.
<Sysname> system-view
[Sysname] stp mode pvst
[Sysname] stp pathcost-standard dot1d-1998
[Sysname] interface gigabitethernet 3/0/3
[Sysname-GigabitEthernet3/0/3] stp vlan 20 to 30 cost 2000

Configuring the port priority


The priority of a port is an important factor in determining whether the port can be elected as the root
port of a device. If all other conditions are the same, the port with the highest priority will be elected as
the root port.
On a spanning tree device, a port can have different priorities and play different roles in different
spanning trees, so that data of different VLANs can be propagated along different physical paths,
implementing per-VLAN load balancing. You can set port priority values based on the actual networking
requirements.
To configure the priority of a port or a group of ports:

Step Command Remarks


1. Enter system view. system-view N/A
• Enter Ethernet interface view or
Layer 2 aggregate interface view:
interface interface-type
2. Enter interface view or port group
interface-number Use either command.
view.
• Enter port group view:
port-group manual
port-group-name

• In STP/RSTP mode:
stp port priority priority
• In PVST mode: Use any command.
stp vlan vlan-list port priority
3. Configure the port priority. The default setting is
priority
128 for all ports.
• In MSTP mode:
stp [ instance instance-id ] port
priority priority

NOTE:
If the port priority changes, the system re-calculates the port role and initiate a state transition.

80
Configuring the port link type
A point-to-point link directly connects two devices. If two root ports or designated ports are connected
over a point-to-point link, they can rapidly transition to the forwarding state after a proposal-agreement
handshake process.

Configuration restrictions and guidelines


• You can configure the link type as point-to-point for a Layer 2 aggregate interface or a port that
operates in full duplex mode. HP recommends you to use the default setting and let the switch to
automatically detect the port link type.
• The stp point-to-point force-false or stp point-to-point force-true command configured on a port in
MSTP or PVST mode is effective for all MSTIs or VLANs.
• If the physical link to which the port connects is not a point-to-point link but you set it to be one, the
configuration may bring a temporary loop.

Configuration procedure
To configure the link type of a port or a group of ports:

Step Command Remarks


1. Enter system view. system-view N/A
• Enter Ethernet interface view
or Layer 2 aggregate
interface view:
2. Enter interface view or port group interface interface-type
Use either command.
view. interface-number
• Enter port group view:
port-group manual
port-group-name
By default, the link type is auto
stp point-to-point { auto |
3. Configure the port link type. where the port automatically
force-false | force-true }
detects the link type.

Configuring the mode a port uses to


recognize/send MSTP packets
A port can receive/send MSTP packets in the following formats:
• dot1s—802.1s-compliant standard format
• legacy—Compatible format
By default, the packet format recognition mode of a port is auto. The port automatically distinguishes the
two MSTP packet formats, and determines the format of packets it will send based on the recognized
format.
You can configure the MSTP packet format on a port. When operating in MSTP mode after the
configuration, the port sends and receives only MSTP packets of the format you have configured to
communicate with devices that send packets of the same format.

81
MSTP provides MSTP packet format incompatibility guard. In MSTP mode, if a port is configured to
recognize/send MSTP packets in a mode other than auto, and receives a packet in a format different
from the specified type, the port will become a designated port and remain in the discarding state to
prevent the occurrence of a loop.
MSTP provides MSTP packet format frequent change guard. If a port receives MSTP packets of different
formats frequently, the MSTP packet format configuration contains errors. If the port is operating in MSTP
mode, it will be shut down for protection. Ports disabled in this way can be re-activated after a detection
interval. For more information about the detection interval, see Fundamentals Configuration Guide.
To configure the MSTP packet format to be supported on a port or a group of ports:

Step Command Remarks


1. Enter system view. system-view N/A
• Enter Ethernet interface
view or Layer 2 aggregate
interface view:
2. Enter interface view or port group interface interface-type
Use either command.
view. interface-number
• Enter port group view:
port-group manual
port-group-name
3. Configure the mode the port uses to stp compliance { auto | dot1s |
The default setting is auto.
recognize/send MSTP packets. legacy }

Enabling the spanning tree feature


CAUTION:
You can disable the spanning tree feature for certain ports with the undo stp enable command to exclude
them from spanning tree calculation and save CPU resources of the switch. However, use this command
with caution because the ports with the spanning tree feature disabled will keep forwarding data traffic
and discard STP BPDUs, and loops can occur.

You must enable the spanning tree feature for the switch before any other spanning tree related
configurations can take effect.

Enabling the spanning tree protocol in STP, RSTP, or MSTP


mode
In STP/RSTP/MSTP mode, make sure the spanning tree feature is enabled globally and on the desired
ports.
To enable the spanning tree protocol in STP, RSTP, or MSTP mode:

Step Command Remarks


1. Enter system view. system-view N/A

2. Enable the spanning tree feature By default, the spanning tree


stp enable
globally. feature is globally enabled.

82
Step Command Remarks
• Enter Ethernet interface view
or Layer 2 aggregate
interface view:
3. Enter interface view or port group interface interface-type
Use either command.
view. interface-number
• Enter port group view:
port-group manual
port-group-name
Optional.
4. Enable the spanning tree feature for
stp enable By default, the spanning tree
the port or group of ports.
feature is enabled for all ports.

Enabling the spanning tree protocol in PVST mode


In the PVST mode, make sure the spanning tree feature is enabled globally and on the desired VLANs
and ports.
To enable the spanning tree protocol in PVST mode:

Step Command Remarks


1. Enter system view. system-view N/A

2. Enable the spanning tree feature By default, the spanning tree


stp enable
globally. feature is globally enabled.

3. Enable the spanning tree feature for By default, PVST is enabled for
stp vlan vlan-list enable
the desired VLANs. all VLANs.
• Enter Ethernet interface view
or Layer 2 aggregate
interface view:
4. Enter interface view or port group interface interface-type
Use either command.
view. interface-number
• Enter port group view:
port-group manual
port-group-name
Optional.
5. Enable the spanning tree feature for
stp enable By default, the spanning tree
the port or group of ports.
feature is enabled for all ports.

Performing mCheck
If a port on a device running MSTP, RSTP, or PVST connects to an STP device, this port will automatically
transition to the STP mode. However, it cannot automatically transition back to the original mode when:
• The STP device is shut down or removed.
• The STP device transitions to the MSTP, RSTP, or PVST mode.
To forcibly transition the port to operate in the original mode, you can perform an mCheck operation. An
mCheck operation takes effect on a device that operates in MSTP, RSTP, or PVST mode.

83
The following methods for performing mCheck produce the same result.

Performing mCheck globally


Step Command
1. Enter system view. system-view

2. Perform mCheck. stp mcheck

Performing mCheck in interface view


Step Command
1. Enter system view. system-view
2. Enter Ethernet interface view or Layer 2 aggregate
interface interface-type interface-number
interface view.
3. Perform mCheck. stp mcheck

Configuring the VLAN Ignore feature


Traffic of a VLAN on a complex network may be blocked by the spanning tree.
Figure 22 VLAN connectivity blocked by MSTP

As shown in Figure 22:


• Port A1 on Device A allows the traffic of VLAN 1 to pass through, and Port A2 allows the traffic of
VLAN 2 to pass through.
• Port B1 on Device B allows the traffic of VLAN 1 to pass through, and Port B2 allows the traffic of
VLAN 2 to pass through.
• Device A and Device B run a spanning tree protocol. Device A is the root bridge, and Port A1 and
Port A2 are designated ports. On Device B, Port B1 is the root port, and port B2 is the blocked port.
Traffic of VLAN 2 is blocked.
• Enabling the VLAN Ignore feature for a VLAN can make ports of the VLAN forward packets
normally rather than comply with the spanning tree calculation result.

Configuration procedure
To configure the VLAN Ignore feature:

84
Step Command Remarks
1. Enter system view. system-view N/A

2. Enable VLAN Ignore for the By default, VLAN Ignore is


stp ignored vlan vlan-list
specified VLANs. disabled.

display stp ignored-vlan [ | Optional.


3. Display VLAN Ignore-enabled
{ begin | exclude | include }
VLANs. Available in any view.
regular-expression ]

Configuration example
Network requirements
As shown in Figure 23:
• Device A and Device B are directly connected.
• GigabitEthernet 4/0/1 on Device A and GigabitEthernet 4/0/1 on Device B allow the traffic of
VLAN 1 to pass through. GigabitEthernet 4/0/2 on Device A and GigabitEthernet 4/0/2 on
Device B allow the traffic of VLAN 2 to pass through.
• Device A is the root bridge, and Device A and Device B both run a spanning tree protocol.
GigabitEthernet 4/0/2 on Device B is blocked, causing traffic of VLAN 2 to be blocked.
Configure VLAN Ignore to keep GigabitEthernet 4/0/2 of Device B in the forwarding state.
Figure 23 Network diagram
Root
bridge VLAN 1
GE4/0/1 GE4/0/1

GE4/0/2 VLAN 2 GE4/0/2


Device A Device B

Root port Designated port Blocked port

Normal link Blocked link

Configuration procedure
# Enable VLAN Ignore for VLAN 2 on Device B.
<DeviceB> system-view
[DeviceB] stp ignored vlan 2

# Display the VLAN Ignore-enabled VLAN.


[DeviceB] display stp ignored-vlan
STP-Ignored VLAN: 2

Configuring Digest Snooping


As defined in IEEE 802.1s, interconnected devices are in the same region only when their MST
region-related configurations (region name, revision level, and VLAN-to-instance mappings) are
identical. A spanning tree device identifies devices in the same MST region by checking the configuration
ID in BPDU packets. The configuration ID includes the region name, revision level, and configuration

85
digest that is in 16-byte length and is the result calculated via the HMAC-MD5 algorithm based on
VLAN-to-instance mappings.
Spanning tree implementations vary with vendors, and the configuration digests calculated using private
keys is different, so devices of different vendors in the same MST region cannot communicate with each
other.
To enable communication between an HP device and a third-party device, enable the Digest Snooping
feature on the port connecting the HP device to the third-party device in the same MST region.

Configuration restrictions and guidelines


• Before enabling Digest Snooping, make sure associated devices of different vendors are connected
and run spanning tree protocols.
• With the Digest Snooping feature enabled, comparison of configuration digest is not needed for
in-the-same-region check, so the VLAN-to-instance mappings must be the same on associated ports.
• With global Digest Snooping enabled, modification of VLAN-to-instance mappings and removing
of the current region configuration using the undo stp region-configuration command can cause
loops or traffic interruption if the VLAN-to-instance mappings on the device differ from those on the
neighboring devices. Perform these operations with caution.
• To make Digest Snooping take effect, you must enable Digest Snooping both globally and on
associated ports. To make the configuration effective on all configured ports and while reducing
impact on the network, enable Digest Snooping on all associated ports first and then globally.
• To prevent loops, do not enable Digest Snooping on MST region edge ports.
• HP recommends you to enable Digest Snooping first and then the spanning tree feature. To avoid
traffic interruption, do not configure Digest Snooping when the network is already working well.
• You can enable Digest Snooping only on the HP device that is connected to a third-party device that
uses its private key to calculate the configuration digest.

Configuration procedure
To configure Digest Snooping:

Step Command Remarks


1. Enter system view. system-view N/A
• Enter Ethernet interface view or
Layer 2 aggregate interface
view:
2. Enter interface view or port group interface interface-type
Use either command.
view. interface-number
• Enter port group view:
port-group manual
port-group-name

3. Enable Digest Snooping on the By default, Digest Snooping


stp config-digest-snooping
interface or port group. is disabled on a port.

4. Return to system view. quit N/A

By default, Digest Snooping


5. Enable global Digest Snooping. stp config-digest-snooping
is disabled globally.

86
Configuration example
Network requirements
As shown in Figure 24, Device A and Device B connect to Device C, which is a third-party device. All
these devices are in the same region.
Enable Digest Snooping on Device A’s and Device B’s ports that connect to Device C, so that the three
devices can communicate with one another.
Figure 24 Network diagram

Configuration procedure
# Enable Digest Snooping on GigabitEthernet 4/0/1 of Device A and enable global Digest Snooping
on Device A.
<DeviceA> system-view
[DeviceA] interface gigabitethernet 4/0/1
[DeviceA-GigabitEthernet4/0/1] stp config-digest-snooping
[DeviceA-GigabitEthernet4/0/1] quit
[DeviceA] stp config-digest-snooping

# Enable Digest Snooping on GigabitEthernet 4/0/1 of Device B and enable global Digest Snooping
on Device B.
<DeviceB> system-view
[DeviceB] interface gigabitethernet 4/0/1
[DeviceB-GigabitEthernet4/0/1] stp config-digest-snooping
[DeviceB-GigabitEthernet4/0/1] quit
[DeviceB] stp config-digest-snooping

Configuring No Agreement Check


In RSTP and MSTP, the following types of messages are used for rapid state transition on designated
ports:
• Proposal—Sent by designated ports to request rapid transition
• Agreement—Used to acknowledge rapid transition requests

87
Both RSTP and MSTP devices can perform rapid transition on a designated port only when the port
receives an agreement packet from the downstream device. RSTP and MSTP devices have the following
differences:
• For MSTP, the downstream device’s root port sends an agreement packet only after it receives an
agreement packet from the upstream device.
• For RSTP, the downstream device sends an agreement packet regardless of whether an agreement
packet from the upstream device is received.
Figure 25 shows the rapid state transition mechanism on MSTP designated ports.
Figure 25 Rapid state transition of an MSTP designated port
Upstream device Downstream device

(1) Proposal for rapid transition The root port blocks non-edge
ports.

The root port changes to the


(2) Agreement forwarding state and sends an
Agreement to the upstream
device.

The designated port (3) Agreement


changes to the
forwarding state.

Root port Designated port

Figure 26 shows rapid state transition of an RSTP designated port.


Figure 26 Rapid state transition of an RSTP designated port
Upstream device Downstream device

The root port blocks non-edge


(1) Proposal for rapid transition ports, changes to the forwarding
state, and sends an Agreement to
the upstream device.

The designated (2) Agreement


port changes to the
forwarding state.

Root port Designated port

If the upstream device is a third-party device, the rapid state transition implementation may be limited.
For example, when the upstream device uses a rapid transition mechanism similar to that of RSTP, and the
downstream device adopts MSTP and does not operate in RSTP mode, the root port on the downstream
device receives no agreement packet from the upstream device and sends no agreement packets to the
upstream device. As a result, the designated port of the upstream device fails to transit rapidly and can
only change to the forwarding state after a period twice the Forward Delay.
You can enable the No Agreement Check feature on the downstream device’s port to enable the
designated port of the upstream device to transit its state rapidly.

88
Configuration prerequisites
Before you configure the No Agreement Check function, complete the following tasks:
• Connect a device to a third-party upstream device supporting spanning tree protocols via a
point-to-point link.
• Configure the same region name, revision level and VLAN-to-instance mappings on the two devices,
assigning them to the same region.

Configuration procedure
To make the No Agreement Check feature take effect, enable it on the root port.
To configure No Agreement Check:

Step Command Remarks


1. Enter system view. system-view N/A
• Enter Ethernet interface view or Layer 2
aggregate interface view:
2. Enter interface view or port interface interface-type
Use either command.
group view. interface-number
• Enter port group view:
port-group manual port-group-name
3. Enable No Agreement By default, No Agreement
stp no-agreement-check
Check. Check is disabled.

Configuration example
Network requirements
As shown in Figure 27:
• Device A connects to Device B, a third-party device that has a different spanning tree
implementation. Both devices are in the same region.
• Device B is the regional root bridge, and Device A is the downstream device.
Figure 27 No Agreement Check configuration
Root bridge
GE4/0/1 GE4/0/1

Device A Device B

Root port Designated port

Configuration procedure
# Enable No Agreement Check on GigabitEthernet 4/0/1 of Device A.
<DeviceA> system-view
[DeviceA] interface gigabitethernet 4/0/1
[DeviceA-GigabitEthernet4/0/1] stp no-agreement-check

89
Configuring TC snooping
Figure 28 shows a topology change (TC) snooping application scenario. Device A and Device B are both
IRF-enabled switches and form an IRF fabric; they operate at the distribution layer and do not have any
spanning tree protocol enabled. The IRF fabric formed by Device A and Device B connect to multiple
access-layer customer networks, such as Customer 1 and Customer 2. Device C, Device D, and Device
E in customer network Customer 1 are all enabled with a spanning tree protocol. Customer 1 is
dual-uplinked to the IRF fabric for high availability. The IRF fabric transparently transmits STP BPDUs from
Customer 1 at Layer 2. Other customer networks (such as Customer 2) act the same as Customer 1.
Figure 28 TC snooping application scenario

In the network, the IRF fabric transparently transmits the received STP BPDUs and does not participate in
STP calculations. When a topology change occurs to the IRF fabric or attached access-layer networks,
the IRF fabric may need a long time to learn the correct MAC address table entries and ARP entries,
resulting in long network disruption. To avoid the network disruption, you can enable TC snooping on the
IRF fabric.
TC snooping enables the device to actively clear the MAC address table entries and ARP entries upon
receiving TC-BPDUs and to re-learn the MAC address table entries and ARP entries, so that the device
can normally forward the user traffic.

Configuration restrictions and guidelines


• TC snooping and the spanning tree feature are mutually exclusive. Globally disable the spanning
tree feature before you enable TC snooping.
• TC snooping is ineffective on the ports on which BPDU tunneling is enabled for STP. For more
information about BPDU tunneling, see "Configuring BPDU tunneling."

Configuration procedure
To configure TC snooping:

90
Step Command Description
1. Enter system view. system-view N/A

2. Globally disable the By default, the spanning tree feature is enabled


undo stp enable
spanning tree feature. globally.

3. Enable TC snooping. stp tc-snooping By default, TC snooping is disabled.

Configuring protection functions


A spanning tree device supports the following protection functions:
• BPDU guard
• Root guard
• Loop guard
• TC-BPDU guard

Enabling BPDU guard


IMPORTANT:
BPDU guard does not take effect on loopback-testing-enabled ports. For more information about
loopback testing, see Interface Configuration Guide.

For access layer devices, the access ports can directly connect to the user terminals (such as PCs) or file
servers. The access ports are configured as edge ports to allow rapid transition. When these ports
receive configuration BPDUs, the system automatically sets the ports as non-edge ports and starts a new
spanning tree calculation process. This causes a change of network topology. Under normal conditions,
these ports should not receive configuration BPDUs. However, if someone forges configuration BPDUs
maliciously to attack the devices, the network will become instable.
The spanning tree protocol provides the BPDU guard function to protect the system against such attacks.
With the BPDU guard function enabled on the devices, when edge ports receive configuration BPDUs,
the system will close these ports and notify the NMS that these ports have been closed by the spanning
tree protocol. Ports disabled in this way will be re-activated by the device after a detection interval. For
more information about this detection interval, see Fundamentals Configuration Guide.
Configure BPDU guard on a device with edge ports configured.
To enable BPDU guard:

Step Command Remarks


1. Enter system view. system-view N/A

2. Enable the BPDU guard By default, BPDU guard is


stp bpdu-protection
function for the switch. disabled.

Enabling root guard

91
IMPORTANT:
On a port, the root guard function and the loop guard function are mutually exclusive.

The root bridge and secondary root bridge of a spanning tree should be located in the same MST region.
Especially for the CIST, the root bridge and secondary root bridge are put in a high-bandwidth core
region during network design. However, due to possible configuration errors or malicious attacks in the
network, the legal root bridge may receive a configuration BPDU with a higher priority. The current legal
root bridge will be superseded by another device, causing an undesired change of the network topology.
As a result, the traffic that should go over high-speed links is switched to low-speed links, resulting in
network congestion.
To prevent this situation, MSTP provides the root guard function. If the root guard function is enabled on
a port of a root bridge, this port plays the role of designated port on all MSTIs. Once this port receives
a configuration BPDU with a higher priority from an MSTI, it immediately sets that port to the listening
state in the MSTI, without forwarding the packet (this is equivalent to disconnecting the link connected
with this port in the MSTI). If the port receives no BPDUs with a higher priority within twice the forwarding
delay, it will revert to its original state.
Configure root guard on a designated port.
To enable root guard:

Step Command Remarks


1. Enter system view. system-view N/A
• Enter Ethernet interface view or
Layer 2 aggregate interface
view:
2. Enter interface view or port group interface interface-type
Use either command.
view. interface-number
• Enter port group view:
port-group manual
port-group-name
3. Enable the root guard function for By default, root guard is
stp root-protection
the ports. disabled.

Enabling loop guard


CAUTION:
• Do not enable loop guard on a port connecting user terminals. Otherwise, the port will stay in the
discarding state in all MSTIs because it cannot receive BPDUs.
• On a port, the loop guard function is mutually exclusive with the edge port settings or the root guard
function.

A device that keeps receiving BPDUs from the upstream device can maintain the state of the root port and
blocked ports. However, link congestion or unidirectional link failures may cause these ports to fail to
receive BPDUs from the upstream devices. The device will reselect the port roles: Those ports in
forwarding state that failed to receive upstream BPDUs will become designated ports, and the blocked
ports will transition to the forwarding state, resulting in loops in the switched network. The loop guard
function can suppress the occurrence of such loops.

92
The initial state of a loop guard-enabled port is discarding in every MSTI. When the port receives BPDUs,
its state transitions normally. Otherwise, it stays in the discarding state to prevent temporary loops.
Configure loop guard on the root port and alternate ports of a device.
To enable loop guard:

Step Command Remarks


1. Enter system view. system-view N/A
• Enter Ethernet interface view or Layer
2 aggregate interface view:
2. Enter interface view or port interface interface-type
Use either command.
group view. interface-number
• Enter port group view:
port-group manual port-group-name
3. Enable the loop guard By default, loop guard is
stp loop-protection
function for the ports. disabled.

Enabling TC-BPDU guard


When a switch receives topology change (TC) BPDUs, it flushes the forwarding address entries. If
someone forges TC-BPDUs to attack the switch, the switch will receive a large number of TC-BPDUs within
a short time and be busy with forwarding address entry flushing. This affects network stability.
With the TC-BPDU guard function, you can set the maximum number of immediate forwarding address
entry flushes that the switch can perform every a certain period of time (10 seconds). For TC-BPDUs
received in excess of the limit, the switch performs a forwarding address entry flush when the time period
expires. This prevents frequent flushing of forwarding address entries.
To enable TC-BPDU guard:

Step Command Remarks


1. Enter system view. system-view N/A

Optional.
2. Enable the TC-BPDU guard function. stp tc-protection enable By default, TC-BPDU guard is
enabled.
3. Configure the maximum number of Optional.
stp tc-protection threshold
forwarding address entry flushes that the
number The default setting is 6.
switch can perform every 10 seconds.

NOTE:
HP does not recommend you disable this feature.

Displaying and maintaining the spanning tree


Task Command Remarks
Display information about ports blocked display stp abnormal-port [ | { begin | Available in any
by spanning tree protection functions. exclude | include } regular-expression ] view.

93
Task Command Remarks
display stp bpdu-statistics [ interface
interface-type interface-number [ instance Available in any
Display BPDU statistics on ports.
instance-id ] ] [ | { begin | exclude | view.
include } regular-expression ]

Display information about ports shut


display stp down-port [ | { begin | Available in any
down by spanning tree protection
exclude | include } regular-expression ] view.
functions.

Display the historical information of port display stp [ instance instance-id ] history
Available in any
role calculation for the specified MSTI or [ slot slot-number ] [ | { begin | exclude |
view.
all MSTIs (in standalone mode). include } regular-expression ]

display stp [ instance instance-id ] history


Display the historical information of port
[ chassis chassis-number slot slot-number ] Available in any
role calculation for the specified MSTI or
[ | { begin | exclude | include } view.
all MSTIs (in IRF mode).
regular-expression ]

Display the statistics of TC/TCN BPDUs


display stp [ instance instance-id ] tc [ slot
sent and received by all ports in the Available in any
slot-number ] [ | { begin | exclude |
specified MSTI or all MSTIs (in standalone view.
include } regular-expression ]
mode).

display stp [ instance instance-id ] tc


Display the statistics of TC/TCN BPDUs
[ chassis chassis-number slot slot-number ] Available in any
sent and received by all ports in the
[ | { begin | exclude | include } view.
specified MSTI or all MSTIs (in IRF mode).
regular-expression ]

display stp [ instance instance-id ]


Display the spanning tree status and [ interface interface-list | slot slot-number ] Available in any
statistics (in standalone mode). [ brief ] [ | { begin | exclude | include } view.
regular-expression ]

display stp [ instance instance-id ]


[ interface interface-list | chassis
Display the spanning tree status and Available in any
chassis-number slot slot-number ] [ brief ]
statistics (in IRF mode). view.
[ | { begin | exclude | include }
regular-expression ]

display stp region-configuration [ |


Display the MST region configuration Available in any
{ begin | exclude | include }
information that has taken effect. view.
regular-expression ]

Display the root bridge information of all display stp root [ | { begin | exclude | Available in any
MSTIs. include } regular-expression ] view.

Display the list of VLANs with VLAN display stp ignored-vlan [ | { begin | Available in any
Ignore enabled. exclude | include } regular-expression ] view.

Available in user
Clear the spanning tree statistics. reset stp [ interface interface-list ]
view.

94
Spanning tree configuration examples
MSTP configuration example
Network requirements
As shown in Figure 29:
• All devices on the network are in the same MST region. Device A and Device B work at the
distribution layer. Device C and Device D work at the access layer.
• Configure MSTP so that packets of different VLANs are forwarded along different spanning trees:
Packets of VLAN 10 are forwarded along MSTI 1, those of VLAN 30 are forwarded along MSTI 3,
those of VLAN 40 are forwarded along MSTI 4, and those of VLAN 20 are forwarded along MSTI
0.
• VLAN 10 and VLAN 30 are terminated on the distribution layer devices, and VLAN 40 is
terminated on the access layer devices, so the root bridges of MSTI 1 and MSTI 3 are Device A and
Device B, and the root bridge of MSTI 4 is Device C.
Figure 29 Network diagram
/1

GE
3/0

3/0
GE

/1
/1

GE
3/0

3/0
GE

/1

Configuration procedure
1. Configure VLANs and VLAN member ports: (Details not shown.)
{ Create VLAN 10, VLAN 20, and VLAN 30 on Device A and Device B.
{ Create VLAN 10, VLAN 20, and VLAN 40 on Device C.
{ Create VLAN 20, VLAN 30, and VLAN 40 on Device D.
{ Configure the ports on these devices as trunk ports and assign them to related VLANs.
2. Configure Device A:
# Enter MST region view, configure the MST region name as example, map VLAN 10, VLAN 30,
and VLAN 40 to MSTI 1, MSTI 3, and MSTI 4, respectively, and configure the revision level of the
MST region as 0.
<DeviceA> system-view
[DeviceA] stp region-configuration
[DeviceA-mst-region] region-name example

95
[DeviceA-mst-region] instance 1 vlan 10
[DeviceA-mst-region] instance 3 vlan 30
[DeviceA-mst-region] instance 4 vlan 40
[DeviceA-mst-region] revision-level 0
# Activate MST region configuration.
[DeviceA-mst-region] active region-configuration
[DeviceA-mst-region] quit
# Specify the current device as the root bridge of MSTI 1.
[DeviceA] stp instance 1 root primary
# Enable the spanning tree feature globally.
[DeviceA] stp enable
3. Configure Device B:
# Enter MST region view, configure the MST region name as example, map VLAN 10, VLAN 30,
and VLAN 40 to MSTI 1, MSTI 3, and MSTI 4, respectively, and configure the revision level of the
MST region as 0.
<DeviceB> system-view
[DeviceB] stp region-configuration
[DeviceB-mst-region] region-name example
[DeviceB-mst-region] instance 1 vlan 10
[DeviceB-mst-region] instance 3 vlan 30
[DeviceB-mst-region] instance 4 vlan 40
[DeviceB-mst-region] revision-level 0
# Activate MST region configuration.
[DeviceB-mst-region] active region-configuration
[DeviceB-mst-region] quit
# Specify the current device as the root bridge of MSTI 3.
[DeviceB] stp instance 3 root primary
# Enable the spanning tree feature globally.
[DeviceB] stp enable
4. Configure Device C:
# Enter MST region view, configure the MST region name as example, map VLAN 10, VLAN 30,
and VLAN 40 to MSTI 1, MSTI 3, and MSTI 4, respectively, and configure the revision level of the
MST region as 0.
<DeviceC> system-view
[DeviceC] stp region-configuration
[DeviceC-mst-region] region-name example
[DeviceC-mst-region] instance 1 vlan 10
[DeviceC-mst-region] instance 3 vlan 30
[DeviceC-mst-region] instance 4 vlan 40
[DeviceC-mst-region] revision-level 0
# Activate MST region configuration.
[DeviceC-mst-region] active region-configuration
[DeviceC-mst-region] quit
# Specify the current device as the root bridge of MSTI 4.
[DeviceC] stp instance 4 root primary
# Enable the spanning tree feature globally.

96
[DeviceC] stp enable
5. Configure Device D:
# Enter MST region view, configure the MST region name as example, map VLAN 10, VLAN 30,
and VLAN 40 to MSTI 1, MSTI 3, and MSTI 4, respectively, and configure the revision level of the
MST region as 0.
<DeviceD> system-view
[DeviceD] stp region-configuration
[DeviceD-mst-region] region-name example
[DeviceD-mst-region] instance 1 vlan 10
[DeviceD-mst-region] instance 3 vlan 30
[DeviceD-mst-region] instance 4 vlan 40
[DeviceD-mst-region] revision-level 0
# Activate MST region configuration.
[DeviceD-mst-region] active region-configuration
[DeviceD-mst-region] quit
# Enable the spanning tree feature globally.
[DeviceD] stp enable
6. Verify the configuration:
You can use the display stp brief command to display brief spanning tree information on each
device after the network is stable.
# Display brief spanning tree information on Device A.
[DeviceA] display stp brief
MSTID Port Role STP State Protection
0 GigabitEthernet3/0/1 ALTE DISCARDING NONE
0 GigabitEthernet3/0/2 DESI FORWARDING NONE
0 GigabitEthernet3/0/3 ROOT FORWARDING NONE
1 GigabitEthernet3/0/1 DESI FORWARDING NONE
1 GigabitEthernet3/0/3 DESI FORWARDING NONE
3 GigabitEthernet3/0/2 DESI FORWARDING NONE
3 GigabitEthernet3/0/3 ROOT FORWARDING NONE
# Display brief spanning tree information on Device B.
[DeviceB] display stp brief
MSTID Port Role STP State Protection
0 GigabitEthernet3/0/1 DESI FORWARDING NONE
0 GigabitEthernet3/0/2 DESI FORWARDING NONE
0 GigabitEthernet3/0/3 DESI FORWARDING NONE
1 GigabitEthernet3/0/2 DESI FORWARDING NONE
1 GigabitEthernet3/0/3 ROOT FORWARDING NONE
3 GigabitEthernet3/0/1 DESI FORWARDING NONE
3 GigabitEthernet3/0/3 DESI FORWARDING NONE
# Display brief spanning tree information on Device C.
[DeviceC] display stp brief
MSTID Port Role STP State Protection
0 GigabitEthernet3/0/1 DESI FORWARDING NONE
0 GigabitEthernet3/0/2 ROOT FORWARDING NONE
0 GigabitEthernet3/0/3 DESI FORWARDING NONE
1 GigabitEthernet3/0/1 ROOT FORWARDING NONE

97
1 GigabitEthernet3/0/2 ALTE DISCARDING NONE
4 GigabitEthernet3/0/3 DESI FORWARDING NONE
# Display brief spanning tree information on Device D.
[DeviceD] display stp brief
MSTID Port Role STP State Protection
0 GigabitEthernet3/0/1 ROOT FORWARDING NONE
0 GigabitEthernet3/0/2 ALTE DISCARDING NONE
0 GigabitEthernet3/0/3 ALTE DISCARDING NONE
3 GigabitEthernet3/0/1 ROOT FORWARDING NONE
3 GigabitEthernet3/0/2 ALTE DISCARDING NONE
4 GigabitEthernet3/0/3 ROOT FORWARDING NONE
Based on the output, you can draw the MSTI mapped to each VLAN, as shown in Figure 30.
Figure 30 MSTIs mapped to different VLANs

PVST configuration example


Network requirements
As shown in Figure 31, Device A and Device B work at the distribution layer. Device C and Device D work
at the access layer.
Configure PVST so that packets of different VLANs are forwarded along different spanning trees.
VLAN 10, VLAN 20, and VLAN 30 are terminated on the distribution layer devices, and VLAN 40 is
terminated on the access layer devices. The root bridge of VLAN 10 and VLAN 20 is Device A, that of
VLAN 30 is Device B, and that of VLAN 40 is Device C.

98
Figure 31 Network diagram

/1

GE
3/0

3/0
GE

/1
/1

GE
3/0

3/0
GE

/1
Configuration procedure
1. Configure VLANs and VLAN member ports: (Details not shown.)
{ Create VLAN 10, VLAN 20, and VLAN 30 on Device A and Device B.
{ Create VLAN 10, VLAN 20, and VLAN 40 on Device C.
{ Create VLAN 20, VLAN 30, and VLAN 40 on Device D.
{ Configure the ports on these devices as trunk ports and assign them to related VLANs.
2. Configure Device A:
# Set the spanning tree mode to PVST.
<DeviceA> system-view
[DeviceA] stp mode pvst
# Specify the device as the root bridge of VLAN 10 and VLAN 20.
[DeviceA] stp vlan 10 20 root primary
# Enable the spanning tree feature globally, and enable the spanning tree feature for VLANs 10,
20, and 30.
[DeviceA] stp enable
[DeviceA] stp vlan 10 20 30 enable
3. Configure Device B:
# Set the spanning tree mode to PVST.
<DeviceB> system-view
[DeviceB] stp mode pvst
# Specify the device as the root bridge of VLAN 30.
[DeviceB] stp vlan 30 root primary
# Enable the spanning tree feature globally, and enable the spanning tree feature for VLANs 10,
20, and 30.
[DeviceB] stp enable
[DeviceB] stp vlan 10 20 30 enable
4. Configure Device C:
# Set the spanning tree mode to PVST.

99
<DeviceC> system-view
[DeviceC] stp mode pvst
# Specify the current device as the root bridge of VLAN 40.
[DeviceC] stp vlan 40 root primary
# Enable the spanning tree feature globally, and enable the spanning tree feature for VLANs 10,
20, and 40.
[DeviceC] stp enable
[DeviceC] stp vlan 10 20 40 enable
5. Configure Device D:
# Set the spanning tree mode to PVST.
<DeviceD> system-view
[DeviceD] stp mode pvst
# Enable the spanning tree feature globally, and enable the spanning tree feature for VLANs 20,
30, and 40.
[DeviceD] stp enable
[DeviceD] stp vlan 20 30 40 enable
6. Verify the configuration:
You can use the display stp brief command to display brief spanning tree information on each
device after the network is stable.
[DeviceA] display stp brief
VLAN Port Role STP State Protection
10 GigabitEthernet3/0/1 DESI DISCARDING NONE
10 GigabitEthernet3/0/3 DESI FORWARDING NONE
20 GigabitEthernet3/0/1 DESI FORWARDING NONE
20 GigabitEthernet3/0/2 DESI FORWARDING NONE
20 GigabitEthernet3/0/3 DESI FORWARDING NONE
30 GigabitEthernet3/0/2 DESI FORWARDING NONE
30 GigabitEthernet3/0/3 ROOT FORWARDING NONE
# Display brief spanning tree information on Device B.
[DeviceB] display stp brief
VLAN Port Role STP State Protection
10 GigabitEthernet3/0/2 DESI FORWARDING NONE
10 GigabitEthernet3/0/3 ROOT FORWARDING NONE
20 GigabitEthernet3/0/1 DESI FORWARDING NONE
20 GigabitEthernet3/0/2 DESI FORWARDING NONE
20 GigabitEthernet3/0/3 ROOT FORWARDING NONE
30 GigabitEthernet3/0/1 DESI FORWARDING NONE
30 GigabitEthernet3/0/3 DESI FORWARDING NONE
# Display brief spanning tree information on Device C.
[DeviceC] display stp brief
VLAN Port Role STP State Protection
10 GigabitEthernet3/0/1 ROOT FORWARDING NONE
10 GigabitEthernet3/0/2 ALTE FORWARDING NONE
20 GigabitEthernet3/0/1 ROOT FORWARDING NONE
20 GigabitEthernet3/0/2 ALTE FORWARDING NONE
20 GigabitEthernet3/0/3 DESI DISCARDING NONE
40 GigabitEthernet3/0/3 DESI FORWARDING NONE

100
# Display brief spanning tree information on Device D.
[DeviceD] display stp brief
VLAN Port Role STP State Protection
20 GigabitEthernet3/0/1 ALTE FORWARDING NONE
20 GigabitEthernet3/0/2 ROOT DISCARDING NONE
20 GigabitEthernet3/0/3 ALTE DISCARDING NONE
30 GigabitEthernet3/0/1 ROOT FORWARDING NONE
30 GigabitEthernet3/0/2 ALTE DISCARDING NONE
40 GigabitEthernet3/0/3 ROOT FORWARDING NONE
Based on the output, you can draw the spanning tree mapped to each VLAN, as shown in Figure
32.
Figure 32 Spanning trees mapped to different VLANs

101
Configuring Ethernet link aggregation

When the device operating in IRF mode is enabled with enhanced IRF mode, it does not support creating
Layer 3 Ethernet interfaces/subinterfaces or Layer 3 aggregate interfaces/subinterfaces.
The device supports a maximum of 240 aggregation groups. An aggregation group supports a
maximum number of 12 Selected ports on a single device. For IRF mode, the maximum number of
Selected ports supported by an aggregation group is 12 multiplied by the number of IRF member
devices.

