S7700 and S9700 V200R008C00 Configuration Guide - Device Management PDF

S7700 and S9700 Series Switches
V200R008C00
Configuration Guide - Device

Management
Issue 07
Date 2017-11-30
HUAWEI TECHNOLOGIES CO., LTD.

Copyright © Huawei Technologies Co., Ltd. 2017. All rights reserved.
No part of this document may be reproduced or transmitted in any form or by any means without prior written
consent of Huawei Technologies Co., Ltd.
Trademarks and Permissions
and other Huawei trademarks are trademarks of Huawei Technologies Co., Ltd.
All other trademarks and trade names mentioned in this document are the property of their respective
holders.
Notice
The purchased products, services and features are stipulated by the contract made between Huawei and the
customer. All or part of the products, services and features described in this document may not be within the
purchase scope or the usage scope. Unless otherwise specified in the contract, all statements, information,
and recommendations in this document are provided "AS IS" without warranties, guarantees or
representations of any kind, either express or implied.
The information in this document is subject to change without notice. Every effort has been made in the
preparation of this document to ensure accuracy of the contents, but all statements, information, and
recommendations in this document do not constitute a warranty of any kind, express or implied.
Huawei Technologies Co., Ltd.

Address: Huawei Industrial Base
Bantian, Longgang
Shenzhen 518129
People's Republic of China
Website: http://e.huawei.com
Issue 07 (2017-11-30) Copyright © Huawei Technologies Co., Ltd. i

Configuration Guide - Device Management About This Document
About This Document
Intended Audience
This document provides the basic concepts, configuration procedures, and configuration
examples in different application scenarios of the device management feature supported by
the device.
This document is intended for:
l Data configuration engineers

l Commissioning engineers
l Network monitoring engineers
l System maintenance engineers
Symbol Conventions
The symbols that may be found in this document are defined as follows.
Symbol Description
Indicates an imminently hazardous situation

which, if not avoided, will result in death or
serious injury.
Indicates a potentially hazardous situation

which, if not avoided, could result in death
or serious injury.

which, if not avoided, may result in minor
or moderate injury.

which, if not avoided, could result in
equipment damage, data loss, performance
deterioration, or unanticipated results.
NOTICE is used to address practices not
related to personal injury.
Issue 07 (2017-11-30) Copyright © Huawei Technologies Co., Ltd. ii

Symbol Description
NOTE Calls attention to important information,

best practices and tips.
NOTE is used to address information not
related to personal injury, equipment
damage, and environment deterioration.
Command Conventions
The command conventions that may be found in this document are defined as follows.
Convention Description
Boldface The keywords of a command line are in boldface.
Italic Command arguments are in italics.
[] Items (keywords or arguments) in brackets [ ] are optional.
{ x | y | ... } Optional items are grouped in braces and separated by

vertical bars. One item is selected.
[ x | y | ... ] Optional items are grouped in brackets and separated by

vertical bars. One item is selected or no item is selected.
{ x | y | ... }* Optional items are grouped in braces and separated by

vertical bars. A minimum of one item or a maximum of all
items can be selected.
[ x | y | ... ]* Optional items are grouped in brackets and separated by

vertical bars. Several items or no item can be selected.
&<1-n> The parameter before the & sign can be repeated 1 to n

times.
# A line starting with the # sign is comments.
Interface Numbering Conventions

Interface numbers used in this manual are examples. In device configuration, use the existing
interface numbers on devices.
Security Conventions
l Password setting
Issue 07 (2017-11-30) Copyright © Huawei Technologies Co., Ltd. iii

– When configuring a password, the cipher text is recommended. To ensure device

security, change the password periodically.
– When you configure a password in plain text that starts and ends with %^%#, %#
%#, %@%@ or @%@% (the password can be decrypted by the device), the
password is displayed in the same manner as the configured one in the
configuration file. Do not use this setting.
– When you configure a password in cipher text, different features cannot use the
same cipher-text password. For example, the cipher-text password set for the AAA
feature cannot be used for other features.
l Encryption algorithm
The switch currently supports the 3DES, AES, RSA, SHA1, SHA2, and MD5. 3DES,
RSA, and AES are reversible, whereas SHA1, SHA2, and MD5 are irreversible. Using
the encryption algorithms DES , 3DES, RSA (RSA-1024 or lower), MD5 (in digital
signature scenarios and password encryption), or SHA1 (in digital signature scenarios) is
a security risk. If protocols allow, use more secure encryption algorithms, such as AES,
RSA (RSA-2048 or higher), SHA2, or HMAC-SHA2.
l Personal data
Some personal data (such as MAC or IP addresses of terminals) may be obtained or used
during operation or fault location of your purchased products, services, features, so you
have an obligation to make privacy policies and take measures according to the
applicable law of the country to protect personal data.
l The terms mirrored port, port mirroring, traffic mirroring, and mirroing in this manual
are mentioned only to describe the product's function of communication error or failure
detection, and do not involve collection or processing of any personal information or
communication data of users.
Declaration
This manual is only a reference for you to configure your devices. The contents in the manual,
such as web pages, command line syntax, and command outputs, are based on the device
conditions in the lab. The manual provides instructions for general scenarios, but do not cover
all usage scenarios of all product models. The contents in the manual may be different from
your actual device situations due to the differences in software versions, models, and
configuration files. The manual will not list every possible difference. You should configure
your devices according to actual situations.
The specifications provided in this manual are tested in lab environment (for example, the
tested device has been installed with a certain type of boards or only one protocol is run on
the device). Results may differ from the listed specifications when you attempt to obtain the
maximum values with multiple functions enabled on the device.
Product Software Versions Matching NMS Versions

The product software versions matching NMS versions are as follows.
Issue 07 (2017-11-30) Copyright © Huawei Technologies Co., Ltd. iv

S7700 and S9700 Product NMS

Software Version
V200R008C00 eSight V300R003C20
Change History
Changes between document issues are cumulative. Therefore, the latest document version
contains all updates made to previous versions.
Changes in Issue 07 (2017-11-30) V200R008C00

This version has the following updates:
Mistakes in the document are corrected.





Some contents are modified according to updates in the product.

Initial commercial release.
Issue 07 (2017-11-30) Copyright © Huawei Technologies Co., Ltd. v

Configuration Guide - Device Management Contents
Contents
About This Document.....................................................................................................................ii

1 Displaying the Device Status...................................................................................................... 1
1.1 Displaying Hardware Information..................................................................................................................................1
1.1.1 Displaying Device Information................................................................................................................................... 1
1.1.1.1 How Can I Determine Whether the Card Status Is Normal?....................................................................................2
1.1.1.2 How Can I View the Card Type and Subcard Type?................................................................................................ 2
1.1.1.3 How Can I Determine Whether the Port on an LPU Is an Optical or Electrical Port?.............................................2
1.1.1.4 Why Does the Standby MPU Fail to Register?........................................................................................................ 3
1.1.1.5 What Does PowerOff Mean and Why Is PowerOff Displayed in an LPU's Status Information?............................4
1.1.1.6 What Does Unregistered Mean and Why Is Unregistered Displayed in an LPU's Status Information?.................. 4
1.1.2 Displaying Electronic Labels.......................................................................................................................................4
1.1.2.1 How Can I View the Chassis Electronic Label?.......................................................................................................5
1.1.2.2 How Can I View the Card Electronic Label?........................................................................................................... 5
1.1.2.3 How Can I View the Power Supply Electronic Label?.............................................................................................6
1.1.2.4 How Can I View the Fan Module Electronic Label?................................................................................................6
1.1.2.5 How Can I View the Optical Module Electronic Label?..........................................................................................7
1.1.2.6 How Can I View the Part Number and What Is the Relationship Between the Part Number and BarCode?.......... 7
1.1.2.7 What Are the MIB OIDs of Electronic Labels?....................................................................................................... 8
1.1.3 Displaying the Device Serial Number......................................................................................................................... 9
1.1.3.1 How Can I View the Serial Number of a Device?..................................................................................................10
1.1.3.2 How Can I View the Serial Number of a Card?..................................................................................................... 12
1.1.3.3 How Can I View the Serial Number of a Power Module?..................................................................................... 17
1.1.3.4 How Can I View the Serial Number of a Fan Module?..........................................................................................20
1.1.3.5 How Can I View the Serial Number of an Optical Module?..................................................................................21
1.1.4 Displaying Power Supply and Power Information.................................................................................................... 22
1.1.4.1 How Can I Determine Whether the Power Supply Status Is Abnormal?............................................................... 22
1.1.4.2 How Can I Determine a DC or AC Power Module?.............................................................................................. 23
1.1.4.3 How Can I View the Power of Power Modules?....................................................................................................23
1.1.4.4 What Are the MIB OIDs of System Power Information?...................................................................................... 24
1.1.5 Displaying the Fan Status.......................................................................................................................................... 24
1.1.6 Displaying Optical Module Information................................................................................................................... 25
1.1.6.1 What Is the Impact of Using Non-Huawei-Certified Optical Modules?................................................................ 25
1.1.6.2 How Can I Determine Whether an Optical Module Is a Huawei-Certified Switch Optical Module?................... 26
Issue 07 (2017-11-30) Copyright © Huawei Technologies Co., Ltd. vi

1.1.6.3 What Can I Do If the Optical Power Is Low or High?........................................................................................... 26

1.1.6.4 How Can I View Optical Power Information?....................................................................................................... 28
1.1.6.5 How Can I View the Optical Module Wavelength?............................................................................................... 29
1.1.6.6 How Can I View the Optical Module Transmission Distance?.............................................................................. 29
1.1.6.7 How Can I View the Temperature, Voltage, and Current of an Optical Module?.................................................. 30
1.1.6.8 Why I Cannot Obtain Optical Module Information?..............................................................................................31
1.1.6.9 How Can I Determine Whether an Optical Module Is Single-Mode or Multi-Mode?...........................................31
1.1.6.10 What Are the MIB OIDs of Optical Module Information?.................................................................................. 32
1.1.6.11 What Does Alarm information Mean in Optical Module Information?............................................................... 33
1.1.6.12 How Can I View the Optical Attenuation?........................................................................................................... 34
1.1.6.13 How Can I Determine Whether an Interface Has an Optical Module?................................................................ 34
1.1.7 Displaying the Card Voltage......................................................................................................................................36
1.1.7.1 Why Is a Voltage Alarm Generated and What Can I Do to Clear the Alarm?....................................................... 36
1.1.7.2 How Can I Determine Whether and Why the Voltage Is Abnormal?.....................................................................38
1.1.8 Displaying the Temperature.......................................................................................................................................41
1.1.8.1 How Can I Determine Whether the Card Temperature Is too High?..................................................................... 41
1.1.8.2 Why Is a High Temperature Alarm Generated and How Can This Alarm Be Cleared?........................................ 41
1.1.8.3 How Can I Determine Whether and Why the Temperature Is Abnormal?.............................................................43
1.2 Displaying the Version and Configuration................................................................................................................... 44
1.2.1 Displaying Version Information................................................................................................................................ 44
1.2.1.1 How Can I View the Hardware Version?................................................................................................................44
1.2.1.2 How Can I View the Running Time of a Device and Card?...................................................................................45
1.2.1.3 How Can I View the Number of LPUs Supported by a Device?............................................................................46
1.2.2 Displaying the Environment Monitoring Software Version...................................................................................... 46
1.2.3 Displaying the Current Configuration....................................................................................................................... 47
1.2.3.1 How Can I Determine Whether a Device Starts Using the Initial Configuration?.................................................47
1.2.3.2 How Can Low-Level Users View the Current Device Configuration?.................................................................. 48
1.2.3.3 How Can the Current Configuration Be Displayed on Multiple Screens?.............................................................48
1.3 Collecting Device Information by One Click...............................................................................................................48
1.3.1 Displaying Diagnostic Information........................................................................................................................... 48
1.3.2 Displaying the Device Health Status......................................................................................................................... 49
1.4 Displaying the System MAC Address..........................................................................................................................49
1.5 Displaying Alarm Information..................................................................................................................................... 49
1.6 Displaying the CPU Usage........................................................................................................................................... 50
1.6.1 Does a High CPU Usage Affect Data Forwarding?.................................................................................................. 50
1.6.2 What Do Common CPU Processes Such as VIDL, SOCK, and RPCQ Mean?........................................................51
1.6.3 How Can I Determine Whether CPU Usages of the System and Processes Are High?............................................52
1.6.4 What Can I Do If the CPU Usage Is High?............................................................................................................... 52
1.6.5 What Are the MIB OIDs of CPU Usage?..................................................................................................................53
1.7 Displaying the Memory Usage..................................................................................................................................... 53
1.7.1 How Can I Determine Whether the Memory Usage of a Device Is High?............................................................... 54
1.7.2 What Are the MIB OIDs of Memory Usage?............................................................................................................54
Issue 07 (2017-11-30) Copyright © Huawei Technologies Co., Ltd. vii

2 Hardware Management.............................................................................................................. 55
2.1 Configuring the Device MAC Address........................................................................................................................ 55
2.2 Backing Up Electronic Labels...................................................................................................................................... 56
2.3 Managing Device Resources........................................................................................................................................ 57
2.3.1 Configuring the SRU Hardware Engine.................................................................................................................... 57
2.3.2 Configuring the Internal Forwarding Resource Allocation Mode.............................................................................58
2.3.3 Configuring the Resource Mode of Extended Entry Space.......................................................................................59
2.3.4 Configuring the Fabric Mode.................................................................................................................................... 68
2.4 Managing the Active and Standby MPUs.................................................................................................................... 69
2.4.1 Resetting the Standby MPU...................................................................................................................................... 69
2.4.2 Configuring Active/Standby Switchover...................................................................................................................69
2.5 Managing a Card and Subcard......................................................................................................................................71
2.5.1 Resetting a Card.........................................................................................................................................................71
2.5.2 Powering On or Off a Card........................................................................................................................................72
2.5.3 Starting, Shutting Down, and Resetting the X86 Subcard on an OSP Card..............................................................72
2.6 Configuring the Alarm Function or Setting Alarm Thresholds....................................................................................73
2.6.1 Configuring Temperature Thresholds for Fan Speed Adjustment.............................................................................73
2.6.2 Configuring the CPU Usage Alarm Threshold..........................................................................................................74
2.6.3 Configuring the Memory Usage Alarm Threshold....................................................................................................74
2.6.4 Setting Optical Power Alarm Thresholds.................................................................................................................. 75
2.6.5 Configuring the Alarm Function for Non-Huawei-Certified switch Optical Modules............................................. 76
3 Information Center Configuration...........................................................................................78

3.1 Information Center Overview.......................................................................................................................................78
3.2 Principles...................................................................................................................................................................... 79
3.2.1 Information Classification......................................................................................................................................... 79
3.2.2 Information Hierarchy............................................................................................................................................... 79
3.2.3 Information Output.................................................................................................................................................... 80
3.2.4 Information Filtering................................................................................................................................................. 82
3.2.5 Information Output Format....................................................................................................................................... 82
3.2.6 Binary Log................................................................................................................................................................. 85
3.3 Applications..................................................................................................................................................................86
3.4 Licensing Requirements and Limitations for the Information Center..........................................................................88
3.5 Configuring Information Center................................................................................................................................... 89
3.5.1 Configuring Log Output............................................................................................................................................ 89
3.5.1.1 Enabling the Information Center............................................................................................................................ 91
3.5.1.2 (Optional) Naming an Information Channel.......................................................................................................... 91
3.5.1.3 (Optional) Configuring Log Filtering.....................................................................................................................92
3.5.1.4 (Optional) Setting the Timestamp Format of Logs ................................................................................................93
3.5.1.5 (Optional) Disabling the Log Counter Function.....................................................................................................93
3.5.1.6 (Optional) Configuring the Suppression of the Log Processing Rate.................................................................... 94
3.5.1.7 (Optional) Enabling Suppression of Statistics About Consecutive Repeated Logs............................................... 95
3.5.1.8 Configuring the Device to Output Logs to the Log Buffer.................................................................................... 96
Issue 07 (2017-11-30) Copyright © Huawei Technologies Co., Ltd. viii

3.5.1.9 Configuring the Device to Output Logs to a Log File............................................................................................96

3.5.1.10 Configuring the Device to Output Logs to the Console....................................................................................... 98
3.5.1.11 Configuring the Device to Output Logs to a Terminal......................................................................................... 99
3.5.1.12 Configuring the Device to Output Logs to a Log Host........................................................................................ 99
3.5.1.13 Checking the Configuration................................................................................................................................101
3.5.2 Configuring Trap Output......................................................................................................................................... 101
3.5.2.1 Enabling the Information Center.......................................................................................................................... 103
3.5.2.2 (Optional) Naming an Information Channel........................................................................................................ 103
3.5.2.3 (Optional) Configuring Trap Filtering..................................................................................................................104
3.5.2.4 (Optional) Setting the Timestamp Format of Traps..............................................................................................105
3.5.2.5 Configuring the Device to Output Traps to the Trap Buffer.................................................................................105
3.5.2.6 Configuring the Device to Output Traps to a Log File.........................................................................................106
3.5.2.7 Configuring the Device to Output Traps to the Console...................................................................................... 107
3.5.2.8 Configuring the Device to Output Traps to a Terminal........................................................................................ 108
3.5.2.9 Configuring the Device to Output Traps to a Log Host....................................................................................... 109
3.5.2.10 Configuring the Device to Output Traps to an SNMP Agent.............................................................................110
3.5.2.11 Checking the Configuration................................................................................................................................ 111
3.5.3 Configuring Debugging Message Output................................................................................................................ 111
3.5.3.1 Enabling the Information Center.......................................................................................................................... 113
3.5.3.2 (Optional) Naming an Information Channel.........................................................................................................113
3.5.3.3 (Optional) Setting the Timestamp Format of Debugging Messages.................................................................... 114
3.5.3.4 Configuring the Device to Output Debugging Messages to the Log File............................................................ 114
3.5.3.5 Configuring the Device to Output Debugging Messages to the Console............................................................. 116
3.5.3.6 Configuring the Device to Output Debugging Messages to the Terminal............................................................117
3.5.3.7 Configuring the Device to Output Debugging Messages to the Log Host........................................................... 117
3.5.3.8 Checking the Configuration..................................................................................................................................119
3.6 Maintaining the Information Center........................................................................................................................... 119
3.6.1 Clearing Statistics.................................................................................................................................................... 119
3.6.2 Monitoring the Information Center..........................................................................................................................119
3.7 Configuration Examples............................................................................................................................................. 120
3.7.1 Example for Outputting Logs to the Log File......................................................................................................... 120
3.7.2 Example for Outputting Logs to a Log Host........................................................................................................... 122
3.7.3 Example for Outputting Traps to the SNMP Agent................................................................................................ 124
3.7.4 Example for Outputting Traps to the Console......................................................................................................... 127
4 NTP Configuration....................................................................................................................129
4.1 Overview.................................................................................................................................................................... 129
4.2 Principles.................................................................................................................................................................... 131
4.2.1 Principles................................................................................................................................................................. 131
4.2.2 Network Architecture.............................................................................................................................................. 132
4.2.3 Operating Mode....................................................................................................................................................... 133
4.2.4 NTP Access Control................................................................................................................................................ 138
4.3 Application................................................................................................................................................................. 139
Issue 07 (2017-11-30) Copyright © Huawei Technologies Co., Ltd. ix

4.4 Licensing Requirements and Limitations for NTP.....................................................................................................141

4.5 Configuring the NTP.................................................................................................................................................. 142
4.5.1 Configuring Basic NTP Functions.......................................................................................................................... 142
4.5.1.1 Configuring an NTP primary clock...................................................................................................................... 142
4.5.1.2 Configuring NTP Operating Modes..................................................................................................................... 143
4.5.1.3 Enabling the NTP Server Function.......................................................................................................................148
4.5.2 Configuring the Client Clock.................................................................................................................................. 149
4.5.3 Configuring the Local Source Interface for Sending and Receiving NTP Packets.................................................150
4.5.4 Limiting the Number of Local Dynamic Sessions.................................................................................................. 150
4.5.5 Configuring NTP Access Control............................................................................................................................151
4.5.5.1 Disabling a Specified Interface from Receiving NTP Packets.............................................................................151
4.5.5.2 Configuring NTP Access Control Authority........................................................................................................ 152
4.5.5.3 Configuring KOD................................................................................................................................................. 154
4.5.5.4 Configuring NTP Authentication......................................................................................................................... 155
4.6 Maintaining NTP........................................................................................................................................................ 156
4.6.1 Clearing NTP Statistics........................................................................................................................................... 157
4.6.2 Monitoring the Running Status of NTP...................................................................................................................157
4.7.1 Example for Configuring the NTP Unicast Server/Client Mode with NTP Authentication Enabled..................... 157
4.7.2 Example for Configuring the NTP Symmetric Peer Mode..................................................................................... 162
4.7.3 Example for Configuring the NTP Broadcast Mode with NTP Authentication Enabled........................................165
4.7.4 Example for Configuring the NTP Multicast Mode................................................................................................ 169
4.8 Reference.................................................................................................................................................................... 174
5 Ethernet Clock Synchronization Configuration..................................................................175

5.1 Overview.................................................................................................................................................................... 175
5.2 Principles.................................................................................................................................................................... 176
5.3 Licensing Requirements and Limitations for Ethernet Clock Synchronization......................................................... 185
5.4 Configuring Ethernet Clock Synchronization............................................................................................................ 188
5.4.1 Forcibly Specifying a Reference Clock Source for the Main Control Board..........................................................188
5.4.2 Manually Specifying a Reference Clock Source for the Main Control Board........................................................ 190
5.4.3 Setting the Priority of a Clock Source..................................................................................................................... 191
5.4.4 Selecting the Clock Source Based on the SSM Quality Level................................................................................ 193
5.4.4.1 Enabling the SSM Quality Level to Be Used in Clock Source Selection............................................................ 194
5.4.4.2 (Optional) Setting the SSM Quality Level of a Clock Source............................................................................. 194
5.4.4.3 (Optional) Preventing Timing Loops Between BITS Interfaces.......................................................................... 195
5.4.5 (Optional) Configuring Other Attributes of a Clock Source................................................................................... 196
5.4.5.1 Setting Mode of a BITS Clock............................................................................................................................. 197
5.4.5.2 Setting the ID of a Clock Source.......................................................................................................................... 197
5.4.5.3 Configuring Attributes of the S1 Byte..................................................................................................................198
Issue 07 (2017-11-30) Copyright © Huawei Technologies Co., Ltd. x

5.4.5.4 Setting the Priority of the Clock Signal That an Interface Sends to the Clock Board..........................................199
5.4.5.5 Locking a Clock Source....................................................................................................................................... 200
5.4.5.6 Configuring Frequency Offset Check...................................................................................................................200
5.4.5.7 Setting the Delay Time for the System to Consider a Clock Source Lost............................................................201
5.4.5.8 Setting the WTR Time of a Clock Source............................................................................................................ 202
5.4.5.9 Enable the Permanent Holding Mode of the Clock Module................................................................................ 202
5.4.5.10 Configuring the Non-Retrieve Mode of the Clock Source.................................................................................202
5.5.1 Example for Selecting the Clock Source Based on the Priority.............................................................................. 204
5.5.2 Example for Selecting the Clock Source Based on the SSM Quality Level........................................................... 208
5.5.3 Example for Selecting the Clock Source Based on the SSM Quality Level in Extended Mode.............................213
6 Energy-Saving Management................................................................................................... 218

