Configuring VLANs
In this chapter, EB cards refer to the interface cards prefixed with EB.
Overview
Ethernet is a network technology based on the Carrier Sense Multiple Access/Collision Detect
(CSMA/CD) mechanism. As the medium is shared, collisions and excessive broadcasts are common on
Ethernet networks. To address the issue, virtual LAN (VLAN) was introduced to break a LAN down into
separate VLANs. VLANs are isolated from each other at Layer 2. A VLAN is a bridging domain, and all
broadcast traffic is contained within it, as shown in Figure 1.
Figure 1 A VLAN diagram
A VLAN is logically divided on an organizational basis rather than on a physical basis. For example, all
workstations and servers used by a particular workgroup can be connected to the same LAN, regardless
of their physical locations.
VLAN technology delivers the following benefits:
• Confining broadcast traffic within individual VLANs. This reduces bandwidth waste and improves
network performance.
• Improving LAN security. By assigning user groups to different VLANs, you can isolate them at Layer
2. To enable communication between VLANs, routers or Layer 3 switches are required.
• Flexible virtual workgroup creation. As users from the same workgroup can be assigned to the same
VLAN regardless of their physical locations, network construction and maintenance are much easier
and more flexible.
VLAN fundamentals
To enable a switch to identify frames of different VLANs, a VLAN tag field is inserted into the data link
layer encapsulation.
The format of VLAN-tagged frames is defined in IEEE 802.1Q issued by the Institute of Electrical and
Electronics Engineers (IEEE) in 1999.
In the header of a traditional Ethernet data frame, the field after the destination MAC address and the
source MAC address is the Type field indicating the upper layer protocol type, as shown in Figure 2.
Figure 2 Traditional Ethernet frame format
IEEE 802.1Q inserts a four-byte VLAN tag after the DA&SA field, as shown in Figure 3.
Figure 3 Position and format of VLAN tag
A VLAN tag comprises the following fields: tag protocol identifier (TPID), priority, canonical format
indicator (CFI), and VLAN ID.
• The 16-bit TPID field with a value of 0x8100 indicates that the frame is VLAN-tagged.
• The 3-bit priority field indicates the 802.1p priority of the frame. For more information about frame
priority, see ACL and QoS Configuration Guide.
• The 1-bit CFI field specifies whether the MAC addresses are encapsulated in the standard format
when packets are transmitted across different media. Value 0 indicates that MAC addresses are
encapsulated in the standard format; value 1 indicates that MAC addresses are encapsulated in a
non-standard format. The value of the field is 0 by default.
• The 12-bit VLAN ID field identifies the VLAN the frame belongs to. The VLAN ID range is 0 to 4095.
As 0 and 4095 are reserved by the protocol, a VLAN ID actually ranges from 1 to 4094.
A switch handles an incoming frame depending on whether the frame is VLAN tagged and the value of
the VLAN tag, if any. For more information, see "Introduction to port-based VLANs."
NOTE:
• The Ethernet II encapsulation format is used here. Besides the Ethernet II encapsulation format, Ethernet
also supports other encapsulation formats, including 802.2 LLC, 802.2 SNAP, and 802.3 raw. The
VLAN tag fields are added to frames encapsulated in these formats for VLAN identification.
• When a frame carrying multiple VLAN tags passes through, the switch processes the frame according
to its outer VLAN tag and transmits its inner tags as payload.
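The tag layout described above, as an added example that is not part of the original guide: a parser for Ethernet II frames that extracts every 802.1Q tag and reports which one the switch acts on. The function names and the sample frames are constructed for illustration, and only the TPID value 0x8100 given above is recognized.

```python
import struct
from dataclasses import dataclass

TPID_8021Q = 0x8100  # TPID value that marks a frame as VLAN-tagged


@dataclass
class VlanTag:
    priority: int  # 3-bit 802.1p priority
    cfi: int       # 1-bit canonical format indicator
    vlan_id: int   # 12-bit VLAN ID


def build_frame(tags, ethertype=0x0800, payload=b"\x00" * 46):
    """Build a constructed Ethernet II test frame; tags are (priority, cfi, vlan_id)."""
    # Constructed addresses: broadcast destination, Laptop 1's MAC as source.
    header = bytes.fromhex("ffffffffffff") + bytes.fromhex("000d88f84e71")
    for priority, cfi, vlan_id in tags:
        tci = (priority << 13) | (cfi << 12) | vlan_id
        header += struct.pack("!HH", TPID_8021Q, tci)
    return header + struct.pack("!H", ethertype) + payload


def parse_frame(frame):
    """Return (tags, type_field, payload); tags are ordered outermost first."""
    offset = 12  # skip the destination and source MAC addresses (DA&SA)
    tags = []
    while True:
        if len(frame) < offset + 2:
            raise ValueError("frame truncated before the Type field")
        (type_field,) = struct.unpack_from("!H", frame, offset)
        if type_field != TPID_8021Q:
            return tags, type_field, frame[offset + 2:]
        if len(frame) < offset + 4:
            raise ValueError("frame truncated inside a VLAN tag")
        (tci,) = struct.unpack_from("!H", frame, offset + 2)
        tags.append(VlanTag(tci >> 13, (tci >> 12) & 0x1, tci & 0x0FFF))
        offset += 4


def switch_view(frame):
    """Summarise what the switch acts on: the outer tag; inner tags ride as payload."""
    tags, _type_field, _payload = parse_frame(frame)
    if not tags:
        return {"tagged": False, "outer_vlan": None, "usable": None, "inner_vlans": []}
    outer = tags[0]
    return {
        "tagged": True,
        "outer_vlan": outer.vlan_id,
        "priority": outer.priority,
        # 0 and 4095 are reserved, so only 1 to 4094 identify a VLAN
        "usable": 1 <= outer.vlan_id <= 4094,
        "inner_vlans": [t.vlan_id for t in tags[1:]],
    }


if __name__ == "__main__":
    print(switch_view(build_frame([(5, 0, 100), (0, 0, 200)])))
    print(switch_view(build_frame([])))
```

A non-empty inner_vlans list on a frame received from an end host is worth logging, because the switch forwards on the outer tag only and never inspects the inner ones.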
Types of VLAN
You can implement VLAN based on the following criteria:
• Port
• MAC address
• Protocol
• IP subnet
Protocols and standards
• IEEE 802.1Q, IEEE Standards for Local and Metropolitan Area Networks: Virtual Bridged Local
Area Networks
Step 2. Create VLANs.
  Command: vlan { vlan-id1 [ to vlan-id2 ] | all }
  Remarks: Optional. You can use this command to create multiple VLANs in bulk.
Step 4. Configure a name for the VLAN.
  Command: name text
  Remarks: Optional. By default, the name of a VLAN is its VLAN ID, for example, VLAN 0001.
Step 5. Configure the description of the current VLAN.
  Command: description text
  Remarks: Optional. By default, VLAN ID is used, for example, VLAN 0001.
NOTE:
As the default VLAN, VLAN 1 cannot be created or removed.
Configuration procedure
To configure basic settings of a VLAN interface:
Step 4. Configure the description of the VLAN interface.
  Command: description text
  Remarks: Optional. By default, the VLAN interface name is used, for example, Vlan-interface1 Interface.
Figure 4 Network diagram
Configuration procedure
1. Configure Switch A:
# Create VLAN 5 and assign GigabitEthernet 3/0/1 to it.
<SwitchA> system-view
[SwitchA] vlan 5
[SwitchA-vlan5] port gigabitethernet 3/0/1
# Create VLAN 10 and assign GigabitEthernet 3/0/2 to it.
[SwitchA-vlan5] vlan 10
[SwitchA-vlan10] port gigabitethernet 3/0/2
[SwitchA-vlan10] quit
# Create VLAN-interface 5 and configure its IP address as 192.168.0.10/24.
[SwitchA] interface vlan-interface 5
[SwitchA-Vlan-interface5] ip address 192.168.0.10 24
[SwitchA-Vlan-interface5] quit
# Create VLAN-interface 10 and configure its IP address as 192.168.1.20/24.
[SwitchA] interface vlan-interface 10
[SwitchA-Vlan-interface10] ip address 192.168.1.20 24
[SwitchA-Vlan-interface10] return
2. Configure the default gateway of PC A as 192.168.0.10.
3. Configure the default gateway of PC B as 192.168.1.20.
Configuring port-based VLANs
Introduction to port-based VLANs
Port-based VLANs group VLAN members by port. A port forwards traffic for a VLAN only after it is
assigned to the VLAN.
Figure 5 Network diagram
PVID
By default, VLAN 1 is the PVID for all ports. You can configure the PVID for a port as required.
Use the following guidelines when you configure the PVID on a port:
• An access port can join only one VLAN. The VLAN to which the access port belongs is the PVID of
the port. The PVID of the access port changes along with the VLAN to which the port belongs.
• A trunk or hybrid port can join multiple VLANs, and you can configure a PVID for the port.
• You can use a nonexistent VLAN as the PVID for a hybrid or trunk port but not for an access port.
After you remove the VLAN that an access port resides in with the undo vlan command, the PVID
of the port changes to VLAN 1. The removal of the VLAN specified as the PVID of a trunk or hybrid
port, however, does not affect the PVID setting on the port.
• HP recommends that you set the same PVID on local and remote ports.
• Make sure a port is assigned to its PVID. Otherwise, when receiving frames tagged with the PVID
or untagged frames (including protocol packets such as MSTP BPDUs), the port filters out these
frames.
• The following table shows how ports of different link types handle frames:
Port type: Trunk
  Inbound, untagged frame: Check whether the PVID is permitted on the port. If yes, tag the frame with the PVID. If not, drop the frame.
  Inbound, tagged frame: Receive the frame if its VLAN is carried on the port. Drop the frame if its VLAN is not carried on the port.
  Outbound: Remove the tag and send the frame if the frame carries the PVID and the port is assigned to the PVID. Send the frame without removing the tag if its VLAN is carried on the port but is different from the default one.
Port type: Hybrid
  Inbound, untagged frame: Check whether the PVID is permitted on the port. If yes, tag the frame with the PVID. If not, drop the frame.
  Inbound, tagged frame: Receive the frame if its VLAN is carried on the port. Drop the frame if its VLAN is not carried on the port.
  Outbound: Send the frame if its VLAN is carried on the port. The frame is sent with the VLAN tag removed or intact depending on your configuration with the port hybrid vlan command. This is true of the PVID.
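The trunk and hybrid rules in the table above, as an added example that is not part of the original guide: a small model of the inbound and outbound decisions, used to check the two PVID guidelines (assign the port to its PVID, and use the same PVID on both ends of a link). The class, function names and port settings are constructed for illustration.

```python
from dataclasses import dataclass, field


@dataclass
class Port:
    link_type: str                                # "trunk" or "hybrid"
    pvid: int = 1                                 # VLAN 1 is the default PVID
    permitted: set = field(default_factory=set)   # VLANs the port is assigned to
    untagged: set = field(default_factory=set)    # hybrid only: VLANs sent untagged


def ingress(port, frame_vlan):
    """Return the VLAN a received frame is placed in, or None if it is dropped.

    frame_vlan is None for an untagged frame, which takes the PVID.
    """
    vlan = port.pvid if frame_vlan is None else frame_vlan
    return vlan if vlan in port.permitted else None


def egress(port, vlan):
    """Return 'drop', 'untagged' or 'tagged' for a frame of this VLAN leaving the port."""
    if vlan not in port.permitted:
        return "drop"
    if port.link_type == "trunk":
        # A trunk port strips the tag only for its PVID.
        return "untagged" if vlan == port.pvid else "tagged"
    if port.link_type == "hybrid":
        # A hybrid port strips the tag for the VLANs configured as untagged.
        return "untagged" if vlan in port.untagged else "tagged"
    raise ValueError(f"link type not modelled: {port.link_type}")


def cross_link(sender, receiver, vlan):
    """Follow a frame of `vlan` out of sender and into receiver; None means dropped."""
    action = egress(sender, vlan)
    if action == "drop":
        return None
    return ingress(receiver, None if action == "untagged" else vlan)


def audit(name, port, peer=None):
    """Check one port (and optionally its link peer) against the PVID guidelines."""
    findings = []
    if port.pvid not in port.permitted:
        findings.append(f"{name}: not assigned to PVID {port.pvid}; "
                        "untagged and PVID-tagged frames are filtered")
    if peer is not None and peer.pvid != port.pvid:
        findings.append(f"{name}: PVID {port.pvid} differs from peer PVID {peer.pvid}")
    return findings


if __name__ == "__main__":
    # Constructed settings: both trunks carry VLANs 100 and 200 but disagree on the PVID.
    a = Port("trunk", pvid=100, permitted={100, 200})
    b = Port("trunk", pvid=200, permitted={100, 200})
    print(cross_link(a, b, 100))   # 200: the frame changes VLAN on the link
    print(audit("A", a, peer=b))
```

With mismatched PVIDs, a VLAN 100 frame leaves the first trunk untagged and is tagged with the peer's PVID on arrival, so it ends up in VLAN 200.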
You can assign an access port to a VLAN in VLAN view, Ethernet interface view, Layer 2 aggregate
interface view, or port group view.
To assign one or multiple access ports to a VLAN in VLAN view:
To assign an access port (in interface view) or multiple access ports (in port group view) to a VLAN:
Step 2. Enter interface view or port group view.
  Command:
    • Enter Ethernet interface view: interface interface-type interface-number
    • Enter Layer 2 aggregate interface view: interface bridge-aggregation interface-number
    • Enter port group view: port-group manual port-group-name
  Remarks: N/A
Step 3. Configure the link type of the port or ports as access.
  Command: port link-type access
  Remarks: Optional. By default, the link type of a port is access.
Step 4. Assign the current access ports to a VLAN.
  Command: port access vlan vlan-id
  Remarks: Optional. By default, all access ports belong to VLAN 1.
Step 5. Configure the PVID of the trunk ports.
  Command: port trunk pvid vlan vlan-id
  Remarks: Optional. By default, the PVID is VLAN 1. After configuring the PVID for a trunk port, you must use the port trunk permit vlan command to configure the trunk port to allow packets from the PVID to pass through, so that the egress port can forward packets from the PVID.
Step 5. Configure the PVID of the hybrid port.
  Command: port hybrid pvid vlan vlan-id
  Remarks: Optional. By default, the PVID is VLAN 1. After configuring the PVID for a hybrid port, you must use the port hybrid vlan command to configure the hybrid port to allow packets from the PVID to pass through, so that the egress port can forward packets from the PVID.
Configuration procedure
1. Configure Device A:
# Create VLAN 100, and assign port GigabitEthernet 3/0/1 to VLAN 100.
<DeviceA> system-view
[DeviceA] vlan 100
[DeviceA-vlan100] port GigabitEthernet 3/0/1
[DeviceA-vlan100] quit
# Create VLAN 200, and assign port GigabitEthernet 3/0/2 to VLAN 200.
[DeviceA] vlan 200
[DeviceA-vlan200] port GigabitEthernet 3/0/2
[DeviceA-vlan200] quit
# Configure port GigabitEthernet 3/0/3 as a trunk port, and assign it to VLANs 100 and 200,
thus enabling GigabitEthernet 3/0/3 to forward traffic of VLANs 100 and 200 to Device B.
[DeviceA] interface gigabitethernet 3/0/3
[DeviceA-GigabitEthernet3/0/3] port link-type trunk
[DeviceA-GigabitEthernet3/0/3] port trunk permit vlan 100 200
Please wait... Done.
2. Configure Device B as you configure Device A.
3. Configure Host A and Host C to be on the same network segment, 192.168.100.0/24 for
example. Configure Host B and Host D to be on the same network segment, 192.168.200.0/24
for example.
Static MAC-based VLAN assignment
Static MAC-based VLAN assignment applies to networks containing a small number of VLAN users. In
such a network, you can create a MAC address-to-VLAN map containing multiple MAC
address-to-VLAN entries on a port, enable the MAC-based VLAN feature on the port, and assign the port
to MAC-based VLANs.
With static MAC-based VLAN assignment configured on a port, the device processes received frames by
using the following guidelines:
• When the port receives an untagged frame, the device looks up the MAC address-to-VLAN map
based on the source MAC address of the frame for a match.
  ◦ The device first performs a fuzzy match. In the fuzzy match, the device searches the MAC
    address-to-VLAN entries whose masks are not all-Fs and performs a logical AND operation on
    the source MAC address and each mask. If the result of an AND operation matches the
    corresponding MAC address, the device tags the frame with the corresponding VLAN ID.
  ◦ If the fuzzy match fails, the device performs an exact match. In the exact match, the device
    searches the MAC address-to-VLAN entries whose masks are all-Fs. If the MAC address of a
    MAC address-to-VLAN entry matches the source MAC address of the untagged frame, the
    device tags the frame with the corresponding VLAN ID.
  ◦ If no match is found, the device assigns a VLAN to the frame by using other criteria, such as IP
    subnet or protocol, and forwards the frame.
  ◦ If no VLAN is available, the device tags the frame with the PVID of the receiving port and
    forwards the frame.
• When the port receives a tagged frame, the port forwards the frame if the VLAN ID of the frame is
permitted by the port, or otherwise drops the frame.
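The lookup order described above, as an added example that is not part of the original guide: a classifier that follows the steps in the order they are written (fuzzy match, exact match, other criteria, PVID). The function names are constructed for illustration, and other_criteria is a hypothetical callback standing in for the IP subnet and protocol checks.

```python
from dataclasses import dataclass

ALL_FS = 0xFFFFFFFFFFFF  # mask ffff-ffff-ffff


def mac_to_int(mac):
    """Convert the xxxx-xxxx-xxxx notation used in this guide to an integer."""
    digits = mac.replace("-", "")
    if len(digits) != 12:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return int(digits, 16)


@dataclass(frozen=True)
class MacVlanEntry:
    mac: int
    mask: int
    vlan: int


def entry(mac, mask, vlan):
    """Build one MAC address-to-VLAN entry from its textual form."""
    return MacVlanEntry(mac_to_int(mac), mac_to_int(mask), vlan)


def classify(src_mac, frame_vlan, entries, pvid, permitted, other_criteria=None):
    """Return (vlan, reason); vlan is None when the frame is dropped.

    frame_vlan is None for an untagged frame.
    """
    if frame_vlan is not None:
        # Tagged frames bypass the MAC address-to-VLAN map entirely.
        if frame_vlan in permitted:
            return frame_vlan, "tagged, permitted"
        return None, "tagged, dropped"
    src = mac_to_int(src_mac)
    # 1. Fuzzy match: entries whose mask is not all-Fs, compared after the AND.
    for e in entries:
        if e.mask != ALL_FS and (src & e.mask) == e.mac:
            return e.vlan, "fuzzy match"
    # 2. Exact match: entries whose mask is all-Fs.
    for e in entries:
        if e.mask == ALL_FS and e.mac == src:
            return e.vlan, "exact match"
    # 3. Other criteria such as IP subnet or protocol (hypothetical callback).
    if other_criteria is not None:
        vlan = other_criteria(src_mac)
        if vlan is not None:
            return vlan, "other criteria"
    # 4. Fall back to the PVID of the receiving port.
    return pvid, "PVID"


if __name__ == "__main__":
    # The two static entries from the MAC-based VLAN example in this guide.
    table = [
        entry("000d-88f8-4e71", "ffff-ffff-ffff", 100),
        entry("0014-222c-aa69", "ffff-ffff-ffff", 200),
    ]
    print(classify("000d-88f8-4e71", None, table, 1, {100, 200}))
    # Constructed masked entry: with this order it wins over the exact entry.
    table.append(entry("0014-2200-0000", "ffff-ff00-0000", 300))
    print(classify("0014-222c-aa69", None, table, 1, {100, 200, 300}))
```

Because the fuzzy match runs first in this order, a masked entry that covers an address takes precedence over an all-Fs entry for the same address, which is worth checking when reviewing a MAC address-to-VLAN map.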
Configuration procedure
IMPORTANT:
• MAC-based VLANs are available only on hybrid ports.
• Because MAC-based dynamic port assignment is mainly configured on the downlink ports of the user
access devices, do not enable this function together with link aggregation.
Step 1. Enter system view.
  Command: system-view
  Remarks: N/A
MAC-based VLAN configuration example
Network requirements
As shown in Figure 7:
• GigabitEthernet 3/0/1 of Device A and Device C are each connected to a meeting room. Laptop
1 and Laptop 2 are used for meetings and may be used in either of the two meeting rooms.
• Laptop 1 and Laptop 2 are owned by different departments. The two departments use VLAN 100
and VLAN 200, respectively.
• The MAC address of Laptop 1 is 000d-88f8-4e71, and that of Laptop 2 is 0014-222c-aa69.
Configure MAC-based VLANs, so that each laptop can access only its own department server no matter
which meeting room it is used in.
Figure 7 Network diagram
Configuration consideration
• Create VLANs 100 and 200.
• Configure the uplink ports of Device A and Device C as trunk ports, and assign them to VLANs 100
and 200.
• Configure the downlink ports of Device B as trunk ports, and assign them to VLANs 100 and 200.
Assign the uplink ports of Device B to VLANs 100 and 200.
• Associate the MAC address of Laptop 1 with VLAN 100, and the MAC address of Laptop 2 with
VLAN 200.
Configuration procedure
1. Configure Device A:
# Create VLANs 100 and 200.
<DeviceA> system-view
[DeviceA] vlan 100
[DeviceA-vlan100] quit
[DeviceA] vlan 200
[DeviceA-vlan200] quit
# Associate the MAC address of Laptop 1 with VLAN 100, and the MAC address of Laptop 2 with
VLAN 200.
[DeviceA] mac-vlan mac-address 000d-88f8-4e71 vlan 100
[DeviceA] mac-vlan mac-address 0014-222c-aa69 vlan 200
# Configure Laptop 1 and Laptop 2 to access the network through GigabitEthernet 3/0/1:
Configure GigabitEthernet 3/0/1 as a hybrid port that sends packets of VLANs 100 and 200
untagged, and enable MAC-based VLAN on it.
[DeviceA] interface gigabitethernet 3/0/1
[DeviceA-GigabitEthernet3/0/1] port link-type hybrid
[DeviceA-GigabitEthernet3/0/1] port hybrid vlan 100 200 untagged
Please wait... Done.
[DeviceA-GigabitEthernet3/0/1] mac-vlan enable
[DeviceA-GigabitEthernet3/0/1] quit
# Configure the uplink port GigabitEthernet 3/0/2 as a trunk port, and assign it to VLANs 100
and 200, so that the laptops can access Server 1 and Server 2.
[DeviceA] interface gigabitethernet 3/0/2
[DeviceA-GigabitEthernet3/0/2] port link-type trunk
[DeviceA-GigabitEthernet3/0/2] port trunk permit vlan 100 200
[DeviceA-GigabitEthernet3/0/2] quit
2. Configure Device B:
# Create VLANs 100 and 200. Assign GigabitEthernet 3/0/13 to VLAN 100, and
GigabitEthernet 3/0/14 to VLAN 200.
<DeviceB> system-view
[DeviceB] vlan 100
[DeviceB-vlan100] port GigabitEthernet 3/0/13
[DeviceB-vlan100] quit
[DeviceB] vlan 200
[DeviceB-vlan200] port GigabitEthernet 3/0/14
[DeviceB-vlan200] quit
# Configure GigabitEthernet 3/0/3 and GigabitEthernet 3/0/4 as trunk ports, and assign them
to VLANs 100 and 200.
[DeviceB] interface gigabitethernet 3/0/3
[DeviceB-GigabitEthernet3/0/3] port link-type trunk
[DeviceB-GigabitEthernet3/0/3] port trunk permit vlan 100 200
[DeviceB-GigabitEthernet3/0/3] quit
[DeviceB] interface gigabitethernet 3/0/4
[DeviceB-GigabitEthernet3/0/4] port link-type trunk
[DeviceB-GigabitEthernet3/0/4] port trunk permit vlan 100 200
[DeviceB-GigabitEthernet3/0/4] quit
3. Configure Device C as you configure Device A.
[DeviceA] display mac-vlan all
The following MAC VLAN addresses exist:
S:Static D:Dynamic
MAC ADDR MASK VLAN ID PRIO STATE
--------------------------------------------------------
000d-88f8-4e71 ffff-ffff-ffff 100 0 S
0014-222c-aa69 ffff-ffff-ffff 200 0 S
Configuration guidelines
1. MAC-based VLAN can be configured only on hybrid ports.
2. MAC-based VLAN is typically configured on the downlink ports of access layer switches, and
hence cannot be configured together with the link aggregation function.
Configuration procedure
To configure a protocol-based VLAN:
Step 2. Enter VLAN view.
  Command: vlan vlan-id
  Remarks: If the specified VLAN does not exist, this command creates the VLAN first.
Step 3. Create a protocol template for the VLAN.
  Command: protocol-vlan [ protocol-index ] { at | ipv4 | ipv6 | ipx { ethernetii | llc | raw | snap } | mode { ethernetii etype etype-id | llc { dsap dsap-id [ ssap ssap-id ] | ssap ssap-id } | snap etype etype-id } }
  Remarks: By default, no protocol template exists.
Figure 8 Network diagram
Configuration consideration
Create VLANs 100 and 200. Associate VLAN 100 with IPv4, and VLAN 200 with IPv6. Configure
protocol-based VLANs to isolate IPv4 traffic and IPv6 traffic at Layer 2.
Configuration procedure
1. Configure Device:
# Create VLAN 100, and assign port GigabitEthernet 3/0/11 to VLAN 100.
<Device> system-view
[Device] vlan 100
[Device-vlan100] description protocol VLAN for IPv4
[Device-vlan100] port GigabitEthernet 3/0/11
# Create VLAN 200, and assign port GigabitEthernet 3/0/12 to VLAN 200.
[Device-vlan100] quit
[Device] vlan 200
[Device-vlan200] description protocol VLAN for IPv6
[Device-vlan200] port GigabitEthernet 3/0/12
# Create an IPv6 protocol template in the view of VLAN 200, and an IPv4 protocol template in the
view of VLAN 100.
[Device-vlan200] protocol-vlan 1 ipv6
[Device-vlan200] quit
[Device] vlan 100
[Device-vlan100] protocol-vlan 1 ipv4
[Device-vlan100] quit
# Configure port GigabitEthernet 3/0/1 as a hybrid port that forwards packets of VLANs 100
and 200 untagged.
[Device] interface gigabitethernet 3/0/1
[Device-GigabitEthernet3/0/1] port link-type hybrid
[Device-GigabitEthernet3/0/1] port hybrid vlan 100 200 untagged
Please wait... Done.
# Associate port GigabitEthernet 3/0/1 with the IPv4 protocol template of VLAN 100, and the
IPv6 protocol template of VLAN 200.
[Device-GigabitEthernet3/0/1] port hybrid protocol-vlan vlan 100 1
[Device-GigabitEthernet3/0/1] port hybrid protocol-vlan vlan 200 1
[Device-GigabitEthernet3/0/1] quit
# Configure GigabitEthernet 3/0/2 as a hybrid port that forwards packets of VLANs 100 and
200 untagged, and associate GigabitEthernet 3/0/2 with the IPv4 protocol template of VLAN
100, and the IPv6 protocol template of VLAN 200.
[Device] interface gigabitethernet 3/0/2
[Device-GigabitEthernet3/0/2] port link-type hybrid
[Device-GigabitEthernet3/0/2] port hybrid vlan 100 200 untagged
Please wait... Done.
[Device-GigabitEthernet3/0/2] port hybrid protocol-vlan vlan 100 1
[Device-GigabitEthernet3/0/2] port hybrid protocol-vlan vlan 200 1
2. Keep the default settings of L2 Switch A and L2 Switch B.
3. Configure IPv4 Host A, IPv4 Host B, and IPv4 Server to be on the same network segment,
192.168.100.0/24 for example, and configure IPv6 Host A, IPv6 Host B, and IPv6 Server to be
on the same network segment, 2001::1/64 for example.
200 1 ipv6
Configuration guidelines
Protocol-based VLAN configuration applies to hybrid ports only.
Configuration procedure
To configure an IP subnet-based VLAN:
Step 7. Configure the PVID of the hybrid port or ports.
  Command: port hybrid pvid vlan vlan-id
  Remarks: Optional. By default, the PVID of a hybrid port is VLAN 1.

Step 23. Associate the classes with the traffic behavior in the policy to transmit ARP packets and IPv4 packets from the specified subnet in the specified VLAN.
  Command: classifier tcl-name behavior behavior-name
  Remarks: N/A

Step 24. Return to system view.
  Command: quit
  Remarks: N/A

Step 25. Apply the QoS policy.
  Command:
  • (Approach 1) Apply the policy to an interface or multiple interfaces:
    a. Enter interface or port group view:
       Enter Ethernet interface view:
       interface interface-type interface-number
       OR:
       Enter port group view:
       port-group manual port-group-name
    b. qos apply policy policy-name { inbound | outbound }
  • (Approach 2) Apply the policy to the specified VLANs:
    qos vlan-policy policy-name vlan vlan-id-list { inbound | outbound }
  • (Approach 3) Apply the policy globally:
    qos apply policy policy-name global { inbound | outbound }
  Remarks: Use any approach. To apply the policy to a Layer 2 aggregate interface, you must apply the policy to every member port of the Layer 2 aggregate interface.
Configuration considerations
To satisfy the requirements, you can configure IP subnet-based VLANs.
• Create VLAN 10 and VLAN 20.
• Assign users on subnet 1.1.1.0/24 to VLAN 10, and users on 2.1.1.0/24 to VLAN 20.
Configuration procedure
1. Configure Switch:
# Create VLAN-interface 10 and VLAN-interface 20. (Details not shown.)
# Configure port GigabitEthernet 3/0/1 as a hybrid port to permit packets from VLANs 1, 10,
and 20 to pass through untagged, and configure the PVID of the port as 1.
[Switch] interface GigabitEthernet 3/0/1
[Switch-GigabitEthernet3/0/1] port link-type hybrid
[Switch-GigabitEthernet3/0/1] port hybrid vlan 10 20 1 untagged
Please wait... Done.
[Switch-GigabitEthernet3/0/1] port hybrid pvid vlan 1
# Configure ACL 3000 to permit packets from subnet 1.1.1.0/24 to pass through, and ACL 3001
to permit packets from subnet 2.1.1.0/24 to pass through.
[Switch] acl number 3000
[Switch-acl-adv-3000] rule 0 permit ip source 1.1.1.0 0.0.0.255
[Switch-acl-adv-3000] quit
[Switch] acl number 3001
[Switch-acl-adv-3001] rule 0 permit ip source 2.1.1.0 0.0.0.255
[Switch-acl-adv-3001] quit
# Configure a QoS policy named test to transmit ARP and IPv4 packets from subnet 1.1.1.0/24
through VLAN 10 and transmit ARP and IPv4 packets from subnet 2.1.1.0/24 through VLAN 20.
[Switch] traffic classifier 1
[Switch-classifier-1] if-match acl 3000
[Switch-classifier-1] quit
[Switch] traffic classifier 2
[Switch-classifier-2] if-match acl 3000
[Switch-classifier-2] if-match protocol arp
[Switch-classifier-2] quit
[Switch] traffic classifier 3
[Switch-classifier-3] if-match acl 3001
[Switch-classifier-3] quit
[Switch] traffic classifier 4
[Switch-classifier-4] if-match acl 3001
[Switch-classifier-4] if-match protocol arp
[Switch-classifier-4] quit
[Switch] traffic behavior 1
[Switch-behavior-1] remark service-vlan-id 10
[Switch-behavior-1] quit
[Switch] traffic behavior 2
[Switch-behavior-2] remark service-vlan-id 20
[Switch-behavior-2] quit
[Switch] qos policy test
[Switch-qospolicy-test] classifier 1 behavior 1
[Switch-qospolicy-test] classifier 2 behavior 1
[Switch-qospolicy-test] classifier 3 behavior 2
[Switch-qospolicy-test] classifier 4 behavior 2
[Switch-qospolicy-test] quit
# Apply the QoS policy to the incoming packets of port GigabitEthernet 3/0/1.
[Switch] interface GigabitEthernet 3/0/1
[Switch-GigabitEthernet3/0/1] qos apply policy test inbound
Configuration precautions
IP subnet-based VLANs are only effective on hybrid ports.
Task: Display hybrid ports or trunk ports on the switch.
  Command: display port { hybrid | trunk } [ | { begin | exclude | include } regular-expression ]
  Remarks: Available in any view.

Task: Display protocol-based VLAN information on specified ports.
  Command: display protocol-vlan interface { interface-type interface-number [ to interface-type interface-number ] | all } [ | { begin | exclude | include } regular-expression ]
  Remarks: Available in any view.
Configuring the super VLAN
Overview
Super VLAN, also called VLAN aggregation, was introduced to save IP address space.
A super VLAN is associated with multiple sub-VLANs. You can create a VLAN interface for a super VLAN
and assign an IP address to the VLAN interface. However, you cannot create a VLAN interface for a
sub-VLAN. You cannot assign a physical port to a super VLAN, but you can assign a physical port to a
sub-VLAN. All ports of a sub-VLAN use the VLAN interface IP address of the associated super VLAN.
Packets cannot be forwarded between sub-VLANs at Layer 2.
To enable Layer 3 communication between sub-VLANs, you should configure the VLAN interface IP
address of the associated super VLAN as the gateway IP address. This enables multiple sub-VLANs to
share the same gateway address, which saves IP address resources.
After creating a super VLAN and the VLAN interface, enable local proxy Address Resolution Protocol
(ARP) on the switch. The super VLAN can use local proxy ARP to forward and process ARP requests and
responses and to provide Layer 3 communication between sub-VLANs. For more information about local
proxy ARP, see Layer 3—IP Services Configuration Guide.
Configuration procedure
To configure a super VLAN, complete the following tasks:
1. Configure sub-VLANs.
2. Configure a super VLAN, and associate the super VLAN with the sub-VLANs configured earlier.
3. Configure a VLAN interface for the super VLAN. The VLAN interface enables communication
among hosts and sub-VLANs.
Configuring sub-VLANs
cannot forward multicast streams to any other sub-VLAN (regardless of whether the sub-VLAN is
associated with the super VLAN). For the multicast source in a sub-VLAN to correctly forward
multicast streams, the sub-VLAN where the multicast source resides must have learned the ARP
entries of the multicast source.
• The multicast streams entering through a Layer 3 interface (except the VLAN interface of the super
VLAN) cannot be forwarded to the receivers in the super VLAN.
• The IPv4 Layer 3 multicast feature of a super VLAN is mutually exclusive with the IPv4 Layer 2
multicast feature of a super VLAN or sub-VLAN. The IPv6 Layer 3 multicast feature of a super VLAN
is mutually exclusive with the IPv6 Layer 2 multicast feature of a super VLAN or sub-VLAN.
• A super VLAN does not support BIDIR-PIM or multicast VPN.
To configure a super VLAN:
Step 2. Create a VLAN interface, and enter VLAN interface view.
  Command: interface vlan-interface vlan-interface-id
  Remarks: The value of vlan-interface-id must be the ID of the super VLAN.
Network requirements
As shown in Figure 10:
• Create super VLAN 10, and configure its VLAN interface IP address as 10.0.0.1/24.
• Create the sub-VLANs VLAN 2, VLAN 3, and VLAN 5.
• Assign GigabitEthernet 3/0/1 and GigabitEthernet 3/0/2 to VLAN 2, GigabitEthernet 3/0/3
and GigabitEthernet 3/0/4 to VLAN 3, and GigabitEthernet 3/0/5 and GigabitEthernet 3/0/6
to VLAN 5.
• The sub-VLANs are isolated at Layer 2 but connected at Layer 3.
Figure 10 Network diagram
Configuration procedure
# Create VLAN 10, and configure its VLAN interface IP address as 10.0.0.1/24.
<Sysname> system-view
[Sysname] vlan 10
[Sysname-vlan10] interface vlan-interface 10
[Sysname-Vlan-interface10] ip address 10.0.0.1 255.255.255.0
# Create VLAN 2, and assign ports GigabitEthernet 3/0/1 and GigabitEthernet 3/0/2 to it.
[Sysname] vlan 2
[Sysname-vlan2] port gigabitethernet 3/0/1 gigabitethernet 3/0/2
# Create VLAN 3, and assign ports GigabitEthernet 3/0/3 and GigabitEthernet 3/0/4 to it.
[Sysname-vlan2] quit
[Sysname] vlan 3
[Sysname-vlan3] port gigabitethernet 3/0/3 gigabitethernet 3/0/4
# Create VLAN 5, and assign ports GigabitEthernet 3/0/5 and GigabitEthernet 3/0/6 to it.
[Sysname-vlan3] quit
[Sysname] vlan 5
[Sysname-vlan5] port gigabitethernet 3/0/5 gigabitethernet 3/0/6
# Configure VLAN 10 as the super VLAN, and configure VLAN 2, VLAN 3, and VLAN 5 as its
sub-VLANs.
[Sysname-vlan5] quit
[Sysname] vlan 10
[Sysname-vlan10] supervlan
[Sysname-vlan10] subvlan 2 3 5
[Sysname-vlan10] quit
[Sysname] quit
SuperVLAN ID : 10
SubVLAN ID : 2-3 5
VLAN ID: 10
VLAN Type: static
It is a Super VLAN.
Route Interface: configured
Ip Address: 10.0.0.1
Subnet Mask: 255.255.255.0
Description: VLAN 0010
Name: VLAN 0010
Tagged Ports: none
Untagged Ports: none
VLAN ID: 2
VLAN Type: static
It is a Sub VLAN.
Route Interface: configured
Ip Address: 10.0.0.1
Subnet Mask: 255.255.255.0
Description: VLAN 0002
Name: VLAN 0002
Tagged Ports: none
Untagged Ports:
GigabitEthernet3/0/1 GigabitEthernet3/0/2
VLAN ID: 3
VLAN Type: static
It is a Sub VLAN.
Route Interface: configured
Ip Address: 10.0.0.1
Subnet Mask: 255.255.255.0
Description: VLAN 0003
Name: VLAN 0003
Tagged Ports: none
Untagged Ports:
GigabitEthernet3/0/3 GigabitEthernet3/0/4
VLAN ID: 5
VLAN Type: static
It is a Sub VLAN.
Route Interface: configured
Ip Address: 10.0.0.1
Subnet Mask: 255.255.255.0
Description: VLAN 0005
Name: VLAN 0005
Tagged Ports: none
Untagged Ports:
GigabitEthernet3/0/5 GigabitEthernet3/0/6
Configuring the voice VLAN
Overview
As voice communication technologies grow more mature, voice devices are more and more widely
deployed, especially on broadband networks, where voice traffic and data traffic often co-exist. Usually,
compared to data traffic, voice traffic is given a higher transmission priority for the purpose of reducing
transmission delay and packet loss.
A voice VLAN is configured especially for voice traffic. After assigning the ports connecting to voice
devices to a voice VLAN, the system automatically configures quality of service (QoS) parameters for
voice traffic, thus improving the transmission priority of voice traffic and ensuring voice quality.
Common voice devices include IP phones and integrated access devices (IADs). Only IP phones are used
in the voice VLAN configuration examples in this chapter.
OUI addresses
A switch determines whether a received packet is a voice packet by checking its source MAC address.
A packet whose source MAC address complies with the voice device’s Organizationally Unique
Identifier (OUI) address is regarded as voice traffic.
In general, an OUI address is the first 24 bits of a MAC address (in binary format), a globally unique
identifier that IEEE assigns to a vendor. The OUI addresses in this chapter, however, differ from that
common meaning. They are the values the system uses to determine whether a received packet is a
voice packet, and each is the result of the AND operation of the two arguments mac-address and
oui-mask in the voice vlan mac-address command.
You can configure the OUI addresses of a device in advance or use the default OUI addresses. You can
remove the default OUI address of a switch manually and then add new ones manually. Table 1 lists the
default OUI address for each vendor’s devices.
Table 1 The default OUI addresses of different vendors
Voice VLAN assignment modes
Introduction to voice VLAN assignment modes
A port can be assigned to a voice VLAN in one of the following modes:
• In automatic mode, the system matches the source MAC address carried in the untagged packets
sent when an IP phone is powered on against the switch’s OUI addresses. If a match is found, the
switch automatically assigns the receiving port to the voice VLAN, issues ACL rules, and configures
the packet precedence. You can configure the voice VLAN aging time on the switch. The switch
removes a port from the voice VLAN if no packet is received from the port during the aging time.
The switch assigns ports to and removes ports from a voice VLAN automatically. The automatic
mode is suitable for scenarios where PCs and IP phones connected in series access the network
through the switch and ports on the switch transmit both voice traffic and data traffic at the same
time, as shown in Figure 11. If the switch reboots while the voice VLAN is working normally, the
switch reassigns ports in automatic voice VLAN assignment mode to the voice VLAN after the
reboot, so that existing voice connections keep working. In this case, port assignment to the voice
VLAN is not triggered by voice traffic streams.
Figure 11 PCs and IP phones connected in series access the network
• In manual mode, you must manually assign the port that an IP phone accesses to a voice VLAN.
Then, the switch matches the source MAC addresses carried in the packets against the switch’s OUI
addresses. If a match is found, the switch issues ACL rules and configures the packet precedence.
In this mode, ports are assigned to and removed from a voice VLAN manually. The manual mode
is suitable for scenarios where only IP phones access the network through the switch and ports on
the switch only transmit voice traffic, as shown in Figure 12. In this mode, ports assigned to a voice
VLAN transmit voice traffic exclusively, which prevents data traffic from affecting the transmission
of voice traffic.
Figure 12 Only IP phones access the network
Required configurations on ports of different link types for supporting tagged or untagged voice traffic
CAUTION:
• If an IP phone sends tagged voice traffic and its accessing port is configured with 802.1X authentication
and guest VLAN, you should assign different VLAN IDs for the voice VLAN, the PVID of the connecting
port, and the 802.1X guest VLAN.
• If an IP phone sends untagged voice traffic, to implement the voice VLAN feature, you must configure the
PVID of the IP phone’s accessing port as the voice VLAN. In this case, the 802.1X authentication function
cannot be implemented.
The following tables list the required configurations on ports of different link types in order for these ports
to support tagged or untagged voice traffic sent from IP phones when different voice VLAN assignment
modes are configured.
• IP phones send tagged voice traffic
Table 2 Required configurations on ports of different link types for supporting tagged voice traffic
Automatic No N/A
Trunk Configure the PVID of the port as the voice VLAN
Manual Yes
and assign the port to the voice VLAN.
Automatic No N/A
NOTE:
• The PVIDs for all ports are VLAN 1. You can configure the PVID of a port and assign a port to certain
VLANs by using commands. For more information, see "Configuring VLANs."
• Use the display interface command to display the PVID of a port and the VLANs to which the port is
assigned.
Voice VLAN mode: Security mode
  Packet type: Untagged packets; packets carrying the voice VLAN tag
  Packet processing mode: If the source MAC address of a packet matches an OUI address configured for the switch, it is forwarded in the voice VLAN; otherwise, it is dropped.
  Packet type: Packets carrying other tags
  Packet processing mode: Forwarded or dropped depending on whether the port allows packets of these VLANs to pass through

Voice VLAN mode: Normal mode
  Packet type: Untagged packets; packets carrying the voice VLAN tag
  Packet processing mode: The port does not check the source MAC addresses of inbound packets. In this way, both voice traffic and non-voice traffic can be transmitted in the voice VLAN.
  Packet type: Packets carrying other tags
  Packet processing mode: Forwarded or dropped depending on whether the port allows packets of these VLANs to pass through
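The OUI rule from "OUI addresses" (mac-address AND oui-mask) and the security/normal mode table above, worked through as an added Python model; it is not code from the switch or the vendor. The OUI entry, the two host addresses, and the VLAN numbers are constructed sample values, not defaults from Table 1.

```python
"""Added example: OUI matching and per-mode packet handling on a voice VLAN port."""
from dataclasses import dataclass
from typing import Iterable, Optional, Set


def parse_mac(text: str) -> int:
    """Parse a MAC address such as '0000-5e00-5301' into a 48-bit integer."""
    digits = text.replace("-", "").replace(":", "").replace(".", "")
    if len(digits) != 12:
        raise ValueError(f"not a 48-bit MAC address: {text!r}")
    return int(digits, 16)


def format_mac(value: int) -> str:
    """Format a 48-bit integer in the xxxx-xxxx-xxxx notation used in this guide."""
    digits = f"{value:012x}"
    return "-".join(digits[i:i + 4] for i in range(0, 12, 4))


@dataclass(frozen=True)
class OuiEntry:
    oui: int   # result of mac-address AND oui-mask
    mask: int

    @classmethod
    def from_config(cls, mac_address: str, oui_mask: str) -> "OuiEntry":
        """Build an entry from the two arguments of 'voice vlan mac-address'."""
        mask = parse_mac(oui_mask)
        return cls(parse_mac(mac_address) & mask, mask)

    def matches(self, src_mac: str) -> bool:
        """A source MAC matches when its masked value equals the stored OUI."""
        return (parse_mac(src_mac) & self.mask) == self.oui


def classify(src_mac: str, tag: Optional[int], voice_vlan: int,
             permitted_vlans: Set[int], ouis: Iterable[OuiEntry],
             security_mode: bool = True) -> str:
    """Return the handling of one inbound packet according to the table above.

    tag is None for an untagged packet, otherwise the VLAN ID it carries.
    """
    if tag is not None and tag != voice_vlan:
        # Packets carrying other tags: decided by the port's permitted VLANs only.
        return f"forward in VLAN {tag}" if tag in permitted_vlans else "drop"
    if not security_mode:
        # Normal mode: the source MAC address is not checked.
        return f"forward in VLAN {voice_vlan}"
    if any(entry.matches(src_mac) for entry in ouis):
        return f"forward in VLAN {voice_vlan}"
    return "drop"


# Constructed sample values. The mask is longer than 24 bits on purpose: the
# "OUI address" in this chapter is whatever mac-address AND oui-mask yields.
SAMPLE_OUIS = [OuiEntry.from_config("0000-5e00-53a7", "ffff-ffff-ff00")]
PHONE = "0000-5e00-5301"   # constructed: falls inside the configured OUI
PC = "0000-5e00-5401"      # constructed: falls outside it
VOICE_VLAN, PERMITTED = 2, {2, 10}

if __name__ == "__main__":
    print("stored OUI:", format_mac(SAMPLE_OUIS[0].oui))
    for security in (True, False):
        for name, mac in (("phone", PHONE), ("pc", PC)):
            result = classify(mac, None, VOICE_VLAN, PERMITTED, SAMPLE_OUIS, security)
            print(f"security_mode={security} untagged from {name}: {result}")
```
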
Configuration prerequisites
1. Create a VLAN
Before configuring a VLAN as a voice VLAN, create the VLAN first.
2. Configure QoS priority settings for voice traffic on an interface
Configure QoS priority settings for voice VLAN traffic on an interface before enabling voice VLAN
on the interface. If the configuration order is reversed, your priority configuration will fail. For more
information, see "Configuring QoS priority settings for voice traffic on an interface."
3. Configure the voice VLAN assignment mode.
For more information, see "Configuring a port to operate in automatic voice VLAN assignment
mode" and "Configuring a port to operate in manual voice VLAN assignment mode."
Configuration guidelines
• When EB cards are operating in standard ACL mode, the ports on the EB cards do not support
voice VLAN. For more information about the standard ACL mode, see ACL and QoS Configuration
Guide.
• A port can belong to only one voice VLAN at a time.
• Voice VLAN cannot be enabled on member ports of an aggregation group. For more information
about link aggregation member ports, see "Configuring Ethernet link aggregation."
In voice VLAN applications, you can improve the quality of voice traffic by configuring the appropriate
QoS priority settings, including the Class of Service (CoS) and Differentiated Services Code Point (DSCP)
values, for voice traffic. Voice traffic carries its own QoS priority settings. You can configure the switch
either to modify or not to modify the QoS priority settings carried by incoming voice traffic.
To configure QoS priority settings for voice traffic:
Step 2. Enter interface view.
  Command: interface interface-type interface-number
  Remarks: N/A

Step 3. Configure QoS priority settings for voice traffic.
  Command:
  • Configure the interface to trust the QoS priority settings in incoming voice traffic, that is, not to modify the CoS and DSCP values marked for incoming traffic of the voice VLAN:
    voice vlan qos trust
  • Configure the interface to modify the CoS and DSCP values marked for incoming traffic of the voice VLAN into specified values:
    voice vlan qos cos-value dscp-value
  Remarks: Use either command. By default, an interface modifies the CoS value and the DSCP value marked for voice VLAN traffic into 6 and 46. The voice vlan qos command and the voice vlan qos trust command can overwrite each other, whichever is configured last.
Configuration procedure
To set a port to operate in automatic voice VLAN assignment mode:
Step 2. Set the voice VLAN aging time.
  Command: voice vlan aging minutes
  Remarks: Optional. The default setting is 1440 minutes. The voice VLAN aging time configuration is only applicable on ports in automatic voice VLAN assignment mode.

Step 3. Enable the voice VLAN security mode.
  Command: voice vlan security enable
  Remarks: Optional. By default, the voice VLAN security mode is enabled.

Step 4. Add a recognizable OUI address.
  Command: voice vlan mac-address oui mask oui-mask [ description text ]
  Remarks: Optional. By default, each voice VLAN has default OUI addresses configured. For the default OUI addresses of different vendors, see Table 1.

Step 5. Enter Ethernet interface view.
  Command: interface interface-type interface-number
  Remarks: N/A

Step 6. Configure the port to operate in automatic voice VLAN assignment mode.
  Command: voice vlan mode auto
  Remarks: Optional. By default, automatic voice VLAN assignment mode is enabled. The voice VLAN assignment modes on different ports are independent of one another.

Step 7. Enable voice VLAN on the port.
  Command: voice vlan vlan-id enable
  Remarks: By default, voice VLAN is disabled.
Configuration procedure
To configure a port to operate in manual voice VLAN assignment mode:
Step 1. Enter system view.
  Command: system-view
  Remarks: N/A

Step 2. Enable the voice VLAN security mode.
  Command: voice vlan security enable
  Remarks: Optional. By default, the voice VLAN security mode is enabled.

Step 3. Add a recognizable OUI address.
  Command: voice vlan mac-address oui mask oui-mask [ description text ]
  Remarks: Optional. By default, each voice VLAN has default OUI addresses configured. For the default OUI addresses of different vendors, see Table 1.

Step 4. Enter interface view.
  Command: interface interface-type interface-number
  Remarks: N/A

Step 7. Configure the voice VLAN as the PVID of the trunk or hybrid port.
  Command: For the configuration procedure, see "Configuring VLANs."
  Remarks: Optional. This operation is required for untagged inbound voice traffic and prohibited for tagged inbound voice traffic.

Step 8. Enable voice VLAN on the port.
  Command: voice vlan vlan-id enable
  Remarks: N/A

Task: Display the OUI addresses currently supported by system.
  Command: display voice vlan oui [ | { begin | exclude | include } regular-expression ]
  Remarks: Available in any view.

Switch A uses voice VLAN 2 to transmit voice packets for IP phone A and voice VLAN 3 to transmit voice
packets for IP phone B.
Configure GigabitEthernet 3/0/1 and GigabitEthernet 3/0/2 to operate in automatic voice VLAN
assignment mode. In addition, if one of them has not received any voice packet in 30 minutes, the port
is removed from the corresponding voice VLAN automatically.
Figure 13 Network diagram
Configuration procedure
# Create VLAN 2 and VLAN 3.
<SwitchA> system-view
[SwitchA] vlan 2 to 3
Please wait... Done.
# Since GigabitEthernet 3/0/1 might receive both voice traffic and data traffic at the same time, to
ensure the quality of voice packets and effective bandwidth use, configure voice VLANs to operate in
security mode, that is, configure the voice VLANs to transmit only voice packets. (Optional. By default,
voice VLANs operate in security mode.)
[SwitchA] voice vlan security enable
# Configure GigabitEthernet 3/0/1 to operate in automatic voice VLAN assignment mode. (Optional.
By default, a port operates in automatic voice VLAN assignment mode.)
[SwitchA-GigabitEthernet3/0/1] voice vlan mode auto
# Configure VLAN 2 as the voice VLAN for GigabitEthernet 3/0/1.
[SwitchA-GigabitEthernet3/0/1] voice vlan 2 enable
[SwitchA-GigabitEthernet3/0/1] quit
Figure 14 Network diagram
Configuration procedure
# Configure the voice VLAN to operate in security mode. (Optional. A voice VLAN operates in security
mode by default.)
<SwitchA> system-view
[SwitchA] voice vlan security enable
# Create VLAN 2.
[SwitchA] vlan 2
[SwitchA-vlan2] quit
# Configure the voice VLAN (VLAN 2) as the PVID of GigabitEthernet 3/0/1 and configure
GigabitEthernet 3/0/1 to permit the voice traffic of VLAN 2 to pass through untagged.
[SwitchA-GigabitEthernet3/0/1] port hybrid pvid vlan 2
[SwitchA-GigabitEthernet3/0/1] port hybrid vlan 2 untagged
# Display the current voice VLAN state.
<SwitchA> display voice vlan state
Maximum of Voice VLANs: 128
Current Voice VLANs: 1
Voice VLAN security mode: Security
Voice VLAN aging time: 1440 minutes
Voice VLAN enabled port and its mode:
PORT VLAN MODE
-----------------------------------------------
GigabitEthernet3/0/1 2 MANUAL
Configuring the MAC address table
NOTE:
• At present, MAC address table configuration applies to Layer 2 Ethernet ports and Layer 2 aggregate
interfaces only.
• This document covers only the configuration of static, dynamic, blackhole, and multiport unicast MAC
address table entries. For the configuration of static multicast MAC address table entries, see IP Multicast
Configuration Guide.
Overview
A MAC address table is maintained for frame forwarding. Each entry in this table indicates the following
information:
• The MAC address of a connected network device.
• The interface to which the device is connected.
• The VLAN to which the interface belongs.
When forwarding a frame, the switch first looks up the MAC address table by the destination MAC
address of the frame for the outgoing port. If the outgoing port is found, the frame is forwarded rather
than broadcast, so broadcasts are reduced.
Manually configure MAC address table entries
With dynamic MAC address learning, a switch does not distinguish illegitimate frames from legitimate
frames. This causes security hazards. For example, if a hacker sends frames with a forged source MAC
address to a port different from the one where the real MAC address is connected, the switch will create
an entry for the forged MAC address, and will forward frames destined for the legal user to the hacker
instead.
To enhance the security of a port, you can manually add MAC address entries in the MAC address table
of the switch to bind specific user switches to the port. Because manually configured entries have higher
priority than the dynamically learned ones, this prevents hackers from stealing data using forged MAC
addresses.
NOTE:
A static, blackhole, or multiport unicast MAC address entry can overwrite a dynamic MAC address entry,
but not vice versa.
Configuring static, dynamic, and blackhole MAC address table entries
Usually, a switch can populate its MAC address table automatically by learning the source MAC
addresses of incoming frames.
To improve port security, you can manually add MAC address entries to the MAC address table to bind
ports with MAC addresses, fending off MAC address spoofing attacks.
In addition, you can configure blackhole MAC address entries to filter out packets with certain source or
destination MAC addresses.
To add or modify a static, dynamic, or blackhole MAC address table entry in system view:
To add or modify a static or dynamic MAC address table entry in interface view:
Step 2. Configure a multiport unicast MAC address table entry.
  Command: mac-address multiport mac-address interface interface-list vlan vlan-id
  Remarks: No multiport unicast MAC address table entries exist by default. Make sure that you have created the VLAN and assigned the interfaces to the VLAN.
NOTE:
• On a switch operating in IRF mode, do not specify the same MAC address for both a multiport unicast
MAC address table entry and a static neighbor table entry. Otherwise, a conflict will occur. For more
information about static neighbor entries, see Layer 3—IP Services Configuration Guide.
• To associate a unicast MAC address to an Ethernet interface that belongs to an aggregation group,
configure the multiport unicast MAC address table entry in Layer 2 aggregate interface view, instead of
Layer 2 Ethernet interface view.
The MAC address aging timer takes effect globally on dynamic MAC address entries (learned or
administratively configured) only.
In a stable network, after a long period with no traffic activity, all dynamic entries in the MAC address
table maintained by the switch are deleted. The switch then broadcasts a large number of data packets,
which unintended recipients can listen to, resulting in security hazards. To avoid this, you can configure
mac-address timer no-aging for dynamic MAC address entries, so that dynamic MAC address entries
are not aged out. This reduces broadcasts and improves the stability and security of the network.
Configuration procedure
To configure the aging timer for dynamic MAC address entries:
Step 2. Configure the aging timer for dynamic MAC address entries.
  Command: mac-address timer { aging seconds | no-aging }
  Remarks: Optional. The value range of the aging timer is 10 to 3600 seconds and the default value is 300 seconds.
Configuring the MAC learning limit on a VLAN
You may also limit the number of MAC addresses that can be learned on a per-VLAN basis.
To configure the MAC learning limit on a VLAN:
Step 2. Enable MAC address migration log notifying.
  Command: mac-flapping notification enable
  Remarks: By default, MAC address migration log notifying is disabled.
The MAC address migration logs of the last 1 minute are displayed once every 1 minute.
You can use the display mac-flapping information command to view the MAC address migration
records after a device starts up.
Task: Display MAC address table information.
  Command: display mac-address [ mac-address [ vlan vlan-id ] | [ [ dynamic | static ] [ interface interface-type interface-number ] | blackhole ] [ vlan vlan-id ] [ count ] ] [ | { begin | exclude | include } regular-expression ]
  Remarks: Available in any view.

Task: Display the aging timer for dynamic MAC address entries.
  Command: display mac-address aging-time [ | { begin | exclude | include } regular-expression ]
  Remarks: Available in any view.

Task: Display the MAC address migration record (in IRF mode).
  Command: display mac-flapping information [ chassis chassis-number [ slot slot-number ] ]
  Remarks: Available in any view.
Network requirements
As shown in Figure 15:
• The MAC address of Host A is 000f-e235-dc71 and belongs to VLAN 1. It is connected to
GigabitEthernet 3/0/1 of the switch. To prevent MAC address spoofing, add a static entry for the
host in the MAC address table of the switch.
• The MAC address of Host B is 000f-e235-abcd and belongs to VLAN 1. For security, because this
host once behaved suspiciously on the network, add a destination blackhole MAC address entry for
the host MAC address, so all packets destined for the host will be dropped.
• Set the aging timer for dynamic MAC address entries to 500 seconds.
Figure 15 Network diagram
Configuration procedure
# Add a static MAC address entry.
<Sysname> system-view
[Sysname] mac-address static 000f-e235-dc71 interface Gigabitethernet 3/0/1 vlan 1
# Set the aging timer for dynamic MAC address entries to 500 seconds.
[Sysname] mac-address timer aging 500
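The table rules from "Manually configure MAC address table entries" and the aging behavior described for the MAC address aging timer, run against the hosts in this example as an added Python model; it is not the switch's implementation. The second port (GigabitEthernet3/0/2), the third host address, and the status strings are assumptions made for the illustration, and what the switch does with the frame itself on a mismatch is not modelled.

```python
"""Added example: a small model of the MAC address table rules in this chapter."""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

STATIC, DYNAMIC, BLACKHOLE = "static", "dynamic", "blackhole"


@dataclass
class Entry:
    kind: str
    port: Optional[str]      # None for blackhole entries
    last_seen: float = 0.0   # only meaningful for dynamic entries


class MacTable:
    def __init__(self, aging: Optional[float] = 300.0):
        # aging=None models "mac-address timer no-aging"; 300 s is the stated default.
        self.aging = aging
        self.entries: Dict[Tuple[int, str], Entry] = {}

    def configure(self, kind: str, mac: str, vlan: int, port: Optional[str] = None) -> None:
        """Manual configuration: overwrites whatever entry exists, dynamic included."""
        self.entries[(vlan, mac.lower())] = Entry(kind, port)

    def _expire(self, now: float) -> None:
        """Age out dynamic entries only; manual entries never expire."""
        if self.aging is None:
            return
        stale = [key for key, e in self.entries.items()
                 if e.kind == DYNAMIC and now - e.last_seen >= self.aging]
        for key in stale:
            del self.entries[key]

    def learn(self, src: str, vlan: int, port: str, now: float) -> str:
        """Source learning for one received frame; returns what happened to the table."""
        self._expire(now)
        key = (vlan, src.lower())
        cur = self.entries.get(key)
        if cur is None:
            self.entries[key] = Entry(DYNAMIC, port, now)
            return "learned"
        if cur.kind == BLACKHOLE:
            return "blackhole"
        if cur.kind == STATIC:
            # A dynamic entry cannot overwrite a static one, so the binding stays.
            return "static-ok" if cur.port == port else "static-mismatch"
        status = "refreshed" if cur.port == port else "migrated"
        cur.port, cur.last_seen = port, now
        return status

    def lookup(self, dst: str, vlan: int, now: float) -> str:
        """Destination lookup: an outgoing port, 'drop' (blackhole) or 'flood' (no entry)."""
        self._expire(now)
        entry = self.entries.get((vlan, dst.lower()))
        if entry is None:
            return "flood"
        return "drop" if entry.kind == BLACKHOLE else str(entry.port)


HOST_A = "000f-e235-dc71"        # from the example above
HOST_B = "000f-e235-abcd"        # from the example above
HOST_C = "0000-5e00-5301"        # constructed sample address
PORT_A = "GigabitEthernet3/0/1"  # from the example above
PORT_X = "GigabitEthernet3/0/2"  # constructed second port


def run_scenario(static_binding: bool) -> Dict[str, str]:
    """Replay the same frames with and without the static entry for Host A."""
    table = MacTable(aging=500)
    if static_binding:
        table.configure(STATIC, HOST_A, 1, PORT_A)
    else:
        table.learn(HOST_A, 1, PORT_A, now=0)
    table.configure(BLACKHOLE, HOST_B, 1)
    results = {}
    # A frame carrying Host A's address as its source arrives on another port.
    results["second_port_learn"] = table.learn(HOST_A, 1, PORT_X, now=10)
    results["to_host_a"] = table.lookup(HOST_A, 1, now=11)
    results["to_host_b"] = table.lookup(HOST_B, 1, now=11)
    table.learn(HOST_C, 1, PORT_X, now=20)
    results["to_host_c_fresh"] = table.lookup(HOST_C, 1, now=100)
    results["to_host_c_aged"] = table.lookup(HOST_C, 1, now=520)   # 500 s after learning
    results["to_host_a_late"] = table.lookup(HOST_A, 1, now=10_000)
    return results


if __name__ == "__main__":
    for binding in (True, False):
        print("static entry configured:", binding)
        for name, value in run_scenario(binding).items():
            print(f"  {name}: {value}")
```

A "static-mismatch" or "migrated" result is the kind of event that MAC address migration log notifying records on the switch.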
Configuring spanning tree protocols
As a Layer 2 management protocol, the Spanning Tree Protocol (STP) eliminates Layer 2 loops by
selectively blocking redundant links in a network, and also allows for link redundancy.
Recent versions of STP include the Rapid Spanning Tree Protocol (RSTP), the Multiple Spanning Tree
Protocol (MSTP), and the Per VLAN Spanning Tree Protocol (PVST).
STP
STP was developed based on the 802.1d standard of IEEE to eliminate loops at the data link layer in a
local area network (LAN). Networks often have redundant links as backups in case of failures, but loops
are a very serious problem. Devices running STP detect loops in the network by exchanging information
with one another, and eliminate loops by selectively blocking certain ports to prune the loop structure
into a loop-free tree structure. This avoids proliferation and infinite cycling of packets that would occur in
a loop network and prevents decreased device performance caused by receiving duplicate packets.
In the narrow sense, STP refers to IEEE 802.1d STP. In the broad sense, STP refers to the IEEE 802.1d STP
and various enhanced spanning tree protocols derived from that protocol.
Basic concepts in STP
Root bridge
A tree network must have a root bridge.
There is only one root bridge in the entire network. The root bridge is not permanent, but can change with
changes of the network topology.
Upon initialization of a network, each device generates and periodically sends out configuration BPDUs
with itself as the root bridge. After network convergence, only the root bridge generates and periodically
sends out configuration BPDUs. The other devices only forward the BPDUs.
Root port
On a non-root bridge, the port nearest to the root bridge is the root port. The root port communicates with
the root bridge. Each non-root bridge has only one root port. The root bridge has no root port.
As shown in Figure 16, Device B and Device C are directly connected to a LAN. If Device A forwards
BPDUs to Device B through port A1, the designated bridge for Device B is Device A, and the designated
port of Device B is port A1 on Device A. If Device B forwards BPDUs to the LAN, the designated bridge
for the LAN is Device B, and the designated port for the LAN is port B2 on Device B.
Figure 16 Designated bridges and designated ports
Path cost
Path cost is a reference value used for link selection in STP. STP calculates path costs to select the most
robust links and blocks redundant links that are less robust, to prune the network into a loop-free tree.
Calculation process of the STP algorithm
The STP algorithm uses the following calculation process:
1. Initial state
Upon initialization of a device, each port generates a BPDU with itself as the designated port, the
device as the root bridge, 0 as the root path cost, and the device ID as the designated bridge ID.
2. Root bridge selection
Initially, each STP-enabled device on the network assumes itself to be the root bridge, with its own
device ID as the root bridge ID. By exchanging configuration BPDUs, the devices compare their
root bridge IDs to elect the device with the smallest root bridge ID as the root bridge.
3. Non-root bridge: selection of root port and designated ports
Table 6 describes the process of selecting the root port and designated ports.
Table 6 Selection of the root port and designated ports
Step Description
Step 1: A non-root-bridge device regards the port on which it received the optimum configuration
BPDU as the root port. Table 7 describes how the optimum configuration BPDU is selected.
Step 2: Based on the configuration BPDU and the path cost of the root port, the device calculates a
designated port configuration BPDU for each of its other ports.
• The root bridge ID is replaced with that of the configuration BPDU of the root port.
• The root path cost is replaced with that of the configuration BPDU of the root port plus the path
cost of the root port.
• The designated bridge ID is replaced with the ID of this device.
• The designated port ID is replaced with the ID of this port.
Step 3: The device compares the calculated configuration BPDU with the configuration BPDU on the
port whose port role is to be determined:
• If the calculated configuration BPDU is superior, the device considers this port as the
designated port, replaces the configuration BPDU on the port with the calculated configuration
BPDU, and periodically sends out the calculated configuration BPDU.
• If the configuration BPDU on the port is superior, the device blocks this port without updating its
configuration BPDU. The blocked port can receive BPDUs, but cannot send BPDUs or forward
data traffic.
NOTE:
When the network topology is stable, only the root port and designated ports forward user traffic, while
other ports are all in the blocked state to receive BPDUs but not forward BPDUs or user traffic.
Step Actions
Step 1: Upon receiving a configuration BPDU on a port, the device compares the priority of the
received configuration BPDU with that of the configuration BPDU generated by the port, and:
• If the former priority is lower, the device discards the received configuration BPDU and keeps
the configuration BPDU the port generated.
• If the former priority is higher, the device replaces the content of the configuration BPDU
generated by the port with the content of the received configuration BPDU.
Step 2: The device compares the configuration BPDUs of all the ports and chooses the optimum
configuration BPDU.
As shown in Figure 17, the priority values of Device A, Device B, and Device C are 0, 1, and 2, and the
path costs of links among the three devices are 5, 10, and 4.
4. Initial state of each device
Table 8 Initial state of each device
NOTE:
In Table 8, each configuration BPDU contains the following fields: root bridge ID, root path cost,
designated bridge ID, and designated port ID.
Columns: Device, Comparison process, Configuration BPDU on ports after comparison

Device A
Comparison process:
• Port A1 receives the configuration BPDU of Port B1 {1, 0, 1, Port B1}, finds that its existing
configuration BPDU {0, 0, 0, Port A1} is superior to the received configuration BPDU, and discards
the received one.
• Port A2 receives the configuration BPDU of Port C1 {2, 0, 2, Port C1}, finds that its existing
configuration BPDU {0, 0, 0, Port A2} is superior to the received configuration BPDU, and discards
the received one.
• Device A finds that it is both the root bridge and designated bridge in the configuration BPDUs
of all its ports, and considers itself as the root bridge. It does not change the configuration
BPDU of any port and starts to periodically send out configuration BPDUs.
Configuration BPDU on ports after comparison:
• Port A1: {0, 0, 0, Port A1}
• Port A2: {0, 0, 0, Port A2}

Device B
Comparison process:
• Port B1 receives the configuration BPDU of Port A1 {0, 0, 0, Port A1}, finds that the received
configuration BPDU is superior to its existing configuration BPDU {1, 0, 1, Port B1}, and updates
its configuration BPDU.
• Port B2 receives the configuration BPDU of Port C2 {2, 0, 2, Port C2}, finds that its existing
configuration BPDU {1, 0, 1, Port B2} is superior to the received configuration BPDU, and discards
the received one.
Configuration BPDU on ports after comparison:
• Port B1: {0, 0, 0, Port A1}
• Port B2: {1, 0, 1, Port B2}
Comparison process:
• Device B compares the configuration BPDUs of all its ports, decides that the configuration BPDU
of Port B1 is the optimum, and selects Port B1 as the root port with the configuration BPDU
unchanged.
• Based on the configuration BPDU and path cost of the root port, Device B calculates a designated
port configuration BPDU for Port B2 {0, 5, 1, Port B2}, and compares it with the existing
configuration BPDU of Port B2 {1, 0, 1, Port B2}. Device B finds that the calculated one is
superior, decides that Port B2 is the designated port, replaces the configuration BPDU on Port B2
with the calculated one, and periodically sends out the calculated configuration BPDU.
Configuration BPDU on ports after comparison:
• Root port (Port B1): {0, 0, 0, Port A1}
• Designated port (Port B2): {0, 5, 1, Port B2}

Device C
Comparison process:
• Port C1 receives the configuration BPDU of Port A2 {0, 0, 0, Port A2}, finds that the received
configuration BPDU is superior to its existing configuration BPDU {2, 0, 2, Port C1}, and updates
its configuration BPDU.
• Port C2 receives the original configuration BPDU of Port B2 {1, 0, 1, Port B2}, finds that the
received configuration BPDU is superior to the existing configuration BPDU {2, 0, 2, Port C2},
and updates its configuration BPDU.
Configuration BPDU on ports after comparison:
• Port C1: {0, 0, 0, Port A2}
• Port C2: {1, 0, 1, Port B2}
Comparison process:
• Device C compares the configuration BPDUs of all its ports, decides that the configuration BPDU
of Port C1 is the optimum, and selects Port C1 as the root port with the configuration BPDU
unchanged.
• Based on the configuration BPDU and path cost of the root port, Device C calculates the
configuration BPDU of Port C2 {0, 10, 2, Port C2}, and compares it with the existing configuration
BPDU of Port C2 {1, 0, 1, Port B2}. Device C finds that the calculated configuration BPDU is
superior to the existing one, selects Port C2 as the designated port, and replaces the
configuration BPDU of Port C2 with the calculated one.
Configuration BPDU on ports after comparison:
• Root port (Port C1): {0, 0, 0, Port A2}
• Designated port (Port C2): {0, 10, 2, Port C2}
Comparison process:
• Port C2 receives the updated configuration BPDU of Port B2 {0, 5, 1, Port B2}, finds that the
received configuration BPDU is superior to its existing configuration BPDU {0, 10, 2, Port C2},
and updates its configuration BPDU.
• Port C1 receives a periodic configuration BPDU {0, 0, 0, Port A2} from Port A2, finds that it is
the same as the existing configuration BPDU, and discards the received one.
Configuration BPDU on ports after comparison:
• Port C1: {0, 0, 0, Port A2}
• Port C2: {0, 5, 1, Port B2}
Comparison process:
• Device C finds that the root path cost of Port C1 (10) (root path cost of the received
configuration BPDU (0) plus path cost of Port C1 (10)) is larger than that of Port C2 (9) (root
path cost of the received configuration BPDU (5) plus path cost of Port C2 (4)), decides that the
configuration BPDU of Port C2 is the optimum, and selects Port C2 as the root port with the
configuration BPDU unchanged.
• Based on the configuration BPDU and path cost of the root port, Device C calculates a designated
port configuration BPDU for Port C1 {0, 9, 2, Port C1} and compares it with the existing
configuration BPDU of Port C1 {0, 0, 0, Port A2}. Device C finds that the existing configuration
BPDU is superior to the calculated one and blocks Port C1 with the configuration BPDU unchanged.
Then Port C1 does not forward data until a spanning tree calculation process is triggered by a new
event, for example, the link between Device B and Device C is down.
Configuration BPDU on ports after comparison:
• Blocked port (Port C1): {0, 0, 0, Port A2}
• Root port (Port C2): {0, 5, 1, Port B2}
NOTE:
In Table 9, each configuration BPDU contains the following fields: root bridge ID, root path cost,
designated bridge ID, and designated port ID.
After the comparison processes described in Table 9, a spanning tree with Device A as the root bridge
is established, and the topology is shown in Figure 18.
Figure 18 The final calculated spanning tree
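The calculation traced above for Device A, Device B, and Device C, as an added example that is not part of the HP guide: a small Python simulation of the BPDU exchange. It assumes the standard IEEE 802.1D comparison order (root bridge ID, root path cost, designated bridge ID, designated port ID; the lower value is superior), uses the device priorities 0, 1, and 2 as bridge IDs as the worked example does, and ignores timers and BPDU aging; the names BPDU, converge, BRIDGES, and LINKS are illustrative.

```python
from dataclasses import dataclass


@dataclass(frozen=True, order=True)
class BPDU:
    """Configuration BPDU {root bridge ID, root path cost, designated bridge ID,
    designated port ID}. Fields compare in this order; the lower tuple is superior."""
    root_id: int
    root_path_cost: int
    bridge_id: int
    port_id: str


# Constructed from the worked example: priorities 0/1/2 stand in for bridge IDs,
# and the link costs are A-B = 5, A-C = 10, B-C = 4.
BRIDGES = {"A": 0, "B": 1, "C": 2}
LINKS = [("A1", "B1", 5), ("A2", "C1", 10), ("B2", "C2", 4)]


def converge(bridges, links, max_rounds=16):
    """Run synchronous BPDU exchange rounds until nothing changes.
    Returns (role per port, configuration BPDU held on each port)."""
    peer, cost = {}, {}
    for p, q, c in links:
        peer[p], peer[q] = q, p
        cost[p] = cost[q] = c
    # Port names start with the letter of the owning device ("B2" belongs to B).
    ports_of = {name: sorted(p for p in peer if p[0] == name) for name in bridges}

    # Initial state: every port claims its own device as root with cost 0.
    held = {p: BPDU(bridges[p[0]], 0, bridges[p[0]], p) for p in peer}
    role = {p: "designated" for p in peer}

    for _ in range(max_rounds):
        before = (dict(held), dict(role))

        # Only designated ports transmit. The receiving port keeps a received
        # BPDU only if it is superior to the one it already holds.
        for sender, bpdu in [(p, held[p]) for p in peer if role[p] == "designated"]:
            receiver = peer[sender]
            if bpdu < held[receiver]:
                held[receiver] = bpdu

        for name, my_id in bridges.items():
            # Ports holding a BPDU that originated on another bridge.
            heard = [p for p in ports_of[name] if held[p].bridge_id != my_id]
            if heard:
                # Root port: best BPDU after adding the receiving port's path cost.
                root_port = min(heard, key=lambda p: (
                    held[p].root_id, held[p].root_path_cost + cost[p],
                    held[p].bridge_id, held[p].port_id, p))
                root_id = held[root_port].root_id
                root_cost = held[root_port].root_path_cost + cost[root_port]
            else:
                root_port, root_id, root_cost = None, my_id, 0  # this bridge is root

            for p in ports_of[name]:
                if p == root_port:
                    role[p] = "root"
                    continue
                calculated = BPDU(root_id, root_cost, my_id, p)
                if held[p].bridge_id == my_id or calculated < held[p]:
                    role[p], held[p] = "designated", calculated
                else:
                    role[p] = "blocked"  # keeps the superior BPDU it received

        if (held, role) == before:
            break
    return role, held


if __name__ == "__main__":
    roles, bpdus = converge(BRIDGES, LINKS)
    for port in sorted(roles):
        print(port, roles[port], bpdus[port])
```

Calling converge(BRIDGES, LINKS[:2]) models the link between Device B and Device C going down, the event the text names as a trigger for recalculation: Port C1 then becomes the root port of Device C.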
STP timers
STP calculation involves the following timers: forward delay, hello time, and max age.
• Forward delay
Forward delay is the delay time for state transition.
A path failure can cause spanning tree re-calculation to adapt the spanning tree structure to the
change. However, the resulting new configuration BPDU cannot propagate throughout the
network immediately. If the newly elected root ports and designated ports start to forward data
right away, a temporary loop is likely to occur.
For this reason, as a mechanism for state transition in STP, the newly elected root ports or
designated ports require twice the forward delay time before transitioning to the forwarding state
to make sure the new configuration BPDU has propagated throughout the network.
• Hello time
The device sends hello packets at the hello time interval to the neighboring devices to make sure
the paths are fault-free.
• Max age
The device uses the max age to determine whether a stored configuration BPDU has expired and
discards it if the max age is exceeded.
RSTP
RSTP achieves rapid network convergence by allowing a newly elected root port or designated port to
enter the forwarding state much faster than STP.
A newly elected RSTP root port rapidly enters the forwarding state if the old root port on the device has
stopped forwarding data and the upstream designated port has started forwarding data.
A newly elected RSTP designated port rapidly enters the forwarding state if it is an edge port (which
directly connects to a user terminal rather than to another network device or a shared LAN segment) or
it connects to a point-to-point link (to another device). Edge ports directly enter the forwarding state.
Connecting to a point-to-point link, a designated port enters the forwarding state immediately after the
device receives a handshake response from the directly connected device.
PVST
PVST was introduced to improve link bandwidth usage in network environments where multiple virtual
LANs (VLANs) exist. Unlike STP and RSTP whose bridges in a LAN must forward their VLAN packets in
the same spanning tree, PVST allows each VLAN to build a separate spanning tree.
PVST uses the following BPDUs:
• STP BPDUs—Sent by access ports according to the VLAN status, or by trunk ports and hybrid ports
according to the status of VLAN 1.
• PVST BPDUs—Sent by trunk ports and hybrid ports according to the status of permitted VLANs
except VLAN 1.
MSTP
STP, RSTP, and PVST limitations
STP does not support rapid state transition of ports. A newly elected port must wait twice the forward
delay time before transitioning to the forwarding state, even if it connects to a point-to-point link
or is an edge port.
Although RSTP supports rapid network convergence, it has the same drawback as STP—All bridges
within a LAN share the same spanning tree, and the packets of all VLANs are forwarded along the same
spanning tree, so redundant links cannot be blocked based on VLAN and load sharing among VLANs
cannot be implemented.
The number of PVST BPDUs generated grows with that of permitted VLANs on trunk ports. When the
status of a trunk port transitions, network devices might be overloaded to re-calculate a large number of
spanning trees.
MSTP features
Developed based on IEEE 802.1s, MSTP overcomes the limitations of STP, RSTP, and PVST. In addition to
supporting rapid network convergence, it also provides a better load sharing mechanism for redundant
links by allowing data flows of different VLANs to be forwarded along separate paths. For more
information about VLANs, see "Configuring VLANs."
MSTP includes the following features:
• MSTP divides a switched network into multiple regions, each containing multiple spanning trees
that are independent of one another.
• MSTP supports mapping VLANs to spanning tree instances by means of a VLAN-to-instance
mapping table. MSTP can reduce communication overheads and resource usage by mapping
multiple VLANs to one instance.
• MSTP prunes a loop network into a loop-free tree, avoiding proliferation and endless cycling of
packets in a loop network. In addition, it provides multiple redundant paths for data forwarding,
supporting load balancing of VLAN data.
• MSTP is compatible with STP and RSTP, but is incompatible with PVST.
Figure 20 Network diagram and topology of MST region 3
MST region
A multiple spanning tree region (MST region) consists of multiple devices in a switched network and the
network segments among them. All these devices have the following characteristics:
• A spanning tree protocol enabled
• Same region name
• Same VLAN-to-instance mapping configuration
• Same MSTP revision level
• Physically linked together
Multiple MST regions can exist in a switched network. You can assign multiple devices to the same MST
region. In Figure 19, the switched network comprises four MST regions, MST region 1 through MST region
4, and all devices in each MST region have the same MST region configuration.
MSTI
MSTP can generate multiple spanning trees in an MST region, and each spanning tree is independent of
another and maps to specific VLANs. Each spanning tree is referred to as a multiple spanning tree
instance (MSTI).
In Figure 20, MST region 3 comprises three MSTIs, MSTI 1, MSTI 2, and MSTI 0.
CST
The common spanning tree (CST) is a single spanning tree that connects all MST regions in a switched
network. If you regard each MST region as a device, the CST is a spanning tree calculated by these
devices through STP or RSTP.
The blue lines in Figure 19 represent the CST.
IST
An internal spanning tree (IST) is a spanning tree that runs in an MST region. It is also called MSTI 0, a
special MSTI to which all VLANs are mapped by default.
In Figure 19, MSTI 0 is the IST in MST region 3.
CIST
The common and internal spanning tree (CIST) is a single spanning tree that connects all devices in a
switched network. It consists of the ISTs in all MST regions and the CST.
In Figure 19, the ISTs (MSTI 0) in all MST regions plus the inter-region CST constitute the CIST of the entire
network.
Regional root
The root bridge of the IST or an MSTI within an MST region is the regional root of the IST or MSTI. Based
on the topology, different spanning trees in an MST region may have different regional roots.
For example, in MST region 3 in Figure 20, the regional root of MSTI 1 is Device B, the regional root of
MSTI 2 is Device C, and the regional root of MSTI 0 (also known as the IST) is Device A.
Port roles
A port can play different roles in different MSTIs. As shown in Figure 21, an MST region comprises Device
A, Device B, Device C, and Device D. Port A1 and port A2 of Device A connect to the common root
bridge. Port B2 and Port B3 of Device B form a loop. Port C3 and Port C4 of Device C connect to other
MST regions. Port D3 of Device D directly connects to a host.
Figure 21 Port roles
MSTP calculation involves these port roles:
• Root port—Forwards data for a non-root bridge to the root bridge. The root bridge does not have
any root port.
• Designated port—Forwards data to the downstream network segment or device.
• Alternate port—The backup port for a root port or master port. When the root port or master port
is blocked, the alternate port takes over.
• Backup port—The backup port of a designated port. When the designated port is invalid, the
backup port becomes the new designated port. A loop occurs when two ports of the same
spanning tree device are interconnected, so the device blocks one of the ports. The blocked port
acts as the backup.
• Edge port—An edge port does not connect to any network device or network segment, but directly
connects to a user host.
• Master port—A port on the shortest path from the local MST region to the common root bridge. The
master port is not always located on the regional root. It is a root port on the IST or CIST and still a
master port on the other MSTIs.
• Boundary port—Connects an MST region to another MST region or to an STP/RSTP-running device.
In MSTP calculation, a boundary port’s role on an MSTI is consistent with its role on the CIST. But
that is not true with master ports. A master port on MSTIs is a root port on the CIST.
Port states
In MSTP, a port may be in one of the following states:
• Forwarding—The port receives and sends BPDUs, learns MAC addresses, and forwards user
traffic.
• Learning—The port receives and sends BPDUs, and learns MAC addresses, but does not forward
user traffic. Learning is an intermediate port state.
• Discarding—The port receives and sends BPDUs, but does not learn MAC addresses or forward
user traffic.
When in different MSTIs, a port can be in different states. A port state is not exclusively associated with
a port role. Table 10 lists the port states supported by each port role ("√" indicates that the port supports
the state, and "—" indicates that the port does not support the state).
Table 10 Port states supported by different port roles
Learning √ √ — —
Discarding √ √ √ √
Similar to STP, MSTP uses configuration BPDUs to calculate spanning trees. However, an important
difference is that an MSTP BPDU carries the MSTP configuration of the device from which the BPDU is
sent.
CIST calculation
The calculation of a CIST tree is also the process of configuration BPDU comparison. During this process,
the device with the highest priority is elected as the root bridge of the CIST. MSTP generates an IST within
each MST region through calculation, and, at the same time, MSTP regards each MST region as a single
device and generates a CST among these MST regions through calculation. The CST and ISTs constitute
the CIST of the entire network.
MSTI calculation
Within an MST region, MSTP generates different MSTIs for different VLANs based on the
VLAN-to-instance mappings. For each spanning tree, MSTP performs a separate calculation process,
which is similar to spanning tree calculation in STP. For more information, see "Calculation process of the
STP algorithm."
In MSTP, a VLAN packet is forwarded along the following paths:
• Within an MST region, the packet is forwarded along the corresponding MSTI.
• Between two MST regions, the packet is forwarded along the CST.
• If GVRP and a spanning tree protocol are enabled on a device at the same time, GVRP packets are
forwarded along the CIST. To advertise a certain VLAN within the network through GVRP, make
sure this VLAN is mapped to the CIST when you configure the VLAN-to-instance mapping table. For
more information about GVRP, see "Configuring GVRP."
• The spanning tree configurations are mutually exclusive with any of the following functions on a port:
RRPP, Smart Link, and BPDU tunnel.
• The spanning tree configurations made in system view take effect globally. Configurations made in
Ethernet interface view take effect on the current interface only. Configurations made in port group
view take effect on all member ports in the port group. Configurations made in Layer 2 aggregate
interface view take effect only on the aggregate interface. Configurations made on an aggregation
member port can take effect only after the port is removed from the aggregation group.
• After you enable a spanning tree protocol on a Layer 2 aggregate interface, the system performs
spanning tree calculation on the Layer 2 aggregate interface but not on the aggregation member
ports. The spanning tree protocol enable state and forwarding state of each selected member port
is consistent with those of the corresponding Layer 2 aggregate interface.
• Though the member ports of an aggregation group do not participate in spanning tree calculation,
the ports retain their spanning tree configurations so that they can participate in spanning tree
calculation after leaving the aggregation group.
Task                                   Remarks
Setting the spanning tree mode         Required. Configure the switch to operate in STP mode.
Setting the spanning tree mode         Required. Configure the switch to operate in STP mode.
Configuring the leaf nodes
Configuring the switch priority        Optional.
Configuring path costs of ports        Optional.

Task                                   Remarks
Setting the spanning tree mode         Required. Configure the switch to operate in RSTP mode.
Setting the spanning tree mode         Required. Configure the switch to operate in RSTP mode.
Configuring the port link type         Optional.

Task                                   Remarks
Setting the spanning tree mode         Required. Configure the switch to operate in PVST mode.
Setting the spanning tree mode         Required. Configure the switch to operate in PVST mode.
Performing mCheck                      Optional.

Task                                   Remarks
Setting the spanning tree mode         Optional. By default, the switch operates in MSTP mode.
Setting the spanning tree mode         Optional. By default, the switch operates in MSTP mode.
Configuring the mode a port uses to recognize/send MSTP packets    Optional.
• The configuration of MST region–related parameters, especially the VLAN-to-instance mapping
table, will result in a new spanning tree calculation. To reduce the possibility of topology instability,
the MST region configuration takes effect only after you activate it by using the active
region-configuration command, or enable a spanning tree protocol by using the stp enable
command in the case that the spanning tree protocol is disabled.
• The switch in PVST mode supports more MSTIs than in MSTP mode. When you change the spanning
tree mode from PVST to MSTP, excess MSTIs (arranged in ascending order of their IDs) and their
configurations are silently deleted and cannot be recovered even if you change the spanning tree
mode back. To prevent loss of MSTIs, map all VLANs in the MST regions to the CIST in PVST mode.
Configuration procedure
To configure an MST region:
3. Configure the MST region name.
Command: region-name name
Remarks: Optional. The MST region name is the MAC address by default.
4. Configure the VLAN-to-instance mapping table.
Command:
• instance instance-id vlan vlan-list
• vlan-mapping modulo modulo
Remarks: Optional. Use either command. All VLANs in an MST region are mapped to the CIST (or
MSTI 0) by default.
A spanning tree can have one root bridge only. If two or more switches are selected as the root bridge
in a spanning tree at the same time, the switch with the lowest MAC address wins out.
When the root bridge of an instance fails or is shut down, the secondary root bridge (if you have
specified one) can take over the role of the primary root bridge. However, if you specify a new primary
root bridge for the instance then, the secondary root bridge will not become the root bridge. If you have
specified multiple secondary root bridges for an instance, when the root bridge fails, the secondary root
bridge with the lowest MAC address is selected as the new root bridge.
2. Configure the switch as the root bridge.
Command:
• In STP/RSTP mode:
stp root primary
• In PVST mode:
stp vlan vlan-list root primary
• In MSTP mode:
stp [ instance instance-id ] root primary
Remarks: Use any command. By default, a switch does not function as the root bridge.
NOTE:
• You can specify one root bridge for each spanning tree, regardless of the switch priority settings. Once
you specify a switch as the root bridge or a secondary root bridge, you cannot change its priority.
• You can configure the current switch as the root bridge by setting the switch priority to 0. For the switch
priority configuration, see "Configuring the switch priority."
IMPORTANT:
• After you configure the switch as the root bridge or a secondary root bridge, you cannot change the
priority of the switch.
• During root bridge selection, if all devices in a spanning tree have the same priority, the one with the
lowest MAC address will be selected as the root bridge of the spanning tree.
Priority is a factor in spanning tree calculation. The priority of a switch determines whether the switch can
be elected as the root bridge of a spanning tree. A lower value indicates a higher priority. You can set
the priority of a switch to a low value to specify the switch as the root bridge of the spanning tree. A
spanning tree switch can have different priorities in different MSTIs.
To configure the priority of a switch in a specified MSTI:
Configuring the network diameter of a switched network
Any two terminal devices in a switched network are interconnected through a specific path composed of
a series of devices. The network diameter is the number of devices on the path composed of the most
devices. The network diameter is a parameter that indicates the network size. A bigger network diameter
indicates a larger network size. Based on the network diameter you configured, the system automatically
sets an optimal hello time, forward delay, and max age for the switch.
To configure the network diameter of a switched network:
NOTE:
• In STP/RSTP/MSTP mode, each MST region is considered as a device and the configured network
diameter is effective only for the CIST (or the common root bridge), but not for MSTIs.
• In PVST mode, the network diameter configuration is effective on the root bridge only.
HP does not recommend manually setting the spanning tree timers. Instead, you can specify the
network diameter and let spanning tree protocols automatically calculate the timers based on the
network diameter. If the network diameter uses the default value, the timers also use their default values.
Configure the timers on the root bridge only, and the timer settings on the root bridge apply to all the
devices on the entire switched network.
Configuration procedure
To configure the spanning tree timers:
After the network topology is stabilized, each non-root-bridge device forwards configuration BPDUs to
the downstream devices at the interval of hello time to check whether any link is faulty. If a device does
not receive a BPDU from the upstream device within nine times the hello time, it assumes that the
upstream device has failed and starts a new spanning tree calculation process.
Sometimes a device may fail to receive a BPDU from the upstream device because the upstream device
is busy. If a spanning tree calculation occurs, the calculation can fail and also waste the network
resources. In a stable network, you can prevent undesired spanning tree calculations by setting the
timeout factor to 5, 6, or 7.
To configure the timeout factor:
2. Configure the timeout factor of the switch.
Command: stp timer-factor factor
Remarks: The default setting is 3.
Configuration guidelines
The higher the maximum port rate is, the more BPDUs will be sent within each hello time, and the more
system resources will be used. By setting an appropriate maximum port rate, you can limit the rate at
which the port sends BPDUs and prevent spanning tree protocols from using excessive network resources
when the network becomes unstable. HP recommends that you use the default setting.
Configuration procedure
To configure the maximum rate of a port or a group of ports:
you must manually configure the port to be an edge port. After that, this port can transition rapidly from
the blocked state to the forwarding state without delay.
Configuration procedure
To specify a port or a group of ports as edge port or ports:
You can specify a standard for the switch to use in automatic calculation for the default path cost. The
switch supports the following standards:
• dot1d-1998—The switch calculates the default path cost for ports based on IEEE 802.1d-1998.
• dot1t—The switch calculates the default path cost for ports based on IEEE 802.1t.
• legacy—The switch calculates the default path cost for ports based on a private standard.
To specify a standard for the switch to use when calculating the default path cost:
NOTE:
When calculating path cost for an aggregate interface, IEEE 802.1t takes into account the number of
Selected ports in its aggregation group, but IEEE 802.1d-1998 does not. The calculation formula of IEEE
802.1t is: Path Cost = 200,000,000/link speed (in 100 kbps), where link speed is the sum of the link
speed values of the Selected ports in the aggregation group.
Table 11 shows the mappings between the link speed and the path cost.
Table 11 Mappings between the link speed and the path cost
Columns: Link speed, Port type, Path cost (IEEE 802.1d-1998, IEEE 802.1t, Private standard)
Link speed 0, port type N/A: IEEE 802.1d-1998 65535; IEEE 802.1t 200,000,000; Private standard 200,000
Aggregate interface containing 2 Selected ports: IEEE 802.1t 1,000,000; Private standard 1,800
Aggregate interface containing 4 Selected ports: IEEE 802.1t 500,000; Private standard 1,400
Aggregate interface containing 2 Selected ports: IEEE 802.1t 100,000; Private standard 180
Aggregate interface containing 4 Selected ports: IEEE 802.1t 50,000; Private standard 140
Aggregate interface containing 2 Selected ports: IEEE 802.1t 10,000; Private standard 18
Aggregate interface containing 3 Selected ports: IEEE 802.1t 6666; Private standard 16
Aggregate interface containing 4 Selected ports: IEEE 802.1t 5000; Private standard 14
Aggregate interface containing 2 Selected ports: IEEE 802.1t 1000; Private standard 1
Aggregate interface containing 4 Selected ports: IEEE 802.1t 500; Private standard 1
NOTE:
When the path cost of a port changes, the system re-calculates the role of the port and initiates a state
transition.
Configuration example
# In MSTP mode, specify the switch to calculate the default path costs of its ports by using IEEE
802.1d-1998, and set the path cost of GigabitEthernet 3/0/3 to 200 on MSTI 2.
<Sysname> system-view
[Sysname] stp pathcost-standard dot1d-1998
[Sysname] interface gigabitethernet 3/0/3
[Sysname-GigabitEthernet3/0/3] stp instance 2 cost 200
# In PVST mode, specify the switch to calculate the default path costs of its ports by using IEEE
802.1d-1998, and set the path cost of GigabitEthernet 3/0/3 to 2000 on VLANs 20 through 30.
<Sysname> system-view
[Sysname] stp mode pvst
[Sysname] stp pathcost-standard dot1d-1998
[Sysname] interface gigabitethernet 3/0/3
[Sysname-GigabitEthernet3/0/3] stp vlan 20 to 30 cost 2000
3. Configure the port priority.
Command:
• In STP/RSTP mode:
stp port priority priority
• In PVST mode:
stp vlan vlan-list port priority priority
• In MSTP mode:
stp [ instance instance-id ] port priority priority
Remarks: Use any command. The default setting is 128 for all ports.
NOTE:
If the port priority changes, the system re-calculates the port role and initiates a state transition.
Configuring the port link type
A point-to-point link directly connects two devices. If two root ports or designated ports are connected
over a point-to-point link, they can rapidly transition to the forwarding state after a proposal-agreement
handshake process.
Configuration procedure
To configure the link type of a port or a group of ports:
MSTP provides MSTP packet format incompatibility guard. In MSTP mode, if a port is configured to
recognize/send MSTP packets in a mode other than auto, and receives a packet in a format different
from the specified type, the port will become a designated port and remain in the discarding state to
prevent the occurrence of a loop.
MSTP provides MSTP packet format frequent change guard. If a port receives MSTP packets of different
formats frequently, the MSTP packet format configuration contains errors. If the port is operating in MSTP
mode, it will be shut down for protection. Ports disabled in this way can be re-activated after a detection
interval. For more information about the detection interval, see Fundamentals Configuration Guide.
To configure the MSTP packet format to be supported on a port or a group of ports:
You must enable the spanning tree feature for the switch before any other spanning tree related
configurations can take effect.
Step | Command | Remarks
3. Enter interface view or port group view. | • Enter Ethernet interface view or Layer 2 aggregate interface view: interface interface-type interface-number • Enter port group view: port-group manual port-group-name | Use either command.
4. Enable the spanning tree feature for the port or group of ports. | stp enable | Optional. By default, the spanning tree feature is enabled for all ports.

3. Enable the spanning tree feature for the desired VLANs. | stp vlan vlan-list enable | By default, PVST is enabled for all VLANs.
4. Enter interface view or port group view. | • Enter Ethernet interface view or Layer 2 aggregate interface view: interface interface-type interface-number • Enter port group view: port-group manual port-group-name | Use either command.
5. Enable the spanning tree feature for the port or group of ports. | stp enable | Optional. By default, the spanning tree feature is enabled for all ports.
Performing mCheck
If a port on a device running MSTP, RSTP, or PVST connects to an STP device, this port will automatically
transition to the STP mode. However, it cannot automatically transition back to the original mode when:
• The STP device is shut down or removed.
• The STP device transitions to the MSTP, RSTP, or PVST mode.
To forcibly transition the port to operate in the original mode, you can perform an mCheck operation. An
mCheck operation takes effect on a device that operates in MSTP, RSTP, or PVST mode.
The following methods for performing mCheck produce the same result.
Configuration procedure
To configure the VLAN Ignore feature:
Step | Command | Remarks
1. Enter system view. | system-view | N/A
Configuration example
Network requirements
As shown in Figure 23:
• Device A and Device B are directly connected.
• GigabitEthernet 4/0/1 on Device A and GigabitEthernet 4/0/1 on Device B allow the traffic of
VLAN 1 to pass through. GigabitEthernet 4/0/2 on Device A and GigabitEthernet 4/0/2 on
Device B allow the traffic of VLAN 2 to pass through.
• Device A is the root bridge, and Device A and Device B both run a spanning tree protocol.
GigabitEthernet 4/0/2 on Device B is blocked, causing traffic of VLAN 2 to be blocked.
Configure VLAN Ignore to keep GigabitEthernet 4/0/2 of Device B in the forwarding state.
Figure 23 Network diagram
[Diagram labels: Root bridge; VLAN 1; GE4/0/1 to GE4/0/1]
Configuration procedure
# Enable VLAN Ignore for VLAN 2 on Device B.
<DeviceB> system-view
[DeviceB] stp ignored vlan 2
digest that is in 16-byte length and is the result calculated via the HMAC-MD5 algorithm based on
VLAN-to-instance mappings.
Spanning tree implementations vary with vendors, and the configuration digests calculated using private
keys are different, so devices of different vendors in the same MST region cannot communicate with each
other.
To enable communication between an HP device and a third-party device, enable the Digest Snooping
feature on the port connecting the HP device to the third-party device in the same MST region.
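The digest comparison described above, as an added example that is not part of the HP guide: it computes the configuration digest the way IEEE 802.1Q defines it (HMAC-MD5 over a 4096-entry VLAN-to-instance table) for the mapping used in this guide's MSTP example. The drifted mapping and the "vendor" key are constructed values; the output shows that either a private key or a single forgotten mapping line yields a different digest, which is the check a port with Digest Snooping no longer relies on.

```python
import hashlib
import hmac

# Signature key that IEEE 802.1Q fixes for the MST Configuration Digest.
IEEE_KEY = bytes.fromhex("13AC06A62E47FD51F95D2BA243CD0346")
# Digest IEEE 802.1Q tabulates for "every VLAN mapped to the CIST (MSTI 0)".
DIGEST_ALL_CIST = "ac36177f50283cd4b83821d8ab26de62"

# VLAN-to-instance mapping from this guide's MSTP configuration example.
PAGE_MAPPING = {1: [10], 3: [30], 4: [40]}
# Constructed: the same region with the "instance 4 vlan 40" line forgotten.
DRIFTED_MAPPING = {1: [10], 3: [30]}
# Constructed stand-in for a vendor's private key (hypothetical value).
HYPOTHETICAL_VENDOR_KEY = bytes(range(16))


def mapping_table(instance_vlans):
    """Return the 8192-byte table that the digest covers.

    Entry N (2 bytes, big-endian) holds the MSTI ID of VLAN N. The entries
    for VLAN 0 and VLAN 4095 are always 0; unmapped VLANs belong to MSTI 0.
    """
    table = [0] * 4096
    for instance_id, vlans in instance_vlans.items():
        if not 0 <= instance_id <= 4094:
            raise ValueError(f"invalid MSTI ID {instance_id}")
        for vlan in vlans:
            if not 1 <= vlan <= 4094:
                raise ValueError(f"invalid VLAN ID {vlan}")
            if table[vlan] not in (0, instance_id):
                raise ValueError(f"VLAN {vlan} mapped to two instances")
            table[vlan] = instance_id
    return b"".join(msti.to_bytes(2, "big") for msti in table)


def config_digest(instance_vlans, key=IEEE_KEY):
    """HMAC-MD5 over the mapping table: 16 bytes, returned as hex."""
    return hmac.new(key, mapping_table(instance_vlans), hashlib.md5).hexdigest()


def region_id(name, revision, instance_vlans, key=IEEE_KEY):
    """Region name, revision level and digest, as compared between bridges."""
    return (name, revision, config_digest(instance_vlans, key))


def same_region(a, b):
    """Two bridges treat each other as region members only if all parts match."""
    return a == b


if __name__ == "__main__":
    device_a = region_id("example", 0, PAGE_MAPPING)
    device_b = region_id("example", 0, PAGE_MAPPING)
    drifted = region_id("example", 0, DRIFTED_MAPPING)
    third_party = region_id("example", 0, PAGE_MAPPING, HYPOTHETICAL_VENDOR_KEY)

    print("Device A digest      :", device_a[2])
    print("A and B same region  :", same_region(device_a, device_b))
    print("A and drifted device :", same_region(device_a, drifted))
    print("A and private-key peer:", same_region(device_a, third_party))
```

Because a snooping port accepts the peer's digest instead of verifying it, the VLAN-to-instance mappings on both sides have to be compared by other means, for example by diffing the region configuration of each device.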
Configuration procedure
To configure Digest Snooping:
Configuration example
Network requirements
As shown in Figure 24, Device A and Device B connect to Device C, which is a third-party device. All
these devices are in the same region.
Enable Digest Snooping on Device A’s and Device B’s ports that connect to Device C, so that the three
devices can communicate with one another.
Figure 24 Network diagram
Configuration procedure
# Enable Digest Snooping on GigabitEthernet 4/0/1 of Device A and enable global Digest Snooping
on Device A.
<DeviceA> system-view
[DeviceA] interface gigabitethernet 4/0/1
[DeviceA-GigabitEthernet4/0/1] stp config-digest-snooping
[DeviceA-GigabitEthernet4/0/1] quit
[DeviceA] stp config-digest-snooping
# Enable Digest Snooping on GigabitEthernet 4/0/1 of Device B and enable global Digest Snooping
on Device B.
<DeviceB> system-view
[DeviceB] interface gigabitethernet 4/0/1
[DeviceB-GigabitEthernet4/0/1] stp config-digest-snooping
[DeviceB-GigabitEthernet4/0/1] quit
[DeviceB] stp config-digest-snooping
Both RSTP and MSTP devices can perform rapid transition on a designated port only when the port
receives an agreement packet from the downstream device. RSTP and MSTP devices have the following
differences:
• For MSTP, the downstream device’s root port sends an agreement packet only after it receives an
agreement packet from the upstream device.
• For RSTP, the downstream device sends an agreement packet regardless of whether an agreement
packet from the upstream device is received.
Figure 25 shows the rapid state transition mechanism on MSTP designated ports.
Figure 25 Rapid state transition of an MSTP designated port
[Diagram labels: Upstream device; Downstream device; (1) Proposal for rapid transition; The root port blocks non-edge ports.]
If the upstream device is a third-party device, the rapid state transition implementation may be limited.
For example, when the upstream device uses a rapid transition mechanism similar to that of RSTP, and the
downstream device adopts MSTP and does not operate in RSTP mode, the root port on the downstream
device receives no agreement packet from the upstream device and sends no agreement packets to the
upstream device. As a result, the designated port of the upstream device fails to transit rapidly and can
only change to the forwarding state after a period twice the Forward Delay.
You can enable the No Agreement Check feature on the downstream device’s port to enable the
designated port of the upstream device to transit its state rapidly.
Configuration prerequisites
Before you configure the No Agreement Check function, complete the following tasks:
• Connect a device to a third-party upstream device supporting spanning tree protocols via a
point-to-point link.
• Configure the same region name, revision level and VLAN-to-instance mappings on the two devices,
assigning them to the same region.
Configuration procedure
To make the No Agreement Check feature take effect, enable it on the root port.
To configure No Agreement Check:
Configuration example
Network requirements
As shown in Figure 27:
• Device A connects to Device B, a third-party device that has a different spanning tree
implementation. Both devices are in the same region.
• Device B is the regional root bridge, and Device A is the downstream device.
Figure 27 No Agreement Check configuration
[Diagram labels: Device A; Device B; GE4/0/1 to GE4/0/1; Root bridge]
Configuration procedure
# Enable No Agreement Check on GigabitEthernet 4/0/1 of Device A.
<DeviceA> system-view
[DeviceA] interface gigabitethernet 4/0/1
[DeviceA-GigabitEthernet4/0/1] stp no-agreement-check
Configuring TC snooping
Figure 28 shows a topology change (TC) snooping application scenario. Device A and Device B are both
IRF-enabled switches and form an IRF fabric; they operate at the distribution layer and do not have any
spanning tree protocol enabled. The IRF fabric formed by Device A and Device B connects to multiple
access-layer customer networks, such as Customer 1 and Customer 2. Device C, Device D, and Device
E in customer network Customer 1 are all enabled with a spanning tree protocol. Customer 1 is
dual-uplinked to the IRF fabric for high availability. The IRF fabric transparently transmits STP BPDUs from
Customer 1 at Layer 2. Other customer networks (such as Customer 2) act the same as Customer 1.
Figure 28 TC snooping application scenario
In the network, the IRF fabric transparently transmits the received STP BPDUs and does not participate in
STP calculations. When a topology change occurs to the IRF fabric or attached access-layer networks,
the IRF fabric may need a long time to learn the correct MAC address table entries and ARP entries,
resulting in long network disruption. To avoid the network disruption, you can enable TC snooping on the
IRF fabric.
TC snooping enables the device to actively clear the MAC address table entries and ARP entries upon
receiving TC-BPDUs and to re-learn the MAC address table entries and ARP entries, so that the device
can normally forward the user traffic.
Configuration procedure
To configure TC snooping:
Step | Command | Description
1. Enter system view. | system-view | N/A
For access layer devices, the access ports can directly connect to the user terminals (such as PCs) or file
servers. The access ports are configured as edge ports to allow rapid transition. When these ports
receive configuration BPDUs, the system automatically sets the ports as non-edge ports and starts a new
spanning tree calculation process. This causes a change of network topology. Under normal conditions,
these ports should not receive configuration BPDUs. However, if someone forges configuration BPDUs
maliciously to attack the devices, the network will become unstable.
The spanning tree protocol provides the BPDU guard function to protect the system against such attacks.
With the BPDU guard function enabled on the devices, when edge ports receive configuration BPDUs,
the system will close these ports and notify the NMS that these ports have been closed by the spanning
tree protocol. Ports disabled in this way will be re-activated by the device after a detection interval. For
more information about this detection interval, see Fundamentals Configuration Guide.
Configure BPDU guard on a device with edge ports configured.
To enable BPDU guard:
IMPORTANT:
On a port, the root guard function and the loop guard function are mutually exclusive.
The root bridge and secondary root bridge of a spanning tree should be located in the same MST region.
Especially for the CIST, the root bridge and secondary root bridge are put in a high-bandwidth core
region during network design. However, due to possible configuration errors or malicious attacks in the
network, the legal root bridge may receive a configuration BPDU with a higher priority. The current legal
root bridge will be superseded by another device, causing an undesired change of the network topology.
As a result, the traffic that should go over high-speed links is switched to low-speed links, resulting in
network congestion.
To prevent this situation, MSTP provides the root guard function. If the root guard function is enabled on
a port of a root bridge, this port plays the role of designated port on all MSTIs. Once this port receives
a configuration BPDU with a higher priority from an MSTI, it immediately sets that port to the listening
state in the MSTI, without forwarding the packet (this is equivalent to disconnecting the link connected
with this port in the MSTI). If the port receives no BPDUs with a higher priority within twice the forwarding
delay, it will revert to its original state.
Configure root guard on a designated port.
To enable root guard:
A device that keeps receiving BPDUs from the upstream device can maintain the state of the root port and
blocked ports. However, link congestion or unidirectional link failures may cause these ports to fail to
receive BPDUs from the upstream devices. The device will reselect the port roles: Those ports in
forwarding state that failed to receive upstream BPDUs will become designated ports, and the blocked
ports will transition to the forwarding state, resulting in loops in the switched network. The loop guard
function can suppress the occurrence of such loops.
The initial state of a loop guard-enabled port is discarding in every MSTI. When the port receives BPDUs,
its state transitions normally. Otherwise, it stays in the discarding state to prevent temporary loops.
Configure loop guard on the root port and alternate ports of a device.
To enable loop guard:
2. Enable the TC-BPDU guard function. | stp tc-protection enable | Optional. By default, TC-BPDU guard is enabled.
3. Configure the maximum number of forwarding address entry flushes that the switch can perform every 10 seconds. | stp tc-protection threshold number | Optional. The default setting is 6.
NOTE:
HP does not recommend you disable this feature.
Task, command, and remarks:
• Display BPDU statistics on ports. Available in any view.
display stp bpdu-statistics [ interface interface-type interface-number [ instance instance-id ] ] [ | { begin | exclude | include } regular-expression ]
• Display the historical information of port role calculation for the specified MSTI or all MSTIs (in standalone mode). Available in any view.
display stp [ instance instance-id ] history [ slot slot-number ] [ | { begin | exclude | include } regular-expression ]
• Display the root bridge information of all MSTIs. Available in any view.
display stp root [ | { begin | exclude | include } regular-expression ]
• Display the list of VLANs with VLAN Ignore enabled. Available in any view.
display stp ignored-vlan [ | { begin | exclude | include } regular-expression ]
• Clear the spanning tree statistics. Available in user view.
reset stp [ interface interface-list ]
Spanning tree configuration examples
MSTP configuration example
Network requirements
As shown in Figure 29:
• All devices on the network are in the same MST region. Device A and Device B work at the
distribution layer. Device C and Device D work at the access layer.
• Configure MSTP so that packets of different VLANs are forwarded along different spanning trees:
Packets of VLAN 10 are forwarded along MSTI 1, those of VLAN 30 are forwarded along MSTI 3,
those of VLAN 40 are forwarded along MSTI 4, and those of VLAN 20 are forwarded along MSTI
0.
• VLAN 10 and VLAN 30 are terminated on the distribution layer devices, and VLAN 40 is
terminated on the access layer devices, so the root bridges of MSTI 1 and MSTI 3 are Device A and
Device B, and the root bridge of MSTI 4 is Device C.
Figure 29 Network diagram
Configuration procedure
1. Configure VLANs and VLAN member ports: (Details not shown.)
◦ Create VLAN 10, VLAN 20, and VLAN 30 on Device A and Device B.
◦ Create VLAN 10, VLAN 20, and VLAN 40 on Device C.
◦ Create VLAN 20, VLAN 30, and VLAN 40 on Device D.
◦ Configure the ports on these devices as trunk ports and assign them to related VLANs.
2. Configure Device A:
# Enter MST region view, configure the MST region name as example, map VLAN 10, VLAN 30,
and VLAN 40 to MSTI 1, MSTI 3, and MSTI 4, respectively, and configure the revision level of the
MST region as 0.
<DeviceA> system-view
[DeviceA] stp region-configuration
[DeviceA-mst-region] region-name example
[DeviceA-mst-region] instance 1 vlan 10
[DeviceA-mst-region] instance 3 vlan 30
[DeviceA-mst-region] instance 4 vlan 40
[DeviceA-mst-region] revision-level 0
# Activate MST region configuration.
[DeviceA-mst-region] active region-configuration
[DeviceA-mst-region] quit
# Specify the current device as the root bridge of MSTI 1.
[DeviceA] stp instance 1 root primary
# Enable the spanning tree feature globally.
[DeviceA] stp enable
3. Configure Device B:
# Enter MST region view, configure the MST region name as example, map VLAN 10, VLAN 30,
and VLAN 40 to MSTI 1, MSTI 3, and MSTI 4, respectively, and configure the revision level of the
MST region as 0.
<DeviceB> system-view
[DeviceB] stp region-configuration
[DeviceB-mst-region] region-name example
[DeviceB-mst-region] instance 1 vlan 10
[DeviceB-mst-region] instance 3 vlan 30
[DeviceB-mst-region] instance 4 vlan 40
[DeviceB-mst-region] revision-level 0
# Activate MST region configuration.
[DeviceB-mst-region] active region-configuration
[DeviceB-mst-region] quit
# Specify the current device as the root bridge of MSTI 3.
[DeviceB] stp instance 3 root primary
# Enable the spanning tree feature globally.
[DeviceB] stp enable
4. Configure Device C:
# Enter MST region view, configure the MST region name as example, map VLAN 10, VLAN 30,
and VLAN 40 to MSTI 1, MSTI 3, and MSTI 4, respectively, and configure the revision level of the
MST region as 0.
<DeviceC> system-view
[DeviceC] stp region-configuration
[DeviceC-mst-region] region-name example
[DeviceC-mst-region] instance 1 vlan 10
[DeviceC-mst-region] instance 3 vlan 30
[DeviceC-mst-region] instance 4 vlan 40
[DeviceC-mst-region] revision-level 0
# Activate MST region configuration.
[DeviceC-mst-region] active region-configuration
[DeviceC-mst-region] quit
# Specify the current device as the root bridge of MSTI 4.
[DeviceC] stp instance 4 root primary
# Enable the spanning tree feature globally.
[DeviceC] stp enable
5. Configure Device D:
# Enter MST region view, configure the MST region name as example, map VLAN 10, VLAN 30,
and VLAN 40 to MSTI 1, MSTI 3, and MSTI 4, respectively, and configure the revision level of the
MST region as 0.
<DeviceD> system-view
[DeviceD] stp region-configuration
[DeviceD-mst-region] region-name example
[DeviceD-mst-region] instance 1 vlan 10
[DeviceD-mst-region] instance 3 vlan 30
[DeviceD-mst-region] instance 4 vlan 40
[DeviceD-mst-region] revision-level 0
# Activate MST region configuration.
[DeviceD-mst-region] active region-configuration
[DeviceD-mst-region] quit
# Enable the spanning tree feature globally.
[DeviceD] stp enable
6. Verify the configuration:
You can use the display stp brief command to display brief spanning tree information on each
device after the network is stable.
# Display brief spanning tree information on Device A.
[DeviceA] display stp brief
MSTID Port Role STP State Protection
0 GigabitEthernet3/0/1 ALTE DISCARDING NONE
0 GigabitEthernet3/0/2 DESI FORWARDING NONE
0 GigabitEthernet3/0/3 ROOT FORWARDING NONE
1 GigabitEthernet3/0/1 DESI FORWARDING NONE
1 GigabitEthernet3/0/3 DESI FORWARDING NONE
3 GigabitEthernet3/0/2 DESI FORWARDING NONE
3 GigabitEthernet3/0/3 ROOT FORWARDING NONE
# Display brief spanning tree information on Device B.
[DeviceB] display stp brief
MSTID Port Role STP State Protection
0 GigabitEthernet3/0/1 DESI FORWARDING NONE
0 GigabitEthernet3/0/2 DESI FORWARDING NONE
0 GigabitEthernet3/0/3 DESI FORWARDING NONE
1 GigabitEthernet3/0/2 DESI FORWARDING NONE
1 GigabitEthernet3/0/3 ROOT FORWARDING NONE
3 GigabitEthernet3/0/1 DESI FORWARDING NONE
3 GigabitEthernet3/0/3 DESI FORWARDING NONE
# Display brief spanning tree information on Device C.
[DeviceC] display stp brief
MSTID Port Role STP State Protection
0 GigabitEthernet3/0/1 DESI FORWARDING NONE
0 GigabitEthernet3/0/2 ROOT FORWARDING NONE
0 GigabitEthernet3/0/3 DESI FORWARDING NONE
1 GigabitEthernet3/0/1 ROOT FORWARDING NONE
1 GigabitEthernet3/0/2 ALTE DISCARDING NONE
4 GigabitEthernet3/0/3 DESI FORWARDING NONE
# Display brief spanning tree information on Device D.
[DeviceD] display stp brief
MSTID Port Role STP State Protection
0 GigabitEthernet3/0/1 ROOT FORWARDING NONE
0 GigabitEthernet3/0/2 ALTE DISCARDING NONE
0 GigabitEthernet3/0/3 ALTE DISCARDING NONE
3 GigabitEthernet3/0/1 ROOT FORWARDING NONE
3 GigabitEthernet3/0/2 ALTE DISCARDING NONE
4 GigabitEthernet3/0/3 ROOT FORWARDING NONE
Based on the output, you can draw the MSTI mapped to each VLAN, as shown in Figure 30.
Figure 30 MSTIs mapped to different VLANs
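Every row in the output above shows Protection NONE. The following added example (not part of the HP guide) parses display stp brief output and reports which guard this chapter recommends for each port: root guard on designated ports, loop guard on root and alternate ports, BPDU guard on edge ports. The Protection values ROOT, LOOP and BPDU, the edge port list, and the second sample are assumptions or constructed input.

```python
import re
from collections import defaultdict

# `display stp brief` output for Device A, copied from the MSTP example above.
DEVICE_A_BRIEF = """\
MSTID Port Role STP State Protection
0 GigabitEthernet3/0/1 ALTE DISCARDING NONE
0 GigabitEthernet3/0/2 DESI FORWARDING NONE
0 GigabitEthernet3/0/3 ROOT FORWARDING NONE
1 GigabitEthernet3/0/1 DESI FORWARDING NONE
1 GigabitEthernet3/0/3 DESI FORWARDING NONE
3 GigabitEthernet3/0/2 DESI FORWARDING NONE
3 GigabitEthernet3/0/3 ROOT FORWARDING NONE
"""

# Constructed sample for an access switch. ROOT/LOOP/BPDU as Protection
# values are an assumption about how enabled guards are displayed.
ACCESS_BRIEF = """\
MSTID Port Role STP State Protection
0 GigabitEthernet1/0/1 ROOT FORWARDING LOOP
0 GigabitEthernet1/0/2 ALTE DISCARDING NONE
0 GigabitEthernet1/0/10 DESI FORWARDING NONE
0 GigabitEthernet1/0/11 DESI FORWARDING BPDU
"""

# tree ID, port name, role, state, protection
ROW = re.compile(r"^\s*(\d+)\s+(\S+)\s+([A-Z]+)\s+([A-Z]+)\s+(\S+)\s*$")


def parse_brief(text):
    """Parse data rows into dicts; the header and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        match = ROW.match(line)
        if match:
            tree, port, role, state, protection = match.groups()
            rows.append({"tree": int(tree), "port": port, "role": role,
                         "state": state, "protection": protection})
    return rows


def expected_guard(roles, is_edge):
    """Map a port's roles across all trees to the guard the chapter suggests."""
    if is_edge:
        return "BPDU"      # edge ports should never receive BPDUs
    if roles == {"DESI"}:
        return "ROOT"      # root guard goes on designated ports
    if roles <= {"ROOT", "ALTE"}:
        return "LOOP"      # loop guard goes on root and alternate ports
    # Designated in one tree, root/alternate in another: root guard and
    # loop guard are mutually exclusive on a port, so a person must choose.
    return "REVIEW"


def audit(rows, edge_ports=()):
    """Return {port: guard} for every port that lacks its suggested guard."""
    roles, guards = defaultdict(set), defaultdict(set)
    for row in rows:
        roles[row["port"]].add(row["role"])
        guards[row["port"]].update(
            g for g in row["protection"].split("/") if g != "NONE")
    findings = {}
    for port, port_roles in roles.items():
        want = expected_guard(port_roles, port in edge_ports)
        if want not in guards[port]:
            findings[port] = want
    return findings


if __name__ == "__main__":
    for port, guard in audit(parse_brief(DEVICE_A_BRIEF)).items():
        print(f"Device A {port}: {guard}")
    edge = {"GigabitEthernet1/0/10", "GigabitEthernet1/0/11"}
    for port, guard in audit(parse_brief(ACCESS_BRIEF), edge).items():
        print(f"Access switch {port}: {guard}")
```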
Figure 31 Network diagram
Configuration procedure
1. Configure VLANs and VLAN member ports: (Details not shown.)
◦ Create VLAN 10, VLAN 20, and VLAN 30 on Device A and Device B.
◦ Create VLAN 10, VLAN 20, and VLAN 40 on Device C.
◦ Create VLAN 20, VLAN 30, and VLAN 40 on Device D.
◦ Configure the ports on these devices as trunk ports and assign them to related VLANs.
2. Configure Device A:
# Set the spanning tree mode to PVST.
<DeviceA> system-view
[DeviceA] stp mode pvst
# Specify the device as the root bridge of VLAN 10 and VLAN 20.
[DeviceA] stp vlan 10 20 root primary
# Enable the spanning tree feature globally, and enable the spanning tree feature for VLANs 10,
20, and 30.
[DeviceA] stp enable
[DeviceA] stp vlan 10 20 30 enable
3. Configure Device B:
# Set the spanning tree mode to PVST.
<DeviceB> system-view
[DeviceB] stp mode pvst
# Specify the device as the root bridge of VLAN 30.
[DeviceB] stp vlan 30 root primary
# Enable the spanning tree feature globally, and enable the spanning tree feature for VLANs 10,
20, and 30.
[DeviceB] stp enable
[DeviceB] stp vlan 10 20 30 enable
4. Configure Device C:
# Set the spanning tree mode to PVST.
<DeviceC> system-view
[DeviceC] stp mode pvst
# Specify the current device as the root bridge of VLAN 40.
[DeviceC] stp vlan 40 root primary
# Enable the spanning tree feature globally, and enable the spanning tree feature for VLANs 10,
20, and 40.
[DeviceC] stp enable
[DeviceC] stp vlan 10 20 40 enable
5. Configure Device D:
# Set the spanning tree mode to PVST.
<DeviceD> system-view
[DeviceD] stp mode pvst
# Enable the spanning tree feature globally, and enable the spanning tree feature for VLANs 20,
30, and 40.
[DeviceD] stp enable
[DeviceD] stp vlan 20 30 40 enable
6. Verify the configuration:
You can use the display stp brief command to display brief spanning tree information on each
device after the network is stable.
# Display brief spanning tree information on Device A.
[DeviceA] display stp brief
VLAN Port Role STP State Protection
10 GigabitEthernet3/0/1 DESI DISCARDING NONE
10 GigabitEthernet3/0/3 DESI FORWARDING NONE
20 GigabitEthernet3/0/1 DESI FORWARDING NONE
20 GigabitEthernet3/0/2 DESI FORWARDING NONE
20 GigabitEthernet3/0/3 DESI FORWARDING NONE
30 GigabitEthernet3/0/2 DESI FORWARDING NONE
30 GigabitEthernet3/0/3 ROOT FORWARDING NONE
# Display brief spanning tree information on Device B.
[DeviceB] display stp brief
VLAN Port Role STP State Protection
10 GigabitEthernet3/0/2 DESI FORWARDING NONE
10 GigabitEthernet3/0/3 ROOT FORWARDING NONE
20 GigabitEthernet3/0/1 DESI FORWARDING NONE
20 GigabitEthernet3/0/2 DESI FORWARDING NONE
20 GigabitEthernet3/0/3 ROOT FORWARDING NONE
30 GigabitEthernet3/0/1 DESI FORWARDING NONE
30 GigabitEthernet3/0/3 DESI FORWARDING NONE
# Display brief spanning tree information on Device C.
[DeviceC] display stp brief
VLAN Port Role STP State Protection
10 GigabitEthernet3/0/1 ROOT FORWARDING NONE
10 GigabitEthernet3/0/2 ALTE FORWARDING NONE
20 GigabitEthernet3/0/1 ROOT FORWARDING NONE
20 GigabitEthernet3/0/2 ALTE FORWARDING NONE
20 GigabitEthernet3/0/3 DESI DISCARDING NONE
40 GigabitEthernet3/0/3 DESI FORWARDING NONE
# Display brief spanning tree information on Device D.
[DeviceD] display stp brief
VLAN Port Role STP State Protection
20 GigabitEthernet3/0/1 ALTE FORWARDING NONE
20 GigabitEthernet3/0/2 ROOT DISCARDING NONE
20 GigabitEthernet3/0/3 ALTE DISCARDING NONE
30 GigabitEthernet3/0/1 ROOT FORWARDING NONE
30 GigabitEthernet3/0/2 ALTE DISCARDING NONE
40 GigabitEthernet3/0/3 ROOT FORWARDING NONE
Based on the output, you can draw the spanning tree mapped to each VLAN, as shown in Figure
32.
Figure 32 Spanning trees mapped to different VLANs
Configuring Ethernet link aggregation
When the device operating in IRF mode is enabled with enhanced IRF mode, it does not support creating
Layer 3 Ethernet interfaces/subinterfaces or Layer 3 aggregate interfaces/subinterfaces.
The device supports a maximum of 240 aggregation groups. An aggregation group supports a
maximum number of 12 Selected ports on a single device. For IRF mode, the maximum number of
Selected ports supported by an aggregation group is 12 multiplied by the number of IRF member
devices.
Overview
Ethernet link aggregation, or simply link aggregation, combines multiple physical Ethernet ports into one
logical link, called an aggregate link. Link aggregation delivers the following benefits:
• Increases bandwidth beyond the limits of any single link. In an aggregate link, traffic is distributed
across the member ports.
• Improves link reliability. The member ports dynamically back up one another. When a member port
fails, its traffic is automatically switched to other member ports.
As shown in Figure 33, Device A and Device B are connected by three physical Ethernet links. These
physical Ethernet links are combined into an aggregate link, Link Aggregation 1. The bandwidth of this
aggregate link is as high as the total bandwidth of these three physical Ethernet links. At the same time,
the three Ethernet links back up one another.
Figure 33 Ethernet link aggregation
Basic concepts
Aggregation group, member port, and aggregate interface
Ethernet link aggregation is implemented through link aggregation groups. An aggregation group is a
group of Ethernet interfaces aggregated together, which are called member ports of the aggregation
group. For each aggregation group, a logical interface, called an aggregate interface, is created. To an
upper layer entity that uses the link aggregation service, a link aggregation group looks like a single
logical link and data traffic is transmitted through the aggregate interface.
There are two types of aggregate interfaces: Bridge-Aggregation (BAGG) interfaces, which are Layer 2
aggregate interfaces, and Route-Aggregation (RAGG) interfaces, which are Layer 3 aggregate
interfaces. When an aggregate interface is created, an aggregation group of the same type and
numbered the same is created automatically. For example, when you create interface
Bridge-Aggregation 1, Layer 2 aggregation group 1 is created.
To a Layer 2 aggregation group, you can assign only Layer 2 Ethernet interfaces; to a Layer 3
aggregation group, only Layer 3 Ethernet interfaces.
NOTE:
• On a Layer 3 aggregate interface, you can create subinterfaces, which are called "Layer 3 aggregate
subinterfaces." These subinterfaces are logical interfaces that operate at the network layer. They can
receive VLAN tagged packets for their Layer 3 aggregate interface.
• The rate of an aggregate interface equals the total rate of its member ports in selected state and its
duplex mode is the same as that of the selected member ports. For more information about the states of
member ports in an aggregation group, see "Aggregation states of member ports in an aggregation
group."
Operational key
When aggregating ports, the system automatically assigns each port an operational key based on port
information such as port rate and duplex mode. Any change to this information triggers a recalculation
of this operational key.
In an aggregation group, all selected member ports are assigned the same operational key.
Configuration classes
Every configuration setting on a member port in a link aggregation group may affect, to a greater or
lesser degree, the aggregation state of the port in the group. The settings are divided into three configuration classes:
• Port attribute configurations, including port rate, duplex mode, and link status (up/down), which
are the most basic port configurations.
• Class-two configurations, as described in Table 12. A member port can be placed in selected state
only if it has the same class-two configurations as the aggregate interface.
Table 12 Class-two configurations
Item | Considerations
Port isolation | Whether the port has joined an isolation group, and the isolation group to which the port belongs
QinQ | QinQ enable state (enable/disable), TPID for VLAN tags, outer VLAN tags to be added, inner-to-outer VLAN priority mappings, inner-to-outer VLAN tag mappings, inner VLAN ID substitution mappings
VLAN | Permitted VLAN IDs, PVID, link type (trunk, hybrid, or access), IP subnet-based VLAN configuration, protocol-based VLAN configuration, VLAN tagging mode
NOTE:
• Class-two configurations made on an aggregate interface are automatically synchronized to all its
member ports. These configurations are retained on the member ports even after the aggregate
interface is removed.
• Any class-two configuration change may affect the aggregation state of link aggregation member ports
and thus ongoing traffic. To make sure that you are aware of the risk, the system displays a warning
message every time you attempt to change a class-two configuration setting on a member port.
• Class-one configurations, which are configurations that do not affect the aggregation state of the
member port even if they are different from those on the aggregate interface. GVRP and MSTP
settings are examples of class-one configurations.
Reference port
When setting the aggregation state of the ports in an aggregation group, the system automatically picks
a member port as the reference. This port is called the reference port of the aggregation group. The port
attribute and class-two configurations of every other member port are compared with those of the
reference port.
LACP protocol
The IEEE 802.3ad Link Aggregation Control Protocol (LACP) enables dynamic aggregation of physical
links. It uses link aggregation control protocol data units (LACPDUs) for exchanging aggregation
information between LACP-enabled network devices.
1. LACP functions
Based on the fields carried in LACPDUs, the functions delivered by the IEEE 802.3ad LACP fall into
basic LACP functions and extended LACP functions, as described in Table 13.
Table 13 Basic and extended LACP functions
Category | Description
Basic LACP functions | Implemented through the basic LACPDU fields including the system LACP priority, system MAC address, port aggregation priority, port number, and operational key. Each member port in a LACP-enabled aggregation group exchanges the above information with its peer. When a member port receives an LACPDU, it compares the received information with the information received on the other member ports. In this way the two systems reach an agreement on which ports should be placed in the selected state.
For more information about IRF, IRF member switches, intermediate switches, and the LACP MAD
mechanism, see IRF Configuration Guide.
2. LACP priorities
There are two types of LACP priorities: system LACP priority and port aggregation priority, as
described in Table 14.
Table 14 LACP priorities
Aggregation mode | LACP status on member ports | Pros | Cons
Static | Disabled | Aggregation is stable. The aggregation state of the member ports is not affected by their peers. | The member ports cannot change their aggregation state in consistency with their peers. The administrator needs to manually maintain link aggregations.
Static link aggregation comprises:
• Selecting a reference port
• Setting the aggregation state of each member port
NOTE:
• Any port attribute or class-two configuration change on a member port may change the aggregation
state and cause service interruption.
• A port that joins the static aggregation group after the Selected port limit has been reached will not be
placed in the selected state even if it otherwise should be. This can prevent ongoing traffic on the
current Selected ports from being interrupted. You should avoid the situation, however, as it can cause
the aggregation state of a port to change after a reboot.
Figure 35 Setting the state of a member port in a dynamic aggregation group
Meanwhile, the system with the higher system ID, being aware of the aggregation state changes on the
remote system, changes the aggregation state of its ports accordingly.
NOTE:
• A dynamic link aggregation group preferably sets full-duplex ports as the Selected ports, and will set
one, and only one, half-duplex port as a Selected port when none of the full-duplex ports can be
selected or only half-duplex ports exist in the group.
• Any member port attribute or class-two configuration change may affect the aggregation state of link
aggregation member ports and ongoing traffic.
• In a dynamic aggregation group, when the aggregation state of a local port changes, the aggregation
state of the peer port also changes accordingly.
• A port that joins a dynamic aggregation group after the Selected port limit has been reached is placed
in Selected state if it is more eligible for being selected than a current member port.
Load sharing criteria for link aggregation groups
In a link aggregation group, traffic may be load-shared across the selected member ports based on a set
of criteria, depending on your configuration.
You can choose one of the following criteria or any combination for load sharing:
• MAC addresses
• IP addresses
• Service port numbers
• Ingress ports
• MPLS labels
Enhancing the Selected port capacity for link aggregation in IRF mode Optional.
Configuration guidelines
You cannot assign a port to a Layer 2 aggregation group if any of the features listed in Table 16 is
configured on the port.
Table 16 Features incompatible with Layer 2 aggregation groups
Feature Reference
RRPP RRPP configuration in High Availability Configuration Guide
You cannot assign a port to a Layer 3 aggregation group if any of the features listed in Table 17 is
configured on the port.
Table 17 Interfaces that cannot be assigned to a Layer 3 aggregation group
If a port is used as a reflector port for port mirroring, do not assign it to an aggregation group. For more
information about reflector ports, see Network Management and Monitoring Configuration Guide.
Removing an aggregate interface also removes the corresponding aggregation group. At the same time,
any member ports of the aggregation group leave the aggregation group.
Do not configure any Layer 3 features, such as MPLS and VPN, on a port to be added to a Layer 3
aggregation group. Remove any Layer 3 feature configured on a port before adding it to a Layer 3
aggregation group.
After adding a port to a Layer 3 aggregation group, configure Layer 3 features on the aggregate
interface instead of on the member port. If you configure any Layer 3 feature mistakenly on a member
port, remove the Layer 3 feature configuration from the member port and then run the shutdown and
undo shutdown commands on the aggregate interface.
4. Assign an Ethernet interface to the aggregation group.
   Command:
   a. Enter Layer 2 Ethernet interface view:
      interface interface-type interface-number
   b. Assign the Ethernet interface to the aggregation group:
      port link-aggregation group number
   Remarks: Repeat this step to assign multiple Layer 2 Ethernet interfaces to the aggregation group.
5. Assign the port an aggregation priority.
   Command: link-aggregation port-priority port-priority
   Remarks: Optional. By default, the aggregation priority of a port is 32768. Changing the aggregation priority of a port may affect the aggregation state of the ports in the static aggregation group.
NOTE:
To guarantee a successful dynamic aggregation, make sure that the peer ports of the ports aggregated at
one end are also aggregated. The two ends can automatically negotiate the aggregation state of each
member port.
2. Set the system LACP priority.
   Command: lacp system-priority system-priority
   Remarks: Optional. By default, the system LACP priority is 32768. Changing the system LACP priority may affect the aggregation state of the ports in dynamic aggregation groups.
7. Assign the interface an aggregation priority.
   Command: link-aggregation port-priority port-priority
   Remarks: Optional. By default, the aggregation priority of a port is 32768. Changing the aggregation priority of a port may affect the aggregation state of the ports in the dynamic aggregation group.
8. Set the LACP timeout interval on the port to the short timeout interval (1 second).
   Command: lacp period short
   Remarks: Optional. By default, the LACP timeout interval on a port is the long timeout interval (30 seconds).
1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Set the system LACP priority.
   Command: lacp system-priority system-priority
   Remarks: Optional. By default, the system LACP priority is 32768. Changing the system LACP priority may affect the aggregation state of the ports in the dynamic aggregation group.
7. Assign the port an aggregation priority.
   Command: lacp port-priority port-priority
   Remarks: Optional. By default, the aggregation priority of a port is 32768. Changing the aggregation priority of a port may affect the aggregation state of ports in the dynamic aggregation group.
8. Set the LACP timeout interval on the port to the short timeout interval (1 second).
   Command: lacp period short
   Remarks: Optional. By default, the LACP timeout interval on a port is the long timeout interval (30 seconds).
Configuring the description of an aggregate
interface/subinterface
You can configure the description of an aggregate interface for administration purposes such as
describing the purpose of the interface.
To configure the description of an aggregate interface/subinterface:
3. Configure the description of the aggregate interface/subinterface.
   Command: description text
   Remarks: Optional. By default, the description of an interface is interface-name Interface, such as Bridge-Aggregation1 Interface.
2. Enter Layer 3 aggregate interface/subinterface view.
   Command: interface route-aggregation { interface-number | interface-number.subnumber }
   Remarks: N/A
To enable link state trapping on an aggregate interface:
2. Enable the trap function globally.
   Command: snmp-agent trap enable [ standard [ linkdown | linkup ] * ]
   Remarks: Optional. By default, link state trapping is enabled globally and on all interfaces.
4. Enable link state trapping for the aggregate interface.
   Command: enable snmp trap updown
   Remarks: Optional. By default, link state trapping is enabled for the aggregate interface.
The bandwidth of an aggregate link increases along with the number of selected member ports. To avoid
congestion caused by insufficient Selected ports on an aggregate link, you can set the minimum number
of Selected ports required for bringing up the specific aggregate interface.
This minimum threshold setting affects the aggregation state of both aggregation member ports and the
aggregate interface:
• All member ports change to the Unselected state and the link of the aggregate interface goes down,
when the number of member ports eligible for being selected is smaller than the minimum
threshold.
• When the minimum threshold is reached, the eligible member ports change to the Selected state,
and the link of the aggregate interface goes up.
By default, the maximum number of Selected ports allowed in an aggregation group is limited by the
hardware capabilities of the member ports. After you manually configure the maximum number of
Selected ports in an aggregation group, the maximum number of Selected ports allowed in the
aggregation group is the smaller value of the two upper limits.
You can configure redundancy between two ports using the following guideline: Assign two ports to an
aggregation group, and configure the maximum number of Selected ports allowed in the aggregation
group as 1. In this way, only one Selected port is allowed in the aggregation group at any point in time,
while the Unselected port serves as a backup port.
To limit the number of Selected ports for an aggregation group:
2. Enter aggregate interface view.
   Command:
   • Enter Layer 2 aggregate interface view:
     interface bridge-aggregation interface-number
   • Enter Layer 3 aggregate interface or subinterface view:
     interface route-aggregation { interface-number | interface-number.subnumber }
   Remarks: Use either command.
NOTE:
Shutting down a Layer 3 aggregate subinterface does not affect any aggregation group, because Layer 3
aggregate subinterfaces are not associated with any aggregation groups.
Step Command Remarks
1. Enter system view. system-view N/A
The link-aggregation traffic redirection function is available on switches or IRF member switches. It can
redirect traffic between cards or IRF member switches for a cross-card or cross-switch link aggregation
group. With this function, you can prevent traffic interruption when rebooting a card or IRF member
switch that contains link aggregation member ports. For more information about IRF, see IRF
Configuration Guide.
To enable link-aggregation traffic redirection:
2. Enable link-aggregation traffic redirection.
   Command: link-aggregation lacp traffic-redirect-notification enable
   Remarks: Optional. By default, link-aggregation traffic redirection is disabled.
NOTE:
Link-aggregation traffic redirection applies to dynamic link aggregation groups only.
If one end is configured with this feature, make sure the other end is also configured with this feature.
Otherwise, link aggregation might not work.
To enhance the Selected port capacity for link aggregation in IRF mode:
Task: Display the summary of all aggregation groups.
   Command: display link-aggregation summary [ | { begin | exclude | include } regular-expression ]
   Remarks: Available in any view.
Task: Clear statistics for a specific or all aggregate interfaces.
   Command: reset counters interface [ { bridge-aggregation | route-aggregation } [ interface-number ] ]
   Remarks: Available in user view.
NOTE:
• In an aggregation group, only ports that have the same port attributes and class-two configurations (see
"Configuration classes") as the reference port (see "Reference port") can operate as Selected ports.
Make sure that all member ports have the same port attributes and class-two configurations as the
reference port. The other settings only need to be configured on the aggregate interface, not on the
member ports.
• By default, Ethernet interfaces, VLAN interfaces, and aggregate interfaces are in the down state. Before
configuring these interfaces, use the undo shutdown command to bring them up.
Configuration procedure
1. Configure Device A:
# Create VLAN 10, and assign port GigabitEthernet 4/0/4 to VLAN 10.
<DeviceA> system-view
[DeviceA] vlan 10
[DeviceA-vlan10] port gigabitethernet 4/0/4
[DeviceA-vlan10] quit
# Create VLAN 20, and assign port GigabitEthernet 4/0/5 to VLAN 20.
[DeviceA] vlan 20
[DeviceA-vlan20] port gigabitethernet 4/0/5
[DeviceA-vlan20] quit
# Create Layer 2 aggregate interface Bridge-Aggregation 1.
[DeviceA] interface bridge-aggregation 1
[DeviceA-Bridge-Aggregation1] quit
# Assign ports GigabitEthernet 4/0/1 through GigabitEthernet 4/0/3 to link aggregation group
1.
[DeviceA] interface gigabitethernet 4/0/1
[DeviceA-GigabitEthernet4/0/1] port link-aggregation group 1
[DeviceA-GigabitEthernet4/0/1] quit
[DeviceA] interface gigabitethernet 4/0/2
[DeviceA-GigabitEthernet4/0/2] port link-aggregation group 1
[DeviceA-GigabitEthernet4/0/2] quit
[DeviceA] interface gigabitethernet 4/0/3
[DeviceA-GigabitEthernet4/0/3] port link-aggregation group 1
[DeviceA-GigabitEthernet4/0/3] quit
# Configure Layer 2 aggregate interface Bridge-Aggregation 1 as a trunk port and assign it to
VLANs 10 and 20.
[DeviceA] interface bridge-aggregation 1
[DeviceA-Bridge-Aggregation1] port link-type trunk
[DeviceA-Bridge-Aggregation1] port trunk permit vlan 10 20
Please wait... Done.
[DeviceA-Bridge-Aggregation1] quit
# Configure Device A to use the source and destination MAC addresses of packets as the global
link-aggregation load sharing criteria.
[DeviceA] link-aggregation load-sharing mode source-mac destination-mac
2. Configure Device B in the same way as you configure Device A.
3. Verify the configurations:
# Display summary information about all aggregation groups on Device A.
[DeviceA] display link-aggregation summary
Layer 2 dynamic aggregation configuration example
Network requirements
As shown in Figure 37:
• Configure a Layer 2 dynamic link aggregation group on both Device A and Device B, enable VLAN
10 at one end of the aggregate link to communicate with VLAN 10 at the other end, and VLAN 20
at one end to communicate with VLAN 20 at the other end.
• Enable traffic to be load-shared across aggregation group member ports based on source and
destination MAC addresses.
Figure 37 Network diagram
Configuration procedure
1. Configure Device A:
# Create VLAN 10, and assign the port GigabitEthernet 4/0/4 to VLAN 10.
<DeviceA> system-view
[DeviceA] vlan 10
[DeviceA-vlan10] port gigabitethernet 4/0/4
[DeviceA-vlan10] quit
# Create VLAN 20, and assign the port GigabitEthernet 4/0/5 to VLAN 20.
[DeviceA] vlan 20
[DeviceA-vlan20] port gigabitethernet 4/0/5
[DeviceA-vlan20] quit
# Create Layer 2 aggregate interface Bridge-Aggregation 1, and configure the link aggregation
mode as dynamic.
[DeviceA] interface bridge-aggregation 1
[DeviceA-Bridge-Aggregation1] link-aggregation mode dynamic
# Assign ports GigabitEthernet 4/0/1 through GigabitEthernet 4/0/3 to link aggregation group
1.
[DeviceA] interface gigabitethernet 4/0/1
[DeviceA-GigabitEthernet4/0/1] port link-aggregation group 1
[DeviceA-GigabitEthernet4/0/1] quit
[DeviceA] interface gigabitethernet 4/0/2
[DeviceA-GigabitEthernet4/0/2] port link-aggregation group 1
[DeviceA-GigabitEthernet4/0/2] quit
[DeviceA] interface gigabitethernet 4/0/3
[DeviceA-GigabitEthernet4/0/3] port link-aggregation group 1
[DeviceA-GigabitEthernet4/0/3] quit
# Configure Layer 2 aggregate interface Bridge-Aggregation 1 as a trunk port and assign it to
VLANs 10 and 20.
[DeviceA] interface bridge-aggregation 1
[DeviceA-Bridge-Aggregation1] port link-type trunk
[DeviceA-Bridge-Aggregation1] port trunk permit vlan 10 20
Please wait... Done.
[DeviceA-Bridge-Aggregation1] quit
# Configure the device to use the source and destination MAC addresses of packets as the global
link-aggregation load sharing criteria.
[DeviceA] link-aggregation load-sharing mode source-mac destination-mac
2. Configure Device B in the same way as you configure Device A.
3. Verify the configurations:
# Display summary information about all aggregation groups on Device A.
[DeviceA] display link-aggregation summary
Figure 38 Network diagram
Configuration procedure
1. Configure Device A:
# Create Layer 3 aggregate interface Route-Aggregation 1, and configure an IP address and
subnet mask for the aggregate interface.
<DeviceA> system-view
[DeviceA] interface route-aggregation 1
[DeviceA-Route-Aggregation1] ip address 192.168.1.1 24
[DeviceA-Route-Aggregation1] quit
# Assign Layer 3 Ethernet interfaces GigabitEthernet 3/0/1 through GigabitEthernet 3/0/3 to
aggregation group 1.
[DeviceA] interface Gigabitethernet 3/0/1
[DeviceA-Gigabitethernet3/0/1] port link-aggregation group 1
[DeviceA-Gigabitethernet3/0/1] quit
[DeviceA] interface Gigabitethernet 3/0/2
[DeviceA-Gigabitethernet3/0/2] port link-aggregation group 1
[DeviceA-Gigabitethernet3/0/2] quit
[DeviceA] interface Gigabitethernet 3/0/3
[DeviceA-Gigabitethernet3/0/3] port link-aggregation group 1
[DeviceA-Gigabitethernet3/0/3] quit
# Configure the global link-aggregation load sharing criteria as the source and destination IP
addresses of packets.
[DeviceA] link-aggregation load-sharing mode source-ip destination-ip
2. Configure Device B in the same way as you configure Device A.
3. Verify the configurations:
# Display the summary information about all aggregation groups on Device A.
[DeviceA] display link-aggregation summary
[DeviceA] display link-aggregation load-sharing mode
Configuration procedure
1. Configure Device A:
# Create Layer 3 aggregate interface Route-Aggregation 1, configure the link aggregation mode
as dynamic, and configure an IP address and subnet mask for the aggregate interface.
<DeviceA> system-view
[DeviceA] interface route-aggregation 1
[DeviceA-Route-Aggregation1] link-aggregation mode dynamic
[DeviceA-Route-Aggregation1] ip address 192.168.1.1 24
[DeviceA-Route-Aggregation1] quit
# Assign Layer 3 Ethernet interfaces GigabitEthernet 3/0/1 through GigabitEthernet 3/0/3 to
aggregation group 1.
[DeviceA] interface Gigabitethernet 3/0/1
[DeviceA-Gigabitethernet3/0/1] port link-aggregation group 1
[DeviceA-Gigabitethernet3/0/1] quit
[DeviceA] interface Gigabitethernet 3/0/2
[DeviceA-Gigabitethernet3/0/2] port link-aggregation group 1
[DeviceA-Gigabitethernet3/0/2] quit
[DeviceA] interface Gigabitethernet 3/0/3
[DeviceA-Gigabitethernet3/0/3] port link-aggregation group 1
[DeviceA-Gigabitethernet3/0/3] quit
# Configure to use the source and destination IP addresses of packets as the global
link-aggregation load sharing criteria.
[DeviceA] link-aggregation load-sharing mode source-ip destination-ip
2. Configure Device B in the same way as you configure Device A.
3. Verify the configurations:
# Display the summary information about all aggregation groups on Device A.
[DeviceA] display link-aggregation summary
Configuring port isolation
Overview
Assigning access ports to different VLANs is a typical way to isolate Layer 2 traffic for data privacy and
security, but this approach is VLAN resource demanding. To save VLAN resources, you can use the port
isolation feature, which can isolate ports on the switch or IRF member switch basis without using VLANs
and allows for flexibility and security.
Operating mechanism
The feature isolates ports regardless of the VLANs that the ports are assigned to. The ports in the same
isolation group cannot communicate with each other at Layer 2, but they can communicate with the ports
outside the isolation group bidirectionally if the outside ports belong to the same VLAN as the isolation
group ports.
IMPORTANT:
• The ports in an isolation group support the following functions only: MAC address learning, QoS
actions (such as accounting, filter deny, car cir committed-information-rate red discard, and traffic
mirroring) in the incoming direction of the ports, and link aggregation.
• Do not configure Layer 2 protocols (such as GVRP) or Layer 3 protocols (such as multicast and routing)
on the ports in an isolation group. Doing so can cause network malfunction.
Non-isolated VLAN
A non-isolated VLAN allows the ports in an isolation group to communicate with each other within the
VLAN at Layer 2.
Figure 40 shows a network scenario that requires the non-isolated VLAN configuration.
• Switch B and Switch C communicate with a public server cluster through Switch A.
• Switch A connects to Switch B through GigabitEthernet 3/0/2, and connects to Switch C through
GigabitEthernet 3/0/3.
• Both GigabitEthernet 3/0/2 and GigabitEthernet 3/0/3 are assigned to VLAN 2 and VLAN 3.
After GigabitEthernet 3/0/2 and GigabitEthernet 3/0/3 are assigned to isolation group 1, Switch B
cannot communicate with Switch C at Layer 2, Host A cannot communicate with Host C although they
both belong to VLAN 2, and Host B cannot communicate with Host D although they both belong to VLAN
3.
To enable Layer 2 communication between Host B and Host D, you can configure VLAN 3 as a
non-isolated VLAN for isolation group 1.
Figure 40 Non-isolated VLAN in an isolation group
4. Enter interface view.
   Command:
   • Enter Ethernet interface view:
     interface interface-type interface-number
   • Enter Layer 2 aggregate interface view:
     interface bridge-aggregation interface-number
   • Enter port group view:
     port-group manual port-group-name
   Remarks: Use one of the commands.
5. Assign the ports to the isolation group.
   Command: port-isolate enable group group-number
   Remarks: No ports are assigned to an isolation group by default.
NOTE:
The number of ports that can be assigned to an isolation group is not limited.
Port isolation without non-isolated VLAN configuration example
Network requirements
As shown in Figure 41, the switch is operating in hybrid mode and provides access to the Internet through
GigabitEthernet 4/0/1. Ports GigabitEthernet 4/0/1 through GigabitEthernet 4/0/4 belong to VLAN
2.
Configure port isolation, so the switch prevents Host A, Host B, and Host C from communicating with one
another at Layer 2, but allows them to access the Internet.
Figure 41 Network diagram
Configuration procedure
# Create VLAN 2 and assign ports to the VLAN.
<Switch> system-view
[Switch] vlan 2
[Switch-vlan2] port gigabitethernet 4/0/1 to gigabitethernet 4/0/4
[Switch-vlan2] quit
# Assign ports GigabitEthernet 4/0/2, GigabitEthernet 4/0/3, and GigabitEthernet 4/0/4 to isolation
group 2 as isolated ports.
[Switch] interface gigabitethernet 4/0/2
[Switch-GigabitEthernet4/0/2] port-isolate enable group 2
[Switch-GigabitEthernet4/0/2] quit
[Switch] interface gigabitethernet 4/0/3
[Switch-GigabitEthernet4/0/3] port-isolate enable group 2
[Switch-GigabitEthernet4/0/3] quit
[Switch] interface gigabitethernet 4/0/4
[Switch-GigabitEthernet4/0/4] port-isolate enable group 2
[Switch-GigabitEthernet4/0/4] quit
[Switch] display port-isolate group 2
Port-isolate group information:
Uplink port support: NO
Group ID: 2
Group members:
GigabitEthernet4/0/2 GigabitEthernet4/0/3 GigabitEthernet4/0/4
Configuring Switch A
# Create VLAN 2 and VLAN 3, and assign trunk ports GigabitEthernet 3/0/2 and GigabitEthernet
3/0/3 to the VLANs.
<SwitchA> system-view
[SwitchA] vlan 2 to 3
[SwitchA] interface GigabitEthernet 3/0/2
[SwitchA-GigabitEthernet3/0/2] port link-type trunk
[SwitchA-GigabitEthernet3/0/2] port trunk permit vlan 2 3
[SwitchA-GigabitEthernet3/0/2] quit
[SwitchA] interface GigabitEthernet 3/0/3
[SwitchA-GigabitEthernet3/0/3] port link-type trunk
[SwitchA-GigabitEthernet3/0/3] port trunk permit vlan 2 3
[SwitchA-GigabitEthernet3/0/3] quit
# Assign ports GigabitEthernet 3/0/2 and GigabitEthernet 3/0/3 that connect to Switch B and Switch
C to isolation group 1.
[SwitchA] interface GigabitEthernet 3/0/2
[SwitchA-GigabitEthernet3/0/2] port-isolate enable group 1
[SwitchA-GigabitEthernet3/0/2] quit
[SwitchA] interface GigabitEthernet 3/0/3
[SwitchA-GigabitEthernet3/0/3] port-isolate enable group 1
[SwitchA-GigabitEthernet3/0/3] quit
Configuring Switch B
# Create VLAN 2 and VLAN 3, assign GigabitEthernet 2/0/2 to VLAN 2, and assign GigabitEthernet
2/0/3 to VLAN 3.
<SwitchB> system-view
[SwitchB] vlan 2
[SwitchB-vlan2] port GigabitEthernet 2/0/2
[SwitchB-vlan2] vlan 3
[SwitchB-vlan3] port GigabitEthernet 2/0/3
[SwitchB-vlan3] quit
# Configure GigabitEthernet 2/0/1 as a trunk port and assign the port to VLAN 2 and VLAN 3.
[SwitchB] interface GigabitEthernet 2/0/1
[SwitchB-GigabitEthernet2/0/1] port link-type trunk
[SwitchB-GigabitEthernet2/0/1] port trunk permit vlan 2 3
Configuring Switch C
Configure Switch C as you configure Switch B.
The output shows that ports GigabitEthernet 3/0/2 and GigabitEthernet 3/0/3 are assigned to
isolation group 1.
# Display the configuration of isolation group 1.
[SwitchA] port-isolate group 1
[SwitchA -port-isolate-group1] display this
#
port-isolate group 1
community-vlan vlan 3
#
return
The output shows that Switch A contains isolation group 1, in which VLAN 3 is a non-isolated VLAN.
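The following Python sketch is an added example, not part of the HP guide. It models the forwarding rule from "Operating mechanism" and "Non-isolated VLAN" against Switch A's settings, so you can audit which port pairs remain isolated once VLAN 3 is made a non-isolated VLAN. The uplink port GigabitEthernet3/0/1 and all function names are assumptions, and only explicitly permitted VLANs are modeled.

```python
import re
from itertools import combinations

# Constructed sample: Switch A's settings from this example as one listing.
# GigabitEthernet3/0/1 is an assumed uplink toward the server cluster; the
# guide does not name that port.
SWITCH_A_CONFIG = """\
interface GigabitEthernet3/0/1
 port link-type trunk
 port trunk permit vlan 2 3
interface GigabitEthernet3/0/2
 port link-type trunk
 port trunk permit vlan 2 3
 port-isolate enable group 1
interface GigabitEthernet3/0/3
 port link-type trunk
 port trunk permit vlan 2 3
 port-isolate enable group 1
port-isolate group 1
 community-vlan vlan 3
"""


def vlan_ids(text):
    """Turn a space-separated VLAN list such as "2 3" into a set of ints."""
    return {int(v) for v in text.split()}


def parse_config(text):
    """Return (ports, community) parsed from a config listing.

    ports:     port name -> {"vlans": set of VLAN IDs, "group": int or None}
    community: isolation group ID -> set of non-isolated VLAN IDs
    Only space-separated VLAN lists are handled ("2 3", not "2 to 3").
    """
    ports, community = {}, {}
    port = group = None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.fullmatch(r"interface (\S+)", line)
        if m:
            port, group = m.group(1), None
            ports[port] = {"vlans": set(), "group": None}
            continue
        m = re.fullmatch(r"port-isolate group (\d+)", line)
        if m:
            port, group = None, int(m.group(1))
            community.setdefault(group, set())
            continue
        m = re.fullmatch(r"port trunk permit vlan ([\d ]+)", line)
        if m and port:
            ports[port]["vlans"] |= vlan_ids(m.group(1))
            continue
        m = re.fullmatch(r"port-isolate enable group (\d+)", line)
        if m and port:
            ports[port]["group"] = int(m.group(1))
            continue
        m = re.fullmatch(r"community-vlan vlan ([\d ]+)", line)
        if m and group is not None:
            community[group] |= vlan_ids(m.group(1))
    return ports, community


def l2_allowed(ports, community, a, b, vlan):
    """True if ports a and b can exchange Layer 2 traffic in the given VLAN."""
    pa, pb = ports[a], ports[b]
    if vlan not in pa["vlans"] or vlan not in pb["vlans"]:
        return False  # both ports must carry the VLAN at all
    same_group = pa["group"] is not None and pa["group"] == pb["group"]
    if not same_group:
        return True  # isolation applies only inside one isolation group
    # Inside a group, only a non-isolated VLAN re-opens Layer 2 forwarding.
    return vlan in community.get(pa["group"], set())


def blocked_pairs(ports, community):
    """List (port_a, port_b, vlan) combinations that port isolation blocks."""
    blocked = []
    for a, b in combinations(sorted(ports), 2):
        for vlan in sorted(ports[a]["vlans"] & ports[b]["vlans"]):
            if not l2_allowed(ports, community, a, b, vlan):
                blocked.append((a, b, vlan))
    return blocked


if __name__ == "__main__":
    ports, community = parse_config(SWITCH_A_CONFIG)
    for a, b, vlan in blocked_pairs(ports, community):
        print(f"isolated: {a} <-> {b} in VLAN {vlan}")
```

Removing the community-vlan line from the sample makes the pair blocked in VLAN 3 as well, which is a quick way to confirm that a non-isolated VLAN is the only thing allowing traffic between isolated ports.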
Configuring QinQ
Throughout this document, customer network VLANs (CVLANs), also called inner VLANs, refer to the
VLANs that a customer uses on the private network; and service provider network VLANs (SVLANs), also
called outer VLANs, refer to the VLANs that a service provider uses to carry VLAN tagged traffic for
customers.
Overview
QinQ stands for 802.1Q in 802.1Q. QinQ is a flexible, easy-to-implement Layer 2 VPN technology
based on IEEE 802.1Q. QinQ enables the edge device on a service provider network to insert an outer
VLAN tag in the Ethernet frames from customer networks, so that the Ethernet frames travel across the
service provider network (public network) with double VLAN tags. QinQ enables a service provider to
use a single SVLAN to serve customers who have multiple CVLANs.
Figure 43 Typical QinQ application scenario
As shown in Figure 43, customer network A has CVLANs 1 through 10, and customer network B has
CVLANs 1 through 20. The service provider assigns SVLAN 3 to customer network A and SVLAN 4 to
customer network B. When a tagged Ethernet frame from customer network A arrives at the edge of the
service provider network, the edge device tags the frame with outer VLAN 3. When a tagged Ethernet
frame from customer network B arrives at the edge of the service provider network, the edge device tags
it with outer VLAN 4. As a result, no overlap of VLAN IDs among customers exists, and traffic from
different customers can be identified separately.
NOTE:
The QinQ feature is implemented based on the 802.1q standard. It is necessary that all the switches along
the tunnel support the 802.1q standard.
The default maximum transmission unit (MTU) of an interface is 1500 bytes. The size of an outer VLAN
tag is 4 bytes. HP recommends that you increase the MTU of each interface on the service provider network
to at least 1504 bytes. For more information about interface MTU configuration, see Interface
Configuration Guide.
Implementations of QinQ
HP provides the following QinQ implementations: basic QinQ and selective QinQ.
1. Basic QinQ
Basic QinQ enables a port to tag any incoming frames with its default VLAN tag, regardless of
whether they have been tagged or not. If an incoming frame has been tagged, it becomes a
double-tagged frame. If not, it becomes a frame tagged with the port’s default VLAN tag.
2. Selective QinQ
Selective QinQ is more flexible than basic QinQ. In addition to all the functions of basic QinQ,
selective QinQ enables a port to perform the following per-CVLAN actions for incoming frames:
   ○ Tag frames from different CVLANs with different SVLAN tags.
   ○ Mark the outer VLAN 802.1p priority based on the existing inner VLAN 802.1p priority.
Besides being able to separate the service provider network from the customer networks, selective
QinQ provides abundant service features and allows more flexible networking.
Devices of different vendors may set the TPID of the outer VLAN tag of QinQ frames to different values.
For compatibility with these devices, modify the TPID value so that the QinQ frames, when sent to the
public network, carry the TPID value identical to the value of a particular vendor to allow interoperability
with the devices of that vendor.
The TPID in an Ethernet frame has the same position as the protocol type field in a frame without a VLAN
tag. To avoid problems in packet forwarding and handling in the network, do not set the TPID value to
any of the values in Table 18.
Table 18 Reserved protocol type values
Protocol type Value
PUP 0x0200
RARP 0x8035
IP 0x0800
IPv6 0x86DD
PPPoE 0x8863/0x8864
MPLS 0x8847/0x8848
IPX/SPX 0x8137
IS-IS 0x8000
LACP 0x8809
802.1X 0x888E
Cluster 0x88A7
Reserved 0xFFFD/0xFFFE/0xFFFF
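The following Python sketch is an added example, not part of the HP guide. It applies basic QinQ tagging to constructed frames, rejects the TPID values reserved in Table 18, and shows why the extra 4-byte tag calls for an MTU of at least 1504 bytes. The function names, MAC addresses and sample VLAN IDs are assumptions; 0x8100 is the standard IEEE 802.1Q TPID.

```python
import struct

TPID_8021Q = 0x8100  # standard IEEE 802.1Q TPID, used for the inner (customer) tag

# Table 18: protocol type values that must not be used as a TPID.
RESERVED_TYPES = {
    0x0200: "PUP", 0x8035: "RARP", 0x0800: "IP", 0x86DD: "IPv6",
    0x8863: "PPPoE", 0x8864: "PPPoE", 0x8847: "MPLS", 0x8848: "MPLS",
    0x8137: "IPX/SPX", 0x8000: "IS-IS", 0x8809: "LACP", 0x888E: "802.1X",
    0x88A7: "Cluster", 0xFFFD: "Reserved", 0xFFFE: "Reserved", 0xFFFF: "Reserved",
}


def check_tpid(tpid):
    """Return tpid if it is usable, raise ValueError if Table 18 reserves it."""
    if not 0 <= tpid <= 0xFFFF:
        raise ValueError("TPID must fit in 16 bits")
    if tpid in RESERVED_TYPES:
        raise ValueError(f"TPID 0x{tpid:04X} collides with {RESERVED_TYPES[tpid]}")
    return tpid


def vlan_tag(tpid, vid, pcp=0):
    """Build a 4-byte VLAN tag: 16-bit TPID, then 3-bit priority + 12-bit VLAN ID."""
    if not 1 <= vid <= 4094 or not 0 <= pcp <= 7:
        raise ValueError("VLAN ID must be 1-4094 and priority 0-7")
    return struct.pack("!HH", tpid, (pcp << 13) | vid)


def build_frame(payload_len, cvlan=None, ethertype=0x0800):
    """Constructed customer frame: dummy MACs, optional C-tag, zeroed payload."""
    macs = bytes.fromhex("020000000002") + bytes.fromhex("020000000001")
    ctag = vlan_tag(TPID_8021Q, cvlan) if cvlan is not None else b""
    return macs + ctag + struct.pack("!H", ethertype) + bytes(payload_len)


def basic_qinq_push(frame, svlan, tpid=TPID_8021Q):
    """Basic QinQ: insert the port's default VLAN as an outer tag after the
    two MAC addresses, whether or not the frame is already tagged."""
    check_tpid(tpid)
    return frame[:12] + vlan_tag(tpid, svlan) + frame[12:]


def parse_tags(frame, outer_tpid=TPID_8021Q):
    """Return ([(tpid, vlan_id), ...] outermost first, final protocol type)."""
    tags, offset = [], 12
    while True:
        (etype,) = struct.unpack_from("!H", frame, offset)
        if etype not in (TPID_8021Q, outer_tpid):
            return tags, etype
        (tci,) = struct.unpack_from("!H", frame, offset + 2)
        tags.append((etype, tci & 0x0FFF))
        offset += 4


def payload_after_first_tag(frame):
    """Bytes a device counts as payload when it sees only the outermost tag:
    everything after two MACs (12), one tag (4) and one type field (2)."""
    return len(frame) - 18


if __name__ == "__main__":
    customer = build_frame(1500, cvlan=10)          # full-size frame in CVLAN 10
    provider = basic_qinq_push(customer, 100, 0x8200)
    print(parse_tags(provider, 0x8200))
    print(payload_after_first_tag(customer), payload_after_first_tag(provider))
```

The sample values mirror the guide's own example (SVLAN 100, TPID 0x8200): a full-size customer frame that fit a 1500-byte MTU presents 1504 bytes behind the outer tag once it is double-tagged.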
Task Remarks
Enabling basic QinQ Required.
11. Enter interface view.
   Command:
   • Enter Ethernet interface view:
     interface interface-type interface-number
   • Enter port group view:
     port-group manual port-group-name
   Remarks: Use either command.
12. Apply the QoS policy to the Ethernet interface or all ports in the port group.
   Command: qos apply policy policy-name { inbound | outbound }
   Remarks: N/A
3. Define an inner VLAN 802.1p priority match criterion.
   Command: if-match customer-dot1p 8021p-list
   Remarks: You can configure more match criteria as needed.
12. Apply the QoS policy to the Ethernet interface or all ports in the port group.
   Command: qos apply policy policy-name { inbound | outbound }
   Remarks: N/A
• PE 1 and PE 2 are edge devices on the service provider network and are connected through
third-party devices with a TPID value of 0x8200.
Configure the edge and third-party devices to enable communication between the branches of Company
A through SVLAN 100, and communication between the branches of Company B through SVLAN 200.
Figure 46 Network diagram
Configuration procedure
IMPORTANT:
Make sure the devices in the service provider network have been configured to allow QinQ packets to
pass through.
1. Configure PE 1:
a. Configure GigabitEthernet 4/0/1:
# Configure GigabitEthernet 4/0/1 as a trunk port and assign it to VLAN 100.
<PE1> system-view
[PE1] interface gigabitethernet 4/0/1
[PE1-GigabitEthernet4/0/1] port link-type trunk
[PE1-GigabitEthernet4/0/1] port trunk permit vlan 100
# Configure VLAN 100 as the default VLAN ID for the port.
[PE1-GigabitEthernet4/0/1] port trunk pvid vlan 100
# Enable basic QinQ on the port.
[PE1-GigabitEthernet4/0/1] qinq enable
[PE1-GigabitEthernet4/0/1] quit
b. Configure GigabitEthernet 4/0/2:
# Configure GigabitEthernet 4/0/2 as a trunk port and assign it to VLAN 100 and VLAN 200.
[PE1] interface gigabitethernet 4/0/2
[PE1-GigabitEthernet4/0/2] port link-type trunk
[PE1-GigabitEthernet4/0/2] port trunk permit vlan 100 200
# Set the TPID value in the outer VLAN tag to 0x8200 on the port.
[PE1-GigabitEthernet4/0/2] qinq ethernet-type 8200
[PE1-GigabitEthernet4/0/2] quit
c. Configure GigabitEthernet 4/0/3:
# Configure GigabitEthernet 4/0/3 as a trunk port and assign it to VLAN 200.
[PE1] interface gigabitethernet 4/0/3
[PE1-GigabitEthernet4/0/3] port link-type trunk
[PE1-GigabitEthernet4/0/3] port trunk permit vlan 200
# Configure VLAN 200 as the default VLAN ID for the port.
[PE1-GigabitEthernet4/0/3] port trunk pvid vlan 200
# Enable basic QinQ on the port.
[PE1-GigabitEthernet4/0/3] qinq enable
[PE1-GigabitEthernet4/0/3] quit
2. Configure PE 2:
a. Configure GigabitEthernet 4/0/1:
# Configure GigabitEthernet 4/0/1 as a trunk port and assign it to VLAN 200.
<PE2> system-view
[PE2] interface gigabitethernet 4/0/1
[PE2-GigabitEthernet4/0/1] port link-type trunk
[PE2-GigabitEthernet4/0/1] port trunk permit vlan 200
# Configure VLAN 200 as the default VLAN ID for the port.
[PE2-GigabitEthernet4/0/1] port trunk pvid vlan 200
# Enable basic QinQ on the port.
[PE2-GigabitEthernet4/0/1] qinq enable
[PE2-GigabitEthernet4/0/1] quit
b. Configure GigabitEthernet 4/0/2:
# Configure GigabitEthernet 4/0/2 as a trunk port and assign it to VLAN 100 and VLAN 200.
[PE2] interface gigabitethernet 4/0/2
[PE2-GigabitEthernet4/0/2] port link-type trunk
[PE2-GigabitEthernet4/0/2] port trunk permit vlan 100 200
# Set the TPID value in the outer VLAN tag to 0x8200 on the port.
[PE2-GigabitEthernet4/0/2] qinq ethernet-type 8200
[PE2-GigabitEthernet4/0/2] quit
c. Configure GigabitEthernet 4/0/3:
# Configure GigabitEthernet 4/0/3 as a trunk port and assign it to VLAN 100.
[PE2] interface gigabitethernet 4/0/3
[PE2-GigabitEthernet4/0/3] port link-type trunk
[PE2-GigabitEthernet4/0/3] port trunk permit vlan 100
# Configure VLAN 100 as the default VLAN ID for the port.
[PE2-GigabitEthernet4/0/3] port trunk pvid vlan 100
# Enable basic QinQ on the port.
[PE2-GigabitEthernet4/0/3] qinq enable
[PE2-GigabitEthernet4/0/3] quit
3. On the third-party devices between PE 1 and PE 2, configure the port connecting to PE 1 and that
connecting to PE 2 to allow tagged frames of VLAN 100 and VLAN 200 to pass through.
Configuration procedure
IMPORTANT:
Because the packets in the customer network are single-tagged, when you configure match criteria for
packets, you must use the if-match service-vlan-id vlan-id-list command (which matches the outermost
VLAN tags) rather than the if-match customer-vlan-id vlan-id-list command (which matches the inner
VLAN tags of double-tagged packets).
1. Configure Provider A:
# Configure an uplink policy to tag SVLAN 100 for frames from the user network.
<ProviderA> system-view
[ProviderA] traffic classifier nest operator or
[ProviderA-classifier-nest] if-match service-vlan-id 10 20
[ProviderA-classifier-nest] quit
[ProviderA] traffic behavior nest
[ProviderA-behavior-nest] nest top-most vlan-id 100
[ProviderA-behavior-nest] quit
[ProviderA] qos policy nest
[ProviderA-qospolicy-nest] classifier nest behavior nest
[ProviderA-qospolicy-nest] quit
# Configure port GigabitEthernet 4/0/1 to allow frames of VLAN 100 to pass through untagged.
[ProviderA] interface gigabitethernet 4/0/1
[ProviderA-GigabitEthernet4/0/1] port link-type hybrid
[ProviderA-GigabitEthernet4/0/1] port hybrid vlan 100 untagged
# Apply the uplink policy to the inbound direction of GigabitEthernet 4/0/1.
[ProviderA-GigabitEthernet4/0/1] qos apply policy nest inbound
[ProviderA-GigabitEthernet4/0/1] quit
# Configure port GigabitEthernet 4/0/2 to allow frames of VLAN 100 to pass through.
[ProviderA] interface gigabitethernet 4/0/2
[ProviderA-GigabitEthernet4/0/2] port link-type trunk
[ProviderA-GigabitEthernet4/0/2] port trunk permit vlan 100
2. Configure Provider B as you configure Provider A.
Configuring VLAN mapping
The Layer 3 Ethernet interfaces of the switch do not support VLAN mapping.
Overview
VLAN mapping re-marks VLAN tagged traffic with new VLAN IDs. The switch provides the following
types of VLAN mapping:
• One-to-one VLAN mapping—Replaces one VLAN tag with another. You can use one-to-one VLAN
mapping to sub-classify traffic from a particular VLAN for granular QoS control, or adapt the VLAN
schemes of two service providers.
• One-to-two VLAN mapping—Tags single-tagged packets with an outer VLAN tag. One-to-two
VLAN mapping expands the VLAN tag space, and enables a service provider and its customers to
independently assign VLANs without the risk of VLAN assignment conflicts.
• Two-to-two VLAN mapping—Replaces the outer and inner VLAN IDs of double tagged traffic with
a new pair of VLAN IDs. The switch supports replacing only the outer VLAN ID. You can use
two-to-two VLAN mapping on the switch to enable two remote sites in the same VLAN to
communicate at Layer 2 across two service provider networks that use different VLAN assignment
schemes.
Application scenario of one-to-two and two-to-two VLAN mapping
Figure 49 shows a typical application scenario in which two remote sites in VPN A, Site 1 and Site 2,
must communicate across two SP networks, SP 1 and SP 2.
Figure 49 Application scenario of one-to-two and two-to-two VLAN mapping
Site 1 and Site 2 are in VLAN 2. The VLAN assigned to VPN A is VLAN 10 in the SP 1 network and
VLAN 20 in the SP 2 network.
If Site 1 sends a packet to Site 2, the packet is processed on the way to its destination using the following
workflow:
1. When the packet tagged with VLAN 2 arrives at the edge of network SP 1, PE 1 tags the packet
with outer VLAN 10 by using one-to-two VLAN mapping.
2. When the double-tagged packet enters the SP 2 network, PE 3 replaces the outer VLAN tag (VLAN
10) with VLAN 20 by performing two-to-two VLAN mapping.
3. When PE 4 receives the packet with outer VLAN tag 20, it removes the outer VLAN tag and
forwards the packet to VLAN 2.
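The three-step workflow above, traced on 802.1Q tag bytes as an added example (not from the original guide). It assumes both tags use TPID 0x8100 and uses constructed MAC addresses and payload; the function names are illustrative and only mirror the nest top-most and remark service-vlan-id actions.

```python
import struct

TPID = 0x8100  # assumption: both tags use the standard 802.1Q TPID
# Constructed sample addresses (locally administered), not from the guide.
DST = bytes.fromhex("020000000002")
SRC = bytes.fromhex("020000000001")


def build_frame(vlan_ids, ethertype=0x0800, payload=b"constructed payload"):
    """Build an Ethernet frame carrying the given VLAN IDs, outermost first."""
    tags = b"".join(struct.pack("!HH", TPID, vid) for vid in vlan_ids)
    return DST + SRC + tags + struct.pack("!H", ethertype) + payload


def vlan_stack(frame):
    """Return the VLAN IDs that follow the MAC addresses, outermost first."""
    vids, offset = [], 12
    while len(frame) >= offset + 4:
        tpid, tci = struct.unpack_from("!HH", frame, offset)
        if tpid != TPID:
            break
        vids.append(tci & 0x0FFF)
        offset += 4
    return vids


def nest_top_most(frame, match_vlan, svlan):
    """One-to-two mapping: add outer tag svlan when the outermost tag matches."""
    stack = vlan_stack(frame)
    if not stack or stack[0] != match_vlan:
        return frame
    return frame[:12] + struct.pack("!HH", TPID, svlan) + frame[12:]


def remark_service_vlan(frame, cvlan, svlan, new_svlan):
    """Two-to-two mapping as the switch supports it: rewrite only the outer ID."""
    if vlan_stack(frame)[:2] != [svlan, cvlan]:
        return frame  # classifier did not match, frame is left unchanged
    (tci,) = struct.unpack_from("!H", frame, 14)
    new_tci = (tci & 0xF000) | new_svlan  # keep the priority and DEI bits
    return frame[:14] + struct.pack("!H", new_tci) + frame[16:]


def strip_outer(frame, svlan):
    """Remove the outer tag of a double-tagged frame whose outer ID is svlan."""
    stack = vlan_stack(frame)
    if len(stack) < 2 or stack[0] != svlan:
        return frame
    return frame[:12] + frame[16:]


def site1_to_site2():
    """Follow one frame from Site 1 to Site 2 and record the tag stack per hop."""
    frame = build_frame([2])
    trace = [("Site 1", vlan_stack(frame))]
    frame = nest_top_most(frame, 2, 10)            # PE 1: CVLAN 2 gets SVLAN 10
    trace.append(("PE 1", vlan_stack(frame)))
    frame = remark_service_vlan(frame, 2, 10, 20)  # PE 3: SVLAN 10 becomes 20
    trace.append(("PE 3", vlan_stack(frame)))
    frame = strip_outer(frame, 20)                 # PE 4: outer tag removed
    trace.append(("PE 4", vlan_stack(frame)))
    return trace, frame


if __name__ == "__main__":
    for hop, stack in site1_to_site2()[0]:
        print(f"{hop}: {stack}")
```

The customer tag (VLAN 2) is never rewritten along the path, which is the property to check when verifying that provider-side mapping does not leak traffic between customer VLANs.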
You can use QinQ to implement one-to-two VLAN mapping. For more information about QinQ, see
"Configuring QinQ."
Figure 50 Basic concepts of VLAN mapping (figure labels: SP network, network-side port, customer-side port, uplink traffic, downlink traffic)
• Uplink traffic—Traffic transmitted from the customer network to the service provider network.
• Downlink traffic—Traffic transmitted from the service provider network to the customer network.
• Network-side port—A port connected to or closer to the service provider network.
• Customer-side port—A port connected to or closer to the customer network.
• Uplink policy—A QoS policy that defines VLAN mapping rules for uplink traffic.
• Downlink policy—A QoS policy that defines VLAN mapping rules for downlink traffic.
• Customer VLANs (CVLANs)—VLANs assigned to customers.
• Service provider VLANs (SVLANs)—VLANs assigned for transmitting traffic across the service
provider network.
For more information about QoS policies, see ACL and QoS Configuration Guide.
Figure 51 One-to-one VLAN mapping implementation
Figure 53 Two-to-two VLAN mapping implementation
Configuration prerequisites
Create CVLANs and SVLANs, and plan CVLAN-SVLAN mappings.
Step: 2. Configure one class for a CVLAN.
Command:
  a. Create a class and enter class view:
     traffic classifier tcl-name [ operator { and | or } ]
  b. Specify one CVLAN as the match criterion:
     if-match service-vlan-id vlan-id-value
  c. Return to system view:
     quit
Remarks: Repeat these steps to configure one class for each CVLAN. In one-to-one VLAN mapping, the if-match service-vlan-id command is for matching both CVLANs and SVLANs, because the switch uses the command for matching the outmost VLAN tag.
Step: 3. Configure one behavior for a CVLAN.
Command:
  a. Create a traffic behavior and enter traffic behavior view:
     traffic behavior behavior-name
  b. Configure an SVLAN marking action:
     remark service-vlan-id vlan-id-value
  c. Return to system view:
     quit
Remarks: Repeat these steps to configure a behavior for each CVLAN. In one-to-one VLAN mapping, the remark service-vlan-id command is for marking both the CVLAN and SVLAN tags, because the switch uses the command for marking the outmost VLAN tag.

Step: 4. Create a QoS policy and enter QoS policy view.
Command: qos policy policy-name
Remarks: N/A

Step: 5. Associate the class with the behavior to map the SVLAN to the CVLAN.
Command: classifier tcl-name behavior behavior-name
Remarks: Repeat these steps to create other CVLAN-to-SVLAN mappings.
Step: 2. Enter Ethernet interface view.
Command: interface interface-type interface-number
Remarks: N/A

Step: 4. Assign the port to the CVLANs.
Command:
  • As a hybrid port:
    port hybrid vlan vlan-id-list tagged
  • As a trunk port:
    port trunk permit vlan { vlan-id-list | all }
Remarks: By default, ports of any link type permit VLAN 1.
Step: 2. Enter Ethernet interface view.
Command: interface interface-type interface-number
Remarks: N/A

Step: 3. Configure the link type of the port.
Command: port link-type { hybrid | trunk }
Remarks: The default link type of ports is access.

Step: 4. Assign the port to the SVLANs.
Command:
  • As a hybrid port:
    port hybrid vlan vlan-id-list tagged
  • As a trunk port:
    port trunk permit vlan { vlan-id-list | all }
Remarks: By default, ports of any link type permit VLAN 1.
Task: Configuring an uplink policy
Description: Configures an uplink policy for the customer-side port (required).
Configuration prerequisites
Create VLANs, and plan CVLAN-to-SVLAN mappings.
Step: 3. Configure one behavior for an SVLAN.
Command:
  a. Create a traffic behavior and enter traffic behavior view:
     traffic behavior behavior-name
  b. Add a VLAN nest action to insert an outer VLAN tag into the incoming packets from the CVLAN or CVLANs:
     nest top-most vlan-id vlan-id-value
  c. Return to system view:
     quit
Remarks: Repeat these steps to configure one behavior for each SVLAN.

Step: 4. Create a QoS policy and enter QoS policy view.
Command: qos policy policy-name
Remarks: N/A

Step: 5. Associate the class with the behavior.
Command: classifier tcl-name behavior behavior-name
Remarks: Repeat this step to create class-behavior associations for other CVLANs.
Step: 2. Enter Ethernet interface view.
Command: interface interface-type interface-number
Remarks: N/A

Step: 4. Assign the port to the SVLANs as an untagged member.
Command: port hybrid vlan vlan-id-list untagged
Remarks: By default, a hybrid port is an untagged member of only VLAN 1.

Step: 5. Assign the port to the CVLANs as a tagged member.
Command: port hybrid vlan vlan-id-list tagged
Remarks: N/A

Step: 6. Apply the uplink policy to the incoming traffic.
Command: qos apply policy policy-name inbound
Remarks: N/A
Step: 2. Enter Ethernet interface view.
Command: interface interface-type interface-number
Remarks: N/A

Step: 3. Configure the link type of the port.
Command:
  • Configure the port as a trunk port:
    port link-type trunk
  • Configure the port as a hybrid port:
    port link-type hybrid
Remarks: The default link type of an Ethernet port is access.

Step: 4. Assign the port to all SVLANs.
Command:
  • As a trunk port:
    port trunk permit vlan { vlan-id-list | all }
  • As a hybrid port:
    port hybrid vlan vlan-id-list tagged
Remarks: By default:
  • A trunk port is assigned to only VLAN 1.
  • A hybrid port is an untagged member of VLAN 1.
Task: Configuring an uplink policy for the customer-side port
Description: Replaces foreign SVLANs with local SVLANs for uplink traffic (required).
Step: 2. Configure one class for a CVLAN and a SVLAN.
Command:
  a. Create a class and enter class view:
     traffic classifier tcl-name [ operator { and | or } ]
  b. Specify one CVLAN as the match criterion:
     if-match customer-vlan-id vlan-id-value
  c. Specify one SVLAN as the match criterion:
     if-match service-vlan-id vlan-id-value
  d. Return to system view:
     quit
Remarks: Repeat these steps to create one class for each CVLAN and foreign SVLAN pair.

Step: 3. Configure one behavior for an SVLAN.
Command:
  a. Create a traffic behavior and enter traffic behavior view:
     traffic behavior behavior-name
  b. Configure an SVLAN marking action to replace the foreign SVLAN ID with a local SVLAN ID:
     remark service-vlan-id vlan-id-value
  c. Return to system view:
     quit
Remarks: Repeat these steps to configure one SVLAN marking action for each CVLAN and foreign SVLAN pair.

Step: 4. Create a QoS policy and enter QoS policy view.
Command: qos policy policy-name
Remarks: N/A
Step: 2. Configure one class for a CVLAN and a SVLAN.
Command:
  a. Create a class and enter class view:
     traffic classifier tcl-name [ operator { and | or } ]
  b. Specify one CVLAN as the match criterion:
     if-match customer-vlan-id vlan-id-value
  c. Specify one SVLAN as the match criterion:
     if-match service-vlan-id vlan-id-value
  d. Return to system view:
     quit
Remarks: Repeat these steps to create one class for each local SVLAN pair.

Step: 3. Configure one behavior for an SVLAN.
Command:
  a. Create a traffic behavior and enter traffic behavior view:
     traffic behavior behavior-name
  b. Configure an SVLAN marking action to replace the foreign SVLAN ID with a local SVLAN ID:
     remark service-vlan-id vlan-id-value
  c. Return to system view:
     quit
Remarks: Repeat these steps to create one VLAN marking behavior for each local SVLAN.

Step: 4. Create a QoS policy and enter QoS policy view.
Command: qos policy policy-name
Remarks: N/A
Step: 2. Enter Ethernet interface view.
Command: interface interface-type interface-number
Remarks: N/A

Step: 3. Configure the link type of the port.
Command:
  • Configure the port as a trunk port:
    port link-type trunk
  • Configure the port as a hybrid port:
    port link-type hybrid
Remarks: The default link type of an Ethernet port is access.
Step: 2. Enter Ethernet interface view.
Command: interface interface-type interface-number
Remarks: N/A

Step: 3. Configure the link type of the port.
Command:
  • Configure the port as a trunk port:
    port link-type trunk
  • Configure the port as a hybrid port:
    port link-type hybrid
Remarks: The default link type of an Ethernet port is access.

Step: 4. Assign the port to the local SVLANs.
Command:
  • As a trunk port:
    port trunk permit vlan { vlan-id-list | all }
  • As a hybrid port:
    port hybrid vlan vlan-id-list tagged
Remarks: By default:
  • A trunk port is assigned to only VLAN 1.
  • A hybrid port is an untagged member of VLAN 1.
Figure 54 Network diagram
Configuring Switch A
# Create the CVLANs and SVLANs.
<SwitchA> system-view
[SwitchA] vlan 10 to 100
# Configure downlink policy p11 to map the SVLAN back to the CVLAN.
[SwitchA] traffic classifier c11
[SwitchA-classifier-c11] if-match service-vlan-id 100
[SwitchA-classifier-c11] quit
[SwitchA] traffic behavior b11
[SwitchA-behavior-b11] remark service-vlan-id 10
[SwitchA-behavior-b11] quit
[SwitchA] qos policy p11
[SwitchA-policy-p11] classifier c11 behavior b11
[SwitchA-policy-p11] quit
# Apply uplink policy p1 to the incoming traffic and downlink policy p11 to the outgoing traffic.
[SwitchA-GigabitEthernet4/0/1] qos apply policy p1 inbound
[SwitchA-GigabitEthernet4/0/1] qos apply policy p11 outbound
# Assign network-side port GigabitEthernet 4/0/2 to the CVLAN and SVLAN.
[SwitchA] interface gigabitethernet 4/0/2
[SwitchA-GigabitEthernet4/0/2] port link-type trunk
[SwitchA-GigabitEthernet4/0/2] port trunk permit vlan 10 100
Network diagram (figure labels): CE a1 at Site 1 and CE a2 at Site 2 belong to VPN A in VLAN 10; SP 1 carries VLAN 10, 100 and SP 2 carries VLAN 10, 200; ports labelled GE4/0/1.
Configuring PE 1
# Configure uplink policy test to add outer VLAN tag 100 to VLAN 10 tagged traffic.
<PE1> system-view
[PE1] traffic classifier test
[PE1-classifier-test] if-match service-vlan-id 10
[PE1-classifier-test] quit
[PE1] traffic behavior test
[PE1-behavior-test] nest top-most vlan-id 100
[PE1-behavior-test] quit
[PE1] qos policy test
[PE1-qospolicy-test] classifier test behavior test
[PE1-qospolicy-test] quit
# Set customer-side port GigabitEthernet 4/0/1 as a hybrid port, and assign it to VLAN 100 as an
untagged member, so the port forwards VLAN 100 traffic with the VLAN tag removed. Apply uplink
policy test to the incoming traffic.
[PE1] interface gigabitethernet 4/0/1
[PE1-GigabitEthernet4/0/1] port link-type hybrid
[PE1-GigabitEthernet4/0/1] port hybrid vlan 100 untagged
[PE1-GigabitEthernet4/0/1] qos apply policy test inbound
[PE1-GigabitEthernet4/0/1] quit
# Set network-side port GigabitEthernet 4/0/2 as a trunk port, and assign it to VLAN 100.
[PE1] interface gigabitethernet 4/0/2
[PE1-GigabitEthernet4/0/2] port link-type trunk
[PE1-GigabitEthernet4/0/2] port trunk permit vlan 100
Configuring PE 2
# Set port GigabitEthernet 4/0/1 as a trunk port, and assign it to VLAN 100.
<PE2> system-view
[PE2] interface gigabitethernet 4/0/1
[PE2-GigabitEthernet4/0/1] port link-type trunk
[PE2-GigabitEthernet4/0/1] port trunk permit vlan 100
[PE2-GigabitEthernet4/0/1] quit
# Set port GigabitEthernet 4/0/2 as a trunk port, and assign it to VLAN 100.
[PE2] interface gigabitethernet 4/0/2
[PE2-GigabitEthernet4/0/2] port link-type trunk
[PE2-GigabitEthernet4/0/2] port trunk permit vlan 100
Configuring PE 3
# Configure uplink policy down_uplink for customer-side port GigabitEthernet 4/0/1 to substitute
SVLAN ID 200 for the SVLAN ID in the incoming traffic tagged with CVLAN 10 and SVLAN 100.
<PE3> system-view
[PE3] traffic classifier down_uplink
[PE3-classifier-down_uplink] if-match customer-vlan-id 10
[PE3-classifier-down_uplink] if-match service-vlan-id 100
[PE3-classifier-down_uplink] quit
[PE3] traffic behavior down_uplink
[PE3-behavior-down_uplink] remark service-vlan-id 200
[PE3-behavior-down_uplink] quit
[PE3] qos policy down_uplink
[PE3-qospolicy-down_uplink] classifier down_uplink behavior down_uplink
[PE3-qospolicy-down_uplink] quit
# Configure downlink policy down_downlink for customer-side port GigabitEthernet 4/0/1 to replace
the SVLAN 200 tag with the SVLAN 100 tag.
[PE3] traffic classifier down_downlink
[PE3-classifier-down_downlink] if-match customer-vlan-id 10
[PE3-classifier-down_downlink] if-match service-vlan-id 200
[PE3-classifier-down_downlink] quit
[PE3] traffic behavior down_downlink
[PE3-behavior-down_downlink] remark service-vlan-id 100
[PE3-behavior-down_downlink] quit
[PE3] qos policy down_downlink
[PE3-qospolicy-down_downlink] classifier down_downlink behavior down_downlink
[PE3-qospolicy-down_downlink] quit
# Set customer-side port GigabitEthernet 4/0/1 as a trunk port, assign it to VLAN 200, and apply uplink
policy down_uplink to the incoming traffic and downlink policy down_downlink to the outgoing traffic
on the port.
[PE3] interface gigabitethernet 4/0/1
[PE3-GigabitEthernet4/0/1] port link-type trunk
[PE3-GigabitEthernet4/0/1] port trunk permit vlan 200
[PE3-GigabitEthernet4/0/1] qos apply policy down_uplink inbound
[PE3-GigabitEthernet4/0/1] qos apply policy down_downlink outbound
[PE3-GigabitEthernet4/0/1] quit
# Set network-side port GigabitEthernet 4/0/2 as a trunk port, and assign it to VLAN 200.
[PE3] interface gigabitethernet 4/0/2
[PE3-GigabitEthernet4/0/2] port link-type trunk
[PE3-GigabitEthernet4/0/2] port trunk permit vlan 200
[PE3-GigabitEthernet4/0/2] quit
Configuring PE 4
# Configure uplink policy test to add outer VLAN tag 200 to VLAN 10 tagged traffic.
<PE4> system-view
[PE4] traffic classifier test
[PE4-classifier-test] if-match service-vlan-id 10
[PE4-classifier-test] quit
[PE4] traffic behavior test
[PE4-behavior-test] nest top-most vlan-id 200
[PE4-behavior-test] quit
[PE4] qos policy test
[PE4-qospolicy-test] classifier test behavior test
[PE4-qospolicy-test] quit
# Set port GigabitEthernet 4/0/1 as a hybrid port, and assign it to VLAN 200 as an untagged member,
so the port forwards VLAN 200 traffic with the VLAN tag removed. Apply uplink policy test to the
incoming traffic on the port.
[PE4] interface gigabitethernet 4/0/1
[PE4-GigabitEthernet4/0/1] port link-type hybrid
[PE4-GigabitEthernet4/0/1] port hybrid vlan 200 untagged
[PE4-GigabitEthernet4/0/1] qos apply policy test inbound
Configuring BPDU tunneling
Overview
As a Layer 2 tunneling technology, Bridge Protocol Data Unit (BPDU) tunneling enables Layer 2 protocol
packets from geographically dispersed customer networks to be transparently transmitted over specific
tunnels across a service provider network.
Background
Dedicated lines are used in a service provider network to build user-specific Layer 2 networks. As a result,
a user network is broken down into parts located at different sides of the service provider network. As
shown in Figure 56, User A has two devices (CE 1 and CE 2) and both devices belong to VLAN 100.
User A’s network is divided into network 1 and network 2, which are connected by the service provider
network. When a Layer 2 protocol (for example, STP) runs on both network 1 and network 2, the Layer
2 protocol packets must be transmitted over the service provider network to implement Layer 2 protocol
calculation (for example, spanning tree calculation). When receiving a Layer 2 protocol packet, the PEs
cannot determine whether the packet is from the user network or the service provider network, and must
deliver the packet to the CPU for processing. In this case, the Layer 2 protocol calculation in User A’s
network is mixed with that in the service provider network, and the user network cannot implement
independent Layer 2 protocol calculation.
Figure 56 BPDU tunneling application scenario
With BPDU tunneling, Layer 2 protocol packets from customer networks can be transparently transmitted
over the service provider network in the following workflow:
1. After receiving a Layer 2 protocol packet from CE 1, PE 1 encapsulates the packet, replaces its
destination MAC address with a specific multicast MAC address, and forwards the packet to the
service provider network.
2. The encapsulated Layer 2 protocol packet (called bridge protocol data unit, BPDU) is forwarded
to PE 2 at the other end of the service provider network, which de-encapsulates the packet, restores
the original destination MAC address of the packet, and then sends the packet to CE 2.
BPDU tunneling implementation
To avoid loops in your network, you can enable STP on your switch. When the topology changes at one
side of the customer network, the devices at this side of the customer network send BPDUs to devices on
the other side of the customer network to ensure consistent spanning tree calculation in the entire
customer network. However, because BPDUs are Layer 2 multicast frames, all STP-enabled devices, both
in the customer network and in the service provider network, can receive and process these BPDUs. In this
case, neither the service provider network nor the customer network can correctly calculate its
independent spanning tree.
To allow each network to calculate an independent spanning tree with STP, BPDU tunneling was
introduced.
BPDU tunneling delivers the following benefits:
• BPDUs can be transparently transmitted. BPDUs of one customer network can be broadcast in a
specific VLAN across the service provider network, allowing that customer’s geographically
dispersed networks to implement consistent spanning tree calculation across the service provider
network.
• BPDUs of different customer networks can be confined within different VLANs for transmission on
the service provider network, so each customer network can perform independent spanning tree
calculation.
Figure 57 BPDU tunneling implementation
The upper section of Figure 57 represents the service provider network (ISP network), and the lower
section, including User A network 1 and User A network 2, represents customer networks. Enabling
BPDU tunneling on edge devices (PE 1 and PE 2) in the service provider network allows BPDUs of User
A network 1 and User A network 2 to be transparently transmitted through the service provider network,
thus ensuring consistent spanning tree calculation throughout User A network, without affecting the
spanning tree calculation of the service provider network.
Assume a BPDU is sent from User A network 1 to User A network 2:
1. At the ingress of the service provider network, PE 1 changes the destination MAC address of the
BPDU from 0x0180-C200-0000 to a special multicast MAC address, 0x010F-E200-0003 (the
default multicast MAC address) for example. In the service provider network, the modified BPDU
is forwarded as a data packet in the VLAN assigned to User A.
2. At the egress of the service provider network, PE 2 recognizes the BPDU with the destination MAC
address 0x010F-E200-0003, restores its original destination MAC address 0x0180-C200-0000,
and then sends the BPDU to CE 2.
NOTE:
• The switch supports BPDU tunneling for the Spanning Tree Protocol (STP) only. For more information
about STP, see "Configuring spanning tree protocols."
• Make sure, through configuration, the VLAN tags carried in BPDUs are neither changed nor removed
during the transparent transmission in the service provider network; otherwise, the devices in the service
provider network will fail to transparently transmit the customer network BPDUs correctly.
Configuration prerequisites
• Enable STP in the customer networks before configuring BPDU tunneling for STP.
• Before enabling BPDU tunneling for STP on a port, disable STP on the port.
• Assign the port on which you want to enable BPDU tunneling on the PE device and the connected
port on the CE device to the same VLAN.
• Configure ports connecting network devices in the service provider network as trunk ports allowing
packets of any VLAN to pass through.
Step: 4. Enable BPDU tunneling for STP on the ports.
Command: bpdu-tunnel dot1q stp
Remarks: By default, BPDU tunneling for STP is disabled.
Step: 2. Configure the destination multicast MAC address for BPDUs.
Command: bpdu-tunnel tunnel-dmac mac-address
Remarks: Optional. The default setting is 0x010F-E200-0003.
NOTE:
For BPDUs to be recognized, the destination multicast MAC addresses configured for BPDU tunneling must
be the same on the edge devices on the service provider network.
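An added example, not from the original guide, that models the destination MAC rewrite described under "BPDU tunneling implementation" and the requirement in the note above that the edge devices share one tunnel address. The ProviderEdge class, the constructed BPDU bytes and the audit helper are illustrative assumptions, not device code.

```python
STP_DMAC = "0180-C200-0000"             # original BPDU destination (from the guide)
DEFAULT_TUNNEL_DMAC = "010F-E200-0003"  # default tunnel address (from the guide)


def mac_bytes(text):
    """Convert H-H-H notation, with or without a 0x prefix, to 6 raw bytes."""
    digits = text.lower().replace("-", "")
    if digits.startswith("0x"):
        digits = digits[2:]
    if len(digits) != 12:
        raise ValueError(f"not a 48-bit MAC address: {text!r}")
    return bytes.fromhex(digits)


class ProviderEdge:
    """Hypothetical model of a PE port with BPDU tunneling for STP enabled."""

    def __init__(self, name, tunnel_dmac=DEFAULT_TUNNEL_DMAC):
        self.name = name
        self.tunnel_dmac = mac_bytes(tunnel_dmac)

    def ingress(self, frame):
        """From the CE: replace the STP group address with the tunnel address."""
        if frame[:6] == mac_bytes(STP_DMAC):
            return self.tunnel_dmac + frame[6:]
        return frame

    def egress(self, frame):
        """Toward the CE: restore the STP address only for the local tunnel address."""
        if frame[:6] == self.tunnel_dmac:
            return mac_bytes(STP_DMAC) + frame[6:]
        return frame  # unrecognized destination, the BPDU is not restored


def constructed_bpdu():
    """Constructed sample: STP destination, LLC header, zeroed placeholder body."""
    src = bytes.fromhex("020000000001")   # constructed source MAC
    llc = bytes([0x42, 0x42, 0x03])       # STP LLC header (DSAP, SSAP, control)
    body = bytes(35)                      # placeholder for the BPDU contents
    length = (len(llc) + len(body)).to_bytes(2, "big")
    return mac_bytes(STP_DMAC) + src + length + llc + body


def cross_provider(bpdu, pe_in, pe_out):
    """Return the frame as seen inside the SP network and as delivered to the CE."""
    in_transit = pe_in.ingress(bpdu)
    return in_transit, pe_out.egress(in_transit)


def audit_tunnel_dmac(configured):
    """Group devices by tunnel address (None means default); >1 group is a mismatch."""
    groups = {}
    for device, address in configured.items():
        key = mac_bytes(address or DEFAULT_TUNNEL_DMAC).hex()
        groups.setdefault(key, []).append(device)
    return groups


if __name__ == "__main__":
    bpdu = constructed_bpdu()
    pe1 = ProviderEdge("PE 1", "0100-0ccd-cdd0")
    for pe2 in (ProviderEdge("PE 2", "0100-0ccd-cdd0"), ProviderEdge("PE 2")):
        _, delivered = cross_provider(bpdu, pe1, pe2)
        print(pe2.tunnel_dmac.hex(), "restored" if delivered == bpdu else "not restored")
```

Running the audit over the tunnel-dmac values collected from every edge device flags the mismatch before customers lose spanning tree convergence across the provider network.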
Network requirements
As shown in Figure 58:
• CE 1 and CE 2 are edge devices on the geographically dispersed network of User A; PE 1 and PE
2 are edge devices on the service provider network.
• All ports that connect service provider devices and customer devices are access ports and belong
to VLAN 2; all ports that interconnect service provider devices are trunk ports and allow packets of
any VLAN to pass through.
• MSTP is enabled on User A’s network.
Configure BPDU tunneling, so that CE 1 and CE 2 implement consistent spanning tree calculation across
the service provider network and that the destination multicast MAC address carried in BPDUs be
0x0100-0CCD-CDD0.
Figure 58 Network diagram
Configuration procedure
1. Configure PE 1:
# Configure the destination multicast MAC address for BPDUs as 0x0100-0CCD-CDD0.
<PE1> system-view
[PE1] bpdu-tunnel tunnel-dmac 0100-0ccd-cdd0
# Create VLAN 2 and assign GigabitEthernet 4/0/1 to VLAN 2.
[PE1] vlan 2
[PE1-vlan2] quit
[PE1] interface gigabitethernet 4/0/1
[PE1-GigabitEthernet4/0/1] port access vlan 2
# Disable STP on GigabitEthernet 4/0/1, and then enable BPDU tunneling for STP on it.
[PE1-GigabitEthernet4/0/1] stp disable
[PE1-GigabitEthernet4/0/1] bpdu-tunnel dot1q stp
2. Configure PE 2:
# Configure the destination multicast MAC address for BPDUs as 0x0100-0CCD-CDD0.
<PE2> system-view
[PE2] bpdu-tunnel tunnel-dmac 0100-0ccd-cdd0
# Create VLAN 2 and assign GigabitEthernet 4/0/2 to VLAN 2.
[PE2] vlan 2
[PE2-vlan2] quit
[PE2] interface gigabitethernet 4/0/2
[PE2-GigabitEthernet4/0/2] port access vlan 2
# Disable STP on GigabitEthernet 4/0/2, and then enable BPDU tunneling for STP on it.
[PE2-GigabitEthernet4/0/2] stp disable
[PE2-GigabitEthernet4/0/2] bpdu-tunnel dot1q stp
Configuring GVRP
The Generic Attribute Registration Protocol (GARP) provides a generic framework whereby devices in a
bridged LAN, such as end stations and switches, can register and deregister attribute values. The GARP
VLAN Registration Protocol (GVRP) is a GARP application that registers and deregisters VLAN attributes.
GVRP uses the operating mechanism of GARP to maintain and propagate dynamic VLAN registration
information for the GVRP devices on the network.
Overview
GARP
GARP provides a mechanism that allows participants in a GARP application to distribute, propagate,
and register with other participants in a LAN the attributes specific to the GARP application, such as the
VLAN or multicast address attributes.
GARP messages
A GARP participant exchanges information with other GARP participants by sending GARP messages,
including Join, Leave, and LeaveAll. These messages work together to ensure the registration and
de-registration of attribute information. As a GARP application, GVRP also uses GARP messages for
information exchange.
1. Join messages
A GARP participant sends Join messages when it wishes to declare its attribute values or receives
Join messages from other GARP participants. There are two types of Join messages: JoinEmpty and
JoinIn.
◦ A GARP participant sends a JoinEmpty message to declare an attribute not registered on it.
◦ A GARP participant sends a JoinIn message to declare an attribute registered on it.
2. Leave messages
A GARP participant sends Leave messages when it wishes to withdraw declarations of its attribute
values, or receives Leave messages from other participants. There are two types of Leave
messages: LeaveEmpty and LeaveIn.
◦ A GARP participant sends a LeaveEmpty message to deregister an attribute not registered on
it.
◦ A GARP participant sends a LeaveIn message to deregister an attribute registered on it.
3. LeaveAll messages
A GARP participant sends a LeaveAll message when it declares that it is deregistering all attribute
values or receives LeaveAll messages from other participants. If any participants want to maintain
the registration for a particular attribute value, they must send a Join message.
GARP timers
GARP defines the following timers to control the sending of GARP messages:
1. Hold timer
The Hold timer sets the delay that a GARP participant waits before sending a Join or Leave
message.
When an attribute value changes or a Join or Leave message arrives, the GARP participant does
not send the message immediately. Rather, it assembles Join and Leave messages in the least
number of GARP PDUs, and sends them out when the Hold timer expires. This timer reduces the
number of GARP PDUs and saves bandwidth.
2. Join timer
A GARP participant may declare an attribute twice to ensure reliable transmission. The Join timer
sets the interval between the two declarations.
A GARP participant starts a Join timer when it declares an attribute value or receives a JoinIn
message for the attribute value. If the GARP participant does not receive any declaration for the
attribute value when the Join timer expires, it re-declares the attribute value.
Because all attributes of a GARP participant share the same Join timer, you must set the Join timer
long enough so that all attributes can be sent out in one declaration.
3. Leave timer
A GARP participant starts a Leave timer when it receives a Leave message for an attribute value.
If the GARP participant has not received a Join message for the attribute value before the timer
expires, it deregisters the attribute value.
4. LeaveAll timer
When a GARP application is enabled, a LeaveAll timer starts. The GARP participant sends a
LeaveAll message when the timer expires. Then, the LeaveAll timer restarts to begin a new cycle.
The LeaveAll timer and all other GARP timers also restart when the GARP participant receives a
LeaveAll message.
Set the LeaveAll timer greater than any Leave timer and not smaller than its default value (1000
centiseconds). Each time a LeaveAll timer expires, a network-wide re-join occurs.
On a GARP-enabled network, a device may send LeaveAll messages at the interval set by its
LeaveAll timer or the LeaveAll timer of another device on the network, whichever is smaller. This is
because each time a device on the network receives a LeaveAll message it resets its LeaveAll timer.
NOTE:
• The settings of GARP timers apply to all GARP applications, such as GVRP, on a LAN.
• On a GARP-enabled network, each port of a device maintains its own Hold, Join, and Leave timers, but
only one LeaveAll timer is maintained on each device globally.
• The value ranges for the Hold, Join, Leave, and LeaveAll timers are dependent on one another. For more
information, see Table 20.
As shown in Figure 60, GARP PDUs use the IEEE 802.3 Ethernet frame format.
Table 19 The GARP PDU fields
Field: Attribute
Description: Consists of an Attribute Length, an Attribute Event, and an Attribute Value.
Value: N/A
The destination MAC addresses of GARP messages are multicast MAC addresses, and vary with GARP
applications. For example, the destination MAC address of GVRP is 01-80-C2-00-00-21. A device
distributes GARP messages to different GARP applications according to the destination MAC addresses
carried in GARP messages.
GVRP
GVRP overview
As a GARP application, GVRP enables a device to propagate local VLAN registration information to
other participant devices, and to dynamically update the VLAN registration information from other
devices to its local database, including active VLAN members and through which port they can be
reached. This makes sure all GVRP participants on a bridged LAN maintain the same VLAN registration
information. The VLAN registration information propagated by GVRP includes both manually configured
local static entries and dynamic entries from other devices.
GVRP configuration task list
Task: Configuring GVRP functions
Remarks: Required.
NOTE:
• GVRP configuration made in Ethernet interface view or Layer-2 aggregate interface view takes effect on
the current interface only. GVRP configuration made in port group view takes effect on all the member
ports in the group.
• GVRP configuration made on a member port in an aggregation group takes effect only after the port is
removed from the aggregation group.
Configuration procedure
To configure GVRP functions on a trunk port:
Step: 2. Enable GVRP globally.
Command: gvrp
Remarks: By default, GVRP is globally disabled.
Step: 6. Enable GVRP on the ports.
Command: gvrp
Remarks: By default, GVRP is disabled on ports.

Step: 7. Configure the GVRP registration mode on the ports.
Command: gvrp registration { fixed | forbidden | normal }
Remarks: Optional. The default setting is normal. When you set the GVRP registration mode to forbidden, HP recommends that you make sure the port allows packets from VLAN 1 to pass through.
Step: 2. Configure the GARP LeaveAll timer.
Command: garp timer leaveall timer-value
Remarks: Optional. The default setting is 1000 centiseconds.

Step: 4. Configure the Hold timer.
Command: garp timer hold timer-value
Remarks: Optional. The default setting is 10 centiseconds.

Step: 5. Configure the Join timer.
Command: garp timer join timer-value
Remarks: Optional. The default setting is 20 centiseconds.

Step: 6. Configure the Leave timer.
Command: garp timer leave timer-value
Remarks: Optional. The default setting is 60 centiseconds.
As shown in Table 20, the value ranges for GARP timers are dependent on one another:
• If you want to set a value beyond the value range for a timer, you may change the value range by
tuning the value of another related timer.
• If you want to restore the default settings of the timers, restore the Hold timer first, and then the Join,
Leave, and LeaveAll timers.
Table 20 Dependencies of GARP timers
Join: No less than two times the Hold timer setting; less than half of the Leave timer setting.
Leave: Greater than two times the Join timer setting; less than the LeaveAll timer setting.
NOTE:
To keep the dynamic VLANs learned through GVRP stable, do not set the LeaveAll timer smaller than its
default value, 1000 centiseconds.
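An added example, not part of the original guide: a lint for garp timer settings that applies the Join and Leave rows of Table 20 and the LeaveAll recommendation in the note above. It assumes the lines belong to one port plus the global LeaveAll setting; the device prompts in the sample input are constructed.

```python
import re

# Default timer values in centiseconds, as listed in the guide.
DEFAULTS = {"hold": 10, "join": 20, "leave": 60, "leaveall": 1000}
TIMER_CMD = re.compile(r"\bgarp timer (hold|join|leave|leaveall) (\d+)\s*$")


def parse_timers(config_lines):
    """Collect garp timer commands; timers that are not set keep their defaults."""
    timers = dict(DEFAULTS)
    for line in config_lines:
        match = TIMER_CMD.search(line)
        if match:
            timers[match.group(1)] = int(match.group(2))
    return timers


def check_timers(timers):
    """Return the dependency rules from the guide that the values break."""
    problems = []
    if timers["join"] < 2 * timers["hold"]:
        problems.append("Join must be no less than two times the Hold timer")
    if 2 * timers["join"] >= timers["leave"]:
        problems.append("Join must be less than half of the Leave timer")
    if timers["leave"] >= timers["leaveall"]:
        problems.append("Leave must be less than the LeaveAll timer")
    if timers["leaveall"] < DEFAULTS["leaveall"]:
        problems.append("LeaveAll is below its default of 1000 centiseconds")
    return problems


def allowed_ranges(timers):
    """Inclusive (low, high) ranges for Join and Leave given the other timers.

    Shows which related timer to tune when a wanted value is out of range.
    """
    return {
        "join": (2 * timers["hold"], (timers["leave"] - 1) // 2),
        "leave": (2 * timers["join"] + 1, timers["leaveall"] - 1),
    }


if __name__ == "__main__":
    # Constructed sample configuration lines.
    sample = [
        "[DeviceA] garp timer leaveall 500",
        "[DeviceA-GigabitEthernet3/0/1] garp timer join 30",
    ]
    timers = parse_timers(sample)
    for problem in check_timers(timers):
        print("violation:", problem)
    print("ranges:", allowed_ranges(timers))
```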
Task: Display statistics about GARP on ports.
Command: display garp statistics [ interface interface-list ] [ | { begin | exclude | include } regular-expression ]
Remarks: Available in any view.
Configuration procedure
1. Configure Device A:
# Enable GVRP globally.
<DeviceA> system-view
[DeviceA] gvrp
# Configure port GigabitEthernet 3/0/1 as a trunk port, and assign it to all VLANs.
[DeviceA] interface GigabitEthernet 3/0/1
[DeviceA-GigabitEthernet3/0/1] port link-type trunk
[DeviceA-GigabitEthernet3/0/1] port trunk permit vlan all
# Enable GVRP on trunk port GigabitEthernet 3/0/1.
[DeviceA-GigabitEthernet3/0/1] gvrp
[DeviceA-GigabitEthernet3/0/1] quit
# Create VLAN 2 (a static VLAN).
[DeviceA] vlan 2
[DeviceA-vlan2] quit
2. Configure Device B:
# Enable GVRP globally.
<DeviceB> system-view
[DeviceB] gvrp
# Configure port GigabitEthernet 3/0/1 as a trunk port, and assign it to all VLANs.
[DeviceB] interface GigabitEthernet 3/0/1
[DeviceB-GigabitEthernet3/0/1] port link-type trunk
[DeviceB-GigabitEthernet3/0/1] port trunk permit vlan all
# Enable GVRP on trunk port GigabitEthernet 3/0/1.
[DeviceB-GigabitEthernet3/0/1] gvrp
[DeviceB-GigabitEthernet3/0/1] quit
# Create VLAN 3 (a static VLAN).
[DeviceB] vlan 3
[DeviceB-vlan3] quit
3. Verify the configuration:
Use the display gvrp local-vlan command to display the local VLAN information maintained by
GVRP on ports. For example:
# Display the local VLAN information maintained by GVRP on port GigabitEthernet 3/0/1 of
Device A.
[DeviceA] display gvrp local-vlan interface GigabitEthernet 3/0/1
Following VLANs exist in GVRP local database:
1(default),2-3
According to the output above, information about VLAN 1, static VLAN information of VLAN 2 on
the local device, and dynamic VLAN information of VLAN 3 on Device B are all registered through
GVRP.
# Display the local VLAN information maintained by GVRP on port GigabitEthernet 3/0/1 of
Device B.
[DeviceB] display gvrp local-vlan interface GigabitEthernet 3/0/1
Following VLANs exist in GVRP local database:
1(default),2-3
According to the output above, information about VLAN 1, static VLAN information of VLAN 3 on
the local device, and dynamic VLAN information of VLAN 2 on Device A are all registered through
GVRP.
Figure 62 Network diagram
Configuration procedure
1. Configure Device A:
# Enable GVRP globally.
<DeviceA> system-view
[DeviceA] gvrp
# Configure port GigabitEthernet 3/0/1 as a trunk port, and assign it to all VLANs.
[DeviceA] interface GigabitEthernet 3/0/1
[DeviceA-GigabitEthernet3/0/1] port link-type trunk
[DeviceA-GigabitEthernet3/0/1] port trunk permit vlan all
# Enable GVRP on GigabitEthernet 3/0/1 and set the GVRP registration mode to fixed on the
port.
[DeviceA-GigabitEthernet3/0/1] gvrp
[DeviceA-GigabitEthernet3/0/1] gvrp registration fixed
[DeviceA-GigabitEthernet3/0/1] quit
# Create VLAN 2 (a static VLAN).
[DeviceA] vlan 2
[DeviceA-vlan2] quit
2. Configure Device B:
# Enable GVRP globally.
<DeviceB> system-view
[DeviceB] gvrp
# Configure port GigabitEthernet 3/0/1 as a trunk port, and assign it to all VLANs.
[DeviceB] interface GigabitEthernet 3/0/1
[DeviceB-GigabitEthernet3/0/1] port link-type trunk
[DeviceB-GigabitEthernet3/0/1] port trunk permit vlan all
# Enable GVRP on GigabitEthernet 3/0/1, and set the GVRP registration mode to fixed on the
port.
[DeviceB-GigabitEthernet3/0/1] gvrp
[DeviceB-GigabitEthernet3/0/1] gvrp registration fixed
[DeviceB-GigabitEthernet3/0/1] quit
# Create VLAN 3 (a static VLAN).
[DeviceB] vlan 3
[DeviceB-vlan3] quit
3. Verify the configuration:
Use the display gvrp local-vlan command to display the local VLAN information maintained by
GVRP on ports. For example:
# Display the local VLAN information maintained by GVRP on port GigabitEthernet 3/0/1 of
Device A.
[DeviceA] display gvrp local-vlan interface GigabitEthernet 3/0/1
Following VLANs exist in GVRP local database:
1(default), 2
According to the output above, information about VLAN 1 and static VLAN information of VLAN
2 on the local device are registered through GVRP, but dynamic VLAN information of VLAN 3 on
Device B is not.
# Display the local VLAN information maintained by GVRP on port GigabitEthernet 3/0/1 of
Device B.
[DeviceB] display gvrp local-vlan interface GigabitEthernet 3/0/1
Following VLANs exist in GVRP local database:
1(default), 3
According to the output above, information about VLAN 1 and static VLAN information of VLAN
3 on the local device are registered through GVRP, but dynamic VLAN information of VLAN 2 on
Device A is not.
Configuration procedure
1. Configure Device A:
# Enable GVRP globally.
<DeviceA> system-view
[DeviceA] gvrp
# Configure port GigabitEthernet 3/0/1 as a trunk port, and assign it to all VLANs.
[DeviceA] interface GigabitEthernet 3/0/1
[DeviceA-GigabitEthernet3/0/1] port link-type trunk
[DeviceA-GigabitEthernet3/0/1] port trunk permit vlan all
# Enable GVRP on GigabitEthernet 3/0/1, and set the GVRP registration mode to forbidden on
the port.
[DeviceA-GigabitEthernet3/0/1] gvrp
[DeviceA-GigabitEthernet3/0/1] gvrp registration forbidden
[DeviceA-GigabitEthernet3/0/1] quit
# Create VLAN 2 (a static VLAN).
[DeviceA] vlan 2
[DeviceA-vlan2] quit
2. Configure Device B:
# Enable GVRP globally.
<DeviceB> system-view
[DeviceB] gvrp
# Configure port GigabitEthernet 3/0/1 as a trunk port, and assign it to all VLANs.
[DeviceB] interface GigabitEthernet 3/0/1
[DeviceB-GigabitEthernet3/0/1] port link-type trunk
[DeviceB-GigabitEthernet3/0/1] port trunk permit vlan all
# Enable GVRP on GigabitEthernet 3/0/1, and set the GVRP registration mode to forbidden on
the port.
[DeviceB-GigabitEthernet3/0/1] gvrp
[DeviceB-GigabitEthernet3/0/1] gvrp registration forbidden
[DeviceB-GigabitEthernet3/0/1] quit
# Create VLAN 3 (a static VLAN).
[DeviceB] vlan 3
[DeviceB-vlan3] quit
3. Verify the configuration:
Use the display gvrp local-vlan command to display the local VLAN information maintained by
GVRP on ports. For example:
# Display the local VLAN information maintained by GVRP on port GigabitEthernet 3/0/1 of
Device A.
[DeviceA] display gvrp local-vlan interface GigabitEthernet 3/0/1
Following VLANs exist in GVRP local database:
1(default)
The output shows that information about VLAN 1 is registered through GVRP, but static VLAN
information of VLAN 2 on the local device and dynamic VLAN information of VLAN 3 on Device
B are not.
# Display the local VLAN information maintained by GVRP on port GigabitEthernet 3/0/1 of
Device B.
[DeviceB] display gvrp local-vlan interface GigabitEthernet 3/0/1
Following VLANs exist in GVRP local database:
1(default)
The output shows that information about VLAN 1 is registered through GVRP, but static VLAN
information of VLAN 3 on the local device and dynamic VLAN information of VLAN 2 on Device
A are not.
Configuring loopback detection
Overview
Incorrect network connections or configurations can create loops at Layer 2, which cause the affected
devices to repeatedly transmit broadcasts, multicasts, and unknown unicasts. This wastes network
resources and can paralyze the network. The loopback detection mechanism notifies you promptly when
a loop occurs, so that you can check network connections and configurations. It reports the loop by
printing logs and sending trap messages and, if so configured, removes the loop by automatically
shutting down the looped port. For more information about logs and trap messages, see Network
Management and Monitoring Configuration Guide.
Figure 64 Ethernet header of a loopback detection frame (fields: DMAC, SMAC, TPID, TCI, Type)
Figure 64 shows the format of the Ethernet header of a loopback detection frame. The Ethernet header
contains the following fields:
• DMAC—Destination MAC address of the loopback detection frame, which is the multicast MAC
address 010F-E200-0007. When a loopback detection-enabled switch receives a frame with this
destination MAC address, it sends the frame to the CPU and broadcasts the frame in the VLAN from
which the frame was originally received.
• SMAC—Source MAC address of the loopback detection frame, which is the bridge MAC address
of the sending switch.
• TPID—Tag Protocol Identifier, type of the VLAN tag, with the value of 0x8100.
• TCI—Tag Control Information, information of the VLAN tag, including the priority and VLAN ID.
• Type—Protocol type, with the value of 0x8918.
Figure 65 Inner header of a loopback detection frame
Bits 0-15: Code      Bits 16-31: Version
Bits 0-15: Length    Bits 16-31: Reserved
Figure 65 shows the format of the inner header of a loopback detection frame. The inner header contains
the following fields:
• Code—Protocol sub-type, with the value of 0x0001, indicating the loopback detection protocol.
• Version—Protocol version, with the value of 0x0000, which is reserved.
• Length—Length of the loopback detection frame, including the inner header, but not the Ethernet
header.
• Reserved—This field is reserved.
Loopback detection frames are constructed in the form of TLV (type/length/value) triplets. Table 21 lists
the required and optional TLVs supported by the loopback detection mechanism.
Table 21 TLVs supported by the loopback detection mechanism
Device ID: TLV that indicates the bridge MAC address of the sending switch. Required.
Port ID: TLV that indicates the ID of the PDU sending port. Optional.
Port Name: TLV that indicates the name of the PDU sending port. Optional.
Chassis ID: TLV that indicates the chassis ID of the sending port. Optional.
Slot ID: TLV that indicates the slot ID of the sending port. Optional.
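The header layout described above, as an added Python example that is not part of the HP guide: it validates the fixed fields of a captured loopback detection frame and extracts the sender, VLAN ID, priority, and TLV area. The 16-bit width of each inner-header field is an assumption read from Figure 65, the TLV bytes are returned undecoded because the page gives no TLV encoding, and the sample frame is constructed.

```python
import struct

LPDT_DMAC = bytes.fromhex("010fe2000007")  # multicast DMAC 010F-E200-0007
TPID_8021Q = 0x8100
LPDT_ETHERTYPE = 0x8918
LPDT_CODE = 0x0001
ETH_HDR_LEN = 18    # DMAC(6) + SMAC(6) + TPID(2) + TCI(2) + Type(2)
INNER_HDR_LEN = 8   # Code, Version, Length, Reserved: 16 bits each (assumed from Figure 65)


def fmt_mac(raw):
    """Format 6 bytes in the XXXX-XXXX-XXXX style used in this guide."""
    h = raw.hex().upper()
    return "-".join(h[i:i + 4] for i in range(0, 12, 4))


def parse_lpdt_frame(frame):
    """Validate the fixed fields of one frame and return its decoded headers.

    Raises ValueError naming the first field that does not match.
    """
    if len(frame) < ETH_HDR_LEN + INNER_HDR_LEN:
        raise ValueError("frame shorter than Ethernet header plus inner header")
    tpid, tci, ethertype = struct.unpack("!HHH", frame[12:18])
    code, version, length, _reserved = struct.unpack("!HHHH", frame[18:26])
    available = len(frame) - ETH_HDR_LEN  # bytes after the Ethernet header
    checks = [
        (frame[0:6] == LPDT_DMAC, "DMAC is not 010F-E200-0007"),
        (tpid == TPID_8021Q, "TPID is not 0x8100"),
        (ethertype == LPDT_ETHERTYPE, "Type is not 0x8918"),
        (code == LPDT_CODE, "Code is not 0x0001"),
        # Length covers the inner header and TLVs, not the Ethernet header.
        (INNER_HDR_LEN <= length <= available, "Length does not fit the captured bytes"),
    ]
    for ok, reason in checks:
        if not ok:
            raise ValueError(reason)
    return {
        "smac": fmt_mac(frame[6:12]),          # bridge MAC of the sending switch
        "priority": tci >> 13,                 # 802.1Q priority, top 3 bits of TCI
        "vlan_id": tci & 0x0FFF,               # VLAN ID, low 12 bits of TCI
        "version": version,
        "length": length,
        "tlv_bytes": frame[ETH_HDR_LEN + INNER_HDR_LEN:ETH_HDR_LEN + length],
        "padding": available - length,         # trailing bytes beyond Length
    }


# Constructed sample: VLAN 100, priority 7, 12 opaque TLV bytes, zero padding to 64 bytes.
PLACEHOLDER_TLVS = bytes(12)
SAMPLE_FRAME = (
    LPDT_DMAC
    + bytes.fromhex("020000000001")  # constructed sender bridge MAC
    + struct.pack("!HHH", TPID_8021Q, (7 << 13) | 100, LPDT_ETHERTYPE)
    + struct.pack("!HHHH", LPDT_CODE, 0x0000, INNER_HDR_LEN + len(PLACEHOLDER_TLVS), 0)
    + PLACEHOLDER_TLVS
    + bytes(26)
)

if __name__ == "__main__":
    print(parse_lpdt_frame(SAMPLE_FRAME))
```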
NOTE:
A port shut down by the system during the loopback detection process can only be manually brought up
by using the undo shutdown command.
To enable loopback detection in VLAN view:
NOTE:
HP recommends that you do not configure the port mirroring function on the member ports of a loopback
detection-enabled VLAN. For more information about port mirroring, see Network Management and
Monitoring Configuration Guide.
Loopback detection configuration example
IMPORTANT:
By default, Ethernet, VLAN, and aggregate interfaces are in DOWN state. Before configuring these
interfaces, use the undo shutdown command to bring them up.
Network requirements
As shown in Figure 66,
• Device A, Device B, and Device C form a ring-shaped network. The network administrator typically
shuts down GigabitEthernet 4/0/1 of Device B to prevent loops in the network.
• Configure loopback detection on Device A so that when a loop resulting from incorrect
configuration occurs, Device A can automatically shut down the looped port and remind the user to
check the network connections by printing log information and sending trap messages.
Figure 66 Network diagram
Configuring Device A
# Create VLAN 100 and then enable loopback detection on it.
<DeviceA> system-view
[DeviceA] vlan 100
[DeviceA-vlan100] loopback-detection enable
[DeviceA-vlan100] quit
# Configure GigabitEthernet 4/0/1 and GigabitEthernet 4/0/2 as trunk ports and assign them to
VLAN 100.
[DeviceA] interface GigabitEthernet 4/0/1
[DeviceA-GigabitEthernet4/0/1] port link-type trunk
[DeviceA-GigabitEthernet4/0/1] port trunk permit vlan 100
[DeviceA-GigabitEthernet4/0/1] quit
[DeviceA] interface GigabitEthernet 4/0/2
[DeviceA-GigabitEthernet4/0/2] port link-type trunk
[DeviceA-GigabitEthernet4/0/2] port trunk permit vlan 100
[DeviceA-GigabitEthernet4/0/2] quit
# Set the loopback detection interval to 35 seconds.
[DeviceA] loopback-detection interval-time 35
Configuring Device B
# Create VLAN 100.
<DeviceB> system-view
[DeviceB] vlan 100
[DeviceB-vlan100] quit
# Configure GigabitEthernet 4/0/1 and GigabitEthernet 4/0/2 as trunk ports and assign them to
VLAN 100.
[DeviceB] interface GigabitEthernet 4/0/1
[DeviceB-GigabitEthernet4/0/1] port link-type trunk
[DeviceB-GigabitEthernet4/0/1] port trunk permit vlan 100
[DeviceB-GigabitEthernet4/0/1] quit
[DeviceB] interface GigabitEthernet 4/0/2
[DeviceB-GigabitEthernet4/0/2] port link-type trunk
[DeviceB-GigabitEthernet4/0/2] port trunk permit vlan 100
[DeviceB-GigabitEthernet4/0/2] quit
Configuring Device C
# Create VLAN 100.
<DeviceC> system-view
[DeviceC] vlan 100
[DeviceC-vlan100] quit
# Configure GigabitEthernet 4/0/1 and GigabitEthernet 4/0/2 as trunk ports and assign them to
VLAN 100.
[DeviceC] interface GigabitEthernet 4/0/1
[DeviceC-GigabitEthernet4/0/1] port link-type trunk
[DeviceC-GigabitEthernet4/0/1] port trunk permit vlan 100
[DeviceC-GigabitEthernet4/0/1] quit
[DeviceC] interface GigabitEthernet 4/0/2
[DeviceC-GigabitEthernet4/0/2] port link-type trunk
[DeviceC-GigabitEthernet4/0/2] port trunk permit vlan 100
[DeviceC-GigabitEthernet4/0/2] quit
100
No loopback is detected on any interface.
The output shows that loopback detection is enabled on Device A, and no looped ports are detected.
# Display the loopback detection status on Device B.
[DeviceB] display loopback-detection
Loopback-detection is not running.
The output shows that loopback detection is not enabled on Device B or Device C.
Assume that later on, GigabitEthernet 4/0/1 of Device B is brought up by the network administrator by
mistake. Within a loopback detection interval, Device A will detect a loop on ports GigabitEthernet
4/0/1 and GigabitEthernet 4/0/2. Consequently, it automatically shuts down the ports and prints the
following log information:
[DeviceA]
%Feb 24 15:04:29:663 2010 DeviceA LPDT/4/LOOPED:Slot=4;
Loopback exists on GigabitEthernet4/0/1.
%Feb 24 15:04:29:667 2009 DeviceA LPDT/4/LOOPED:Slot=1;
Loopback exists on GigabitEthernet4/0/2.
%Feb 24 15:04:44:243 2010 DeviceA LPDT/4/RECOVERED:Slot=4;
Loopback on GigabitEthernet4/0/1 recovered.
%Feb 24 15:04:44:248 2009 DeviceA LPDT/4/RECOVERED:Slot=1;
Loopback on GigabitEthernet4/0/2 recovered.
When you see the log information above, use the display loopback-detection command again to display
the loopback detection status on Device A.
# Display the loopback detection operating status on Device A.
[DeviceA] display loopback-detection
Loopback-detection is running.
Detection interval is 35 second(s).
Action mode: Shutdown
Loopback-detection is enabled on the following VLAN(s):
100
No loopback is detected on any interface.
The output shows that no loop is detected on GigabitEthernet 4/0/1 and GigabitEthernet 4/0/2. The
reason is that the loopback detection action is set to shutdown, in which case, the two ports are
automatically shut down when a loop occurs on them. The shutdown action removes the loop. Use the
display interface command to display the status information of GigabitEthernet 4/0/1 and
GigabitEthernet 4/0/2 on Device A:
# Display the status information of GigabitEthernet 4/0/1 on Device A.
[DeviceA] display interface gigabitethernet 4/0/1
GigabitEthernet 4/0/1 current state: DOWN ( Loopback detection-protected )
...
...
The output above shows that GigabitEthernet 4/0/1 and GigabitEthernet 4/0/2 have already been
shut down by the loopback detection module.
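The LPDT log messages shown in this example can be tracked per port to see which loops are still open and how long a closed loop lasted. The following Python code is an added example, not part of the HP guide; it assumes the message layout of the log sample above, its function names are hypothetical, and the log lines embedded in it are constructed.

```python
import re
from datetime import datetime

# Constructed sample in the layout of the LPDT messages shown in this example.
SAMPLE_LOG = """\
%Mar 02 09:10:00:100 2010 DeviceA LPDT/4/LOOPED:Slot=4;
 Loopback exists on GigabitEthernet4/0/1.
%Mar 02 09:10:00:104 2010 DeviceA LPDT/4/LOOPED:Slot=4;
 Loopback exists on GigabitEthernet4/0/2.
%Mar 02 09:10:35:400 2010 DeviceA LPDT/4/RECOVERED:Slot=4;
 Loopback on GigabitEthernet4/0/1 recovered.
"""

RECORD_RE = re.compile(
    r"^%(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}:\d{3} \d{4}) (?P<host>\S+) "
    r"LPDT/\d/(?P<event>LOOPED|RECOVERED):Slot=(?P<slot>\d+); *(?P<text>.*)$"
)
PORT_RE = re.compile(r"\bon ([A-Za-z-]+\d+(?:/\d+)*)")


def parse_events(log_text):
    """Join wrapped lines into records and return LPDT events in log order."""
    records, current = [], None
    for line in log_text.splitlines():
        if line.startswith("%"):            # a new message starts with '%'
            current = [line.strip()]
            records.append(current)
        elif current is not None and line.strip():
            current.append(line.strip())    # continuation of the previous message
    events = []
    for parts in records:
        m = RECORD_RE.match(" ".join(parts))
        port = PORT_RE.search(m.group("text")) if m else None
        if not port:
            continue                        # not an LPDT loop message
        when = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S:%f %Y")
        events.append((when, m.group("host"), m.group("event"), port.group(1)))
    return events


def loop_status(events):
    """Per (host, port): loop count, open-since time, duration of the last closed loop."""
    status = {}
    for when, host, event, port in events:
        s = status.setdefault(
            (host, port), {"loops": 0, "open_since": None, "last_duration_s": None}
        )
        if event == "LOOPED":
            if s["open_since"] is None:     # repeated LOOPED lines belong to the same loop
                s["loops"] += 1
                s["open_since"] = when
        elif s["open_since"] is not None:   # RECOVERED closes an open loop
            s["last_duration_s"] = (when - s["open_since"]).total_seconds()
            s["open_since"] = None
        # A RECOVERED line with no earlier LOOPED line (rotated log) is ignored.
    return status


def open_loops(status):
    """Ports whose last LOOPED message has no matching RECOVERED message yet."""
    return sorted(f"{host} {port}" for (host, port), s in status.items() if s["open_since"])


if __name__ == "__main__":
    state = loop_status(parse_events(SAMPLE_LOG))
    print("still looped:", open_loops(state))
    for key, value in state.items():
        print(key, value)
```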
Configuring VLAN termination
The switch does not support QinQ termination when it is operating in standard mode. For more
information about the commands of system operating modes, see Fundamentals Command Reference.
Overview
VLAN termination assigns a received VLAN-tagged packet to the corresponding interface according to
its VLAN tag. The interface then removes the VLAN tags of the packet and forwards the packet through
Layer 3 or processes it in another way. Before sending a packet, the port adds VLAN tags to the packet
according to the VLAN termination configuration on the port.
Application scenarios
Inter-VLAN communication
Hosts in different VLANs cannot directly communicate with each other. You can use Layer 3 routing to
allow all VLANs to communicate. To allow the specified VLANs to communicate, configure VLAN
termination on VLAN interfaces.
As shown in Figure 67, Host A belongs to VLAN 2, Host B belongs to VLAN 3, and Host C belongs to
VLAN 4. Create VLAN-interface 2 and VLAN-interface 3 on the device, and specify Host A's gateway
IP address as 1.1.1.1/24 and Host B's gateway IP address as 1.1.2.1/24. With the configuration, Host A
and Host B can communicate at Layer 3 through VLAN interfaces. When VLAN-interface 2 receives a
packet from Host A, the interface removes the VLAN tag 2 of the packet and forwards the packet to
VLAN-interface 3. VLAN-interface 3 then tags the packet with VLAN 3 and forwards it to Host B. The
packet sent from Host B to Host A is processed in the same way.
Because VLAN-interface 4 is not created on the device, the device cannot terminate packets from Host C.
As a result, Host C cannot communicate with Host A or Host B.
Figure 67 VLAN termination for inter-VLAN communication
LAN-WAN communication
Most packets sent out of LANs carry VLAN tags, but some WAN protocols such as ATM, Frame Relay,
and PPP cannot recognize VLAN-tagged packets. Therefore, before sending VLAN-tagged packets to a
WAN, the sending port must locally record VLAN information and remove VLAN tags from the packets.
VLAN termination serves this purpose. You can configure VLAN interfaces to enable
LAN-WAN communication.
As shown in Figure 68, the VLANs of the customer network are called customer VLANs (CVLANs), and
the VLANs of the service provider network are called service provider VLANs (SVLANs). When a packet
carrying a CVLAN tag enters the service provider network, it is tagged with an SVLAN tag and
forwarded based on the SVLAN tag. When the packet is to be forwarded to an external WAN, the
gateway (Device) must perform VLAN termination for the packet and remove the two layers of VLAN tags
from the packet before sending the packet to the WAN.
Figure 68 VLAN termination enables LAN-WAN communication
Traditional solution
As shown in Figure 69, configure the QinQ feature on the distribution layer devices and configure QinQ
termination on core layer devices. Configuration examples use the traditional networking solution
unless an example is marked as using the lite solution.
Figure 69 Traditional QinQ termination networking solution
(Diagram labels: Core layer (Device): create a VLAN interface for QinQ termination. Distribution layer:
enable QinQ and assign SVLANs. Access layer: assign CVLANs. Devices shown: L2 Switch A, L2 Switch B,
L2 Switch C, and a server group.)
Lite solution
As shown in Figure 70, configure both the QinQ feature and QinQ termination on core layer devices,
and you do not need to configure the distribution layer devices. When you use the lite solution and create
a VLAN interface on the core layer devices for QinQ termination, make sure the inner VLAN IDs (CVLAN
IDs) to be terminated do not include the VLAN interface number.
Figure 70 Lite QinQ termination networking solution
(Diagram labels: Core layer (Device): create a VLAN interface for QinQ termination. Access port: enable
QinQ and assign SVLANs. Server group.)
VLAN termination configuration task list
Task Remarks
IMPORTANT:
To obtain the correct VLAN ID, make sure the Layer 2 physical interface to which the VLAN interface is
bound maintains the most recent ARP entries. To do that, execute the reset arp interface command in user
view on the Layer 2 physical interface when the QinQ termination configuration on the VLAN interface is
changed. For more information about this command, see Layer 3—IP Services Command Reference.
2. Enter VLAN interface view.
    Command: interface vlan-interface interface-number
    Remarks: N/A
3. Enable QinQ termination on the interface and specify the VLAN ID that the interface adds to packets as the inner VLAN tag before sending them out.
    Command: second-dot1q vlan-id
    Remarks: By default, QinQ termination is disabled and the interface processes only the outermost VLAN tag of packets. A VLAN interface always adds its interface number as the outer VLAN tag to the packets it sends out.
2. Enter VLAN interface view.
    Command: interface vlan-interface interface-number
    Remarks: N/A
2. Enter VLAN interface view.
    Command: interface vlan-interface interface-number
    Remarks: N/A
configuration, the VLAN interface checks the TPID value in the outermost VLAN tag of each received
packet, and then processes the packet as a VLAN-tagged packet only when the TPID value matches the
configured value.
If the TPID is not specified, the TPID value in the outermost VLAN tag of packets has a default value of
0x8100. For information about setting the TPID value in the VLAN tag of packets on a Layer 2 physical
interface, see "Configuring QinQ."
You can set a non-default TPID value for a QinQ termination network only in the lite solution.
Configuration considerations
Configure unambiguous QinQ termination to enable Layer 3 communication between Host A and Host B
through VLAN interfaces. The following process describes how a packet is transmitted from Host A to
Host B:
• Host A sends out the packet.
• Layer 2 Switch A adds VLAN 11 to the packet and forwards the single-tagged packet to Layer 2
Switch B.
• Layer 2 Switch B receives the packet on GigabitEthernet 4/0/2, adds VLAN 100 to the packet as
the outer VLAN tag, and forwards the double-tagged packet to Layer 3 Switch C through a trunk
port.
• Layer 3 Switch C receives the packet on VLAN-interface 100, which is the gateway of Host A,
removes the two layers of VLAN tags of the packet, and forwards the packet to the gateway of Host
B, which is VLAN-interface 2.
• VLAN-interface 2 adds VLAN 2 to the packet and forwards the single-tagged packet to the access
port GigabitEthernet 3/0/2.
• Port GigabitEthernet 3/0/2 removes the default VLAN tag (VLAN 2) of the packet and forwards the
packet to Layer 2 Switch D.
• Layer 2 Switch D forwards the packet to Host B.
Configuration procedure
1. Configure Host A and Host B:
◦ Configure Host A's IP address as 1.1.1.1/24, and gateway IP address as 1.1.1.11/24.
◦ Configure Host B's IP address as 1.1.2.1/24, and gateway IP address as 1.1.2.11/24.
2. Configure Layer 2 Switch A:
# Assign GigabitEthernet 3/0/2 to VLAN 11.
<L2_SwitchA> system-view
[L2_SwitchA] vlan 11
[L2_SwitchA-vlan11] port GigabitEthernet 3/0/2
[L2_SwitchA-vlan11] quit
# Configure GigabitEthernet 3/0/1 as a hybrid port, assign the port to VLAN 11 as a tagged
member, and assign the port to VLAN 100 as an untagged member.
[L2_SwitchA] interface GigabitEthernet 3/0/1
[L2_SwitchA-GigabitEthernet3/0/1] port link-type hybrid
[L2_SwitchA-GigabitEthernet3/0/1] port hybrid vlan 11 tagged
[L2_SwitchA-GigabitEthernet3/0/1] port hybrid vlan 100 untagged
3. Configure Layer 2 Switch B:
# Configure GigabitEthernet 4/0/2 as a trunk port and assign the port to VLAN 100.
<L2_SwitchB> system-view
[L2_SwitchB] interface GigabitEthernet 4/0/2
[L2_SwitchB-GigabitEthernet4/0/2] port link-type trunk
[L2_SwitchB-GigabitEthernet4/0/2] port trunk permit vlan 100
# Configure VLAN 100 as the PVID of GigabitEthernet 4/0/2, enable QinQ on the port to add
outer VLAN tag 100 to the received packets.
[L2_SwitchB-GigabitEthernet4/0/2] port trunk pvid vlan 100
[L2_SwitchB-GigabitEthernet4/0/2] qinq enable
[L2_SwitchB-GigabitEthernet4/0/2] quit
# Configure GigabitEthernet 4/0/1 as a trunk port and assign the port to VLAN 100.
[L2_SwitchB] interface GigabitEthernet 4/0/1
[L2_SwitchB-GigabitEthernet4/0/1] port link-type trunk
[L2_SwitchB-GigabitEthernet4/0/1] port trunk permit vlan 100
4. Configure Layer 3 Switch C:
# Create VLAN-interface 100 and assign an IP address to the interface.
<L3_SwitchC> system-view
[L3_SwitchC] vlan 100
[L3_SwitchC-vlan100] quit
[L3_SwitchC] interface vlan-interface 100
[L3_SwitchC-Vlan-interface100] ip address 1.1.1.11 255.255.255.0
# Enable QinQ termination on VLAN-interface 100 to remove the outermost two layers of VLAN
tags for packets whose outermost VLAN tag is 100, and configure the interface to add inner VLAN
tag 11 to packets before sending them out.
[L3_SwitchC-Vlan-interface100] second-dot1q 11
[L3_SwitchC-Vlan-interface100] quit
# Configure GigabitEthernet 3/0/1 as a trunk port, and assign the port to VLAN 100.
[L3_SwitchC] interface GigabitEthernet 3/0/1
[L3_SwitchC-GigabitEthernet3/0/1] port link-type trunk
[L3_SwitchC-GigabitEthernet3/0/1] port trunk permit vlan 100
[L3_SwitchC-GigabitEthernet3/0/1] quit
# Create VLAN-interface 2 and assign an IP address to the interface.
[L3_SwitchC] vlan 2
[L3_SwitchC-vlan2] quit
[L3_SwitchC] interface vlan-interface 2
[L3_SwitchC-Vlan-interface2] ip address 1.1.2.11 255.255.255.0
[L3_SwitchC-Vlan-interface2] quit
# Assign GigabitEthernet 3/0/2 to VLAN 2.
[L3_SwitchC] interface GigabitEthernet 3/0/2
[L3_SwitchC-GigabitEthernet3/0/2] port access vlan 2
5. Use the factory configuration of Layer 2 Switch D.
Figure 72 Network diagram
Configuration procedure
1. Configure Host A, Host B, and Host C:
◦ Configure the IP addresses of Host A, Host B, and Host C as 1.1.1.1/24, 1.1.1.2/24, and
1.1.1.3/24, respectively.
◦ Configure the gateway address as 1.1.1.11/24 for the hosts.
2. Configure Layer 2 Switch A:
# Assign GigabitEthernet 3/0/1 to VLAN 11.
<L2_SwitchA> system-view
[L2_SwitchA] vlan 11
[L2_SwitchA-vlan11] port GigabitEthernet 3/0/1
[L2_SwitchA-vlan11] quit
# Assign GigabitEthernet 3/0/2 to VLAN 12.
[L2_SwitchA] vlan 12
[L2_SwitchA-vlan12] port GigabitEthernet 3/0/2
[L2_SwitchA-vlan12] quit
# Assign GigabitEthernet 3/0/3 to VLAN 13.
[L2_SwitchA] vlan 13
[L2_SwitchA-vlan13] port GigabitEthernet 3/0/3
[L2_SwitchA-vlan13] quit
# Configure GigabitEthernet 3/0/7 as a hybrid port, assign the port to VLANs 11 through 13 as
a tagged member, and assign the port to VLAN 100 as an untagged member.
[L2_SwitchA] interface GigabitEthernet 3/0/7
[L2_SwitchA-GigabitEthernet3/0/7] port link-type hybrid
[L2_SwitchA-GigabitEthernet3/0/7] port hybrid vlan 11 to 13 tagged
[L2_SwitchA-GigabitEthernet3/0/7] port hybrid vlan 100 untagged
3. Configure Layer 2 Switch B:
# Configure GigabitEthernet 4/0/2 as a trunk port, and assign the port to VLAN 100.
<L2_SwitchB> system-view
[L2_SwitchB] interface GigabitEthernet 4/0/2
[L2_SwitchB-GigabitEthernet4/0/2] port link-type trunk
[L2_SwitchB-GigabitEthernet4/0/2] port trunk permit vlan 100
# Configure VLAN 100 as the PVID of GigabitEthernet 4/0/2, enable QinQ on the port to add
outer VLAN tag 100 to the received packets.
[L2_SwitchB-GigabitEthernet4/0/2] port trunk pvid vlan 100
[L2_SwitchB-GigabitEthernet4/0/2] qinq enable
[L2_SwitchB-GigabitEthernet4/0/2] quit
# Configure GigabitEthernet 4/0/1 as a trunk port and assign the port to VLAN 100.
[L2_SwitchB] interface GigabitEthernet 4/0/1
[L2_SwitchB-GigabitEthernet4/0/1] port link-type trunk
[L2_SwitchB-GigabitEthernet4/0/1] port trunk permit vlan 100
4. Configure Layer 3 Switch C:
# Create VLAN-interface 100 and assign an IP address to the interface.
<L3_SwitchC> system-view
[L3_SwitchC] vlan 100
[L3_SwitchC-vlan100] quit
[L3_SwitchC] interface vlan-interface 100
[L3_SwitchC-Vlan-interface100] ip address 1.1.1.11 255.255.255.0
# Configure VLAN-interface 100 to remove the outermost two layers of VLAN tags for packets
whose outermost VLAN tag is 100, and configure the interface to add inner VLAN tag 11, 12, or
13 to packets before sending them out.
[L3_SwitchC-Vlan-interface100] second-dot1q 11 to 13
[L3_SwitchC-Vlan-interface100] quit
# Configure GigabitEthernet 3/0/1 as a trunk port, and assign the port to VLAN 100.
[L3_SwitchC] interface GigabitEthernet 3/0/1
[L3_SwitchC-GigabitEthernet3/0/1] port link-type trunk
[L3_SwitchC-GigabitEthernet3/0/1] port trunk permit vlan 100
[L3_SwitchC-GigabitEthernet3/0/1] quit
# Create VLAN-interface 2 and assign an IP address to the interface.
[L3_SwitchC] vlan 2
[L3_SwitchC-vlan2] quit
[L3_SwitchC] interface vlan-interface 2
[L3_SwitchC-Vlan-interface2] ip address 1.1.2.11 255.255.255.0
[L3_SwitchC-Vlan-interface2] quit
# Assign GigabitEthernet 3/0/2 to VLAN 2.
[L3_SwitchC] interface GigabitEthernet 3/0/2
[L3_SwitchC-GigabitEthernet3/0/2] port access vlan 2
5. Use the factory configuration of Layer 2 Switch D.
6. Assign each server in the server group an IP address on the network segment 1.1.2.0/24 and
configure the gateway IP address as 1.1.2.11/24.
Ambiguous QinQ termination configuration example (lite solution)
In this example, customer network VLANs (CVLANs), also called inner VLANs, refer to the VLANs that
a customer uses on the private network. Service provider network VLANs (SVLANs), also called outer
VLANs, refer to the VLANs that a service provider uses to carry VLAN tagged traffic for customers.
Network requirements
As shown in Figure 73, Layer 3 Switch C is a core network device of a service provider. It connects to
Layer 2 Switch A and Layer 2 Switch B through access ports GigabitEthernet 3/0/1 and GigabitEthernet
3/0/2, respectively.
Layer 3 Switch C also connects to a server group through Layer 2 Switch D. Layer 2 Switch D can process
only single-tagged VLAN packets.
On customer networks A and B, Host A1 and Host A2 are assigned to CVLAN 11, Host B1 and Host B2
are assigned to CVLAN 12, and Host C1 and Host C2 are assigned to CVLAN 13.
Enable QinQ on GigabitEthernet 3/0/1 and GigabitEthernet 3/0/2 of Layer 3 Switch C to add SVLAN
100 and SVLAN 200 to packets carrying CVLANs 11 through 13 as the outermost VLAN tag, respectively,
so the packets are isolated at Layer 2.
Configure QinQ termination on the VLAN interfaces of Layer 3 Switch C to enable all hosts on the
customer networks to communicate with the server group and to enable hosts on customer network A to
communicate with hosts on customer network B at Layer 3.
Figure 73 Network diagram
(Diagram labels: L3 Switch C with Vlan-int100 1.1.1.11/24 on GE3/0/1 (VLAN 100, QinQ enabled),
Vlan-int200 2.1.1.11/24 on GE3/0/2 (VLAN 200, QinQ enabled), and Vlan-int300 3.1.1.11/24 on GE3/0/3
toward L2 Switch D and the server group.)
The following process describes how a packet is transmitted from Host A1 to Host B2:
• Host A1 sends out the packet.
• Layer 2 Switch A adds VLAN 11 to the packet and forwards the single-tagged packet to Layer 3
Switch C.
• Layer 3 Switch C receives the packet on GigabitEthernet 3/0/1, adds VLAN 100 to the packet as
the outer VLAN tag, and forwards the double-tagged packet to VLAN-interface 100, which is the
gateway of Host A1.
• VLAN-interface 100 removes the two layers of VLAN tags of the packet and forwards the packet to
the gateway of Host B2, which is VLAN-interface 200.
• VLAN-interface 200 searches the ARP table for the VLAN ID (VLAN 12) mapped to Host B2, adds
outer VLAN tag 200 and inner VLAN tag 12 to the packet, and forwards the double-tagged packet
to the access port GigabitEthernet 3/0/2.
• Port GigabitEthernet 3/0/2 removes the default VLAN tag (VLAN 200) of the packet and forwards
the packet tagged with VLAN 12 to Layer 2 Switch B.
• Layer 2 Switch B forwards the packet to Host B2 in VLAN 12.
Configuration procedure
1. Configure hosts:
◦ Configure Host A1's IP address as 1.1.1.1/24, Host B1's IP address as 1.1.1.2/24, Host C1's IP
address as 1.1.1.3/24, and their gateway IP address as 1.1.1.11/24.
◦ Configure Host A2's IP address as 2.1.1.1/24, Host B2's IP address as 2.1.1.2/24, Host C2's IP
address as 2.1.1.3/24, and their gateway IP address as 2.1.1.11/24.
2. Configure Layer 2 Switch A:
# Assign GigabitEthernet 1/0/1 to VLAN 11.
<L2_SwitchA> system-view
[L2_SwitchA] vlan 11
[L2_SwitchA-vlan11] port GigabitEthernet 1/0/1
[L2_SwitchA-vlan11] quit
# Assign GigabitEthernet 1/0/2 to VLAN 12.
[L2_SwitchA] vlan 12
[L2_SwitchA-vlan12] port GigabitEthernet 1/0/2
[L2_SwitchA-vlan12] quit
# Assign GigabitEthernet 1/0/3 to VLAN 13.
[L2_SwitchA] vlan 13
[L2_SwitchA-vlan13] port GigabitEthernet 1/0/3
[L2_SwitchA-vlan13] quit
# Configure GigabitEthernet 1/0/7 as a trunk port and assign the port to VLANs 11 through 13.
[L2_SwitchA] interface GigabitEthernet 1/0/7
[L2_SwitchA-GigabitEthernet1/0/7] port link-type trunk
[L2_SwitchA-GigabitEthernet1/0/7] port trunk permit vlan 11 to 13
3. Configure Layer 2 Switch B in the same way as you configure Layer 2 Switch A.
4. Configure Layer 3 Switch C:
# Assign GigabitEthernet 3/0/1 to VLAN 100 and enable QinQ on the interface to tag the
received packets with the PVID.
[L3_SwitchC] vlan 100
[L3_SwitchC-vlan100] quit
[L3_SwitchC] interface GigabitEthernet 3/0/1
[L3_SwitchC-GigabitEthernet3/0/1] port access vlan 100
[L3_SwitchC-GigabitEthernet3/0/1] qinq enable
[L3_SwitchC-GigabitEthernet3/0/1] quit
# Create VLAN-interface 100, assign an IP address to the interface, enable QinQ termination on
the interface, and specify VLANs 11 through 13 as the inner VLAN tags that can be added to
packets.
[L3_SwitchC] interface vlan-interface 100
[L3_SwitchC-Vlan-interface100] ip address 1.1.1.11 255.255.255.0
[L3_SwitchC-Vlan-interface100] second-dot1q 11 to 13
[L3_SwitchC-Vlan-interface100] quit
# Assign GigabitEthernet 3/0/2 to VLAN 200, and enable QinQ on the interface to tag the
received packets with the PVID.
[L3_SwitchC] vlan 200
[L3_SwitchC-vlan200] quit
[L3_SwitchC] interface GigabitEthernet 3/0/2
[L3_SwitchC-GigabitEthernet3/0/2] port access vlan 200
[L3_SwitchC-GigabitEthernet3/0/2] qinq enable
[L3_SwitchC-GigabitEthernet3/0/2] quit
# Create VLAN-interface 200, assign an IP address to the interface, enable QinQ termination on
the interface, and specify VLANs 11 through 13 as the inner VLAN tags that can be added to
packets.
[L3_SwitchC] interface vlan-interface 200
[L3_SwitchC-Vlan-interface200] ip address 2.1.1.11 255.255.255.0
[L3_SwitchC-Vlan-interface200] second-dot1q 11 to 13
[L3_SwitchC-Vlan-interface200] quit
# Assign GigabitEthernet 3/0/3 to VLAN 300.
[L3_SwitchC] vlan 300
[L3_SwitchC-vlan300] port GigabitEthernet 3/0/3
[L3_SwitchC-vlan300] quit
# Create VLAN-interface 300 and assign an IP address to the interface.
[L3_SwitchC] interface vlan-interface 300
[L3_SwitchC-Vlan-interface300] ip address 3.1.1.11 255.255.255.0
[L3_SwitchC-Vlan-interface300] quit
5. Use the factory configuration of Layer 2 Switch D.
6. Assign each server in the server group an IP address on the network segment 3.1.1.0/24 and
configure the gateway IP address as 3.1.1.11/24.
• Provider A is the DHCP relay agent and Provider B is the DHCP server.
• Provider A and Provider B communicate with each other through Layer 3 interfaces.
The expected results after the configuration are:
• DHCP relay agent Provider A receives double-tagged packets sent from DHCP clients, terminates
these packets by removing their inner and outer VLAN tags, and forwards the packets to DHCP
server Provider B through the service provider network.
• DHCP client A and client B can apply for IP addresses and related network configuration
parameters from Provider B through the service provider network.
Figure 74 Network diagram
Configuration procedure
1. Configure DHCP relay agent Provider A:
# Enable DHCP service.
<ProviderA> system-view
[ProviderA] dhcp enable
# Create the DHCP server group.
[ProviderA] dhcp relay server-group 1 ip 10.2.1.1
# Create VLAN-interface 100.
[ProviderA] vlan 100
[ProviderA-vlan100] quit
[ProviderA] interface vlan-interface 100
# Enable QinQ termination on the interface and specify VLANs 10 and 20 as the inner VLAN tags
that can be added to packets.
[ProviderA-Vlan-interface100] second-dot1q 10 20
# Enable the VLAN interface to transmit broadcast and multicast packets.
[ProviderA-Vlan-interface100] vlan-termination broadcast enable
# Enable DHCP relay on the VLAN interface, select a DHCP server group, and enable address
check on the relay agent.
[ProviderA-Vlan-interface100] dhcp select relay
[ProviderA-Vlan-interface100] dhcp relay server-select 1
[ProviderA-Vlan-interface100] dhcp relay address-check enable
# Assign an IP address to the VLAN interface.
[ProviderA-Vlan-interface100] ip address 192.168.1.1 24
[ProviderA-Vlan-interface100] quit
# Configure GigabitEthernet 3/0/1 as a trunk port and assign it to VLAN 100.
[ProviderA] interface GigabitEthernet 3/0/1
[ProviderA-GigabitEthernet3/0/1] port link-type trunk
[ProviderA-GigabitEthernet3/0/1] port trunk permit vlan 100
[ProviderA-GigabitEthernet3/0/1] quit
# Assign an IP address to the interface connecting to the DHCP server.
[ProviderA] interface vlan-interface 10
[ProviderA-Vlan-interface10] ip address 10.1.1.1 24
[ProviderA-Vlan-interface10] quit
# Configure a static route to the DHCP server.
[ProviderA] ip route-static 10.2.1.1 24 10.1.1.1
2. Configure DHCP server Provider B:
# Assign an IP address to the DHCP server.
<ProviderB> system-view
[ProviderB] interface vlan-interface 20
[ProviderB-Vlan-interface20] ip address 10.2.1.1 24
[ProviderB-Vlan-interface20] quit
# Enable DHCP.
[ProviderB] dhcp enable
# Configure an IP address pool on the DHCP server.
[ProviderB] dhcp server ip-pool 1
[ProviderB-dhcp-pool-1] network 192.168.1.0 24
[ProviderB-dhcp-pool-1] gateway-list 192.168.1.1
[ProviderB-dhcp-pool-1] quit
# Configure a static route to VLAN-interface 100.
[ProviderB] ip route-static 192.168.1.1 24 10.1.1.1
3. Configure Switch A:
# Enable QinQ on uplink port GigabitEthernet 2/0/1 and configure it as a trunk port.
<SwitchA> system-view
[SwitchA] interface GigabitEthernet 2/0/1
[SwitchA-GigabitEthernet2/0/1] port link-type trunk
# Assign trunk port GigabitEthernet 2/0/1 to VLAN 100.
[SwitchA-GigabitEthernet2/0/1] port trunk permit vlan 100
[SwitchA-GigabitEthernet2/0/1] quit
# Enable QinQ on downlink port GigabitEthernet 2/0/2.
[SwitchA] interface GigabitEthernet 2/0/2
[SwitchA-GigabitEthernet2/0/2] qinq enable
[SwitchA-GigabitEthernet2/0/2] quit
# Enable QinQ on downlink port GigabitEthernet 2/0/3.
[SwitchA] interface GigabitEthernet 2/0/3
[SwitchA-GigabitEthernet2/0/3] qinq enable
[SwitchA-GigabitEthernet2/0/3] quit
# Assign GigabitEthernet 2/0/2 and GigabitEthernet 2/0/3 to VLAN 100.
[SwitchA] vlan 100
[SwitchA-vlan100] port GigabitEthernet 2/0/2
[SwitchA-vlan100] port GigabitEthernet 2/0/3
4. Configure Switch B:
# Add GigabitEthernet 2/0/2 to VLAN 10.
<SwitchB> system-view
[SwitchB] vlan 10
[SwitchB-vlan10] port GigabitEthernet 2/0/2
[SwitchB-vlan10] quit
# Configure GigabitEthernet 2/0/1 as a trunk port and assign it to VLAN 10.
[SwitchB] interface GigabitEthernet 2/0/1
[SwitchB-GigabitEthernet2/0/1] port link-type trunk
[SwitchB-GigabitEthernet2/0/1] port trunk permit vlan 10
5. Configure Switch C:
# Add GigabitEthernet 2/0/2 to VLAN 20.
<SwitchC> system-view
[SwitchC] vlan 20
[SwitchC-vlan20] port GigabitEthernet 2/0/2
[SwitchC-vlan20] quit
# Configure GigabitEthernet 2/0/1 as a trunk port and assign it to VLAN 20.
[SwitchC] interface GigabitEthernet 2/0/1
[SwitchC-GigabitEthernet2/0/1] port link-type trunk
[SwitchC-GigabitEthernet2/0/1] port trunk permit vlan 20
Configuring MAC-in-MAC
The switch does not support MAC-in-MAC when it operates in standard mode. For more information
about system operating modes, see Fundamentals Configuration Guide.
MAC-in-MAC overview
MAC-in-MAC, also known as Provider Backbone Bridge (PBB), is defined in IEEE 802.1ah. MAC-in-MAC
is a Layer-2 Virtual Private Network (VPN) technique. It encapsulates the customer MAC in the service
provider MAC, transmits the inner MAC as payload, and thus improves the expandability for Ethernet
and secures services.
Basic concepts
Figure 75 shows a typical MAC-in-MAC network. This section introduces some basic concepts of
MAC-in-MAC based on this network.
Figure 75 A typical MAC-in-MAC network (diagram not reproduced; it shows customer networks, PBNs, BEBs, BCBs, and the PBBN)
PBBN
As shown in Figure 75, a network using MAC-in-MAC is called a provider backbone bridge network
(PBBN) or MAC-in-MAC network. For users, a PBBN is a Layer-2 switching network where Layer-2
connections are between different nodes.
PBN
As shown in Figure 75, a network connecting the PBBN with the customer network is a provider bridge
network (PBN). The customer network can connect to the PBBN directly, or through a PBN.
MAC-in-MAC frame
A frame processed by MAC-in-MAC is called a MAC-in-MAC frame. For more information about the
encapsulation format of a MAC-in-MAC frame, see "MAC-in-MAC frame encapsulation."
BEB
As shown in Figure 75, a backbone edge bridge (BEB) is an edge device in the PBBN, like a PE device
in an MPLS network. The BEB encapsulates frames from the customer network by using MAC-in-MAC, or
de-encapsulates MAC-in-MAC frames from the PBBN and forwards them to the customer network.
BCB
As shown in Figure 75, a backbone core bridge (BCB) is a core device in the PBBN, like a P device in
an MPLS network. It forwards MAC-in-MAC frames according to their B-MAC and B-VLAN. A BCB device
only forwards frames and learns MAC addresses in the backbone network. It does not learn a large
number of customer MAC addresses. In this way, the network deployment costs are reduced, and the
PBBN is given better expandability.
B-MAC/B-VLAN
When encapsulating a customer frame, a BEB tags the frame with the service provider MAC address
(known as backbone MAC address, B-MAC) and service provider VLAN (known as backbone VLAN,
B-VLAN). Note that the B-MAC falls into source B-MAC and destination B-MAC. In the PBBN, a BCB
forwards MAC-in-MAC frames according to their B-MAC and B-VLAN.
Figure 76 shows the format of a MAC-in-MAC frame. Table 22 describes some key fields in the frame.
Table 22 Some key fields of a MAC-in-MAC frame
S-Tag | Service provider VLAN tag | Outer VLAN tag of the frame in the PBN, which indicates the VLAN information and priority information of the frame within the PBN.
C-Tag | Customer VLAN tag | Inner VLAN tag of the frame in the PBN, which indicates the VLAN information and priority information of the frame within the customer network.
As shown in Figure 77, a MAC-in-MAC frame is forwarded in the PBBN using the following process:
1. BEB 1 encapsulates a customer frame with the corresponding B-MAC, B-VLAN, and I-SID, and then
forwards the frame to the BCB through its uplink port.
2. BCB forwards the MAC-in-MAC frame from BEB 1 to BEB 2 according to its B-MAC and B-VLAN.
3. BEB 2 de-encapsulates the MAC-in-MAC frame from the BCB, restores it to a standard
Ethernet frame, and then forwards the frame out of the corresponding downlink port to the
customer network.
Task Remarks
Enabling L2VPN Required.
Configuring MAC-in-MAC
Enabling L2VPN
To configure MAC-in-MAC, which is a Layer-2 VPN technique, enable L2VPN first.
To enable L2VPN:
For more information about the l2vpn command, see MPLS Command Reference.
Creating a MAC-in-MAC instance
To create a MAC-in-MAC instance, create a virtual switch instance of the MAC-in-MAC type and specify
its I-SID. The I-SID identifies a type of services, and is the unique identifier of the MAC-in-MAC instance.
The same I-SID must be used throughout a MAC-in-MAC network. For more information about the VSI,
see MPLS Configuration Guide.
To create a MAC-in-MAC instance:
Step 1. Enter system view.
Command: system-view
Step 2. Create a VSI of the MAC-in-MAC type, specify the I-SID, and enter VSI view.
Command: vsi vsi-name minm i-sid i-sid
For more information about the vsi command, see MPLS Command Reference.
Configuring a B-VLAN
Only MAC-in-MAC instances with the same I-SID and B-VLAN can communicate. Therefore, you must
specify a B-VLAN for a MAC-in-MAC instance.
To configure a B-VLAN for a MAC-in-MAC instance:
For more information about the vsi command, see MPLS Command Reference.
NOTE:
• You can specify only one B-VLAN for a MAC-in-MAC instance, but you can specify the same B-VLAN for
different MAC-in-MAC instances.
• The B-VLAN must be a static, existing VLAN.
You can specify one or more uplink ports for a MAC-in-MAC instance. On the BEB, frames from the
customer network are encapsulated in MAC-in-MAC frames in the corresponding MAC-in-MAC
instances, and then forwarded out of the corresponding uplink ports.
You can configure the uplink ports in either VSI view or interface view. If the same port is configured as
an uplink port in both VSI view and interface view, the latest configuration takes effect.
For more information about the vsi command, see MPLS Command Reference.
For more information about the service-instance, encapsulation, and xconnect vsi commands, see MPLS
Command Reference.
NOTE:
If you want to configure traffic policing on an attachment circuit (AC), do that before binding it to a
MAC-in-MAC instance. For more information about an AC, see MPLS Configuration Guide.
Network requirements
As shown in Figure 78, enable customer network A to communicate with customer network B by using the
MAC-in-MAC protocol.
Figure 78 Network diagram
Configuration procedures
1. Configure Device A:
# Create VLAN 20.
<DeviceA> system-view
[DeviceA] vlan 20
[DeviceA-vlan20] quit
# Enable L2VPN.
[DeviceA] l2vpn
[DeviceA-l2vpn] quit
# Create a VSI of the MAC-in-MAC type named aaa, specify the I-SID as 100, and configure
Ethernet encapsulation for the instance.
[DeviceA] vsi aaa minm i-sid 100
[DeviceA-vsi-aaa] encapsulation ethernet
# Specify VLAN 20 as the B-VLAN for MAC-in-MAC instance aaa.
[DeviceA-vsi-aaa] minm bvlan 20
[DeviceA-vsi-aaa] quit
# Configure port GigabitEthernet3/0/1 as a trunk port, assign it to VLAN 20, and configure it as
an uplink port of MAC-in-MAC instance aaa.
[DeviceA] interface GigabitEthernet 3/0/1
[DeviceA-GigabitEthernet3/0/1] port link-type trunk
[DeviceA-GigabitEthernet3/0/1] port trunk permit vlan 20
[DeviceA-GigabitEthernet3/0/1] minm uplink vsi aaa
[DeviceA-GigabitEthernet3/0/1] quit
# Configure port GigabitEthernet 3/0/2 as a trunk port, and assign it to all VLANs. Create service
instance 1 on port GigabitEthernet 3/0/2, configure the port-based match criteria, and associate
the service instance with MAC-in-MAC instance aaa by using the access mode of Ethernet.
[DeviceA] interface GigabitEthernet 3/0/2
[DeviceA-GigabitEthernet3/0/2] port link-type trunk
[DeviceA-GigabitEthernet3/0/2] port trunk permit vlan all
[DeviceA-GigabitEthernet3/0/2] service-instance 1
[DeviceA-GigabitEthernet3/0/2-srv1] encapsulation port-based
[DeviceA-GigabitEthernet3/0/2-srv1] xconnect vsi aaa access-mode ethernet
[DeviceA-GigabitEthernet3/0/2-srv1] quit
[DeviceA-GigabitEthernet3/0/2] quit
2. Configure Device B:
Configure Device B as you configure Device A. (Details not shown.)
3. Verify the configuration:
Use the display minm connection command to display the uplink connection information (that is,
the remote B-MAC information learned) of MAC-in-MAC instance aaa. For example:
# Display the uplink connection information of MAC-in-MAC instance aaa on Device A.
[DeviceA] display minm connection vsi aaa
1 connection(s) exist
VSIIndex LinkID BMAC BVLAN Interface Name State AGING TIME(s)
1 1 000f-e200-0001 20 GigabitEthernet3/0/1 Learned AGING
Troubleshooting
Symptom
The customer frames cannot be transmitted to the peer network by using MAC-in-MAC.
Analysis
• No VSI of the MAC-in-MAC type is configured on the BEB, or the configured VSI is down.
• The MAC-in-MAC configurations on the BEBs are inconsistent.
• The B-VLAN in the BEB is not created on the BCB, or the ports connecting the BEB and BCB are not
both assigned to the B-VLAN.
Solution
1. Use the display vsi verbose command to display the MAC-in-MAC configuration of the VSI. If the
VSI is not configured with MAC-in-MAC, configure it. If the VSI is down, use the undo shutdown
command to bring the VSI up. For more information about the display vsi verbose command, see
MPLS Command Reference.
2. Use the display vsi verbose command on all BEBs to see whether they are consistent in the
MAC-in-MAC configuration, especially the I-SID and B-VLAN. The MAC-in-MAC configurations on
the BEBs should be consistent.
3. Use the display vlan all command on all BCBs to see whether the B-VLAN in the BEB is created on
the BCB, and whether the ports connecting the BEB and BCB are both assigned to the B-VLAN. All
ports connecting the BEB and BCB must be assigned to the VLAN.
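The configuration causes listed under Analysis can also be checked offline against saved configuration transcripts. The following is an added example, not part of the original guide: it parses "[view] command" lines in the format used on this page and reports a missing VSI, I-SID or B-VLAN mismatches between BEBs, and B-VLANs that are missing on a BEB uplink or on a BCB. The Device B and BCB transcripts are constructed, and device names are assumed to contain no hyphens.

```python
import re


def permitted_vlans(spec):
    """Expand the argument of 'port trunk permit vlan': 'all', '20', '11 to 13'."""
    if spec.strip() == "all":
        return set(range(1, 4095))
    vlans, tokens, i = set(), spec.split(), 0
    while i < len(tokens):
        first = int(tokens[i])
        if i + 2 < len(tokens) and tokens[i + 1] == "to":
            vlans.update(range(first, int(tokens[i + 2]) + 1))
            i += 3
        else:
            vlans.add(first)
            i += 1
    return vlans


def parse_transcript(text):
    """Collect VLANs, MAC-in-MAC VSIs, trunk permits and uplinks from '[view] command' lines."""
    dev = {"vlans": set(), "vsis": {}, "trunks": {}, "uplinks": {}}
    for line in text.splitlines():
        m = re.match(r"\[([^\]]+)\]\s+(.+)", line.strip())
        if not m:
            continue
        view, cmd = m.group(1), m.group(2).strip()
        port = view.split("-", 1)[-1]            # e.g. GigabitEthernet3/0/1
        if (v := re.fullmatch(r"vlan (\d+)", cmd)):
            dev["vlans"].add(int(v.group(1)))
        elif (v := re.fullmatch(r"vsi (\S+) minm i-sid (\d+)", cmd)):
            dev["vsis"][v.group(1)] = {"isid": int(v.group(2)), "bvlan": None}
        elif (v := re.fullmatch(r"minm bvlan (\d+)", cmd)):
            vsi = view.split("-vsi-")[-1]
            dev["vsis"].setdefault(vsi, {"isid": None, "bvlan": None})["bvlan"] = int(v.group(1))
        elif (v := re.fullmatch(r"port trunk permit vlan (.+)", cmd)):
            dev["trunks"].setdefault(port, set()).update(permitted_vlans(v.group(1)))
        elif (v := re.fullmatch(r"minm uplink vsi (\S+)", cmd)):
            dev["uplinks"].setdefault(v.group(1), []).append(port)
    return dev


def audit(bebs, bcbs):
    """Report the configuration causes listed under Analysis; [] means none found."""
    findings, pairs = [], set()
    for name, dev in sorted(bebs.items()):
        if not dev["vsis"]:
            findings.append(f"{name}: no VSI of the MAC-in-MAC type")
        for vsi, cfg in dev["vsis"].items():
            pairs.add((cfg["isid"], cfg["bvlan"]))
            if cfg["bvlan"] not in dev["vlans"]:
                findings.append(f"{name}: B-VLAN {cfg['bvlan']} of VSI {vsi} is not an existing VLAN")
            for port in dev["uplinks"].get(vsi, []):
                if cfg["bvlan"] not in dev["trunks"].get(port, set()):
                    findings.append(f"{name}: uplink {port} is not assigned to B-VLAN {cfg['bvlan']}")
    if len(pairs) > 1:
        findings.append(f"BEBs disagree on (I-SID, B-VLAN): {sorted(pairs, key=str)}")
    for name, dev in sorted(bcbs.items()):
        for bvlan in sorted(b for _, b in pairs if b is not None):
            if bvlan not in dev["vlans"]:
                findings.append(f"{name}: B-VLAN {bvlan} is not created")
            elif not any(bvlan in vl for vl in dev["trunks"].values()):
                findings.append(f"{name}: no port is assigned to B-VLAN {bvlan}")
    return findings


# Device A commands as given in the configuration example on this page.
DEVICE_A = """\
[DeviceA] vlan 20
[DeviceA-vlan20] quit
[DeviceA] l2vpn
[DeviceA] vsi aaa minm i-sid 100
[DeviceA-vsi-aaa] minm bvlan 20
[DeviceA] interface GigabitEthernet 3/0/1
[DeviceA-GigabitEthernet3/0/1] port trunk permit vlan 20
[DeviceA-GigabitEthernet3/0/1] minm uplink vsi aaa
"""
# Constructed faulty peer: B-VLAN 30 is referenced but never created or permitted.
DEVICE_B_BAD = DEVICE_A.replace("DeviceA", "DeviceB").replace("minm bvlan 20", "minm bvlan 30")
# Constructed core bridge (hypothetical; the page shows no BCB configuration).
BCB = """\
[BCB] vlan 20
[BCB] interface GigabitEthernet 3/0/1
[BCB-GigabitEthernet3/0/1] port trunk permit vlan 20
"""


def run_sample(peer_text):
    """Audit Device A against the given Device B transcript and the sample BCB."""
    bebs = {"DeviceA": parse_transcript(DEVICE_A), "DeviceB": parse_transcript(peer_text)}
    return audit(bebs, {"BCB": parse_transcript(BCB)})


if __name__ == "__main__":
    for finding in run_sample(DEVICE_B_BAD):
        print(finding)
```

A down VSI cannot be seen in a configuration transcript, so that cause still needs the display vsi verbose check from step 1.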
Configuring LLDP
Overview
Background
In a heterogeneous network, it is important that different types of network devices from different vendors
can discover one another and exchange configuration for the sake of interoperability and management. A
standard configuration exchange platform was created for this purpose.
The IETF drafted the Link Layer Discovery Protocol (LLDP) in IEEE 802.1AB. The protocol operates on the
data link layer to exchange device information between directly connected devices. With LLDP, a device
sends local device information (including its major functions, management IP address, device ID, and
port ID) as TLV (type, length, and value) triplets in LLDP Data Units (LLDPDUs) to the directly connected
devices, and at the same time, stores the device information received in LLDPDUs sent from the LLDP
neighbors in a standard management information base (MIB). It allows a network management system
to quickly detect and identify Layer 2 network topology changes. For more information about MIBs, see
Network Management and Monitoring Configuration Guide.
Basic concepts
LLDPDU formats
LLDP sends device information in LLDPDUs. LLDPDUs are encapsulated in Ethernet II or Subnetwork
Access Protocol (SNAP) frames.
1. Ethernet II-encapsulated LLDPDU format
Figure 79 Ethernet II-encapsulated LLDPDU format
The fields in the Ethernet II-encapsulated LLDPDU are described in Table 23.
Table 23 Fields in an Ethernet II-encapsulated LLDPDU
Field | Description
Destination MAC address | MAC address to which the LLDPDU is advertised. It is fixed to 0x0180-C200-000E, a multicast MAC address.
Source MAC address | MAC address of the sending port.
Type | Ethernet type for the upper layer protocol. It is 0x88CC for LLDP.
Data | LLDPDU.
FCS | Frame check sequence, a 32-bit CRC value used to determine the validity of the received Ethernet frame.
Field | Description
Destination MAC address | MAC address to which the LLDPDU is advertised. It is fixed at 0x0180-C200-000E, a multicast MAC address.
Data | LLDPDU.
FCS | Frame check sequence, a 32-bit CRC value used to determine the validity of the received Ethernet frame.
LLDPDUs
LLDP uses LLDPDUs to exchange information. An LLDPDU comprises multiple TLV sequences. Each carries
a specific type of device information, as shown in Figure 81.
Figure 81 LLDPDU encapsulation format
An LLDPDU can carry up to 28 types of TLVs. Mandatory TLVs include Chassis ID TLV, Port ID TLV, Time
To Live TLV, and End of LLDPDU TLV. Other TLVs are optional.
TLVs
TLVs are type, length, and value sequences that carry information elements. The type field identifies the
type of information, the length field measures the length of the information field in octets, and the value
field contains the information itself.
LLDPDU TLVs fall into the following categories:
• Basic management TLVs
• Organizationally (IEEE 802.1 and IEEE 802.3) specific TLVs
• LLDP-MED (media endpoint discovery) TLVs
Basic management TLVs are essential to device management. Organizationally specific TLVs and
LLDP-MED TLVs are used for enhanced device management; they are defined by standardization or other
organizations and are optional to LLDPDUs.
1. Basic management TLVs
Table 25 lists the basic management TLV types. Some of them must be included in every LLDPDU.
Table 25 Basic LLDP TLVs
Port ID | If the LLDPDU carries LLDP-MED TLVs, the port ID TLV carries the MAC address of the sending port. If the LLDPDU carries no LLDP-MED TLVs, the port ID TLV carries the port name. | Mandatory.
End of LLDPDU | Marks the end of the TLV sequence in the LLDPDU.
Type | Description
Port VLAN ID | Port's VLAN identifier (PVID). An LLDPDU carries only one TLV of this type.
Port And Protocol VLAN ID | Indicates whether the device supports protocol VLANs and, if so, what VLAN IDs these protocols will be associated with. An LLDPDU can carry multiple different TLVs of this type.
VLAN Name | Textual name of any VLAN to which the port belongs. An LLDPDU can carry multiple different TLVs of this type.
DCBX | Data center bridging exchange protocol.
NOTE:
• HP devices only support receiving protocol identity TLVs.
• Layer 3 Ethernet ports do not support IEEE 802.1 organizationally specific TLVs.
Type | Description
MAC/PHY Configuration/Status | Contains the bit-rate and duplex capabilities of the sending port, support for auto negotiation, enabling status of auto negotiation, and the current rate and duplex mode.
Power Via MDI | Contains the power supply capability of the port, including the Power over Ethernet (PoE) type, which can be Power Sourcing Equipment (PSE) or Powered Device (PD), PoE mode, whether PSE power supply is supported, whether PSE power supply is enabled, and whether the PoE mode is controllable.
NOTE:
The Power Stateful Control TLV is defined in IEEE P802.3at D1.0. The later versions no longer support this
TLV. HP devices send this type of TLVs only after receiving them.
LLDP-MED TLVs
LLDP-MED TLVs provide multiple advanced applications for voice over IP (VoIP), such as basic
configuration, network policy configuration, and address and directory management. LLDP-MED TLVs
provide a cost-effective and easy-to-use solution for deploying voice devices in Ethernet. LLDP-MED TLVs
are shown in Table 28.
Table 28 LLDP-MED TLVs
Type | Description
LLDP-MED Capabilities | Allows a network device to advertise the LLDP-MED TLVs it supports.
Hardware Revision | Allows a terminal device to advertise its hardware version.
Asset ID | Allows a terminal device to advertise its asset ID. The typical case is that the user specifies the asset ID for the endpoint to facilitate directory management and asset tracking.
Management address
The management address of a device is used by the network management system to identify and
manage the device for topology maintenance and network management. The management address is
encapsulated in the management address TLV.
Transmitting LLDPDUs
An LLDP-enabled port operating in TxRx mode or Tx mode sends LLDPDUs to its directly connected
devices both periodically and when the local configuration changes. A frame transmit interval between
two successive LLDP frames prevents the network from being overwhelmed by LLDPDUs during times of
frequent local device information change.
This interval is shortened to 1 second in either of the following cases:
• A new neighbor is discovered, that is, an LLDPDU is received carrying device information new to the
local device.
• The LLDP operating mode of the port changes from Disable/Rx to TxRx or Tx.
This is the fast sending mechanism of LLDP. This feature sends a specific number of LLDPDUs at 1-second
intervals to help LLDP neighbors discover the local device as soon as possible. Then, the normal LLDPDU
transmit interval resumes.
Receiving LLDPDUs
An LLDP-enabled port operating in TxRx mode or Rx mode checks the validity of TLVs carried in every
received LLDPDU. If valid, the information is saved and an aging timer is set for it based on the time to
live (TTL) value in the Time to Live TLV carried in the LLDPDU. If the TTL value is zero, the information is
aged out immediately.
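The receive-side check described above, as an added example that is not part of the original guide and not the switch's own implementation: it parses an Ethernet II LLDP frame, checks the destination MAC, the type field and the mandatory TLVs, and decides from the TTL whether the neighbor information is stored or aged out. The TLV header layout (7-bit type, 9-bit length), the TLV type and subtype numbers and the TLV ordering rule come from IEEE 802.1AB; the sample MAC address, port name and management address are constructed.

```python
import struct

LLDP_MULTICAST = bytes.fromhex("0180c200000e")   # fixed destination MAC (Table 23)
LLDP_ETHERTYPE = 0x88CC                          # Ethernet type for LLDP (Table 23)
END, CHASSIS_ID, PORT_ID, TTL, MGMT_ADDR = 0, 1, 2, 3, 8   # IEEE 802.1AB TLV types


def tlv(tlv_type, value):
    """Build one TLV: a 7-bit type and a 9-bit length share two octets, then the value."""
    if len(value) > 0x1FF:
        raise ValueError("TLV value longer than 511 octets")
    return struct.pack("!H", (tlv_type << 9) | len(value)) + value


def parse_tlvs(lldpdu):
    """Split an LLDPDU into (type, value) pairs; raise ValueError on a truncated TLV."""
    tlvs, offset = [], 0
    while offset < len(lldpdu):
        if len(lldpdu) - offset < 2:
            raise ValueError("truncated TLV header")
        (header,) = struct.unpack_from("!H", lldpdu, offset)
        tlv_type, length = header >> 9, header & 0x1FF
        offset += 2
        if offset + length > len(lldpdu):
            raise ValueError(f"TLV type {tlv_type} claims {length} octets, frame ends first")
        tlvs.append((tlv_type, lldpdu[offset:offset + length]))
        offset += length
        if tlv_type == END:      # octets after End of LLDPDU are padding
            break
    return tlvs


def check_lldp_frame(frame):
    """Validate a received Ethernet II LLDP frame (FCS already stripped).

    Returns {'valid', 'findings'} plus, when valid, 'ttl', 'action'
    ('store' or 'age-out') and 'management_address' (IPv4 string or None).
    """
    result = {"valid": False, "findings": []}
    if len(frame) < 14:
        result["findings"].append("frame shorter than an Ethernet II header")
        return result
    if frame[0:6] != LLDP_MULTICAST:
        result["findings"].append("destination MAC is not 0180-C200-000E")
    (ethertype,) = struct.unpack_from("!H", frame, 12)
    if ethertype != LLDP_ETHERTYPE:
        result["findings"].append(f"type 0x{ethertype:04X} is not 0x88CC")
    try:
        tlvs = parse_tlvs(frame[14:])
    except ValueError as err:
        result["findings"].append(str(err))
        return result
    types = [t for t, _ in tlvs]
    # Mandatory TLVs: Chassis ID, Port ID and Time To Live open the LLDPDU in
    # that order (IEEE 802.1AB), and End of LLDPDU closes it.
    if types[:3] != [CHASSIS_ID, PORT_ID, TTL]:
        result["findings"].append("LLDPDU does not open with Chassis ID, Port ID, Time To Live")
    elif len(tlvs[2][1]) != 2:
        result["findings"].append("Time To Live value is not 2 octets")
    if not types or types[-1] != END:
        result["findings"].append("End of LLDPDU TLV missing")
    if result["findings"]:
        return result
    (ttl,) = struct.unpack("!H", tlvs[2][1])
    mgmt = None
    for t, v in tlvs:
        # Management Address TLV: address-length octet, subtype octet (1 = IPv4), address.
        if t == MGMT_ADDR and len(v) >= 6 and v[0] == 5 and v[1] == 1:
            mgmt = ".".join(str(b) for b in v[2:6])
    result.update(valid=True, ttl=ttl, management_address=mgmt,
                  action="age-out" if ttl == 0 else "store")
    return result


def build_sample(ttl_seconds):
    """Constructed sample frame (not captured traffic) from a neighbor's port."""
    src = bytes.fromhex("000fe2000001")
    mgmt = b"\x05\x01" + bytes([192, 168, 1, 1]) + b"\x02" + struct.pack("!I", 1) + b"\x00"
    lldpdu = (tlv(CHASSIS_ID, b"\x04" + src)                     # subtype 4: MAC address
              + tlv(PORT_ID, b"\x05" + b"GigabitEthernet4/0/1")  # subtype 5: interface name
              + tlv(TTL, struct.pack("!H", ttl_seconds))
              + tlv(MGMT_ADDR, mgmt)
              + tlv(END, b""))
    return LLDP_MULTICAST + src + struct.pack("!H", LLDP_ETHERTYPE) + lldpdu


if __name__ == "__main__":
    print(check_lldp_frame(build_sample(120)))       # normal advertisement
    print(check_lldp_frame(build_sample(0)))         # TTL 0: age out immediately
    print(check_lldp_frame(build_sample(120)[:-5]))  # truncated in transit
```

The management address in the result is what every directly connected device learns from the port, which is worth knowing when deciding which ports should transmit LLDPDUs at all.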
NOTE:
LLDP-related configurations made in Ethernet interface view take effect only on the current port, and those
made in port group view take effect on all ports in the current port group.
Step 4. Enable LLDP.
Command: lldp enable
Remarks: Optional. By default, LLDP is enabled on a port.
Step 2. Set the LLDP re-initialization delay.
Command: lldp timer reinit-delay delay
Remarks: Optional. The default setting is 2 seconds.
Step 3. Configure the advertisable TLVs (Layer 2 Ethernet interface view or port group view).
Command: lldp tlv-enable { basic-tlv { all | port-description | system-capability | system-description | system-name } | dot1-tlv { all | port-vlan-id | protocol-vlan-id [ vlan-id ] | vlan-name [ vlan-id ] } | dot3-tlv { all | link-aggregation | mac-physic | max-frame-size | power } | med-tlv { all | capability | inventory | location-id { civic-address device-type country-code { ca-type ca-value }&<1-10> | elin-address tel-number } | network-policy | power-over-ethernet } }
Remarks: Optional. By default, all types of LLDP TLVs except location identification TLVs are advertisable on a Layer 2 Ethernet port.
Step 3. Allow LLDP to advertise the management address in LLDPDUs and configure the advertised management address.
Command: lldp management-address-tlv [ ip-address ]
Remarks: Optional. By default, the management address is sent through LLDPDUs.
• For a Layer 2 Ethernet port, the management address is the main IP address of the lowest-ID VLAN carried on the port. If none of the carried VLANs is assigned an IP address, no management address will be advertised.
• For a Layer 3 Ethernet port, the management address is its own IP address. If no IP address is configured for the Layer 3 Ethernet port, no management address will be advertised.
Configuration procedure
To set related LLDP parameters:
Step 2. Set the TTL multiplier.
Command: lldp hold-multiplier value
Remarks: Optional. The default setting is 4.
Step 4. Set LLDPDU transmit delay.
Command: lldp timer tx-delay delay
Remarks: Optional. The default setting is 2 seconds.
Step 5. Set the number of LLDPDUs sent each time fast LLDPDU transmission is triggered.
Command: lldp fast-count count
Remarks: Optional. The default setting is 3.
Configuration prerequisites
Before configuring CDP compatibility, perform the following configurations:
• Enable LLDP globally.
• Enable LLDP on the port connected to an IP phone and configure LLDP to operate in TxRx mode on
the port.
NOTE:
The maximum TTL value allowed by CDP is 255 seconds. To make CDP-compatible LLDP work properly
with Cisco IP phones, make sure the product of the TTL multiplier and the LLDPDU transmit interval is less
than 255 seconds.
Step 1. Enter system view.
Command: system-view
Remarks: N/A
Step 2. Enter Ethernet interface view or port group view.
Command:
• Enter Layer 2 or Layer 3 Ethernet interface view: interface interface-type interface-number
• Enter port group view: port-group manual port-group-name
Remarks: Use either command.
Step 5. Set the LLDP trap transmit interval.
Command: lldp timer notification-interval interval
Remarks: Optional. The default setting is 5 seconds.
Basic LLDP configuration example
Network requirements
As shown in Figure 82, the NMS and Switch A are located in the same Ethernet.
Enable LLDP on the ports of Switch A and Switch B to monitor the link between Switch A and Switch B and
the link between Switch A and the MED device on the NMS.
Figure 82 Network diagram (diagram not reproduced; it shows the NMS, the MED device, Switch A with GE4/0/1 and GE4/0/2, and Switch B with GE4/0/1)
Configuration procedure
1. Configure Switch A:
# Enable LLDP globally.
<SwitchA> system-view
[SwitchA] lldp enable
# Enable LLDP on GigabitEthernet 4/0/1 and GigabitEthernet 4/0/2 (you can skip this step
because LLDP is enabled on ports by default), and set the LLDP operating mode to Rx.
[SwitchA] interface gigabitethernet 4/0/1
[SwitchA-GigabitEthernet4/0/1] lldp enable
[SwitchA-GigabitEthernet4/0/1] lldp admin-status rx
[SwitchA-GigabitEthernet4/0/1] quit
[SwitchA] interface gigabitethernet 4/0/2
[SwitchA-GigabitEthernet4/0/2] lldp enable
[SwitchA-GigabitEthernet4/0/2] lldp admin-status rx
[SwitchA-GigabitEthernet4/0/2] quit
2. Configure Switch B:
# Enable LLDP globally.
<SwitchB> system-view
[SwitchB] lldp enable
# Enable LLDP on GigabitEthernet 4/0/1 (you can skip this step because LLDP is enabled on ports
by default), and set the LLDP operating mode to Tx.
[SwitchB] interface gigabitethernet 4/0/1
[SwitchB-GigabitEthernet4/0/1] lldp enable
[SwitchB-GigabitEthernet4/0/1] lldp admin-status tx
[SwitchB-GigabitEthernet4/0/1] quit
3. Verify the configuration:
# Display the global LLDP status and port LLDP status on Switch A.
[SwitchA] display lldp status
Global status of LLDP : Enable
The current number of LLDP neighbors : 2
The current number of CDP neighbors: 0
LLDP neighbor information last changed time: 0 days,0 hours,4 minutes,40 seconds
Transmit interval : 30s
Hold multiplier : 4
Reinit delay : 2s
Transmit delay : 2s
Trap interval : 5s
Fast start times : 3
Port 1 [GigabitEthernet4/0/1]:
Port status of LLDP : Enable
Admin status : Rx_Only
Trap flag : No
Polling interval : 0s
Number of neighbors : 1
Number of MED neighbors : 1
Number of CDP neighbors : 0
Number of sent optional TLV : 0
Number of received unknown TLV : 0
Port 2 [GigabitEthernet4/0/2]:
Port status of LLDP : Enable
Admin status : Rx_Only
Trap flag : No
Polling interval : 0s
Number of neighbors : 1
Number of MED neighbors : 0
Number of CDP neighbors : 0
Number of sent optional TLV : 0
Number of received unknown TLV : 3
The output shows that GigabitEthernet 4/0/1 of Switch A connects to a MED device, and
GigabitEthernet 4/0/2 of Switch A connects to a non-MED device. Both ports operate in Rx mode;
in other words, they only receive LLDP frames.
# Tear down the link between Switch A and Switch B and then display the global LLDP status and
port LLDP status on Switch A.
[SwitchA] display lldp status
Global status of LLDP : Enable
The current number of LLDP neighbors : 1
The current number of CDP neighbors: 0
LLDP neighbor information last changed time: 0 days,0 hours,5 minutes,20 seconds
Transmit interval : 30s
Hold multiplier : 4
Reinit delay : 2s
Transmit delay : 2s
Trap interval : 5s
Fast start times : 3
Port 1 [GigabitEthernet4/0/1]:
Port status of LLDP : Enable
Admin status : Rx_Only
Trap flag : No
Polling interval : 0s
Number of neighbors : 1
Number of MED neighbors : 1
Number of CDP neighbors : 0
Number of sent optional TLV : 0
Number of received unknown TLV : 5
Port 2 [GigabitEthernet4/0/2]:
Port status of LLDP : Enable
Admin status : Rx_Only
Trap flag : No
Polling interval : 0s
Number of neighbors : 0
Number of MED neighbors : 0
Number of CDP neighbors : 0
Number of sent optional TLV : 0
Number of received unknown TLV : 0
The output shows that GigabitEthernet 4/0/2 of Switch A does not connect to any neighboring
switch.
Configuration procedure
1. Configure CDP-compatible LLDP on Switch A:
# Enable LLDP globally and enable LLDP to be compatible with CDP globally.
[SwitchA] lldp enable
[SwitchA] lldp compliance cdp
# Enable LLDP (you can skip this step because LLDP is enabled on ports by default), configure LLDP
to operate in TxRx mode, and configure CDP-compatible LLDP to operate in TxRx mode on
GigabitEthernet 4/0/1 and GigabitEthernet 4/0/2.
[SwitchA] interface gigabitethernet 4/0/1
[SwitchA-GigabitEthernet4/0/1] lldp enable
[SwitchA-GigabitEthernet4/0/1] lldp admin-status txrx
[SwitchA-GigabitEthernet4/0/1] lldp compliance admin-status cdp txrx
[SwitchA-GigabitEthernet4/0/1] quit
[SwitchA] interface gigabitethernet 4/0/2
[SwitchA-GigabitEthernet4/0/2] lldp enable
[SwitchA-GigabitEthernet4/0/2] lldp admin-status txrx
[SwitchA-GigabitEthernet4/0/2] lldp compliance admin-status cdp txrx
[SwitchA-GigabitEthernet4/0/2] quit
2. Verify the configuration by displaying the neighbor information on Switch A.
[SwitchA] display lldp neighbor-information
Configuring MVRP
Overview
Multiple Registration Protocol (MRP) is an attribute registration protocol that transmits attribute messages.
An application that complies with MRP is called an "MRP application". Multiple VLAN Registration
Protocol (MVRP) is a typical MRP application. MRP is an enhanced version of Generic Attribute
Registration Protocol (GARP), and MVRP is an enhanced version of GARP VLAN Registration Protocol
(GVRP); both improve the declaration efficiency. MVRP propagates VLAN configuration information
among devices, and enables devices to learn and automatically synchronize VLAN configuration
information, reducing the configuration workload. When the network topology changes, MVRP
propagates and learns VLAN configuration information again according to the new topology, and
synchronizes with the network topology in real time. For more information about GVRP,
see "Configuring GVRP."
Introduction to MRP
Different from GARP, MRP allows participants in the same LAN to declare, propagate, and register
information (for example, VLAN information) on a per Multiple Spanning Tree Instance (MSTI) basis.
MRP implementation
Each port that participates in an MRP application (for example, MVRP) is called an "MRP participant".
MRP rapidly propagates the configuration information of an MRP participant throughout the LAN. As
shown in Figure 84, an MRP participant registers and deregisters its attribute values on other MRP
participants by sending declarations and withdrawals, and registers and deregisters the attribute values
of other participants according to the received declarations and withdrawals.
Figure 84 MRP implementation
MRP messages
MRP exchanges information among MRP participants by advertising MRP messages, including Join,
New, Leave, and LeaveAll. Join and New messages are declarations, and Leave and LeaveAll messages
are withdrawals. As an MRP application, MVRP also uses MRP messages for information exchange.
1. Join message
An MRP participant sends Join messages when it wishes to declare its attribute values and receives
Join messages from other MRP participants. When receiving a Join message, an MRP participant
sends a Join message to all participants except the sender.
Join messages fall into the following types:
◦ JoinEmpty—An MRP participant sends JoinEmpty messages to declare attribute values that it has not registered.
◦ JoinIn—An MRP participant sends JoinIn messages to declare attribute values that it has registered.
2. New message
When the Multiple Spanning Tree Protocol (MSTP) topology changes, in other words, when an
MSTP TcDetected event occurs, an MRP participant sends New messages to declare the topology
change. On receiving a New message, an MRP participant sends a New message out of each
port except the receiving port. Similar to a Join message, a New message enables MRP
participants to register attributes.
3. Leave message
An MRP participant sends Leave messages when it wishes to withdraw declarations of its attribute
values and receives Leave messages from other participants. When receiving a Leave message,
an MRP participant sends a Leave message to all participants except the sender.
4. LeaveAll message
Each MRP participant is configured with an individual LeaveAll timer. When the timer expires, the
MRP participant sends LeaveAll messages to deregister all attributes, so that any other MRP
participant can re-register all attributes. This process periodically clears the useless attributes in the
network. On receiving a LeaveAll message, MRP determines whether to send a Join message to
request the sender to re-register these attributes according to attribute status. On sending a
LeaveAll message, MRP restarts the LeaveAll timer.
MRP timers
The implementation of MRP uses the following timers to control MRP message transmission.
1. Periodic timer
On startup, an MRP participant starts its own Periodic timer to control MRP message transmission.
The MRP participant collects the MRP messages to be sent before the Periodic timer expires, and
sends the MRP messages in as few packets as possible when the Periodic timer expires and
meanwhile restarts the Periodic timer. This mechanism reduces the number of MRP protocol
packets periodically sent.
You can enable or disable the Periodic timer at the CLI. When you disable the Periodic timer, MRP
will not send MRP messages.
2. Join timer
The Join timer controls the transmission of Join messages. To make sure Join messages can be
reliably transmitted to other participants, an MRP participant waits for a period of the Join timer
after sending a Join message. If the participant receives JoinIn messages from other participants
before the Join timer expires, the participant does not re-send the Join message. When both the
Join timer and the Periodic timer expire, the participant re-sends the Join message.
3. Leave timer
The Leave timer controls the deregistration of attributes. When an MRP participant wishes other
participants to deregister its attributes, it sends a Leave message. On receiving a Leave message,
MRP starts the Leave timer, and deregisters the attributes if it does not receive any Join message for
the attributes before the Leave timer expires.
4. LeaveAll timer
On startup, an MRP participant starts its own LeaveAll timer. When the LeaveAll timer expires, MRP
sends out a LeaveAll message and restarts the LeaveAll timer. On receiving the LeaveAll message,
other participants re-register all the attributes and re-start their LeaveAll timer.
NOTE:
Though MRP participants throughout the network may be configured with different LeaveAll timers, an
MRP participant sends LeaveAll messages at the smallest interval among the neighboring participants’
LeaveAll timers. At the next startup, the LeaveAll timer of each participant randomly changes within a
certain range.
Figure 85 shows the format of an MRP protocol packet encapsulated in an IEEE 802.3 Ethernet frame.
Table 29 MRP protocol packet fields
Field             Description
MRPDU             MRP protocol data unit (MRPDU) encapsulated in the MRP protocol packet.
Message           Attribute message, which comprises the Attribute Type, Attribute Length, and Attribute List fields.
End Mark          End mark of the MRPDU or an attribute list field. This field is fixed at 0x00.
Attribute Type    Attribute type, which is VID Vector specified by the value of 1.
Vector Attribute  Vector attribute, which comprises the VectorHeader, FirstValue, and Vector fields.
Vector Header     Vector header, which comprises the LeaveAllEvent and NumberOfValues fields.
Vector            Attribute events, where each byte specifies three attribute events. The attribute events include:
                  • 0x00—New operator.
                  • 0x01—JoinIn operator.
                  • 0x02—In operator.
                  • 0x03—JoinMt operator.
                  • 0x04—Mt operator.
                  • 0x05—Lv operator.
                  Assume that the three attribute events sharing a byte are A1, A2, and A3. The value of the
                  byte A1A2A3 is ((A1 * 6 + A2) * 6) + A3, which ranges from 0 to 255.
The destination MAC addresses of MRP protocol packets are multicast MAC addresses, and vary with
MRP applications. For example, the destination MAC address is 01-80-C2-00-00-21 and the EtherType is
88F5 for MVRP protocol packets. When a device receives a packet from an MRP participant, it delivers
the packet to the MRP application identified by the destination MAC address.
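The three-events-per-byte packing of the Vector field can be inverted with two divisions by 6. The Python below is an added example, not code from this guide or from HP: it decodes one Vector Attribute and lists VLAN IDs that are declared but not on an allow-list. The 2-byte VectorHeader layout and the 2-byte FirstValue are taken from IEEE 802.1Q rather than from this page, and the sample bytes and allow-list are constructed.

```python
import struct

# Event codes as listed in the Vector row of Table 29.
EVENTS = {0: "New", 1: "JoinIn", 2: "In", 3: "JoinMt", 4: "Mt", 5: "Lv"}
# New and Join events are declarations; JoinMt corresponds to the JoinEmpty message.
DECLARATIONS = {"New", "JoinIn", "JoinMt"}


def unpack_three(byte):
    """Invert byte = ((A1 * 6 + A2) * 6) + A3 and return (A1, A2, A3)."""
    a1, rest = divmod(byte, 36)
    a2, a3 = divmod(rest, 6)
    if a1 not in EVENTS:  # a2 and a3 are always 0..5, but a1 can reach 7
        raise ValueError(f"byte 0x{byte:02x} packs undefined event code {a1}")
    return a1, a2, a3


def parse_vector_attribute(buf):
    """Decode VectorHeader, FirstValue and Vector from the start of buf.

    Returns (leave_all_event, {vid: event_name}, bytes_consumed).
    Assumption (IEEE 802.1Q, not this guide): VectorHeader is 2 bytes holding
    LeaveAllEvent * 8192 + NumberOfValues, and FirstValue is a 2-byte VLAN ID.
    """
    if len(buf) < 4:
        raise ValueError("truncated VectorHeader/FirstValue")
    header, first_vid = struct.unpack_from("!HH", buf, 0)
    leave_all, count = header >> 13, header & 0x1FFF
    vector_len = (count + 2) // 3  # three events per byte, rounded up
    if len(buf) < 4 + vector_len:
        raise ValueError("Vector is shorter than NumberOfValues requires")
    if count and not (1 <= first_vid and first_vid + count - 1 <= 4094):
        raise ValueError("VLAN ID range falls outside 1-4094")
    events = {}
    for i, byte in enumerate(buf[4:4 + vector_len]):
        for j, code in enumerate(unpack_three(byte)):
            index = 3 * i + j
            if index < count:  # unused slots in the last byte are padding
                events[first_vid + index] = EVENTS[code]
    return leave_all, events, 4 + vector_len


def unexpected_declarations(buf, allowed_vids):
    """Return [(vid, event)] for declared VLAN IDs that are not in allowed_vids."""
    _, events, _ = parse_vector_attribute(buf)
    return [(vid, ev) for vid, ev in sorted(events.items())
            if ev in DECLARATIONS and vid not in allowed_vids]


# Constructed sample: NumberOfValues = 4, FirstValue = VLAN 10, and the events
# JoinIn, Mt, New, Lv for VLANs 10-13 (0x3c = (1*6+4)*6+0, 0xb4 = (5*6+0)*6+0).
SAMPLE = bytes.fromhex("0004000a3cb4")

if __name__ == "__main__":
    print(parse_vector_attribute(SAMPLE))
    print(unexpected_declarations(SAMPLE, allowed_vids={10, 20}))
```
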
MVRP implementation
MVRP overview
As an MRP application, MVRP uses the operating mechanism of MRP to maintain and propagate
dynamic VLAN registration information throughout the network.
In a LAN, each MVRP-enabled device can receive the VLAN registration information from other MVRP
devices, and dynamically update its local database, including active VLANs and the ports through which
a VLAN can be reached. This makes sure all MVRP-enabled devices in a LAN maintain the same VLAN
information.
The VLAN information propagated by MVRP includes not only locally, manually configured static VLAN
information but also dynamic VLAN information from other devices.
MVRP registration modes
VLANs created manually and locally are called "static VLANs", and VLANs learned through MVRP are
called "dynamic VLANs". The following MVRP registration modes are available.
• Normal
A port in normal registration mode performs dynamic VLAN registrations and deregistrations, and
sends declarations and withdrawals for dynamic and static VLANs.
• Fixed
A port in fixed registration mode disables deregistering dynamic VLANs, sends declarations for
dynamic VLANs and static VLANs, and drops received MVRP protocol packets. As a result, a trunk
port in fixed registration mode does not deregister or register dynamic VLANs.
• Forbidden
A port in forbidden registration mode disables registering dynamic VLANs, sends declarations for
dynamic VLANs and static VLANs, and drops received MVRP protocol packets. As a result, a trunk
port in forbidden registration mode does not register dynamic VLANs, and does not re-register a
dynamic VLAN when the VLAN is deregistered.
NOTE:
• MVRP configuration made in Ethernet interface view or Layer 2 aggregate interface view takes effect on
the current interface only; MVRP configuration made in port group view takes effect on all the member
ports in the group.
• MVRP configuration made on a member port in an aggregation group takes effect only after the port is
removed from the aggregation group.
Configuring MVRP
CAUTION:
• MVRP and service loopback are mutually exclusive.
• MVRP can work with STP, RSTP, or MSTP, but not other link layer topology protocols, including PVST,
RRPP, and Smart Link. Ports blocked by STP, RSTP, or MSTP can receive and send MVRP protocol packets.
For more information about STP, RSTP, MSTP, and PVST, see "Configuring spanning tree protocols." For
more information about RRPP and Smart Link, see High Availability Configuration Guide.
• Do not enable both MVRP and remote port mirroring on a port. Otherwise, MVRP may register the
remote probe VLAN to unexpected ports, which would cause the monitor port to receive undesired
duplicates. For more information about port mirroring, see Network Management and Monitoring
Configuration Guide.
• Enabling MVRP on a Layer 2 aggregate interface enables both the aggregate interface and all Selected
member ports in the link aggregation group to participate in dynamic VLAN registration and
deregistration.
• MVRP runs on a per-MSTI basis. When configuring MVRP, make sure all MSTIs in the network are
effective and each MSTI is mapped to an existing VLAN on each device in the network.
Before enabling MVRP on a port, you must enable MVRP globally. You can configure MVRP only on trunk
ports, and you must assign the involved trunk ports to all dynamic VLANs.
To configure MVRP:
Step                                  Command                                            Remarks
7. Set the MVRP registration mode.    mvrp registration { fixed | forbidden | normal }   Optional. The default setting is normal registration mode.
3. Configure the LeaveAll timer.      mrp timer leaveall timer-value                     Optional. The default setting is 1000 centiseconds.
4. Configure the Join timer.          mrp timer join timer-value                         Optional. The default setting is 20 centiseconds.
5. Configure the Leave timer.         mrp timer leave timer-value                        Optional. The default setting is 60 centiseconds.
6. Configure the Periodic timer.      mrp timer periodic timer-value                     Optional. The default setting is 100 centiseconds.
Table 30 shows the value ranges for MRP timers (including Join, Leave, and LeaveAll timers) and their
dependencies.
• If you set a timer to a value beyond the allowed value range, your configuration will fail. To set the timer to
such a value, first change the allowed value range by tuning the value of another related timer.
• To restore the default settings of the timers, restore the Join timer first, followed by the Leave and
LeaveAll timers. You can restore the Periodic timer to the default at any time.
Table 30 Dependencies of the MRP timers
NOTE:
• The MRP timers apply to all MRP applications, for example, MVRP, on a port. To avoid frequent VLAN
registrations and deregistrations, use the same MRP timers throughout the network.
• Each port maintains its own Periodic, Join, and LeaveAll timers, and each attribute of a port maintains
a Leave timer.
NOTE:
• With GVRP compatibility enabled, MVRP can work with only STP or RSTP rather than MSTP. In this case,
if MVRP and MSTP run at the same time, the network might fail to work properly.
• With GVRP compatibility enabled, HP recommends that you disable the Periodic timer for MVRP.
Otherwise, the VLAN status might change frequently when the system is busy.
MVRP configuration examples
Configuration example for MVRP in normal registration mode
Network requirements
As shown in Figure 86, configure MSTP, map VLAN 10 to MSTI 1, map VLAN 20 to MSTI 2, and map the
other VLANs to MSTI 0.
Configure MVRP and set the MVRP registration mode to normal, so that Device A, Device B, Device C,
and Device D can register and deregister dynamic and static VLANs and keep identical VLAN
configuration for each MSTI.
Figure 86 Network diagram (MST region: Device A, Device B, Device C, and Device D; labels: "Permit: all VLAN", GE3/0/2, GE3/0/3)
Configuration procedure
1. Configure Device A:
# Enter MST region view.
<DeviceA> system-view
[DeviceA] stp region-configuration
# Configure the MST region name, VLAN-to-instance mappings, and revision level.
[DeviceA-mst-region] region-name example
[DeviceA-mst-region] instance 1 vlan 10
[DeviceA-mst-region] instance 2 vlan 20
[DeviceA-mst-region] revision-level 0
# Manually activate the MST region configuration.
[DeviceA-mst-region] active region-configuration
[DeviceA-mst-region] quit
# Configure Device A as the primary root bridge of MSTI 1.
[DeviceA] stp instance 1 root primary
# Globally enable the spanning tree feature.
[DeviceA] stp enable
# Globally enable MVRP.
[DeviceA] mvrp global enable
# Configure port GigabitEthernet 3/0/1 as a trunk port, and configure it to permit all VLANs.
[DeviceA] interface GigabitEthernet 3/0/1
[DeviceA-GigabitEthernet3/0/1] port link-type trunk
[DeviceA-GigabitEthernet3/0/1] port trunk permit vlan all
# Enable MVRP on port GigabitEthernet 3/0/1.
[DeviceA-GigabitEthernet3/0/1] mvrp enable
[DeviceA-GigabitEthernet3/0/1] quit
# Configure port GigabitEthernet 3/0/2 as a trunk port, and configure it to permit VLAN 40.
[DeviceA] interface GigabitEthernet 3/0/2
[DeviceA-GigabitEthernet3/0/2] port link-type trunk
[DeviceA-GigabitEthernet3/0/2] port trunk permit vlan 40
# Enable MVRP on port GigabitEthernet 3/0/2.
[DeviceA-GigabitEthernet3/0/2] mvrp enable
[DeviceA-GigabitEthernet3/0/2] quit
# Configure port GigabitEthernet 3/0/3 as a trunk port, and configure it to permit all VLANs.
[DeviceA] interface GigabitEthernet 3/0/3
[DeviceA-GigabitEthernet3/0/3] port link-type trunk
[DeviceA-GigabitEthernet3/0/3] port trunk permit vlan all
# Enable MVRP on port GigabitEthernet 3/0/3.
[DeviceA-GigabitEthernet3/0/3] mvrp enable
[DeviceA-GigabitEthernet3/0/3] quit
# Create VLAN 10.
[DeviceA] vlan 10
[DeviceA-vlan10] quit
2. Configure Device B:
# Enter MST region view.
<DeviceB> system-view
[DeviceB] stp region-configuration
# Configure the MST region name, VLAN-to-instance mappings, and revision level.
[DeviceB-mst-region] region-name example
[DeviceB-mst-region] instance 1 vlan 10
[DeviceB-mst-region] instance 2 vlan 20
[DeviceB-mst-region] revision-level 0
# Manually activate the MST region configuration.
[DeviceB-mst-region] active region-configuration
[DeviceB-mst-region] quit
# Configure Device B as the primary root bridge of MSTI 2.
[DeviceB] stp instance 2 root primary
# Globally enable the spanning tree feature.
[DeviceB] stp enable
# Globally enable MVRP.
[DeviceB] mvrp global enable
# Configure port GigabitEthernet 3/0/1 as a trunk port, and configure it to permit VLANs 20 and
40.
[DeviceB] interface GigabitEthernet 3/0/1
[DeviceB-GigabitEthernet3/0/1] port link-type trunk
[DeviceB-GigabitEthernet3/0/1] port trunk permit vlan 20 40
# Enable MVRP on port GigabitEthernet 3/0/1.
[DeviceB-GigabitEthernet3/0/1] mvrp enable
[DeviceB-GigabitEthernet3/0/1] quit
# Configure port GigabitEthernet 3/0/2 as a trunk port, and configure it to permit all VLANs.
[DeviceB] interface GigabitEthernet 3/0/2
[DeviceB-GigabitEthernet3/0/2] port link-type trunk
[DeviceB-GigabitEthernet3/0/2] port trunk permit vlan all
# Enable MVRP on port GigabitEthernet 3/0/2.
[DeviceB-GigabitEthernet3/0/2] mvrp enable
[DeviceB-GigabitEthernet3/0/2] quit
# Configure port GigabitEthernet 3/0/3 as a trunk port, and configure it to permit all VLANs.
[DeviceB] interface GigabitEthernet 3/0/3
[DeviceB-GigabitEthernet3/0/3] port link-type trunk
[DeviceB-GigabitEthernet3/0/3] port trunk permit vlan all
# Enable MVRP on port GigabitEthernet 3/0/3.
[DeviceB-GigabitEthernet3/0/3] mvrp enable
[DeviceB-GigabitEthernet3/0/3] quit
# Create VLAN 20.
[DeviceB] vlan 20
[DeviceB-vlan20] quit
3. Configure Device C:
# Enter MST region view.
<DeviceC> system-view
[DeviceC] stp region-configuration
# Configure the MST region name, VLAN-to-instance mappings, and revision level.
[DeviceC-mst-region] region-name example
[DeviceC-mst-region] instance 1 vlan 10
[DeviceC-mst-region] instance 2 vlan 20
[DeviceC-mst-region] revision-level 0
# Manually activate the MST region configuration.
[DeviceC-mst-region] active region-configuration
[DeviceC-mst-region] quit
# Globally enable the spanning tree feature.
[DeviceC] stp enable
# Globally enable MVRP.
[DeviceC] mvrp global enable
# Configure port GigabitEthernet 3/0/1 as a trunk port, and configure it to permit all VLANs.
[DeviceC] interface GigabitEthernet 3/0/1
[DeviceC-GigabitEthernet3/0/1] port link-type trunk
[DeviceC-GigabitEthernet3/0/1] port trunk permit vlan all
# Enable MVRP on port GigabitEthernet 3/0/1.
[DeviceC-GigabitEthernet3/0/1] mvrp enable
[DeviceC-GigabitEthernet3/0/1] quit
# Configure port GigabitEthernet 3/0/2 as a trunk port, and configure it to permit all VLANs.
[DeviceC] interface GigabitEthernet 3/0/2
[DeviceC-GigabitEthernet3/0/2] port link-type trunk
[DeviceC-GigabitEthernet3/0/2] port trunk permit vlan all
# Enable MVRP on port GigabitEthernet 3/0/2.
[DeviceC-GigabitEthernet3/0/2] mvrp enable
[DeviceC-GigabitEthernet3/0/2] quit
# Configure port GigabitEthernet 3/0/3 as a trunk port, and configure it to permit VLANs 30 and
40.
[DeviceC] interface GigabitEthernet 3/0/3
[DeviceC-GigabitEthernet3/0/3] port link-type trunk
[DeviceC-GigabitEthernet3/0/3] port trunk permit vlan 30 40
# Enable MVRP on port GigabitEthernet 3/0/3.
[DeviceC-GigabitEthernet3/0/3] mvrp enable
[DeviceC-GigabitEthernet3/0/3] quit
4. Configure Device D:
# Enter MST region view.
<DeviceD> system-view
[DeviceD] stp region-configuration
# Configure the MST region name, VLAN-to-instance mappings, and revision level.
[DeviceD-mst-region] region-name example
[DeviceD-mst-region] instance 1 vlan 10
[DeviceD-mst-region] instance 2 vlan 20
[DeviceD-mst-region] revision-level 0
# Manually activate the MST region configuration.
[DeviceD-mst-region] active region-configuration
[DeviceD-mst-region] quit
# Globally enable the spanning tree feature.
[DeviceD] stp enable
# Globally enable MVRP.
[DeviceD] mvrp global enable
# Configure port GigabitEthernet 3/0/1 as a trunk port, and configure it to permit VLANs 20 and
40.
[DeviceD] interface GigabitEthernet 3/0/1
[DeviceD-GigabitEthernet3/0/1] port link-type trunk
[DeviceD-GigabitEthernet3/0/1] port trunk permit vlan 20 40
# Enable MVRP on port GigabitEthernet 3/0/1.
[DeviceD-GigabitEthernet3/0/1] mvrp enable
[DeviceD-GigabitEthernet3/0/1] quit
# Configure port GigabitEthernet 3/0/2 as a trunk port, and configure it to permit VLAN 40.
[DeviceD] interface GigabitEthernet 3/0/2
[DeviceD-GigabitEthernet3/0/2] port link-type trunk
[DeviceD-GigabitEthernet3/0/2] port trunk permit vlan 40
# Enable MVRP on port GigabitEthernet 3/0/2.
[DeviceD-GigabitEthernet3/0/2] mvrp enable
[DeviceD-GigabitEthernet3/0/2] quit
# Configure port GigabitEthernet 3/0/3 as a trunk port, and configure it to permit VLANs 30 and
40.
[DeviceD] interface GigabitEthernet 3/0/3
[DeviceD-GigabitEthernet3/0/3] port link-type trunk
[DeviceD-GigabitEthernet3/0/3] port trunk permit vlan 30 40
# Enable MVRP on port GigabitEthernet 3/0/3.
[DeviceD-GigabitEthernet3/0/3] mvrp enable
[DeviceD-GigabitEthernet3/0/3] quit
5. Verify the configuration:
Use the display mvrp running-status command to display the local MVRP VLAN information to
verify whether the configuration takes effect.
# Check the local VLAN information on Device A.
[DeviceA] display mvrp running-status
-------[MVRP Global Info]-------
Global Status : Enabled
Compliance-GVRP : False
----[GigabitEthernet3/0/1] ----
Config Status : Enabled
Running Status : Enabled
Join Timer : 20 (centiseconds)
Leave Timer : 60 (centiseconds)
Periodic Timer : 100 (centiseconds)
LeaveAll Timer : 1000 (centiseconds)
Registration Type : Normal
Local VLANs :
1(default),
----[GigabitEthernet3/0/2] ----
Config Status : Enabled
Running Status : Enabled
Join Timer : 20 (centiseconds)
Leave Timer : 60 (centiseconds)
Periodic Timer : 100 (centiseconds)
LeaveAll Timer : 1000 (centiseconds)
Registration Type : Normal
Local VLANs :
1(default),
----[GigabitEthernet3/0/3] ----
Config Status : Enabled
Running Status : Enabled
Join Timer : 20 (centiseconds)
Leave Timer : 60 (centiseconds)
Periodic Timer : 100 (centiseconds)
LeaveAll Timer : 1000 (centiseconds)
Registration Type : Normal
Local VLANs :
1(default), 20,
The output shows that:
◦ Ports GigabitEthernet 3/0/1 and GigabitEthernet 3/0/2 have learned only VLAN 1 through MVRP.
◦ Port GigabitEthernet 3/0/3 has learned VLAN 1 and dynamic VLAN 20 created on Device B through MVRP.
# Check the local VLAN information on Device B.
[DeviceB] display mvrp running-status
-------[MVRP Global Info]-------
Global Status : Enabled
Compliance-GVRP : False
----[GigabitEthernet3/0/1] ----
Config Status : Enabled
Running Status : Enabled
Join Timer : 20 (centiseconds)
Leave Timer : 60 (centiseconds)
Periodic Timer : 100 (centiseconds)
LeaveAll Timer : 1000 (centiseconds)
Registration Type : Normal
Local VLANs :
1(default),
----[GigabitEthernet3/0/2] ----
Config Status : Enabled
Running Status : Enabled
Join Timer : 20 (centiseconds)
Leave Timer : 60 (centiseconds)
Periodic Timer : 100 (centiseconds)
LeaveAll Timer : 1000 (centiseconds)
Registration Type : Normal
Local VLANs :
1(default),
----[GigabitEthernet3/0/3] ----
Config Status : Enabled
Running Status : Enabled
Join Timer : 20 (centiseconds)
Leave Timer : 60 (centiseconds)
Periodic Timer : 100 (centiseconds)
LeaveAll Timer : 1000 (centiseconds)
Registration Type : Normal
Local VLANs :
1(default), 10,
The output shows that:
◦ Ports GigabitEthernet 3/0/1 and GigabitEthernet 3/0/2 have learned only VLAN 1 through MVRP.
◦ Port GigabitEthernet 3/0/3 has learned VLAN 1 and dynamic VLAN 10 created on Device A through MVRP.
# Check the local VLAN information on Device C.
[DeviceC] display mvrp running-status
-------[MVRP Global Info]-------
Global Status : Enabled
Compliance-GVRP : False
----[GigabitEthernet3/0/1] ----
Config Status : Enabled
Running Status : Enabled
Join Timer : 20 (centiseconds)
Leave Timer : 60 (centiseconds)
Periodic Timer : 100 (centiseconds)
LeaveAll Timer : 1000 (centiseconds)
Registration Type : Normal
Local VLANs :
1(default), 10,
----[GigabitEthernet3/0/2] ----
Config Status : Enabled
Running Status : Enabled
Join Timer : 20 (centiseconds)
Leave Timer : 60 (centiseconds)
Periodic Timer : 100 (centiseconds)
LeaveAll Timer : 1000 (centiseconds)
Registration Type : Normal
Local VLANs :
1(default), 20,
----[GigabitEthernet3/0/3] ----
Config Status : Enabled
Running Status : Enabled
Join Timer : 20 (centiseconds)
Leave Timer : 60 (centiseconds)
Periodic Timer : 100 (centiseconds)
LeaveAll Timer : 1000 (centiseconds)
Registration Type : Normal
Local VLANs :
1(default),
The output shows that:
◦ Port GigabitEthernet 3/0/1 has learned VLAN 1 and dynamic VLAN 10 created on Device A through MVRP.
◦ Port GigabitEthernet 3/0/2 has learned VLAN 1 and dynamic VLAN 20 created on Device B through MVRP.
◦ Port GigabitEthernet 3/0/3 has learned only VLAN 1 through MVRP.
# Check the local VLAN information on Device D.
[DeviceD] display mvrp running-status
-------[MVRP Global Info]-------
Global Status : Enabled
Compliance-GVRP : False
----[GigabitEthernet3/0/1] ----
Config Status : Enabled
Running Status : Enabled
Join Timer : 20 (centiseconds)
Leave Timer : 60 (centiseconds)
Periodic Timer : 100 (centiseconds)
LeaveAll Timer : 1000 (centiseconds)
Registration Type : Normal
Local VLANs :
1(default), 20,
----[GigabitEthernet3/0/2] ----
Config Status : Enabled
Running Status : Enabled
Join Timer : 20 (centiseconds)
Leave Timer : 60 (centiseconds)
Periodic Timer : 100 (centiseconds)
LeaveAll Timer : 1000 (centiseconds)
Registration Type : Normal
Local VLANs :
1(default),
----[GigabitEthernet3/0/3] ----
Config Status : Enabled
Running Status : Enabled
Join Timer : 20 (centiseconds)
Leave Timer : 60 (centiseconds)
Periodic Timer : 100 (centiseconds)
LeaveAll Timer : 1000 (centiseconds)
Registration Type : Normal
Local VLANs :
1(default),
The output shows that:
◦ Port GigabitEthernet 3/0/1 has learned VLAN 1 and dynamic VLAN 20 created on Device B through MVRP.
◦ Ports GigabitEthernet 3/0/2 and GigabitEthernet 3/0/3 have learned only VLAN 1 through MVRP.
Configuration example for MVRP in fixed registration mode
Network requirements
As shown in Figure 87, enable MVRP and set the MVRP registration mode to fixed on GigabitEthernet
3/0/1 on Device B, so that the dynamic VLANs on Device B are not deregistered.
Figure 87 Network diagram
Configuration procedure
1. Configure Device A:
# Globally enable MVRP.
<DeviceA> system-view
[DeviceA] mvrp global enable
# Configure GigabitEthernet 3/0/1 as a trunk port, and configure it to permit all VLANs.
[DeviceA] interface GigabitEthernet 3/0/1
[DeviceA-GigabitEthernet3/0/1] port link-type trunk
[DeviceA-GigabitEthernet3/0/1] port trunk permit vlan all
# Enable MVRP on GigabitEthernet 3/0/1.
[DeviceA-GigabitEthernet3/0/1] mvrp enable
[DeviceA-GigabitEthernet3/0/1] quit
# Create VLAN 2.
[DeviceA] vlan 2
[DeviceA-vlan2] quit
2. Configure Device B:
# Globally enable MVRP.
<DeviceB> system-view
[DeviceB] mvrp global enable
# Configure GigabitEthernet 3/0/1 as a trunk port, and configure it to permit all VLANs.
[DeviceB] interface GigabitEthernet 3/0/1
[DeviceB-GigabitEthernet3/0/1] port link-type trunk
[DeviceB-GigabitEthernet3/0/1] port trunk permit vlan all
# Enable MVRP on GigabitEthernet 3/0/1.
[DeviceB-GigabitEthernet3/0/1] mvrp enable
[DeviceB-GigabitEthernet3/0/1] quit
# Create VLAN 3.
[DeviceB] vlan 3
[DeviceB-vlan3] quit
3. Verify the configuration:
Use the display mvrp running-status command to display the local MVRP VLAN information to
verify whether the configuration takes effect.
# Check the local VLAN information on GigabitEthernet 3/0/1 of Device A.
[DeviceA] display mvrp running-status
-------[MVRP Global Info]-------
Global Status : Enabled
Compliance-GVRP : False
----[GigabitEthernet3/0/1] ----
Config Status : Enabled
Running Status : Enabled
Join Timer : 20 (centiseconds)
Leave Timer : 60 (centiseconds)
Periodic Timer : 100 (centiseconds)
LeaveAll Timer : 1000 (centiseconds)
Registration Type : Normal
Local VLANs :
1(default), 3,
The output shows that GigabitEthernet 3/0/1 has learned VLAN 1 and dynamic VLAN 3 created
on Device B through MVRP.
# Check the local VLAN information on GigabitEthernet 3/0/1 of Device B.
[DeviceB] display mvrp running-status
-------[MVRP Global Info]-------
Global Status : Enabled
Compliance-GVRP : False
----[GigabitEthernet3/0/1] ----
Config Status : Enabled
Running Status : Enabled
Join Timer : 20 (centiseconds)
Leave Timer : 60 (centiseconds)
Periodic Timer : 100 (centiseconds)
LeaveAll Timer : 1000 (centiseconds)
Registration Type : Normal
Local VLANs :
1(default), 2,
The output shows that GigabitEthernet 3/0/1 has learned VLAN 1 and dynamic VLAN 2 created
on Device A through MVRP.
4. Set the MVRP registration mode to fixed on GigabitEthernet 3/0/1 of Device B:
# Set the MVRP registration mode to fixed on GigabitEthernet 3/0/1.
[DeviceB] interface GigabitEthernet 3/0/1
[DeviceB-GigabitEthernet3/0/1] mvrp registration fixed
[DeviceB-GigabitEthernet3/0/1] quit
# Check the local VLAN information on GigabitEthernet 3/0/1 of Device B.
[DeviceB] display mvrp running-status
-------[MVRP Global Info]-------
Global Status : Enabled
Compliance-GVRP : False
----[GigabitEthernet3/0/1] ----
Config Status : Enabled
Running Status : Enabled
Join Timer : 20 (centiseconds)
Leave Timer : 60 (centiseconds)
Periodic Timer : 100 (centiseconds)
LeaveAll Timer : 1000 (centiseconds)
Registration Type : Fixed
Local VLANs :
1(default), 2,
The output shows that the local VLAN information on GigabitEthernet 3/0/1 is the same as that
before the MVRP registration mode is set to fixed.
5. Delete VLAN 2 on Device A:
# Delete VLAN 2 on Device A.
[DeviceA] undo vlan 2
# Check the local VLAN information on GigabitEthernet 3/0/1 of Device B.
[DeviceB] display mvrp running-status
-------[MVRP Global Info]-------
Global Status : Enabled
Compliance-GVRP : False
----[GigabitEthernet3/0/1] ----
Config Status : Enabled
Running Status : Enabled
Join Timer : 20 (centiseconds)
Leave Timer : 60 (centiseconds)
Periodic Timer : 100 (centiseconds)
LeaveAll Timer : 1000 (centiseconds)
Registration Type : Fixed
Local VLANs :
1(default), 2,
The output shows that the dynamic VLAN information on GigabitEthernet 3/0/1 does not change
after VLAN 2 is deleted from Device A.
Configuration procedure
1. Configure Device A:
# Globally enable MVRP.
<DeviceA> system-view
[DeviceA] mvrp global enable
# Configure GigabitEthernet 3/0/1 as a trunk port, and configure it to permit all VLANs.
[DeviceA] interface GigabitEthernet 3/0/1
[DeviceA-GigabitEthernet3/0/1] port link-type trunk
[DeviceA-GigabitEthernet3/0/1] port trunk permit vlan all
# Enable MVRP on GigabitEthernet 3/0/1.
[DeviceA-GigabitEthernet3/0/1] mvrp enable
[DeviceA-GigabitEthernet3/0/1] quit
# Create static VLAN 2.
[DeviceA] vlan 2
[DeviceA-vlan2] quit
2. Configure Device B:
# Globally enable MVRP.
<DeviceB> system-view
[DeviceB] mvrp global enable
# Configure GigabitEthernet 3/0/1 as a trunk port, and configure it to permit all VLANs.
[DeviceB] interface GigabitEthernet 3/0/1
[DeviceB-GigabitEthernet3/0/1] port link-type trunk
[DeviceB-GigabitEthernet3/0/1] port trunk permit vlan all
# Enable MVRP on GigabitEthernet 3/0/1.
[DeviceB-GigabitEthernet3/0/1] mvrp enable
[DeviceB-GigabitEthernet3/0/1] quit
# Create VLAN 3.
[DeviceB] vlan 3
[DeviceB-vlan3] quit
3. Verify the configuration:
Use the display mvrp running-status command to display the local MVRP VLAN information to
verify whether the configuration takes effect.
# Check the local VLAN information on GigabitEthernet 3/0/1 of Device A.
[DeviceA] display mvrp running-status
-------[MVRP Global Info]-------
Global Status : Enabled
Compliance-GVRP : False
----[GigabitEthernet3/0/1] ----
Config Status : Enabled
Running Status : Enabled
Join Timer : 20 (centiseconds)
Leave Timer : 60 (centiseconds)
Periodic Timer : 100 (centiseconds)
LeaveAll Timer : 1000 (centiseconds)
Registration Type : Normal
Local VLANs :
1(default), 3,
The output shows that GigabitEthernet 3/0/1 has learned VLAN 1 and dynamic VLAN 3 created
on Device B through MVRP.
# Check the local VLAN information on GigabitEthernet 3/0/1 of Device B.
[DeviceB] display mvrp running-status
-------[MVRP Global Info]-------
Global Status : Enabled
Compliance-GVRP : False
----[GigabitEthernet3/0/1] ----
Config Status : Enabled
Running Status : Enabled
Join Timer : 20 (centiseconds)
Leave Timer : 60 (centiseconds)
Periodic Timer : 100 (centiseconds)
LeaveAll Timer : 1000 (centiseconds)
Registration Type : Normal
Local VLANs :
1(default), 2,
The output shows that GigabitEthernet 3/0/1 has learned VLAN 1 and dynamic VLAN 2 created
on Device A through MVRP.
4. Set the MVRP registration mode to forbidden on GigabitEthernet 3/0/1 of Device B:
# Set the MVRP registration mode to forbidden on GigabitEthernet 3/0/1 of Device B.
[DeviceB] interface GigabitEthernet 3/0/1
[DeviceB-GigabitEthernet3/0/1] mvrp registration forbidden
# Several seconds after the LeaveAll timer (10 seconds by default) expires, check the local VLAN
information on GigabitEthernet 3/0/1 of Device B.
[DeviceB-GigabitEthernet3/0/1] display mvrp running-status
-------[MVRP Global Info]-------
Global Status : Enabled
Compliance-GVRP : False
----[GigabitEthernet3/0/1] ----
Config Status : Enabled
Running Status : Enabled
Join Timer : 20 (centiseconds)
Leave Timer : 60 (centiseconds)
Periodic Timer : 100 (centiseconds)
LeaveAll Timer : 1000 (centiseconds)
Registration Type : Forbidden
Local VLANs :
1(default),
The output shows that the local VLAN information on GigabitEthernet 3/0/1 of Device A does not
contain VLAN 2 and the port configured with forbidden MVRP registration mode does not
reregister dynamic VLANs that have been deregistered.
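The verification steps in these examples read the display mvrp running-status output by eye; the same check can be scripted across many switches. The Python below is an added example, not part of the HP guide: it parses output in the format shown above and reports ports whose registration mode, learned VLANs, or MRP timers differ from a baseline. The sample output, the VLAN allow-list, and the choice of fixed mode as the baseline are constructed assumptions.

```python
import re

HEADER_RE = re.compile(r"^-+\[([^\]]+)\]\s*-+$")
FIELD_RE = re.compile(r"^([A-Za-z][A-Za-z\- ]*?)\s*:\s*(.*)$")
# Default timer values (centiseconds) as stated in this guide.
DEFAULT_TIMERS = {"Join Timer": 20, "Leave Timer": 60,
                  "Periodic Timer": 100, "LeaveAll Timer": 1000}


def vlan_ids(text):
    """Extract VLAN IDs from a line such as '1(default), 20,'."""
    return [int(n) for n in re.findall(r"\d+", text)]


def parse_running_status(text):
    """Return {'global': {...}, 'ports': {port_name: {...}}}."""
    status = {"global": {}, "ports": {}}
    section, in_vlans = status["global"], False
    for line in (raw.strip() for raw in text.splitlines()):
        if not line:
            continue
        header = HEADER_RE.match(line)
        field = FIELD_RE.match(line)
        if header:
            name = header.group(1).strip()
            if name == "MVRP Global Info":
                section = status["global"]
            else:
                section = status["ports"].setdefault(name, {"Local VLANs": []})
            in_vlans = False
        elif field:
            key, value = field.group(1), field.group(2).strip()
            in_vlans = key == "Local VLANs"
            section[key] = vlan_ids(value) if in_vlans else value
        elif in_vlans:  # the VLAN list continues on the lines after its label
            section["Local VLANs"].extend(vlan_ids(line))
    return status


def audit(status, allowed_vlans, expected_mode, expected_timers):
    """Return [(port, kind, observed)] for every deviation from the baseline."""
    findings = []
    for port, info in status["ports"].items():
        mode = info.get("Registration Type")
        if mode != expected_mode:
            findings.append((port, "mode", mode))
        for vid in sorted(set(info["Local VLANs"]) - set(allowed_vlans)):
            findings.append((port, "vlan", vid))
        for name, expected in expected_timers.items():
            actual = int(info.get(name, "0").split()[0])
            if actual != expected:
                findings.append((port, name, actual))
    return findings


# Constructed sample in the format of the outputs above (not from a real device).
SAMPLE = """\
-------[MVRP Global Info]-------
Global Status : Enabled
Compliance-GVRP : False
----[GigabitEthernet3/0/1] ----
Config Status : Enabled
Running Status : Enabled
Join Timer : 20 (centiseconds)
Leave Timer : 60 (centiseconds)
Periodic Timer : 100 (centiseconds)
LeaveAll Timer : 1000 (centiseconds)
Registration Type : Fixed
Local VLANs :
1(default), 2,
----[GigabitEthernet3/0/2] ----
Config Status : Enabled
Running Status : Enabled
Join Timer : 40 (centiseconds)
Leave Timer : 60 (centiseconds)
Periodic Timer : 100 (centiseconds)
LeaveAll Timer : 1000 (centiseconds)
Registration Type : Normal
Local VLANs :
1(default), 30,
"""

if __name__ == "__main__":
    for finding in audit(parse_running_status(SAMPLE), {1, 2}, "Fixed", DEFAULT_TIMERS):
        print(finding)
```
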
249
Support and other resources
Contacting HP
For worldwide technical support information, see the HP support website:
http://www.hp.com/support
Before contacting HP, collect the following information:
• Product model names and numbers
• Technical support registration number (if applicable)
• Product serial numbers
• Error messages
• Operating system type and revision level
• Detailed questions
Subscription service
HP recommends that you register your product at the Subscriber's Choice for Business website:
http://www.hp.com/go/wwalerts
After registering, you will receive email notification of product enhancements, new driver versions,
firmware updates, and other product resources.
Related information
Documents
To find related documents, browse to the Manuals page of the HP Business Support Center website:
http://www.hp.com/support/manuals
• For related documentation, navigate to the Networking section, and select a networking category.
• For a complete list of acronyms and their definitions, see HP FlexNetwork Technology Acronyms.
Websites
• HP.com http://www.hp.com
• HP Networking http://www.hp.com/go/networking
• HP manuals http://www.hp.com/support/manuals
• HP download drivers and software http://www.hp.com/support/downloads
• HP software depot http://www.software.hp.com
• HP Education http://www.hp.com/learn
Conventions
This section describes the conventions used in this documentation set.
Command conventions
Convention Description
Boldface Bold text represents commands and keywords that you enter literally as shown.
Italic Italic text represents arguments that you replace with actual values.
[] Square brackets enclose syntax choices (keywords or arguments) that are optional.
{ x | y | ... } Braces enclose a set of required syntax choices separated by vertical bars, from which you select one.
[ x | y | ... ] Square brackets enclose a set of optional syntax choices separated by vertical bars, from which you select one or none.
&<1-n> The argument or keyword and argument combination before the ampersand (&) sign can be entered 1 to n times.
GUI conventions
Convention Description
Boldface Window names, button names, field names, and menu items are in bold text. For example, the New User window appears; click OK.
> Multi-level menus are separated by angle brackets. For example, File > Create > Folder.
Symbols
Convention Description
WARNING An alert that calls attention to important information that if not understood or followed can result in personal injury.
CAUTION An alert that calls attention to important information that if not understood or followed can result in data loss, data corruption, or damage to hardware or software.
Network topology icons
Represents a generic switch, such as a Layer 2 or Layer 3 switch, or a router that supports
Layer 2 forwarding and other Layer 2 features.