Overview
Ethernet link aggregation, or simply link aggregation, combines multiple physical Ethernet ports into one
logical link, called an aggregate link. Link aggregation delivers the following benefits:
• Increases bandwidth beyond the limits of any single link. In an aggregate link, traffic is distributed
across the member ports.
• Improves link reliability. The member ports dynamically back up one another. When a member port
fails, its traffic is automatically switched to other member ports.
As shown in Figure 33, Device A and Device B are connected by three physical Ethernet links. These
physical Ethernet links are combined into an aggregate link, Link Aggregation 1. The bandwidth of this
aggregate link is as high as the total bandwidth of these three physical Ethernet links. At the same time,
the three Ethernet links back up one another.
Figure 33 Ethernet link aggregation

Basic concepts
Aggregation group, member port, and aggregate interface
Ethernet link aggregation is implemented through link aggregation groups. An aggregation group is a
group of Ethernet interfaces aggregated together, which are called member ports of the aggregation
group. For each aggregation group, a logical interface, called an aggregate interface is created. To an
upper layer entity that uses the link aggregation service, a link aggregation group looks like a single
logical link and data traffic is transmitted through the aggregate interface.
There are two types of aggregate interfaces: Bridge-Aggregation (BAGG) interfaces, which are Layer 2
aggregate interfaces, and Route-Aggregation (RAGG) interfaces, which are Layer 3 aggregate
interfaces. When an aggregate interface is created, an aggregation group of the same type and
numbered the same is created automatically. For example, when you create interface
Bridge-Aggregation 1, Layer 2 aggregation group 1 is created.
To a Layer 2 aggregation group, you can assign only Layer 2 Ethernet interfaces; to a Layer 3
aggregation group, only Layer 3 Ethernet interfaces.

102
NOTE:
• On a Layer 3 aggregate interface, you can create subinterfaces, which are called "Layer 3 aggregate
subinterfaces." These subinterfaces are logical interfaces that operate at the network layer. They can
receive VLAN tagged packets for their Layer 3 aggregate interface.
• The rate of an aggregate interface equals the total rate of its member ports in selected state and its
duplex mode is the same as that of the selected member ports. For more information about the states of
member ports in an aggregation group, see "Aggregation states of member ports in an aggregation
group."

Aggregation states of member ports in an aggregation group


A member port in an aggregation group can be in either of the following two aggregation states:
• Selected—A Selected port can forward user traffic.
• Unselected—An Unselected port cannot forward user traffic.

Operational key
When aggregating ports, the system automatically assigns each port an operational key based on port
information such as port rate and duplex mode. Any change to this information triggers a recalculation
of this operational key.
In an aggregation group, all selected member ports are assigned the same operational key.

Configuration classes
Every configuration setting on a member port in a link aggregation group may affect the aggregation
state of the port in the group more or less. They are divided into three configuration classes:
• Port attribute configurations, including port rate, duplex mode, and link status (up/down), which
are the most basic port configurations.
• Class-two configurations, as described in Table 12. A member port can be placed in selected state
only if it has the same class-two configurations as the aggregate interface.
Table 12 Class-two configurations

Item Considerations
Whether the port has joined an isolation group, and the isolation group to which
Port isolation
the port belongs

QinQ enable state (enable/disable), TPID for VLAN tags, outer VLAN tags to be
QinQ added, inner-to-outer VLAN priority mappings, inner-to-outer VLAN tag
mappings, inner VLAN ID substitution mappings

Permitted VLAN IDs, PVID, link type (trunk, hybrid, or access), IP subnet-based
VLAN
VLAN configuration, protocol-based VLAN configuration, VLAN tagging mode

MAC address learning capability, MAC address learning limit, forwarding of


MAC address learning frames with unknown destination MAC addresses after the MAC address
learning limit is reached

103
NOTE:
• Class-two configurations made on an aggregate interface are automatically synchronized to all its
member ports. These configurations are retained on the member ports even after the aggregate
interface is removed.
• Any class-two configuration change may affect the aggregation state of link aggregation member ports
and thus ongoing traffic. To make sure that you are aware of the risk, the system displays a warning
message every time you attempt to change a class-two configuration setting on a member port.

• Class-one configurations, which are configurations that do not affect the aggregation state of the
member port even if they are different from those on the aggregate interface. GVRP and MSTP
settings are examples of class-one configurations.

Reference port
When setting the aggregation state of the ports in an aggregation group, the system automatically picks
a member port as the reference. This port is called the reference port of the aggregation group. The port
attribute and class-two configurations of every other member port are compared with those of the
reference port.

LACP protocol
The IEEE 802.3ad Link Aggregation Control Protocol (LACP) enables dynamic aggregation of physical
links. It uses link aggregation control protocol data units (LACPDUs) for exchanging aggregation
information between LACP-enabled network devices.
1. LACP functions
Based on the fields carried in LACPDUs, the functions delivered by the IEEE 802.3ad LACP fall into
basic LACP functions and extended LACP functions, as described in Table 13.
Table 13 Basic and extended LACP functions

Category Description
Implemented through the basic LACPDU fields including the system LACP priority,
system MAC address, port aggregation priority, port number, and operational key.
Each member port in a LACP-enabled aggregation group exchanges the above
Basic LACP functions information with its peer. When a member port receives an LACPDU, it compares
the received information with the information received on the other member ports. In
this way the two systems reach an agreement on which ports should be placed in the
selected state.

Implemented by extending the LACPDU with new Type/Length/Value (TLV) fields.


This is how the LACP multi-active detection (MAD) mechanism of the Intelligent
Resilient Framework (IRF) feature is implemented.
Extended LACP
• If a switch supports both LACP extensions and IRF, it can participate in LACP
functions
MAD either as an IRF member switch or an intermediate switch.
• If a switch supports LACP extensions but not IRF, it can participate in LACP MAD
only as an intermediate switch.

For more information about IRF, IRF member switches, intermediate switches, and the LACP MAD
mechanism, see IRF Configuration Guide.
2. LACP priorities
There are two types of LACP priorities: system LACP priority and port aggregation priority, as
described in Table 14.

104
Table 14 LACP priorities

Type Description Remarks


Used by two peer devices (or systems) to determine which one is superior in
link aggregation.
System LACP The smaller
priority In dynamic link aggregation, the system that has higher system LACP the priority
priority sets the selected state of member ports on its side first and then the value, the
system that has lower priority sets port state accordingly. higher the
priority.
Port aggregation Determines the likelihood of a member port to be selected on a system. The
priority higher port aggregation priority, the higher likelihood.

3. LACP timeout interval


The LACP timeout interval specifies how long a member port waits to receive LACPDUs from the
peer port. If a local member port fails to receive LACPDUs from the peer within three times the
LACP timeout interval, the member port assumes that the peer port has failed. You can configure
the LACP timeout interval as the short timeout interval (1 second) or the long timeout interval (30
seconds).

Link aggregation modes


There are two link aggregation modes: dynamic and static. Dynamic link aggregation uses LACP while
static link aggregation does not. A link aggregation group operating in static mode is called a static link
aggregation group, while a link aggregation group operating in dynamic mode is called a dynamic link
aggregation group. Table 15 compares the two aggregation modes.
Table 15 A comparison between static and dynamic aggregation modes

LACP status
Aggregation
on member Pros Cons
mode
ports
The member ports cannot
change their aggregation state
Aggregation is stable. The
in consistent with their peers.
Static Disabled aggregation state of the member
The administrator needs to
ports is not affected by their peers.
manually maintain link
aggregations.

The administrator does not need to The aggregation state of


maintain link aggregations. The peer member ports is easily affected
Dynamic Enabled systems maintain the aggregation by the network environment,
state of the member ports which makes dynamic
automatically. aggregation less stable.

In a dynamic link aggregation group:


• A Selected port can receive and send LACPDUs.
• An Unselected port can receive and send LACPDUs only if it is up and have the same class-two
configurations as the aggregate interface.

Aggregating links in static mode


LACP is disabled on the member ports in a static aggregation group. The aggregation state of the
member ports must be maintained manually.

105
Static link aggregation comprises:
• Selecting a reference port
• Setting the aggregation state of each member port

Selecting a reference port


The system selects a reference port from the member ports that are in the up state and have the same
class-two configurations as the aggregate interface.
The candidate ports are sorted by aggregation priority, duplex, and speed in the following order:
• Lowest aggregation priority value
• Full duplex/high speed
• Full duplex/low speed
• Half duplex/high speed
• Half duplex/low speed
The one at the top is selected as the reference port. If two ports have the same aggregation priority,
duplex mode, and speed, the one with the lower port number wins out.

Setting the aggregation state of each member port


After selecting the reference port, the static aggregation group sets the aggregation state of each
member port as shown in Figure 34.
Figure 34 Setting the aggregation state of a member port in a static aggregation group

106
NOTE:
• Any port attribute or class-two configuration change on a member port may change the aggregation
state and cause service interruption.
• A port that joins the static aggregation group after the Selected port limit has been reached will not be
placed in the selected state even if it otherwise should be. This is can prevent ongoing traffic on the
current Selected ports from being interrupted. You should avoid the situation, however, as it can cause
the aggregation state of a port to change after a reboot.

Aggregating links in dynamic mode


LACP is automatically enabled on all member ports in a dynamic aggregation group. The protocol
maintains the aggregation state of ports automatically.
Dynamic link aggregation comprises:
• Selecting a reference port
• Setting the aggregation state of each member port

Selecting a reference port


The local system (the actor) negotiates with the remote system (the partner) to select a reference port as
follows:
1. Compare the system ID (comprising the system LACP priority and the system MAC address) of the
actor with that of the partner. The system with the lower LACP priority value wins out. If they are the
same, compare the system MAC addresses. The system with the lower MAC address wins out.
2. Compare the port IDs of the ports on the system with the smaller system ID. A port ID comprises a
port aggregation priority and a port number. First compare the port aggregation priorities. The
port with the lower aggregation priority value wins out. If two ports have the same aggregation
priority, compare their port numbers. The port with the smaller port number wins out. Thus, the port
with the lowest port ID is selected as the reference port.

Setting the aggregation state of each member port


After the reference port is selected, the system with the lower system ID sets the state of each member port
in the dynamic aggregation group on its side as shown in Figure 35.

107
Figure 35 Setting the state of a member port in a dynamic aggregation group

Meanwhile, the system with the higher system ID, being aware of the aggregation state changes on the
remote system, changes the aggregation state of its ports accordingly.

NOTE:
• A dynamic link aggregation group preferably sets full-duplex ports as the Selected ports, and will set
one, and only one, half-duplex port as a Selected port when none of the full-duplex ports can be
selected or only half-duplex ports exist in the group.
• Any member port attribute or class-two configuration change may affect the aggregation state of link
aggregation member ports and ongoing traffic.
• In a dynamic aggregation group, when the aggregation state of a local port changes, the aggregation
state of the peer port also changes accordingly.
• A port that joins a dynamic aggregation group after the Selected port limit has been reached is placed
in Selected state if it is more eligible for being selected than a current member port.

108
Load sharing criteria for link aggregation groups
In a link aggregation group, traffic may be load-shared across the selected member ports based on a set
of criteria, depending on your configuration.
You can choose one of the following criteria or any combination for load sharing:
• MAC addresses
• IP addresses
• Service port numbers
• Ingress ports
• MPLS labels

Ethernet link aggregation configuration task list


Task Remarks
Configuring an Configuring a static aggregation group
aggregation Select either task.
group Configuring a dynamic aggregation group

Configuring the description of an aggregate


Optional.
interface/subinterface

Configuring the MTU of a Layer 3 aggregate


Optional.
interface/subinterface
Configuring an
aggregate Enabling link state trapping for an aggregate interface Optional.
interface Limiting the number of Selected ports for an aggregation
Optional.
group

Shutting down an aggregate interface Optional.

Restoring the default settings for an aggregate interface Optional.

Configuring load sharing for link aggregation groups Optional.

Enabling link-aggregation traffic redirection Optional.

Enhancing the Selected port capacity for link aggregation in IRF mode Optional.

Configuring an aggregation group


You can choose to create a Layer 2 or Layer 3 link aggregation group depending on the ports to be
aggregated:
• To aggregate Layer 2 Ethernet interfaces, create a Layer 2 link aggregation group;
• To aggregate Layer 3 Ethernet interfaces, create a Layer 3 link aggregation group.

Configuration guidelines
You cannot assign a port to a Layer 2 aggregation group if any of the features listed in Table 16 is
configured on the port.

109
Table 16 Features incompatible with Layer 2 aggregation groups

Feature Reference
RRPP RRPP configuration in High Availability Configuration Guide

MAC authentication MAC authentication configuration in Security Configuration Guide

IP source guard IP source guard configuration in Security Configuration Guide

802.1X 802.1X configuration in Security Configuration Guide

Ports specified as source interfaces


Portal configuration in Security Configuration Guide
in portal-free rules

You cannot assign a port to a Layer 3 aggregation group if any of the features listed in Table 17 is
configured on the port.
Table 17 Interfaces that cannot be assigned to a Layer 3 aggregation group

Interface type Reference


IP addressing configuration in Layer 3—IP Services
Interfaces configured with IP addresses
Configuration Guide

VRRP VRRP configuration in High Availability Configuration Guide

Portal Portal in Security Configuration Guide

If a port is used as a reflector port for port mirroring, do not assign it to an aggregation group. For more
information about reflector ports, see Network Management and Monitoring Configuration Guide.
Removing an aggregate interface also removes the corresponding aggregation group. At the same time,
any member ports of the aggregation group leave the aggregation group.
Do not configure any Layer 3 features, such as MPLS and VPN, on a port to be added to a Layer 3
aggregation group. Remove any Layer 3 feature configured on a port before adding it to a Layer 3
aggregation group.
After adding a port to a Layer 3 aggregation group, configure Layer 3 features on the aggregate
interface instead of on the member port. If you configure any Layer 3 feature mistakenly on a member
port, remove the Layer 3 feature configuration from the member port and then run the shutdown and
undo shutdown commands on the aggregate interface.

Configuring a static aggregation group


Configuring a Layer 2 static aggregation group

Step Command Remarks


1. Enter system view. system-view N/A

When you create a Layer 2


2. Create a Layer 2 aggregate aggregate interface, the system
interface bridge-aggregation
interface and enter Layer 2 automatically creates a static
interface-number
aggregate interface view. aggregation group numbered the
same.
3. Return to system view. quit N/A

110
Step Command Remarks
a. Enter Layer 2 Ethernet
interface view:
interface interface-type
interface-number Repeat this step to assign multiple
4. Assign an Ethernet interface
b. Assign the Ethernet Layer 2 Ethernet interfaces to the
to the aggregation group.
interface to the aggregation group.
aggregation group:
port link-aggregation
group number

Optional.
By default, the aggregation priority
of a port is 32768.
5. Assign the port an link-aggregation port-priority
aggregation priority. port-priority Changing the aggregation priority
of a port may affect the
aggregation state of the ports in
the static aggregation group.

Configuring a Layer 3 static aggregation group

Step Command Remarks


1. Enter system view. system-view N/A

When you create a Layer 3


2. Create a Layer 3 aggregate aggregate interface, the system
interface route-aggregation
interface and enter the Layer automatically creates a Layer 3
interface-number
3 aggregate interface view. static aggregation group
numbered the same.

3. Return to system view. quit N/A

a. Enter Layer 3 Ethernet


interface view:
interface interface-type
interface-number Repeat this step to assign multiple
4. Assign an Ethernet interface
b. Assign the Ethernet Layer 3 Ethernet interfaces to the
to the aggregation group.
interface to the aggregation group.
aggregation group:
port link-aggregation
group number

Optional.
By default, the aggregation priority
of a port is 32768.
5. Assign the port an link-aggregation port-priority
aggregation priority. port-priority Changing the aggregation priority
of a port may affect the
aggregation state of the ports in
the static aggregation group.

Configuring a dynamic aggregation group

111
NOTE:
To guarantee a successful dynamic aggregation, make sure that the peer ports of the ports aggregated at
one end are also aggregated. The two ends can automatically negotiate the aggregation state of each
member port.

Configuring a Layer 2 dynamic aggregation group

Step Command Remarks


1. Enter system view. system-view N/A

Optional.
By default, the system LACP priority
is 32768.
2. Set the system LACP priority. lacp system-priority system-priority Changing the system LACP priority
may affect the aggregation state of
the ports in dynamic aggregation
groups.

When you create a Layer 2


3. Create a Layer 2 aggregate aggregate interface, the system
interface bridge-aggregation
interface and enter the Layer automatically creates a Layer 2
interface-number
2 aggregate interface view. static aggregation group
numbered the same.
4. Configure the aggregation By default, an aggregation group
group to operate in dynamic link-aggregation mode dynamic operates in static aggregation
aggregation mode. mode.
5. Return to system view. quit N/A
a. Enter Layer 2 Ethernet
interface view:
interface interface-type
interface-number Repeat this step to assign multiple
6. Assign an Ethernet interface
b. Assign the Ethernet Layer 2 Ethernet interfaces to the
to the aggregation group.
interface to the aggregation group.
aggregation group:
port link-aggregation
group number

Optional.
By default, the aggregation priority
of a port is 32768.
7. Assign the interface an link-aggregation port-priority
aggregation priority. port-priority Changing the aggregation priority
of a port may affect the
aggregation state of the ports in
the dynamic aggregation group.

Optional.
8. Set the LACP timeout interval
on the port to the short timeout lacp period short By default, the LACP timeout
interval (1 second). interval on a port is the long
timeout interval (30 seconds).

Configuring a Layer 3 dynamic aggregation group

112
Step Command Remarks
1. Enter system view. system-view N/A

Optional.
By default, the system LACP priority
is 32768.
2. Set the system LACP priority. lacp system-priority system-priority Changing the system LACP priority
may affect the aggregation state of
the ports in the dynamic
aggregation group.

When you create a Layer 3


3. Create a Layer 3 aggregate aggregate interface, the system
interface route-aggregation
interface and enter the Layer automatically creates a Layer 3
interface-number
3 aggregate interface view. static aggregation group
numbered the same.
4. Configure the aggregation By default, an aggregation group
group to operate in dynamic link-aggregation mode dynamic operates in static aggregation
aggregation mode. mode.
5. Return to system view. quit N/A
a. Enter Layer 3 Ethernet
interface view:
interface interface-type
interface-number Repeat this step to assign multiple
6. Assign an Ethernet interface
b. Assign the Ethernet Layer 3 Ethernet interfaces to the
to the aggregation group.
interface to the aggregation group.
aggregation group:
port link-aggregation
group number

Optional.
By default, the aggregation priority
of a port is 32768.
7. Assign the port an
lacp port-priority port-priority Changing the aggregation priority
aggregation priority.
of a port may affect the
aggregation state of ports in the
dynamic aggregation group.

Optional.
8. Set the LACP timeout interval
on the port to the short timeout lacp period short By default, the LACP timeout
interval (1 second). interval on a port is the long
timeout interval (30 seconds).

Configuring an aggregate interface


NOTE:
In addition to the configurations in this section, most of the configurations that can be performed on Layer
2 or Layer 3 Ethernet interfaces can also be performed on Layer 2 or Layer 3 aggregate interfaces.

113
Configuring the description of an aggregate
interface/subinterface
You can configure the description of an aggregate interface for administration purposes such as
describing the purpose of the interface.
To configure the description of an aggregate interface/subinterface:

Step Command Remarks


1. Enter system view. system-view N/A

• Enter Layer 2 aggregate


interface view:
interface bridge-aggregation
interface-number
2. Enter aggregate interface • Enter Layer 3 aggregate
Use either command.
view. interface/subinterface view:
interface route-aggregation
{ interface-number |
interface-number.subnumber
}

Optional.
3. Configure the description of By default, the description of an
the aggregate description text interface is interface-name Interface,
interface/subinterface. such as Bridge-Aggregation1
Interface.

Configuring the MTU of a Layer 3 aggregate


interface/subinterface
Maximum transmission unit (MTU) of an interface affects IP packets fragmentation and reassembly on the
interface.
To change the MTU of a Layer 3 aggregate interface/subinterface:

Step Command Remarks


1. Enter system view. system-view N/A

interface route-aggregation
2. Enter Layer 3 aggregate
{ interface-number | N/A
interface/subinterface view.
interface-number.subnumber }

3. Configure the MTU of the Optional.


mtu size
interface/subinterface. The default setting is 1500 bytes.

Enabling link state trapping for an aggregate interface


You can configure an aggregate interface to generate linkUp trap messages when its link goes up and
linkDown trap messages when its link goes down. For more information, see Network Management and
Monitoring Configuration Guide.

114
To enable link state trapping on an aggregate interface:

Step Command Remarks


1. Enter system view. system-view N/A

Optional.
2. Enable the trap function snmp-agent trap enable [ standard By default, link state trapping is
globally. [ linkdown | linkup ] * ] enabled globally and on all
interfaces.

• Enter Layer 2 aggregate interface


view:
interface bridge-aggregation
interface-number
3. Enter aggregate interface
view. • Enter Layer 3 aggregate Use either command.
interface/subinterface view:
interface route-aggregation
{ interface-number |
interface-number.subnumber }

Optional.
4. Enable link state trapping
for the aggregate enable snmp trap updown By default, link state trapping is
interface. enabled for the aggregate
interface.

Limiting the number of Selected ports for an aggregation group


CAUTION:
• For static aggregation groups, the minimum and maximum numbers of Selected ports for the two ends must be
consistent.
• Configuring the minimum number of Selected ports required to bring up an aggregation group may cause all
the member ports in the aggregation group to become unselected.
• Configuring the maximum number of Selected ports in an aggregation group may cause some of the selected
member ports in the aggregation group to become unselected.
• If you configure both the maximum and minimum numbers of Selected ports allowed in an aggregation group,
make sure that the former is no smaller than the latter.

The bandwidth of an aggregate link increases along with the number of selected member ports. To avoid
congestion caused by insufficient Selected ports on an aggregate link, you can set the minimum number
of Selected ports required for bringing up the specific aggregate interface.
This minimum threshold setting affects the aggregation state of both aggregation member ports and the
aggregate interface:
• All member ports change to the Unselected state and the link of the aggregate interface goes down,
when the number of member ports eligible for being selected is smaller than the minimum
threshold.
• When the minimum threshold is reached, the eligible member ports change to the Selected state,
and the link of the aggregate interface goes up.
By default, the maximum number of Selected ports allowed in an aggregation group is limited by the
hardware capabilities of the member ports. After you manually configure the maximum number of

115
Selected ports in an aggregation group, the maximum number of Selected ports allowed in the
aggregation group is the smaller value of the two upper limits.
You can configure redundancy between two ports using the following guideline: Assign two ports to an
aggregation group, and configure the maximum number of Selected ports allowed in the aggregation
group as 1. In this way, only one Selected port is allowed in the aggregation group at any point in time,
while the Unselected port serves as a backup port.
To limit the number of Selected ports for an aggregation group:

Step Command Remarks


1. Enter system view. system-view N/A
• Enter Layer 2 aggregate
interface view:
interface bridge-aggregation
2. Enter aggregate interface interface-number
Use either command.
view. • Enter Layer 3 aggregate
interface view:
interface route-aggregation
interface-number

By default, the minimum number of


Selected ports is not specified.
3. Set the minimum number of
link-aggregation selected-port Make sure that the minimum
Selected ports for the
minimum number number of Selected ports required
aggregation group.
to bring up an aggregation group
is the same on both ends.

By default, the maximum number of


4. Set the maximum number of Selected ports allowed in an
link-aggregation selected-port
Selected ports for the aggregation group is limited only
maximum number
aggregation group. by the hardware capabilities of the
member ports.

Shutting down an aggregate interface


Shutting down or bringing up an aggregate interface affects the aggregation state and link state of ports
in the corresponding aggregation group in the following ways:
• When an aggregate interface is shut down, all Selected ports in the corresponding aggregation
group become unselected and their link state becomes down.
• When an aggregate interface is brought up, the aggregation state of ports in the corresponding
aggregation group is recalculated and their link state becomes up.
To bring up an aggregate interface:

Step Command Remarks


1. Enter system view. system-view N/A

116
Step Command Remarks
• Enter Layer 2 aggregate interface
view:
interface bridge-aggregation
interface-number
2. Enter aggregate interface
view. • Enter Layer 3 aggregate interface Use either command.
or subinterface view:
interface route-aggregation
{ interface-number |
interface-number.subnumber }

3. Shut down the aggregate By default, aggregate interfaces


shutdown
interface. are up.

NOTE:
Shutting down a Layer 3 aggregate subinterface does not affect any aggregation group, because Layer 3
aggregate subinterfaces are not associated with any aggregation groups.

Restoring the default settings for an aggregate interface


Step Command Remarks
1. Enter system view. system-view N/A

• Enter Layer 2 aggregate interface


view:
interface bridge-aggregation
interface-number
2. Enter aggregate interface
view. • Enter Layer 3 aggregate interface Use either command.
or subinterface view:
interface route-aggregation
{ interface-number |
interface-number.subnumber }

3. Restore the default settings for


the aggregate interface or default N/A
subinterface.

Configuring load sharing for link aggregation


groups
You can determine how traffic is load-shared in a link aggregation group by configuring load sharing
criteria. The criteria can be MPLS labels, service port numbers, IP addresses, MAC addresses, or
receiving ports of packets, or any combination of them. The system uses the hash algorithm to calculate
the load sharing scheme for link aggregation groups based on the load sharing criteria you configured.
To configure load sharing for link aggregation groups:

117
Step Command Remarks
1. Enter system view. system-view N/A

link-aggregation load-sharing mode Optional.


2. Configure the load { destination-ip | destination-mac | By default, load sharing is enabled for
sharing criteria for destination-port | ingress-port | | link aggregation groups.
link aggregation mpls-label1 | mpls-label2 | The setting you make by using this
groups. mpls-label3 | source-ip | source-mac command affects all load-sharing link
| source-port } * aggregation groups.

Enabling link-aggregation traffic redirection


CAUTION:
• To prevent traffic interruption, you must enable link-aggregation traffic redirection on switches at both
ends of the aggregate link.
• To prevent packet loss that might occur at a reboot, do not enable MSTP and link-aggregation traffic
redirection at the same time.

The link-aggregation traffic redirection function is available on switches or IRF member switches. It can
redirect traffic between cards or IRF member switches for a cross-card or cross-switch link aggregation
group. With this function, you can prevent traffic interruption when rebooting a card or IRF member
switch that contains link aggregation member ports. For more information about IRF, see IRF
Configuration Guide.
To enable link-aggregation traffic redirection:

Step Command Remarks


1. Enter system view. system-view N/A

Optional.
2. Enable link-aggregation traffic link-aggregation lacp
redirection. traffic-redirect-notification enable By default, link-aggregation traffic
redirection is disabled.

NOTE:
Link-aggregation traffic redirection applies to dynamic link aggregation groups only.

Enhancing the Selected port capacity for link


aggregation in IRF mode
The Selected port capacity for link aggregation refers to the maximum number of Selected ports allowed
in an aggregation group. Generally, this capacity is the same in both IRF mode and non-IRF mode. After
you enhance the Selected port capacity for link aggregation, each member device in an IRF fabric has
the same Selected port capacity as in non-IRF mode, but the Selected port capacity of the IRF fabric
increases dramatically following the formula:
Selected port capacity in each aggregation group in the IRF fabric equals Selected port capacity in the
aggregation group in non-IRF mode x Number of member devices in the IRF fabric.

118
If one end is configured with this feature, make sure the other end is also configured with this feature.
Otherwise, link aggregation might not work.
To enhance the Selected port capacity for link aggregation in IRF mode:

Step Command Remarks


1. Enter system view. system-view N/A
2. Enhance the Selected port By default, the Selected port
capacity for link aggregation link-aggregation irf-enhanced capacity is not enhanced in IRF
in IRF mode. mode.

Displaying and maintaining Ethernet link


aggregation
Task Command Remarks
display interface [ bridge-aggregation |
route-aggregation ] [ brief [ down ] ] [ | { begin
Display information for an | exclude | include } regular-expression ] Available in any
aggregate interface or multiple
display interface { bridge-aggregation | view.
aggregate interfaces.
route-aggregation } interface-number [ brief ] [ |
{ begin | exclude | include } regular-expression ]

display lacp system-id [ | { begin | exclude | Available in any


Display the local system ID.
include } regular-expression ] view.

Display detailed link aggregation display link-aggregation member-port


Available in any
information for link aggregation [ interface-list ] [ | { begin | exclude | include }
view.
member ports. regular-expression ]

Display the summary of all display link-aggregation summary [ | { begin | Available in any
aggregation groups. exclude | include } regular-expression ] view.

display link-aggregation verbose


Display detailed information about
[ { bridge-aggregation | route-aggregation } Available in any
a specific or all aggregation
[ interface-number ] ] [ | { begin | exclude | view.
groups.
include } regular-expression ]

Display link-aggregation load display link-aggregation load-sharing mode [ | Available in any


sharing criteria. { begin | exclude | include } regular-expression ] view.

Clear LACP statistics for a specific


Available in user
or all link aggregation member reset lacp statistics [ interface interface-list ]
view.
ports.

Clear statistics for a specific or all reset counters interface [ { bridge-aggregation | Available in user
aggregate interfaces. route-aggregation } [ interface-number ] ] view.

Ethernet link aggregation configuration examples

119
NOTE:
• In an aggregation group, only ports that have the same port attributes and class-two configurations (see
"Configuration classes") as the reference port (see "Reference port") can operate as Selected ports.
Make sure that all member ports have the same port attributes and class-two configurations as the
reference port. The other settings only need to be configured on the aggregate interface, not on the
member ports.
• By default, Ethernet interfaces, VLAN interfaces, and aggregate interfaces are in the down state. Before
configuring these interfaces, use the undo shutdown command to bring them up.

Layer 2 static aggregation configuration example


Network requirements
As shown in Figure 36:
• Configure a Layer 2 static link aggregation group on both Device A and Device B, and enable
VLAN 10 at one end of the aggregate link to communicate with VLAN 10 at the other end, and
VLAN 20 at one end to communicate with VLAN 20 at the other end.
• Enable traffic to be load-shared across aggregation group member ports based on source and
destination MAC addresses.
Figure 36 Network diagram

Configuration procedure
1. Configure Device A:
# Create VLAN 10, and assign port GigabitEthernet 4/0/4 to VLAN 10.
<DeviceA> system-view
[DeviceA] vlan 10
[DeviceA-vlan10] port gigabitethernet 4/0/4
[DeviceA-vlan10] quit
# Create VLAN 20, and assign port GigabitEthernet 4/0/5 to VLAN 20.
[DeviceA] vlan 20
[DeviceA-vlan20] port gigabitethernet 4/0/5
[DeviceA-vlan20] quit
# Create Layer 2 aggregate interface Bridge-Aggregation 1.
[DeviceA] interface bridge-aggregation 1

120
[DeviceA-Bridge-Aggregation1] quit
# Assign ports GigabitEthernet 4/0/1 through GigabitEthernet 4/0/3 to link aggregation group
1.
[DeviceA] interface gigabitethernet 4/0/1
[DeviceA-GigabitEthernet4/0/1] port link-aggregation group 1
[DeviceA-GigabitEthernet4/0/1] quit
[DeviceA] interface gigabitethernet 4/0/2
[DeviceA-GigabitEthernet4/0/2] port link-aggregation group 1
[DeviceA-GigabitEthernet4/0/2] quit
[DeviceA] interface gigabitethernet 4/0/3
[DeviceA-GigabitEthernet4/0/3] port link-aggregation group 1
[DeviceA-GigabitEthernet4/0/3] quit
# Configure Layer 2 aggregate interface Bridge-Aggregation 1 as a trunk port and assign it to
VLANs 10 and 20.
[DeviceA] interface bridge-aggregation 1
[DeviceA-Bridge-Aggregation1] port link-type trunk
[DeviceA-Bridge-Aggregation1] port trunk permit vlan 10 20
Please wait... Done.
[DeviceA-Bridge-Aggregation1] quit
# Configure Device A to use the source and destination MAC addresses of packets as the global
link-aggregation load sharing criteria.
[DeviceA] link-aggregation load-sharing mode source-mac destination-mac
2. Configure Device B in the same way as you configure Device A.
3. Verify the configurations:
# Display summary information about all aggregation groups on Device A.
[DeviceA] display link-aggregation summary

Aggregation Interface Type:


BAGG -- Bridge-Aggregation, RAGG -- Route-Aggregation
Aggregation Mode: S -- Static, D -- Dynamic
Loadsharing Type: Shar -- Loadsharing, NonS -- Non-Loadsharing
Actor System ID: 0x8000, 000f-e2ff-0001

AGG AGG Partner ID Select Unselect Share


Interface Mode Ports Ports Type
-------------------------------------------------------------------------------
BAGG1 S none 3 0 Shar
The output shows that link aggregation group 1 is a load shared Layer 2 static aggregation group
and it contains three Selected ports.
# Display the global link-aggregation load sharing criteria on Device A.
[DeviceA] display link-aggregation load-sharing mode

Link-Aggregation Load-Sharing Mode:


destination-mac address, source-mac address
The output shows that all link aggregation groups created on the device perform load sharing
based on source and destination MAC addresses.

121
Layer 2 dynamic aggregation configuration example
Network requirements
As shown in Figure 37:
• Configure a Layer 2 dynamic link aggregation group on both Device A and Device B, enable VLAN
10 at one end of the aggregate link to communicate with VLAN 10 at the other end, and VLAN 20
at one end to communicate with VLAN 20 at the other end.
• Enable traffic to be load-shared across aggregation group member ports based on source and
destination MAC addresses.
Figure 37 Network diagram

Configuration procedure
1. Configure Device A:
# Create VLAN 10, and assign the port GigabitEthernet 4/0/4 to VLAN 10.
<DeviceA> system-view
[DeviceA] vlan 10
[DeviceA-vlan10] port gigabitethernet 4/0/4
[DeviceA-vlan10] quit
# Create VLAN 20, and assign the port GigabitEthernet 4/0/5 to VLAN 20.
[DeviceA] vlan 20
[DeviceA-vlan20] port gigabitethernet 4/0/5
[DeviceA-vlan20] quit
# Create Layer 2 aggregate interface Bridge-Aggregation 1, and configure the link aggregation
mode as dynamic.
[DeviceA] interface bridge-aggregation 1
[DeviceA-Bridge-Aggregation1] link-aggregation mode dynamic
# Assign ports GigabitEthernet 4/0/1 through GigabitEthernet 4/0/3 to link aggregation group
1.
[DeviceA] interface gigabitethernet 4/0/1
[DeviceA-GigabitEthernet4/0/1] port link-aggregation group 1
[DeviceA-GigabitEthernet4/0/1] quit
[DeviceA] interface gigabitethernet 4/0/2
[DeviceA-GigabitEthernet4/0/2] port link-aggregation group 1
[DeviceA-GigabitEthernet4/0/2] quit

122
[DeviceA] interface gigabitethernet 4/0/3
[DeviceA-GigabitEthernet4/0/3] port link-aggregation group 1
[DeviceA-GigabitEthernet4/0/3] quit
# Configure Layer 2 aggregate interface Bridge-Aggregation 1 as a trunk port and assign it to
VLANs 10 and 20.
[DeviceA] interface bridge-aggregation 1
[DeviceA-Bridge-Aggregation1] port link-type trunk
[DeviceA-Bridge-Aggregation1] port trunk permit vlan 10 20
Please wait... Done.
[DeviceA-Bridge-Aggregation1] quit
# Configure the device to use the source and destination MAC addresses of packets as the global
link-aggregation load sharing criteria.
[DeviceA] link-aggregation load-sharing mode source-mac destination-mac
2. Configure Device B in the same way as you configure Device A.
3. Verify the configurations:
# Display summary information about all aggregation groups on Device A.
[DeviceA] display link-aggregation summary

Aggregation Interface Type:


BAGG -- Bridge-Aggregation, RAGG -- Route-Aggregation
Aggregation Mode: S -- Static, D -- Dynamic
Loadsharing Type: Shar -- Loadsharing, NonS -- Non-Loadsharing
Actor System ID: 0x8000, 000f-e2ff-0001

AGG AGG Partner ID Select Unselect Share


Interface Mode Ports Ports Type
-------------------------------------------------------------------------------
BAGG1 D 0x8000, 000f-e2ff-0002 3 0 Shar
The output shows that link aggregation group 1 is a load shared Layer 2 dynamic aggregation
group and it contains three Selected ports.
# Display the global link-aggregation load sharing criteria on Device A.
[DeviceA] display link-aggregation load-sharing mode

Link-Aggregation Load-Sharing Mode:


destination-mac address, source-mac address
The output shows that all link aggregation groups created on the device perform load sharing
based on source and destination MAC addresses.

Layer 3 static aggregation configuration example


Network requirements
As shown in Figure 38:
• Configure a Layer 3 static link aggregation group on both Device A and Device B and configure IP
addresses and subnet masks for the corresponding Layer 3 aggregate interfaces.
• Enable traffic to be load-shared across aggregation group member ports based on source and
destination IP addresses.