6.1 Overview.................................................................................................................................................................... 218
6.2 Licensing Requirements and Limitations for Energy-Saving Management...............................................................220
6.3 Configuring Energy-Saving Management..................................................................................................................221
6.3.1 Configuring Fan Speed Adjustment........................................................................................................................ 221
6.3.2 Configuring ALS..................................................................................................................................................... 221
6.3.2.1 Enabling ALS on an Interface.............................................................................................................................. 221
6.3.2.2 Setting the Restart Mode of the Laser.................................................................................................................. 222
6.3.2.3 Setting the ALS Pulse Interval and Width of the Laser........................................................................................223
6.3.3 Configuring the EEE function................................................................................................................................. 224
6.3.4 Configuring Electrical Port Dormancy....................................................................................................................225
6.3.5 Configuring an Energy-Saving Mode......................................................................................................................225
6.4.1 Example for Configuring ALS................................................................................................................................ 226
7 PoE Configuration..................................................................................................................... 229

7.1 PoE Overview.............................................................................................................................................................229
7.2 Principles.................................................................................................................................................................... 230
7.3 Applications................................................................................................................................................................236
7.4 Licensing Requirements and Limitations for PoE......................................................................................................236
7.5 Default Configuration.................................................................................................................................................238
7.6 Configuring PoE Functions........................................................................................................................................ 238
7.6.1 Enabling the PoE Function...................................................................................................................................... 238
7.6.2 (Optional) Configuring the LLDP Power Capacity Negotiation.............................................................................239
7.6.3 Configuring PoE Power Management..................................................................................................................... 240
7.6.4 (Optional) Configuring the Device to Allow High Inrush Current During Power-on............................................ 242
7.6.5 Configuring PoE Power-on and Power-off Management........................................................................................242
7.6.6 Checking the Configuration.....................................................................................................................................245
7.7.1 Example for Configuring PoE................................................................................................................................. 245
Issue 07 (2017-11-30) Copyright © Huawei Technologies Co., Ltd. xi

8 CSS Configuration.................................................................................................................... 249

8.1 Using the CSS Assistant Tool to Quickly Obtain Information...................................................................................249
8.2 Introduction to CSS.................................................................................................................................................... 251
8.3 Principles.................................................................................................................................................................... 251
8.3.1 Basic Concepts........................................................................................................................................................ 251
8.3.2 CSS Setup................................................................................................................................................................ 252
8.3.3 CSS Login and File System Access........................................................................................................................ 254
8.3.3.1 Interface Numbering Rules...................................................................................................................................254
8.3.3.2 CSS Login.............................................................................................................................................................254
8.3.3.3 File System Access............................................................................................................................................... 255
8.3.4 Cluster Link Aggregation and Local Preferential Forwarding................................................................................ 255
8.3.5 New Member Join and CSS Merge......................................................................................................................... 258
8.3.6 CSS Split and MAD................................................................................................................................................ 260
8.3.7 Master/Standby Switchover.....................................................................................................................................264
8.3.8 CSS Upgrade........................................................................................................................................................... 266
8.4 Applications................................................................................................................................................................267
8.5 CSS Connection Modes..............................................................................................................................................269
8.6 Configuration Task Summary.....................................................................................................................................271
8.7 CSS Support and Version Requirements.................................................................................................................... 273
8.7.1 CSS Feature Limitations..........................................................................................................................................273
8.7.2 CSS Version Requirements......................................................................................................................................274
8.7.3 Software and Hardware Support for S7700 CSS Card Clustering.......................................................................... 275
8.7.4 Software and Hardware Support for S9700 CSS Card Clustering.......................................................................... 277
8.7.5 Software and Hardware Support for S7700 Service Port Clustering...................................................................... 278
8.7.6 Software and Hardware Support for S9700 Service Port Clustering...................................................................... 280
8.9 Establishing a CSS by Connecting CSS Cards...........................................................................................................282
8.9.1 Installing Hardware................................................................................................................................................. 283
8.9.1.1 Installing a CSS Card........................................................................................................................................... 283
8.9.1.2 Connecting Cluster Cables................................................................................................................................... 284
8.9.2 Configuring CSS Software...................................................................................................................................... 287
8.9.3 Verifying a CSS Is Established................................................................................................................................ 289
8.9.3.1 Reviewing Indicators to Confirm a CSS Is Established....................................................................................... 289
8.9.3.2 Logging In to a CSS to Verify that a CSS Is Established..................................................................................... 292
8.10 Establishing a CSS Using Service Port Connections............................................................................................... 298
8.10.1 Installing Hardware............................................................................................................................................... 299
8.10.1.1 Installing a Service Card.....................................................................................................................................299
8.10.1.2 Connecting Cluster Cables................................................................................................................................. 300
8.10.2 Configuring CSS Software.................................................................................................................................... 303
8.10.3 Verifying a CSS Is Established.............................................................................................................................. 305
8.10.3.1 Reviewing Indicators to Confirm a CSS Is Established..................................................................................... 306
8.10.3.2 Logging In to a CSS to Verify that a CSS Is Established................................................................................... 307
Issue 07 (2017-11-30) Copyright © Huawei Technologies Co., Ltd. xii

8.11 Configuring Enhanced CSS Functions..................................................................................................................... 310

8.11.1 Configuring MAD..................................................................................................................................................310
8.11.1.1 Configuring MAD in Direct Mode..................................................................................................................... 311
8.11.1.2 Configuring MAD in Relay Mode......................................................................................................................312
8.11.1.3 (Optional) Configuring Reserved Ports.............................................................................................................. 313
8.11.1.4 (Optional) Restoring Shutdown Ports to the Up State........................................................................................314
8.11.2 Configuring a System MAC Address.................................................................................................................... 314
8.11.3 Setting a Delay Time Before Service Ports Restore to the Up State..................................................................... 315
8.11.4 Enabling the CSS Port Error-Down Function (Applicable to S9700 CSS Card Connection Mode).................... 315
8.11.5 Configuring the CSS Physical Port-Down Delay Function...................................................................................316
8.12 Maintaining the CSS.................................................................................................................................................317
8.12.1 Monitoring the CSS Status.................................................................................................................................... 317
8.12.2 Enabling/Disabling CSS Traps.............................................................................................................................. 318
8.12.3 Performing a Master/Standby Switchover.............................................................................................................318
8.12.4 Upgrading CSS Software.......................................................................................................................................319
8.12.5 Checking Connectivity of CSS Links (Applicable to S9700 CSS Card Connection Mode)................................ 321
8.13 Splitting a CSS..........................................................................................................................................................322
8.14 Configuration Examples........................................................................................................................................... 323
8.14.1 Example for Establishing a CSS (Using CSS Cards)............................................................................................ 323
8.14.2 Example for Establishing a CSS (Using Service Port Connections).....................................................................326
8.14.3 Example for Configuring Cluster Eth-Trunks....................................................................................................... 330
8.14.4 Example for Configuring MAD in Direct Mode................................................................................................... 334
8.14.5 Example for Configuring MAD in Relay Mode....................................................................................................338
8.15 FAQ...........................................................................................................................................................................343
8.15.1 How Can I Specify the Master Switch?.................................................................................................................343
8.15.2 How Do I Know Which Switch Is the Master in a CSS?...................................................................................... 343
8.15.3 Can Switches of Different Series Set Up a CSS?.................................................................................................. 344
8.15.4 Can the CSS Card Connection Mode and Service Port Connection Mode Be Used Together on the S7700s or
S9700s?.............................................................................................................................................................................344
8.15.5 Can Switches Set Up a CSS if They Use Different Types of MPUs?................................................................... 344
8.15.6 Can I Log In to a Cluster Through the Web NMS?............................................................................................... 344
8.15.7 How Do I Install a License File for a CSS?.......................................................................................................... 344
8.15.8 How Do I Load a Patch for a Cluster?...................................................................................................................347
9 SVF Configuration.................................................................................................................... 348

9.1 SVF Overview............................................................................................................................................................ 348
9.2 Principles.................................................................................................................................................................... 349
9.2.1 Roles in an SVF System.......................................................................................................................................... 349
9.2.2 SVF Setup................................................................................................................................................................350
9.2.3 AS Service Configuration........................................................................................................................................355
9.2.4 SVF Management and Maintenance........................................................................................................................357
9.3 Configuration Task Summary.....................................................................................................................................357
Issue 07 (2017-11-30) Copyright © Huawei Technologies Co., Ltd. xiii

9.4 Licensing Requirements and Limitations for SVF..................................................................................................... 358

9.4.1 Involved Network Elements.................................................................................................................................... 358
9.4.2 Licensing Requirements.......................................................................................................................................... 358
9.4.3 Version Requirements..............................................................................................................................................359
9.4.4 Specifications...........................................................................................................................................................359
9.4.5 Service Configuration Supported on an AS............................................................................................................ 362
9.4.6 Restrictions on SVF Roles.......................................................................................................................................378
9.4.7 Restrictions on an SVF System............................................................................................................................... 381
9.6 Setting Up an SVF System......................................................................................................................................... 383
9.6.1 Connecting an AS to the Parent Directly.................................................................................................................383
9.6.1.1 Configuring AS Access Parameters on the Parent............................................................................................... 383
9.6.1.1.1 (Optional) Configuring a Parent as a CSS.........................................................................................................384
9.6.1.1.2 Enabling the SVF Function on the Parent......................................................................................................... 384
9.6.1.1.3 Configuring a Fabric Port That Connects the Parent to a Level-1 AS.............................................................. 387
9.6.1.1.4 Pre-configuring an AS Name............................................................................................................................ 389
9.6.1.1.5 (Optional) Configuring the Fabric Port That Connects a Level-1 AS to a Level-2 AS.................................... 390
9.6.1.1.6 Configuring AS Access Authentication............................................................................................................ 391
9.6.1.1.7 (Optional) Configuring CAPWAP Tunnel Encryption......................................................................................392
9.6.1.1.8 (Optional) Pre-configuring the Stack ID for an AS...........................................................................................393
9.6.1.1.9 (Optional) Enabling ASs to Automatically Upgrade After Going Online........................................................ 394
9.6.1.2 Configuring Access Parameters on an AS............................................................................................................396
9.6.1.2.1 (Optional) Configuring an AS as a Stack.......................................................................................................... 396
9.6.1.2.2 (Optional) Configuring the Management MAC Address for an AS................................................................. 396
9.6.1.3 Connecting an AS to the Parent............................................................................................................................397
9.6.2 Connecting an AS to the Parent Through a Network.............................................................................................. 397
9.6.2.1 Configuring AS Access Parameters on the Parent............................................................................................... 398
9.6.2.1.1 (Optional) Configuring a Parent as a CSS.........................................................................................................398
9.6.2.1.2 Enabling the SVF Function on the Parent......................................................................................................... 399
9.6.2.1.3 Configuring a Fabric Port That Connects the Parent to an AS Through a Network......................................... 402
9.6.2.1.4 Pre-configuring an AS Name............................................................................................................................ 404
9.6.2.1.5 Configuring AS Access Authentication............................................................................................................ 405
9.6.2.1.6 (Optional) Configuring CAPWAP Tunnel Encryption......................................................................................406
9.6.2.1.7 (Optional) Pre-configuring a Stack ID for an AS..............................................................................................408
9.6.2.1.8 (Optional) Enabling ASs to Automatically Upgrade After Going Online........................................................ 409
9.6.2.2 Configuring Access Parameters on an AS............................................................................................................410
9.6.2.2.1 (Optional) Configuring an AS as a Stack.......................................................................................................... 410
9.6.2.2.2 (Optional) Configuring the Management MAC Address for an AS..................................................................411
9.6.2.2.3 Configuring a Management VLAN and Fabric Port for an AS.........................................................................412
9.6.2.3 Connecting an AS to the Parent............................................................................................................................413
Issue 07 (2017-11-30) Copyright © Huawei Technologies Co., Ltd. xiv

9.6.3 Connecting an AP to an AS..................................................................................................................................... 413

9.7 Configuring Services for an AS..................................................................................................................................415
9.7.1 (Optional) Configuring the Forwarding Mode for an SVF System.........................................................................416
9.7.2 Configuring Service Profiles................................................................................................................................... 416
9.7.3 Directly Delivering Service Configurations to ASs................................................................................................ 424
9.7.4 Configuring User Authenticate-Free Rules............................................................................................................. 430
9.8 Maintaining an SVF System.......................................................................................................................................431
9.8.1 Monitoring the SVF System Running Status.......................................................................................................... 431
9.8.2 Upgrading an Online AS......................................................................................................................................... 432
9.8.3 Restarting an AS...................................................................................................................................................... 434
9.8.4 Replacing an AS...................................................................................................................................................... 434
9.8.5 Logging In to an AS and Running Diagnostic Commands..................................................................................... 435
9.8.6 Enabling the Diagnostic Mode on an AS................................................................................................................ 437
9.8.7 Disabling an AS Port............................................................................................................................................... 439
9.8.8 Clearing Packet Statistics in an SVF System.......................................................................................................... 439
9.9 Splitting an SVF System.............................................................................................................................................440
9.10 Configuration Examples........................................................................................................................................... 440
9.10.1 Example for Configuring SVF to Deploy a Wired Campus Network Access Layer (Using Commands)............440
9.10.2 Example for Configuring SVF to Deploy a Wired and Wireless Converged Campus Network Access Layer
(Using Commands)...........................................................................................................................................................446
9.10.3 Example for Configuring an SVF System Across a Layer 2 Network on a Wired Campus Network Access Layer
(Using Commands)...........................................................................................................................................................450
9.10.4 Example for Configuring the Access Layer for a Wired Campus Network Using eSight.................................... 455
Issue 07 (2017-11-30) Copyright © Huawei Technologies Co., Ltd. xv

Configuration Guide - Device Management 1 Displaying the Device Status
1 Displaying the Device Status
About This Chapter
This chapter describes the functions of display commands and how to use the display
commands to view the device running status.
1.1 Displaying Hardware Information

1.2 Displaying the Version and Configuration
1.3 Collecting Device Information by One Click
1.4 Displaying the System MAC Address
1.5 Displaying Alarm Information
1.6 Displaying the CPU Usage
1.7 Displaying the Memory Usage
1.1 Displaying Hardware Information
1.1.1 Displaying Device Information
Context
When the device becomes faulty, you can view device information to check whether the status
of device components is normal.
Procedure
l Run the display device [ slot slot-id ] command to view component information and
status of the device.
l Run the display device manufacture-info [ slot slot-id | backplane ] command to view
manufacturing information about the device.
----End
Issue 07 (2017-11-30) Copyright © Huawei Technologies Co., Ltd. 1

FAQ
1.1.1.1 How Can I Determine Whether the Card Status Is Normal?

Run the display device [ slot slot-id ] command to view component information and device
status. When the Register field displays Registered and the Status field displays Normal, the
card status is normal.
NOTE
The status indicates the hardware management status excluding the service running status.
<HUAWEI> display device
S7712's Device status:
Slot Sub Type Online Power Register Status Role
-------------------------------------------------------------------------------
4 - ES0D0G48TA00 Present PowerOn Registered Normal NA
5 - LE0D0VAMPA00 Present PowerOn Registered Normal NA
8 - Present PowerOn Registered Normal NA
9 - ES0D0X12SA00 Present PowerOn Registered Normal NA
14 - ES0D00SRUB00 Present PowerOn Registered Normal Master
PWR1 - - Present PowerOn Registered Normal NA
CMU1 - LE0DCMUA0000 Present PowerOn Registered Normal Slave
CMU2 - LE0DCMUA0000 Present PowerOn Registered Normal Master
FAN1 - - Present PowerOn Registered Normal NA
1.1.1.2 How Can I View the Card Type and Subcard Type?
Run the display device [ slot slot-id ] command to view component information and device
status. The Type field indicates the card type and subcard type.
-------------------------------------------------------------------------------
2 - - Present PowerOn Registered Normal NA
5 - LE0D0VAMPA00 Present PowerOn Registered Normal NA
8 - Present PowerOn Registered Normal NA
9 - ES0D0X12SA00 Present PowerOn Registered Normal NA
14 - ES0D00SRUB00 Present PowerOn Registered Normal Master
CMU1 - LE0DCMUA0000 Present PowerOn Registered Normal Slave
CMU2 - LE0DCMUA0000 Present PowerOn Registered Normal Master
1.1.1.3 How Can I Determine Whether the Port on an LPU Is an Optical or

Electrical Port?
Run the display device slot slot-id command to view LPU information. The Port Type field
indicates the port type, in which F indicates an optical port and C indicates an electrical port.
<HUAWEI> display device slot 4
-------------------------------------------------------------------------------
-------------------------------------------------------------------------------

Board Type : ES0D0G48TA00

Board Description : 48-Port 10/100/1000BASE-T Interface Card(EA,RJ45)
-------------------------------------------------------------------------------
-------------------------------------------------------------------------------
Port Port Optic MDI Speed Duplex Flow- Port POE
Type Status (Mbps) Ctrl State State
-------------------------------------------------------------------------------
0 GE(C) - auto 1000 full disable down -
4 GE(C) - auto 10 full disable up -
5 GE(C) - auto 1000 full disable *down -
-------------------------------------------------------------------------------
1.1.1.4 Why Does the Standby MPU Fail to Register?

On a chassis with two MPUs, if one MPU has started normally but the other MPU cannot
register and remains in Unregistered state for a long period of time, the MPU that has started
is the active MPU, while the other MPU that cannot register is the standby MPU. You can
perform the following operations to check why the standby MPU cannot register:
1. Check whether the standby MPU is properly installed.

2. Check whether the standby and active MPUs are the same hardware model and have the
same type of subcards installed or do not have any subcard installed.
3. Connect to the standby MPU through the console port to check whether the standby
MPU uses the same system software as the active MPU. If not, replace the system
software of the standby MPU to the one running on the active MPU.
4. Run the display reset-reason command to check why the card restarts. For details, see
"A Card Resets Unexpectedly" in the Troubleshooting - Hardware Troubleshooting.
5. Collect log information, alarm information, and configuration information, and then
contact Huawei technical support personnel to confirm whether a hardware fault occurs.
1.1.1.5 What Does PowerOff Mean and Why Is PowerOff Displayed in an LPU's
Status Information?
If the LPU status displays PowerOff, the LPU is powered off. Perform the following
operations to check why the LPU is powered off:
1. Check whether the power off slot slot-id command has been executed to power off the
LPU according to the current environment and planning requirements. If so, no action is
required. If not, run the power on slot slot-id command to power on the LPU.
2. If the LPU fails to be powered on, run the display power system command to view the
system power and card power. According to the information, you can determine whether
the LPU cannot be powered on because of insufficient power. If the remaining system
power is insufficient, add a system power module to increase the system power.
3. Check whether the LPU matches the running system version. For the mapping between
LPUs and software versions, see "Version Mapping" of the specific card in the Hardware
Description - Cards.
4. Run the display reset-reason command to check the reason why the LPU is powered
off. For details, see "A Card Resets Unexpectedly" in the Troubleshooting - Hardware
Troubleshooting.
5. If you still cannot determine why the LPU is powered off, collect log information, alarm
information, and configuration information, and then contact Huawei technical support
personnel to confirm whether a hardware fault occurs.
1.1.1.6 What Does Unregistered Mean and Why Is Unregistered Displayed in an

LPU's Status Information?
If the power-on status of an LPU is PowerOn but the registration status is Unregistered, the
LPU is starting but has not registered successfully. In the beginning of a system upgrade or
system downgrade, or when an LPU is just installed or powered on, it may take a long time
for the LPU to register because of version update. This is a normal situation, and the LPU will
register successfully. If the LPU cannot register for a long time (more than 30 minutes for
example), the LPU cannot start normally. If a stably running LPU restarts unexpectedly when
no manual operations, such as running a restart command line, upgrading or downgrading the
system, are performed, the LPU status will become Unregistered.
Run the display reset-reason command to view the reason why the LPU restarts. For details,
see "A Card Resets Unexpectedly" in the Troubleshooting - Hardware Troubleshooting.
1.1.2 Displaying Electronic Labels

Context
Electronic labels identify hardware information about a device, including the serial number,
manufacturing date, device model, and hardware description. You can view electronic labels
to learn about the serial number when the hardware is returned for repair or to learn about
hardware information such as the hardware manufacturing date.
Procedure
l Run the display elabel [ chassis-id[/slot-id][/subcard-id ] ] [ brief ] command to view
the electronic labels of a device.
l Run the display elabel backplane [ chassis chassis-id ] command to view the backplane
electronic label.
NOTE
The chassis chassis-id parameter is supported only in a cluster.
----End
FAQ
1.1.2.1 How Can I View the Chassis Electronic Label?

Run the display elabel backplane [ chassis chassis-id ] command to view the electronic label
of a specified chassis. The chassis chassis-id parameter is only supported in a cluster.
<HUAWEI> display elabel backplane chassis 2
Info: It is executing, please wait...
[BackPlane_1]
/$[ArchivesInfo Version]
/$ArchivesInfoVersion=3.0
[Board Properties]
BoardType=ES0B17712
BarCode=2102113308P0AC000021
Item=02113308
Description=Quidway S7712,ES0B17712,S7712 POE Assembly Chassis
Manufactured=2010-12-31
VendorName=Huawei
IssueNumber=00
CLEICode=
BOM=
1.1.2.2 How Can I View the Card Electronic Label?

Run the display elabel chassis-id/slot-id command to view the electronic label of a specified
card. chassis-id/slot-id specifies the chassis ID and slot ID.
<HUAWEI> display elabel 1/4
Info: It is executing, please
wait...
[Slot_4]
/$[Board Integration
Version]
/
$BoardIntegrationVersion=3.0

[Main_Board]
[Board
Properties]
BoardType=ES02G24SC
BarCode=030MQN10AB000014
Item=03030MQN
Description=Quidway S7700,ES02G24SC,24-Port 100/1000BASE-X Interface Card(EC,SFP
),128K MAC
VendorName=Huawei
IssueNumber=00
CLEICode=
BOM=
1.1.2.3 How Can I View the Power Supply Electronic Label?

power module. chassis-id/slot-id specifies a chassis ID and power module slot ID.
<HUAWEI> display elabel 1/PWR1
[Slot_13]
/$[Board Integration Version]
/$BoardIntegrationVersion=3.0
[Main_Board]
DATE=10_11_04
SN=2102130859210B010005
TYPE=LE02PSA08
1.1.2.4 How Can I View the Fan Module Electronic Label?

fan module. chassis-id/slot-id specifies a chassis ID and fan module slot ID.
<HUAWEI> display elabel 1/FAN1
[Slot_17]
[Main_Board]
[Board Properties]
BoardType=LE0E2FBX
BarCode=2102120554P0AB001580
Item=02120554
Description=Wide Voltage Fan Box
VendorName=Huawei
IssueNumber=00

CLEICode=
BOM=
1.1.2.5 How Can I View the Optical Module Electronic Label?

Run the display elabel [ chassis-id[/slot-id] ] command to view the electronic label of the
interface where the optical module resides. chassis-id/slot-id specifies the card or subcard
where the optical module resides.
......
[Port_XGigabitEthernet4/0/1]
[Board Properties]
BoardType=PLRXPLSCS4322N
BarCode=CB02UF1SW
Item=
Description=10300Mb/sec-850nm-LC-33(OM1),82(OM2),300(OM3),400(OM4)
/$VendorName=JDSU
IssueNumber=
CLEICode=
BOM=
......
1.1.2.6 How Can I View the Part Number and What Is the Relationship Between
the Part Number and BarCode?
BarCode is the serial number, while the part number is the value of Item in an electronic
label.
The BarCode and part number identify a hardware component. Each component has a unique
serial number. The part number indicates the basic component number and often identifies a
type of components.
To apply for a license, authenticate a device, replace a device, or return a device for repair,
you need to provide the device's serial number to the manufacturer.
To return a card or subcard for repair or replace it, you need to provide the card or subcard
part number to the manufacturer.
[Slot_13]
[Main_Board]
[Board Properties]
BoardType=ET1D2MPUA000
BarCode=03030RPE10AC000007 //Indicate the serial number.
Item=03030RPE //Indicate the part number.
Description=
VendorName=Huawei
IssueNumber=00

CLEICode=
BOM=
1.1.2.7 What Are the MIB OIDs of Electronic Labels?