123
Figure 38 Network diagram

Configuration procedure
1. Configure Device A:
# Create Layer 3 aggregate interface Route-Aggregation 1, and configure an IP address and
subnet mask for the aggregate interface.
<DeviceA> system-view
[DeviceA] interface route-aggregation 1
[DeviceA-Route-Aggregation1] ip address 192.168.1.1 24
[DeviceA-Route-Aggregation1] quit
# Assign Layer 3 Ethernet interfaces GigabitEthernet 3/0/1 through GigabitEthernet 3/0/3 to
aggregation group 1.
[DeviceA] interface Gigabitethernet 3/0/1
[DeviceA-Gigabitethernet3/0/1] port link-aggregation group 1
[DeviceA-Gigabitethernet3/0/1] quit
[DeviceA] interface Gigabitethernet 3/0/2
[DeviceA-Gigabitethernet3/0/2] port link-aggregation group 1
[DeviceA-Gigabitethernet3/0/2] quit
[DeviceA] interface Gigabitethernet 3/0/3
[DeviceA-Gigabitethernet3/0/3] port link-aggregation group 1
[DeviceA-Gigabitethernet3/0/3] quit
# Configure the global link-aggregation load sharing criteria as the source and destination IP
addresses of packets.
[DeviceA] link-aggregation load-sharing mode source-ip destination-ip
2. Configure Device B in the same way as you configure Device A.
3. Verify the configurations:
# Display the summary information about all aggregation groups on Device A.
[DeviceA] display link-aggregation summary

Aggregation Interface Type:


BAGG -- Bridge-Aggregation, RAGG -- Route-Aggregation
Aggregation Mode: S -- Static, D -- Dynamic
Loadsharing Type: Shar -- Loadsharing, NonS -- Non-Loadsharing
Actor System ID: 0x8000, 000f-e2ff-0001

AGG AGG Partner ID Select Unselect Share


Interface Mode Ports Ports Type
-------------------------------------------------------------------------------
RAGG1 S none 3 0 Shar
The output above shows that link aggregation group 1 is a load-sharing-capable Layer 3 static
aggregation group that contains three Selected ports.
# Display the global link-aggregation load sharing criteria on Device A.

124
[DeviceA] display link-aggregation load-sharing mode

Link-Aggregation Load-Sharing Mode:


destination-ip address, source-ip address
The output above shows that the global link-aggregation load sharing criteria are the source and
destination IP addresses of packets.

Layer 3 dynamic aggregation configuration example


Network requirements
As shown in Figure 39:
• Configure a Layer 3 dynamic link aggregation group on both Device A and Device B and configure
IP addresses and subnet masks for the corresponding Layer 3 aggregate interfaces.
• Enable traffic to be load-shared across aggregation group member ports based on source and
destination IP addresses.
Figure 39 Network diagram

Configuration procedure
1. Configure Device A:
# Create Layer 3 aggregate interface Route-Aggregation 1, configure the link aggregation mode
as dynamic, and configure an IP address and subnet mask for the aggregate interface.
<DeviceA> system-view
[DeviceA] interface route-aggregation 1
[DeviceA-Route-Aggregation1] link-aggregation mode dynamic
[DeviceA-Route-Aggregation1] ip address 192.168.1.1 24
[DeviceA-Route-Aggregation1] quit
# Assign Layer 3 Ethernet interfaces GigabitEthernet 3/0/1 through GigabitEthernet 3/0/3 to
aggregation group 1.
[DeviceA] interface Gigabitethernet 3/0/1
[DeviceA-Gigabitethernet3/0/1] port link-aggregation group 1
[DeviceA-Gigabitethernet3/0/1] quit
[DeviceA] interface Gigabitethernet 3/0/2
[DeviceA-Gigabitethernet3/0/2] port link-aggregation group 1
[DeviceA-Gigabitethernet3/0/2] quit
[DeviceA] interface Gigabitethernet 3/0/3
[DeviceA-Gigabitethernet3/0/3] port link-aggregation group 1
[DeviceA-Gigabitethernet3/0/3] quit
# Configure to use the source and destination IP addresses of packets as the global
link-aggregation load sharing criteria.
[DeviceA] link-aggregation load-sharing mode source-ip destination-ip
2. Configure Device B in the same way as you configure Device A.
3. Verify the configurations:

125
# Display the summary information about all aggregation groups on Device A.
[DeviceA] display link-aggregation summary

Aggregation Interface Type:


BAGG -- Bridge-Aggregation, RAGG -- Route-Aggregation
Aggregation Mode: S -- Static, D -- Dynamic
Loadsharing Type: Shar -- Loadsharing, NonS -- Non-Loadsharing
Actor System ID: 0x8000, 000f-e2ff-0001

AGG AGG Partner ID Select Unselect Share


Interface Mode Ports Ports Type
-------------------------------------------------------------------------------
RAGG1 D 0x8000, 000f-e2ff-0002 3 0 Shar
The output shows that link aggregation group 1 is a load-shared Layer 3 dynamic aggregation
group and it contains three Selected ports.
# Display the global link-aggregation load sharing criteria on Device A.
[DeviceA] display link-aggregation load-sharing mode

Link-Aggregation Load-Sharing Mode:


destination-ip address, source-ip address
The output shows that the global link-aggregation load sharing criteria are the source and
destination IP addresses of packets.

126
Configuring port isolation

Overview
Assigning access ports to different VLANs is a typical way to isolate Layer 2 traffic for data privacy and
security, but this approach is VLAN resource demanding. To save VLAN resources, you can use the port
isolation feature, which can isolate ports on the switch or IRF member switch basis without using VLANs
and allows for flexibility and security.

Operating mechanism
The feature isolates ports regardless of the VLANs that the ports are assigned to. The ports in the same
isolation group cannot communicate with each other at Layer 2, but they can communicate with the ports
outside the isolation group bidirectionally if the outside ports belong to the same VLAN as the isolation
group ports.
IMPORTANT:
• The ports in an isolation group support the following functions only: MAC address learning, QoS
actions (such as accounting, filter deny, car cir committed-information-rate red discard, and traffic
mirroring) in the incoming direction of the ports, and link aggregation.
• Do not configure Layer 2 protocols (such as GVRP) or Layer 3 protocols (such as multicast and routing)
on the ports in an isolation group. Doing so can cause network malfunction.

Non-isolated VLAN
A non-isolated VLAN allows the ports in an isolation group to communicate with each other within the
VLAN at Layer 2.
Figure 40 shows a network scenario that requires the non-isolated VLAN configuration.
• Switch B and Switch C communicate with a public server cluster through Switch A.
• Switch A connects to Switch B through GigabitEthernet 3/0/2, and connects to Switch C through
GigabitEthernet 3/0/3.
• Both GigabitEthernet 3/0/2 and GigabitEthernet 3/0/3 are assigned to VLAN 2 and VLAN 3.
After GigabitEthernet 3/0/2 and GigabitEthernet 3/0/3 are assigned to isolation group 1, Switch B
cannot communicate with Switch C at Layer 2, Host A cannot communicate with Host C although they
both belong to VLAN 2, and Host B cannot communicate with Host D although they both belong to VLAN
3.
To enable Layer 2 communication between Host B and Host D, you can configure VLAN 3 as a
non-isolated VLAN for isolation group 1.

127
Figure 40 Non-isolated VLAN in an isolation group

Configuration restrictions and guidelines


Port isolation is available when the switch is operating in standalone mode or in IRF mode with
enhanced-IRF disabled. For more information about IRF, see IRF Configuration Guide.
You cannot configure the port isolation feature together with the MAC-based VLAN feature. For more
information about MAC-based VLANs, see "Configuring VLANs."

Port isolation configuration task list


Task Remarks
Assigning ports to an isolation group Required.

Configuring non-isolated VLANs Optional.

Assigning ports to an isolation group


Step Command Remarks
1. Enter system view. system-view N/A

2. Create an isolation group and You can use this command to


enter isolation group view. port-isolate group group-number directly enter the view of an
existing isolation group.
3. Exit isolation group view. quit N/A

128
Step Command Remarks
• Enter Ethernet interface view:
interface interface-type
interface-number
• Enter Layer 2 aggregate
interface view:
4. Enter interface view. Use one of the commands.
interface bridge-aggregation
interface-number
• Enter port group view:
port-group manual
port-group-name

5. Assign the ports to the port-isolate enable group No ports are assigned to an
isolation group. group-number isolation group by default.

NOTE:
The number of ports that can be assigned to an isolation group is not limited.

Configuring non-isolated VLANs


To configure non-isolated VLANs for an isolation group:

Step Command Remarks


1. Enter system view. system-view N/A
2. Create an isolation group You can use this command to directly
and enter isolation group port-isolate group group-number enter the view of an existing isolation
view. group.

3. Configure non-isolated community-vlan vlan { vlan-id-list By default, an isolation group does


VLANs. | all } not contain any non-isolated VLANs.

Displaying and maintaining port isolation


Task Command Remarks
display port-isolate group [ group-number ] [ |
Display the port isolation
{ begin | exclude | include } Available in any view.
information.
regular-expression ]

Port isolation configuration examples


IMPORTANT:
By default, Ethernet interfaces, VLAN interfaces, and aggregate interfaces are in DOWN state. Before
configuring these interfaces, bring them up with the undo shutdown command.

129
Port isolation without non-isolated VLAN configuration example
Network requirements
As shown in Figure 41, the switch is operating in hybrid mode and provides access to the Internet through
GigabitEthernet 4/0/1. Ports GigabitEthernet 4/0/1 through GigabitEthernet 4/0/4 belong to VLAN
2.
Configure port isolation, so the switch prevents Host A, Host B, and Host C from communicating with one
another at Layer 2, but allows them to access the Internet.
Figure 41 Network diagram

Configuration procedure
# Create VLAN 2 and assign ports to the VLAN.
<Switch> system-view
[Switch] vlan 2
[Switch-vlan2] port gigabitethernet 4/0/1 to gigabitethernet 4/0/4
[Switch-vlan2] quit

# Create isolation group 2.


[Switch] port-isolate group 2

# Assign ports GigabitEthernet 4/0/2, GigabitEthernet 4/0/3, and GigabitEthernet 4/0/4 to isolation
group 2 as isolated ports.
[Switch] interface gigabitethernet 4/0/2
[Switch-GigabitEthernet4/0/2] port-isolate enable group 2
[Switch-GigabitEthernet4/0/2] quit
[Switch] interface gigabitethernet 4/0/3
[Switch-GigabitEthernet4/0/3] port-isolate enable group 2
[Switch-GigabitEthernet4/0/3] quit
[Switch] interface gigabitethernet 4/0/4
[Switch-GigabitEthernet4/0/4] port-isolate enable group 2
[Switch-GigabitEthernet4/0/4] quit

Verifying the configuration


# Display information about isolation group 2.

130
[Switch] display port-isolate group 2
Port-isolate group information:
Uplink port support: NO
Group ID: 2
Group members:
GigabitEthernet4/0/2 GigabitEthernet4/0/3 GigabitEthernet4/0/4

Port isolation with non-isolated VLAN configuration example


Network requirements
As shown in Figure 42, Switch A accesses the Internet through GigabitEthernet 3/0/1. The company
branches Site 1 and Site 2 transfer service traffic in VLAN 2 and VLAN 3, and are connected to Switch
A through Switch B and Switch C, respectively.
Configure port isolation and non-isolated VLANs, so the switches allow the company hosts to access the
Internet, enable Host B and Host D to exchange video conferencing traffic in VLAN 3, and isolate other
Layer 2 traffic between Switch B and Switch C.
Figure 42 Network diagram

Configuring Switch A
# Create VLAN 2 and VLAN 3, and assign trunk ports GigabitEthernet 3/0/2 and GigabitEthernet
3/0/3 to the VLANs.
<SwitchA> system-view
[SwitchA] vlan 2 to 3
[SwitchA] interface GigabitEthernet 3/0/2
[SwitchA-GigabitEthernet3/0/2] port link-type trunk
[SwitchA-GigabitEthernet3/0/2] port trunk permit vlan 2 3
[SwitchA-GigabitEthernet3/0/2] quit

131
[SwitchA] interface GigabitEthernet 3/0/3
[SwitchA-GigabitEthernet3/0/3] port link-type trunk
[SwitchA-GigabitEthernet3/0/3] port trunk permit vlan 2 3
[SwitchA-GigabitEthernet3/0/3] quit

# Create isolation group 1.


[SwitchA] port-isolate group 1
[SwitchA-port-isolate-group1] quit

# Assign ports GigabitEthernet 3/0/2 and GigabitEthernet 3/0/3 that connect to Switch B and Switch
C to isolation group 1.
[SwitchA] interface GigabitEthernet 3/0/2
[SwitchA-GigabitEthernet3/0/2] port-isolate enable group 1
[SwitchA-GigabitEthernet3/0/2] quit
[SwitchA] interface GigabitEthernet 3/0/3
[SwitchA-GigabitEthernet3/0/3] port-isolate enable group 1
[SwitchA-GigabitEthernet3/0/3] quit

# Configure VLAN 3 as a non-isolated VLAN in isolation group 1.


[SwitchA] port-isolate group 1
[SwitchA-port-isolate-group1] community-vlan vlan 3
[SwitchA-port-isolate-group1] quit

Configuring Switch B
# Create VLAN 2 and VLAN 3, assign GigabitEthernet 2/0/2 to VLAN 2, and assign GigabitEthernet
2/0/3 to VLAN 3.
<SwitchB> system-view
[SwitchB] vlan 2
[SwitchB-vlan2] port GigabitEthernet 2/0/2
[SwitchB-vlan2] vlan 3
[SwitchB-vlan3] port GigabitEthernet 2/0/3
[SwitchB-vlan3] quit

# Configure GigabitEthernet 2/0/1 as a trunk port and assign the port to VLAN 2 and VLAN 3.
[SwitchB] interface GigabitEthernet 2/0/1
[SwitchB-GigabitEthernet2/0/1] port link-type trunk
[SwitchB-GigabitEthernet2/0/1] port trunk permit vlan 2 3

Configuring Switch C
Configure Switch C as you configure Switch B.

Verifying the configuration


# Display information about isolation group 1 on Switch A.
[SwitchA] display port-isolate group 1
Port-isolate group information:
Uplink port support: NO
Group ID: 1
Group members:
GigabitEthernet3/0/2 GigabitEthernet3/0/3

132
The output shows that ports GigabitEthernet 3/0/2 and GigabitEthernet 3/0/3 are assigned to
isolation group 1.
# Display the configuration of isolation group 1.
[SwitchA] port-isolate group 1
[SwitchA -port-isolate-group1] display this
#
port-isolate group 1
community-vlan vlan 3
#
return

The output shows that Switch A contains isolation group 1, in which VLAN 3 is a non-isolated VLAN.

133
Configuring QinQ

Throughout this document, customer network VLANs (CVLANs), also called inner VLANs, refer to the
VLANs that a customer uses on the private network; and service provider network VLANs (SVLANs), also
called outer VLANs, refer to the VLANs that a service provider uses to carry VLAN tagged traffic for
customers.

Overview
QinQ stands for 802.1Q in 802.1Q. QinQ is a flexible, easy-to-implement Layer 2 VPN technology
based on IEEE 802.1Q. QinQ enables the edge device on a service provider network to insert an outer
VLAN tag in the Ethernet frames from customer networks, so that the Ethernet frames travel across the
service provider network (public network) with double VLAN tags. QinQ enables a service provider to
use a single SVLAN to serve customers who have multiple CVLANs.

Background and benefits


The IEEE 802.1Q VLAN tag uses 12 bits for VLAN IDs. A device supports a maximum of 4094 VLANs.
This is far from enough for isolating users in actual networks, especially in metropolitan area networks
(MANs).
By tagging tagged frames, QinQ expands the available VLAN space from 4094 to 4094 × 4094. QinQ
delivers the following benefits:
• Releases the stress on the SVLAN resource.
• Enables customers to plan their CVLANs without conflicting with SVLANs.
• Provides an easy-to-implement Layer 2 VPN solution for small-sized MANs or intranets.
• Allows the customers to keep their VLAN assignment schemes unchanged when the service provider
upgrades the service provider network.

How QinQ works


The devices in the public network forward a frame only according to its outer VLAN tag and learn its
source MAC address into the MAC address table of the outer VLAN. The inner VLAN tag of the frame is
transmitted as the payload.

134
Figure 43 Typical QinQ application scenario

As shown in Figure 43, customer network A has CVLANs 1 through 10, and customer network B has
CVLANs 1 through 20. The service provider assigns SVLAN 3 to customer network A and SVLAN 4 to
customer network B. When a tagged Ethernet frame from customer network A arrives at the edge of the
service provider network, the edge device tags the frame with outer VLAN 3. When a tagged Ethernet
frame from customer network B arrives at the edge of the service provider network, the edge device tags
it with outer VLAN 4. As a result, no overlap of VLAN IDs among customers exists, and traffic from
different customers can be identified separately.

NOTE:
The QinQ feature is implemented based on the 802.1q standard. It is necessary that all the switches along
the tunnel support the 802.1q standard.

QinQ frame structure


A QinQ frame is transmitted double-tagged over the service provider network. As shown in Figure 44,
the inner VLAN tag is the CVLAN tag, and the outer one is the SVLAN tag that the service provider has
allocated to the customer.
Figure 44 Single-tagged Ethernet frame header and double-tagged Ethernet frame header

135
The default maximum transmission unit (MTU) of an interface is 1500 bytes. The size of an outer VLAN
tag is 4 bytes. HP recommends you to increase the MTU of each interface on the service provider network
to at least 1504 bytes. For more information about interface MTU configuration, see Interface
Configuration Guide.

Implementations of QinQ
HP provides the following QinQ implementations: basic QinQ and selective QinQ.
1. Basic QinQ
Basic QinQ enables a port to tag any incoming frames with its default VLAN tag, regardless of
whether they have been tagged or not. If an incoming frame has been tagged, it becomes a
double-tagged frame. If not, it becomes a frame tagged with the port’s default VLAN tag.
2. Selective QinQ
Selective QinQ is more flexible than basic QinQ. In addition to all the functions of basic QinQ,
selective QinQ enables a port to perform the following per-CVLAN actions for incoming frames:
{ Tag frames from different CVLANs with different SVLAN tags.
{ Mark the outer VLAN 802.1p priority based on the existing inner VLAN 802.1p priority.
Besides being able to separate the service provider network from the customer networks, selective
QinQ provides abundant service features and allows more flexible networking.

Modifying the TPID in a VLAN tag


A VLAN tag uses the tag protocol identifier (TPID) field to identify the protocol type of the tag. The default
value of this field, as defined in IEEE 802.1Q, is 0x8100.
Figure 45 shows the 802.1Q-defined tag structure of an Ethernet frame.
Figure 45 VLAN tag structure of an Ethernet frame

Devices of different vendors may set the TPID of the outer VLAN tag of QinQ frames to different values.
For compatibility with these devices, modify the TPID value so that the QinQ frames, when sent to the
public network, carry the TPID value identical to the value of a particular vendor to allow interoperability
with the devices of that vendor.
The TPID in an Ethernet frame has the same position as the protocol type field in a frame without a VLAN
tag. To avoid problems in packet forwarding and handling in the network, do not set the TPID value to
any of the values in Table 18.
Table 18 Reserved protocol type values

Protocol type Value


ARP 0x0806

136
Protocol type Value
PUP 0x0200

RARP 0x8035

IP 0x0800

IPv6 0x86DD

PPPoE 0x8863/0x8864

MPLS 0x8847/0x8848

IPX/SPX 0x8137

IS-IS 0x8000

LACP 0x8809

802.1X 0x888E

Cluster 0x88A7

Reserved 0xFFFD/0xFFFE/0xFFFF

QinQ configuration task list


Complete the follows tasks to configure QinQ:

Task Remarks
Enabling basic QinQ Required.

Configuring an outer VLAN tagging


policy Perform at least one of these
Configuring selective QinQ
Configuring an inner-outer VLAN tasks.
802.1p priority mapping policy

Setting the TPID value in VLAN tags Optional.

Enabling basic QinQ


CAUTION:
The basic QinQ function must be enabled on network devices in the service provider network with
customer networks connected to them.

To enable basic QinQ:

Step Command Remarks


1. Enter system view. system-view N/A

137
Step Command Remarks

• Enter Ethernet interface view or Layer 2


aggregate interface view:
2. Enter interface view or
interface interface-type interface-number Use either command.
port group view.
• Enter port group view:
port-group manual port-group-name

By default, basic QinQ is


3. Enable basic QinQ. qinq enable
disabled.

Configuring selective QinQ


Configuring an outer VLAN tagging policy
You can configure QoS policies to have different outer VLAN tags encapsulated for frames based on
their inner VLAN tags. For more information about QoS policies, see ACL and QoS Configuration
Guide.
To configure an outer VLAN tagging policy:

Step Command Remarks


1. Enter system view. system-view N/A

By default, the relationship


between the rules in a class is
2. Create a class and enter class traffic classifier tcl-name [ operator logical AND, that is, the switch
view. { and | or } ] considers a packet belongs to a
class only when the packet
matches all the rules in the class.

You can configure more match


3. Define a match criterion. if-match match-criteria
criteria as needed.

4. Return to system view. quit N/A


5. Create a traffic behavior and
traffic behavior behavior-name N/A
enter traffic behavior view.
6. Configure the action of Configure more actions for the
nest top-most vlan-id vlan-id-value
inserting an SVLAN tag. behavior as needed.

7. Return to system view. quit N/A


8. Create a policy and enter
qos policy policy-name N/A
policy view.
9. Associate the traffic class with classifier tcl-name behavior
N/A
the traffic behavior. behavior-name

10. Return to system view. quit N/A

138
Step Command Remarks
• Enter Ethernet interface view:
interface interface-type
interface-number
11. Enter interface view: Use either command.
• Enter port group view:
port-group manual
port-group-name
12. Apply the QoS policy to the
qos apply policy policy-name
Ethernet interface or all ports N/A
{ inbound | outbound }
in the port group.

Configuring an inner-outer VLAN 802.1p priority mapping


policy
To map different inner VLAN 802.1p priorities to different outer VLAN 802.1p priorities, you can perform
the following configuration. For more information about QoS policies, see ACL and QoS Configuration
Guide.
To configure an inner-outer VLAN 802.1p priority mapping policy:

Step Command Remarks


1. Enter system view. system-view N/A

By default, the relationship


between the rules in a class is logic
2. Create a class and enter class traffic classifier tcl-name [ operator AND, that is, the switch considers
view. { and | or } ] a packet belongs to a class only
when the packet matches all the
rules in the class.

3. Define an inner VLAN 802.1p if-match customer-dot1p You can configure more match
priority match criterion. 8021p-list criteria as needed.

4. Return to system view. quit N/A


5. Create a traffic behavior and
traffic behavior behavior-name N/A
enter traffic behavior view.
6. Configuring the action of Configure more actions for the
remark dot1p 8021p
setting the 802.1p priority. traffic behavior as needed.

7. Return to system view. quit N/A


8. Create a policy and enter
qos policy policy-name N/A
policy view.
9. Associate the traffic class with classifier tcl-name behavior
N/A
the traffic behavior. behavior-name

10. Return to system view. quit N/A


• Enter Ethernet interface view:
interface interface-type
interface-number
11. Enter interface view: Use either command.
• Enter port group view:
port-group manual
port-group-name

139
Step Command Remarks
12. Apply the QoS policy to the
qos apply policy policy-name
Ethernet interface or all ports N/A
{ inbound | outbound }
in the port group.

Setting the TPID value in VLAN tags


CAUTION:
• Perform the configuration on ports (of switches in the service provider network) with customer networks
connected to them. HP recommends that you configure the qinq ethernet-type command and the qinq
enable command on the same card.
• The qinq ethernet-type command must be used with the qinq enable command.
• A card supports only one TPID value in addition to its default TPID.

To set the TPID value in VLAN tags:

Step Command Remarks


1. Enter system view. system-view N/A

• Enter Ethernet interface view or Layer 2


aggregate interface view:
2. Enter interface view or
interface interface-type interface-number Use either command.
port group view.
• Enter port group view:
port-group manual port-group-name

3. Set the TPID value in the Optional.


outer VLAN tag that the qinq ethernet-type hex-value
port adds to frames. The default setting is 0x8100.

QinQ configuration examples


IMPORTANT:
By default, Ethernet, VLAN, and aggregate interfaces are in DOWN state. Before configuring these
interfaces, use the undo shutdown command to bring them up.

Basic QinQ configuration example


Network requirements
As shown in Figure 46:
• The two branches of Company A, Site 1 and Site 2, are connected through the service provider
network and use CVLANs 10 through 70. The two branches of Company B, Site 3 and Site 4, are
connected through the service provider network and use CVLANs 30 through 90.

140
• PE 1 and PE 2 are edge devices on the service provider network and are connected through
third-party devices with a TPID value of 0x8200.
Configure the edge and third-party devices to enable communication between the branches of Company
A through SVLAN 100, and communication between the branches of Company B through SVLAN 200.
Figure 46 Network diagram

Configuration procedure

IMPORTANT:
Make sure the devices in the service provider network have been configured to allow QinQ packets to
pass through.

1. Configure PE 1:
a. Configure GigabitEthernet 4/0/1:
# Configure GigabitEthernet 4/0/1 as a trunk port and assign it to VLAN 100.
<PE1> system-view
[PE1] interface gigabitethernet 4/0/1
[PE1-GigabitEthernet4/0/1] port link-type trunk
[PE1-GigabitEthernet4/0/1] port trunk permit vlan 100
# Configure VLAN 100 as the default VLAN ID for the port.
[PE1-GigabitEthernet4/0/1] port trunk pvid vlan 100
# Enable basic QinQ on the port.
[PE1-GigabitEthernet4/0/1] qinq enable
[PE1-GigabitEthernet4/0/1] quit
b. Configure GigabitEthernet 4/0/2:
# Configure GigabitEthernet 4/0/2 as a trunk port and assign it to VLAN 100 and VLAN 200.
[PE1] interface gigabitethernet 4/0/2
[PE1-GigabitEthernet4/0/2] port link-type trunk

141
[PE1-GigabitEthernet4/0/2] port trunk permit vlan 100 200
# Set the TPID value in the outer VLAN tag to 0x8200 on the port.
[PE1-GigabitEthernet4/0/2] qinq ethernet-type 8200
[PE1-GigabitEthernet4/0/2] quit
c. Configure GigabitEthernet 4/0/3:
# Configure GigabitEthernet 4/0/3 as a trunk port and assign it to VLAN 200.
[PE1] interface gigabitethernet 4/0/3
[PE1-GigabitEthernet4/0/3] port link-type trunk
[PE1-GigabitEthernet4/0/3] port trunk permit vlan 200
# Configure VLAN 200 as the default VLAN ID for the port.
[PE1-GigabitEthernet4/0/3] port trunk pvid vlan 200
# Enable basic QinQ on the port.
[PE1-GigabitEthernet4/0/3] qinq enable
[PE1-GigabitEthernet4/0/3] quit
2. Configure PE 2:
a. Configure GigabitEthernet 4/0/1:
# Configure GigabitEthernet 4/0/1 as a trunk port and assign it to VLAN 200.
<PE2> system-view
[PE2] interface gigabitethernet 4/0/1
[PE2-GigabitEthernet4/0/1] port link-type trunk
[PE2-GigabitEthernet4/0/1] port trunk permit vlan 200
# Configure VLAN 200 as the default VLAN ID for the port.
[PE2-GigabitEthernet4/0/1] port trunk pvid vlan 200
# Enable basic QinQ on the port.
[PE2-GigabitEthernet4/0/1] qinq enable
[PE2-GigabitEthernet4/0/1] quit
b. Configure GigabitEthernet 4/0/2:
# Configure GigabitEthernet 4/0/2 as a trunk port and assign it to VLAN 100 and VLAN 200.
[PE2] interface gigabitethernet 4/0/2
[PE2-GigabitEthernet4/0/2] port link-type trunk
[PE2-GigabitEthernet4/0/2] port trunk permit vlan 100 200
# Set the TPID value in the outer VLAN tag to 0x8200 on the port.
[PE2-GigabitEthernet4/0/2] qinq ethernet-type 8200
[PE2-GigabitEthernet4/0/2] quit
c. Configure GigabitEthernet 4/0/3:
# Configure GigabitEthernet 4/0/3 as a trunk port and assign it to VLAN 100.
[PE2] interface gigabitethernet 4/0/3
[PE2-GigabitEthernet4/0/3] port link-type trunk
[PE2-GigabitEthernet4/0/3] port trunk permit vlan 100
# Configure VLAN 100 as the default VLAN ID for the port.
[PE2-GigabitEthernet4/0/3] port trunk pvid vlan 100
# Enable basic QinQ on the port.
[PE2-GigabitEthernet4/0/3] qinq enable
[PE2-GigabitEthernet4/0/3] quit

142
3. On the third-party devices between PE 1 and PE 2, configure the port connecting to PE 1 and that
connecting to PE 2 to allow tagged frames of VLAN 100 and VLAN 200 to pass through.

Selective QinQ configuration example


Network requirements
As shown in Figure 47:
• Provider A and Provider B are service provider network access switches that connect the user
network.
• The user network is divided into VLAN 10 and VLAN 20.
Configure selective QinQ so that frames from the user network can pass through the service provider
network tagged with SVLAN 100.
Figure 47 Network diagram

Configuration procedure

IMPORTANT:
Because the packets in the customer network are single-tagged, when you configure match criteria for
packets, you must use the if-match service-vlan-id vlan-id-list command (which matches the outermost
VLAN tags) rather than the if-match customer-vlan-id vlan-id-list command (which matches the inner
VLAN tags of double-tagged packets).

1. Configure Provider A:
# Configure an uplink policy to tag SVLAN 100 for frames from the user network.
<ProviderA> system-view
[ProviderA] traffic classifier nest operator or
[ProviderA-classifier-nest] if-match service-vlan-id 10 20
[ProviderA-classifier-nest] quit
[ProviderA] traffic behavior nest
[ProviderA-behavior-nest] nest top-most vlan-id 100
[ProviderA-behavior-nest] quit
[ProviderA] qos policy nest
[ProviderA-qospolicy-nest] classifier nest behavior nest
[ProviderA-qospolicy-nest] quit

143
# Configure port GigabitEthernet 4/0/1 to allow frames of VLAN 100 to pass through untagged.
[ProviderA] interface gigabitethernet 4/0/1
[ProviderA-GigabitEthernet4/0/1] port link-type hybrid
[ProviderA-GigabitEthernet4/0/1] port hybrid vlan 100 untagged
# Apply the uplink policy to the inbound direction of GigabitEthernet 4/0/1.
[ProviderA-GigabitEthernet4/0/1] qos apply policy nest inbound
[ProviderA-GigabitEthernet4/0/1] quit
# Configure port GigabitEthernet 4/0/2 to allow frames of VLAN 100 to pass through.
[ProviderA] interface gigabitethernet 4/0/2
[ProviderA-GigabitEthernet4/0/2] port link-type trunk
[ProviderA-GigabitEthernet4/0/2] port trunk permit vlan 100
2. Configure Provider B as you configure Provider A.

144
Configuring VLAN mapping

The Layer 3 Ethernet interfaces of the switch do not support VLAN mapping.

Overview
VLAN mapping re-marks VLAN tagged traffic with new VLAN IDs. The switch provides the following
types of VLAN mapping:
• One-to-one VLAN mapping—Replaces one VLAN tag with another. You can use one-to-one VLAN
mapping to sub-classify traffic from a particular VLAN for granular QoS control, or adapt the VLAN
schemes of two service providers.
• One-to-two VLAN mapping—Tags single-tagged packets with an outer VLAN tag. One-to-two
VLAN mapping expands the VLAN tag space, and enables a service provider and its customers to
independently assign VLANs without the risk of VLAN assignment conflicts.
• Two-to-two VLAN mapping—Replaces the outer and inner VLAN IDs of double tagged traffic with
a new pair of VLAN IDs. The switch supports replacing only the outer VLAN ID. You can use
two-to-two VLAN mapping on the switch to enable two remote sites in the same VLAN to
communicate at Layer 2 across two service provider networks that use different VLAN assignment
schemes.

Application scenario of one-to-one VLAN mapping


Figure 48 shows an application scenario in which a customer uses a VLAN scheme different than the
service provider. For example, the customer uses VLAN 10 to transmit voice traffic, whereas the service
provider uses VLAN 100. Switch A must replace the VLAN 10 tag of incoming traffic with the VLAN 100
tag, before transmitting the traffic in the service provider network.
Figure 48 Application scenario of one-to-one VLAN mapping

145
Application scenario of one-to-two and two-to-two VLAN
mapping
Figure 49 shows a typical application scenario in which two remote sites in VPN A, Site 1 and Site 2,
must communicate across two SP networks, SP 1 and SP 2.
Figure 49 Application scenario of one-to-two and two-to-two VLAN mapping

Site 1 and Site 2 are in VLAN 2. The VLAN assigned to VPN A is VLAN 10 in the SP 1 network and
VLAN 20 in the SP 2 network.
If Site 1 sends a packet to Site 2, the packet is processed on the way to its destination using the following
workflow:
1. When the packet tagged with VLAN 2 arrives at the edge of network SP 1, PE 1 tags the packet
with outer VLAN 10 by using one-to-two VLAN mapping.
2. When the double-tagged packet enters the SP 2 network, PE 3 replaces the outer VLAN tag (VLAN
10) with VLAN 20 by performing two-to-two VLAN mapping.
3. When PE4 receives the packet with outer VLAN tag 20, it removes the outer VLAN tag and
forwards the packet to VLAN 2.
You can use QinQ to implement one-to-two VLAN mapping. For more information about QinQ, see
"Configuring QinQ."

Concepts and terms


Figure 50 shows a simplified network to help explain the concepts and terms that you may encounter
when working with VLAN mapping.

146
Figure 50 Basic concepts of VLAN mapping

SP

Network-side port
Customer-side port
Uplink traffic
Downlink traffic

• Uplink traffic—Traffic transmitted from the customer network to the service provider network.
• Downlink traffic—Traffic transmitted from the service provider network to the customer network.
• Network-side port—A port connected to or closer to the service provider network.
• Customer-side port—A port connected to or closer to the customer network.
• Uplink policy—A QoS policy that defines VLAN mapping rules for uplink traffic.
• Downlink policy—A QoS policy that defines VLAN mapping rules for downlink traffic.
• Customer VLANs (CVLANs)—VLANs assigned to customers.
• Service provider VLANs (SVLANs)—VLANs assigned for transmitting traffic across the service
provider network.
For more information about QoS policies, see ACL and QoS Configuration Guide.

VLAN mapping implementations


This section describes how VLAN mapping is implemented on the switch.

One-to-one VLAN mapping


Implement one-to-one VLAN mapping through the following configurations, as shown in Figure 51:
• Apply an uplink policy to the incoming traffic on the customer-side port, mapping each CVLAN ID
to a unique SVLAN ID. When a packet arrives, the switch replaces its CVLAN ID with the matching
SVLAN ID.
• Apply a downlink policy to the outgoing traffic, mapping each SVLAN ID back to its corresponding
CVLAN ID. When forwarding a packet out of the port, the switch replaces its SVLAN ID with the
matching CVLAN ID.

147
Figure 51 One-to-one VLAN mapping implementation

One-to-two VLAN mapping


Implement one-to-two VLAN mapping through the following configurations, as shown in Figure 52:
• Apply an uplink policy to the incoming traffic on the customer-side port to tag the incoming packets
from a certain CVLAN with an outer SVLAN tag.
• Configure the customer-side port as a hybrid port, and assign the port to SVLANs as an untagged
member. When the port forwards the packets from these SVLANs, it removes their SVLAN tag.
Figure 52 One-to-two VLAN mapping

Two-to-two VLAN mapping


Implement two-to-two VLAN mapping through the following configurations, as shown in Figure 53.
• For uplink traffic, apply an inbound policy on the customer-side port to replace the SVLAN with a
new SVLAN, and apply an outbound policy on the network-side port to replace the CVLAN with a
new CVLAN.
• For downlink traffic, apply an outbound policy on the customer-side port to replace the double tags
with the original VLAN tag pair.

148
Figure 53 Two-to-two VLAN mapping implementation

VLAN mapping configuration task list


Use the VLAN mapping methods as appropriate to the roles of your switches in the network.

Task Switch role


Configuring one-to-one VLAN mapping Access switch in an SP network (see Figure 48)

Edge switch between SP networks, for example, PE 1


Configuring one-to-two VLAN mapping
and PE 4 in Figure 49

Edge switch between SP networks, for example, PE 3


Configuring two-to-two VLAN mapping
in Figure 49

Configuring one-to-one VLAN mapping


Task Description
Configuring an uplink policy Creates CVLAN-to-SVLAN mappings (required).

Configuring a downlink policy Creates SVLAN-to-CVLAN mappings (required).

Configures settings required for one-to-one VLAN


Configuring the customer-side port
mapping (required).

Configures VLAN settings required for normal


Configuring the network-side port
communication (required).

Configuration prerequisites
Create CVLANs and SVLANs, and plan CVLAN-SVLAN mappings.

Configuring an uplink policy


To configure an uplink policy to map each CVLAN to a unique SVLAN:

Step Command Remarks


1. Enter system view. system-view N/A

149
Step Command Remarks
a. Create a class and enter class
view: Repeat these steps to configure
traffic classifier tcl-name one class for each CVLAN.
[ operator { and | or } ]
In one-to-one VLAN mapping,
2. Configure one class for a b. Specify one CVLAN as the the if-match service-vlan-id
CVLAN. match criterion: command is for matching both
if-match service-vlan-id CVLANs and SVLANs, because
vlan-id-value the switch uses the command for
c. Return to system view: matching the outmost VLAN tag.
quit

a. Create a traffic behavior and


enter traffic behavior view:
traffic behavior
behavior-name
3. Configure one behavior for Repeat these steps to configure
b. Configure an SVLAN marking
an SVLAN. one behavior for each SVLAN.
action:
remark service-vlan-id vlan-id
c. Return to system view:
quit

4. Create a QoS policy and


qos policy policy-name N/A
enter QoS policy view.
5. Associate the class with the Repeat these steps to create
classifier tcl-name behavior
behavior to map the CVLAN other CVLAN-to-SVLAN
behavior-name
to the SVLAN. mappings.

Configuring a downlink policy


To configure a downlink policy to map SVLANs back to CVLANs:

Step Command Remarks


1. Enter system view. system-view N/A
a. Create a class and enter class
view:
traffic classifier tcl-name
[ operator { and | or } ]
2. Configure one class for an b. Specify one SVLAN as the Repeat these steps to configure
SVLAN. match criterion: one class for each SVLAN.
if-match service-vlan-id
vlan-id
c. Return to system view:
quit

150
Step Command Remarks
a. Create a traffic behavior and
Repeat these steps to configure
enter traffic behavior view:
a behavior for each CVLAN.
traffic behavior
behavior-name In one-to-one VLAN mapping,
3. Configure one behavior for a b. Configure an SVLAN marking the remark service-vlan-id
CVLAN. action: command is for marking both
remark service-vlan-id the CVLAN and SVLAN tags,
vlan-id-value because the switch uses the
command for marking the
c. Return to system view:
outmost VLAN tag.
quit
4. Create a QoS policy and
qos policy policy-name N/A
enter QoS policy view.
N/A
5. Associate the class with the
classifier tcl-name behavior Repeat these steps to create
behavior to map the SVLAN
behavior-name other CVLAN-to-SVLAN
to the CVLAN.
mappings.

Configuring the customer-side port


Step Command Remarks
1. Enter system view. system-view N/A

interface interface-type
2. Enter Ethernet interface view. N/A
interface-number

3. Configure the link type of the The default link type of an


port link-type { hybrid | trunk }
port. Ethernet port is access.

• As a hybrid port:
port hybrid vlan vlan-id-list tagged
4. Assign the port to the By default, ports of any link
CVLANs. • As a trunk port: type permit VLAN 1.
port trunk permit vlan { vlan-id-list |
all }

5. Apply the uplink policy to the


qos apply policy policy-name inbound N/A
incoming traffic.
6. Apply the downlink policy to qos apply policy policy-name
N/A
the outgoing traffic. outbound

Configuring the network-side port


Step Command Remarks
1. Enter system view. system-view N/A

interface interface-type
2. Enter Ethernet interface view. N/A
interface-number

3. Configure the link type of the The default link type of ports is
port link-type { hybrid | trunk }
port. access.

151
Step Command Remarks

• As a hybrid port:
port hybrid vlan vlan-id-list tagged
4. Assign the port to the By default, ports of any link
SVLANs. • As a trunk port: type permit VLAN 1.
port trunk permit vlan { vlan-id-list |
all }

Configuring one-to-two VLAN mapping


Perform one-to-two VLAN mapping on the edge switches from which customer traffic enters SP networks,
on PE 1 and PE 4 in Figure 49 for example. One-to-two VLAN mapping enables the edge devices to
insert an outer VLAN tag to each incoming VLAN-tagged packet.
Perform these tasks to configure one-to-two VLAN mapping:

Task Description
Configuring an uplink policy Configures an uplink policy for the customer-side port (required).

Configures VLAN and other settings required for one-to-two VLAN


Configuring the customer-side port
mapping (required).

Configures VLAN and other settings required for one-to-two VLAN


Configuring the network-side port
mapping (required).

Configuration prerequisites
Create VLANs, and plan CVLAN-to-SVLAN mappings.

Configuring an uplink policy


To configure an uplink policy to insert an SVLAN to VLAN tagged packets:

Step Command Remarks


1. Enter system view. system-view N/A
a. Create a class and enter
class view:
traffic classifier tcl-name
[ operator { and | or } ]
2. Configure one class for a b. Specify one CVLAN as the
N/A
CVLAN. match criterion:
if-match service-vlan-id
vlan-id-value
c. Return to system view:
quit

152
Step Command Remarks
a. Create a traffic behavior
and enter traffic behavior
view:
traffic behavior
behavior-name
b. Add a VLAN nest action to
3. Configure one behavior for insert an outer VLAN tag Repeat these steps to configure one
an SVLAN. into the incoming packets behavior for each SVLAN.
from the CVLAN or
CVLANs:
nest top-most vlan-id
vlan-id-value
c. Return to system view:
quit
4. Create a QoS policy and
qos policy policy-name N/A
enter QoS policy view.
N/A
5. Associate the class with the classifier tcl-name behavior Repeat this step to create
behavior. behavior-name class-behavior associations for
other CVLANs.

Configuring the customer-side port


Step Command Remarks
1. Enter system view. system-view N/A

interface interface-type
2. Enter Ethernet interface view. N/A
interface-number

3. Configure the port as a hybrid The default link type of an Ethernet


port link-type hybrid
port. port is access.

4. Assign the port to the SVLANs port hybrid vlan vlan-id-list By default, a hybrid port is an
as an untagged member. untagged untagged member of only VLAN 1.
5. Assign the port to the
CVLANs as a tagged port hybrid vlan vlan-id-list tagged N/A
member.
6. Apply the uplink policy to the qos apply policy policy-name
N/A
incoming traffic. inbound

Configuring the network-side port


Step Command Remarks
1. Enter system view. system-view N/A

interface interface-type
2. Enter Ethernet interface view. N/A
interface-number

153
Step Command Remarks
• Configure the port as a trunk
port:
3. Configure the link type of the port link-type trunk The default link type of an Ethernet
port. • Configure the port as a hybrid port is access.
port:
port link-type hybrid
• As a trunk port:
By default:
port trunk permit vlan
{ vlan-id-list | all } • A trunk port is assigned to only
4. Assign the port to all SVLANs. VLAN 1.
• As a hybrid port:
port hybrid vlan vlan-id-list • A hybrid port is an untagged
tagged member of VLAN 1.

Configuring two-to-two VLAN mapping


Perform two-to-two VLAN mapping on an edge device that connects two SP networks, for example, on
PE 3 in Figure 49. The two-to-two VLAN mapping implementation of the switch enables two remote sites
in the same VLAN to communicate at Layer 2 across two service provider networks that use different
VLAN assignment schemes.
In two-to-two VLAN mapping, foreign SVLANs refer to the outer VLANs of double-tagged frames that
arrive at the customer-side port, local VLANs refer to VLANs that replace the foreign SVLANs, and
CVLANs refer to inner VLANs.
Perform these tasks to configure two-to-two VLAN mapping:

Task Description
Configuring an uplink policy for the Replaces foreign SVLANs with local SVLANs for uplink traffic
customer-side port (required).

Configuring a downlink policy for the


Replaces local SVLANs with foreign SVLANs (required).
customer-side port

Configures VLAN and other settings required for two-to-two VLAN


Configuring the customer-side port
mapping (required).

Configures VLAN and other settings required for two-to-two VLAN


Configuring the network-side port
mapping (required).

Configuring an uplink policy for the customer-side port


The uplink policy on the customer-side port changes the SVLAN ID of incoming traffic.
To configure an uplink policy for the customer-side port:

Step Command Remarks


1. Enter system view. system-view N/A

154
Step Command Remarks
a. Create a class and enter class
view:
traffic classifier tcl-name
[ operator { and | or } ]
b. Specify one CVLAN as the
match criterion: Repeat these steps to
2. Configure one class for a CVLAN if-match customer-vlan-id create one class for each
and a SVLAN. vlan-id-value CVLAN and foreign
c. Specify one SVLAN as the SVLAN pair.
match criterion:
if-match service-vlan-id
vlan-id-value
d. Return to system view:
quit
a. Create a traffic behavior and
enter traffic behavior view:
traffic behavior
behavior-name
Repeat these steps to
b. Configure an SVLAN marking
configure one SVLAN
3. Configure one behavior for an action to replace the foreign
marking action for each
SVLAN. SVLAN ID with a local SVLAN
CVLAN and foreign
ID:
SVLAN pair.
remark service-vlan-id
vlan-id-value
c. Return to system view:
quit
4. Create a QoS policy and enter
qos policy policy-name N/A
QoS policy view.

Repeat this step to create


5. Associate the class with the classifier tcl-name behavior
other class-behavior
behavior. behavior-name
associations.

6. Return to system view. quit N/A

Configuring a downlink policy for the customer-side port


The downlink policy on the customer-side port replaces a local SVLAN with its corresponding foreign
SVLAN.
To configure a downlink policy for the customer-side port:

Step Command Remarks


1. Enter system view. system-view N/A

155
Step Command Remarks
a. Create a class and enter class
view:
traffic classifier tcl-name
[ operator { and | or } ]
b. Specify one CVLAN as the
match criterion:
Repeat these steps to
2. Configure one class for a CVLAN if-match customer-vlan-id
create one class for each
and a SVLAN. vlan-id-value
local SVLAN pair.
c. Specify one SVLAN as the
match criterion:
if-match service-vlan-id
vlan-id-value
d. Return to system view:
quit
a. Create a traffic behavior and
enter traffic behavior view:
traffic behavior
behavior-name
b. Configure an SVLAN marking Repeat these steps to
3. Configure one behavior for an action to replace the foreign create one VLAN marking
SVLAN. SVLAN ID with a local SVLAN behavior for each local
ID: SVLAN.
remark service-vlan-id
vlan-id-value
c. Return to system view:
quit
4. Create a QoS policy and enter
qos policy policy-name N/A
QoS policy view.

Repeat this step to create


5. Associate the class with the classifier tcl-name behavior
other class-behavior
behavior. behavior-name
associations.

6. Return to system view. quit N/A

Configuring the customer-side port


Step Command Remarks
1. Enter system view. system-view N/A

interface interface-type
2. Enter Ethernet interface view. N/A
interface-number
• Configure the port as a trunk
port:
port link-type trunk The default link type of an
3. Configure the link type of the port.
• Configure the port as a hybrid Ethernet port is access.
port:
port link-type hybrid

156
Step Command Remarks

• As a trunk port: By default:


port trunk permit vlan • A trunk port is assigned
4. Assign the port to the foreign { vlan-id-list | all } to only VLAN 1.
SVLANs. • As a hybrid port: • A hybrid port is an
port hybrid vlan vlan-id-list untagged member of
tagged VLAN 1.

5. Apply the uplink policy to the qos apply policy policy-name


N/A
incoming traffic. inbound

6. Apply the downlink policy to the qos apply policy policy-name


N/A
outgoing traffic. outbound

Configuring the network-side port


Step Command Remarks
1. Enter system view. system-view N/A

interface interface-type
2. Enter Ethernet interface view. N/A
interface-number
• Configure the port as a trunk
port:
3. Configure the link type of the port link-type trunk The default link type of an Ethernet
port. • Configure the port as a hybrid port is access.
port:
port link-type hybrid
• As a trunk port:
By default:
port trunk permit vlan
4. Assign the port to the local { vlan-id-list | all } • A trunk port is assigned to only
VLAN 1.
SVLANs. • As a hybrid port:
port hybrid vlan vlan-id-list • A hybrid port is an untagged
tagged member of VLAN 1.

VLAN mapping configuration examples


IMPORTANT:
If an Ethernet or aggregate interface is down (the default state), use the undo shutdown command to bring
it up before you configuring VLAN mapping on it.

One-to-one VLAN mapping configuration example


Network requirements
As shown in Figure 54, perform one-to-one VLAN mapping on Switch A to replace the VLAN 10 tag with
the VLAN 100 tag for transmission in the service provider network.

157
Figure 54 Network diagram

Configuring Switch A
# Create the CVLANs and SVLANs.
<SwitchA> system-view
[SwitchA] vlan 10 to 100

# Configure uplink policy p1 to map CVLAN 10 to SVLAN 100.


[SwitchA] traffic classifier c1
[SwitchA-classifier-c1] if-match service-vlan-id 10
[SwitchA-classifier-c1] quit
[SwitchA] traffic behavior b1
[SwitchA-behavior-b1] remark service-vlan-id 100
[SwitchA-behavior-b1] quit
[SwitchA] qos policy p1
[SwitchA-policy-p1] classifier c1 behavior b1
[SwitchA-policy-p1] quit

# Configure downlink policy p11 to map the SVLAN back to the CVLAN.
[SwitchA] traffic classifier c11
[SwitchA-classifier-c11] if-match service-vlan-id 100
[SwitchA-classifier-c11] quit
[SwitchA] traffic behavior b11
[SwitchA-behavior-b11] remark service-vlan-id 10
[SwitchA-behavior-b11] quit
[SwitchA] qos policy p11
[SwitchA-policy-p11] classifier c11 behavior b11
[SwitchA-policy-p11] quit

# Assign customer-side port GigabitEthernet 4/0/1 to CVLAN 10 and SVLAN 100.


[SwitchA] interface gigabitethernet 4/0/1
[SwitchA-GigabitEthernet4/0/1] port link-type trunk
[SwitchA-GigabitEthernet4/0/1] port trunk permit vlan 10 100

# Apply uplink policy p1 to the incoming traffic and downlink policy p11 to the outgoing traffic
[SwitchA-GigabitEthernet4/0/1] qos apply policy p1 inbound
[SwitchA-GigabitEthernet4/0/1] qos apply policy p11 outbound

158
# Assign network-side port GigabitEthernet 4/0/2 to the CVLAN and SVLAN.
[SwitchA] interface ethernet gigabitethernet 4/0/2
[SwitchA-GigabitEthernet4/0/2] port link-type trunk
[SwitchA-GigabitEthernet4/0/2] port trunk permit vlan 10 100

One-to-two and two-to-two VLAN mapping configuration


example
Network requirements
As shown in Figure 55, Site 1 and Site 2, two remote users in VPN A, are in VLAN 10. SP 1 assigns
VLAN 100 to VPN A, and SP 2 assigns VLAN 200 to VPN A.
Configure one-to-two and two-to-two VLAN mappings to enable the two sites to communicate across the
two SP networks.
Figure 55 Network diagram

PE 1 GE4/0/1 PE 2 GE4/0/2 GE4/0/1 PE 3 GE4/0/2 PE 4


GE4/0/2 VLAN 10, 100 VLAN 10, 100 VLAN 10, 200 VLAN 10, 200 GE4/0/2

GE4/0/1 GE4/0/1
VLAN 10, 100
SP 1 SP 2 VLAN 10, 200

VLAN 10 VLAN 10

VPN A VPN A
CE a1 Site 1 Site 2 CE a2

Configuring PE 1
# Configure uplink policy test to add outer VLAN tag 100 to VLAN 10 tagged traffic.
<PE1> system-view
[PE1] traffic classifier test
[PE1-classifier-test] if-match service-vlan-id 10
[PE1-classifier-test] quit
[PE1] traffic behavior test
[PE1-behavior-test] nest top-most vlan-id 100
[PE1-behavior-test] quit
[PE1] qos policy test
[PE1-qospolicy-test] classifier test behavior test
[PE1-qospolicy-test] quit

# Set customer-side port GigabitEthernet 4/0/1 as a hybrid port, and assign it to VLAN 100 as an
untagged member, so the port forwards VLAN 100 traffic with the VLAN tag removed. Apply uplink
policy test to the incoming traffic.
[PE1] interface gigabitethernet 4/0/1
[PE1-GigabitEthernet4/0/1] port link-type hybrid
[PE1-GigabitEthernet4/0/1] port hybrid vlan 100 untagged
[PE1-GigabitEthernet4/0/1] qos apply policy test inbound
[PE1-GigabitEthernet4/0/1] quit

159
# Set network-side port GigabitEthernet 4/0/2 as a trunk port, and assign it to VLAN 100.
[PE1] interface gigabitethernet 4/0/2
[PE1-GigabitEthernet4/0/2] port link-type trunk
[PE1-GigabitEthernet4/0/2] port trunk permit vlan 100

Configuring PE 2
# Set port GigabitEthernet 4/0/1 as a trunk port, and assign it to VLAN 100.
<PE2> system-view
[PE2] interface gigabitethernet 4/0/1
[PE2-GigabitEthernet4/0/1] port link-type trunk
[PE2-GigabitEthernet4/0/1] port trunk permit vlan 100
[PE2-GigabitEthernet4/0/1] quit

# Set port GigabitEthernet 4/0/2 as a trunk port, and assign it to VLAN 100.
[PE2] interface gigabitethernet 4/0/2
[PE2-GigabitEthernet4/0/2] port link-type trunk
[PE2-GigabitEthernet4/0/2] port trunk permit vlan 100

Configuring PE 3
# Configure uplink policy down_uplink for customer-side port GigabitEthernet 4/0/1 to substitute
SVLAN ID 200 for the SVLAN ID in the incoming traffic tagged with CVLAN 10 and SVLAN 100.
<PE3> system-view
[PE3] traffic classifier down_uplink
[PE3-classifier-down_uplink] if-match customer-vlan-id 10
[PE3-classifier-down_uplink] if-match service-vlan-id 100
[PE3-classifier-down_uplink] quit
[PE3] traffic behavior down_uplink
[PE3-behavior-down_uplink] remark service-vlan-id 200
[PE3-behavior-down_uplink] quit
[PE3] qos policy down_uplink
[PE3-qospolicy-down_uplink] classifier down_uplink behavior down_uplink
[PE3-qospolicy-down_uplink] quit

# Configure downlink policy down_downlink for customer-side port GigabitEthernet 4/0/1 to replace
the SVLAN 200 tag with the SVLAN 100 tag.
[PE3] traffic classifier down_downlink
[PE3-classifier-down_downlink] if-match customer-vlan-id 10
[PE3-classifier-down_downlink] if-match service-vlan-id 200
[PE3-classifier-down_downlink] quit
[PE3] traffic behavior down_downlink
[PE3-behavior-down_downlink] remark service-vlan-id 100
[PE3-behavior-down_downlink] quit
[PE3] qos policy down_downlink
[PE3-qospolicy-down_downlink] classifier down_downlink behavior down_downlink
[PE3-qospolicy-down_downlink] quit

# Set customer-side port GigabitEthernet 4/0/1 as a trunk port, assign it to VLAN 200, and apply uplink
policy down_uplink to the incoming traffic and downlink policy down_downlink to the outgoing traffic
on the port.
[PE3] interface gigabitethernet 4/0/1
[PE3-GigabitEthernet4/0/1] port link-type trunk

160
[PE3-GigabitEthernet4/0/1] port trunk permit vlan 200
[PE3-GigabitEthernet4/0/1] qos apply policy down_uplink inbound
[PE3-GigabitEthernet4/0/1] qos apply policy down_downlink outbound
[PE3-GigabitEthernet4/0/1] quit

# Set network-side port GigabitEthernet 4/0/2 as a trunk port, and assign it to VLAN 200.
[PE3] interface gigabitethernet 4/0/2
[PE3-GigabitEthernet4/0/2] port link-type trunk
[PE3-GigabitEthernet4/0/2] port trunk permit vlan 200
[PE3-GigabitEthernet4/0/2] quit

Configuring PE 4
# Configure uplink policy test to add outer VLAN tag 200 to VLAN 10 tagged traffic.
<PE4> system-view
[PE4] traffic classifier test
[PE4-classifier-test] if-match service-vlan-id 10
[PE4-classifier-test] quit
[PE4] traffic behavior test
[PE4-behavior-test] nest top-most vlan-id 200
[PE4-behavior-test] quit
[PE4] qos policy test
[PE4-qospolicy-test] classifier test behavior test
[PE4-qospolicy-test] quit

# Assign port GigabitEthernet 4/0/2 to VLAN 200.


[PE4] interface gigabitethernet 4/0/2
[PE4-GigabitEthernet4/0/2] port link-type trunk
[PE4-GigabitEthernet4/0/2] port trunk permit vlan 200

# Set port GigabitEthernet 4/0/1 as a hybrid port, and assign it to VLAN 200 as un untagged member,
so the port forwards VLAN 200 traffic with the VLAN tag removed. Apply uplink policy test to the
incoming traffic on the port.
[PE4] interface gigabitethernet 4/0/1
[PE4-GigabitEthernet4/0/1] port link-type hybrid
[PE4-GigabitEthernet4/0/1] port hybrid vlan 200 untagged
[PE4-GigabitEthernet4/0/1] qos apply policy test inbound

161
Configuring BPDU tunneling

Overview
As a Layer 2 tunneling technology, Bridge Protocol Data Unit (BPDU) tunneling enables Layer 2 protocol
packets from geographically dispersed customer networks to be transparently transmitted over specific
tunnels across a service provider network.

Background
Dedicated lines are used in a service provider network to build user-specific Layer 2 networks. As a result,
a user network is broken down into parts located at different sides of the service provider network. As
shown in Figure 56, User A has two devices (CE 1 and CE 2) and both devices belong to VLAN 100.
User A’s network is divided into network 1 and network 2, which are connected by the service provider
network. When a Layer 2 protocol (for example, STP) runs on both network 1 and network 2, the Layer
2 protocol packets must be transmitted over the service provider network to implement Layer 2 protocol
calculation (for example, spanning tree calculation). When receiving a Layer 2 protocol packet, the PEs
cannot determine whether the packet is from the user network or the service provider network, and must
deliver the packet to the CPU for processing. In this case, the Layer 2 protocol calculation in User A’s
network is mixed with that in the service provider network, and the user network cannot implement
independent Layer 2 protocol calculation.
Figure 56 BPDU tunneling application scenario

With BPDU tunneling, Layer 2 protocol packets from customer networks can be transparently transmitted
over the service provider network in the following workflow:
1. After receiving a Layer 2 protocol packet from CE 1, PE 1 encapsulates the packet, replaces its
destination MAC address with a specific multicast MAC address, and forwards the packet to the
service provider network.
2. The encapsulated Layer 2 protocol packet (called bridge protocol data unit, BPDU) is forwarded
to PE 2 at the other end of the service provider network, which de-encapsulates the packet, restores
the original destination MAC address of the packet, and then sends the packet to CE 2.

162
BPDU tunneling implementation
To avoid loops in your network, you can enable STP on your switch. When the topology changes at one
side of the customer network, the devices at this side of the customer network send BPDUs to devices on
the other side of the customer network to ensure consistent spanning tree calculation in the entire
customer network. However, because BPDUs are Layer 2 multicast frames, all STP-enabled devices, both
in the customer network and in the service provider network, can receive and process these BPDUs. In this
case, neither the service provider network nor the customer network can correctly calculate its
independent spanning tree.
To allow each network to calculate an independent spanning tree with STP, BPDU tunneling was
introduced.
BPDU tunneling delivers the following benefits:
• BPDUs can be transparently transmitted. BPDUs of one customer network can be broadcast in a
specific VLAN across the service provider network, allowing that customer’s geographically
dispersed networks to implement consistent spanning tree calculation across the service provider
network.
• BPDUs of different customer networks can be confined within different VLANs for transmission on
the service provider network, so each customer network can perform independent spanning tree
calculation.
Figure 57 BPDU tunneling implementation

The upper section of Figure 57 represents the service provider network (ISP network), and the lower
section, including User A network 1 and User A network 2, represents customer networks. Enabling
BPDU tunneling on edge devices (PE 1 and PE 2) in the service provider network allows BPDUs of User
A network 1 and User A network 2 to be transparently transmitted through the service provider network,
thus ensuring consistent spanning tree calculation throughout User A network, without affecting the
spanning tree calculation of the service provider network.
Assume a BPDU is sent from User A network 1 to User A network 2:
1. At the ingress of the service provider network, PE 1 changes the destination MAC address of the
BPDU from 0x0180-C200-0000 to a special multicast MAC address, 0x010F-E200-0003 (the
default multicast MAC address) for example. In the service provider network, the modified BPDU
is forwarded as a data packet in the VLAN assigned to User A.
2. At the egress of the service provider network, PE 2 recognizes the BPDU with the destination MAC
address 0x010F-E200-0003, restores its original destination MAC address 0x0180-C200-0000,
and then sends the BPDU to CE 2.

163
NOTE:
• The switch supports BPDU tunneling for the Spanning Tree Protocol (STP) only. For more information
about STP, see "Configuring spanning tree protocols."
• Make sure, through configuration, the VLAN tags carried in BPDUs are neither changed nor removed
during the transparent transmission in the service provider network; otherwise, the devices in the service
provider network will fail to transparently transmit the customer network BPDUs correctly.

Configuration prerequisites
• Enable STP in the customer networks before configuring BPDU tunneling for STP.
• Before enabling BPDU tunneling for STP on a port, disable STP on the port.
• Assign the port on which you want to enable BPDU tunneling on the PE device and the connected
port on the CE device to the same VLAN.
• Configure ports connecting network devices in the service provider network as trunk ports allowing
packets of any VLAN to pass through.

Enabling BPDU tunneling


Step Command Remarks
1. Enter system view. system-view N/A

Use either command.


• Enter Ethernet or • Settings made in interface view
aggregate interface view: take effect only on the current port.
interface interface-type • Settings made in aggregate
2. Enter interface view or port
interface-number interface view take effect only on
group view.
• Enter port group view: the aggregate interface.
port-group manual • Settings made in port group view
port-group-name take effect on all ports in the port
group.
3. Disable STP on the ports. stp disable N/A

4. Enable BPDU tunneling for STP By default, BPDU tunneling for STP is
bpdu-tunnel dot1q stp
on the ports. disabled.

Configuring destination multicast MAC address for


BPDUs
By default, the destination multicast MAC address for BPDUs is 0x010F-E200-0003. You can change it
to 0x0100-0CCD-CDD0, 0x0100-0CCD-CDD1 or 0x0100-0CCD-CDD2 through the following
configuration.
To configure destination multicast MAC address for BPDUs:

Step Command Remarks


1. Enter system view. system-view N/A

164
Step Command Remarks
2. Configure the destination Optional.
bpdu-tunnel tunnel-dmac
multicast MAC address for The default setting is
mac-address
BPDUs. 0x010F-E200-0003.

NOTE:
For BPDUs to be recognized, the destination multicast MAC addresses configured for BPDU tunneling must
be the same on the edge devices on the service provider network.

BPDU tunneling configuration example


IMPORTANT:
By default, Ethernet, VLAN, and aggregate interfaces are in DOWN state. Before configuring these
interfaces, use the undo shutdown command to bring them up.

Network requirements
As shown in Figure 58:
• CE 1 and CE 2 are edges devices on the geographically dispersed network of User A; PE 1 and PE
2 are edge devices on the service provider network.
• All ports that connect service provider devices and customer devices are access ports and belong
to VLAN 2; all ports that interconnect service provider devices are trunk ports and allow packets of
any VLAN to pass through.
• MSTP is enabled on User A’s network.
Configure BPDU tunneling, so that CE 1 and CE 2 implement consistent spanning tree calculation across
the service provider network and that the destination multicast MAC address carried in BPDUs be
0x0100-0CCD-CDD0.
Figure 58 Network diagram

Configuration procedure
1. Configure PE 1:
# Configure the destination multicast MAC address for BPDUs as 0x0100-0CCD-CDD0.

165
<PE1> system-view
[PE1] bpdu-tunnel tunnel-dmac 0100-0ccd-cdd0
# Create VLAN 2 and assign GigabitEthernet 4/0/1 to VLAN 2.
[PE1] vlan 2
[PE1-vlan2] quit
[PE1] interface gigabitethernet 4/0/1
[PE1-GigabitEthernet4/0/1] port access vlan 2
# Disable STP on GigabitEthernet 4/0/1, and then enable BPDU tunneling for STP on it.
[PE1-GigabitEthernet4/0/1] stp disable
[PE1-GigabitEthernet4/0/1] bpdu-tunnel dot1q stp
2. Configure PE 2:
# Configure the destination multicast MAC address for BPDUs as 0x0100-0CCD-CDD0.
<PE2> system-view
[PE2] bpdu-tunnel tunnel-dmac 0100-0ccd-cdd0
# Create VLAN 2 and assign GigabitEthernet 4/0/2 to VLAN 2.
[PE2] vlan 2
[PE2-vlan2] quit
[PE2] interface gigabitethernet 4/0/2
[PE2-GigabitEthernet4/0/2] port access vlan 2
# Disable STP on GigabitEthernet 4/0/2, and then enable BPDU tunneling for STP on it.
[PE2-GigabitEthernet4/0/2] stp disable
[PE2-GigabitEthernet4/0/2] bpdu-tunnel dot1q stp

166
Configuring GVRP

The Generic Attribute Registration Protocol (GARP) provides a generic framework whereby devices in a
bridged LAN, such as end stations and switches, can register and deregister attribute values. The GARP
VLAN Registration Protocol (GVRP) is a GARP application that registers and deregisters VLAN attributes.
GVRP uses the operating mechanism of GARP to maintain and propagate dynamic VLAN registration
information for the GVRP devices on the network.

Overview
GARP
GARP provides a mechanism that allows participants in a GARP application to distribute, propagate,
and register with other participants in a LAN the attributes specific to the GARP application, such as the
VLAN or multicast address attributes.

How GARP works


Each port that participates in a GARP application (GVRP for example) is a GARP participant.
Through the GARP mechanism, the attribute information of GARP participants is rapidly propagated
across the entire LAN. As shown in Figure 59, a GARP participant registers and deregisters its attribute
information with other GARP participants by sending and withdrawing declarations, and registers and
deregisters the attribute information of other participants according to the declarations and withdrawals
it receives.
Figure 59 How GARP works

For example, GVRP registers and deregisters VLAN attributes as follows:


• When a port receives a declaration for a VLAN attribute, it registers the VLAN attribute carried in
the declaration, and joins the VLAN.
• When a port receives a withdrawal for a VLAN attribute, it deregisters the VLAN attribute carried
in the withdrawal, and leaves the VLAN.

GARP messages
A GARP participant exchanges information with other GARP participants by sending GARP messages,
including Join, Leave, and LeaveAll. These messages work together to ensure the registration and

167
de-registration of attribute information. As a GARP application, GVRP also uses GARP messages for
information exchange.
1. Join messages
A GARP participant sends Join messages when it wishes to declare its attribute values or receives
Join messages from other GARP participants. There are two types of Join messages: JoinEmpty and
JoinIn.
{ A GARP participant sends a JoinEmpty message to declare an attribute not registered on it.
{ A GARP participant sends a JoinIn message to declare an attribute registered on it.
2. Leave messages
A GARP participant sends Leave messages when it wishes to withdraw declarations of its attribute
values, or receives Leave messages from other participants. There are two types of Leave
messages: LeaveEmpty and LeaveIn.
{ A GARP participant sends a LeaveEmpty message to deregister an attribute not registered on
it.
{ A GARP participant sends a LeaveIn message to deregister an attribute registered on it.
3. LeaveAll messages
A GARP participant sends a LeaveAll message when it declares that it is deregistering all attribute
values or receives LeaveAll messages from other participants. If any participants want to maintain
the registration for a particular attribute value, they must send a Join message.

GARP timers
GARP defines the following timers to control the sending of GARP messages:
1. Hold timer
The Hold timer sets the delay that a GARP participant waits before sending a Join or Leave
message.
When an attribute value changes or a Join or Leave message arrives, the GARP participant does
not sends the message immediately. Rather, it assembles Join and Leave messages in the least
number of GARP PDUs, and sends them out when the Hold timer expires. This timer reduces the
number of GARP PDUs and saves bandwidth.
2. Join timer
A GARP participant may declare an attribute twice to ensure reliable transmission. The Join timer
sets the interval between the two declarations.
A GARP participant starts a Join timer when it declares an attribute value or receives a JoinIn
message for the attribute value. If the GARP participant does not receive any declaration for the
attribute value when the Join timer expires, it re-declares the attribute value.
Because all attributes of a GARP participant share the same Join timer, you must set the Join timer
long enough so that all attributes can be sent out in one declaration.
3. Leave timer
A GARP participant starts a Leave timer when it receives a Leave message for an attribute value.
If the GARP participant has not received a Join message for the attribute value before the timer
expires, it deregisters the attribute value.
4. LeaveAll timer
When a GARP application is enabled, a LeaveAll timer starts. The GARP participant sends a
LeaveAll message when the timer expires. Then, the LeaveAll timer restarts to begin a new cycle.

168
The LeaveAll timer and all other GARP timers also restart when the GARP participant receives a
LeaveAll message.
Set the LeaveAll timer greater than any Leave timer and not smaller than its default value (1000
centiseconds). Each time a LeaveAll timer expires, a network-wide re-join occurs.
On a GARP-enabled network, a device may send LeaveAll messages at the interval set by its
LeaveAll timer or the LeaveAll timer of another device on the network, whichever is smaller. This is
because each time a device on the network receives a LeaveAll message it resets its LeaveAll timer.

NOTE:
• The settings of GARP timers apply to all GARP applications, such as GVRP, on a LAN.
• On a GARP-enabled network, each port of a device maintains its own Hold, Join, and Leave timers, but
only one LeaveAll timer is maintained on each device globally.
• The value ranges for the Hold, Join, Leave, and LeaveAll timers are dependent on one another. For more
information, see Table 20.

GARP PDU format


Figure 60 GARP PDU format

As shown in Figure 60, GARP PDUs use the IEEE 802.3 Ethernet frame format.
Table 19 The GARP PDU fields

Field Description Value


Protocol ID Protocol identifier for GARP. 0x0001

One or multiple messages, each


Message containing an attribute type and an N/A
attribute list.

End mark Indicates the end of a GARP PDU. 0x00

0x01 for GVRP, indicating the


Attribute type Defined by the GARP application.
VLAN ID attribute

Attribute list Contains one or multiple attributes. N/A

169
Field Description Value
Consists of an Attribute Length, an
Attribute Attribute Event, and an Attribute N/A
Value.

Length of an attribute, inclusive of


Attribute length 2 to 255 (in bytes)
the attribute length field.
• 0x00: LeaveAll event
• 0x01: JoinEmpty event
• 0x02: JoinIn event
Attribute event Event described by the attribute.
• 0x03: LeaveEmpty event
• 0x04: LeaveIn event
• 0x05: Empty event
VLAN ID for GVRP

Attribute value Attribute value. If the value of the Attribute event


field is 0x00 (LeaveAll event), the
Attribute value field is invalid.

The destination MAC addresses of GARP messages are multicast MAC addresses, and vary with GARP
applications. For example, the destination MAC address of GVRP is 01-80-C2-00-00-21. A device
distributes GARP messages to different GARP applications according to the destination MAC addresses
carried in GARP messages.

GVRP
GVRP overview
As a GARP application, GVRP enables a device to propagate local VLAN registration information to
other participant devices, and to dynamically update the VLAN registration information from other
devices to its local database, including active VLAN members and through which port they can be
reached. This makes sure all GVRP participants on a bridged LAN maintain the same VLAN registration
information. The VLAN registration information propagated by GVRP includes both manually configured
local static entries and dynamic entries from other devices.

GVRP registration modes


VLANs manually created are called static VLANs, and VLANs created by GVRP are called dynamic
VLANs. GVRP provides three registration modes on a port, including Normal, Fixed, and Forbidden. In
different registration modes, a port handles static and dynamic VLANs differently:
• Normal—Allows dynamic VLAN registration and deregistration on the trunk port, and allows the
declarations for dynamic and static VLANs to be sent.
• Fixed—Prevents dynamic VLAN registration and deregistration on the trunk port, and allows only
the declarations for static VLANs to be sent. In this mode, the trunk port, even if it is assigned to all
VLANs, allows only packets of static VLANs to pass through.
• Forbidden—Prevents dynamic VLAN registration and deregistration on the trunk port, and allows
only the declarations for VLAN 1 to be sent. In this mode, the trunk port, even if it is assigned to all
VLANs, allows only packets of VLAN 1 to pass through.

Protocols and standards


• IEEE 802.1Q, Virtual Bridged Local Area Networks

170
GVRP configuration task list
Task Remarks
Configuring GVRP functions Required.

Configuring GARP timers Optional.

NOTE:
• GVRP configuration made in Ethernet interface view or Layer-2 aggregate interface view takes effect on
the current interface only. GVRP configuration made in port group view takes effect on all the member
ports in the group.
• GVRP configuration made on a member port in an aggregation group takes effect only after the port is
removed from the aggregation group.

Configuring GVRP functions


Configuration restrictions and guidelines
• Before enabling GVRP on a port, you must enable GVRP globally. In addition, GVRP can be
configured only on trunk ports, and you must assign the involved trunk ports to all dynamic VLANs.
• GVRP is mutually exclusive with service loopback.
• GVRP can work with STP, RSTP, or MSTP CIST but not PVST. When GVRP runs on the CIST, blocked
ports on the CIST cannot receive/send GVRP packets. For more information about STP, RSTP, MSTP
CIST, and PVST, see "Configuring spanning tree protocols."
• Do not enable both GVRP and remote port mirroring. Otherwise, GVRP may register the remote
probe VLAN to unexpected ports, resulting in undesired duplicates to be received by the monitor
port. For more information about port mirroring, see Network Management and Monitoring
Configuration Guide.
• Enabling GVRP on a Layer 2 aggregate interface enables both the aggregate interface and all
selected member ports in the corresponding link aggregation group to participate in dynamic
VLAN registration and deregistration.

Configuration procedure
To configure GVRP functions on a trunk port:

Step Command Remarks


1. Enter system view. system-view N/A

By default, GVRP is
2. Enable GVRP globally. gvrp
globally disabled.