The following table describes the MIB OIDs of electronic labels.
Object Name OID Syntax Description Implement
ed
Specificatio
ns
hwEntityBomId 1.3.6.1.4.1.2 SnmpAdmi This object read-only

011.5.25.31. nString indicates the
1.1.2.1.1 entity part
number. The
value is
displayed in
the Item field
in the device's
electronic
label.
hwEntityBomEnDesc 1.3.6.1.4.1.2 SnmpAdmi This object read-only

1.1.2.1.2 description of
the entity.
hwEntityManufactured- 1.3.6.1.4.1.2 DateAndTi This object read-only

Date 011.5.25.31. me indicates the
1.1.2.1.4 entity
manufacturing
date.
hwEntityCLEICode 1.3.6.1.4.1.2 SnmpAdmi This object read-only

1.1.2.1.6 entity CLEI
code.
hwEntityArchivesInfoVer- 1.3.6.1.4.1.2 SnmpAdmi This object read-only

sion 011.5.25.31. nString indicates the
1.1.2.1.8 entity
manufacturing
information
version.


ed
Specificatio
ns
hwEntityOpenBomId 1.3.6.1.4.1.2 SnmpAdmi This object read-only

1.1.2.1.9 allocated part
number, which
is different
from
hwEntityBomI
D and
describes an
item number.
The value is
displayed in
the BOM field
in the device's
electronic
label.
hwEntityIssueNum 1.3.6.1.4.1.2 SnmpAdmi This object read-only

1.1.2.1.10 entity issue
number.
hwEntityBoardType 1.3.6.1.4.1.2 SnmpAdmi This object read-only

1.1.2.1.11 entity type.
1.1.3 Displaying the Device Serial Number
Context
Each device has a unique equipment serial number (ESN). When you require technical
assistance or need to apply for a license, you need to provide the device serial number.
Procedure
l Run the display esn command to view the serial number of a device.
l Run the display device manufacture-info [ slot slot-id | backplane ] command to view
manufacturing information about the device, including the serial number and
manufacturing date.
----End

FAQ
1.1.3.1 How Can I View the Serial Number of a Device?
Method 1: Obtain the Chassis Serial Number by Using a Command

On a standalone device
Run the display elabel backplane command to view electronic label information. In the
command output, BarCode specifies the chassis serial number. The command format may
vary according to versions. You can enter a question mark (?) to obtain the command prompt
information and select the corresponding chassis parameters.
<HUAWEI> display elabel backplane
[BackPlane_1]
[Board Properties]
BoardType=EH02BAKK
BarCode=2102113089P0BB000881
Item=02113089
......
In a CSS
Log in to the master switch through Telnet or the Console port, and run the display elabel
backplane chassis chassis-id command in the user view to view electronic label information.
chassis-id specifies the chassis ID, and BarCode specifies the chassis serial number. The
command format may vary according to versions. You can enter a question mark (?) to obtain
the command prompt information and select the corresponding chassis parameters.
<HUAWEI> display elabel backplane chassis ?
INTEGER<1-2> Chassis ID
<HUAWEI> display elabel backplane chassis 2

[BackPlane_2]
[Board Properties]
BoardType=EH02BAKK
BarCode=2102113089P0BB000881
Item=02113549
......
NOTE
You can run the display device manufacture-info command to check the serial number obtained from
the electronic label. Only V200R003 and later versions support this command.
Method 2: Obtain the Chassis Serial Number Through the Web System
When the web system is enabled on a device, view the chassis serial number through the web
system.
EasyOperation web system (supported only in V200R005 and later versions)

Log in to a device through the web system and click Monitor on the toolbar to enter the
Monitor page. You can view device information, including the chassis serial number, as
shown in Figure 1-1.
Figure 1-1 System Description
Web system classical version

Log in to a device through the web system and click Device Summary on the toolbar to view
device information, including the chassis serial number, as shown in Figure 1-2.
Figure 1-2 System Description
Method 3: Obtain the Chassis Serial Number Onsite

You can obtain the chassis serial number onsite. The chassis serial number label is attached to
the top side of the chassis, as shown in Figure 1-3.

Figure 1-3 Location of the serial number label (An S9706 chassis is used as an example.)
Serial number label
RUN/ALM
06
-LE0BSA10
EH1D2
00738 Y
G48TEA0
P0AB
2102113090
4647
44 45
42 43
40 41 RUN/ALM
S9706
38 39
36 37
34 35
32 33
26 27
28 29
30 31 05
24 25
EH1D2
22 23
G48TEA0
20 21
18 19
16 17
14 15
12 13
10 11 4647
EH1D2
8 9 44 45
G48TEA0
6 7 42 43
2
4 5 38 39
40 41 RUN/ALM
3 36 37
1
34 35
32 33
30 31
26 27
28 29 04
24 25
EH1D2
22 23
G48TEA0
20 21
18 19
16 17
14 15
12 13
10 11 4647
EH1D2
8 9 44 45
G48TEA0
6 7 42 43
4 5 40 41
2 3 38 39
1 36 37
34 35
32 33
30 31
26 27
28 29 ETH 08
EH1D2
24 25 CON
SRUDC00
22 23 M
20 21 CLK2 ACT RUN/AL
18 19 CLK1
16 17
14 15
12 13 RST
10 11
EH1D2
8 9
G48TEA0
6 7 SYNC
4 5
2 3
1
ETH 07
EH1D2
CON
SRUDC00
M
CLK2 ACT RUN/AL
CLK1
RST
EH1D2
SRUDC00
SYNC RUN/ALM
03
EH1D2
G48TEA0
4647
EH1D2
44 45
42 43
SRUDC00
40 41 RUN/ALM
38 39
36 37
34 35
32 33
30 31
28 29
24 25
26 27 02
EH1D2
22 23
20 21
G48TEA0
18 19
16 17
14 15
12 13
10 11 4647
EH1D2
8 9 44 45
G48TEA0
6 7 42 43
4 40 41
2 3
5 38 39 RUN/ALM
1 36 37
34 35
32 33
30 31
26 27
28 29 01
24 25
EH1D2
22 23
20 21
G48TEA0
18 19
16 17
14 15
12 13
10 11
EH1D2
8 4647
9 44 45
G48TEA0
6 7 42 43
4 5 40 41
2 3 38 39
1 36 37
34 35
32 33
30 31
28 29
26 27
24 25
22 23
20 21
18 19
16 17 CMU
14 15
12 13
10 11 PWR4
EH1D2
8 9
G48TEA0
6 7
2 3
4 5 PWR3
1
PWR2
RUN/ALM
RUN/ALM
PWR1
ACT
ACT
MON
MON
≤45
kg（99
lb）
RS485
RS485
CMUA
CMUA
ON
RUN
ON
RUN
ALM 2
ON
RUN 1
ON ALM
RUN FAULT
ALM
FAULT OFF
ALM
FAULT OFF
FAULT OFF
OFF
1.1.3.2 How Can I View the Serial Number of a Card?
Method 1: Obtain the Board Serial Number by Using a Command

Run the display elabel command to view electronic label information, and select the slot ID
according to the command prompt information. In the command output, BarCode specifies
the board serial number. The command format may vary according to versions. You can enter
a question mark (?) to obtain the command prompt information and select the corresponding
board parameters.
<HUAWEI> display elabel ?
<1-1> The present chassis
backplane Backplane
brief Display information briefly
<cr>
<HUAWEI> display elabel 1/?
<4,6-8> <CMU1>
<FAN1-FAN2> <PWR1-PWR2>
<HUAWEI> display elabel 1/6 brief
[Slot_6]
[Main_Board]

[Board Properties]
BoardType=EH1D2S08SX1E
BarCode=020LVF6TBB000043
Item=03020LVF
......
NOTE
You can run the display device manufacture-info command to check the serial number obtained from
the electronic label. Only V200R003 and later versions support this command.
Method 2: Obtain the Board Serial Number Through the Web System (Supported
only on MPUs and LPUs)
When the web system is enabled on a device, view the board serial number through the web
system.
EasyOperation web system (supported only in V200R005 and later versions)
Log in to the switch through the web system, and click Monitor on the toolbar to enter the
Monitor page. You can view board information. When you move the mouse on a board, basic
information about the board is displayed, including port, version, and serial number, as shown
in Figure 1-4.
Figure 1-4 Basic board information
Web system classical version

Log in to the switch through the web system, and click Device Summary on the toolbard to
enter the Device Summary page. Click the corresponding board on the switch to enter the
Board Information page. You can view the Slot Basic Information tab. On this tab, you can
view basic board information, including the board serial number, as shown in Figure 1-5.
Figure 1-5 Basic slot information
Method 3: Obtain the Board Serial Number Onsite

You can obtain the board serial number onsite. The location of a board serial number label
varies.
l The serial number label is on the upper right corner of the board panel, as shown in
Table 1-1.
Serial number label

4XEA0
Y3 EH1D2T2
676TB300
21023168
l The serial number label is on the upper left corner of the board panel, as shown in Table
1-2.
Serial number label
SN:21021209
9510DA000256
Y ET1MFBX00000

l The serial number label is on the PCB of the board, as shown in Table 1-3.
Serial number label

C00
5 Y3 LH2D2G48TE
JH0A400003
0200F
Table 1-1 List of boards (The serial number label is on the upper right corner of the board
panel.)
Switch Series Serial Board Model
Number
Label Type
S7700 One- ES0D00SRUA00, ES0D00SRUB00,

dimensional ES0D00MCUA00, LE0DCMUA0000,
label EH1D200CMU00, LE0D0VAMPA00,
ES0D0G24SA00, ES0D0G24SC00,
ES1D2G24SED0, ES0D0G24CA00,
ES1D2G24SED0, ES0D0S24XA00,
ES1D2S24XEC0, ES0D0X2UXA00,
ES0D0X2UXC00, ES0D0X4UXA00,
ES0D0X4UXC00, ES0D0X12SA00,
ES1D2X04XED0, ES1D2X16SFC0,
ES1D2X08SED4, ES1D2X08SED5,
ES1D2X02XEC1, ES1D2X04XEC1,
ES1D2L02QFC0


Number
Label Type
S9700 One- EH1D2SRUDC00, EH1D2SRUDC01,

dimensional EH1D2SRUC000, EH1D2MCUAC00,
label EH1D2VS08000, EH1D200CMU00,
EH1D2PS00P00, LE0D0VAMPA00,
EH1D2G24SSA0, EH1D2G24SEC0,
EH1D2G24SED0, EH1D2S24CSA0,
EH1D2S24CEA0, EH1D2T36SEA0,
EH1D2S24XEA0, EH1D2S24XEC0,
EH1D2X02XEA0, EH1D2X02XEC0,
EH1D2X04XEA0, EH1D2X04XEC0,
EH1D2X04XED0, EH1D2X12SSA0,
EH1D2X16SFC0, EH1D2X08SED4,
EH1D2X08SED5, EH1D2X02XEC1,
EH1D2X04XEC1, EH1D2L02QFC0,
EH1D2L08QFC0, EH1D2WM00000
Table 1-2 List of boards (The serial number label is on the upper left corner of the board
panel.)
Number
Label Type
S7700 One- ES0D00FSUA00, LE0D0VSTSA00, ES02VSTSA,

dimensional ES1D2PS00P00, EH1D2PS00P00, ES0DG24TFA00,
label ES0D0T24XA00
Two- ES1D2G48SX1E, ES1D2G48TX1E,

dimensional ES1D2S04SX1E, ES1D2S08SX1E, ACU2,
label ET1D2IPS0S00, ET1D2FW00S00, ET1D2FW00S01,
ET1D2FW00S02, ES1D2SRUH000,
ES1D2X16SSC2, ES1D2X32SSC0, ES1D2C02FEE0,
ES1D2VS04000, ES1D2L08QX2E,
ES1D2SRUE000, ES1D2MCUAC00,
ES1D2SRUAC00, ES1D2X32SX2S,
ES1D2S24SX2S, ES1D2S16SX2S, ES1D2C04HX2S,
ET1D2H02QX2S, ES1D2X48SX2S,
ES1D2X32SX2E, ES1D2S24SX2E,
ES1D2S16SX2E, ES1D2C04HX2E,
ES1D2H02QX2E
S9700 One- EH1D2G24TFA0, EH1D2T24XEA0, P4CF, P4HF,

dimensional P1UF
label


Number
Label Type
Two- EH1D2G48TX1E, EH1D2G48SX1E,

dimensional EH1D2S04SX1E, EH1D2S08SX1E,
label EH1D2X48SEC0, ACU2, EH1D2VS08000,
ET1D2IPS0S00, ET1D2FW00S00, ET1D2FW00S01,
ET1D2FW00S02, EH1D2X16SSC2,
EH1D2X32SSC0, EH1D2C02FEE0,
EH1D2L08QX2E, ET1D2X32SX2H,
ET1D2X32SX2S, ET1D2S24SX2S,
ET1D2S16SX2S, ET1D2C04HX2S,
ET1D2H02QX2S, ET1D2X48SX2S,
ET1D2X32SX2E, ET1D2S24SX2E,
ET1D2S16SX2E, ET1D2C04HX2E,
ET1D2H02QX2E
Table 1-3 List of boards (The serial number label is on the PCB of the board panel.)
Number
Label Type
S7700 One- ES0D0F48TA00, ES0D0F48TC00, ES0DF48TFA00,

dimensional ES0DG48CEAT0, ES0D0G48VA00,
label ES0D0G48TA00, ES0D0G48TC00,
ES0DG48TFA00, ES0D0G48SA00,
ES0D0G48SC00, ES1D2G48SED0,
ES1D2G48SFA0, ES1D2G48TED0,
ES1D2G48TBC0, ES1D2G48SBC0,
ES1D2X40SFC0
S9700 One- LE0D00CKMA00, EH1D2F48TEA0,

dimensional EH1D2F48TEC0, EH1D2F48TFA0,
label EH1D2F48SEA0, EH1D2F48SEC0,
EH1D2G48TEA0, EH1D2G48TEC0,
EH1D2G48TED0, EH1D2G48TFA0,
EH1D2G48TBC0, EH1D2G48SEA0,
EH1D2G48SEC0, EH1D2G48SED0,
EH1D2G48SFA0, EH1D2G48SBC0,
EH1D2X40SFC0
1.1.3.3 How Can I View the Serial Number of a Power Module?
Method 1: Obtain the Power Module Serial Number by Using a Command

Run the display elabel command to view electronic label information, and select the power
module number according to the command prompt information. In the command output, SN
specifies the power module serial number.


backplane Backplane
<cr>
<5,8,13,16> <CMU1>
<HUAWEI> display elabel 1/PWR1
[Slot_21]
[Main_Board]
DATE=13_02_08
SN=2102310JFA6TGC907205
NOTE
The command format may vary according to versions. You can enter a question mark (?) to obtain the
command prompt information and select the corresponding power module parameters.
Method 2: Obtaining the Power Module Serial Number Onsite

You can obtain the power module serial number onsite, as shown in Table 1-4.
Table 1-4 Location of the power module serial number label

Power Module Serial Number Label Location
Type
l 1600 W DC The serial number label is attached on the power module panel, as
power module shown in Figure 1-6.
l 2200 W DC
power module
l 800 W AC The serial number label is attached on the right shell, as shown in
power module Figure 1-7.
l 2200 W AC
power module

Figure 1-6 Location of the serial number label (A 2200 W DC power module is used as an
example.)
RTN(+)
NEG(-)
21022700998NC60000001 Y W2PSD2201
RUN
ON ALM
OFF FAULT
V; 60 A MAX
-48 -60
Serial number label

Figure 1-7 Location of the serial number label (A 2200 W AC power module is used as an
example.)
21023168676TB3000137
ON
RUN
ALM
OFF
FAULT
Serial number label
1.1.3.4 How Can I View the Serial Number of a Fan Module?
Method 1: Obtain the Fan Module Serial Number by Using a Command

Run the display elabel command to view electronic label information, and select the fan
module number according to the command prompt information. In the command output,
BarCode specifies the fan module serial number.
backplane Backplane
<cr>
<5,8,13,16> <CMU1>
<HUAWEI> display elabel 1/FAN2
[Slot_18]
[Main_Board]
[Board Properties]
BoardType=LE02FCMC

BarCode=2103010JTF0123456789
Item=02120995
......
NOTE
The command format may vary according to versions. You can enter a question mark (?) to obtain the
command prompt information and select the corresponding fan module parameters.
Method 2: Obtaining the Fan Module Serial Number Onsite

You can obtain the fan module serial number onsite. The fan module serial number label is
attached on the upper right corner at the front side and is a one-dimensional label, as shown in
Figure 1-8.
Figure 1-8 Location of the serial number label (A fan module on the S9700 is used as an
example.)
Serial number label
00FBX000
Y EH1H
10C9000059
2102120666
fingers
parts, keeping
us moving
Hazardo
away.
body parts
and other ਬ⡽έ
᧛䀜
᡽ᰁ䖢ᰬ
ћ⾷൞伄
RUN/ALM
1.1.3.5 How Can I View the Serial Number of an Optical Module?
Method 1: Run the display Command to View the Serial Number

l Run the display elabel command to view the electronic label of an optical module.
BarCode indicates the serial number of the optical module.
<HUAWEI> display elabel
......
[Port_XGigabitEthernet4/0/1]
[Board Properties]
BoardType=PLRXPLSCS4322N
BarCode=CB02UF1SW
Item=
Description=10300Mb/sec-850nm-LC-33(OM1),82(OM2),300(OM3),400(OM4)
/$VendorName=JDSU
IssueNumber=
CLEICode=
BOM=
......
l Run the display transceiver interface interface-type interface-number command to

view information about a specified optical module. Manu. Serial Number indicates the
serial number of the optical module.
<HUAWEI> display transceiver interface gigabitethernet 9/0/21
GigabitEthernet9/0/21 transceiver information:

-------------------------------------------------------------
Common information:
Transceiver Type :UNKNOWN_SFP
Connector Type :LC
Wavelength(nm) :850
Transfer Distance(m) :80(50um),30(62.5um),300(OM3)
Digital Diagnostic Monitoring :YES
Vendor Name :JDSU
Vendor Part Number :PLRXPLSCS4322N
Ordering Name :
-------------------------------------------------------------
Manufacture information:
Manu. Serial Number :CB02UF1SW
Manufacturing Date :2011-01-09
Vendor Name :JDSU
-------------------------------------------------------------
Alarm information:
RX loss of signal
RX power low
-------------------------------------------------------------
Method 2: View the Label Attached on an Optical Module to View the Serial
Number
You can check the label attached on the optical module to obtain the serial number.
1.1.4 Displaying Power Supply and Power Information
Context
When a power supply fault occurs on a device, you can run the following display commands
to view power supply and power information.
Procedure
l Run the display power command to view power supply information.
l Run the display power system command to view system power information.
----End
FAQ
1.1.4.1 How Can I Determine Whether the Power Supply Status Is Abnormal?
The power supply status is abnormal in either of the following situations:
1. Run the display power command to view the power supply status. If the State field
displays NotSupply, the power module does not supply power. Check whether the
power module is installed properly and whether the power switch is turned on.
<HUAWEI> display power
--------------------------------------------------------------------------
PowerID Online Mode State Current(A) Voltage(V) RealPwr(W)
--------------------------------------------------------------------------
PWR1 Present AC NotSupply - - -
PWR2 Present AC Supply 0.82 53.40 43.79
PWR5 Absent - - - - -

2. Run the display device command to view the power supply status. If the State field
displays Unregistered or Abnormal, the power supply status is abnormal. You can run
the display alarm all command to check whether there are any power supply alarms.
<HUAWEI> display alarm all
----------------------------------------------------------------------------
Level Date Time Info
Warning 2014-07-28 15:19:02 Fan is invalid for some reason.(Phys

icalName=[FAN2], EntityTrapFaultID=139266
)
Emergency 2014-07-28 15:19:00 Power is invalid for not support DC1
600 and DC2400.(PhysicalName=[PWR2])
Emergency 2014-07-28 15:18:59 Power is invalid for not support DC1
600 and DC2400.(PhysicalName=[PWR1])
----------------------------------------------------------------------------
Common power supply alarm information is as follows:

– When the alarm information contains Power is invalid for not support, an
incompatible power module is installed in the device.
– When PWR_LACK and SWITCH_STAT sensor alarms are generated on the same
power module, the power module is installed but is not connected to any power
cable or the power switch is not turned on.
– If only the PWR_FAULT alarm is generated, the power module is experiencing a
fan failure, output overvoltage, external short circuit, output failure, or input failure.
For details about how to troubleshoot the abnormal power supply status, see "A Power
Module Does Not Work Normally" in the Troubleshooting - Hardware Troubleshooting.
1.1.4.2 How Can I Determine a DC or AC Power Module?

Run the display power command to view power supply information. If the Mode field
displays AC, the power module is an AC power module. If the Mode field displays DC, the
power module is a DC power module.
<HUAWEI> display power
--------------------------------------------------------------------------
PowerID Online Mode State Current(A) Voltage(V) RealPwr(W)
--------------------------------------------------------------------------
POE1 Absent - - - - -
1.1.4.3 How Can I View the Power of Power Modules?

Run the display power system command to view power information, including the total
system power, reserved system power, and card rated power. Card rated power information
displays the rated power of power modules.
<HUAWEI> display power system
The total power supplied : 800.00(W)
The maximum power needed : 797.00(W)
The remain power : 3.00(W)
The system rated power detail information :
-------------------------------------------------
Slot BoardName State Power(W)
-------------------------------------------------
2 LPU board Lack 61.00
4 LPU board On 62.00

14 MPU board On 105.00

CMU1 CMU board On 1.00
CMU2 CMU board On 1.00
FAN1 FAN board On 43.00
PWR1 PWR board On 800.00
1.1.4.4 What Are the MIB OIDs of System Power Information?

The following table describes the MIB OIDs of system power information.
Object Name OID Syntax Description Implemented
Specification
s
hwSystemPowerDeviceID 1.3.6.1.4.1.2 Integer32 This object read-only

011.5.25.31. indicates the
1.1.14.1.1 device ID.
hwSystemPowerTotalPow- 1.3.6.1.4.1.2 Integer32 This object read-only

er 011.5.25.31. indicates the
1.1.14.1.2 total system
power.
hwSystemPowerUsedPow- 1.3.6.1.4.1.2 Integer32 This object read-only

er 011.5.25.31. indicates the
1.1.14.1.3 used system
power.
hwSystemPowerRemain- 1.3.6.1.4.1.2 Integer32 This object read-only

Power 011.5.25.31. indicates the
1.1.14.1.4 remaining
system
power.
1.1.5 Displaying the Fan Status
Context
Fans must operate normally to ensure normal operation of a device. Inefficient heat
dissipation will increase the device temperature and may damage the hardware. You can use
the following commands to view the fan status and check whether fans are operating
normally.
Procedure
l Run the display fan command to view the fan status.
l Run the display fan-para { all | slot slot-id } command to view the rated power and
speed adjustment policy of fans.
----End

1.1.6 Displaying Optical Module Information
Context
When the optical module on an interface is faulty, you can run the display commands to view
information about the optical module.
Procedure
l Run the display transceiver [ interface interface-type interface-number | slot slot-id ]
[ verbose ] command to view information about the optical module on a specified
interface.
----End
FAQ
1.1.6.1 What Is the Impact of Using Non-Huawei-Certified Optical Modules?