171
Step Command Remarks

• Enter Ethernet interface view


or Layer 2 aggregate interface
view:
interface interface-type
3. Enter interface view or port group view. Use either command.
interface-number
• Enter port-group view:
port-group manual
port-group-name

The default setting is


access.

4. Configure the link type of the ports as For more information


port link-type trunk about the port link-type
trunk.
trunk command, see
Layer 2—LAN Switching
Command Reference.

By default, a trunk port is


assigned to VLAN 1
only.
For more information
5. Assign the trunk ports to all VLANs. port trunk permit vlan all about the port trunk
permit vlan all
command, see Layer
2—LAN Switching
Command Reference.

By default, GVRP is
6. Enable GVRP on the ports. gvrp
disabled on ports.

Optional.
The default setting is
normal.
When you set the GVRP
7. Configure the GVRP registration mode on gvrp registration { fixed | registration mode to
the ports. forbidden | normal } forbidden, HP
recommends that you
make sure the port
allows packets from
VLAN 1 to pass through.

Configuring GARP timers


Among the four GARP timers, the LeaveAll timer is configured in system view and takes effect on all ports,
while the other three are configured on a port basis.
To configure GARP timers:

Step Command Remarks


1. Enter system view. system-view N/A

172
Step Command Remarks
Optional.
2. Configure the GARP LeaveAll
garp timer leaveall timer-value The default setting is 1000
timer.
centiseconds.

• Enter Ethernet interface view or


Layer 2 aggregate interface
Use either command.
view:
3. Enter interface view or port interface interface-type Depending on the view you
group view. interface-number accessed, the subsequent
configuration takes effect on a
• Enter port-group view:
port or all ports in a port-group.
port-group manual
port-group-name

Optional.
4. Configure the Hold timer. garp timer hold timer-value The default setting is 10
centiseconds.

Optional.
5. Configure the Join timer. garp timer join timer-value The default setting is 20
centiseconds.

Optional.
6. Configure the Leave timer. garp timer leave timer-value The default setting is 60
centiseconds.

As shown in Table 20, the value ranges for GARP timers are dependent on one another:
• If you want to set a value beyond the value range for a timer, you may change the value range by
tuning the value of another related timer.
• If you want to restore the default settings of the timers, restore the Hold timer first, and then the Join,
Leave, and LeaveAll timers.
Table 20 Dependencies of GARP timers

Timer Lower limit Upper limit


Hold 10 centiseconds No greater than half of the Join timer setting

Join No less than two times the Hold timer setting Less than half of the leave timer setting

Leave Greater than two times the Join timer setting Less than the LeaveAll timer setting

LeaveAll Greater than the Leave timer setting 32765 centiseconds

NOTE:
To keep the dynamic VLANs learned through GVRP stable, do not set the LeaveAll timer smaller than its
default value, 1000 centiseconds.

Displaying and maintaining GVRP

173
Task Command Remarks
display garp statistics [ interface
Display statistics about GARP on ports. interface-list ] [ | { begin | exclude | Available in any view.
include } regular-expression ]

display garp timer [ interface


Display GARP timers on ports. interface-list ] [ | { begin | exclude | Available in any view.
include } regular-expression ]

display gvrp local-vlan interface


Display the local VLAN information
interface-type interface-number [ | { begin Available in any view.
maintained by GVRP on ports.
| exclude | include } regular-expression ]

display gvrp state interface interface-type


Display the current GVRP state in the
interface-number vlan vlan-id [ | { begin | Available in any view.
specified VLANs on ports.
exclude | include } regular-expression ]

display gvrp statistics [ interface


Display GVRP statistics on ports. interface-list ] [ | { begin | exclude | Available in any view.
include } regular-expression ]

display gvrp status [ | { begin | exclude |


Display the global GVRP state. Available in any view.
include } regular-expression ]

display gvrp vlan-operation interface


Display the information about interface-type interface-number [ |
Available in any view.
dynamic VLAN operations on ports. { begin | exclude | include }
regular-expression ]

reset garp statistics [ interface


Clear the GARP statistics on ports. Available in user view.
interface-list ]

GVRP configuration examples


GVRP normal registration mode configuration example
Network requirements
As shown in Figure 61, enable GVRP and configure the normal registration mode on ports to enable the
registration of dynamic and static VLAN information between the two switches.
Figure 61 Network diagram

Configuration procedure
1. Configure Device A:
# Enable GVRP globally.
<DeviceA> system-view
[DeviceA] gvrp
# Configure port GigabitEthernet 3/0/1 as a trunk port, and assign it to all VLANs.
[DeviceA] interface GigabitEthernet 3/0/1
[DeviceA-GigabitEthernet3/0/1] port link-type trunk

174
[DeviceA-GigabitEthernet3/0/1] port trunk permit vlan all
# Enable GVRP on trunk port GigabitEthernet 3/0/1.
[DeviceA-GigabitEthernet3/0/1] gvrp
[DeviceA-GigabitEthernet3/0/1] quit
# Create VLAN 2 (a static VLAN).
[DeviceA] vlan 2
[DeviceA-vlan2] quit
2. Configure Device B:
# Enable GVRP globally.
<DeviceB> system-view
[DeviceB] gvrp
# Configure port GigabitEthernet 3/0/1 as a trunk port, and assign it to all VLANs.
[DeviceB] interface GigabitEthernet 3/0/1
[DeviceB-GigabitEthernet3/0/1] port link-type trunk
[DeviceB-GigabitEthernet3/0/1] port trunk permit vlan all
# Enable GVRP on trunk port GigabitEthernet 3/0/1.
[DeviceB-GigabitEthernet3/0/1] gvrp
[DeviceB-GigabitEthernet3/0/1] quit
# Create VLAN 3 (a static VLAN).
[DeviceB] vlan 3
[DeviceB-vlan3] quit
3. Verify the configuration:
Use the display gvrp local-vlan command to display the local VLAN information maintained by
GVRP on ports. For example:
# Display the local VLAN information maintained by GVRP on port GigabitEthernet 3/0/1 of
Device A.
[DeviceA] display gvrp local-vlan interface GigabitEthernet 3/0/1
Following VLANs exist in GVRP local database:
1(default),2-3
According to the output above, information about VLAN 1, static VLAN information of VLAN 2 on
the local device, and dynamic VLAN information of VLAN 3 on Device B are all registered through
GVRP.
# Display the local VLAN information maintained by GVRP on port GigabitEthernet 3/0/1 of
Device B.
[DeviceB] display gvrp local-vlan interface GigabitEthernet 3/0/1
Following VLANs exist in GVRP local database:
1(default),2-3
According to the output above, information about VLAN 1, static VLAN information of VLAN 3 on
the local device, and dynamic VLAN information of VLAN 2 on Device A are all registered through
GVRP.

GVRP fixed registration mode configuration example


Network requirements
As shown in Figure 62, enable GVRP and configure the fixed registration mode on ports to enable the
registration of static VLAN information between the two switches.

175
Figure 62 Network diagram

Configuration procedure
1. Configure Device A:
# Enable GVRP globally.
<DeviceA> system-view
[DeviceA] gvrp
# Configure port GigabitEthernet 3/0/1 as a trunk port, and assign it to all VLANs.
[DeviceA] interface GigabitEthernet 3/0/1
[DeviceA-GigabitEthernet3/0/1] port link-type trunk
[DeviceA-GigabitEthernet3/0/1] port trunk permit vlan all
# Enable GVRP on GigabitEthernet 3/0/1 and set the GVRP registration mode to fixed on the
port.
[DeviceA-GigabitEthernet3/0/1] gvrp
[DeviceA-GigabitEthernet3/0/1] gvrp registration fixed
[DeviceA-GigabitEthernet3/0/1] quit
# Create VLAN 2 (a static VLAN).
[DeviceA] vlan 2
[DeviceA-vlan2] quit
2. Configure Device B:
# Enable GVRP globally.
<DeviceB> system-view
[DeviceB] gvrp
# Configure port GigabitEthernet 3/0/1 as a trunk port, and assign it to all VLANs.
[DeviceB] interface GigabitEthernet 3/0/1
[DeviceB-GigabitEthernet3/0/1] port link-type trunk
[DeviceB-GigabitEthernet3/0/1] port trunk permit vlan all
# Enable GVRP on GigabitEthernet 3/0/1, and set the GVRP registration mode to fixed on the
port.
[DeviceB-GigabitEthernet3/0/1] gvrp
[DeviceB-GigabitEthernet3/0/1] gvrp registration fixed
[DeviceB-GigabitEthernet3/0/1] quit
# Create VLAN 3 (a static VLAN).
[DeviceB] vlan 3
[DeviceB-vlan3] quit
3. Verify the configuration:
Use the display gvrp local-vlan command to display the local VLAN information maintained by
GVRP on ports. For example:
# Display the local VLAN information maintained by GVRP on port GigabitEthernet 3/0/1 of
Device A.
[DeviceA] display gvrp local-vlan interface GigabitEthernet 3/0/1
Following VLANs exist in GVRP local database:

176
1(default), 2
According to the output above, information about VLAN 1 and static VLAN information of VLAN
2 on the local device are registered through GVRP, but dynamic VLAN information of VLAN 3 on
Device B is not.
# Display the local VLAN information maintained by GVRP on port GigabitEthernet 3/0/1 of
Device B.
[DeviceB] display gvrp local-vlan interface GigabitEthernet 3/0/1
Following VLANs exist in GVRP local database:
1(default), 3
According to the output above, information about VLAN 1 and static VLAN information of VLAN
3 on the local device are registered through GVRP, but dynamic VLAN information of VLAN 2 on
Device A is not.

GVRP forbidden registration mode configuration example


Network requirements
As shown in Figure 63, enable GVRP and configure the forbidden registration mode on ports to prevent
the registration of all VLANs but VLAN 1 between the two switches.
Figure 63 Network diagram

Configuration procedure
1. Configure Device A:
# Enable GVRP globally.
<DeviceA> system-view
[DeviceA] gvrp
# Configure port GigabitEthernet 3/0/1 as a trunk port, and assign it to all VLANs.
[DeviceA] interface GigabitEthernet 3/0/1
[DeviceA-GigabitEthernet3/0/1] port link-type trunk
[DeviceA-GigabitEthernet3/0/1] port trunk permit vlan all
# Enable GVRP on GigabitEthernet 3/0/1, and set the GVRP registration mode to forbidden on
the port.
[DeviceA-GigabitEthernet3/0/1] gvrp
[DeviceA-GigabitEthernet3/0/1] gvrp registration forbidden
[DeviceA-GigabitEthernet3/0/1] quit
# Create VLAN 2 (a static VLAN).
[DeviceA] vlan 2
[DeviceA-vlan2] quit
2. Configure Device B:
# Enable GVRP globally.
<DeviceB> system-view
[DeviceB] gvrp
# Configure port GigabitEthernet 3/0/1 as a trunk port, and assign it to all VLANs.

177
[DeviceB] interface GigabitEthernet 3/0/1
[DeviceB-GigabitEthernet3/0/1] port link-type trunk
[DeviceB-GigabitEthernet3/0/1] port trunk permit vlan all
# Enable GVRP on GigabitEthernet 3/0/1, and set the GVRP registration mode to forbidden on
the port.
[DeviceB-GigabitEthernet3/0/1] gvrp
[DeviceB-GigabitEthernet3/0/1] gvrp registration forbidden
[DeviceB-GigabitEthernet3/0/1] quit
# Create VLAN 3 (a static VLAN).
[DeviceB] vlan 3
[DeviceB-vlan3] quit
3. Verify the configuration:
Use the display gvrp local-vlan command to display the local VLAN information maintained by
GVRP on ports. For example:
# Display the local VLAN information maintained by GVRP on port GigabitEthernet 3/0/1 of
Device A.
[DeviceA] display gvrp local-vlan interface GigabitEthernet 3/0/1
Following VLANs exist in GVRP local database:
1(default)
The output shows that information about VLAN 1 is registered through GVRP, but static VLAN
information of VLAN 2 on the local device and dynamic VLAN information of VLAN 3 on Device
B are not.
# Display the local VLAN information maintained by GVRP on port GigabitEthernet 3/0/1 of
Device B.
[DeviceB] display gvrp local-vlan interface GigabitEthernet 3/0/1
Following VLANs exist in GVRP local database:
1(default)
The output shows that information about VLAN 1 is registered through GVRP, but static VLAN
information of VLAN 3 on the local device and dynamic VLAN information of VLAN 2 on Device
A are not.

178
Configuring loopback detection

Overview
Incorrect network connections or configurations may create loops at Layer 2, causing related devices to
repeatedly transmit broadcasts, multicasts, and unknown unicasts. This wastes the network resources and
sometimes even paralyzes the networks. The loopback detection mechanism timely notifies you when
loops occur, so that you can promptly check network connections and configurations and remove the
loops by automatically shutting down the looped ports. The loopback detection mechanism notifies you
of the network loop by printing logs and sending trap messages, and may shut down the looped port as
configured. For more information about logs and trap messages, see Network Management and
Monitoring Configuration Guide.

Basic concepts in loopback detection


Loopback detection frame
The switch detects loops by sending loopback detection frames and then checking whether or not these
frames return (not necessarily to the sending ports). If a port on the switch receives a loopback detection
frame sent by the switch, the port is considered looped.
Loopback detection is usually VLAN based; however, incorrect QinQ or VLAN mapping configurations
may also cause loops. Even though the VLAN information carried in loopback detection frames returned
to the switch is changed, the switch still considers the receiving ports looped. For more information about
QinQ and VLAN switching, see "Configuring QinQ" and "Configuring VLAN mapping."
Figure 64 Ethernet header of a loopback detection frame
0 15 31
DMAC

SMAC

TPID TCI

Type

Figure 64 shows the format of the Ethernet header of a loopback detection frame. The Ethernet header
contains the following fields:
• DMAC—Destination MAC address of the loopback detection frame, which is the multicast MAC
address 010F-E200-0007. When a loopback detection-enabled switch receives a frame with this
destination MAC address, it sends the frame to the CPU and broadcasts the frame in the VLAN from
which the frame was originally received.
• SMAC—Source MAC address of the loopback detection frame, which is the bridge MAC address
of the sending switch.
• TPID—Tag Protocol Identifier, type of the VLAN tag, with the value of 0x8100.
• TCI—Tag Control Information, information of the VLAN tag, including the priority and VLAN ID.
• Type—Protocol type, with the value of 0x8918.

179
Figure 65 Inner header of a loopback detection frame
0 15 31
Code Version

Length Reserved

Figure 65 shows the format of the inner header of a loopback detection frame. The inner header contains
the following fields:
• Code—Protocol sub-type, with the value of 0x0001, indicating the loopback detection protocol.
• Version—Protocol version, with the value of 0x0000, which is reserved.
• Length—Length of the loopback detection frame, including the inner header, but not the Ethernet
header.
• Reserved—This field is reserved.
Loopback detection frames are constructed in the form of TLV (type/length/value) triplets. Table 21 lists
the required and optional TLVs supported by the loopback detection mechanism.
Table 21 TLVs supported by the loopback detection mechanism

TLV Description Remarks


End of PDU TLV that indicates the end of a PDU. Optional.

Device ID TLV that indicates the bridge MAC address of the sending switch. Required.

Port ID TLV that indicates the ID of the PDU sending port. Optional.

Port Name TLV that indicates the name of the PDU sending port. Optional.

System Name TLV that indicates the switch name. Optional.

Chassis ID TLV that indicates the chassis ID of the sending port. Optional.

Slot ID TLV that indicates the slot ID of the sending port. Optional.

Loopback detection interval


Loopback detection should be a continuous process. Loopback detection frames are sent at a specified
interval, known as a loopback detection interval, to check whether loops occur on ports and whether
loops are removed.

How loopback detection works


Loopback detection actions
Loopback detection actions refer to the actions taken by the system when detecting loops. The following
actions are available:
• None—When detecting a looped port, the system takes no action on the port except printing log
information and sending trap messages. If no loopback detection frames are received within three
loopback detection intervals, the system determines that the loop is already removed, and again
prints log information to notify the user.
• Shutdown—When detecting a looped port, besides printing log information and sending trap
messages, the system also shuts down the port to disable it from receiving and sending frames
(including loopback detection frames).

180
NOTE:
A port shut down by the system during the loopback detection process can only be manually brought up
by using the undo shutdown command.

Loop status auto recovery


After the switch detects a loop on a port, the switch continues to monitor the loopback detection frames.
If no loopback detection frame is received within three times the loopback detection interval, the switch
concludes that the loop is removed and notifies the users of this event. This process is known as loop
status auto recovery.
Loop status auto recovery applies only when the loopback detection action is none. When the loopback
detection action is shutdown, the switch automatically shuts down looped ports and thus removes the
loop.
When a network loop occurs, the switch discards some of the frames to reduce the load. If the loopback
detection frames are among the discarded frames, the loop status auto recovery function on the switch
will erroneously conclude that the loop has already been removed. To avoid this, set the loopback
detection action to shutdown, or manually remove the loop when the switch reports the occurrence of the
loop if you set the loopback detection action to none.

Loopback detection configuration task list


Task Remarks
Enabling loopback detection Required

Configuring the loopback detection action Optional

Configuring the loopback detection interval Optional

Enabling loopback detection


You can enable the loopback detection function in system view or VLAN view. After you enable loopback
detection for a VLAN, the system performs loopback detection on all the ports in the VLAN.

Enabling loopback detection in system view


In system view, you can bulk enable loopback detection for multiple or all VLANs.
To enable loopback detection in system view:

Step Command Remarks


1. Enter system view. system-view N/A

2. Enable loopback detection. loopback-detection enable vlan


Disabled by default.
{ vlan-list | all }

Enabling loopback detection in VLAN view


In VLAN view, you can enable loopback detection only for the current VLAN.

181
To enable loopback detection in VLAN view:

Step Command Remarks


1. Enter system view. system-view N/A
2. Enter VLAN view. vlan vlan-id N/A
3. Enable loopback detection. loopback-detection enable Disabled by default.

NOTE:
HP recommends you not configure the port mirroring function on the member ports of a loopback
detection-enabled VLAN. For more information about port mirroring, see Network Management and
Monitoring Configuration Guide.

Configuring the loopback detection action


You can set the loopback detection action to none or shutdown as needed.
To set the loopback detection action:

Step Command Remarks


1. Enter system view. system-view N/A
2. Configure the loopback loopback-detection action { none | By default, the loopback detection
detection action. shutdown } action is none.

Configuring the loopback detection interval


With loopback detection enabled, the switch sends loopback detection frames at a specified interval.
The shorter this interval is, the faster the system can detect loops, but the more system resources will be
used. You must consider both the system performance and loopback detection speed when choosing an
appropriate interval.
To configure the loopback detection interval:

Step Command Remarks


1. Enter system view. system-view N/A
2. Configure the loopback loopback-detection interval-time
detection interval. 30 seconds by default.
interval

Displaying and maintaining loopback detection


Task Command Remarks
display loopback-detection [ |
Display the status of loopback
{ begin | exclude | include } Available in any view.
detection.
regular-expression ]

182
Loopback detection configuration example
IMPORTANT:
By default, Ethernet, VLAN, and aggregate interfaces are in DOWN state. Before configuring these
interfaces, use the undo shutdown command to bring them up.

Network requirements
As shown in Figure 66,
• Device A, Device B, and Device C form a ring-shaped network. The network administrator typically
shuts down GigabitEthernet 4/0/1 of Device B to prevent loops in the network.
• Configure loopback detection on Device A so that when a loop resulting from incorrect
configuration occurs, Device A can automatically shut down the looped port and remind the user to
check the network connections by printing log information and sending trap messages.
Figure 66 Network diagram

Configuring Device A
# Create VLAN 100 and then enable loopback detection on it.
<DeviceA> system-view
[DeviceA] vlan 100
[DeviceA-vlan100] loopback-detection enable
[DeviceA–vlan100] quit

# Configure GigabitEthernet 4/0/1 and GigabitEthernet 4/0/2 as trunk ports and assign them to
VLAN 100.
[DeviceA] interface GigabitEthernet 4/0/1
[DeviceA-GigabitEthernet4/0/1] port link-type trunk
[DeviceA-GigabitEthernet4/0/1] port trunk permit vlan 100
[DeviceA-GigabitEthernet4/0/1] quit
[DeviceA] interface GigabitEthernet 4/0/2
[DeviceA-GigabitEthernet4/0/2] port link-type trunk
[DeviceA-GigabitEthernet4/0/2] port trunk permit vlan 100
[DeviceA-GigabitEthernet4/0/2] quit

# Set the loopback detection action to shutdown.


[DeviceA] loopback-detection action shutdown

183
# Set the loopback detection interval to 35 seconds.
[DeviceA] loopback-detection interval-time 35

Configuring Device B
# Create VLAN 100.
<DeviceB> system-view
[DeviceB] vlan 100
[DeviceB–vlan100] quit

# Configure GigabitEthernet 4/0/1 and GigabitEthernet 4/0/2 as trunk ports and assign them to
VLAN 100.
[DeviceB] interface GigabitEthernet 4/0/1
[DeviceB-GigabitEthernet4/0/1] port link-type trunk
[DeviceB-GigabitEthernet4/0/1] port trunk permit vlan 100
[DeviceB-GigabitEthernet4/0/1] quit
[DeviceB] interface GigabitEthernet 4/0/2
[DeviceB-GigabitEthernet4/0/2] port link-type trunk
[DeviceB-GigabitEthernet4/0/2] port trunk permit vlan 100
[DeviceB-GigabitEthernet4/0/2] quit

# Shut down GigabitEthernet 4/0/1 to prevent loops.


[DeviceB] interface GigabitEthernet 4/0/1
[DeviceB-GigabitEthernet4/0/1] shutdown
[DeviceB-GigabitEthernet4/0/1] quit

Configuring Device C
# Create VLAN 100.
<DeviceC> system-view
[DeviceC] vlan 100
[DeviceC–vlan100] quit

# Configure GigabitEthernet 4/0/1 and GigabitEthernet 4/0/2 as trunk ports and assign them to
VLAN 100.
[DeviceB] interface GigabitEthernet 4/0/1
[DeviceB-GigabitEthernet4/0/1] port link-type trunk
[DeviceB-GigabitEthernet4/0/1] port trunk permit vlan 100
[DeviceB-GigabitEthernet4/0/1] quit
[DeviceB] interface GigabitEthernet 4/0/2
[DeviceB-GigabitEthernet4/0/2] port link-type trunk
[DeviceB-GigabitEthernet4/0/2] port trunk permit vlan 100
[DeviceB-GigabitEthernet4/0/2] quit

Verifying the configuration


After the configurations are completed, you can use the display loopback-detection command to check
the status of loopback detection on each device.
# Display the loopback detection status on Device A.
[DeviceA] display loopback-detection
Loopback-detection is running.
Detection interval is 30 second(s).
Action mode: Shutdown
Loopback-detection is enabled on the following VLAN(s):

184
100
No loopback is detected on any interface.

The output shows that loopback detection is enabled on Device A, and no looped ports are detected.
# Display the loopback detection status on Device B.
[DeviceB] display loopback-detection
Loopback-detection is not running.

# Display the loopback detection status on Device C.


[DeviceC] display loopback-detection
Loopback-detection is not running.

The output shows that loopback detection is not enabled on Device B or Device C.
Assume that later on, GigabitEthernet 4/0/1 of Device B is brought up by the network administrator by
mistake. Within a loopback detection interval, Device A will detect a loop on ports GigabitEthernet
4/0/1 and GigabitEthernet 4/0/2. Consequently, it automatically shuts down the ports and prints the
following log information:
[DeviceA]
%Feb 24 15:04:29:663 2010 DeviceA LPDT/4/LOOPED:Slot=4;
Loopback exists on GigabitEthernet4/0/1.
%Feb 24 15:04:29:667 2009 DeviceA LPDT/4/LOOPED:Slot=1;
Loopback exists on GigabitEthernet4/0/2.
%Feb 24 15:04:44:243 2010 DeviceA LPDT/4/RECOVERED:Slot=4;
Loopback on GigabitEthernet4/0/1 recovered.
%Feb 24 15:04:44:248 2009 DeviceA LPDT/4/RECOVERED:Slot=1;
Loopback on GigabitEthernet4/0/2 recovered.

When you see the log information above, use the display loopback-detection command again to display
the loopback detection status on Device A.
# Display the loopback detection operating status on Device A.
[DeviceA] display loopback-detection
Loopback-detection is running.
Detection interval is 35 second(s).
Action mode: Shutdown
Loopback-detection is enabled on the following VLAN(s):
100
No loopback is detected on any interface.

The output shows that no loop is detected on GigabitEthernet 4/0/1 and GigabitEthernet 4/0/2. The
reason is that the loopback detection action is set to shutdown, in which case, the two ports are
automatically shut down when a loop occurs on them. The shutdown action removes the loop. Use the
display interface command to display the status information of GigabitEthernet 4/0/1 and
GigabitEthernet 4/0/2 on Device A:
# Display the status information of GigabitEthernet 4/0/1 on Device A.
[DeviceA] display interface gigabitethernet 4/0/1
GigabitEthernet 4/0/1 current state: DOWN ( Loopback detection-protected )
...

# Display the status information of GigabitEthernet 4/0/2 on Device A.


[DeviceA] display interface gigabitethernet 4/0/2
GigabitEthernet 4/0/2 current state: DOWN ( Loopback detection-protected )

185
...

The output above shows that GigabitEthernet 4/0/1 and GigabitEthernet 4/0/2 have already been
shut down by the loopback detection module.

186
Configuring VLAN termination

The switch does not support QinQ termination when it is operating in standard mode. For more
information about the commands of system operating modes, see Fundamentals Command Reference.

Overview
VLAN termination assigns a received VLAN-tagged packet to the corresponding interface according to
its VLAN tag, and then the interface removes its VLAN tags, and forwards it through Layer 3 or processes
it in another way. Before sending a packet, the port adds VLAN tags to the packet according to the
VLAN termination configuration on the port.

VLAN termination types


VLAN termination includes the following types:
• Dot1q termination—Terminates packets which carry one or more layers of VLAN tags and whose
outermost VLAN tag matches the number of the receiving VLAN interface. Packets sent out of the
VLAN interface are tagged with the ID of that VLAN. By default, Dot1q termination is enabled on
all VLAN interfaces.
• QinQ termination—Terminates packets which carry two or more layers of VLAN tags and whose
outermost VLAN tag matches the number of the receiving VLAN interface. Packets sent out of a
QinQ termination interface are double-tagged.

Application scenarios
Inter-VLAN communication
Hosts in different VLANs cannot directly communicate with each other. You can use Layer 3 routing to
allow all VLANs to communicate. To allow the specified VLANs to communicate, configure VLAN
termination on VLAN interfaces.
As shown in Figure 67, Host A belongs to VLAN 2, Host B belongs to VLAN 3, and Host C belongs to
VLAN 4. Create VLAN-interface 2 and VLAN-interface 3 on the device, and specify Host A's gateway
IP address as 1.1.1.1/24 and Host B's gateway IP address as 1.1.2.1/24. With the configuration, Host A
and Host B can communicate at Layer 3 through VLAN interfaces. When VLAN-interface 2 receives a
packet from Host A, the interface removes the VLAN tag 2 of the packet and forwards the packet to
VLAN-interface 3. VLAN-interface 3 then tags the packet with VLAN 3 and forwards it to Host B. The
packet sent from Host B to Host A is processed in the same way.
Because VLAN-interface 4 is not created on the device, the device cannot terminate packets from Host C.
As a result, Host C cannot communicate with Host A or Host B.

187
Figure 67 VLAN termination for inter-VLAN communication

LAN-WAN communication
Most packets sent out of LANs carry VLAN tags, but some WAN protocols such as ATM, Frame Relay,
and PPP cannot recognize VLAN-tagged packets. Therefore, before sending VLAN-tagged packets to a
WAN, the sending port must locally record VLAN information and remove VLAN tags from the packets.
VLAN termination can help implement this purpose. You can configure VLAN interfaces to enable
LAN-WAN communication.
As shown in Figure 68, the VLANs of the customer network are called customer VLANs (CVLANs), and
the VLANs of the service provider network are called service provider VLANs (SVLANs). When a packet
carrying a CVLAN tag enters the service provider network, it is tagged with a SVLAN tag, and
forwarded based on the SVLAN tag. When the packet is to be forwarded to an external WAN, the
gateway (Device) must perform VLAN termination for the packet and remove the two layers of VLAN tags
from the packet before sending the packet to the WAN.
Figure 68 VLAN termination enables LAN-WAN communication

VLAN termination networking solutions


The following QinQ termination networking solutions are available.

188
Traditional solution
As shown in Figure 69, configure the QinQ feature on the distribution layer devices and configure QinQ
termination on core layer devices. In a configuration example, the traditional networking solution is used
unless the lite solution is marked for the configuration example.
Figure 69 Traditional QinQ termination networking solution
Core layer
Create a VLAN Device
interface for QinQ
termination

L2 Switch B
Distribution layer
L2 Switch C
Enable QinQ and assign
SVLANs

Access layer
L2 Switch A
Assign CVLANs
Server group

VLAN 11 VLAN 12 VLAN 13

Lite solution
As shown in Figure 70, configure both the QinQ feature and QinQ termination on core layer devices,
and you do not need to configure the distribution layer devices. When you use the lite solution and create
a VLAN interface on the core layer devices for QinQ termination, make sure the inner VLAN IDs (CVLAN
IDs) to be terminated do not include the VLAN interface number.
Figure 70 Lite QinQ termination networking solution
Core layer
Create a VLAN interface Device
for QinQ termination

Access port
Enable QinQ and assign SVLANs

Access layer L2 Switch B


L2 Switch A
Assign CVLANs

Server group

VLAN 11 VLAN 12 VLAN 13

189
VLAN termination configuration task list
Task Remarks

Configuring QinQ Configuring unambiguous QinQ termination


Use at least one approach.
termination Configuring ambiguous QinQ termination

Enabling a VLAN termination-enabled interface to transmit broadcast and


Optional.
multicast packets

Configuring the TPID for VLAN-tagged packets Optional.

Configuring QinQ termination


Based on the range of outermost two layers of VLAN IDs in the VLAN-tagged packets that can be
terminated by an interface, QinQ termination falls into the following categories:
• Unambiguous QinQ termination—Terminates packets whose outermost VLAN ID matches the
number of the receiving VLAN interface, and prohibits any other VLAN-tagged packet from passing
through this VLAN interface. When the interface receives such a packet, it removes the outermost
two layers of VLAN tags of the packet. When the interface sends out a packet, it tags the packet
with two layers of VLAN IDs, of which the outer VLAN ID is the VLAN interface number and the
inner VLAN ID is a specified value.
• Ambiguous QinQ termination—Terminates packets whose outermost VLAN tag matches the
number of the receiving VLAN interface, and prohibits any other VLAN-tagged packets from
passing through this VLAN interface. When the interface receives such a packet, it removes the
outermost two layers of VLAN tags of the packet. When the interface sends a packet, it tags the
packet with two layers of VLAN IDs, of which the outer VLAN ID is the VLAN interface number and
the inner VLAN ID is determined as follows:
{ For a DHCP relay packet, the inner VLAN ID is obtained by searching the DHCP relay agent
bindings.
{ For an IPv4 or MPLS packet, the inner VLAN ID is obtained by searching the ARP table with a
specified destination IP address.

IMPORTANT:
To obtain correct VLAN ID, make sure the Layer 2 physical interface to which the VLAN interface is bound
maintains the most recent ARP entries. To do that, execute the reset arp interface command in user view
on the Layer 2 physical interface when the QinQ termination configuration on the VLAN interface is
changed. For more information about this command, see Layer 3—IP Services Command Reference.

Configuring unambiguous QinQ termination


Step Command Remarks
1. Enter system view. system-view N/A

interface vlan-interface
2. Enter VLAN interface view. N/A
interface-number

190
Step Command Remarks
By default, QinQ termination is
3. Enable QinQ termination on disabled and the interface processes
the interface and specify the only the outermost VLAN tag of
VLAN ID that the interface packets.
second-dot1q vlan-id
adds to packets as the inner
VLAN tag before sending A VLAN interface always adds its
them out. interface number as the outer VLAN
tag to the packets it sends out.

Configuring ambiguous QinQ termination


Step Command Remarks
1. Enter system view. system-view N/A

interface vlan-interface
2. Enter VLAN interface view. N/A
interface-number

By default, QinQ termination is


3. Enable QinQ termination on disabled and the interface processes
the interface and specify a list only the outermost VLAN tag of
of VLAN IDs that the interface packets.
second-dot1q { vlan-list | any }
can add to packets as the
inner VLAN tag before A VLAN interface always adds its
sending them out. interface number as the outer VLAN
tag to the packets it sends out.

Enabling a VLAN termination-enabled interface to


transmit broadcast and multicast packets
By default, an ambiguous QinQ termination-enabled interface drops broadcast and multicast packets
they receive, instead of transmitting them. You can enable an interface configured with ambiguous QinQ
termination to transmit broadcast and multicast packets.
To enable a VLAN termination-enabled interface to transmit broadcast and multicast packets:

Step Command Remarks


1. Enter system view. system-view N/A

interface vlan-interface
2. Enter VLAN interface view. N/A
interface-number

By default, an ambiguous QinQ


3. Enable the interface to
termination-enabled interface does
transmit broadcast and vlan-termination broadcast enable
not transmit broadcast and
multicast packets.
multicast packets.

Configuring the TPID for VLAN-tagged packets


To configure VLAN termination on a VLAN interface, set the TPID value in the outermost VLAN tag of
packets received and sent by the Layer 2 physical interface bound to that VLAN interface. With the

191
configuration, the VLAN interface checks the TPID value in the outermost VLAN tag of each received
packet, and then processes the packet as a VLAN-tagged packet only when the TPID value matches the
configured value.
If the TPID is not specified, the TPID value in the outermost VLAN tag of packets has a default value of
0x8100. For information about setting the TPID value in the VLAN tag of packets on a Layer 2 physical
interface, see "Configuring QinQ."
You can set a non-default TPID value only for a QinQ termination network only in the Lite solution.

VLAN termination configuration examples


NOTE:
By default, Ethernet interfaces, VLAN interfaces, and aggregate interfaces are in DOWN state. To
configure such an interface, use the undo shutdown command to bring it up first.

Unambiguous QinQ termination configuration example


Network requirements
As shown in Figure 71, Host A connects to Layer 2 Switch A and belongs to VLAN 11. Host B connects to
Layer 2 Switch D, which supports only single VLAN-tagged packets. With QinQ enabled, Layer 2 Switch
B adds an outer VLAN tag 100 to packets whose inner VLAN ID is 11 before forwarding the packets.
Configure QinQ termination so that Host A can communicate with Host B.
Figure 71 Network diagram

Configuration considerations
Configure unambiguous QinQ termination to enable Layer 3 communication between Host A Host B
through VLAN interfaces. The following process describes how a packet is transmitted from Host A to
Host B:
• Host A sends out the packet.
• Layer 2 Switch A adds VLAN 11 to the packet and forwards the single-tagged packet to Layer 2
Switch B.

192
• Layer 2 Switch B receives the packet on GigabitEthernet 4/0/2, adds VLAN 100 to the packet as
the outer VLAN tag, and forwards the double-tagged packet to Layer 3 Switch C through a trunk
port.
• Layer 3 Switch C receives the packet on VLAN-interface 100, which is the gateway of Host A,
removes the two layers of VLAN tags of the packet, and forwards the packet to the gateway of Host
B, which is VLAN-interface 2.
• VLAN-interface 2 adds VLAN 2 to the packet and forwards the single-tagged packet to the access
port GigabitEthernet 3/0/2.
• Port GigabitEthernet 3/0/2 removes the default VLAN tag (VLAN 2) of the packet and forwards the
packet to Layer 2 Switch D.
• Layer 2 Switch D forwards the packet to Host B.

Configuration procedure
1. Configure Host A and Host B:
{ Configure Host A's IP address as 1.1.1.1/24, and gateway IP address as 1.1.1.11/24.
{ Configure Host B's IP address as 1.1.2.1/24, and gateway IP address as 1.1.2.11/24.
2. Configure Layer 2 Switch A:
# Assign GigabitEthernet 3/0/2 to VLAN 11.
<L2_SwitchA> system-view
[L2_SwitchA] vlan 11
[L2_SwitchA-vlan11] port GigabitEthernet 3/0/2
[L2_SwitchA-vlan11] quit
# Configure GigabitEthernet 3/0/1 as a hybrid port, assign the port to VLAN 11 as a tagged
member, and assign the port to VLAN 100 as an untagged member.
[L2_SwitchA] interface GigabitEthernet 3/0/1
[L2_SwitchA-GigabitEthernet3/0/1] port link-type hybrid
[L2_SwitchA-GigabitEthernet3/0/1] port hybrid vlan 11 tagged
[L2_SwitchA-GigabitEthernet3/0/1] port hybrid vlan 100 untagged
3. Configure Layer 2 Switch B:
# Configure GigabitEthernet 4/0/2 as a trunk port and assign the port to VLAN 100.
<L2_SwitchB> system-view
[L2_SwitchB] interface GigabitEthernet 4/0/2
[L2_SwitchB-GigabitEthernet4/0/2] port link-type trunk
[L2_SwitchB-GigabitEthernet4/0/2] port trunk permit vlan 100
# Configure VLAN 100 as the PVID of GigabitEthernet 4/0/2, enable QinQ on the port to add
outer VLAN tag 100 to the received packets.
[L2_SwitchB-GigabitEthernet4/0/2] port trunk pvid vlan 100
[L2_SwitchB-GigabitEthernet4/0/2] qinq enable
[L2_SwitchB-GigabitEthernet4/0/2] quit
# Configure GigabitEthernet 4/0/1 as a trunk port and assign the port to VLAN 100.
[L2_SwitchB] interface GigabitEthernet 4/0/1
[L2_SwitchB-GigabitEthernet4/0/1] port link-type trunk
[L2_SwitchB-GigabitEthernet4/0/1] port trunk permit vlan 100
4. Configure Layer 3 Switch C:
# Create VLAN-interface 100 and assign an IP address to the interface.
<L3_SwitchC> system-view

193
[L3_SwitchC] vlan 100
[L3_SwitchC-vlan100] quit
[L3_SwitchC] interface vlan-interface 100
[L3_SwitchC-Vlan-interface100] ip address 1.1.1.11 255.255.255.0
# Enable QinQ termination on VLAN-interface 100 to remove the outermost two layers of VLAN
tags for packets whose outermost VLAN tag is 100, and configure the interface to add inner VLAN
tag 11 to packets before sending them out.
[L3_SwitchC-Vlan-interface100] second-dot1q 11
[L3_SwitchC-Vlan-interface100] quit
# Configure GigabitEthernet 3/0/1 as a trunk port, and assign the port to VLAN 100.
[L3_SwitchC] interface GigabitEthernet 3/0/1
[L3_SwitchC-GigabitEthernet3/0/1] port link-type trunk
[L3_SwitchC-GigabitEthernet3/0/1] port trunk permit vlan 100
[L3_SwitchC-GigabitEthernet3/0/1] quit
# Create VLAN-interface 2 and assign an IP address to the interface.
[L3_SwitchC] vlan 2
[L3_SwitchC-vlan2] quit
[L3_SwitchC] interface vlan-interface 2
[L3_SwitchC-Vlan-interface2] ip address 1.1.2.11 255.255.255.0
[L3_SwitchC-Vlan-interface2] quit
# Assign GigabitEthernet 3/0/2 to VLAN 2.
[L3_SwitchC] interface GigabitEthernet 3/0/2
[L3_SwitchC-GigabitEthernet3/0/2] port access vlan 2
5. Use the factory configuration of Layer 2 Switch D.

Ambiguous QinQ termination configuration example


Network requirements
As shown in Figure 72, Host A, Host B, and Host C belong to VLAN 11, VLAN 12, and VLAN 13,
respectively. The server group is connected to Switch C. QinQ is enabled on Switch B.
Configure QinQ termination, so that Host A, Host B, and Host C can communicate with the server group.

194
Figure 72 Network diagram

Configuration procedure
1. Configure Host A, Host B, and Host C:
{ Configure the IP addresses of Host A, Host B, and Host C as 1.1.1.1/24, 1.1.1.2/24, and
1.1.1.3/24, respectively.
{ Configure the gateway address as 1.1.1.11/24 for the hosts.
2. Configure Layer 2 Switch A:
# Assign GigabitEthernet 3/0/1 to VLAN 11.
<L2_SwitchA> system-view
[L2_SwitchA] vlan 11
[L2_SwitchA-vlan11] port GigabitEthernet 3/0/1
[L2_SwitchA-vlan11] quit
# Assign GigabitEthernet 3/0/2 to VLAN 12.
[L2_SwitchA] vlan 12
[L2_SwitchA-vlan12] port GigabitEthernet 3/0/2
[L2_SwitchA-vlan12] quit
# Assign GigabitEthernet 3/0/3 to VLAN 13.
[L2_SwitchA] vlan 13
[L2_SwitchA-vlan13] port GigabitEthernet 3/0/3
[L2_SwitchA-vlan13] quit
# Configure GigabitEthernet 3/0/7 as a hybrid port, assign the port to VLANs 11 through 13 as
a tagged member, and assign the port to VLAN 100 as an untagged member.
[L2_SwitchA] interface GigabitEthernet 3/0/7
[L2_SwitchA-GigabitEthernet3/0/7] port link-type hybrid
[L2_SwitchA-GigabitEthernet3/0/7] port hybrid vlan 11 to 13 tagged
[L2_SwitchA-GigabitEthernet3/0/7] port hybrid vlan 100 untagged
3. Configure Layer 2 Switch B:

195
# Configure GigabitEthernet 4/0/2 as a trunk port, and assign the port to VLAN 100.
<L2_SwitchB> system-view
[L2_SwitchB] interface GigabitEthernet 4/0/2
[L2_SwitchB-GigabitEthernet4/0/2] port link-type trunk
[L2_SwitchB-GigabitEthernet4/0/2] port trunk permit vlan 100
# Configure VLAN 100 as the PVID of GigabitEthernet 4/0/2, enable QinQ on the port to add
outer VLAN tag 100 to the received packets.
[L2_SwitchB-GigabitEthernet4/0/2] port trunk pvid vlan 100
[L2_SwitchB-GigabitEthernet4/0/2] qinq enable
[L2_SwitchB-GigabitEthernet4/0/2] quit
# Configure GigabitEthernet 4/0/1 as a trunk port and assign the port to VLAN 100.
[L2_SwitchB] interface GigabitEthernet 4/0/1
[L2_SwitchB-GigabitEthernet4/0/1] port link-type trunk
[L2_SwitchB-GigabitEthernet4/0/1] port trunk permit vlan 100
4. Configure Layer 3 Switch C:
# Create VLAN-interface 100 and assign an IP address to the interface.
<L3_SwitchC> system-view
[L3_SwitchC] vlan 100
[L3_SwitchC-vlan100] quit
[L3_SwitchC] interface vlan-interface 100
[L3_SwitchC-Vlan-interface100] ip address 1.1.1.11 255.255.255.0
# Configure VLAN-interface 100 to remove the outermost two layers of VLAN tags for packets
whose outermost VLAN tag is 100, and configure the interface to add inner VLAN tag 11, 12, or
13 to packets before sending them out.
[L3_SwitchC-Vlan-interface100] second-dot1q 11 to 13
[L3_SwitchC-Vlan-interface100] quit
# Configure GigabitEthernet 3/0/1 as a trunk port, and assign the port to VLAN 100.
[L3_SwitchC] interface GigabitEthernet 3/0/1
[L3_SwitchC-GigabitEthernet3/0/1] port link-type trunk
[L3_SwitchC-GigabitEthernet3/0/1] port trunk permit vlan 100
[L3_SwitchC-GigabitEthernet3/0/1] quit
# Create VLAN-interface 2 and assign an IP address to the interface.
[L3_SwitchC] vlan 2
[L3_SwitchC-vlan2] quit
[L3_SwitchC] interface vlan-interface 2
[L3_SwitchC-Vlan-interface2] ip address 1.1.2.11 255.255.255.0
[L3_SwitchC-Vlan-interface2] quit
# Assign GigabitEthernet 3/0/2 to VLAN 2.
[L3_SwitchC] interface GigabitEthernet 3/0/2
[L3_SwitchC-GigabitEthernet3/0/2] port access vlan 2
5. Use the factory configuration of Layer 2 Switch D.
6. Assign each server in the server group an IP address on the network segment 1.1.2.0/24 and
configure the gateway IP address as 1.1.2.11/24.

196
Ambiguous QinQ termination configuration example (lite
solution)
In this example, customer network VLANs (CVLANs), also called inner VLANs, refer to the VLANs that
a customer uses on the private network. Service provider network VLANs (SVLANs), also called outer
VLANs, refer to the VLANs that a service provider uses to carry VLAN tagged traffic for customers.

Network requirements
As shown in Figure 73, Layer 3 Switch C is a core network device of a service provider. It connects to
Layer 2 Switch A and Layer 2 Switch B through access ports GigabitEthernet 3/0/1 and GigabitEthernet
3/0/2, respectively.
Layer 3 Switch C also connects to a server group through Layer 2 Switch D. Layer 2 Switch D can process
only single-tagged VLAN packets.
On customer networks A and B, Host A1 and Host A2 are assigned to CVLAN 11, Host B1 and Host B2
are assigned to CVLAN 12, and Host C2 and Host C2 are assigned to CVLAN 13.
Enable QinQ on GigabitEthernet 3/0/1 and GigabitEthernet 3/0/2 of Layer 3 Switch C to add SVLAN
100 and SVLAN 200 to packets carrying CVLANs 11 through 13 as the outermost VLAN tag, respectively,
so the packets are isolated at Layer 2.
Configure QinQ termination on the VLAN interfaces of Layer 3 Switch C to enable all hosts on the
customer networks to communicate with the server group and to enable hosts on customer network A to
communicate with hosts on customer network B at Layer 3.
Figure 73 Network diagram
Server group
L3 Switch C Vlan-int300 L2 Switch D
3.1.1.11/24
GE3/0/3

Vlan-int100 Vlan-int200
1.1.1.11/24 2.1.1.11/24
GE3/0/1 GE3/0/2
VLAN 100 VLAN 200
QinQ enabled QinQ enabled

L2 Switch A GE1/0/7 L2 Switch B


Customer Customer
network A network B
GE1/0/1 GE1/0/3

GE1/0/2

VLAN 11 VLAN 12 VLAN 13 VLAN 11 VLAN 12 VLAN 13

Host A1 Host B1 Host C1 Host A2 Host B2 Host C2


1.1.1.1/24 1.1.1.2/24 1.1.1.3/24 2.1.1.1/24 2.1.1.2/24 2.1.1.3/24

Configuration considerations and guidelines


Make sure the number of the current VLAN interface is excluded from the inner VLAN ID range. For
example, when you configure the second-dot1q { vlan-list | any } command on VLAN-interface 100,
make sure vlan-list does not include 100 and do not use the any keyword.

197
The following process describes how a packet is transmitted from Host A1 to Host B2:
• Host A1 sends out the packet.
• Layer 2 Switch A adds VLAN 11 to the packet and forwards the single-tagged packet to Layer 3
Switch C.
• Layer 3 Switch C receives the packet on GigabitEthernet 3/0/1, adds VLAN 100 to the packet as
the outer VLAN tag, and forwards the double-tagged packet to VLAN-interface 100, which is the
gateway of Host A1.
• VLAN-interface 100 removes the two layers of VLAN tags of the packet and forwards the packet to
the gateway of Host B2, which is VLAN-interface 200.
• VLAN-interface 200 searches the ARP table for the VLAN ID (VLAN 12) mapped to Host B2, adds
outer VLAN tag 200 and inner VLAN tag 12 to the packet, and forwards the double-tagged packet
to the access port GigabitEthernet 3/0/2.
• Port GigabitEthernet 3/0/2 removes the default VLAN tag (VLAN 200) of the packet and forwards
the packet tagged with VLAN 12 to Layer 2 Switch B.
• Layer 2 Switch B forwards the packet to Host B2 in VLAN 12.

Configuration procedure
1. Configure hosts:
{ Configure Host A1's IP address as 1.1.1.1/24, Host B1's IP address as 1.1.1.2/24, Host C1's IP
address as 1.1.1.3/24, and their gateway IP address as 1.1.1.11/24.
{ Configure Host A2's IP address as 2.1.1.1/24, Host B2's IP address as 2.1.1.2/24, Host C2's IP
address as 2.1.1.3/24, and their gateway IP address as 2.1.1.11/24.
2. Configure Layer 2 Switch A:
# Assign GigabitEthernet 1/0/1 to VLAN 11.
<L2_SwitchA> system-view
[L2_SwitchA] vlan 11
[L2_SwitchA-vlan11] port GigabitEthernet 1/0/1
[L2_SwitchA-vlan11] quit
# Assign GigabitEthernet 1/0/2 to VLAN 12.
[L2_SwitchA] vlan 12
[L2_SwitchA-vlan12] port GigabitEthernet 1/0/2
[L2_SwitchA-vlan12] quit
# Assign GigabitEthernet 1/0/3 to VLAN 13.
[L2_SwitchA] vlan 13
[L2_SwitchA-vlan13] port GigabitEthernet 1/0/3
[L2_SwitchA-vlan13] quit
# Configure GigabitEthernet 1/0/7 as a trunk port and assign the port to VLANs 11 through 13.
[L2_SwitchA] interface GigabitEthernet 1/0/7
[L2_SwitchA-GigabitEthernet1/0/7] port link-type trunk
[L2_SwitchA-GigabitEthernet1/0/7] port trunk permit vlan 11 to 13
3. Configure Layer 2 Switch B in the same way as you configure Layer 2 Switch A.
4. Configure Layer 3 Switch C:
# Assign GigabitEthernet 3/0/1 to VLAN 100 and enable QinQ on the interface to tag the
received packets with the PVID.
[L3_SwitchC] vlan 100

198
[L3_SwitchC-vlan100] quit
[L3_SwitchC] interface GigabitEthernet 3/0/1
[L3_SwitchC-GigabitEthernet3/0/1] port access vlan 100
[L3_SwitchC-GigabitEthernet3/0/1] qinq enable
[L3_SwitchC-GigabitEthernet3/0/1] quit
# Create VLAN-interface 100, assign an IP address to the interface, enable QinQ termination on
the interface, and specify VLANs 11 through 13 as the inner VLAN tags that can be added to
packets.
[L3_SwitchC] interface vlan-interface 100
[L3_SwitchC-Vlan-interface100] ip address 1.1.1.11 255.255.255.0
[L3_SwitchC-Vlan-interface100] second-dot1q 11 to 13
[L3_SwitchC-Vlan-interface100] quit
# Assign GigabitEthernet 3/0/2 to VLAN 200, and enable QinQ on the interface to tag the
received packets with the PVID.
[L3_SwitchC] vlan 200
[L3_SwitchC-vlan200] quit
[L3_SwitchC] interface GigabitEthernet 3/0/2
[L3_SwitchC-GigabitEthernet3/0/2] port access vlan 200
[L3_SwitchC-GigabitEthernet3/0/2] qinq enable
[L3_SwitchC-GigabitEthernet3/0/2] quit
# Create VLAN-interface 200, assign an IP address to the interface, enable QinQ termination on
the interface, and specify VLANs 11 through 13 as the inner VLAN tags that can be added to
packets.
[L3_SwitchC] interface vlan-interface 200
[L3_SwitchC-Vlan-interface200] ip address 2.1.1.11 255.255.255.0
[L3_SwitchC-Vlan-interface200] second-dot1q 11 to 13
[L3_SwitchC-Vlan-interface200] quit
# Assign GigabitEthernet 3/0/3 to VLAN 300.
[L3_SwitchC] vlan 300
[L3_SwitchC-vlan300] interface GigabitEthernet 3/0/3
[L3_SwitchC-vlan300] quit
# Create VLAN-interface 300 and assign an IP address to the interface.
[L3_SwitchC] interface vlan-interface 300
[L3_SwitchC-Vlan-interface300] ip address 3.1.1.11 255.255.255.0
[L3_SwitchC-Vlan-interface300] quit
5. Use the factory configuration of Layer 2 Switch D.
6. Assign each server in the server group an IP address on the network segment 3.1.1.0/24 and
configure the gateway IP address as 3.1.1.11/24.

Configuration example for QinQ termination supporting DHCP


relay
Network requirements
As shown in Figure 74:
• Provider A and Provider B are edge devices on the service provider network.
• DHCP client A and DHCP client B are devices on the customer networks.

199
• Provider A is the DHCP relay agent and Provider B is the DHCP server.
• Provider A and Provider B communicate with each other through Layer 3 interfaces.
The expected results after the configuration are:
• DHCP relay agent Provider A receives double-tagged packets sent from DHCP clients, terminates
these packets by removing their inner and outer VLAN tags, and forwards the packets to DHCP
server Provider B through the service provider network.
• DHCP client A and client B can apply for IP addresses and related network configuration
parameters from Provider B through the service provider network.
Figure 74 Network diagram

Configuration procedure
1. Configure DHCP relay agent Provider A:
# Enable DHCP service.
<ProviderA> system-view
[ProviderA] dhcp enable
# Create the DHCP server group.
[ProviderA] dhcp relay server-group 1 ip 10.2.1.1
# Create VLAN-interface 100.
[ProviderA] vlan 100
[ProviderA-vlan100] quit
[ProviderA] interface vlan-interface 100
# Enable QinQ termination on the interface and specify VLANs 10 and 20 as the inner VLAN tags
that can be added to packets.
[ProviderA-Vlan-interface100] second-dot1q 10 20
# Enable the VLAN interface to transmit broadcast and multicast packets.
[ProviderA-Vlan-interface100] vlan-termination broadcast enable

200
# Enable DHCP relay on the VLAN interface, select a DHCP server group, and enable address
check on the relay agent.
[ProviderA-Vlan-interface100] dhcp select relay
[ProviderA-Vlan-interface100] dhcp relay server-select 1
[ProviderA-Vlan-interface100] dhcp relay address-check enable
# Assign an IP address to the VLAN interface.
[ProviderA-Vlan-interface100] ip address 192.168.1.1 24
[ProviderA-Vlan-interface100] quit
# Configure GigabitEthernet 3/0/1 as a trunk port and assign it to VLAN 100.
[ProviderA] interface GigabitEthernet 3/0/1
[ProviderA-GigabitEthernet3/0/1] port link-type trunk
[ProviderA-GigabitEthernet3/0/1] port trunk permit vlan 100
[ProviderA-GigabitEthernet3/0/1] quit
# Assign an IP address to the interface connecting to the DHCP server.
[ProviderA] interface vlan-interface 10
[ProviderA-Vlan-interface10] ip address 10.1.1.1 24
[ProviderA-Vlan-interface10] quit
# Configure a static route to the DHCP server.
[ProviderA] ip route-static 10.2.1.1 24 10.1.1.1
2. Configure DHCP server Provider B:
# Assign an IP address to the DHCP server.
<ProviderB> system-view
[ProviderB] interface vlan-interface 20
[ProviderB-Vlan-interface20] ip address 10.2.1.1 24
[ProviderB-Vlan-interface20] quit
# Enable DHCP.
[ProviderB] dhcp enable
# Configure an IP address pool on the DHCP server.
[ProviderB] dhcp server ip-pool 1
[ProviderB-dhcp-pool-1] network 192.168.1.0 24
[ProviderB-dhcp-pool-1] gateway-list 192.168.1.1
[ProviderB-dhcp-pool-1] quit
# Configure a static route to VLAN-interface 100.
[ProviderB] ip route-static 192.168.1.1 24 10.1.1.1
3. Configure Switch A:
# Enable QinQ on uplink port GigabitEthernet 2/0/1 and configure it as a trunk port.
<SwitchA> system-view
[SwitchA] interface GigabitEthernet 2/0/1
[SwitchA-GigabitEthernet2/0/1] port link-type trunk
# Assign trunk port GigabitEthernet 2/0/1 to VLAN 100.
[SwitchA-GigabitEthernet2/0/1] port trunk permit vlan 100
[SwitchA-GigabitEthernet2/0/1] quit
# Enable QinQ on downlink port GigabitEthernet 2/0/2.
[SwitchA] interface GigabitEthernet 2/0/2
[SwitchA-GigabitEthernet2/0/2] qinq enable

201
[SwitchA-GigabitEthernet2/0/2] quit
# Enable QinQ on downlink port GigabitEthernet 2/0/3.
[SwitchA] interface GigabitEthernet 2/0/3
[SwitchA-GigabitEthernet2/0/3] qinq enable
[SwitchA-GigabitEthernet2/0/3] quit
# Assign GigabitEthernet 2/0/2 and GigabitEthernet 2/0/3 to VLAN 100.
[SwitchA] vlan 100
[SwitchA-vlan100] port GigabitEthernet 2/0/2
[SwitchA-vlan100] port GigabitEthernet 2/0/3
4. Configure Switch B:
# Add GigabitEthernet 2/0/2 to VLAN 10.
<SwitchB> system-view
[SwitchB] vlan 10
[SwitchB-vlan10] port GigabitEthernet 2/0/2
[SwitchB-vlan10] quit
# Configure GigabitEthernet 2/0/1 as a trunk port and assign it to VLAN 10.
[SwitchB] interface GigabitEthernet 2/0/1
[SwitchB-GigabitEthernet2/0/1] port link-type trunk
[SwitchB-GigabitEthernet2/0/1] port trunk permit vlan 10
5. Configure Switch C:
# Add GigabitEthernet 2/0/2 to VLAN 20.
<SwitchC> system-view
[SwitchC] vlan 20
[SwitchC-vlan20] port GigabitEthernet 2/0/2
[SwitchC-vlan20] quit
# Configure GigabitEthernet 2/0/1 as a trunk port and assign it to VLAN 20.
[SwitchC] interface GigabitEthernet 2/0/1
[SwitchC-GigabitEthernet2/0/1] port link-type trunk
[SwitchC-GigabitEthernet2/0/1] port trunk permit vlan 20

Verifying the configuration


With the previous configuration, DHCP client A and DHCP client B can obtain their respective IP
addresses from the DHCP server. You can view information about the DHCP relay agent bindings on
Provider A by using the display dhcp relay security command.

202
Configuring MAC-in-MAC

The switch does not support MAC-in-MAC when it operates in standard mode. For more information
about system operating modes, see Fundamentals Configuration Guide.

MAC-in-MAC overview
MAC-in-MAC, also known as Provider Backbone Bridge (PBB), is defined in IEEE 802.1ah. MAC-in-MAC
is a Layer-2 Virtual Private Network (VPN) technique. It encapsulates the customer MAC in the service
provider MAC, transmits the inner MAC as payload, and thus improves the expandability for Ethernet
and secures services.

Basic concepts
Figure 75 shows a typical MAC-in-MAC network. This section introduces some basic concepts of
MAC-in-MAC based on this network.
Figure 75 A typical MAC-in-MAC network

Customer Customer
network network
BEB BEB

BCB BCB

PBBN

BCB BCB

Customer Customer
BEB BEB
network network

PBN PBN

Customer Customer
network network

PBBN
As shown in Figure 75, a network using MAC-in-MAC is called a provider backbone bridge network
(PBBN) or MAC-in-MAC network. For users, a PBBN is a Layer-2 switching network where Layer-2
connections are between different nodes.

203
PBN
As shown in Figure 75, a network connecting the PBBN with the customer network is a provider bridge
network (PBN). The customer network can connect to the PBBN directly, or through a PBN.

MAC-in-MAC frame
A frame processed by MAC-in-MAC is called a MAC-in-MAC frame. For more information about the
encapsulation format of a MAC-in-MAC frame, see "MAC-in-MAC frame encapsulation."

BEB
As shown in Figure 75, a backbone edge bridge (BEB) is an edge device in the PBBN, like a PE device
in an MPLS network. The BEB encapsulates frames from the customer network by using MAC-in-MAC, or
de-encapsulates MAC-in-MAC frames from the PBBN and forwards them to the customer network.

BCB
As shown in Figure 75, a backbone core bridge (BCB) is a core device in the PBBN, like a P device in
an MPLS network. It forwards MAC-in-MAC frames according to their B-MAC and B-VLAN. A BCB device
only forwards frames and learns MAC addresses in the backbone network. It does not learn a large
number of customer MAC addresses. In this way, the network deployment costs are reduced, and the
PBBN is given better expandability.

B-MAC/B-VLAN
When encapsulating a customer frame, a BEB tags the frame with the service provider MAC address
(known as backbone MAC address, B-MAC) and service provider VLAN (known as backbone VLAN,
B-VLAN). Note that the B-MAC falls into source B-MAC and destination B-MAC. In the PBBN, a BCB
forwards MAC-in-MAC frames according to their B-MAC and B-VLAN.

Uplink port/downlink port


The port that connects the BEB to the PBBN is the uplink port, and the port that connects the BEB to the
customer network is the downlink port. After the frames from the customer network are encapsulated in
MAC-in-MAC frames, they are forwarded out of uplink ports on the BEB; after the MAC-in-MAC frames
from the PBBN are de-encapsulated, they are forwarded out of the corresponding downlink port on the
BEB according to the customer MAC.

MAC-in-MAC instance and I-SID


In the PBBN, a MAC-in-MAC instance represents a type of services provided by the service provider, and
is uniquely identified by a backbone service instance identifier (I-SID).

MAC-in-MAC frame encapsulation


Figure 76 Format of a MAC-in-MAC frame

204
Figure 76 shows the format of a MAC-in-MAC frame. Table 22 describes some key fields in the frame.
Table 22 Some key fields of a MAC-in-MAC frame

Field Full name Description


Destination B-MAC, outer destination MAC address in a
MAC-in-MAC frame. It is the MAC address of the BEB device
B-DA Backbone destination MAC address
at the destination end of the PBBN tunnel. The combination of
B-DA and B-SA is B-MAC.

Source B-MAC, outer source MAC address in a


MAC-in-MAC frame. It is the MAC address of the BEB device
B-SA Backbone source MAC address
at the source end of the PBBN tunnel. The combination of
B-DA and B-SA is B-MAC.

Outer VLAN tag in a MAC-in-MAC frame. It indicates the


VLAN information and priority information of the frame
B-Tag Backbone VLAN tag
within the PBBN. The Tag Protocol Identifier (TPID) in the
B-tag is 0x8100.

Service identifier of a MAC-in-MAC frame. The I-tag contains


the backbone service instance priority code point (I-PCP) and
backbone service instance drop eligibility indicator (I-DEI) on
I-Tag Backbone service instance tag
the BEB, backbone service instance identifier (I-SID), and the
C-DA and C-SA of the customer frame. The TPID of the I-tag is
0x88E7.

Outer VLAN tag of the frame in the PBN, which indicates the
S-Tag Service provider VLAN tag VLAN information and priority information of the frame
within the PBN.

Inner VLAN tag of the frame in the PBN, which indicates the
C-Tag Customer VLAN tag VLAN information and priority information of the frame
within the customer network.

For more information about TPID, see "Configuring VLANs."

MAC-in-MAC frame forwarding


Figure 77 MAC-in-MAC frame forwarding

205
As shown in Figure 77, a MAC-in-MAC frame is forwarded in the PBBN using the following process:
1. BEB 1 encapsulates a customer frame with the corresponding B-MAC, B-VLAN, and I-SID, and then
forwards the frame to the BCB through its uplink port.
2. BCB forwards the MAC-in-MAC frame from BEB 1 to BEB 2 according to its B-MAC and B-VLAN.
3. BEB 2 de-encapsulates the MAC-in-MAC frame from the BCB, restores the frames to a standard
Ethernet frame, and then forwards the frame out of the corresponding downlink port to the
customer network.

Protocols and standards


IEEE 802.1ah, Virtual Bridged Local Area Networks Amendment 7: Provider Backbone Bridges

MAC-in-MAC configuration task list


Perform the MAC-in-MAC-related configurations on the BEB devices only. The BCB devices simply
forward MAC-in-MAC frames according to their B-MAC and B-VLAN.
Complete the following tasks to configure MAC-in-MAC:

Task Remarks
Enabling L2VPN Required.

Creating a MAC-in-MAC instance Required.

Configuring a B-VLAN Required.

Configuring an uplink port Required.

Configuring a downlink port Required.

Applying a global CAR action Optional.

Configuring MAC-in-MAC
Enabling L2VPN
To configure MAC-in-MAC, which is a Layer-2 VPN technique, enable L2VPN first.
To enable L2VPN:

Step Command Remarks


1. Enter system view. system-view N/A
2. Enable L2VPN and enter
L2VPN view. l2vpn By default, L2VPN is disabled.

For more information about the l2vpn command, see MPLS Command Reference.

206
Creating a MAC-in-MAC instance
To create a MAC-in-MAC instance, create a virtual switch instance of the MAC-in-MAC type and specify
its I-SID. The I-SID identifies a type of services, and is the unique identifier of the MAC-in-MAC instance.
The same I-SID must be used throughout a MAC-in-MAC network. For more information about the VSI,
see MPLS Configuration Guide.
To create a MAC-in-MAC instance:

Step Command
1. Enter system view. system-view
2. Create a VSI of the MAC-in-MAC type, specify the
I-SID, and enter VSI view. vsi vsi-name minm i-sid i-sid

For more information about the vsi command, see MPLS Command Reference.

Configuring a B-VLAN
Only MAC-in-MAC instances with the same I-SID and B-VLAN can communicate. Therefore, you must
specify a B-VLAN for a MAC-in-MAC instance.
To configure a B-VLAN for a MAC-in-MAC instance:

Step Command Remarks


1. Enter system view. system-view N/A
2. Enter VSI view. vsi vsi-name minm i-sid i-sid N/A

3. Specify a B-VLAN for the By default, no B-VLAN is specified


MAC-in-MAC instance. minm bvlan vlan-id for a MAC-in-MAC service
instance.

For more information about the vsi command, see MPLS Command Reference.

NOTE:
• You can specify only one B-VLAN for a MAC-in-MAC instance, and specify the same B-VLAN for
different MAC-in-MAC instances.
• The B-VLAN must be a static, existing VLAN.

Configuring an uplink port


CAUTION:
• The uplink port configuration takes effect only after you specify a B-VLAN for the MAC-in-MAC
instance.
• To make the uplink port configuration take effect, assign them to the B-VLAN.

You can specify one or more uplink ports for a MAC-in-MAC instance. On the BEB, frames from the
customer network are encapsulated in MAC-in-MAC frames in the corresponding MAC-in-MAC
instances, and then forwarded out of the corresponding uplink ports.

207
You can configure the uplink ports in either VSI view or interface view. If the same port is configured as
an uplink port in both VSI view and interface view, the latest configuration takes effect.

Configuring an uplink port in VSI view

Step Command Remarks


1. Enter system view. system-view N/A
2. Enter VSI view. vsi vsi-name minm i-sid i-sid N/A

3. Specify an uplink port for the By default, no uplink port is


minm uplink interface-type
MAC-in-MAC instance. specified for a MAC-in-MAC
interface-number
service instance.

For more information about the vsi command, see MPLS Command Reference.

Configuring an uplink port in interface view

Step Command Remarks


1. Enter system view. system-view N/A
2. Enter Layer-2 Ethernet
interface view or Layer-2 interface interface-type
N/A
aggregate interface view. interface-number

3. Specify the port as the uplink By default, a port is not configured


port for the MAC-in-MAC minm uplink vsi vsi-name as the uplink port of any
instance. MAC-in-MAC service instance.

Configuring a downlink port


On the BEB, frames from the customer network are mapped to MAC-in-MAC instances based on the
match criteria configured on downlink ports, and MAC-in-MAC frames from the PBBN are
de-encapsulated in the corresponding MAC-in-MAC instances and then forwarded out of the
corresponding downlink ports based on their customer MAC addresses.
You can specify one or more downlink ports for a MAC-in-MAC instance.
To configure a downlink port:

Step Command Remarks


1. Enter system view. system-view N/A

2. Enter interface view. interface interface-type


N/A
interface-number
3. Create a service instance and By default, no service instance
enter service instance view. service-instance instance-id
exists on a port.

encapsulation { s-vid vlan-id


4. Configure the match criteria. By default, no match criterion is
[ only-tagged ] | port-based |
configured.
tagged | untagged }
5. Associate the service instance By default, a service instance is not
with the specified xconnect vsi vsi-name
associated with any MAC-in-MAC
MAC-in-MAC instance. [ access-mode { ethernet | vlan } ]
service instance.

208
For more information about the service-instance, encapsulation, and xconnect vsi commands, see MPLS
Command Reference.

Applying a global CAR action


You can apply a global CAR action to a service instance to rate-limit the incoming or outgoing traffic of
the service instance.
To apply a global CAR action:

Step Command Remarks


1. Enter system view. system-view N/A

2. Enter interface view. interface interface-type


N/A
interface-number
3. Enter service instance view. service-instance instance-id N/A
4. Apply a global CAR action to car { inbound | outbound } name By default, no global CAR action is
the service instance. car-name applied to a service instance.

NOTE:
If you want to configure traffic policing on an attachment circuit (AC), do that before binding it to a
MAC-in-MAC instance. For more information about an AC, see MPLS Configuration Guide.

Displaying and maintaining MAC-in-MAC


Task Command Remarks
Display the uplink connection display minm connection [ vsi vsi-name ]
information of the specified [ | { begin | exclude | include } Available in any view.
MAC-in-MAC instance. regular-expression ]

undo minm connection [ vsi vsi-name


Clear the uplink connection information
[ linkid link-id ] | { bvlan vlan-id | interface Available in user view.
of the specified MAC-in-MAC instance.
interface-type interface-number } * ]

reset service-instance statistics [ interface


Clear the service instance statistics of an interface-type interface-number
Available in user view.
interface. [ service-instance instance-id [ inbound |
outbound ] ] ]

MAC-in-MAC configuration example


NOTE:
By default, Ethernet, VLAN, and aggregate interfaces are in DOWN state. Before configuring these
interfaces, use the undo shutdown command to bring them up.

209
Network requirements
As shown in Figure 78, enable customer network A to communicate with customer network B by using the
MAC-in-MAC protocol.
Figure 78 Network diagram

Configuration procedures
1. Configure Device A:
# Create VLAN 20.
<DeviceA> system-view
[DeviceA] vlan 20
[DeviceA-vlan20] quit
# Enable L2VPN.
[DeviceA] l2vpn
[DeviceA-l2vpn] quit
# Create a VSI of the MAC-in-MAC type named aaa, specify the I-SID as 100, and configure
Ethernet encapsulation for the instance.
[DeviceA] vsi aaa minm i-sid 100
[DeviceA-vsi-aaa] encapsulation ethernet
# Specify VLAN 20 as the B-VLAN for MAC-in-MAC instance aaa.
[DeviceA-vsi-aaa] minm bvlan 20
[DeviceA-vsi-aaa] quit
# Configure port GigabitEthernet3/0/1 as a trunk port, assign it to VLAN 20, and configure it as
an uplink port of MAC-in-MAC instance aaa.
[DeviceA] interface GigabitEthernet 3/0/1
[DeviceA-GigabitEthernet3/0/1] port link-type trunk
[DeviceA-GigabitEthernet3/0/1] port trunk permit vlan 20
[DeviceA-GigabitEthernet3/0/1] minm uplink vsi aaa
[DeviceA-GigabitEthernet3/0/1] quit
# Configure port GigabitEthernet 3/0/2 as a trunk port, and assign it to all VLANs. Create service
instance 1 on port GigabitEthernet 3/0/2, configure the port-based match criteria, and associate
the service instance with MAC-in-MAC instance aaa by using the access mode of Ethernet.
[DeviceA] interface GigabitEthernet 3/0/2
[DeviceA-GigabitEthernet3/0/2] port link-type trunk
[DeviceA-GigabitEthernet3/0/2] port trunk permit vlan all
[DeviceA-GigabitEthernet3/0/2] service-instance 1

210
[DeviceA-GigabitEthernet3/0/2-srv1] encapsulation port-based
[DeviceA-GigabitEthernet3/0/2-srv1] xconnect vsi aaa access-mode ethernet
[DeviceA-GigabitEthernet3/0/2-srv1] quit
[DeviceA-GigabitEthernet3/0/2] quit
2. Configure Device B:
Configure Device B as you configure Device A. (Details not shown.)
3. Verify the configuration:
Use the display minm connection command to display the uplink connection information (that is,
the remote B-MAC information learned) of MAC-in-MAC instance aaa. For example:
# Display the uplink connection information of MAC-in-MAC instance aaa on Device A.
[DeviceA] display minm connection vsi aaa
1 connection(s) exist
VSIIndex LinkID BMAC BVLAN Interface Name State AGING TIME(s)
1 1 000f-e200-0001 20 GigabitEthernet3/0/1 Learned AGING

Troubleshooting
Symptom
The customer frames cannot be transmitted to the peer network by using MAC-in-MAC.

Analysis
• No VSI of the MAC-in-MAC type is configured on the BEB, or the configured VSI is down.
• The MAC-in-MAC configurations on the BEBs are inconsistent.
• The B-VLAN in the BEB is not created on the BCB, or the ports connecting the BEB and BCB are not
both assigned to the B-VLAN.

Solution
1. User the display vsi verbose command to display the MAC-in-MAC configuration of the VSI. If the
VSI is not configured with MAC-in-MAC, configure it. If the VSI is down, use the undo shutdown
command to bring the VSI up. For more information about the display vsi verbose command, see
MPLS Command Reference.
2. Use the display vsi verbose command on all BEBs to see whether they are consistent in the
MAC-in-MAC configuration, especially the I-SID and B-VLAN. The MAC-in-MAC configurations on
the BEBs should be consistent.
3. Use the display vlan all command on all BCBs to see whether the B-VLAN in the BEB is created on
the BCB, and whether the ports connecting the BEB and BCB are both assigned to the B-VLAN. All
ports connecting the BEB and BCB must be assigned to the VLAN.

211
Configuring LLDP

Overview
Background
In a heterogeneous network, it is important that different types of network devices from different vendors
can discover one another and exchange configuration for interoperability and management sake. A
standard configuration exchange platform was created.
The IETF drafted the Link Layer Discovery Protocol (LLDP) in IEEE 802.1AB. The protocol operates on the
data link layer to exchange device information between directly connected devices. With LLDP, a device
sends local device information (including its major functions, management IP address, device ID, and
port ID) as TLV (type, length, and value) triplets in LLDP Data Units (LLDPDUs) to the directly connected
devices, and at the same time, stores the device information received in LLDPDUs sent from the LLDP
neighbors in a standard management information base (MIB). It allows a network management system
to quickly detect and identify Layer 2 network topology changes. For more information about MIBs, see
Network Management and Monitoring Configuration Guide.