When certifying an optical module, Huawei comprehensively verifies the functions of the
optical module to ensure the optical module quality. The functions include the installation and
removal, transmit and receive power, signal transmission quality, basic information query,
fault tolerance, compatibility, electro magnetic compatibility (EMC), and environmental
performance.
The system may fail to obtain information about non-Huawei-certified switch optical modules
or obtain incorrect information. You are advised to use Huawei-certified switch optical
modules.
When a non-Huawei-certified optical module is used, the following problems often occur:
l The optical module cannot be installed in an optical interface because the optical module
structure is nonstandard.
The structure and size of some non-Huawei-certified optical modules do not comply with
the MSA agreement. After such an optical module is installed in an optical interface, the
neighbor interface cannot have an optical module installed because the non-Huawei-
certified optical module has a nonstandard size.
l The device data bus is abnormal because of the data bus defects of the non-Huawei-
certified optical module.
Some non-Huawei-certified optical modules has data bus design defects. When such an
optical module is used on a device, the data bus of the device will become abnormal. As
a result, data on the data bus cannot be read.
l The edge connector of the optical module has a nonstandard size, damaging the
electronic components of the interface.
The edge connectors of some non-Huawei-certified optical modules have a nonstandard
size, causing the interface to be short-circuited and damaging the electronic components
of the interface.
l Optical module temperature monitoring is not standardized, causing alarms to be
incorrectly generated.
The temperature monitoring systems of some non-Huawei-certified optical modules do
not comply with industry specifications, and so a high temperature is obtained. As a
result, the system incorrectly reports a temperature alarm.

l The optical module register is set incorrectly. Consequently, parameters and diagnostic
information cannot be read or read incorrectly.
The A0 registers of some non-Huawei-certified optical modules are set incorrectly. As a
result, parameters and diagnostic information cannot be read or read incorrectly by the
data bus.
l The optical module design does not comply with the EMC, its anti-electromagnetic
interference capability is low, and the optical module brings electromagnetic interference
to surrounding devices.
l The working temperature range of the optical module does not meet requirements,
causing the optical power to be reduced at a high temperature. Subsequently, services are
interrupted.
1.1.6.2 How Can I Determine Whether an Optical Module Is a Huawei-Certified

Switch Optical Module?
Obtain the electronic label of the optical module and contact Huawei technical support
personnel to confirm whether it is a Huawei-certified switch optical module.
NOTE
The system may fail to obtain information about non-Huawei-certified switch optical modules or obtain
incorrect information. You are advised to use Huawei-certified switch optical modules.
For details about how to check the electronic label of an optical module, see 1.1.2.5 How Can
I View the Optical Module Electronic Label?.
1.1.6.3 What Can I Do If the Optical Power Is Low or High?
Fault Description
Optical power alarms occur when two optical interfaces connect to each other.
Optical Power Alarms

BASETRAP_1.3.6.1.4.1.2011.5.25.129.2.17.1 hwOpticalPowerAbnormal //An alarm
indicateing abnormal transmit or receive power of an optical module.
BASETRAP/3/OPTPWRABNORMAL: OID [oid] Optical module power is abnormal.
(EntityPhysicalIndex=[INTEGER], BaseTrapSeverity=[INTEGER],
BaseTrapProbableCause=[INTEGER], BaseTrapEventType=[INTEGER],
EntPhysicalContainedIn=[INTEGER], EntPhysicalName="[OCTET]", Relati
veResource="[OCTET]", ReasonDescription="[OCTET]")
ENTITYTRAP_1.3.6.1.4.1.2011.5.25.219.2.4.5 hwOpticalInvalid 136193 //An alarm
indicating a high transmit power of an optical module.
indicating a low transmit power of an optical module.
indicating a high receive power of an optical module.
indicating a low receive power of an optical module.
ENTITYTRAP/3/OPTICALINVALID:OID [oid] Optical Module is invalid.(Index=[INTEGER],
EntityPhysicalIndex=[INTEGER], PhysicalName=\"
[OCTET]\", EntityTrapFaultID=[INTEGER])
Possible Causes
l The local and remote optical modules have different types and wavelengths.
l The optical module is incorrectly installed or the optical fiber fails.

l The fiber connected to the interface is too long or the fiber attenuation is high.
l The remote transmit power is not within the allowed range.
l The optical module fails.
Troubleshooting Procedure
NOTE
Saving the results of each troubleshooting step is recommended. If your troubleshooting fails to correct
the fault, you will have a record of your actions to provide technical support personnel.
1. Check whether the local and remote optical modules have the same wavelength.
Run the display transceiver [ interface interface-type interface-number | slot slot-id ]
[ verbose ] command to check optical module information on the interface. The
Wavelength(nm) field in the command output indicates the wavelength of an optical
module. If the two optical modules have different wavelengths, replace one optical
module to ensure that the two optical modules have the same wavelength.
If the fault persists, go to step 2.
2. Check the link connection.
Remove and install the fiber and optical module to ensure that the fiber and optical
module are properly connected. Check whether the fiber connector is damaged or dirty.
If so, replace the fiber.
3. Check the fiber length.
The fiber length must be shorter than the maximum transmission distance of an optical
module. For the maximum transmission distance supported by different optical modules,
see Pluggable Modules for Interfaces in the hardware description. If the fiber length
exceeds the maximum transmission distance of the optical modules, shorten the fiber
length or use optical modules with a longer transmission distance.
4. Check the transmit optical power on the remote device.
Ensure that the transmit optical power on the remote device exceeds the lower threshold.
5. Check whether the fiber type matches the optical module.
Determine whether the fiber type matches the optical module type according to the
following information:
– A multimode fiber can be used together with multimode fiber.
– A single-mode fiber can only be used with a single-mode optical module. A single-
mode fiber is generally yellow, and a multimode fiber is generally orange.
– Two connected optical modules must have the same wavelength.
6. Check the optical module type and vendor.
Check whether the local and remote devices use optical modules of the same type but
from different vendors. If the connected optical modules have the same wavelength and
provide short-distance transmission but alarms indicating low or high optical power
occur, the two optical modules may be from different vendors. Although these optical
modules have the same wavelength, optical power alarms occur because different
vendors design different optical power indicators for these optical modules. To rectify
the fault, use optical modules of the same vendor.


7. Replace the parts.
Using a short fiber loopback test. If the fault cannot be located, replace the optical
module or fiber.
8. Collect the following information and contact technical support personnel:
– Results of the preceding troubleshooting procedure
– Configuration file, logs, and alarms of the device
1.1.6.4 How Can I View Optical Power Information?

NOTE
You can run the display transceiver interface interface-type interface-number verbose
command to view power information of a specified optical module.
<HUAWEI> display transceiver interface gigabitethernet 3/0/0 verbose
-------------------------------------------------------------
Common information:
Transceiver Type :1000_BASE_SX_SFP
Connector Type :LC
Wavelength(nm) :850
Transfer Distance(m) :500(50um),300(62.5um)
Vendor Name :FINISAR CORP.
Vendor Part Number :FTLF8519P2BNL-HW
Ordering Name :
-------------------------------------------------------------
Manu. Serial Number :PEP3L5D
-------------------------------------------------------------
Alarm information:
TX power low
-------------------------------------------------------------
Diagnostic information:
Temperature(°C) :39
Voltage(V) :3.31
Bias Current(mA) :6.59
Bias High Threshold(mA) :10.50
Bias Low Threshold(mA) :2.50
Current Rx Power(dBM) :-2.23 //Indicate the current
receive power of the optical module.
Default Rx Power High Threshold(dBM) :3.01 //Indicate the default
receive power upper alarm threshold of the optical module.
Default Rx Power Low Threshold(dBM) :-15.02 //Indicate the default
receive power lower alarm threshold of the optical module.
Current Tx Power(dBM) :-2.45 //Indicate the current
transmit power of the optical module.
Default Tx Power High Threshold(dBM) :3.01 //Indicate the default
transmit power upper alarm threshold of the optical module.
Default Tx Power Low Threshold(dBM) :-9.00 //Indicate the default
transmit power lower alarm threshold of the optical module.
User Set Rx Power High Threshold(dBM) :3.01 //Indicate the
configured receive power upper alarm threshold of the optical
module.
User Set Rx Power Low Threshold(dBM) :-15.02 //Indicate the
configured receive power lower alarm threshold of the optical
module.

User Set Tx Power High Threshold(dBM) :3.01 //Indicate the

configured transmit power upper alarm threshold of the optical
module.
User Set Tx Power Low Threshold(dBM) :-9.00 //Indicate the
configured transmit power lower alarm threshold of the optical
module.
-------------------------------------------------------------
When the current optical module power is between the upper and lower thresholds, the optical
power is normal. When the current optical power exceeds the configured upper alarm
threshold, a high optical power alarm is generated. When the current optical power falls
below the configured lower alarm threshold, a low optical power alarm is generated.
1.1.6.5 How Can I View the Optical Module Wavelength?

NOTE
Two optical modules on the transmit and receive ends must have the same wavelength. You are advised to use
the same type of optical modules on the transmit and receive ends.
You can run the display transceiver interface interface-type interface-number command to
view wavelength of a specified optical module.
-------------------------------------------------------------
Common information:
Connector Type :LC
Wavelength(nm) :850
Ordering Name :
-------------------------------------------------------------
-------------------------------------------------------------
Alarm information:
TX power low
-------------------------------------------------------------
1.1.6.6 How Can I View the Optical Module Transmission Distance?

NOTE
Optical signals sent from different types of sources can transmit over different distances due to negative
effects of optical fibers, such as dispersion and attenuation. When connecting optical interfaces, select optical
modules and fibers according to the longest signal transmission distance.
view the transmission distance of a specified optical module.
-------------------------------------------------------------
Common information:

Connector Type :LC

Wavelength(nm) :850
Ordering Name :
-------------------------------------------------------------
-------------------------------------------------------------
Alarm information:
TX power low
-------------------------------------------------------------
1.1.6.7 How Can I View the Temperature, Voltage, and Current of an Optical
Module?
NOTE
You can run the display transceiver interface interface-type interface-number verbose
command to view the temperature, voltage, and current of a specified optical module.
-------------------------------------------------------------
Common information:
Transceiver Type :UNKNOWN_SFP
Connector Type :LC
Wavelength(nm) :850
Transfer Distance(m) :80(50um),30(62.5um),300(OM3)
Vendor Name :JDSU
Vendor Part Number :PLRXPLSCS4322N
Ordering Name :
-------------------------------------------------------------
Manu. Serial Number :CB02UF1SW
Vendor Name :JDSU
-------------------------------------------------------------
Alarm information:
RX loss of signal
RX power low
-------------------------------------------------------------
Temperature(°C) :33 //Indicate the current
temperature of the optical module.
Voltage(V) :3.32 //Indicate the current voltage
of the optical module.
Bias Current(mA) :7.31 //Indicate the bias current of
the optical module.
Bias High Threshold(mA) :10.00 //Indicate the bias current
higher threshold of the optical module.
Bias Low Threshold(mA) :2.60 //Indicate the bias current
lower threshold of the optical module.
Current Rx Power(dBM) :-29.21
Default Rx Power High Threshold(dBM) :1.50
Default Rx Power Low Threshold(dBM) :-14.00
Current Tx Power(dBM) :-1.82
Default Tx Power High Threshold(dBM) :-1.00
Default Tx Power Low Threshold(dBM) :-8.00
User Set Rx Power High Threshold(dBM) :1.50

User Set Rx Power Low Threshold(dBM) :-14.00

User Set Tx Power High Threshold(dBM) :-1.00
User Set Tx Power Low Threshold(dBM) :-8.00
-------------------------------------------------------------
1.1.6.8 Why I Cannot Obtain Optical Module Information?

You may fail to obtain information about an optical module in the following situations:
l The system may fail to obtain information about non-Huawei-certified switch optical
modules or obtain incorrect information. You are advised to use Huawei-certified switch
optical modules.
l No optical module is installed.
l The system does not support the query of the temperature, voltage, current, receive
power, and transmit power of the optical module.
l If the transmit or receive power is NA, the interface does not have any transmit or
receive signal and the power is 0.
l The optical module experiences a hardware fault. You can replace the optical module for
fault location.
1.1.6.9 How Can I Determine Whether an Optical Module Is Single-Mode or

Multi-Mode?
Optical fibers are classified into single-mode fibers and multi-mode fibers based on core
diameters and features. Generally, multi-mode fibers have large core diameters and severe
dispersion, so they transmit optical signals over short distances. Single-mode fibers have
small dispersion and can transmit optical signals over long distances.
Optical fibers and optical modules must work together. When single-mode optical modules
use multi-mode fibers, signal identification is unstable. When multi-mode optical modules use
single-mode fibers, the receive power loss is high.
NOTE
view information about a specified optical module. The displayed transmission distance
contains fiber diameter information. In the following command output, 50 um and 62.5 um
are fiber diameters, indicating multi-mode fibers. Fibers with a diameter of 9 um are single-
mode fibers. You can determine whether an optical module is single-mode or multi-mode
optical module based on the fiber diameter.

-------------------------------------------------------------
Common information:
Connector Type :LC
Wavelength(nm) :850
Ordering Name :
-------------------------------------------------------------


-------------------------------------------------------------
Alarm information:
TX power low
-------------------------------------------------------------
1.1.6.10 What Are the MIB OIDs of Optical Module Information?

The following table describes the MIB OIDs of optical module information.

ed
Specificatio
ns
hwEntityOpticalVendorSn 1.3.6.1.4.1.2 OCTET This object read-only

011.5.25.31. STRING indicates the
1.1.3.1.4 SN of an
optical
module.
hwEntityOpticalTempera- 1.3.6.1.4.1.2 Integer32 This object read-only

ture 011.5.25.31. indicates the
1.1.3.1.5 temperature of
an optical
module, in °C.
hwEntityOpticalVoltage 1.3.6.1.4.1.2 Integer32 This object read-only

1.1.3.1.6 voltage of an
optical
module, in mV.
hwEntityOpticalBiasCur- 1.3.6.1.4.1.2 Integer32 This object read-only

rent 011.5.25.31. indicates the
1.1.3.1.7 bias current of
an optical
module, in uA.
hwEntityOpticalRxPower 1.3.6.1.4.1.2 Integer32 This object read-only

1.1.3.1.8 receive power
of an optical
module, in uW.
uW =
(10^(dBM/
10))*1000.
hwEntityOpticalTxPower 1.3.6.1.4.1.2 Integer32 This object read-only

1.1.3.1.9 transmit power
of an optical
module, in uW.


ed
Specificatio
ns
hwEntityOpticalVenderPn 1.3.6.1.4.1.2 OCTET This object read-only

011.5.25.31. STRING indicates the
1.1.3.1.25 PN of an
optical
module.
1.1.6.11 What Does Alarm information Mean in Optical Module Information?

When you run the display transceiver interface interface-type interface-number verbose
command to view information about a specified optical module, Alarm information
indicates which fault occurs on the optical module. Table 1-5 describes possible alarm
information and meaning.
-------------------------------------------------------------
Common information:
Connector Type :LC
Wavelength(nm) :850
Ordering Name :
-------------------------------------------------------------
-------------------------------------------------------------
Alarm information:
TX power low
-------------------------------------------------------------
Temperature(°C) :39
Voltage(V) :3.31
Bias Current(mA) :6.59
Bias High Threshold(mA) :10.50
Bias Low Threshold(mA) :2.50
Current Rx Power(dBM) :-2.23
Default Rx Power High Threshold(dBM) :3.01
Default Rx Power Low Threshold(dBM) :-15.02
Current Tx Power(dBM) :-2.45
Default Tx Power High Threshold(dBM) :3.01
Default Tx Power Low Threshold(dBM) :-9.00
User Set Rx Power High Threshold(dBM) :3.01
User Set Rx Power Low Threshold(dBM) :-15.02
User Set Tx Power High Threshold(dBM) :3.01
User Set Tx Power Low Threshold(dBM) :-9.00
-------------------------------------------------------------

Table 1-5 Alarm information and meaning

Alarm Meaning
TX fault A transmission fault occurs.
RX loss of signal Received signals are lost.
Transceiver info I/O error Module information read and write error
occurs.
Transceiver info checksum error Module information checksum is incorrect.
Transceiver type not supported by port An interface does not support the module
hardware type.
Temp high The temperature is high.
Temp low The temperature is low.
Voltage high The voltage is high.
Voltage low The voltage is low.
TX bias high The bias current is high.
TX bias low The bias current is low.
TX power high The transmit power is high.
TX power low The transmit power is low.
RX power high The receive power is high.
RX power low The receive power is low.
1.1.6.12 How Can I View the Optical Attenuation?

You need to view the current optical power in optical module information to determine
whether the optical power is attenuated.
1.1.6.13 How Can I Determine Whether an Interface Has an Optical Module?

NOTE
Run the display transceiver command to view optical module information.

<HUAWEI> display
transceiver
GigabitEthernet3/1/12 transceiver
information:
-------------------------------------------------------------
Common

information:
Transceiver Type :
1000_BASE_SX_SFP
Connector
Type :LC
Wavelength(nm) :
0
Transfer Distance(m) :275(OM1),550(OM2),

1000(OM3)
Digital Diagnostic
Monitoring :NO
Vendor
Name :AGILENT
Vendor Part
Number :HFBR-5710L
Ordering
Name :
-------------------------------------------------------------
Manufacture
information:
Manu. Serial
Number :AJ051801EK
Manufacturing Date :
2005-05-03
Vendor
Name :AGILENT
-------------------------------------------------------------
Alarm
information:
RX loss of
signal
-------------------------------------------------------------
GigabitEthernet3/1/13 transceiver
information:
-------------------------------------------------------------
Common
information:
Transceiver Type :
1000_BASE_SX_SFP
Connector
Type :LC
Wavelength(nm) :
0
Transfer Distance(m) :275(OM1),550(OM2),

1000(OM3)
Digital Diagnostic
Monitoring :NO
Vendor
Name :AVAGO
Vendor Part
Number :HFBR-5710L
Ordering
Name :
-------------------------------------------------------------
Manufacture
information:
Manu. Serial
Number :AM070864WZ
Manufacturing Date :
2007-02-25
Vendor
Name :AVAGO
-------------------------------------------------------------
Alarm
information:
RX loss of
signal
-------------------------------------------------------------
1.1.7 Displaying the Card Voltage
Context
When the voltage of a card is abnormal, you can run the following command to view the
voltage of the card.
Procedure
l Run the display voltage { all | slot slot-id } command to view the voltage of a specified
card.
----End
FAQ
1.1.7.1 Why Is a Voltage Alarm Generated and What Can I Do to Clear the
Alarm?
Voltage Alarms
BASETRAP_1.3.6.1.4.1.2011.5.25.129.2.2.9 hwVoltRisingAlarm //The voltage
exceeds the upper threshold.
BASETRAP/1/VOLTRISING: OID [oid] Voltage exceeded the upper pre-alarm limit.

(Index=[INTEGER], BaseThresholdPhyIndex=[INTEGER],
ThresholdType=[INTEGER], ThresholdIndex=[INTEGER], Severity=[INTEGER],
ProbableCause=[INTEGER], EventType=[INTEGER],PhysicalNa
me=[OCTET], ThresholdValue=[INTEGER], ThresholdUnit=[INTEGER],
ThresholdHighWarning=[INTEGER], ThresholdHighCritical= [INTEGER])
BASETRAP_1.3.6.1.4.1.2011.5.25.129.2.2.11 hwVoltFallingAlarm //The voltage
falls below the lower threshold.
BASETRAP/1/VOLTFALLING: OID [oid] Voltage has fallen below the lower pre-alarm
limit.(Index=[INTEGER], BaseThresholdPhyIndex=
[INTEGER], ThresholdType=[INTEGER], ThresholdIndex=[INTEGER], Severity=[INTEGER],
ProbableCause=[INTEGER], EventType=[INTEGER],
PhysicalName=[OCTET], ThresholdValue=[INTEGER], ThresholdUnit=[INTEGER],
ThresholdLowWarning=[INTEGER], ThresholdLowCritical=
[INTEGER])
ENTITYTRAP_1.3.6.1.4.1.2011.5.25.219.2.10.5 hwVoltAlarm 141056 //The voltage
exceeds the upper threshold.
ENTITYTRAP/1/ENTITYVOLTALARM: OID [oid] Voltage of power rise over or fall below
the alarm threshold.(EntityPhysicalIndex=[INT
EGER],
EntityThresholdType=[INTEGER],EntityThresholdValue=[INTEGER],EntityThresholdCurren
t=[INTEGER], EntityTrapFaultID=[INTEGER])
ENTITYTRAP_1.3.6.1.4.1.2011.5.25.219.2.10.5 hwVoltAlarm 141057 //The voltage
falls below the lower threshold.
ENTITYTRAP/1/ENTITYVOLTALARM: OID [oid] Voltage of power rise over or fall below
the alarm threshold.(EntityPhysicalIndex=[INTE
GER],
EntityThresholdType=[INTEGER],EntityThresholdValue=[INTEGER],EntityThresholdCurren
t=[INTEGER], EntityTrapFaultID=[INTEGER])
Possible Causes of Voltage Alarms

l The power module is faulty.
l The card has a hardware fault.
Procedure of Clearing a Voltage Alarm

1. Check whether any power module experiences a hardware fault.
(1) If so, go to step 2.
(2) If not, go to step 3.
Perform the following operation to check whether a power module experiences a
hardware fault:
Use a normal power module to replace a power module and run the display voltage slot
slot-id command to check whether the voltage of cards returns to the normal range.
Repeat the operation to check other power modules until you find the faulty power
module.
2. Replace the faulty power module.
3. Run the display voltage slot slot-id command to check whether the voltage of the card
for which an alarm is generated is normal.
(2) If not, replace the card and go to step 4.
4. Check whether the alarm is cleared.
5. Contact Huawei technical support personnel.
6. End.

1.1.7.2 How Can I Determine Whether and Why the Voltage Is Abnormal?
A High or Low Voltage Causes the Abnormal Status in Voltage Information

The Status field in the display voltage all command output displays Minor.
<HUAWEI> display voltage
all
-------------------------------------------------------------------------------
Slot Card Sensor SensorName Status Current(V) Lower(V)

Upper(V)
-------------------------------------------------------------------------------
9 - 5 3.3V Minor 3.3320 3.6456

3.9592
- 6 1.8V Normal 1.8032 1.4406
2.1560
- 7 1.5V Normal 1.5092 1.1956
1.8032
- 8 1.0V_NP Normal 1.0192 0.8036
1.1956
- 9 1.0V_CPU Normal 1.0192 0.8036
1.1956
- 10 1.0V_NP_A Normal 0.9996 0.8036
1.1956
- 11 1.2V Normal 1.1956 0.9604
1.4406
- 12 1.5V_NPDDR Normal 1.4994 1.1956
1.8032
- 13 5.0V Normal 5.0530 4.0300
6.0760
- 14 0.9V_TCAM Normal 0.9016 0.7154
1.0780
- 15 0.9V_TCAM_A Normal 0.9016 0.7154
1.0780
- 16 0.9V_PHY Normal 0.9016 0.7154
1.0780
- 17 12.0V Normal 11.9520 9.5450
14.3590
13 - 5 3.3V Normal 3.3516 2.6460
3.9592
- 6 1.0V Normal 1.0192 0.8036
1.1956
- 7 1.2V Normal 1.1956 0.9604
1.4406
- 8 1.5V Normal 1.5190 1.1956
1.8032
- 9 1.8V Normal 1.8130 1.4406
2.1560
- 10 2.5V Normal 2.5480 1.9992
2.9988
- 11 5.0V Normal 4.9590 3.9440
5.9160
- 12 3.3V_LSW Normal 3.3320 2.6460
3.9592
- 13 1.2V_OAM Normal 1.1858 0.9604
1.4406
- 14 2.0V_OAM Normal 2.0139 1.6023
2.3961
- 15 2.5V_OAM Normal 2.5284 1.9992
2.9988
- 16 3.3V_OAM Normal 3.3320 2.6460
3.9592
- 17 3.3V_CAN Normal 3.6260 2.6460
3.9592
- 18 5.0V_AVS Normal 4.9300 3.9440 5.9160

Solution: See 1.1.7.1 Why Is a Voltage Alarm Generated and What Can I Do to Clear the
Alarm?.
The Card Monitoring Software Is Abnormal. As a Result, All Voltage Values

Cannot Be Obtained and Display as 0.
The Current(V), Lower(V), and Upper(V) fields in the display voltage all command output
display 0.
all
-------------------------------------------------------------------------------

Upper(V)
-------------------------------------------------------------------------------
9 - 5 3.3V Normal 0 0
0
- 6 1.8V Normal 0 0
0
- 7 1.5V Normal 0 0
0
- 8 1.0V_NP Normal 0 0
0
- 9 1.0V_CPU Normal 0 0
0
- 10 1.0V_NP_A Normal 0 0
0
- 11 1.2V Normal 0 0
0
- 12 1.5V_NPDDR Normal 0 0
0
- 13 5.0V Normal 0 0
0
- 14 0.9V_TCAM Normal 0 0
0
- 15 0.9V_TCAM_A Normal 0 0
0
- 16 0.9V_PHY Normal 0 0
0
- 17 12.0V Normal 0 0
0
13 - 5 3.3V Normal 3.3516 2.6460
3.9592
- 6 1.0V Normal 1.0192 0.8036
1.1956
- 7 1.2V Normal 1.1956 0.9604
1.4406
- 8 1.5V Normal 1.5190 1.1956
1.8032
- 9 1.8V Normal 1.8130 1.4406
2.1560
- 10 2.5V Normal 2.5480 1.9992
2.9988
- 11 5.0V Normal 4.9590 3.9440
5.9160
- 12 3.3V_LSW Normal 3.3320 2.6460
3.9592
- 13 1.2V_OAM Normal 1.1858 0.9604
1.4406
- 14 2.0V_OAM Normal 2.0139 1.6023
2.3961
- 15 2.5V_OAM Normal 2.5284 1.9992
2.9988
- 16 3.3V_OAM Normal 3.3320 2.6460
3.9592

- 17 3.3V_CAN Normal 3.6260 2.6460

3.9592
- 18 5.0V_AVS Normal 4.9300 3.9440 5.9160
Solution: Contact Huawei technical support personnel.
A Card Experiences a Hardware Fault. As a Result, the Voltage Cannot Be

Obtained and Displays as 0
The voltage of a sensor of the card cannot be obtained and displays 0 in the display voltage
all command output.
all
-------------------------------------------------------------------------------

Upper(V)
-------------------------------------------------------------------------------
9 - 5 3.3V Normal 3.3320 3.6456

3.9592
- 6 1.8V Normal 1.8032 1.4406
2.1560
- 7 1.5V Normal 1.5092 1.1956
1.8032
- 8 1.0V_NP Normal 1.0192 0.8036
1.1956
- 9 1.0V_CPU Normal 1.0192 0.8036
1.1956
- 10 1.0V_NP_A Normal 0.9996 0.8036
1.1956
- 11 1.2V Normal 1.1956 0.9604
1.4406
- 12 1.5V_NPDDR Normal 1.4994 1.1956
1.8032
- 13 5.0V Normal 5.0530 4.0300
6.0760
- 14 0.9V_TCAM Normal 0.9016 0.7154
1.0780
- 15 0.9V_TCAM_A Normal 0.9016 0.7154
1.0780
- 16 0.9V_PHY Normal 0.9016 0.7154
1.0780
- 17 12.0V Normal 11.9520 9.5450
14.3590
13 - 5 3.3V Normal 3.3516 2.6460
3.9592
- 6 1.0V Normal 1.0192 0.8036
1.1956
- 7 1.2V Normal 1.1956 0.9604
1.4406
- 8 1.5V Normal 1.5190 1.1956
1.8032
- 9 1.8V Normal 1.8130 1.4406
2.1560
- 10 2.5V Normal 0 0
0
- 11 5.0V Normal 4.9590 3.9440
5.9160
- 12 3.3V_LSW Normal 3.3320 2.6460
3.9592
- 13 1.2V_OAM Normal 1.1858 0.9604
1.4406
- 14 2.0V_OAM Normal 2.0139 1.6023
2.3961
- 15 2.5V_OAM Normal 2.5284 1.9992
2.9988

- 16 3.3V_OAM Normal 3.3320 2.6460

3.9592
- 17 3.3V_CAN Normal 3.6260 2.6460
3.9592
- 18 5.0V_AVS Normal 4.9300 3.9440 5.9160
1.1.8 Displaying the Temperature
Context
When the device temperature is too high or too low, the hardware may be damaged. To learn
about the current device temperature, use the following command to view the device
temperature.
Procedure
l Run the display temperature { all | slot slot-id } command to view the device
temperature.
----End
FAQ
1.1.8.1 How Can I Determine Whether the Card Temperature Is too High?
Generally, the recommended operating temperature of a card ranges from 0°C to 45°C.
Each type of cards has its temperature range, and fans can automatically adjust the speed
according to the temperature range to ensure that the card temperature is within the normal
range. The card temperature is within the normal range if no high temperature alarm is
generated on the card.
High temperature alarms are as follows:

ENTITYTRAP_1.3.6.1.4.1.2011.5.25.219.2.10.13 hwBrdTempAlarm 140544
ENTITYTRAP/1/ENTITYBRDTEMPALARM: OID [oid] Temperature rise over or fall below
the warning alarm threshold.(Index=[INTEGER],
ThresholdEntityPhysicalIndex=[INTEGER],EntityPhysicalIndex=[INTEGER],
PhysicalName="[OCTET]", EntityThresholdType=[INTEGER],
EntityThresholdValue=[INTEGER],EntityThresholdCurrent=[INTEGER],
EntityTrapFaultID=[INTEGER])
BASETRAP_1.3.6.1.4.1.2011.5.25.129.2.2.1 hwTempRisingAlarm
BASETRAP/1/TEMRISING: OID [oid] Temperature exceeded the upper pr e-alarm limit.
(Index=[INTEGER], BaseThresholdPhyIndex=[INT
EGER], ThresholdType=[ INTEGER], ThresholdIndex=[INTEGER], Severity=[INTEGER],
ProbableCause=[INTEGER], EventType=[INTEGER],
PhysicalName="[OCTET]", ThresholdValue=[INTEGER], Threshol dUnit=[INTEGER],
ThresholdHighWarning=[INTEGER], ThresholdHighCrit
ical=[INTEGER] )
1.1.8.2 Why Is a High Temperature Alarm Generated and How Can This Alarm
Be Cleared?
Possible Causes for a High Temperature Alarm

l The device is not ventilated well, which causes heat unable to be dissipated.

l The air filter is blocked by dust.

l Vacant slots are not covered with filler panels.
l The ambient temperature of the device is too high.
l The number of fans on the device is insufficient.
l A fan on the device is faulty.
l The chip temperature is high.
Troubleshooting a High Temperature Alarm

1. Clean the air filter and remove the objects that block the air exhaust area (if any). Cover
all vacant slots with filler panels to ensure efficient heat dissipation. Then check whether
the alarm is cleared.
2. Check whether the ambient temperature of the device is too high.
3. Lower the temperature in the equipment room, and then go to step 4.
4. Check whether all the fans are properly installed.
5. Add more fans, and then go to step 6.
6. Run the display fan command to check whether any fan is faulty according to the status
of fans.
7. Replace the faulty fan, and then go to step 8.
8. Run the display temperature all command to view the temperature of each card on the
device. Check whether the chip temperature of the card is high.
9. Contact Huawei technical support personnel.
10. End.
Determining Whether a High Temperature Alarm Is Cleared

1. This alarm is not displayed on the NMS.
2. This alarm is not displayed when you run the display trapbuffer command to view the
trap buffer.
3. This alarm is not displayed when you run the terminal monitor and terminal trapping
commands to view alarm information.

1.1.8.3 How Can I Determine Whether and Why the Temperature Is Abnormal?
A High Temperature Causes the Abnormal Status in Temperature Information

The Status field in the display temperature all command output displays Minor.
<HUAWEI> display temperature
all
---------------------------------------------------------------
Slot Card Sensor Status Current(C) Lower(C)

Upper(C)
---------------------------------------------------------------
9 - 1 Minor 70 0
64
- 2 Normal 30 0
60
13 - 1 Normal 31 0
60
- 2 Normal 34 0
63
14 - 1 Normal 34 0
60
- 2 Normal 37 0
63
18 - 1 Normal 44 0
72
- 2 Normal 38 0
64
1 1 Normal 28 0 55
Solution: See 1.1.8.2 Why Is a High Temperature Alarm Generated and How Can This
Alarm Be Cleared?.
The Card Monitoring Software Is Abnormal. As a Result, All Temperature

Values Cannot Be Obtained and Display as 0
The Current(C), Lower(C), and Upper(C) fields in the display temperature all command
output display 0.
<HUAWEI> display temperature all
---------------------------------------------------------------
Slot Card Sensor Status Current(C) Lower(C) Upper(C)

---------------------------------------------------------------
9 - 1 Normal 0 0 0
- 2 Normal 0 0 0
13 - 1 Normal 31 0
60
- 2 Normal 34 0
63
14 - 1 Normal 34 0
60
- 2 Normal 37 0
63
18 - 1 Normal 44 0
72
- 2 Normal 38 0
64
1 1 Normal 28 0 55

A Card Experiences a Hardware Fault. As a Result, the Temperature Cannot Be

Obtained and Displays as 0
The temperature of a sensor of the card cannot be obtained and displays 0 in the display
temperature all command output.
<HUAWEI> display temperature all
---------------------------------------------------------------
Slot Card Sensor Status Current(C) Lower(C) Upper(C)

---------------------------------------------------------------
9 - 1 Normal 0 0 0
- 2 Normal 30 0 60
13 - 1 Normal 31 0
60
- 2 Normal 34 0
63
14 - 1 Normal 34 0
60
- 2 Normal 37 0
63
18 - 1 Normal 44 0
72
- 2 Normal 38 0
64
1 1 Normal 28 0 55
1.2 Displaying the Version and Configuration
1.2.1 Displaying Version Information
Context
You can view current version information about the device to determine whether the device
needs to be upgraded or is upgraded successfully.
Procedure
l Run the display version [ slot slot-id | cmu cmu-id ] command to view version
information about the device.
----End
FAQ
1.2.1.1 How Can I View the Hardware Version?

Run the display version [ slot slot-id | cmu cmu-id ] command to view version information
about a card. PCB Version indicates the hardware version.
<HUAWEI> display version slot 9
LPU 4 : uptime is 3 weeks, 5 days, 22 hours, 45 minutes
SDRAM Memory Size : 256 M bytes
Flash Memory Size : 16 M bytes
LPU version information :
1. PCB Version : LE02G48V VER.B

2. MAB Version : 1
3. Board Type : ES0D0G48TA00
4. BootROM Version : 0207.00d3
5. BootLoad Version : 0207.00fb
1.2.1.2 How Can I View the Running Time of a Device and Card?
Run the display version command to view version information about the device. uptime
indicates the running time of the device and card.
<HUAWEI> display version
Huawei Versatile Routing Platform Software
VRP (R) software, Version 5.150 (S7700 V200R007C00SPC100)
Copyright (C) 2000-2013 HUAWEI TECH CO., LTD
HUAWEI S7703 Terabit Routing Switch uptime is 0 week, 0 day, 1 hour, 3 minutes
BKP 0 version information:
1. PCB Version : LE02BAKB VER.A
2. Support PoE : No
3. Board Type : ES0B017712P0
4. MPU Slot Quantity : 2
5. LPU Slot Quantity : 3
MPU 5(Master) : uptime is 0 week, 0 day, 1 hour, 1 minute

NVRAM Memory Size : 512 K bytes
CF Card1 Memory Size : 977 M bytes
MPU version information :
1. PCB Version : LE02SRUA VER.D
2. MAB Version : 0
3. Board Type : ES0D00SRUA00
4. CPLD0 Version : 1301.1014
5. BootROM Version : 0205.00ab
6. BootLoad Version : 0205.0097
LPU 1 : uptime is 0 week, 0 day, 0 hour, 54 minutes

1. PCB Version : LE02X4UX VER.B
2. MAB Version : 0
3. Board Type : ES0D0X2UXC00
4. CPLD0 Version : 1310.1716
6. BootLoad Version : 0205.00bf

2. MAB Version : 0
4. CPLD0 Version : 1102.1516

2. MAB Version : 0
4. CPLD0 Version : 1310.1716
Tcam version information :
1. Tcam size : 36 M bits

1.2.1.3 How Can I View the Number of LPUs Supported by a Device?

Run the display version command to view version information about the device. LPU Slot
Quantity indicates the number of LPUs supported by the device.
<HUAWEI> display version
Huawei Versatile Routing Platform Software
VRP (R) software, Version 5.150 (S7700 V200R007C00SPC100)
Copyright (C) 2000-2013 HUAWEI TECH CO., LTD
Quidway S7703 Terabit Routing Switch uptime is 0 week, 0 day, 1 hour, 3 minutes
BKP 0 version information:
1. PCB Version : LE02BAKB VER.A
2. Support PoE : No
3. Board Type : ES0B017712P0
4. MPU Slot Quantity : 2
5. LPU Slot Quantity : 3
MPU 5(Master) : uptime is 0 week, 0 day, 1 hour, 1 minute

NVRAM Memory Size : 512 K bytes
CF Card1 Memory Size : 977 M bytes
MPU version information :
1. PCB Version : LE02SRUA VER.D
2. MAB Version : 0
3. Board Type : ES0D00SRUA00
4. CPLD0 Version : 1301.1014
6. BootLoad Version : 0205.0097

2. MAB Version : 0
4. CPLD0 Version : 1310.1716

2. MAB Version : 0
4. CPLD0 Version : 1102.1516

2. MAB Version : 0
4. CPLD0 Version : 1310.1716
Tcam version information :
1. Tcam size : 36 M bits
1.2.2 Displaying the Environment Monitoring Software Version

Context
The card monitoring module (CANBUS) and system management software (SMS) are used to
implement basic management and maintenance on cards, for example, monitoring the
environment such as the temperature, power supply, and voltage. You can run the following
command to check the software version of the CANBUS and SMS.
Procedure
l Run the display environment version command to view the CANBUS version of a
specified card and system management software (SMS).
----End
1.2.3 Displaying the Current Configuration
Context
To learn about the services running on a device, run the following command to view the
device configuration.
Procedure
l Run the display current-configuration command to view the current device
configuration.
----End
FAQ
1.2.3.1 How Can I Determine Whether a Device Starts Using the Initial
Configuration?
When a device just finishes starting, you can run the display startup command to view the
startup configuration file. If the startup configuration file is NULL, the device has started
using the initial configuration.
NOTE
If the device configuration has been deleted using the reset saved-configuration command after startup, you
cannot determine whether the device has started using the initial configuration.
<HUAWEI> display startup
MainBoard:
Configured startup system software: flash:/

software.cc
Startup system software: flash:/
software.cc
Next startup system software: flash:/
software.cc
Startup saved-configuration file:
NULL
Next startup saved-configuration file:
NULL
Startup paf file:
default
Next startup paf file:

default
Startup license file:

default
Next startup license file:

default
Startup patch package:

NULL
Next startup patch package: NULL
1.2.3.2 How Can Low-Level Users View the Current Device Configuration?
The system defines a level for each command and manages commands based on command
levels. The system administrator (at level 3 or higher) can run the command-privilege level
level view view-name command-key command in the system view to change the command
level according to user requirements. This configuration can enable a low-level user to use
some high-level commands or raises the command level to improve device security.
Users lower than level 3 (management level) cannot run the display current-configuration
command to view the current device configuration. To view the device configuration, low-
level users need to apply to the administrator. The administrator then determines whether to
lower the command level according to requirements.
You are not advised to change the default command level without the guidance of
professionals. Otherwise, it may result in inconvenience for operation and maintenance and
bring about security problems.
1.2.3.3 How Can the Current Configuration Be Displayed on Multiple Screens?

You can run the screen-length screen-length [ temporary ] command in the user view or user
interface view to set the number of lines displayed on a terminal screen. By default, 24 lines
are displayed on a terminal screen. If screen-length is 0, the split screen function is disabled.
That is, the system does not pause when the information cannot be completely displayed on
one screen.
<HUAWEI> screen-length 40 temporary //temporary is a mandatory parameter in the
user view.
<HUAWEI> system-view
[HUAWEI] user-interface console 0
[HUAWEI-ui-console0] screen-length 40
1.3 Collecting Device Information by One Click
1.3.1 Displaying Diagnostic Information
Context
When the system experiences a fault or during routine maintenance, you can view diagnostic
information to collect the running information of all modules.

Diagnostic information is mainly used for fault location. Collecting diagnostic information
may affect system performance. For example, it may cause a high CPU usage. Therefore,
collecting diagnostic information is not recommended when the system is running normally.
Procedure
l Run the display diagnostic-information [ acl | css | arp | bfd | defend | dhcp | l2adp |
l3adp | lldp | mcast | mpls | rrpp | sdk | sep | smlk | srm | stat | stp | ucm ] [ file-name ]
command to view the device diagnostic information.
----End
1.3.2 Displaying the Device Health Status

You can use the display commands to view the device health status.
Context
You can run the following command to view the voltage, temperature, power supply
information, fan information, CPU usage, and memory usage of a device.
Procedure
l Run the display health command to view the device health status.
----End
1.4 Displaying the System MAC Address
Context
You can run the following command to view the current system MAC address.
Procedure
l Run the display system-mac command to view the system MAC address.
----End
1.5 Displaying Alarm Information
Context
When a device becomes faulty, you can run the following commands to view historical alarms
and existing alarms for locating faults or learning about the device running status.

Procedure
l Run the display trapbuffer command to view the alarms recently generated on the
device. Alarms are recorded into a log file. You can view the log file to check historical
alarms.
l Run the display alarm active command to view the alarms that are not cleared after the
device starts.
l Run the display alarm history command to view the historical alarms that are recorded
after the device starts.
l Run the display alarm [ slot slot-id | all ] command to view alarms about hardware
management on all cards or a specified card.
----End
1.6 Displaying the CPU Usage
Context
CPU usage is an important indicator to evaluate device performance. A high CPU usage will
cause service faults, for example, Border Gateway Protocol (BGP) route flapping, frequent
Virtual Router Redundancy Protocol (VRRP) switchovers, or even user login failures. You
can use the following commands to view CPU usage statistics and configurations in real time
and verify that the device is running stably.
You can view CPU usage configurations to learn about the CPU usage alarm threshold and
CPU usage alarm recovery threshold.
l When the CPU usage reaches the alarm threshold, the system generates a CPU usage
alarm.
l When the CPU usage falls below the recovery threshold, the system generates a clear
alarm.
Procedure
l Run the display cpu-usage [ slave | slot slot-id ] command to view CPU usage statistics.
l Run the display cpu-usage configuration [ slave | slot slot-id ] command to view CPU
usage configurations.
----End
FAQ
1.6.1 Does a High CPU Usage Affect Data Forwarding?

Huawei switches use a dual-plane structure. In the structure, the control plane and forwarding
plane are separated from each other, and data forwarding is completed by the forwarding
engine on the forwarding plane. In this situation, a high CPU usage on the control plane does
not affect data forwarding on the forwarding plane. If the high CPU usage on the control
plane leads to protocol flapping, the forwarding table is modified, and data forwarding is
affected.

1.6.2 What Do Common CPU Processes Such as VIDL, SOCK, and

RPCQ Mean?
The following table describes common CPU processes.
Process Name Process Description
VIDL Idle task. A larger value for this task

indicates a lower CPU usage.
SOCK Packet receiving and processing task. If this

task has a high CPU usage, the CPU is
receiving and processing a large number of
protocol packets. When this occurs, the
device may be undergoing an IP packet
attack.
RPCQ Inter-card communication task. The RPCQ

and SOCK tasks can be analyzed together.
If the device receives a large number of
packets and needs to respond to these
packets, the RPCQ task has a high CPU
usage. A packet attack may occur if this task
has a high CPU usage.
bcmRX Bottom-layer packet receiving task. This

task has a high CPU usage when the CPU
receives a large number of packets.
AGNT IPv4 SNMP protocol stack task. This task

has a high CPU usage when network
management operations are frequently
performed.
AGT6 IPv6 SNMP protocol stack task. This task

has a high CPU usage when network
management operations are frequently
performed.
SFPM Optical module management task. This task

has a high CPU usage when the system is
frequently querying and detecting optical
module information.
ROUT Route management task. This task has a

high CPU usage when the system is learning
a large number of routes or many routes
flap. When this occurs, view routing
information to determine whether the route
management module is faulty.
VPR Packet receiving task. This task receives the

packets transmitted through the inter-card
CPU data packet channel.

For more details about CPU processes, see the description of the display cpu-usage [ slave |
slot slot-id ] command output.
1.6.3 How Can I Determine Whether CPU Usages of the System

and Processes Are High?
System CPU usage is within the normal range if the following conditions are met:
1. The CPU usage does not exceed 80% when the system runs for a long period.
2. The CPU usage does not exceed 95% in a short period and does not keep increasing.
3. No high CPU usage alarm is generated.
In the following scenarios, the system may generate an alarm when CPU usage becomes high
instantly and then clear this alarm rapidly. This situation is a normal situation and does not
affect the device operation.
1. Cards just start.
2. Information about all optical modules is queried at a time.
3. Traffic volume increases instantly.
CPU usage of a CPU task process may become low or high, depending on the service volume
and processing time. CPU usage is within a normal range as long as the system CPU usage
does not exceed 80% and no high CPU usage alarm is generated.
High CPU usage alarms are as follows:
l Alarm (of Basetrap type)
BASETRAP_1.3.6.1.4.1.2011.5.25.129.2.4.1 hwCPUUtilizationRisingAlarm
BASETRAP/2/CPUUSAGERISING: OID [oid] CPU utilization exceeded the pre-alarm
threshold.(Index=[INTEGER],
BaseUsagePhyIndex=[INTEGER], UsageType=[INTEGER], UsageIndex=[INTEGER],
Severity=[INTEGER], ProbableCause=[INTEGER],
EventType=[INTEGER], PhysicalName="[OCTET]", RelativeResource="[OCTET]",
UsageValue=[INTEGER], UsageUnit=[INTEGER],
UsageThreshold=[INTEGER])
l Alarm(of the Entitytrap type)

ENTITYTRAP_1.3.6.1.4.1.2011.5.25.219.2.14.1 hwCPUUtilizationRising
ENTITYTRAP/4/ENTITYCPUALARM:OID [oid] CPU utilization exceeded the pre-alarm
threshold.(Index=[INTEGER],
EntityPhysicalIndex=[INTEGER], PhysicalName=[OCTET],
EntityThresholdType=[INTEGER], EntityThresholdValue=[INTEGER],
EntityThresholdCurrent=[INTEGER], EntityTrapFaultID=[INTEGER].)
1.6.4 What Can I Do If the CPU Usage Is High?

When a device has a high CPU usage, perform the following operations:
1. Check whether the CPU usage keeps increasing or increases instantly. If the CPU usage
increases instantly, an operation may be performed, for example, a card just starts,
information about optical modules is read continuously, and traffic volume increases
instantly. This situation does not affect the device operation.
2. Check which task process causes a high CPU usage and analyze the task.
3. Check log information and alarm information to determine whether a hardware fault
alarm is generated.
4. Check whether an interface frequently alternates between Up and Down states according
to log information and alarm information. If so, check whether the optical module of the
interface is faulty or a non-Huawei-certified optical module is used. Additionally,
analyze the configuration and traffic volume of the interface.