Basic concepts
LLDPDU formats
LLDP sends device information in LLDPDUs. LLDPDUs are encapsulated in Ethernet II or Subnetwork
Access Protocol (SNAP) frames.
1. Ethernet II-encapsulated LLDPDU format
Figure 79 Ethernet II-encapsulated LLDPDU format

The fields in the Ethernet II-encapsulated LLDPDU are described in Table 23.
Table 23 Fields in an Ethernet II-encapsulated LLDPDU

Field Description
MAC address to which the LLDPDU is advertised. It is fixed to
Destination MAC address
0x0180-C200-000E, a multicast MAC address.

212
Field Description
Source MAC address MAC address of the sending port.

Type Ethernet type for the upper layer protocol. It is 0x88CC for LLDP.

Data LLDPDU.

Frame check sequence, a 32-bit CRC value used to determine the validity of
FCS
the received Ethernet frame.

2. SNAP-encapsulated LLDPDU format


Figure 80 SNAP-encapsulated LLDPDU format

The fields in the SNAP-encapsulated LLDPDU are described in Table 24.


Table 24 Fields in a SNAP-encapsulated LLDPDU

Field Description
MAC address to which the LLDPDU is advertised. It is fixed at
Destination MAC address
0x0180-C200-000E, a multicast MAC address.

Source MAC address MAC address of the sending port.

SNAP type for the upper layer protocol. It is 0xAAAA-0300-0000-88CC for


Type
LLDP.

Data LLDPDU.

Frame check sequence, a 32-bit CRC value used to determine the validity of
FCS
the received Ethernet frame.

LLDPDUs
LLDP uses LLDPDUs to exchange information. An LLDPDU comprises multiple TLV sequences. Each carries
a specific type of device information, as shown in Figure 81.
Figure 81 LLDPDU encapsulation format

An LLDPDU can carry up to 28 types of TLVs. Mandatory TLVs include Chassis ID TLV, Port ID TLV, Time
To Live TLV, and End of LLDPDU TLV. Other TLVs are optional.

213
TLVs
TLVs are type, length, and value sequences that carry information elements. The type field identifies the
type of information, the length field measures the length of the information field in octets, and the value
field contains the information itself.
LLDPDU TLVs fall into the following categories:
• Basic management TLVs
• Organizationally (IEEE 802.1 and IEEE 802.3) specific TLVs
• LLDP-MED (media endpoint discovery) TLVs
Basic management TLVs are essential to device management. Organizationally specific TLVs and
LLDP-MED TLVs are used for enhanced device management; they are defined by standardization or other
organizations and are optional to LLDPDUs.
1. Basic management TLVs
Table 25 lists the basic management TLV types. Some of them must be included in every LLDPDU.
Table 25 Basic LLDP TLVs

Type Description Remarks


Chassis ID Bridge MAC address of the sending device.

ID of the sending port.

Port ID If the LLDPDU carries LLDP-MED TLVs, the port ID TLV carries the
MAC address of the sending port. If the LLDPDU carries no Mandatory.
LLDP-MED TLVs, the port ID TLV carries the port name.

Time To Live Life of the transmitted information on the receiving device.

End of LLDPDU Marks the end of the TLV sequence in the LLDPDU.

Port Description Port description of the sending port.

System Name Assigned name of the sending device.

System Description Description of the sending device.


Optional.
Identifies the primary functions of the sending device and the
System Capabilities
enabled primary functions.

Management address, and the interface number and object


Management Address
identifier (OID) associated with the address.

2. IEEE 802.1 organizationally specific TLVs


Table 26 IEEE 802.1 organizationally specific TLVs

Type Description
Port VLAN ID Port’s VLAN identifier (PVID). An LLDPDU carries only one TLV of this type.

Indicates whether the device supports protocol VLANs and, if so, what VLAN
Port And Protocol VLAN ID IDs these protocols will be associated with. An LLDPDU can carry multiple
different TLVs of this type.

Textual name of any VLAN to which the port belongs. An LLDPDU can carry
VLAN Name
multiple different TLVs of this type.

Indicates protocols supported on the port. An LLDPDU can carry multiple


Protocol Identity
different TLVs of this type.

214
Type Description
DCBX Data center bridging exchange protocol.

NOTE:
• HP devices only support receiving protocol identity TLVs.
• Layer 3 Ethernet ports do not support IEEE 802.1 organizationally specific TLVs.

3. IEEE 802.3 organizationally specific TLVs


Table 27 IEEE 802.3 organizationally specific TLVs

Type Description
Contains the bit-rate and duplex capabilities of the sending port,
MAC/PHY Configuration/Status support for auto negotiation, enabling status of auto negotiation, and
the current rate and duplex mode.

Contains the power supply capability of the port, including the Power
over Ethernet (PoE) type, which can be Power Sourcing Equipment
Power Via MDI (PSE) or Powered Device (PD), PoE mode, whether PSE power supply
is supported, whether PSE power supply is enabled, and whether the
PoE mode is controllable.

Indicates the aggregation capability of the port (whether the link is


Link Aggregation capable of being aggregated), and the aggregation status (whether
the link is in an aggregation).

Indicates the supported maximum frame size. It is now the maximum


Maximum Frame Size
transmission unit (MTU) of the port.

Power state control configured on the sending port, including the


Power Stateful Control power type of the PSE/PD, PoE sourcing/receiving priority, and PoE
sourcing/receiving power.

NOTE:
The Power Stateful Control TLV is defined in IEEE P802.3at D1.0. The later versions no longer support this
TLV. HP devices send this type of TLVs only after receiving them.

LLDP-MED TLVs
LLDP-MED TLVs provide multiple advanced applications for voice over IP (VoIP), such as basic
configuration, network policy configuration, and address and directory management. LLDP-MED TLVs
provide a cost-effective and easy-to-use solution for deploying voice devices in Ethernet. LLDP-MED TLVs
are shown in Table 28.
Table 28 LLDP-MED TLVs

Type Description
LLDP-MED Capabilities Allows a network device to advertise the LLDP-MED TLVs it supports.

Allows a network device or terminal device to advertise VLAN ID of the


Network Policy specific port, VLAN type, and the Layer 2 and Layer 3 priorities for
specific applications.

Allows a network device or terminal device to advertise power supply


Extended Power-via-MDI
capability. This TLV is an extension of the Power Via MDI TLV.

215
Type Description
Hardware Revision Allows a terminal device to advertise its hardware version.

Firmware Revision Allows a terminal device to advertise its firmware version.

Software Revision Allows a terminal device to advertise its software version.

Serial Number Allows a terminal device to advertise its serial number.

Manufacturer Name Allows a terminal device to advertise its vendor name.

Model Name Allows a terminal device to advertise its model name.

Allows a terminal device to advertise its asset ID. The typical case is
Asset ID that the user specifies the asset ID for the endpoint to facilitate
directory management and asset tracking.

Allows a network device to advertise the appropriate location


Location Identification identifier information for a terminal device to use in the context of
location-based applications.

Management address
The management address of a device is used by the network management system to identify and
manage the device for topology maintenance and network management. The management address is
encapsulated in the management address TLV.

How LLDP works


Operating modes of LLDP
LLDP can operate in one of the following modes:
• TxRx mode—A port in this mode sends and receives LLDPDUs.
• Tx mode—A port in this mode only sends LLDPDUs.
• Rx mode—A port in this mode only receives LLDPDUs.
• Disable mode—A port in this mode does not send or receive LLDPDUs.
When the LLDP operating mode of a port changes, its LLDP protocol state machine re-initializes. A
re-initialization delay, which is user configurable, prevents LLDP from being initialized too frequently
during times of frequent operating mode change. With this delay configured, before a port can initialize
LLDP, it must wait for the specified interval after the LLDP operating mode changes.

Transmitting LLDPDUs
An LLDP-enabled port operating in TxRx mode or Tx mode sends LLDPDUs to its directly connected
devices both periodically and when the local configuration changes. A frame transmit interval between
two successive LLDP frames prevents the network from being overwhelmed by LLDPDUs during times of
frequent local device information change.
This interval is shortened to 1 second in either of the following cases:
• A new neighbor is discovered. A new LLDPDU is received carrying device information new to the
local device.
• The LLDP operating mode of the port changes from Disable/Rx to TxRx or Tx.
This is the fast sending mechanism of LLDP. This feature sends a specific number of LLDPDUs at 1-second
intervals to help LLDP neighbors discover the local device as soon as possible. Then, the normal LLDPDU
transmit interval resumes.

216
Receiving LLDPDUs
An LLDP-enabled port operating in TxRx mode or Rx mode checks the validity of TLVs carried in every
received LLDPDU. If valid, the information is saved and an aging timer is set for it based on the time to
live (TTL) value in the Time to Live TLV carried in the LLDPDU. If the TTL value is zero, the information is
aged out immediately.

Protocols and standards


• IEEE 802.1AB-2005, Station and Media Access Control Connectivity Discovery
• ANSI/TIA-1057, Link Layer Discovery Protocol for Media Endpoint Devices
• DCB Capability Exchange Protocol Specification Rev 1.0
• DCB Capability Exchange Protocol Base Specification Rev 1.01

LLDP configuration task list


Task Remarks
Enabling LLDP Required.

Setting LLDP operating mode Optional.

Setting the LLDP re-initialization delay Optional.

Performing basic LLDP Enabling LLDP polling Optional.


configuration Configuring the advertisable TLVs Optional.

Configuring the management address and its encoding format Optional.

Setting other LLDP parameters Optional.

Configuring the encapsulation format for LLDPDUs Optional.

Configuring CDP compatibility Optional.

Configuring LLDP trapping Optional.

NOTE:
LLDP-related configurations made in Ethernet interface view takes effect only on the current port, and those
made in port group view takes effect on all ports in the current port group.

Performing basic LLDP configuration


Enabling LLDP
To make LLDP take effect on specific ports, you must enable LLDP both globally and on these ports.
To enable LLDP on the switch:

Step Command Remarks


1. Enter system view. system-view N/A

217
Step Command Remarks

2. Enable LLDP globally. By default, LLDP is enabled on ports,


lldp enable
but disabled globally.

• Enter Layer 2 or Layer 3


Ethernet interface view:
interface interface-type
3. Enter Ethernet interface view interface-number
or port group view. Use either command.
• Enter port group view:
port-group manual
port-group-name

Optional.
4. Enable LLDP. lldp enable
By default, LLDP is enabled on a port.

Setting LLDP operating mode


LLDP can operate in one of the following modes.
• TxRx mode—A port in this mode sends and receives LLDPDUs.
• Tx mode—A port in this mode only sends LLDPDUs.
• Rx mode—A port in this mode only receives LLDPDUs.
• Disable mode—A port in this mode does not send or receive LLDPDUs.
To set the LLDP operating mode:

Step Command Remarks


1. Enter system view. system-view N/A
• Enter Layer 2 or Layer 3 Ethernet
interface view:
2. Enter Ethernet interface view interface interface-type
or port group view. interface-number Use either command.

• Enter port group view:


port-group manual port-group-name

lldp admin-status { disable | rx | tx | Optional.


3. Set the LLDP operating mode.
txrx } The default setting is TxRx.

Setting the LLDP re-initialization delay


When the LLDP operating mode changes on a port, the port initializes the protocol state machines after
a re-initialization delay. By adjusting the LLDP re-initialization delay, you can avoid frequent
initializations caused by frequent LLDP operating mode changes on a port.
To set the LLDP re-initialization delay for ports:

Step Command Remarks


1. Enter system view. system-view N/A

218
Step Command Remarks
2. Set the LLDP re-initialization Optional.
delay. lldp timer reinit-delay delay
The default setting is 2 seconds.

Enabling LLDP polling


With LLDP polling enabled, the switch periodically checks for local configuration changes. Upon
detecting a configuration change, the switch sends LLDPDUs to inform neighboring switches of the
change.
To enable LLDP polling on the specified port or ports:

Step Command Remarks


1. Enter system view. system-view N/A
• Enter Layer 2 or Layer 3 Ethernet
interface view:
interface interface-type
2. Enter Ethernet interface view or interface-number
port group view. Use either command.
• Enter port group view:
port-group manual
port-group-name

3. Enable LLDP polling and set the By default, LLDP polling is


polling interval. lldp check-change-interval interval
disabled.

Configuring the advertisable TLVs


To configure the advertisable LLDPDU TLVs on the specified port or ports:

Step Command Remarks


1. Enter system view. system-view N/A
• Enter Layer 2 or Layer 3 Ethernet
interface view:
2. Enter Ethernet interface view or interface interface-type
port group view. interface-number Use either command.

• Enter port group view:


port-group manual port-group-name

219
Step Command Remarks
lldp tlv-enable { basic-tlv { all |
port-description | system-capability |
system-description | system-name } |
dot1-tlv { all | port-vlan-id | Optional.
protocol-vlan-id [ vlan-id ] | vlan-name
3. Configure the advertisable TLVs [ vlan-id ] } | dot3-tlv { all | By default, all types of
(Layer 2 Ethernet interface view link-aggregation | mac-physic | LLDP TLVs except location
or port group view). max-frame-size | power } | med-tlv { all identification TLVs are
| capability | inventory | location-id advertisable on a Layer 2
{ civic-address device-type country-code Ethernet port.
{ ca-type ca-value }&<1-10> |
elin-address tel-number } |
network-policy | power-over-ethernet } }

lldp tlv-enable { basic-tlv { all | Optional.


port-description | system-capability |
system-description | system-name } | By default, all types of
dot3-tlv { all | link-aggregation | LLDP TLVs, except IEEE
4. Configure the advertisable TLVs 802.1 organizationally
(Layer 3 Ethernet interface mac-physic | max-frame-size | power } |
med-tlv { all | capability | inventory | specific TLVs, network
view). policy TLVs, and location
location-id { civic-address device-type
country-code { ca-type ca-value }&<1-10> identification TLVs, are
| elin-address tel-number } | advertisable on a Layer 3
power-over-ethernet } } Ethernet port.

Configuring the management address and its encoding format


LLDP encodes the management address in numeric or character string format in management address
TLVs.
By default, management addresses are encoded in numeric format. If a neighbor encoded its
management address in character string format, you must configure the encoding format of the
management address as string on the connecting port to guarantee normal communication with the
neighbor.
To configure the management address to be advertised and its encoding format on a port or a group of
ports:

Step Command Remarks


1. Enter system view. system-view N/A
• Enter Layer 2 or Layer 3 Ethernet
interface view:
interface interface-type
2. Enter Ethernet interface view or interface-number
port group view. Use either command.
• Enter port group view:
port-group manual
port-group-name

220
Step Command Remarks
Optional.
By default, the management
address is sent through
LLDPDUs.
• For a Layer 2 Ethernet
port, the management
address is the main IP
address of the lowest-ID
VLAN carried on the
3. Allow LLDP to advertise the port. If none of the
management address in carried VLANs is
LLDPDUs and configure the lldp management-address-tlv
assigned an IP address,
advertised management [ ip-address ]
no management
address. address will be
advertised.
• For a Layer 3 Ethernet
port, the management
address is its own IP
address. If no IP address
is configured for the
Layer 3 Ethernet port, no
management address
will be advertised.

4. Configure the encoding By default, the management


format of the management lldp management-address-format string address is encoded in the
address as character string. numeric format.

Setting other LLDP parameters


The Time to Live TLV carried in an LLDPDU determines how long the device information carried in the
LLDPDU can be saved on a recipient device.
By setting the TTL multiplier, you can configure the TTL of locally sent LLDPDUs, which determines how
long information about the local device can be saved on a neighboring device. The TTL is expressed by
using the following formula:
TTL = Min (65535, (TTL multiplier × LLDPDU transmit interval))
As the expression shows, the TTL can be up to 65535 seconds. TTLs greater than 65535 will be rounded
down to 65535 seconds.

Configuration restrictions and guidelines


• Both the LLDPDU transmit interval and delay must be smaller than the TTL to make sure LLDP
neighbors can receive LLDPDUs to update information about the switch you are configuring before
it is aged out.
• HP recommends that you set the LLDPDU transmit interval to be no smaller than four times the
LLDPDU transmit delay.
• If the LLDPDU transmit delay is greater than the LLDPDU transmit interval, the switch uses the
LLDPDUs transmit delay as the transmit interval.

221
Configuration procedure
To set related LLDP parameters:

Step Command Remarks


1. Enter system view. system-view N/A

Optional.
2. Set the TTL multiplier. lldp hold-multiplier value
The default setting is 4.

3. Set the LLDPDU transmit Optional.


interval. lldp timer tx-interval interval
The default setting is 30 seconds.

Optional.
4. Set LLDPDU transmit delay. lldp timer tx-delay delay
The default setting is 2 seconds.
5. Set the number of LLDPDUs
Optional.
sent each time fast LLDPDU lldp fast-count count
transmission is triggered. The default setting is 3.

Configuring the encapsulation format for LLDPDUs


LLDPDUs can be encapsulated in Ethernet II or SNAP frames.
• With Ethernet II encapsulation configured, an LLDP port sends LLDPDUs in Ethernet II frames and
processes an incoming LLDP frame only when it is Ethernet II encapsulated.
• With SNAP encapsulation configured, an LLDP port sends LLDPDUs in SNAP frames and processes
an incoming LLDP frame only when it is SNAP encapsulated.
By default, LLDPDUs are encapsulated in Ethernet II frames. If the neighbor switches encapsulate LLDPDUs
in SNAP frames, configure the encapsulation format for LLDPDUs as SNAP to guarantee normal
communication with the neighbors.
To configure the encapsulation format for LLDPDUs:

Step Command Remarks


1. Enter system view. system-view N/A
• Enter Layer 2 or Layer 3 Ethernet
interface view:
2. Enter Ethernet interface view or interface interface-type
port group view. interface-number Use either command.

• Enter port group view:


port-group manual port-group-name

3. Configure the encapsulation Ethernet II encapsulation


format for LLDPDUs as SNAP. lldp encapsulation snap
format applies by default.

Configuring CDP compatibility


To make your switch work with Cisco IP phones, you must enable CDP compatibility.
With CDP compatibility enabled, your switch can receive and recognize CDP packets from a Cisco IP
phone and respond with CDP packets.

222
Configuration prerequisites
Before configuring CDP compatibility, perform the following configurations:
• Enable LLDP globally.
• Enable LLDP on the port connected to an IP phone and configure LLDP to operate in TxRx mode on
the port.

Configuring CDP compatibility


CDP-compatible LLDP operates in one of the follows modes:
• TxRx—CDP packets can be transmitted and received.
• Disable—CDP packets cannot be transmitted or received.
To make CDP-compatible LLDP take effect on specific ports, first enable CDP-compatible LLDP globally,
and then configure CDP-compatible LLDP to operate in TxRx mode.

NOTE:
The maximum TTL value allowed by CDP is 255 seconds. To make CDP-compatible LLDP work properly
with Cisco IP phones, make sure the product of the TTL multiplier and the LLDPDU transmit interval is less
than 255 seconds.

To enable LLDP to be compatible with CDP:

Step Command Remarks


1. Enter system view. system-view N/A
2. Enable CDP compatibility By default, CDP
globally. lldp compliance cdp
compatibility is disabled.
• Enter Layer 2 or Layer 3 Ethernet
interface view:
3. Enter Ethernet interface view interface interface-type
or port group view. interface-number Use either command.

• Enter port group view:


port-group manual port-group-name

4. Configure CDP-compatible The default setting is


LLDP to operate in TxRx mode. lldp compliance admin-status cdp txrx
disable mode.

Configuring LLDP trapping


LLDP trapping notifies the network management system (NMS) of events such as newly-detected
neighboring devices and link malfunctions.
To prevent excessive LLDP traps from being sent when topology is unstable, set a trap transmit interval for
LLDP.
To configure LLDP trapping:

223
Step Command Remarks
1. Enter system view. system-view N/A
• Enter Layer 2 or Layer 3 Ethernet
interface view:
interface interface-type
2. Enter Ethernet interface view or interface-number
port group view. Use either command.
• Enter port group view:
port-group manual
port-group-name

3. Enable LLDP trapping. By default, LLDP trapping is


lldp notification remote-change enable
disabled.
4. Return to system view. quit N/A

Optional.
5. Set the LLDP trap transmit
interval. lldp timer notification-interval interval The default setting is 5
seconds.

Displaying and maintaining LLDP


Task Command Remarks
Display the global LLDP display lldp local-information [ global |
information or the information interface interface-type interface-number ] [ |
Available in any view.
contained in the LLDP TLVs to be { begin | exclude | include }
sent through a port. regular-expression ]

display lldp neighbor-information [ brief |


Display the information contained interface interface-type interface-number
in the LLDP TLVs sent from [ brief ] | list [ system-name system-name ] ] Available in any view.
neighboring switches. [ | { begin | exclude | include }
regular-expression ]

display lldp statistics [ global | interface


Display LLDP statistics. interface-type interface-number ] [ | { begin | Available in any view.
exclude | include } regular-expression ]

display lldp status [ interface interface-type


Display LLDP status of a port. interface-number ] [ | { begin | exclude | Available in any view.
include } regular-expression ]

display lldp tlv-config [ interface


Display types of advertisable
interface-type interface-number ] [ | { begin | Available in any view.
optional LLDP TLVs.
exclude | include } regular-expression ]

LLDP configuration examples


IMPORTANT:
By default, Ethernet, VLAN, and aggregate interfaces are in DOWN state. Before configuring these
interfaces, use the undo shutdown command to bring them up.

224
Basic LLDP configuration example
Network requirements
As shown in Figure 82, the NMS and Switch A are located in the same Ethernet.
Enable LLDP on the ports of Switch A and Switch B to monitor the link between Switch A and Switch B and
the link between Switch A and the MED device on the NMS.
Figure 82 Network diagram

MED

GE4/0/1
NMS GE4/0/1

GE4/0/2
Switch A Switch B

Configuration procedure
1. Configure Switch A:
# Enable LLDP globally.
<SwitchA> system-view
[SwitchA] lldp enable
# Enable LLDP on GigabitEthernet 4/0/1 and GigabitEthernet 4/0/2 (you can skip this step
because LLDP is enabled on ports by default), and set the LLDP operating mode to Rx.
[SwitchA] interface gigabitethernet 4/0/1
[SwitchA-GigabitEthernet4/0/1] lldp enable
[SwitchA-GigabitEthernet4/0/1] lldp admin-status rx
[SwitchA-GigabitEthernet4/0/1] quit
[SwitchA] interface gigabitethernet 4/0/2
[SwitchA-GigabitEthernet4/0/2] lldp enable
[SwitchA-GigabitEthernet4/0/2] lldp admin-status rx
[SwitchA-GigabitEthernet4/0/2] quit
2. Configure Switch B:
# Enable LLDP globally.
<SwitchB> system-view
[SwitchB] lldp enable
# Enable LLDP on GigabitEthernet 4/0/1 (you can skip this step because LLDP is enabled on ports
by default), and set the LLDP operating mode to Tx.
[SwitchB] interface gigabitethernet 4/0/1
[SwitchB-GigabitEthernet4/0/1] lldp enable
[SwitchB-GigabitEthernet4/0/1] lldp admin-status tx
[SwitchB-GigabitEthernet4/0/1] quit
3. Verify the configuration:
# Display the global LLDP status and port LLDP status on Switch A.
[SwitchA] display lldp status

225
Global status of LLDP : Enable
The current number of LLDP neighbors : 2
The current number of CDP neighbors: 0
LLDP neighbor information last changed time: 0 days,0 hours,4 minutes,40 seconds
Transmit interval : 30s
Hold multiplier : 4
Reinit delay : 2s
Transmit delay : 2s
Trap interval : 5s
Fast start times : 3

Port 1 [GigabitEthernet4/0/1]:
Port status of LLDP : Enable
Admin status : Rx_Only
Trap flag : No
Polling interval : 0s

Number of neighbors : 1
Number of MED neighbors : 1
Number of CDP neighbors : 0
Number of sent optional TLV : 0
Number of received unknown TLV : 0

Port 2 [GigabitEthernet4/0/2]:
Port status of LLDP : Enable
Admin status : Rx_Only
Trap flag : No
Polling interval : 0s

Number of neighbors : 1
Number of MED neighbors : 0
Number of CDP neighbors : 0
Number of sent optional TLV : 0
Number of received unknown TLV : 3
The output shows that: GigabitEthernet 4/0/1 of Switch A connects a MED device, and
GigabitEthernet 4/0/2 of Switch A connects a non-MED device. Both ports operate in Rx mode,
in other words, they only receive LLDP frames.
# Tear down the link between Switch A and Switch B and then display the global LLDP status and
port LLDP status on Switch A.
[SwitchA] display lldp status
Global status of LLDP : Enable
The current number of LLDP neighbors : 1
The current number of CDP neighbors: 0
LLDP neighbor information last changed time: 0 days,0 hours,5 minutes,20 seconds
Transmit interval : 30s
Hold multiplier : 4
Reinit delay : 2s
Transmit delay : 2s

226
Trap interval : 5s
Fast start times : 3

Port 1 [GigabitEthernet4/0/1]:
Port status of LLDP : Enable
Admin status : Rx_Only
Trap flag : No
Polling interval : 0s

Number of neighbors : 1
Number of MED neighbors : 1
Number of CDP neighbors : 0
Number of sent optional TLV : 0
Number of received unknown TLV : 5

Port 2 [GigabitEthernet4/0/2]:
Port status of LLDP : Enable
Admin status : Rx_Only
Trap flag : No
Polling interval : 0s

Number of neighbors : 0
Number of MED neighbors : 0
Number of CDP neighbors : 0
Number of sent optional TLV : 0
Number of received unknown TLV : 0
The output shows that GigabitEthernet 4/0/2 of Switch A does not connect any neighboring
switch.

CDP-compatible LLDP configuration example


Network requirements
As shown in Figure 83, enable CDP compatibility of LLDP on Switch A.
Figure 83 Network diagram

Configuration procedure
1. Configure CDP-compatible LLDP on Switch A:
# Enable LLDP globally and enable LLDP to be compatible with CDP globally.
[SwitchA] lldp enable
[SwitchA] lldp compliance cdp
# Enable LLDP (you can skip this step because LLDP is enabled on ports by default), configure LLDP
to operate in TxRx mode, and configure CDP-compatible LLDP to operate in TxRx mode on
GigabitEthernet 4/0/1 and GigabitEthernet 4/0/2.
[SwitchA] interface gigabitethernet 4/0/1

227
[SwitchA-GigabitEthernet4/0/1] lldp enable
[SwitchA-GigabitEthernet4/0/1] lldp admin-status txrx
[SwitchA-GigabitEthernet4/0/1] lldp compliance admin-status cdp txrx
[SwitchA-GigabitEthernet4/0/1] quit
[SwitchA] interface gigabitethernet 4/0/2
[SwitchA-GigabitEthernet4/0/2] lldp enable
[SwitchA-GigabitEthernet4/0/2] lldp admin-status txrx
[SwitchA-GigabitEthernet4/0/2] lldp compliance admin-status cdp txrx
[SwitchA-GigabitEthernet4/0/2] quit
2. Verify the configuration by displaying the neighbor information on Switch A.
[SwitchA] display lldp neighbor-information

CDP neighbor-information of port 1[GigabitEthernet4/0/1]:


CDP neighbor index : 1
Chassis ID : SEP00141CBCDBFE
Port ID : Port 1
Sofrware version : P0030301MFG2
Platform : Cisco IP Phone 7960
Duplex : Full

CDP neighbor-information of port 2[GigabitEthernet4/0/2]:


CDP neighbor index : 2
Chassis ID : SEP00141CBCDBFF
Port ID : Port 1
Sofrware version : P0030301MFG2
Platform : Cisco IP Phone 7960
Duplex : Full
The output shows that Switch A has discovered the IP phones connected to GigabitEthernet 4/0/1
and GigabitEthernet 4/0/2, and has obtained their LLDP device information.

228
Configuring MVRP

Overview
Multiple Registration Protocol (MRP) is an attribute registration protocol and transmits attribute messages.
An application that complies with MRP is called an "MRP application". Multiple VLAN Registration
Protocol (MVRP) is a typical MRP application. MRP is an enhanced version of Generic Attribute
Registration Protocol (GARP) and improves the declaration efficiency. MVRP is an enhanced version of
GARP VLAN Registration Protocol (GVRP) and improves the declaration efficiency. MVRP propagates
VLAN configuration information among devices, and enables devices to learn and automatically
synchronize VLAN configuration information, reducing the configuration workload. When the network
topology changes, MVRP can propagate and learn VLAN configuration information again according to
the new topology, and real-time synchronize the network topology. For more information about GVRP,
see "Configuring GVRP."

Introduction to MRP
Different from GARP, MRP allows participants in the same LAN to declare, propagate, and register
information (for example, VLAN information) on a per Multiple Spanning Tree Instance (MSTI) basis.

MRP implementation
Each port that participates in an MRP application (for example, MVRP) is called an "MRP participant".
MRP rapidly propagates the configuration information of an MRP participant throughout the LAN. As
shown in Figure 84, an MRP participant registers and deregisters its attribute values on other MRP
participants by sending declarations and withdrawals, and registers and deregisters the attribute values
of other participants according to the received declarations and withdrawals.
Figure 84 MRP implementation

MRP messages
MRP exchanges information among MRP participants by advertising MRP messages, including Join,
New, Leave, and LeaveAll. Join and New messages are declarations, and Leave and LeaveAll messages
are withdrawals. As an MRP application, MVRP also uses MRP messages for information exchange.
1. Join message
An MRP participant sends Join messages when it wishes to declare its attribute values and receives
Join messages from other MRP participants. When receiving a Join message, an MRP participant
sends a Join message to all participants except the sender.

229
Join messages fall into the following types:
{ JoinEmpty—An MRP participant sends JoinEmpty messages to declare attribute values that it
has not registered.
{ JoinIn—An MRP participant sends JoinIn messages to declare attribute values that it has
registered.
2. New message
When the Multiple Spanning Tree Protocol (MSTP) topology changes, in other words, when an
MSTP TcDetected event occurs, an MRP participant sends New messages to declare the topology
change. On receiving a New message, an MRP participant sends a New message out of each
port except the receiving port. Similar to a Join message, a New message enables MRP
participants to register attributes.
3. Leave message
An MRP participant sends Leave messages when it wishes to withdraw declarations of its attribute
values and receives Leave messages from other participants. When receiving a Leave message,
an MRP participant sends a Leave message to all participants except the sender.
4. LeaveAll message
Each MRP participant is configured with an individual LeaveAll timer. When the timer expires, the
MRP participant sends LeaveAll messages to deregister all attributes, so that any other MRP
participant can re-register all attributes. This process periodically clears the useless attributes in the
network. On receiving a LeaveAll message, MRP determines whether to send a Join message to
request the sender to re-register these attributes according to attribute status. On sending a
LeaveAll message, MRP restarts the LeaveAll timer.

MRP timers
The implementation of MRP uses the following timers to control MRP message transmission.
1. Periodic timer
On startup, an MRP participant starts its own Periodic timer to control MRP message transmission.
The MRP participant collects the MRP messages to be sent before the Periodic timer expires, and
sends the MRP messages in as few packets as possible when the Periodic timer expires and
meanwhile restarts the Periodic timer. This mechanism reduces the number of MRP protocol
packets periodically sent.
You can enable or disable the Periodic timer at the CLI. When you disable the Periodic timer, MRP
will not send MRP messages.
2. Join timer
The Join timer control the transmission of Join messages. To make sure Join messages can be
reliably transmitted to other participants, an MRP participant waits for a period of the Join timer
after sending a Join message. If the participant receives JoinIn messages from other participants
before the Join timer expires, the participant does not re-send the Join message. When both the
Join timer and the Periodic timer expire, the participant re-sends the Join message.
3. Leave timer
The Leave timer controls the deregistration of attributes. When an MRP participant wishes other
participants to deregister its attributes, it sends a Leave message. On receiving a Leave message,
MRP starts the Leave timer, and deregisters the attributes if it does not receive any Join message for
the attributes before the Leave timer expires.
4. LeaveAll timer

230
On startup, an MRP participant starts its own LeaveAll timer. When the LeaveAll timer expires, MRP
sends out a LeaveAll message and restarts the LeaveAll timer. On receiving the LeaveAll message,
other participants re-register all the attributes and re-start their LeaveAll timer.

NOTE:
Though MRP participants throughout the network may be configured with different LeaveAll timers, an
MRP participant sends LeaveAll messages at the smallest interval among the neighboring participants’
LeaveAll timers. At the next startup, the LeaveAll timer of each participant randomly changes within a
certain range.

MRP protocol packet encapsulation format


Figure 85 MRP protocol packet encapsulation format
Ethernet frame

DA SA Length Type MRPDU

Protocol Version Message 1 ... Message N End Mark

Attribute Type Attribute Length Attribute List

Vector Attribute 1 ... Vector Attribute N End Mark

Vector Header First Value Vector

LeaveAll Event Number of Values

Figure 85 shows the format of an MRP protocol packet encapsulated in an IEEE 802.3 Ethernet frame.
Table 29 MRP protocol packet fields

Field Description
MRPDU MRP protocol data unit (MRPDU) encapsulated in the MRP protocol packet.

Protocol Version Protocol version, which is 0.

Attribute message, which comprises the Attribute Type, Attribute Length, and Attribute List
Message
fields.

End Mark End mark of the MRPDU or an attribute list field. This field is fixed at 0x00.

Attribute Type Attribute type, which is VID Vector specified by the value of 1.

Attribute Length Length of the FirstValue field, which is 2 as specified by MVRP.

Attribute List Attribute list, which comprises multiple attributes.

Vector Attribute Vector attribute, which comprises the VectorHeader, FirstValue, and Vector fields.

231
Field Description
Vector Header Vector header, which comprises the LeaveAllEvent and NumberOfValues fields.

FirstValue First attribute value encapsulated in the MVRP protocol packet.

Attribute events, where each byte specifies three attribute events. The attribute events
include:
• 0x00—New operator.
• 0x01—JoinIn operator.
• 0x02—In operator.
Vector
• 0x03—JoinMt operator.
• 0x04—Mt operator.
• 0x05—Lv operator.
Assume that the three attribute events sharing a byte are A1, A2, and A3. The value of the
byte A1A2A3 is ((A1 * 6 + A2) * 6) + A3, which ranges from 0 to 255.

LeaveAll event indicator:


LeaveAll Event • 0—Not a LeaveAll event.
• 1—A LeaveAll event.
Number of
13-bit field, which shows the number of attribute values encoded in the Vector field.
Values

The destination MAC addresses of MRP protocol packets are multicast MAC addresses, and vary with
MRP applications. For example, the destination MAC address is 01-80-C2-00-00-21 and the EtherType is
88F5 for MVRP protocol packets. When a device receives a packet from an MRP participant, it delivers
the packet to the MRP application identified by the destination MAC address.

MVRP implementation
MVRP overview
As an MRP application, MVRP uses the operating mechanism of MRP to maintain and propagate
dynamic VLAN registration information throughout the network.
In a LAN, each MVRP-enabled device can receive the VLAN registration information from other MVRP
devices, and dynamically update its local database, including active VLANs and the ports through which
a VLAN can be reached. This makes sure all MVRP-enabled devices in a LAN maintain the same VLAN
information.
The VLAN information propagated by MVRP includes not only locally, manually configured static VLAN
information but also dynamic VLAN information from other devices.

MVRP implementation mechanisms


MVRP registers and deregisters VLAN attributes as follows:
• When a port receives the declaration of a VLAN attribute, the port registers the VLAN and joins the
VLAN.
• When a port receives the withdrawal of a VLAN attribute, the port deregisters the VLAN and leaves
the VLAN.
Figure 84 shows a simple MVRP implementation on an MSTI. In a network with multiple MSTIs, VLAN
registration and deregistration are performed on a per-MSTI basis. For more information about MSTIs,
see "Configuring spanning tree."

232
MVRP registration modes
VLANs created manually, locally are called "static VLANs", and VLANs learned through MVRP are
called "dynamic VLANs". The following MVRP registration modes are available.
• Normal
A port in normal registration mode performs dynamic VLAN registrations and deregistrations, and
sends declarations and withdrawals for dynamic and static VLANs.
• Fixed
A port in fixed registration mode disables deregistering dynamic VLANs, sends declarations for
dynamic VLANs and static VLANs, and drops received MVRP protocol packets. As a result, a trunk
port in fixed registration mode does not deregister or register dynamic VLANs.
• Forbidden
A port in forbidden registration mode disables registering dynamic VLANs, sends declarations for
dynamic VLANs and static VLANs, and drops received MVRP protocol packets. As a result, a trunk
port in forbidden registration mode does not register dynamic VLANs, and does not re-register a
dynamic VLAN when the VLAN is deregistered.

Protocols and standards


• IEEE 802.1ak IEEE Standard for Local and Metropolitan Area Networks: Virtual Bridged Local Area
Networks – Amendment 07: Multiple Registration Protocol

MVRP configuration task list


Task Remarks
Configuring MVRP Optional.

Configuring MRP timers Optional.

Enabling GVRP compatibility Optional.

NOTE:
• MVRP configuration made in Ethernet interface view or Layer 2 aggregate interface view takes effect on
the current interface only; MVRP configuration made in port group view takes effect on all the member
ports in the group.
• MVRP configuration made on a member port in an aggregation group takes effect only after the port is
removed from the aggregation group.

Configuring MVRP

233
CAUTION:
• MVRP and service loopback are mutually exclusive.
• MVRP can work with STP, RSTP, or MSTP, but not other link layer topology protocols, including PVST,
RRPP, and Smart Link. Ports blocked by STP, RSTP, or MSTP can receive and send MVRP protocol packets.
For more information about STP, RSTP, MSTP, and PVST, see "Configuring spanning tree protocols." For
more information about RRPP and Smart Link, see High Availability Configuration Guide.
• Do not enable both MVRP and remote port mirroring on a port. Otherwise, MVRP may register the
remote probe VLAN to unexpected ports, which would cause the monitor port to receive undesired
duplicates. For more information about port mirroring, see Network Management and Monitoring
Configuration Guide.
• Enabling MVRP on a Layer 2 aggregate interface enables both the aggregate interface and all Selected
member ports in the link aggregation group to participate in dynamic VLAN registration and
deregistration.
• MVRP runs on a per-MSTI basis. When configuring MVRP, make sure all MSTIs in the network are
effective and each MSTI is mapped to an existing VLAN on each device in the network.

Before enabling MVRP on a port, you must enable MVRP globally. You can configure MVRP only on trunk
ports, and you must assign the involved trunk ports to all dynamic VLANs.
To configure MVRP:

Step Command Remarks


1. Enter system view. system-view N/A

By default, MVRP is globally


2. Enable MVRP globally. mvrp global enable
disabled.
• Enter Layer 2 Ethernet interface
view or Layer 2 aggregate
interface view:
interface interface-type
3. Enter interface view. Use one of the commands.
interface-number
• Enter port group view:
port-group manual
port-group-name

By default, the link type of a port is


access.
4. Configure the port as a trunk For more information about the
port link-type trunk
port. port link-type trunk command, see
Layer 2—LAN Switching
Command Reference.

By default, a trunk port permits only


VLAN 1.
5. Configure the port to permit For more information about the
port trunk permit vlan all
all VLANs. port trunk permit vlan all
command, see Layer 2—LAN
Switching Command Reference.

By default, MVRP is disabled on a


6. Enable MVRP on the port. mvrp enable
port.

234
Step Command Remarks
Optional.
7. Set the MVRP registration mvrp registration { fixed |
mode. forbidden | normal } The default setting is normal
registration mode.

Configuring MRP timers


To do… Use the command… Remarks
1. Enter system view. system-view N/A
• Enter Layer 2 Ethernet interface
view or Layer 2 aggregate
interface view:
interface interface-type
2. Enter interface view. Use one of the commands.
interface-number
• Enter port group view:
port-group manual
port-group-name

Optional.
3. Configure the LeaveAll timer. mrp timer leaveall timer-value The default setting is 1000
centiseconds.

Optional.
4. Configure the Join timer. mrp timer join timer-value The default setting is 20
centiseconds.

Optional.
5. Configure the Leave timer. mrp timer leave timer-value The default setting is 60
centiseconds.

Optional.
6. Configure the Periodic timer. mrp timer periodic timer-value The default setting is 100
centiseconds.

Table 30 shows the value ranges for MRP timers (including Join, Leave, and LeaveAll timers) and their
dependencies.
• If you set a timer to a value beyond the allowed value range, your configuration will fail. To do that,
you can change the allowed value range by tuning the value of another related timer.
• To restore the default settings of the timers, restore the Join timer first, followed by the Leave and
LeaveAll timers. You can restore the Periodic timer to the default at any time.
Table 30 Dependencies of the MRP timers

Timer Lower limit Upper limit


Join 20 centiseconds Half the Leave timer

Leave Twice the Join timer LeaveAll timer

LeaveAll Leave timer on each port 32760 centiseconds

235
NOTE:
• The MRP timers apply to all MRP applications, for example, MVRP, on a port. To avoid frequent VLAN
registrations and deregistrations, use the same MRP timers throughout the network.
• Each port maintains its own Periodic, Join, and LeaveAll timers, and each attribute of a port maintains
a Leave timer.

Enabling GVRP compatibility


MVRP can be compatible with GVRP. When the peer device supports GVRP, you can enable GVRP
compatibility on the local end, so that the local end can receive and send MVRP and GVRP protocol
packets at the same time.
To enable GVRP compatibility:

Step Command Remarks


1. Enter system view system-view N/A
2. Enable GVRP mvrp gvrp-compliance
By default, GVRP compatibility is disabled.
compatibility enable

NOTE:
• With GVRP compatibility enabled, MVRP can work with only STP or RSTP rather than MSTP. In this case,
if MVRP and MSTP run at the same time, the network might fail to work properly.
• With GVRP compatibility enabled, HP recommends that you disable the Periodic timer for MVRP.
Otherwise, the VLAN status might change frequently when the system is busy.

Displaying and maintaining MVRP


Task Command Remarks
Display the MVRP status of
display mvrp state interface interface-type
the specified port and each
interface-number vlan vlan-id [ | { begin | Available in any view.
MVRP interface in the
exclude | include } regular-expression ]
specified VLAN.

display mvrp running-status [ interface


Display the MVRP running
interface-list ] [ | { begin | exclude | Available in any view.
status.
include } regular-expression ]

display mvrp statistics [ interface


Display the MVRP statistics. interface-list ] [ | { begin | exclude | Available in any view.
include } regular-expression ]

Display the dynamic VLAN display mvrp vlan-operation interface


operation information of interface-type interface-number [ | { begin Available in any view.
the specified port. | exclude | include } regular-expression ]

Clear the MVRP statistics of


reset mvrp statistics [ interface interface-list ] Available in user view.
the specified ports.

236
MVRP configuration examples
Configuration example for MVRP in normal registration mode
Network requirements
As shown in Figure 86, configure MSTP, map VLAN 10 to MSTI 1, map VLAN 20 MST 2, and map the
other VLANs to MSTI 0.
Configure MVRP and set the MVRP registration mode to normal, so that Device A, Device B, Device C,
and Device D can register and deregister dynamic and static VLANs and keep identical VLAN
configuration for each MSTI.
Figure 86 Network diagram

MST region
Device A Device B
Permit: all VLAN
GE3/0/3 GE3/0/3
GE /2
3/0 3/0
/2 GE

Permit: all VLAN Permit: VLAN 20, 40


N Pe
LA rm
ll V it:
: a V LA
i t N4
rm GE
/2 Pe 0
3/0
3/0 /2
GE
GE3/0/3 GE3/0/3
Permit: VLAN 30, 40

Device C Device D

Configuration procedure
1. Configure Device A:
# Enter MST region view.
<DeviceA> system-view
[DeviceA] stp region-configuration
# Configure the MST region name, VLAN-to-instance mappings, and revision level.
[DeviceA-mst-region] region-name example
[DeviceA-mst-region] instance 1 vlan 10
[DeviceA-mst-region] instance 2 vlan 20
[DeviceA-mst-region] revision-level 0
# Manually activate the MST region configuration.
[DeviceA-mst-region] active region-configuration
[DeviceA-mst-region] quit
# Configure Device A as the primary root bridge of MSTI 1.
[DeviceA] stp instance 1 root primary
# Globally enable the spanning tree feature.
[DeviceA] stp enable
# Globally enable MVRP.

237
[DeviceA] mvrp global enable
# Configure port GigabitEthernet 3/0/1 as a trunk port, and configure it to permit all VLANs.
[DeviceA] interface GigabitEthernet 3/0/1
[DeviceA-GigabitEthernet3/0/1] port link-type trunk
[DeviceA-GigabitEthernet3/0/1] port trunk permit vlan all
# Enable MVRP on port GigabitEthernet 3/0/1.
[DeviceA-GigabitEthernet3/0/1] mvrp enable
[DeviceA-GigabitEthernet3/0/1] quit
# Configure port GigabitEthernet 3/0/2 as a trunk port, and configure it to permit VLAN 40.
[DeviceA] interface GigabitEthernet 3/0/2
[DeviceA-GigabitEthernet3/0/2] port link-type trunk
[DeviceA-GigabitEthernet3/0/2] port trunk permit vlan 40
# Enable MVRP on port GigabitEthernet 3/0/2.
[DeviceA-GigabitEthernet3/0/2] mvrp enable
[DeviceA-GigabitEthernet3/0/2] quit
# Configure port GigabitEthernet 3/0/3 as a trunk port, and configure it to permit all VLANs.
[DeviceA] interface GigabitEthernet 3/0/3
[DeviceA-GigabitEthernet3/0/3] port link-type trunk
[DeviceA-GigabitEthernet3/0/3] port trunk permit vlan all
# Enable MVRP on port GigabitEthernet 3/0/3.
[DeviceA-GigabitEthernet3/0/3] mvrp enable
[DeviceA-GigabitEthernet3/0/3] quit
# Create VLAN 10.
[DeviceA] vlan 10
[DeviceA-vlan10] quit
2. Configure Device B:
# Enter MST region view.
<DeviceB> system-view
[DeviceB] stp region-configuration
# Configure the MST region name, VLAN-to-instance mappings, and revision level.
[DeviceB-mst-region] region-name example
[DeviceB-mst-region] instance 1 vlan 10
[DeviceB-mst-region] instance 2 vlan 20
[DeviceB-mst-region] revision-level 0
# Manually activate the MST region configuration.
[DeviceB-mst-region] active region-configuration
[DeviceB-mst-region] quit
# Configure Device B as the primary root bridge of MSTI 2.
[DeviceB] stp instance 2 root primary
# Globally enable the spanning tree feature.
[DeviceB] stp enable
# Globally enable MVRP.
[DeviceB] mvrp global enable
# Configure port GigabitEthernet 3/0/1 as a trunk port, and configure it to permit VLANs 20 and
40.

238
[DeviceB] interface GigabitEthernet 3/0/1
[DeviceB-GigabitEthernet3/0/1] port link-type trunk
[DeviceB-GigabitEthernet3/0/1] port trunk permit vlan 20 40
# Enable MVRP on port GigabitEthernet 3/0/1.
[DeviceB-GigabitEthernet3/0/1] mvrp enable
[DeviceB-GigabitEthernet3/0/1] quit
# Configure port GigabitEthernet 3/0/2 as a trunk port, and configure it to permit all VLANs.
[DeviceB] interface GigabitEthernet 3/0/2
[DeviceB-GigabitEthernet3/0/2] port link-type trunk
[DeviceB-GigabitEthernet3/0/2] port trunk permit vlan all
# Enable MVRP on port GigabitEthernet 3/0/2.
[DeviceB-GigabitEthernet3/0/2] mvrp enable
[DeviceB-GigabitEthernet3/0/2] quit
# Configure port GigabitEthernet 3/0/3 as a trunk port, and configure it to permit all VLANs.
[DeviceB] interface GigabitEthernet 3/0/3
[DeviceB-GigabitEthernet3/0/3] port link-type trunk
[DeviceB-GigabitEthernet3/0/3] port trunk permit vlan all
# Enable MVRP on port GigabitEthernet 3/0/3.
[DeviceB-GigabitEthernet3/0/3] mvrp enable
[DeviceB-GigabitEthernet3/0/3] quit
# Create VLAN 20.
[DeviceB] vlan 20
[DeviceB-vlan20] quit
3. Configure Device C:
# Enter MST region view.
<DeviceC> system-view
[DeviceC] stp region-configuration
# Configure the MST region name, VLAN-to-instance mappings, and revision level.
[DeviceC-mst-region] region-name example
[DeviceC-mst-region] instance 1 vlan 10
[DeviceC-mst-region] instance 2 vlan 20
[DeviceC-mst-region] revision-level 0
# Manually activate the MST region configuration.
[DeviceC-mst-region] active region-configuration
[DeviceC-mst-region] quit
# Globally enable the spanning tree feature.
[DeviceC] stp enable
# Globally enable MVRP.
[DeviceC] mvrp global enable
# Configure port GigabitEthernet 3/0/1 as a trunk port, and configure it to permit all VLANs.
[DeviceC] interface GigabitEthernet 3/0/1
[DeviceC-GigabitEthernet3/0/1] port link-type trunk
[DeviceC-GigabitEthernet3/0/1] port trunk permit vlan all
# Enable MVRP on port GigabitEthernet 3/0/1.
[DeviceC-GigabitEthernet3/0/1] mvrp enable

239
[DeviceC-GigabitEthernet3/0/1] quit
# Configure port GigabitEthernet 3/0/2 as a trunk port, and configure it to permit all VLANs.
[DeviceC] interface GigabitEthernet 3/0/2
[DeviceC-GigabitEthernet3/0/2] port link-type trunk
[DeviceC-GigabitEthernet3/0/2] port trunk permit vlan all
# Enable MVRP on port GigabitEthernet 3/0/2.
[DeviceC-GigabitEthernet3/0/2] mvrp enable
[DeviceC-GigabitEthernet3/0/2] quit
# Configure port GigabitEthernet 3/0/3 as a trunk port, and configure it to permit VLANs 30 and
40.
[DeviceC] interface GigabitEthernet 3/0/3
[DeviceC-GigabitEthernet3/0/3] port link-type trunk
[DeviceC-GigabitEthernet3/0/3] port trunk permit vlan 30 40
# Enable MVRP on port GigabitEthernet 3/0/3.
[DeviceC-GigabitEthernet3/0/3] mvrp enable
[DeviceC-GigabitEthernet3/0/3] quit
4. Configure Device D:
# Enter MST region view.
<DeviceD> system-view
[DeviceD] stp region-configuration
# Configure the MST region name, VLAN-to-instance mappings, and revision level.
[DeviceD-mst-region] region-name example
[DeviceD-mst-region] instance 1 vlan 10
[DeviceD-mst-region] instance 2 vlan 20
[DeviceD-mst-region] revision-level 0
# Manually activate the MST region configuration.
[DeviceD-mst-region] active region-configuration
[DeviceD-mst-region] quit
# Globally enable the spanning tree feature.
[DeviceD] stp enable
# Globally enable MVRP.
[DeviceD] mvrp global enable
# Configure port GigabitEthernet 3/0/1 as a trunk port, and configure it to permit VLANs 20 and
40.
[DeviceD] interface GigabitEthernet 3/0/1
[DeviceD-GigabitEthernet3/0/1] port link-type trunk
[DeviceD-GigabitEthernet3/0/1] port trunk permit vlan 20 40
# Enable MVRP on port GigabitEthernet 3/0/1.
[DeviceD-GigabitEthernet3/0/1] mvrp enable
[DeviceD-GigabitEthernet3/0/1] quit
# Configure port GigabitEthernet 3/0/2 as a trunk port, and configure it to permit VLAN 40.
[DeviceD] interface GigabitEthernet 3/0/2
[DeviceD-GigabitEthernet3/0/2] port link-type trunk
[DeviceD-GigabitEthernet3/0/2] port trunk permit vlan 40
# Enable MVRP on port GigabitEthernet 3/0/2.

240
[DeviceD-GigabitEthernet3/0/2] mvrp enable
[DeviceD-GigabitEthernet3/0/2] quit
# Configure port GigabitEthernet 3/0/3 as a trunk port, and configure it to permit VLANs 30 and
40.
[DeviceD] interface GigabitEthernet 3/0/3
[DeviceD-GigabitEthernet3/0/3] port link-type trunk
[DeviceD-GigabitEthernet3/0/3] port trunk permit vlan 30 40
# Enable MVRP on port GigabitEthernet 3/0/3.
[DeviceD-GigabitEthernet3/0/3] mvrp enable
[DeviceD-GigabitEthernet3/0/3] quit
5. Verify the configuration:
Use the display mvrp running-status command to display the local MVRP VLAN information to
verify whether the configuration takes effect.
# Check the local VLAN information on Device A.
[DeviceA] display mvrp running-status
-------[MVRP Global Info]-------
Global Status : Enabled
Compliance-GVRP : False

----[GigabitEthernet3/0/1] ----
Config Status : Enabled
Running Status : Enabled
Join Timer : 20 (centiseconds)
Leave Timer : 60 (centiseconds)
Periodic Timer : 100 (centiseconds)
LeaveAll Timer : 1000 (centiseconds)
Registration Type : Normal
Local VLANs :
1(default),

----[GigabitEthernet3/0/2] ----
Config Status : Enabled
Running Status : Enabled
Join Timer : 20 (centiseconds)
Leave Timer : 60 (centiseconds)
Periodic Timer : 100 (centiseconds)
LeaveAll Timer : 1000 (centiseconds)
Registration Type : Normal
Local VLANs :
1(default),

----[GigabitEthernet3/0/3] ----
Config Status : Enabled
Running Status : Enabled
Join Timer : 20 (centiseconds)
Leave Timer : 60 (centiseconds)
Periodic Timer : 100 (centiseconds)

241
LeaveAll Timer : 1000 (centiseconds)
Registration Type : Normal
Local VLANs :
1(default), 20,
The output shows that:
{ Ports GigabitEthernet 3/0/1 and GigabitEthernet 3/0/2 have learned only VLAN 1 through
MVRP.
{ Port GigabitEthernet 3/0/3 has learned VLAN 1 and dynamic VLAN 20 created on Device B
through MVRP.
# Check the local VLAN information on Device B.
[DeviceB] display mvrp running-status
-------[MVRP Global Info]-------
Global Status : Enabled
Compliance-GVRP : False

----[GigabitEthernet3/0/1] ----
Config Status : Enabled
Running Status : Enabled
Join Timer : 20 (centiseconds)
Leave Timer : 60 (centiseconds)
Periodic Timer : 100 (centiseconds)
LeaveAll Timer : 1000 (centiseconds)
Registration Type : Normal
Local VLANs :
1(default),

----[GigabitEthernet3/0/2] ----
Config Status : Enabled
Running Status : Enabled
Join Timer : 20 (centiseconds)
Leave Timer : 60 (centiseconds)
Periodic Timer : 100 (centiseconds)
LeaveAll Timer : 1000 (centiseconds)
Registration Type : Normal
Local VLANs :
1(default),

----[GigabitEthernet3/0/3] ----
Config Status : Enabled
Running Status : Enabled
Join Timer : 20 (centiseconds)
Leave Timer : 60 (centiseconds)
Periodic Timer : 100 (centiseconds)
LeaveAll Timer : 1000 (centiseconds)
Registration Type : Normal
Local VLANs :
1(default), 10,

242
The output shows that:
{ Ports GigabitEthernet 3/0/1 and GigabitEthernet 3/0/2 have learned only VLAN 1 through
MVRP.
{ Port GigabitEthernet 3/0/3 has learned VLAN 1 and dynamic VLAN 10 created on Device A
through MVRP.
# Check the local VLAN information on Device C.
[DeviceC] display mvrp running-status
-------[MVRP Global Info]-------
Global Status : Enabled
Compliance-GVRP : False

----[GigabitEthernet3/0/1] ----
Config Status : Enabled
Running Status : Enabled
Join Timer : 20 (centiseconds)
Leave Timer : 60 (centiseconds)
Periodic Timer : 100 (centiseconds)
LeaveAll Timer : 1000 (centiseconds)
Registration Type : Normal
Local VLANs :
1(default), 10,

----[GigabitEthernet3/0/2] ----
Config Status : Enabled
Running Status : Enabled
Join Timer : 20 (centiseconds)
Leave Timer : 60 (centiseconds)
Periodic Timer : 100 (centiseconds)
LeaveAll Timer : 1000 (centiseconds)
Registration Type : Normal
Local VLANs :
1(default), 20,

----[GigabitEthernet3/0/3] ----
Config Status : Enabled
Running Status : Enabled
Join Timer : 20 (centiseconds)
Leave Timer : 60 (centiseconds)
Periodic Timer : 100 (centiseconds)
LeaveAll Timer : 1000 (centiseconds)
Registration Type : Normal
Local VLANs :
1(default),
The output shows that:
{ Port GigabitEthernet 3/0/1 has learned VLAN 1 and dynamic VLAN 10 created on Device A
through MVRP.

243
{ Port GigabitEthernet 3/0/2 has learned VLAN 1 and dynamic VLAN 20 created on Device B
through MVRP.
{ Port GigabitEthernet 3/0/3 has learned only VLAN 1 through MVRP.
# Check the local VLAN information on Device D.
[DeviceD] display mvrp running-status
-------[MVRP Global Info]-------
Global Status : Enabled
Compliance-GVRP : False

----[GigabitEthernet3/0/1] ----
Config Status : Enabled
Running Status : Enabled
Join Timer : 20 (centiseconds)
Leave Timer : 60 (centiseconds)
Periodic Timer : 100 (centiseconds)
LeaveAll Timer : 1000 (centiseconds)
Registration Type : Normal
Local VLANs :
1(default), 20,

----[GigabitEthernet3/0/2] ----
Config Status : Enabled
Running Status : Enabled
Join Timer : 20 (centiseconds)
Leave Timer : 60 (centiseconds)
Periodic Timer : 100 (centiseconds)
LeaveAll Timer : 1000 (centiseconds)
Registration Type : Normal
Local VLANs :
1(default),

----[GigabitEthernet3/0/3] ----
Config Status : Enabled
Running Status : Enabled
Join Timer : 20 (centiseconds)
Leave Timer : 60 (centiseconds)
Periodic Timer : 100 (centiseconds)
LeaveAll Timer : 1000 (centiseconds)
Registration Type : Normal
Local VLANs :
1(default),
The output shows that:
{ Port GigabitEthernet 3/0/1 has learned VLAN 1 and dynamic VLAN 20 created on Device B
through MVRP.
{ Ports GigabitEthernet 3/0/2 and GigabitEthernet 3/0/3 have learned only VLAN 1 through
MVRP.

244
Configuration example for MVRP in fixed registration mode
Network requirements
As shown in Figure 87, enable MVRP and set the MVRP registration mode to fixed on GigabitEthernet
3/0/1 on Device B, so that the dynamic VLANs on Device B are not deregistered.
Figure 87 Network diagram

Configuration procedure
1. Configure Device A:
# Globally enable MVRP.
<DeviceA> system-view
[DeviceA] mvrp global enable
# Configure GigabitEthernet 3/0/1 as a trunk port, and configure it to permit all VLANs.
[DeviceA] interface GigabitEthernet 3/0/1
[DeviceA-GigabitEthernet3/0/1] port link-type trunk
[DeviceA-GigabitEthernet3/0/1] port trunk permit vlan all
# Enable MVRP on GigabitEthernet 3/0/1.
[DeviceA-GigabitEthernet3/0/1] mvrp enable
[DeviceA-GigabitEthernet3/0/1] quit
# Create VLAN 2.
[DeviceA] vlan 2
[DeviceA-vlan2] quit
2. Configure Device B:
# Globally enable MVRP.
<DeviceB> system-view
[DeviceB] mvrp global enable
# Configure GigabitEthernet 3/0/1 as a trunk port, and configure it to permit all VLANs.
[DeviceB] interface GigabitEthernet 3/0/1
[DeviceB-GigabitEthernet3/0/1] port link-type trunk
[DeviceB-GigabitEthernet3/0/1] port trunk permit vlan all
# Enable MVRP on GigabitEthernet 3/0/1.
[DeviceB-GigabitEthernet3/0/1] mvrp enable
[DeviceB-GigabitEthernet3/0/1] quit
# Create VLAN 3.
[DeviceB] vlan 3
[DeviceB-vlan3] quit
3. Verify the configuration:
Use the display mvrp running-status command to display the local MVRP VLAN information to
verify whether the configuration takes effect.
# Check the local VLAN information on GigabitEthernet 3/0/1 of Device A.
[DeviceA] display mvrp running-status

245
-------[MVRP Global Info]-------
Global Status : Enabled
Compliance-GVRP : False

----[GigabitEthernet3/0/1] ----
Config Status : Enabled
Running Status : Enabled
Join Timer : 20 (centiseconds)
Leave Timer : 60 (centiseconds)
Periodic Timer : 100 (centiseconds)
LeaveAll Timer : 1000 (centiseconds)
Registration Type : Normal
Local VLANs :
1(default), 3,
The output shows that GigabitEthernet 3/0/1 has learned VLAN 1 and dynamic VLAN 3 created
on Device B through MVRP.
# Check the local VLAN information on GigabitEthernet 3/0/1 of Device B.
[DeviceB] display mvrp running-status
-------[MVRP Global Info]-------
Global Status : Enabled
Compliance-GVRP : False

----[GigabitEthernet3/0/1] ----
Config Status : Enabled
Running Status : Enabled
Join Timer : 20 (centiseconds)
Leave Timer : 60 (centiseconds)
Periodic Timer : 100 (centiseconds)
LeaveAll Timer : 1000 (centiseconds)
Registration Type : Normal
Local VLANs :
1(default), 2,
The output shows that GigabitEthernet 3/0/1 has learned VLAN 1 and dynamic VLAN 2 created
on Device A through MVRP.
4. Set the MVRP registration mode to fixed on GigabitEthernet 3/0/1 of Device B:
# Set the MVRP registration mode to fixed on GigabitEthernet 3/0/1.
[DeviceB] interface GigabitEthernet 3/0/1
[DeviceB-GigabitEthernet3/0/1] mvrp registration fixed
[DeviceB-GigabitEthernet3/0/1] quit
# Check the local VLAN information on GigabitEthernet 3/0/1 of Device B.
[DeviceB] display mvrp running-status
-------[MVRP Global Info]-------
Global Status : Enabled
Compliance-GVRP : False

----[GigabitEthernet3/0/1] ----
Config Status : Enabled

246
Running Status : Enabled
Join Timer : 20 (centiseconds)
Leave Timer : 60 (centiseconds)
Periodic Timer : 100 (centiseconds)
LeaveAll Timer : 1000 (centiseconds)
Registration Type : Fixed
Local VLANs :
1(default), 2,
The output shows that the local VLAN information on GigabitEthernet 3/0/1 is the same that that
before the MVRP registration mode is set to fixed.
5. Delete VLAN 2 on Device A:
# Delete VLAN 2 on Device A.
[DeviceA] undo vlan 2
# Check the local VLAN information on GigabitEthernet 3/0/1 of Device B.
[DeviceB] display mvrp running-status
-------[MVRP Global Info]-------
Global Status : Enabled
Compliance-GVRP : False

----[GigabitEthernet3/0/1] ----
Config Status : Enabled
Running Status : Enabled
Join Timer : 20 (centiseconds)
Leave Timer : 60 (centiseconds)
Periodic Timer : 100 (centiseconds)
LeaveAll Timer : 1000 (centiseconds)
Registration Type : Fixed
Local VLANs :
1(default), 2,
The output shows that the dynamic VLAN information on GigabitEthernet 3/0/1 does not change
after VLAN 2 is deleted from Device A.

Configuration example for MVRP in forbidden registration


mode
Network requirements
As shown in Figure 88, enable MVRP and set the MVRP registration mode to forbidden on
GigabitEthernet 3/0/1 of Device B, so that Device B does not learn dynamic VLANs.
Figure 88 Network diagram

Configuration procedure
1. Configure Device A:

247
# Globally enable MVRP.
<DeviceA> system-view
[DeviceA] mvrp global enable
# Configure GigabitEthernet 3/0/1 as a trunk port, and configure it to permit all VLANs.
[DeviceA] interface GigabitEthernet 3/0/1
[DeviceA-GigabitEthernet3/0/1] port link-type trunk
[DeviceA-GigabitEthernet3/0/1] port trunk permit vlan all
# Enable MVRP on GigabitEthernet 3/0/1.
[DeviceA-GigabitEthernet3/0/1] mvrp enable
[DeviceA-GigabitEthernet3/0/1] quit
# Create static VLAN 2.
[DeviceA] vlan 2
[DeviceA-vlan2] quit
2. Configure Device B:
# Globally enable MVRP.
<DeviceB> system-view
[DeviceB] mvrp global enable
# Configure GigabitEthernet 3/0/1 as a trunk port, and configure it to permit all VLANs.
[DeviceB] interface GigabitEthernet 3/0/1
[DeviceB-GigabitEthernet3/0/1] port link-type trunk
[DeviceB-GigabitEthernet3/0/1] port trunk permit vlan all
# Enable MVRP on GigabitEthernet 3/0/1.
[DeviceB-GigabitEthernet3/0/1] mvrp enable
[DeviceB-GigabitEthernet3/0/1] quit
# Create VLAN 3.
[DeviceB] vlan 3
[DeviceB-vlan3] quit
3. Verify the configuration:
Use the display mvrp running-status command to display the local MVRP VLAN information to
verify whether the configuration takes effect.
# Check the local VLAN information on GigabitEthernet 3/0/1 of Device A.
[DeviceA] display mvrp running-status
-------[MVRP Global Info]-------
Global Status : Enabled
Compliance-GVRP : False

----[GigabitEthernet3/0/1] ----
Config Status : Enabled
Running Status : Enabled
Join Timer : 20 (centiseconds)
Leave Timer : 60 (centiseconds)
Periodic Timer : 100 (centiseconds)
LeaveAll Timer : 1000 (centiseconds)
Registration Type : Normal
Local VLANs :
1(default), 3,

248
The output shows that GigabitEthernet 3/0/1 has learned VLAN 1 and dynamic VLAN 3 created
on Device B through MVRP.
# Check the local VLAN information on GigabitEthernet 3/0/1 of Device B.
[DeviceB] display mvrp running-status
-------[MVRP Global Info]-------
Global Status : Enabled
Compliance-GVRP : False

----[GigabitEthernet3/0/1] ----
Config Status : Enabled
Running Status : Enabled
Join Timer : 20 (centiseconds)
Leave Timer : 60 (centiseconds)
Periodic Timer : 100 (centiseconds)
LeaveAll Timer : 1000 (centiseconds)
Registration Type : Normal
Local VLANs :
1(default), 2,
The output shows that GigabitEthernet 3/0/1 has learned VLAN 1 and dynamic VLAN 2 created
on Device A through MVRP.
4. Set the MVRP registration mode to forbidden on GigabitEthernet 3/0/1 of Device B:
# Set the MVRP registration mode to forbidden on GigabitEthernet 3/0/1 of Device B.
[DeviceB] interface GigabitEthernet 3/0/1
[DeviceB-GigabitEthernet3/0/1] mvrp registration forbidden
# Several seconds after the LeaveAll timer (10 seconds by default) expires, check the local VLAN
information on GigabitEthernet 3/0/1 of Device B.
[DeviceB-GigabitEthernet3/0/1] display mvrp running-status
-------[MVRP Global Info]-------
Global Status : Enabled
Compliance-GVRP : False

----[GigabitEthernet3/0/1] ----
Config Status : Enabled
Running Status : Enabled
Join Timer : 20 (centiseconds)
Leave Timer : 60 (centiseconds)
Periodic Timer : 100 (centiseconds)
LeaveAll Timer : 1000 (centiseconds)
Registration Type : Forbidden
Local VLANs :
1(default),
The output shows that the local VLAN information on GigabitEthernet 3/0/1 of Device A does not
contain VLAN 2 and the port configured with forbidden MVRP registration mode does not
reregister dynamic VLANs that have been deregistered.

249
Support and other resources

Contacting HP
For worldwide technical support information, see the HP support website:
http://www.hp.com/support
Before contacting HP, collect the following information:
• Product model names and numbers
• Technical support registration number (if applicable)
• Product serial numbers
• Error messages
• Operating system type and revision level
• Detailed questions

Subscription service
HP recommends that you register your product at the Subscriber's Choice for Business website:
http://www.hp.com/go/wwalerts
After registering, you will receive email notification of product enhancements, new driver versions,
firmware updates, and other product resources.

Related information
Documents
To find related documents, browse to the Manuals page of the HP Business Support Center website:
http://www.hp.com/support/manuals
• For related documentation, navigate to the Networking section, and select a networking category.
• For a complete list of acronyms and their definitions, see HP FlexNetwork Technology Acronyms.

Websites
• HP.com http://www.hp.com
• HP Networking http://www.hp.com/go/networking
• HP manuals http://www.hp.com/support/manuals
• HP download drivers and software http://www.hp.com/support/downloads
• HP software depot http://www.software.hp.com
• HP Education http://www.hp.com/learn

250
Conventions
This section describes the conventions used in this documentation set.

Command conventions

Convention Description
Boldface Bold text represents commands and keywords that you enter literally as shown.

Italic Italic text represents arguments that you replace with actual values.

[] Square brackets enclose syntax choices (keywords or arguments) that are optional.

Braces enclose a set of required syntax choices separated by vertical bars, from which
{ x | y | ... }
you select one.

Square brackets enclose a set of optional syntax choices separated by vertical bars, from
[ x | y | ... ]
which you select one or none.

Asterisk-marked braces enclose a set of required syntax choices separated by vertical


{ x | y | ... } *
bars, from which you select at least one.

Asterisk-marked square brackets enclose optional syntax choices separated by vertical


[ x | y | ... ] *
bars, from which you select one choice, multiple choices, or none.

The argument or keyword and argument combination before the ampersand (&) sign can
&<1-n>
be entered 1 to n times.

# A line that starts with a pound (#) sign is comments.

GUI conventions

Convention Description
Window names, button names, field names, and menu items are in bold text. For
Boldface
example, the New User window appears; click OK.

> Multi-level menus are separated by angle brackets. For example, File > Create > Folder.

Symbols

Convention Description
An alert that calls attention to important information that if not understood or followed can
WARNING result in personal injury.

An alert that calls attention to important information that if not understood or followed can
CAUTION result in data loss, data corruption, or damage to hardware or software.

IMPORTANT An alert that calls attention to essential information.

NOTE An alert that contains additional or supplementary information.

TIP An alert that provides helpful information.

251
Network topology icons

Represents a generic network device, such as a router, switch, or firewall.

Represents a routing-capable device, such as a router or Layer 3 switch.

Represents a generic switch, such as a Layer 2 or Layer 3 switch, or a router that supports
Layer 2 forwarding and other Layer 2 features.

Port numbering in examples


The port numbers in this document are for illustration only and might be unavailable on your device.

252
Index

ABCDEGLMOPQRSTV
A Configuring one-to-two VLAN mapping,152
Configuring path costs of ports,77
Assigning ports to an isolation group,128
Configuring port-based VLANs,6
B Configuring protection functions,91
BPDU tunneling configuration example,165 Configuring protocol-based VLANs,17
C Configuring QinQ termination,190
Configuring QoS priority settings for voice traffic on an
Configuration guidelines,37 interface,37
Configuration prerequisites,164 Configuring selective QinQ,138
Configuration prerequisites,37 Configuring spanning tree timers,74
Configuration procedure,27 Configuring TC snooping,90
Configuration restrictions and guidelines,128 Configuring the loopback detection action,182
Configuring a port to operate in automatic voice VLAN Configuring the loopback detection interval,182
assignment mode,38
Configuring the MAC address table,46
Configuring a port to operate in manual voice VLAN
Configuring the maximum hops of an MST region,73
assignment mode,39
Configuring the maximum port rate,76
Configuring an aggregate interface,113
Configuring the mode a port uses to recognize/send
Configuring an aggregation group,109
MSTP packets,81
Configuring an MST region,70
Configuring the network diameter of a switched
Configuring basic settings of a VLAN interface,3 network,74
Configuring basic VLAN settings,3 Configuring the port link type,81
Configuring CDP compatibility,222 Configuring the port priority,80
Configuring destination multicast MAC address for Configuring the root bridge or a secondary root
BPDUs,164 bridge,71
Configuring Digest Snooping,85 Configuring the switch priority,72
Configuring edge ports,76 Configuring the timeout factor,75
Configuring GARP timers,172 Configuring the TPID for VLAN-tagged packets,191
Configuring GVRP functions,171 Configuring the VLAN Ignore feature,84
Configuring IP subnet-based VLANs,21 Configuring two-to-two VLAN mapping,154
Configuring LLDP trapping,223 Contacting HP,250
Configuring load sharing for link aggregation Conventions,251
groups,117
Configuring MAC-based VLANs,12 D

Configuring MAC-in-MAC,206 Displaying and maintaining Ethernet link


Configuring MRP timers,235 aggregation,119
Configuring MVRP,233 Displaying and maintaining GVRP,173
Configuring No Agreement Check,87 Displaying and maintaining LLDP,224
Configuring non-isolated VLANs,129 Displaying and maintaining loopback detection,182
Configuring one-to-one VLAN mapping,149 Displaying and maintaining MAC-in-MAC,209

253
Displaying and maintaining MVRP,236 MAC-in-MAC overview,203
Displaying and maintaining port isolation,129 MSTP,60
Displaying and maintaining super VLAN,29 MVRP configuration examples,237
Displaying and maintaining the MAC address MVRP configuration task list,233
table,50
P
Displaying and maintaining the spanning tree,93
Performing basic LLDP configuration,217
Displaying and maintaining VLAN,25
Performing mCheck,83
Displaying and maintaining voice VLAN,40
Port isolation configuration examples,129
E
Port isolation configuration task list,128
Enabling a VLAN termination-enabled interface to Protocols and standards,65
transmit broadcast and multicast packets,191 PVST,60
Enabling basic QinQ,137
Q
Enabling BPDU tunneling,164
Enabling GVRP compatibility,236 QinQ configuration examples,140
Enabling link-aggregation traffic redirection,118 QinQ configuration task list,137
Enabling loopback detection,181 R
Enabling MAC address migration log notifying,50 Related information,250
Enabling the spanning tree feature,82 RSTP,60
Enhancing the Selected port capacity for link
aggregation in IRF mode,118 S
Ethernet link aggregation configuration examples,119 Setting the spanning tree mode,70
Ethernet link aggregation configuration task list,109 Setting the TPID value in VLAN tags,140
G Spanning tree configuration examples,95
Spanning tree configuration task lists,65
GVRP configuration examples,174
STP,53
GVRP configuration task list,171
Super VLAN configuration example,29
L
T
LLDP configuration examples,224
Troubleshooting,211
LLDP configuration task list,217
Loopback detection configuration example,183 V
Loopback detection configuration task list,181 VLAN mapping configuration examples,157
M VLAN mapping configuration task list,149
VLAN termination configuration examples,192
MAC address table configuration example,51
VLAN termination configuration task list,190
MAC-in-MAC configuration example,209
Voice VLAN configuration examples,40
MAC-in-MAC configuration task list,206

254

Das könnte Ihnen auch gefallen