5. Check whether network management operations are frequently performed on the device.
6. Check whether STP flaps or routing protocols flap.
7. Check whether the network structure changes and whether a loop occurs on the network.
8. Check whether malicious attacks exist.
For details about how to locate a high CPU usage, see "CPU Usage of a Device Is High" in
the Troubleshooting.
1.6.5 What Are the MIB OIDs of CPU Usage?

The following table describes the MIB OIDs of CPU Usage.

Specifications
hwEntityCpuUs 1.3.6.1.4.1.2011 Integer32 This object read-only

age . indicates a CPU
5.25.31.1.1.1.1. usage.
5
hwEntityCpuUs 1.3.6.1.4.1.2011 Integer32 This object read-write

ageThreshold . indicates the
5.25.31.1.1.1.1. CPU usage
6 threshold.
1.7 Displaying the Memory Usage
Context
Memory usage is an important performance indicator of a device. A high memory usage will
cause service faults. You can view the memory usage of a device in real time to determine
whether the device is running stably.
You can view the memory usage threshold to check the alarm generation conditions.
l When memory usage reaches the alarm threshold, the system generates a memory usage
alarm.
l When memory usage falls below the recovery threshold, the system generates a clear
alarm.
Procedure
l Run the display memory-usage [ slave | slot slot-id ] command to view memory usage
statistics.
l Run the display memory-usage threshold [ slot slot-id ] command to view the memory
usage threshold.
----End

FAQ
1.7.1 How Can I Determine Whether the Memory Usage of a

Device Is High?
Generally, the memory usage of a device is within the normal range in the following
conditions:
l The memory usage does not exceed 80%.
l The memory usage does not keep increasing or fluctuate.
l No memory usage alarm is generated.
ENTITYTRAP_1.3.6.1.4.1.2011.5.25.219.2.15.1 hwMemUtilizationRising
ENTITYTRAP/4/ENTITYMEMORYALARM: OID [oid] Memory usage exceeded t he
threshold, and it may cause the system to reboot. (Index=[INTEGER], EntityPhy
sicalIndex=[INTEGER], PhysicalName="[OCTET]", EntityThresholdType=[INTEGER],
Ent ityThresholdValue=[INTEGER],
EntityThresholdCurrent=[INTEGER],EntityTrapFaultID= [INTEGER].)
If the memory usage of a device meets the preceding conditions but still displays a large value
(larger than 60% for example), possible causes are as follows:
l The device is a low-end product with a small memory, and so its memory usage is high
during the device operation.
l The device is transmitting many services, occupying much memory.
1.7.2 What Are the MIB OIDs of Memory Usage?

The following table describes the MIB OIDs of memory usage.
Specifications
hwEntityMemU 1.3.6.1.4.1.2011 Integer32 This object read-only

sage . indicates the
5.25.31.1.1.1.1. memory usage.
7
hwEntityMemU 1.3.6.1.4.1.2011 Integer32 This object read-write

sageThreshold . indicates the
5.25.31.1.1.1.1. memory usage
8 threshold.

Configuration Guide - Device Management 2 Hardware Management
2 Hardware Management
About This Chapter
This chapter describes how to configure hardware management to operate and manage the
hardware resources of devices.
2.1 Configuring the Device MAC Address

You can configure the MAC address of a device to suit your network requirements.
2.2 Backing Up Electronic Labels
2.3 Managing Device Resources
2.4 Managing the Active and Standby MPUs
2.5 Managing a Card and Subcard
2.6 Configuring the Alarm Function or Setting Alarm Thresholds
2.1 Configuring the Device MAC Address

You can configure the MAC address of a device to suit your network requirements.
Context
Billions of devices exist on global networks, and each device has a MAC address. MAC
addresses are managed and allocated by the IEEE. Theoretically, each device has a unique
MAC address. However, MAC address conflicts may occur because of incorrect
configuration. In addition, you may need to use a specified MAC address for a device to suit
your network requirements. To avoid address conflicts and ensure configurations match rules,
you may need to change the MAC address on a device.

NOTE
Each device is assigned a global unique identifier from the manufacturer. Do not change the MAC
address of a device unless the change is absolutely necessary. If you change a MAC address, the
modification takes effect only after the device restarts.
When changing the MAC address, pay attention to the following points:
l The MAC address cannot be all 0s or all 1s.
l The MAC address cannot be a multicast MAC address.
l If a device supports 16 MAC addresses, the last hexadecimal digit of the MAC address must be 0.
If a device supports 256 MAC addresses, the last two hexadecimal digits of the MAC address must
be 0.
Procedure
Step 1 (Optional) Run:
display system-mac
The current and default MAC addresses of the device are displayed.
Step 2 Run:
set system-mac current hex-string [ chassis chassis-id ] ( The chassis chassis-id
parameter is valid only in a CSS. )
The current MAC address of the device is configured.
After configuring the device MAC address, restart the device for the configuration to take
effect.
----End
2.2 Backing Up Electronic Labels
Context
Information in electronic labels helps locate network faults and replace hardware in batches.
Therefore, backing up electronic labels is important to improving maintenance efficiency.
l If a network fault occurs, you can rapidly learn about hardware information using
electronic labels, thereby improving hardware maintenance efficiency. In addition, you
can efficiently analyze and trace hardware defects by analyzing information in electronic
labels of the faulty hardware.
l Before replacing hardware in batches, you can obtain accurate hardware deployment
information based on information in the electronic labels recorded in the archive systems
of customers' devices. Then you can evaluate the impact of hardware replacement and
define policies to efficiently replace hardware in batches.
Electronic labels can be backed up to a file server or the local memory. Before backing up
electronic labels to the file server, ensure that there are reachable routes between the device
and file server. The file server can be an FTP, SFTP or TFTP server. FTP or TFTP cannot
ensure secure file transfer, therefore, an SFTP server is recommended for users requiring high
network security.

Procedure
l Run:
backup elabel filename [ chassis-id[/slot-id ] ]
Electronic labels are backed up to the local memory.

l Run:
backup elabel ftp ftp-server-address filename username password [ chassis-id[/
slot-id ] ]
Electronic labels are backed up to the FTP server.

l Run:
backup elabel sftp sftp-server-address filename username password [ chassis-
id[/slot-id ] ]
Electronic labels are backed up to the SFTP server.

l Run:
backup elabel tftp tftp-server-address filename [ chassis-id[/slot-id ] ]
Electronic labels are backed up to the TFTP server.

l Run:
backup elabel backplane filename chassis chassis-id
Electronic labels of the backplane are backed up to the local memory.

l Run:
backup elabel backplane ftp ftp-server-address filename username password
chassis chassis-id
Electronic labels of the backplane are backed up to the FTP server.

l Run:
backup elabel backplane tftp tftp-server-address filename chassis chassis-id
Electronic labels of the backplane are backed up to the TFTP server.

l Run:
backup elabel backplane sftp sftp-server-address filename username password
chassis chassis-id
Electronic labels of the backplane are backed up to the SFTP server.
----End
2.3 Managing Device Resources
2.3.1 Configuring the SRU Hardware Engine
Context
The EH1D2SRUDC00 and EH1D2SRUDC01 integrate the OAM, BFD, NQA-RTP functions
and reserve a certain amount of bandwidth for these functions. If these functions are not used,
the reserved bandwidth is wasted. When the SRU hardware engine is disabled, the OAM,
BFD, and NQA-RTP functions are unavailable and bandwidth reserved for these functions is
allocated to a specific slot to improve the forwarding performance of the LPU in the slot.

NOTE
Only the S9706 and S9712 support this function.

On the S9706, the released bandwidth is allocated to slot 5 after the SRU hardware engine is disabled.
On the S9712, the released bandwidth is allocated to slot 9 after the SRU hardware engine is disabled.
Prerequisites
Before disabling the SRU hardware engine, ensure that the EH1D2SRUDC00 or
EH1D2SRUDC01 has been installed on the switch.
Procedure
display detect-engine configuration
The SRU hardware engine configuration is displayed.
Step 2 Run:
system-view
The system view is displayed.
Step 3 Run:
undo detect-engine enable
The SRU hardware engine is disabled.
By default, the SRU hardware engine is enabled.
----End
2.3.2 Configuring the Internal Forwarding Resource Allocation

Mode
You can configure the internal forwarding resource allocation mode to provide sufficient
internal forwarding resources to LPUs.
Context
A switch completes internal forwarding using limited resources. An S7706 or S7712
dynamically allocates internal forwarding resources to LPUs based on LPU types by default.
A standalone switch or a CSS system has a total of 64 internal forwarding resources. In
dynamic resource allocation mode, a standalone switch not running the CSS function provides
54 internal forwarding resources for LPUs, and a standalone switch running the CSS function
or a CSS system provides 46 internal forwarding resources for LPUs. In this mode, some
LPUs occupy a large number of internal forwarding resources. Therefore, if the CSS function
is enabled on a switch, allocatable internal forwarding resources may be insufficient for
LPUs. In this case, LPUs not allocated internal forwarding resources or allocated insufficient
internal forwarding resources fail to register and cannot provide services.
The static resource allocation mode prevents this problem. When this mode is configured, the
system allocates only two internal forwarding resources to each LPU, regardless of the LPU
type.

NOTE
Only the S7706 and S7712 support the configuration of the internal forwarding resource allocation
mode. The S9700 supports only the configuration of the static resource allocation mode for LPUs.
If the CSS function is not enabled on the switch, the internal forwarding resources are sufficient and you
do not need to configure the static resource allocation mode.
When the static resource allocation mode is used, SA series LPUs of the S7700 cannot register with the
system.
Procedure
display system-resource-mode configuration
The resource allocation mode configured for LPUs is displayed.

Step 2 Run:
system-view

Step 3 Run:
assign system-resource-mode static
The static resource allocation mode is configured. In this mode, the system allocates only two
internal forwarding resources to each LPU, regardless of the LPU type.
By default, the S7700 dynamically allocates internal forwarding resources to LPUs based on
LPU type.
----End
2.3.3 Configuring the Resource Mode of Extended Entry Space
Context
A core device processes a large number of services and therefore maintains many MAC
address entries, IP address entries, and ACL entries. However, the number of the entries
supported by the device is limited. If these entries cannot meet service requirements, the
service processing efficiency degrades. Some LPUs provide extended entry space resources.
You can configure the resource mode of the extended entry space to increase the number of
MAC address entries, ACL entries, and IP address entries supported by the LPU.
You can use the assign resource-mode command to increase the MAC address entries and IP
address entries supported on X1E series LPUs. To increase the ACL entries supported on X1E
series LPUs, run the assign acl-mode command.
Procedure
display resource-assign configuration [ slot slot-id ]
The configuration of the resource mode of the extended entry space is displayed.
Step 2 Run:
system-view


Step 3 Run:
assign resource-mode slot slot-id mode mode
The resource mode of the extended entry space of an LPU is configured. The resource mode
determines the specifications of the MAC address entries, ACL entries, and IP address entries
stored in the entry space.
By default, the resource allocation mode is enhanced-ipv4 for X1E series LPUs, ipv4-ipv6-acl
for EE series LPUs, and enhanced-mac for EC, BC and ED series LPUs.
NOTE
l Only the EE, EC, BC, ED, and X1E series LPUs support this command.
l After setting the resource allocation mode for extended entry register space of an LPU, save the
configuration and reset the LPU for the configuration to take effect.
l Among the EC series LPUs, the EH1D2X48SEC0 for the S9700 supports only the close-all,
enhanced-mac, enhanced-ipv4, and ipv4-ipv6 modes, among which close-all is the default mode.
The following table lists the entry space specifications obtained by different LPU series when
the resource mode for extended entry register space is configured. In the table,
l K indicates 1024, for example, 32K indicates 32 x 1024.
l Default indicates the default LPU mode, for example, enhanced-mac (Default).
l or, Share indicates that the current specification shares resources with another
specification, for example, 16K IPv4 or 8K IPv6 and 128000 (shared with FIB6).
l 64-bit indicates IPv6 entries with the mask length less than or equal to 64 bits, for
example: (12K IPv4 or 6K IPv6 64-bit) + 1K IPv6 128-bit.
l 128-bit indicates IPv6 entries with the mask length longer than 64 bits, for example:
(12K IPv4 or 6K IPv6 64-bit) + 1K IPv6 128-bit.
l BC/EC series LPU ( excluding the EH1D2X48SEC0 )
Mod Specification
e
MAC FIBv FIBv ARP ND Multi Mult ACL ACL
4 6 cast icast (Ingr (Egre
IPv4 IPv6 ess) ss)
Close 32K 16K IPv4 or 16376 8K 4000 6K 1K

All 8K IPv6 IPv4 IPv4
or 3K or
IPv6 256
IPv6
enhan 128K 16K IPv4 or 16376 8K 4000 6K 1K

ced- 8K IPv6 IPv4 IPv4
mac or 3K or
(Defa IPv6 256
ult) IPv6

Mod Specification
e
IPv4 IPv6 ess) ss)
enhan 32K 128K 8K 16376 8K 4000 6K 1K

ced- IPv4 IPv4
ipv4 or 3K or
IPv6 256
IPv6
mac- 64K 16K IPv4 or 16376 8K 4000 (6K 1K

acl 8K IPv6 IPv4 IPv4
or 3K or
IPv6) 256
+ 16K IPv6
L2
ACL
ipv4- 32K 64K 8K 16376 8K 4000 (6K 1K

acl IPv4 IPv4
or 3K or
IPv6) 256
+ 16K IPv6
IPv4
ACL
enhan 32K 16K 64K 16376 16376 4000 6K 1K

ced- IPv4 IPv4
ipv6 or 3K or
IPv6 256
IPv6
ipv6- 32K 16K IPv4 or 16376 16376 4000 (6K 1K

or 3K or
IPv6) 256
+ 32K IPv6
IPv6
ACL
ipv4- 32K 16K IPv4 or 16376 8K 4000 (6K 1K

nac 8K IPv6 IPv4 IPv4
or 3K or
IPv6) 256
+ 32K IPv6
IPv4
ACL

Mod Specification
e
IPv4 IPv6 ess) ss)
l2-acl 32K 16K IPv4 or 16376 8K 4000 (6K 1K

8K IPv6 IPv4 IPv4
or 3K or
IPv6) 256
+ 32K IPv6
L2
ACL
ipv4- 32K 64K IPv4 16376 16376 4000 6K 1K

ipv6 + 32K IPv6 IPv4 IPv4
(2:1) or 3K or
IPv6 256
IPv6
ipv4- 32K 96K IPv4 16376 16376 4000 6K 1K

(6:1) or 3K or
IPv6 256
IPv6
ipv4- 32K 32k IPv4 16376 16376 4000 6K 1K

(2:3) or 3K or
IPv6 256
IPv6
l ED series LPU
Mod Specification
e
MA FIBv FIBv ARP ND Multi Mult ACL ACL
C 4 6 cast icast (Ingr (Egre
IPv4 IPv6 ess) ss)
Close 32K 16K IPv4 or 16376 8K 4000 6K 1K

All 8K IPv6 IPv4 IPv4
or 3K or
IPv6 256
IPv6
enhan 512K 16K IPv4 or 16376 8K 4000 6K 1K

ced- 8K IPv6 IPv4 IPv4
mac or 3K or
(Defa IPv6 256
ult) IPv6

Mod Specification
e
IPv4 IPv6 ess) ss)
enhan 32K 512K 8K 16376 8K 4000 6K 1K

ced- IPv4 IPv4
ipv4 or 3K or
IPv6 256
IPv6
mac- 256K 16K IPv4 or 16376 8K 4000 (6K 1K

or 3K or
IPv6) 256
+ 64K IPv6
L2
ACL
ipv4- 32K 256K 8K 16376 8K 4000 (6K 1K

acl IPv4 IPv4
or 3K or
IPv6) 256
+ 64K IPv6
IPv4
ACL
enhan 32K 16K 256K 16376 16376 4000 6K 1K

ced- IPv4 IPv4
ipv6 or 3K or
IPv6 256
IPv6
ipv6- 32K 16K IPv4 or 16376 8K 4000 (6K 1K

or 3K or
IPv6) 256
+ 64K IPv6
IPv6
ACL
ipv4- 32K 16K IPv4 or 16376 8K 4000 (6K 1K

nac 8K IPv6 IPv4 IPv4
or 3K or
IPv6) 256
+ 64K IPv6
IPv4
ACL

Mod Specification
e
IPv4 IPv6 ess) ss)
l2-acl 32K 16K IPv4 or 16376 8K 4000 (6K 1K

8K IPv6 IPv4 IPv4
or 3K or
IPv6) 256
+ 64K IPv6
L2
ACL
ipv4- 32K 256K IPv4 16376 16376 4000 6K 1K

(2:1) or 3K or
IPv6 256
IPv6
ipv4- 32K 384K IPv4 16376 16376 4000 6K 1K

(6:1) or 3K or
IPv6 256
IPv6
ipv4- 32K 128K IPv4 16376 16376 4000 6K 1K

(2:3) or 3K or
IPv6 256
IPv6
l EE series LPU
Mode Specification
MA FIBv FIBv ARP ND Mult Mul ACL ACL

C 4 6 icast ticas (Ingr (Egr
IPv4 t ess) ess)
IPv6
enhanced- 688K (12K IPv4 or 9600 64K 4000 (6K (1K

mac 6K IPv6 64- 0 IPv4 IPv4
bit) + 1K or 3K or
IPv6 128-bit IPv6) 512
*2 IPv6)
*2
enhanced- 176K 512K 7K 9600 64K 4000 (6K (1K

ipv4 0 IPv4 IPv4
or 3K or
IPv6) 512
*2 IPv6)
*2

Mode Specification
MA FIBv FIBv ARP ND Mult Mul ACL ACL

C 4 6 icast ticas (Ingr (Egr
IPv4 t ess) ess)
IPv6
enhanced- 256K 16K 256K 9600 64K 4000 (6K (1K

ipv6 0 IPv4 IPv4
or 3K or
IPv6) 512
*2 IPv6)
*2
ipv6-acl 96K (12K IPv4 or 9600 64K 4000 ((6K (1K

6K IPv6 64- 0 IPv4 IPv4
bit) + 1K or 3K or
+ 64 IPv6)
K *2
IPv6
ACL)
*2
ipv4-acl 96K (12K IPv4 or 9600 64K 4000 ((6K (1K

6K IPv6 64- 0 IPv4 IPv4
bit) + 1K or 3K or
+ 128 IPv6)
K *2
IPv4
ACL)
*2
enhanced- 144K 256K 128K 1280 64K 4000 (6K (1K

arp 00 IPv4 IPv4
NOTE or 3K or
The IPv6) 512
S7700 *2 IPv6)
does not *2
support
this mode.
ipv4-ipv6- 160K 256K 64K 9600 64K 4000 ((6K (1K

acl 0 IPv4 IPv4
(Default) or 3K or
IPv6) 512
+ 32 IPv6)
K *2
IPv4
ACL)
*2
l X1E series LPU

Mod Specification
e
MAC FIBv4 FIBv6 ARP ND Mul Mul ACL ACL
ticas ticas (Ingr (Egr
t t ess) ess)
IPv4 IPv6
enhan 1M 128K 16K 25600 16K 128000 See the

ced- 0 specifications
mac in acl-mode.
ipv4- 256K Defaul Defaul 25600 12800 128000 See the

ipv6 t: t: 0 0 specifications
(2:1) 256K 128K (share in acl-mode.
Max: Max: d with
512K 256K FIB6)
enhan 256K Defaul 16K 25600 16K 128000 See the

ced- t: 0 specifications
ipv4 256K in acl-mode.
(Defa Max:
ult) 1024K
enhan 128K 16K Defaul 16K 12800 4K See the

ced- t: 0 specifications
ipv6 128K (share in acl-mode.
Max: d with
464K FIB6)
2m- 128K Defaul 128K 25600 16K 32K See the

ipv4 t: 0 specifications
256K in acl-mode.
Max:
2048K
3m- 128K Defaul 16K 128K 16K 4K See the

ipv4 t: specifications
256K in acl-mode.
Max:
30720
00
l EH1D2X48SEC0

Mod Specification
e
IPv4 IPv6 ess) ss)
Close 96K (12K IPv4 or 44K 44K 4000 3K 1K

All 6K IPv6 64- IPv4 IPv4
(Defa bit) + 1K IPv6 or or 512
ult) 128-bit 1.5K IPv6
IPv6
enhan 288K (12K IPv4 or 16K 8K 4000 3K 1K

ced- 6K IPv6 64- IPv4 IPv4
mac bit) + 1K IPv6 or or 512
128-bit 1.5K IPv6
IPv6
enhan 32K 128K 80K 16K 8K 4000 3K 1K

ced- (64- IPv4 IPv4
ipv4 bit) or or 512
(share 1.5K IPv6
d with IPv6
IPv4)
ipv4- 32K 64K 10K 16K 8K 4000 3K 1K

ipv6 (10K IPv4 IPv4
(6:1) 64-bit or or 512
or 1.5K IPv6
10K IPv6
128-
bit)
Step 4 Run:
assign acl-mode mode-id slot slot-id
The ACL resource allocation mode is configured for an LPU.

By default, the ACL resource allocation mode is 0, indicating ACL resources for IPv4 and
IPv6 entries.
NOTE
l Only the X1E series LPUs support this command.

l After configuring the ACL resource allocation mode, save the configuration, and reset the LPU for the
configuration to take effect.
Table 2-1 ACL specifications in different resource allocation modes

Resource Number of IPv4 Number of IPv6 Number of Layer
Allocation Mode ACLs ACLs 2 ACLs
dual-ipv4-ipv6 16K 8K 16K
l2-ipv4 32K 0 32K

Resource Number of IPv4 Number of IPv6 Number of Layer

Allocation Mode ACLs ACLs 2 ACLs
l2-ipv6 0 16K 16K
l2 0 0 64K
ipv4 64K 0 0
----End
2.3.4 Configuring the Fabric Mode
Context
The actual forwarding capability of an LPU depends on the amount of bandwidth resources
allocated to it by the SRU. An LPU can forward data at line speed only when it has sufficient
bandwidth resources. An SRU provides limited bandwidth resources. In common fabric
mode, the SRU allocates equal amounts of bandwidth resources to each LPU. The allocated
bandwidth resources are sufficient for line-speed forwarding on most LPUs but cannot
support line-speed forwarding on some high-performance LPUs. When these high-
performance LPUs cannot realize line-speed forwarding, their forwarding capabilities are
wasted.
A device supports extended fabric mode of the SRU. In this mode, LPUs in slot 6 and slot 7
can obtain more bandwidth resources to ensure line-speed forwarding.
NOTE
Only S7712 and S9712 support this function.
In common fabric mode, the following LPUs cannot realize line-speed forwarding:
l EH1D2X12SSA0 (S9712)
l EH1D2L08QFC0 (S9712)
l EH1D2X08SED4/EH1D2X08SED5 (S9712)
l EH1D2X40SFC0 (S9712)
l EH1D2X16SFC0 (S9712)
l EH1D2X32SSC0 (S9712)
l EH1D2C02FEE0 (S9712)
l EH1D2X48SEC0 (S9712)
l ES0D0X12SA00 (S7712)
l ES1D2X16SFC0 (S7712)
l ES1D2X40SFC0 (S7712)
l ES1D2X32SSC0 (S7712)
l ES1D2X08SED4 (S7712)
l ES1D2C02FEE0 (S7712)

Pre-configuration Tasks
Before configuring the fabric mode on an S9712 switch, ensure that the switch is equipped
with an EH1D2SRUDC00/EH1D2SRUDC01 main control unit.
Before configuring the fabric mode on an S7712 switch, ensure that the switch is equipped
with an ES1D2SRUH000 main control unit, and the chassis type is SWC02BAKG000 (Use
the display version command to check the chassis type.).
Procedure
display fabric-mode configuration
The fabric mode configuration is displayed.

Step 2 Run:
system-view

Step 3 Run:
set fabric-mode turbo [ all | chassis chassis-id ]
The extended fabric mode is configured.

By default, the common fabric mode is used.
----End
2.4 Managing the Active and Standby MPUs
2.4.1 Resetting the Standby MPU
Context
When the standby MPU is not working normally, you can reset it to restore its functions
without affecting the existing services.
Procedure
Step 1 Run:
system-view

Step 2 Run:
slave restart
The standby MPU is reset.
----End
2.4.2 Configuring Active/Standby Switchover

Context
If the system active MPU becomes faulty, you can switch the active and standby MPUs.
After a command is executed to perform an active/standby switchover on a standalone device,
the standby MPU becomes the new active MPU, and the active MPU restarts and then
becomes the new standby MPU.
Figure 2-1 shows change of roles after a active/standby switchover in a CSS is triggered by
commands.
Figure 2-1 Change in roles after a command-triggered active/standby switchover
Chassis 1 Master Chassis 2 Standby
System Candidate System Candidate

master standby standby standby
Active/standby switchover is
triggered by a command
Chassis 1 Standby Chassis 2 Master
Candidate System System Candidate

standby standby master standby
System master Candidate standby System standby
l The original standby switch becomes the master switch, and the original system standby
MPU becomes the system master MPU.
l The original system master MPU becomes a candidate system standby MPU, and the
original master switch becomes the standby switch.
l The standby MPU of the original master switch becomes the system standby MPU and
synchronizes data with the system master MPU.
NOTE
Before running a command to perform an active/standby switchover in a CSS, ensure that the master switch
in the CSS has two MPUs.
Before performing an active/standby switchover, check whether MPUs meet switchover

requirements. Do not perform an active/standby switchover on a device in any of the
following situations:
l The file system is in use. For example, a file or directory is being created, deleted, or
saved.
l The device is loading or deleting LPU information, including the following operations:
– Hot swap LPUs.
– Use commands to reset LPUs.

l The active and standby MPUs have different memory sizes.
During an active/standby switchover, do not insert, remove, or reset active and standby
MPUs, LPUs, power modules, or fan modules. Otherwise, the device may restart or become
faulty.
Procedure
display switchover state
The active/standby switchover status is displayed. According to the status, you can determine
whether the active and standby MPUs meet switchover requirements.
Step 2 Run:
system-view
Step 3 Run:
slave switchover enable
Active/standby switchover is enabled.
By default, the active/standby switchover function is enabled.
Step 4 Run:
slave switchover
An active/standby switchover is performed.
----End
2.5 Managing a Card and Subcard
2.5.1 Resetting a Card
Context
When an LPU needs to be upgraded or cannot work normally, you can reset the LPU to
update the version or restore the LPU to the normal state.
Resetting a card will interrupt services on the card. When a card is not working normally,
rectify the fault rather than reset the card to prevent services from being affected.

Procedure
display device [ slot slot-id ]
The card status is displayed.
Step 2 Run:
reset slot slot-id [ all | master ]
The card is reset.
The all and master parameters are displayed in the command if slot-id specifies an NGFW,
ACU2, or IPS card.
An NGFW, ACU2, or IPS card has two CPUs: one for the value-added service and one for
the switching service. If you specify all, both CPUs are reset. If you specify master, the CPU
of the value-added service is reset.
----End
2.5.2 Powering On or Off a Card
Context
When a card is idle, you can power off the card without affecting services to ensure stable
system operation and save energy. You can also power on a specified card if service volume
increases.
NOTE
The active MPUs cannot be powered on or off using commands.
Procedure
display device [ slot slot-id ]
The card status is displayed.
Step 2 Power on or off a specified card.

l Run:
power on slot slot-id
The specified card is powered on.

l Run:
power off slot slot-id
The specified card is powered off.
----End
2.5.3 Starting, Shutting Down, and Resetting the X86 Subcard on

an OSP Card

Context
An X86 subcard uses an Intel X86 processor. A card with an X86 subcard is an Open Service
Platform (OSP) card. An OSP card can have an independent operating system and service
software. You can configure the OSP card and deploy services on its operating system. When
using an OSP card, you can start, shut down, or reset the X86 subcard on the OSP card to suit
service requirements.
Procedure
display osp status
The status of X86 subcards on all OSP cards is displayed in the system.
Step 2 Start, shut down, and reset the X86 subcard on an OSP card.
l Run:
startup osp slot-id
The X86 subcard on an OSP card is started.

l Run:
shutdown osp slot-id [ force ]
The X86 subcard on an OSP card is shut down.

l Run:
reset osp slot-id
The X86 subcard on an OSP card is reset.
----End
2.6 Configuring the Alarm Function or Setting Alarm

Thresholds
2.6.1 Configuring Temperature Thresholds for Fan Speed

Adjustment
Context
The device uses fixed temperature thresholds to increase and decrease the fan speed by
default. The fan speed increases when the device temperature exceeds the upper threshold and
decreases when the device temperature falls below the lower threshold. If you want to keep
the device working at a lower temperature, you can set lower fixed temperature thresholds.
Procedure
display fan speed-adjust threshold minus
The default temperature thresholds and the adjusted thresholds are displayed

Step 2 Run:
system-view

Step 3 Run:
set fan speed-adjust threshold minus threshold-value [ slot slot-id ]
The temperature thresholds for fan speed adjustment are specified.

The new thresholds are the default temperature thresholds minus threshold-value. After this
command is executed, both the threshold for increasing the fan speed and the threshold for
lowering the fan speed are reduced.
----End
2.6.2 Configuring the CPU Usage Alarm Threshold
Context
The CPU is the core of a device. When the system has a large number of routes, many CPU
resources will be used. This degrades system performance and results in the delay in
processing data or causes high packet loss. During data processing, if the device can generate
an alarm when high CPU usage occurs, you can effectively monitor CPU usage and optimize
system performance to ensure system stability.
l CPU usage alarm threshold
When CPU usage reaches this threshold, the system generates an alarm.
l CPU usage alarm recovery threshold
When CPU usage falls below this threshold, the system clears the alarm.
Procedure
display cpu-usage configuration [ slave | slot slot-id ]
The CPU usage configurations are displayed.

Step 2 Run:
system-view

Step 3 Run:
set cpu-usage threshold threshold-value [ restore restore-threshold-value ]
[ slot slot-id ]
The CPU usage alarm threshold and CPU usage alarm recovery threshold are set.
By default, the CPU usage alarm threshold is 95% and the CPU usage alarm recovery
threshold is 80%.
----End
2.6.3 Configuring the Memory Usage Alarm Threshold

Context
Memory usage is an important indicator used to evaluate device performance. A high memory
usage will cause service faults. During data processing, if the device can generate an alarm
when high memory usage occurs, you can effectively monitor memory usage and optimize
system performance to ensure system stability.
l Memory usage alarm threshold

When memory usage reaches this threshold, the system generates an alarm.
l Memory usage alarm recovery threshold
When memory usage falls below this threshold, the system clears the alarm.
Procedure
display memory-usage threshold [ slot slot-id ]
The memory usage configuration is displayed.
Step 2 Run:
system-view
Step 3 Run:
set memory-usage threshold threshold-value [ slot slot-id ]
The memory usage alarm threshold is set.
By default, when the switch uses SRUH:

l If the memory capacity on the device is lower than or equal to 512 MB, the memory
usage alarm threshold is 85% and the memory usage alarm recovery threshold is 80%.
l If the memory capacity on the device is larger than 512 MB and smaller than or equal to
1.5 GB, the memory usage alarm threshold is 90% and the memory usage alarm recovery
threshold is 85%.
l If the memory capacity on the device is higher than 1.5 GB, the memory usage alarm
threshold is 95% and the memory usage alarm recovery threshold is 90%.
By default, when the switch uses other MPU models:
l If the memory capacity on the device is lower than or equal to 512 MB, the memory
usage alarm threshold is 85% and the memory usage alarm recovery threshold is 80%.
l If the memory capacity on the device is larger than 512 MB and smaller than or equal to
2 GB, the memory usage alarm threshold is 90% and the memory usage alarm recovery
threshold is 85%.
l If the memory capacity on the device is higher than 2 GB, the memory usage alarm
threshold is 95% and the memory usage alarm recovery threshold is 90%.
----End
2.6.4 Setting Optical Power Alarm Thresholds

Context
You can set optical power alarm thresholds using commands. When the transmit or receive
power of an optical module exceeds the alarm threshold, an alarm is generated, indicating that
the optical module may be faulty.
An optical module has default optical power alarm thresholds, which are fixed and cannot be
changed. The configured optical power alarm thresholds must be within the default range. It is
not recommended to change optical power alarm thresholds of optical modules. When an
optical power alarm is generated, check the optical module and connected fibers first.
NOTE
l The system may fail to obtain information about non-Huawei-certified switch optical modules or obtain
l Only enhanced optical modules support the query of optical power information.
l The XGE interfaces connected to the ET1D2IPS0S00, ET1D2FW00S00, ET1D2FW00S01, and
ET1D2FW00S02 cards do not support the configuration of optical power alarm thresholds.
l The XGE interface connected to the ACU2 card does not support the configuration of optical power
alarm thresholds.
Procedure
display transceiver [ interface interface-type interface-number | slot slot-id ]
[ verbose ]
Conventional, manufacturing, and alarm information about the optical module on a specified
interface is displayed.
Step 2 Run:
system-view

Step 3 Run:
interface interface-type interface-number
The interface view is displayed.

Step 4 Run:
set transceiver { transmit-power | receive-power } { upper-threshold | lower-
threshold } threshold
Upper and lower alarm thresholds are set for the transmit and receive power of the optical
module on the interface. When the transmit or receive power of an optical module exceeds the
upper alarm threshold or falls below the lower alarm threshold, an alarm is generated.
----End
2.6.5 Configuring the Alarm Function for Non-Huawei-Certified

switch Optical Modules
Context
Non-Huawei-Certified switch optical modules may fail to work normally. If non-Huawei-
Certified switch optical modules are used on devices produced after July 1, 2013(January 1,

2016 for QSFP+ 40GE optical modules, CFP 40GE optical modules and CFP 100GE optical
modules), the devices generate a large number of alarms to prompt users to replace these
optical modules with Huawei-Certified switch optical modules. However, vendor information
of Huawei early-delivered optical modules may not be recorded. Therefore, non-Huawei-
Certified switch optical module alarms are generated. These optical modules can still be used
to protect customer investment. In this case, you can disable the alarm function for non-
Huawei-Certified switch optical modules.
Procedure
Step 1 Run:
system-view

Step 2 Run:
transceiver phony-alarm-disable
The alarm function for non-Huawei-Certified switch optical modules is disabled.

By default, the alarm function for non-Huawei-Certified switch optical modules is enabled.
To enable the alarm function for non-Huawei-Certified switch optical modules, run the undo
transceiver phony-alarm-disable command.
----End

Configuration Guide - Device Management 3 Information Center Configuration
3 Information Center Configuration
About This Chapter
This chapter describes how to configure the information center. It works as the information
hub and records system running information in real time, which helps the network
administrator and developers monitor network operation and analyze network faults.
3.1 Information Center Overview
3.2 Principles
3.3 Applications
3.4 Licensing Requirements and Limitations for the Information Center
3.5 Configuring Information Center
3.6 Maintaining the Information Center
3.7 Configuration Examples
3.1 Information Center Overview
Definition
The information center works as the information hub. Logs, traps, and debugging messages
generated by the device are sent to the information center for unified management and
flexible output.
Purpose
When an exception or a fault occurs on the device, users need to immediately and accurately
collect information generated during device running. The information center records
information generated by each module during device running, including logs, traps, and
debugging messages. You can configure the information center to classify and filter
information based on information types and severities so that information can be flexibly
output to different destinations such as the console, user terminal, and log host. By doing this,

users or network administrators can collect device information from different destinations so
that they can easily monitor the device running status and locate faults.
3.2 Principles
The information center receives information generated by the device and controls information
output based on defined severity.
3.2.1 Information Classification

The device generates three types of messages: logs, traps, and debugging messages. Table 3-1
lists information classification.
Table 3-1 Information classification

Information Type Description
Log Logs record user operations, system faults, and system

security. Logs include user logs, security logs, and diagnostic
logs.
l User logs: record user operations and system operating
information.
l Security logs: record security information including user
account management, protocols, attack defense, and status.
l Diagnostic logs: record information used for fault location.
Trap Traps are notifications generated when the device detects

faults. Traps record system status information.
Different from logs, traps need to be notified to administrators
in a timely manner.
Debugging message Debugging messages show internal operating information of

the system and help you trace the device running status.
Debugging messages are generated only after the debugging
of a module is enabled.
3.2.2 Information Hierarchy

If too much information is generated, it is difficult to differentiate information about normal
operation and information about faults. Through information hierarchy, users do not need to
handle unwanted information.
Information has eight severities. The lower the severity level, the more severe the
information. Table 3-2 lists severities.

Table 3-2 Description of information severities

Value Severity Description
0 Emergencies A fault causes the device to fail to run normally unless it is

restarted. For example, the device restarts because of a
program exception or a fault about memory usage.
1 Alert A fault needs to be rectified immediately. For example,

memory usage of the system reaches the upper limit.
2 Critical A fault needs to be analyzed and processed. For example, the

memory usage falls below the lower threshold; BFD detects
that a device is unreachable.
3 Error An improper operation is performed or exceptions occur

during service processing. The fault does not affect services
but needs to be analyzed. For example, users enter incorrect
commands or passwords; error protocol packets are received.
4 Warning Some events or operations may affect device running or cause

service processing faults, which requires full attention. For
example, a routing process is disabled; BFD detects packet
loss; error protocol packets are detected.
5 Notification A key operation is performed to keep the device running

normally. For example, the shutdown command is run; a
neighbor is discovered; protocol status changes.
6 Informational A normal operation is performed. For example, a display

command is run.
7 Debugging A normal operation is performed, which requires no attention.
When information filtering based on severity levels is enabled, only the information whose
severity level threshold is less than or equal to the configured value is output.For example, if
the severity level value is configured to 6, only information with a severity level ranging from
0 to 6 is output.
3.2.3 Information Output

Information generated by the device can be output to the remote terminal, console, log buffer,
log file, and SNMP agent. To output information in different directions, 10 information
channels are defined for the information center. These channels work independently from one
another.You can configure output rules so that information is output through different
channels in different directions based on information type and severity level, as shown in
Figure 3-1.

Figure 3-1 Information center

Output
Information type Channel
destination
0
Console Console
1
Logs Monitor Remote terminal
Loghost Log host

Traps 2
Trapbuffer Trap buffer
3
Debugging
Logbuffer Log buffer
4
messages
5 SNMP agent SNMP agent
6 channel6
7 channel7
Log flow 8 channel8

Trap flow
channel9 Log file
Debugging message flow 9
By default, logs, traps, and debugging messages are output from default channels. You can
change channel names or relationships between channels and output directions as required.
For example, the name of channel 6 is user1 and channel 6 is used to send information to the
log host. The information sent to the log host is output from channel 6 but not channel 2.
Table 3-3 lists relationships between default channels and output directions.
Table 3-3 Relationship between default channels and output directions

Chan Default Output Description
nel Channel Direction
Numb Name
er
0 Console Console Outputs logs, traps, and debugging messages to the

local console.
1 Monitor Remote Outputs logs, traps, and debugging messages to the

terminal VTY terminal for remote maintenance.
2 loghost Log host Outputs logs, debugging messages, and traps. The
information is saved to the log host in file format for
easy reference.
3 trapbuffer Trap Outputs traps.

buffer
4 logbuffer Log buffer Outputs logs.
5 snmpagent SNMP Outputs traps.

agent

Chan Default Output Description

nel Channel Direction
Numb Name
er
6 channel6 Unspecifie Reserved. You can specify an output destination for

d this channel.

d this channel.

d this channel.
9 channel9 Logfile Outputs logs, debugging messages, and traps.
3.2.4 Information Filtering

To control information output flexibly, the information center provides the information
filtering function. After the device works properly, each module reports information during
service processing. To filter unwanted information about a service module or of certain
severity, configure the filtering function.
The information center filters information in a channel through the information filtering table.
The information filtering table is used to filter information output to different directions based
on information types, severities, and sources.
The content of the information filtering table is as follows:
l Number of the module that generates information

l Log output status
l Log output severity
l Trap output status
l Trap output severity
l Debugging message output status
l Debugging message severity
3.2.5 Information Output Format

l Output format of logs
Figure 3-2 shows the format of logs.
Figure 3-2 Output format of logs

<Int_16>TimeStampTimeZone HostName %%ddModuleName/Severity/Brief(1)[DDD]:Description
1 2 3 4 5 6 7 8 9 10 11 12
Leading Timestamp Time Host Huawei Version Module Log Summary Log SequenceDetails
character Zome name identifier number name level type number
Table 3-4 describes each field in a log.

Table 3-4 Description of each field in a log

Field Description Remarks
<Int_16> Leading character. This character is added to the information to

be sent to the syslog server, not the
information saved on a local device.
TimeStamp Time to send logs. Five timestamp formats are available:

l boot: indicates that the timestamp is
expressed in the format of relative time, a
period of time since system start. The
format is xxxxxx.yyyyyy. xxxxxx is the
higher order 32 bits of the milliseconds
elapsed since the start of the system;
yyyyyy is the lower order 32 bits of the
milliseconds elapsed since the start of the
system.
l date: indicates the current date and time. It
is expressed in mm dd yyyy hh:mm:ss
format.
l short-date: indicates the short date. This
timestamp differs from date is that the year
is not displayed.
l format-date: indicates that the timestamp is
expressed in YYYY-MM-DD hh:mm:ss
format.
l none: indicates that no timestamp is
contained in information.
Logs use the date format.
TimeZone Local zone. Indicates local time zone information. This

information is consistent with the Time Zone
field of the display clock command output.
HostName Host name. -
%% Huawei identifier. The log is output by Huawei products.
dd Version number. Version number of the log.
ModuleNam Module name. Name of the module that outputs information

e to the information center.
Severity Log severity. Log severity.
Brief Brief description. Brief description about logs.
(l) Information type. The information types are as follows:

l l: log.
l S: security log.
l D: debugging log.

DDD Log sequence By default, the information center can output

number. logs to the console, log buffer, SNMP agent,
and log file. In the logbuffer, the value
depends on the log buffer size. For example,
the log buffer can store a maximum of 100
logs. The log sequence number ranges from 0
to 99.
Description Description. Log content.
l Trap output format

Figure 3-3 shows the trap output format.
Figure 3-3 Trap output format

#TimeStampTimeZone HostName ModuleName/Severity/Brief:Description
1 2 3 4 5 6 7 8
Information Timestamp Time Host Module Trap Summary Details
type Zone name name level
Table 3-5 describes each field in a trap.
Table 3-5 Description of each field in a trap

# Information type. The number sign (#) indicates a trap and only
appears in the trapbuffer.

TimeStamp Time trap Five timestamp formats are available:

information is l boot: indicates that the timestamp is
output. expressed in the format of relative time, a
period of time since system start. The
format is xxxxxx.yyyyyy. xxxxxx is the
higher order 32 bits of the milliseconds
elapsed since the start of the system;
yyyyyy is the lower order 32 bits of the
milliseconds elapsed since the start of the
system.
l date: indicates the current date and time. It
is expressed in mm dd yyyy hh:mm:ss
format.
l short-date: indicates the short date. This
timestamp differs from date is that the year
is not displayed.
l format-date: indicates that the timestamp is
expressed in YYYY-MM-DD hh:mm:ss
format.
l none: indicates that no timestamp is
contained in information.
Traps use the date format.
TimeZone Local zone. Indicates local time zone information. This

information is consistent with the Time Zone
field of the display clock command output.
HostName Host name. The host name and module name are separated
by a space.
ModuleNam Module name. Name of the module that outputs information

e to the information center.
Severity Severity. Trap severity.
Brief Brief description. Brief description about traps.
Description Description. Trap content.
3.2.6 Binary Log

With rapid development of network scale and complexity, device configurations become more
complex and the operating environment keeps changing. Consequently, devices are generating
more logs than ever before. If a switch saves only dynamic contents of logs, it needs to save
much less information and write data to the disk for fewer times. This can increase the
number of logs that the switch can save and time span of the saved logs, improve log
processing efficiency, and prolong the lifespan of the storage device.
The switch can write logs to a log file in binary format. A binary log file consists of two parts:

l Dynamic part: variable information, such as the time

l Static part: fixed information
Each log has a unique ID and the static information in each log can be identified with its ID.
Therefore, only the log ID and dynamic parameters need to be saved. Binary log files only
record the dynamic parameters and each log is identified by a unique ID. You can view a
binary log file in the following ways:
l Run commands on the device to view log information.
l Copy the binary log file to your local PC and parse it using the log parsing tool.
Only diagnostic log files can be saved in binary format, and they are always saved in binary
format.
For example, a log contains the following the registration information:
The user chose [Y/N] when deciding whether to reboot the system.
The log ID is 1078464521. Normally, the following information is saved:
2009-5-21 19:46:52 Switch %%01CMD/4/REBOOT(l):The user chose N when deciding
whether to reboot the system.
When the log is saved in binary format, only the dynamic parameters are saved:
Time (2009-5-21 19:46:52) + ID (1078464521) + dynamic parameter (N)
To parse the binary log file offline, use a data dictionary and log parsing tool. A data
dictionary is a centralized repository of information about all modules in the system, such as
the log ID and format string. It can be generated on the device using commands. The log
parsing tool is an executable file. This tool searches the data dictionary downloaded to the
local PC for the static information according to the log IDs in the binary log file. Then, it
integrates the static information in the data dictionary and dynamic parameters in the binary
log file into a complete log.
You can also check the binary log file on the switch using commands. In this case, a complete
log is also generated by combing static information with dynamic information. However, this
method does not generate an independent data dictionary and does not need a log parsing tool.
The entire log parsing process is completed by the system automatically.
In actual application, the binary log format has obvious advantages. For example, an 8 MB
binary log file can be parsed into a 21 MB log file in the text format. This proves that binary
logs can save the storage space, reduce the I/O operations, and prolong the lifespan of the
storage device.
If you need the log paring tool, contact Huawei technical support personnel.
3.3 Applications
Outputting Logs to a Log File

As shown in Figure 3-4, the information center is configured on the device, and the device is
connected to an FTP server. The information center stores the logs of the specified severity in
a log file, and the log file needs to be transferred to the FTP server. The logs help an
administrator learn the device running status or troubleshoot the device.

Figure 3-4 Outputting logs to a log file
Network
Switch FTP Server
Outputting Logs to a Log Host

connected to multiple log hosts. The information center sends logs of different severities to
different log hosts. The logs help an administrator learn the device running status.
Figure 3-5 Outputting logs to a log host
Log Host 1
Log Host 2
Network
Switch
Log Host 3
Log Host 4
Outputting Traps to the NMS

connected to a network management system (NMS). The information center sends traps to the
NMS, and the NMS monitors the device running status based on the traps.
Figure 3-6 Outputting traps to the NMS
Network
Switch
NMS

Outputting Debugging Messages to the Console

As shown in Figure 3-7, the information center is configured on the device. The information
center sends debugging messages to the console, and the maintenance personnel debugs the
device based on the debugging messages.
Figure 3-7 Outputting debugging messages to the console
Console
Switch PC
3.4 Licensing Requirements and Limitations for the

Information Center
Involved Network Elements

After configuring the information center on a switch, you can use any of the following
methods to view logs on the switch:
l Run a command to view logs in the log buffer. Only the latest logs are saved in the log
buffer.
l Run a command to view logs in the storage device.
l Export logs to a log server and view logs on the server.
The first two methods do not require other network elements. To use the third method, you
need a server to save logs.
Licensing Requirements
Information center is a basic feature of a switch and is not under license control.
Version Requirements
Table 3-6 Applicable product models and versions
Product Product Model Software Version
S7700 S7703, S7706, and V100R003C01, V100R006C00,

S7712 V200R001(C00&C01), V200R002C00,
V200R003C00, V200R005C00, V200R006C00,
V200R007C00, V200R008C00, V200R009C00,
V200R010C00, V200R011C10

S9700 S9703, S9706, and V200R001(C00&C01), V200R002C00,

S9712 V200R003C00, V200R005C00, V200R006C00,
V200R007(C00&C10), V200R008C00,
V200R009C00, V200R010C00, V200R011C10
NOTE
To know details about software mappings, see Hardware Query Tool.
Feature Limitations
None
3.5 Configuring Information Center
3.5.1 Configuring Log Output
Before enabling log output, start the Switch.
Configuration Process
Table 3-7 lists the configuration process for enabling log output.
Table 3-7 Configuration process for enabling log output
No. Configuration Description Remarks

Task
1 3.5.1.1 Enabling You can configure the information Steps 2 to 7 are

the Information center only after the information optional and can be
Center center is enabled. performed in any
By default, the information center is sequence.
enabled.
2 3.5.1.2 (Optional) You can rename channels, which

Naming an facilitates memorization and usage.
Information
Channel
3 3.5.1.3 (Optional) If some logs are unnecessary,

Configuring Log configure the Switch not to output
Filtering these logs.

No. Configuration Description Remarks

Task
4 3.5.1.4 (Optional) To adjust the time format and time

Setting the precision for information output,
Timestamp configure the timestamp.
Format of Logs
5 3.5.1.5 (Optional) To enable the Switch not to

Disabling the Log encapsulate sequence numbers in logs
Counter Function sent to the log buffer, log file,
console, or terminal, disable the log
counter function.
6 3.5.1.6 (Optional) You can configure suppression of

Configuring the massive logs to protect the
Suppression of the information center against the impact
Log Processing of a large number of logs.
Rate
7 3.5.1.7 (Optional) You can configure suppression of

Enabling consecutive repeated logs to protect
Suppression of the information center against the
Statistics About impact of duplicate logs.
Consecutive
Repeated Logs
8 3.5.1.8 To view logs in the log buffer, Steps 8 to 12 can be

Configuring the configure the Switch to output logs to configured in any
Device to Output the log buffer. sequence. You can
Logs to the Log configure the device
Buffer to output logs to one
or more destinations
9 3.5.1.9 After logs are output to a log file, you according to your
Configuring the can download the log file anytime to needs.
Device to Output monitor device running based on the
Logs to a Log File logs.
10 3.5.1.10 After logs are output to the console,

Configuring the you can view logs on the console
Device to Output (host from which you can log in to
Logs to the the Switch through the console
Console interface) to monitor device running.
11 3.5.1.11 After logs are output to a user

Configuring the terminal, you can view logs on the
Device to Output user terminal (host from which you
Logs to a log in to the Switch through STelnet)
Terminal to monitor device running.
12 3.5.1.12 After configuring the Switch to

Configuring the output logs to a log host, you can
Device to Output view logs saved on the log host to
Logs to a Log monitor device running.
Host

3.5.1.1 Enabling the Information Center
Procedure
Step 1 Run:
system-view
Step 2 Run:
info-center enable
The information center is enabled.
By default, the information center is enabled.
----End
3.5.1.2 (Optional) Naming an Information Channel
Context
You can rename channels, which facilitates memorization and usage.
NOTE
Channel names must be unique. It is recommended that channel names represent channel functions.
The following lists default channel names.
Table 3-8 Default channel names

Channel Number Default Channel Name
0 console
1 monitor
2 loghost
3 trapbuffer
4 logbuffer
5 snmpagent
6 channel6
7 channel7
8 channel8
9 channel9

Procedure
Step 1 Run:
system-view
Step 2 Run:
info-center channel channel-number name channel-name
A name is configured for the information channel with the specified number.
----End
3.5.1.3 (Optional) Configuring Log Filtering
Context
If some logs are unnecessary, configure the device not to output these logs. When the filtering
function is enabled, the information center does not send the specified logs that satisfy the
filtering condition to any channel. As a result, all output directions cannot receive the
specified logs.
Procedure
Step 1 Run:
system-view
Step 2 Run:
info-center filter-id { id | bymodule-alias modname alias } &<1-50>
or
info-center filter-id { id | bymodule-alias modname alias } [ bytime interval |
bynumber number ]
The filtering function is configured for specified logs.
NOTE
l Currently, the device can filter logs or modules with a maximum of 50 log IDs or modules. If there
are more than 50 log IDs or modules, the system displays a message indicating that the filtering table
is full. To configure the filtering function, run the undo info-center filter-id { id | bymodule-alias
modname alias } &<1-50>, undo info-center filter-id { id | bymodule-alias modname alias }
[ bytime interval | bynumber number ], or undo info-center filter-id all command to delete
original IDs or modules, and reconfigure the log ID or module.
l To add multiple IDs or modules at a time, use a space to separate IDs or modules. The system
displays a message to report the result of adding each ID or module.
l You cannot add the same ID or module repeatedly.
l When you add an unregistered or nonexistent log ID or alias name, the system displays a message
indicating that the system fails to filter the log with the specified log ID or alias name.
----End

3.5.1.4 (Optional) Setting the Timestamp Format of Logs
Context
To adjust the time format and time precision for information output, configure the timestamp.
Procedure
Step 1 Run:
system-view
Step 2 Run:
info-center timestamp log { { date | format-date | short-date } [ precision-time
{ second | tenth-second | millisecond } ] | boot | none }
The timestamp format of logs is configured.
By default, the timestamp format of logs is date.
----End
3.5.1.5 (Optional) Disabling the Log Counter Function
Context
Logs generated on the Switch contain sequence numbers. That is, the log counter function is
enabled by default. For example, you can run the display logbuffer command to view the
sequence numbers of logs.
<HUAWEI> display logbuffer
Logging buffer configuration and contents : enabled
Allowed max buffer size : 1024
Actual buffer size : 512
Channel number : 4 , Channel name : logbuffer
Dropped messages : 0
Overwritten messages : 5
Current messages : 512
Jul 17 2012 14:49:32 HUAWEI %%01IFPDT/4/IF_STATE(l)[0]:Interface Ether

net5/0/23 has turned into UP state.
net5/0/23 has turned into DOWN state.
net5/0/23 has turned into UP state.
Jul 17 2012 14:14:02 HUAWEI %%01SHELL/4/LOGINFAILED(l)[3]:Failed to lo
gin. (Ip=10.138.123.123, UserName=**, Times=1, AccessType=TELNET)
Jul 17 2012 11:15:03 HUAWEI %%01INFO/4/RST_LOGB(l)[4]:When deciding wh
ether to reset the logbuffer, the user chose N.
……
If the Switch has been running for a long time, many logs may be generated.
l To enable the Switch not to encapsulate sequence numbers in logs sent to the log buffer,
log file, console, or terminal, disable the log counter function.
l To re-collect statistics on logs sent to the log buffer, log file, console, or terminal, disable
the log counter function, disable the log counter function, and then enable the log counter
function.

l To view logs sent to the log buffer, log file, console, or terminal, disable the log counter
function, enable the log counter function so that logs contain sequence numbers in
ascending order.
NOTE
l If logs are sent to the console, log file, or terminal, logs are counted independently and sequence
numbers in the logs are in ascending order. That is, the sequence number of the log that was
generated first is 0 and the log that is generated later has a larger sequence number.
l If logs are sent to the log buffer, sequence numbers in logs are in descending order. That is, the
sequence number in the log that is generated recently is 0 and the log that was generated earlier has a
larger sequence number.
Procedure
Step 1 Run:
system-view

Step 2 Run:
info-center local log-counter disable
The log counter function is disabled.

By default, the log counter function is enabled.
----End
3.5.1.6 (Optional) Configuring the Suppression of the Log Processing Rate
Context
During the running of a device, if too many logs with the same log ID are generated, the
information center is too busy processing these logs to process logs with other log IDs, which
may even affect the running service. The information center monitors the traffic of logs with
different log IDs. When the traffic of logs with a specific log ID repeatedly exceeds the
threshold during the monitoring period, the information center suppresses the processing rate
of these specified logs by processing only the conforming traffic and discarding the non-
conforming traffic; when the traffic of logs with the specific log ID falls below the threshold
and remains below the threshold for five monitoring periods, the suppression is removed.
Procedure
Step 1 Run:
system-view

Step 2 Run:
info-center rate-limit threshold value [ byinfoid infoID | bymodule-alias modname
alias ]
The maximum number of logs with the same log ID that the information center can process
every second is set.
By default, the information center processes a maximum of 30 logs with the same log ID in
every second. In certain application scenarios, by default, the information center needs to

process more than 50 logs with the same log ID in every second. You can set thresholds for
logs with different log IDs.
NOTE
Generally, the default threshold is recommended.

l If the threshold is too low, some logs may be discarded.
l If the threshold is too high, the information center cannot identify the log ID under which too many
logs are generated.
Step 3 Run:
info-center rate-limit global-threshold value
The total number of logs that the information center can process each second is set.
Step 4 Run:
info-center rate-limit monitor-period value
The period for the information center to limit the log processing rate is set.
info-center rate-limit except { byinfoid infoID | bymodule-alias modname alias }
Cancel the log processing rate limit for logs with the specified ID or module name.
If logs with the specified ID or module name will never be generated in a huge number, you
can run this command to cancel the log processing rate limit for the logs. After this command
is run, the configured log processing rate limit will not be effective for logs with the specified
ID or module name.
----End
3.5.1.7 (Optional) Enabling Suppression of Statistics About Consecutive

Repeated Logs
Context
On the system, service modules generate logs and control the volume of generated logs. The
information center processes the received logs.
When an ARP attack or route link failure occurs, service modules, such as ARP and VRRP,
generate a large number of repeated logs within a short period. In this situation, you can
enable suppression of statistics about consecutive repeated logs to protect the information
center against the impact of a large number of repeated logs.
Logs that are generated consecutively and have identical log IDs and parameters can be
regarded as repeated logs.
Procedure
Step 1 Run:
system-view

Step 2 Run:
info-center statistic-suppress enable

Suppression of statistics about consecutive repeated logs is enabled.
By default, suppression of statistics about consecutive repeated logs is enabled.
----End
3.5.1.8 Configuring the Device to Output Logs to the Log Buffer
Context
To view logs in the log buffer, configure the device to output logs to the log buffer.
Procedure
Step 1 Run:
system-view
Step 2 Run:
info-center logbuffer
The device is enabled to output information to the log buffer.
By default, the device is enabled to output logs to the log buffer.
Step 3 Run:
info-center logbuffer channel { channel-number | channel-name }
The channel used by the device to output logs to the log buffer is specified.
By default, the device uses channel 4 to output logs to the log buffer.
Step 4 Run:
info-center source { module-name | default } channel { channel-number | channel-
name } log { state { off | on } | level severity } *
A rule for outputting logs to a channel is set.
By default, channel 4 is enabled to output logs and the lowest log severity is warning.

info-center logbuffer size logbuffer-size
The maximum number of logs in the log buffer is set.
By default, a log buffer can store a maximum of 512 logs.
----End
3.5.1.9 Configuring the Device to Output Logs to a Log File
Context
After logs are output to a log file, you can view the log file anytime to monitor device running
based on the logs.

Procedure
Step 1 Run:
system-view
Step 2 Run:
info-center logfile channel { channel-number | channel-name }
A channel through which logs are output to a log file is specified.
By default, the device uses channel 9 to output logs to a log file.
Step 3 Run:
By default, channel 9 is enabled to output logs and the lowest log severity is debugging.

info-center logfile size size
The log file size is set.
By default, the log file size is 8 MB.
NOTE
If the size of a log file generated on the device exceeds the configured log file size, the system
decompresses the log file into a zip file.

info-center max-logfile-number filenumbers
The maximum number of log files that can be saved is set.
By default, a maximum of 200 log files can be saved.
If the number of log files generated on the Switch exceeds the limit, the system deletes the
oldest log file.
If the remaining flash memory or CF card space is less than 30 MB, earlier compressed log
files are deleted. If no compressed log files can be deleted and the remaining flash memory or
CF card space is less than 30 MB, no log files will be generated.
Step 6 Run the quit command to return to the user view.

save logfile
Logs in the log buffer are saved to a log file.
The system saves logs in the log buffer to a log file periodically or when the log buffer is full.
To view current log information, run this command to save the logs in the log buffer to a log
file.
Logs in the log buffer can be manually saved to a log file. These logs will also be saved in a
log file in the following situations:

l Since the device starts, logs in the log buffer will be automatically saved to a log file
every 24 hours, and this saving interval cannot be configured.
l When the 64 KB log buffer is full, logs in the log buffer will be automatically saved to a
log file, and the log buffer size cannot be configured.
----End
3.5.1.10 Configuring the Device to Output Logs to the Console
Context
After logs are output to the console, you can view logs on the console (host from which you
can log in to the device through the console interface) to monitor device running.
Procedure
Step 1 Run:
system-view
Step 2 Run:
info-center console channel { channel-number | channel-name }
A channel through which logs are output to the console is specified.
By default, the device uses channel 0 to output logs to the console.
Step 3 Run:
Step 4 Run:
quit
Return to the user view.
Step 5 Run:
terminal monitor
Display of logs, traps, and debugging message output is enabled on the user terminal.
By default, console display is enabled and terminal display is disabled.
Step 6 Run:
terminal logging
Log display is enabled on the user terminal.
By default, log display is enabled on the user terminal.
----End

3.5.1.11 Configuring the Device to Output Logs to a Terminal
Context
After logs are output to a user terminal, you can view logs on the user terminal (host from
which you log in to the device through Telnet) to monitor device running.
Procedure
Step 1 Run:
system-view
Step 2 Run:
info-center monitor channel { channel-number | channel-name }
A channel through which logs are output to a user terminal is specified.
By default, the Switch uses channel 1 to output logs to a user terminal.
Step 3 Run:
Step 4 Run:
quit
Step 5 Run:
terminal monitor
Step 6 Run:
terminal logging
Log display is enabled on the user terminal.
By default, log display is enabled on the user terminal.
----End
3.5.1.12 Configuring the Device to Output Logs to a Log Host
Context
After configuring the device to output logs to a log host, you can view logs saved on the log
host to monitor device running.

There is a reachable route between the device and the log host.
Procedure
Step 1 Run:
system-view

Step 2 Run the following command as required.
l Run:
info-center loghost ip-address [ channel { channel-number | channel-name } |
facility local-number | language language-name | { vpn-instance vpn-instance-
name | public-net } | local-time | log-counter { disable | enable } | port
port | { source-ip source-ip-address } | transport { udp | tcp ssl-policy
policy-name } ] *
The device is configured to output logs to the IPv4 log host.

l Run:
info-center loghost ipv6 ipv6-address [ channel { channel-number | channel-
name } | facility local-number | language language-name | local-time | log-
counter { disable | enable } | port port | transport { udp | tcp ssl-policy
policy-name } ] *
The device is configured to output logs to the IPv6 log host.

l Run:
info-center loghost domain domain-name [ channel { channel-number | channel-
name } | facility local-number | language language-name | log-counter
{ disable | enable } | local-time | port port | transport { udp | tcp ssl-
policy policy-name } ] *
The device is configured to output logs to the log host with the specified domain name.
By default, the device does not output logs to a log host.
The device can output logs to eight log hosts (IPv4 and IPv6 hosts) to implement backup
among log hosts.
Step 3 Run:

By default, channel 2 is enabled to output logs and the lowest log severity is informational.
info-center loghost source interface-type interface-number
The source interface used by the device to send messages to a log host is specified.
By default, the source interface for a device to send messages to a log host is the actual
interface that sends the messages.
After the source interface is specified, the log host determines the device that sends messages.
The log host then can easily retrieve received messages.
info-center loghost source-port source-port

The source interface number used by the device to send messages to a log host is configured.
By default, the device sends messages to a log host using interface 38514.
----End
3.5.1.13 Checking the Configuration
Procedure
l Run the display channel [ channel-number | channel-name ] command to view the
channel configuration.
l Run the display info-center filter-id [ id | bymodule-alias modname alias ] command
to view information filtered by the information center.
l Run the display logbuffer command to check logs recorded in the log buffer.
l Run the display logfile file-name [ offset | hex ] * command to check the log file.
----End
3.5.2 Configuring Trap Output
Before enabling trap output, start the Switch.
Table 3-9 lists the configuration process for enabling trap output.
Table 3-9 Configuration process for enabling trap output
No. Name Description Remarks
1 3.5.2.1 Enabling the You can configure the Steps 2 to 4 are optional
Information Center information center only and can be performed in
after the information any sequence.
center is enabled.
By default, the
information center is
enabled.
2 3.5.2.2 (Optional) You can rename channels,

Naming an Information which facilitates
Channel memorization and usage.
3 3.5.2.3 (Optional) If some traps are

Configuring Trap unnecessary, configure
Filtering the Switch not to output
these traps.

4 3.5.2.4 (Optional) To adjust the time format

Setting the Timestamp and time precision for
Format of Traps information output,
configure the timestamp.
5 3.5.2.5 Configuring the To view traps in the trap Steps 5 to 10 can be

Device to Output Traps buffer, configure the configured in any
to the Trap Buffer Switch to output traps to sequence. You can
the trap buffer. configure the device to
output traps to one or
6 3.5.2.6 Configuring the After traps are output to a more destinations
Device to Output Traps log file, you can according to your needs.
to a Log File download the log file
anytime to view traps
generated by the Switch
to monitor device
running.
7 3.5.2.7 Configuring the After traps are output to

Device to Output Traps the console, you can view
to the Console traps on the console (host
from which you can log
in to the Switch through
the console interface) to
monitor device running.
8 3.5.2.8 Configuring the After traps are output to a

Device to Output Traps user terminal, you can
to a Terminal view traps on the user
terminal (host from which
you log in to the Switch
through STelnet) to
9 3.5.2.9 Configuring the After configuring the

Device to Output Traps Switch to output traps to
to a Log Host a log host, you can view
traps saved on the log
host to monitor device
running.

10 3.5.2.10 Configuring the When an exception or a

Device to Output Traps fault occurs on the
to an SNMP Agent Switch, the network
administrator wants to
learn device running. You
can configure the Switch
to output traps to an NMS
server so that the network
administrator can monitor
the Switch in real time
and locate faults
immediately. Before
configuring the Switch to
output traps to an NMS
server, configure the
Switch to output traps to
an SNMP agent. Then the
SNMP agent sends traps
to the NMS server.
Procedure
Step 1 Run:
system-view
Step 2 Run:
info-center enable
----End
Context
NOTE


0 console
1 monitor
2 loghost
3 trapbuffer
4 logbuffer
5 snmpagent
6 channel6
7 channel7
8 channel8
9 channel9
Procedure
Step 1 Run:
system-view

Step 2 Run:
----End
3.5.2.3 (Optional) Configuring Trap Filtering
Context
If some traps are unnecessary, configure the device not to output these traps. When the
filtering function is enabled, the information center does not send the specified traps that
satisfy the filtering condition to any channel. As a result, all output directions cannot receive
the specified traps.
Procedure
Step 1 Run:
system-view

Step 2 Run:
info-center filter-id { id | bymodule-alias modname alias } &<1-50>

info-center filter-id { id | bymodule-alias modname alias } [ bytime interval |

bynumber number ]
The filtering function is configured for specified traps.
NOTE
l Currently, the device can filter logs or modules with a maximum of 50 log IDs or modules. If there
are more than 50 log IDs or modules, the system displays a message indicating that the filtering table
is full. To configure the filtering function, run the undo info-center filter-id { id | bymodule-alias
modname alias } &<1-50>, undo info-center filter-id { id | bymodule-alias modname alias }
[ bytime interval | bynumber number ], or undo info-center filter-id all command to delete
original IDs or modules, and reconfigure the log ID or module.
l To add multiple IDs or modules at a time, use a space to separate IDs or modules. The system
displays a message to report the result of adding each ID or module.
l You cannot add the same ID or module repeatedly.
l When you add an unregistered or nonexistent ID or alias name, the system displays a message
indicating that the system fails to filter the trap with the specified ID or alias name.
----End
3.5.2.4 (Optional) Setting the Timestamp Format of Traps
Context
Procedure
Step 1 Run:
system-view
Step 2 Run:
info-center timestamp trap { { date | format-date | short-date } [ precision-time
{ second | tenth-second | millisecond } ] | boot | none }
The timestamp format of traps is set.
By default, the timestamp format of traps is date.
----End
3.5.2.5 Configuring the Device to Output Traps to the Trap Buffer
Context
To view traps in the trap buffer, configure the device to output traps to the trap buffer.
Procedure
Step 1 Run:
system-view

Step 2 Run:
info-center trapbuffer
The device is enabled to output traps to the trap buffer.

By default, the device is enabled to output traps to the trap buffer.
Step 3 Run:
info-center trapbuffer channel { channel-number | channel-name }
The channel used by the device to output traps to the trap buffer is specified.
By default, the device uses channel 3 to output traps to the trap buffer.
Step 4 Run:
name } trap { state { off | on } | level severity } *
A rule for outputting traps to a channel is set.

By default, channel 3 is enabled to output traps and the lowest severity is debugging.
info-center trapbuffer size trapbuffer-size
The maximum number of traps in the trap buffer is set.

By default, the trap buffer can store a maximum of 256 traps.
----End
3.5.2.6 Configuring the Device to Output Traps to a Log File
Context
After traps are output to a log file, you can view the log file anytime to monitor device
running based on the traps.
Procedure
Step 1 Run:
system-view

Step 2 Run:
A channel through which traps are output to a log file is specified.

By default, the device uses channel 9 to output traps to a log file.
Step 3 Run:





oldest log file.

save logfile

file.
----End
3.5.2.7 Configuring the Device to Output Traps to the Console
Context
After traps are output to the console, you can view traps on the console (host from which you
can log in to the device through the console interface) to monitor device running.
Procedure
Step 1 Run:
system-view

Step 2 Run:
A channel through which traps are output to the console is specified.

By default, the device uses channel 0 to output traps to the console.
Step 3 Run:

Step 4 Run:
quit

Step 5 Run:
terminal monitor
Step 6 Run:
terminal trapping
Traps display is enabled on the user terminal.

By default, trap display is enabled on the user terminal.
----End
3.5.2.8 Configuring the Device to Output Traps to a Terminal
Context
After traps are output to a user terminal, you can view traps on the user terminal (host from
which you log in to the device through Telnet) to monitor device running.
Procedure
Step 1 Run:
system-view

Step 2 Run:
A channel through which traps are output to a user terminal is specified.

By default, the device uses channel 1 to output traps to a user terminal.
Step 3 Run:


Step 4 Run:
quit

Step 5 Run:
terminal monitor
Step 6 Run:
terminal trapping
Traps display is enabled on the user terminal.

By default, trap display is enabled on the user terminal.
----End
3.5.2.9 Configuring the Device to Output Traps to a Log Host
Context
After configuring the device to output traps to a log host, you can view traps saved on the log
host to monitor device running.
Procedure
Step 1 Run:
system-view

l Run:
policy-name } ] *
The device is configured to output traps to the IPv4 log host.

l Run:
policy-name } ] *
The device is configured to output traps to the IPv6 log host.

l Run:
name } | facility local-number | language language-name } | log-counter
The device is configured to output traps to the log host with the specified domain name.
By default, the device does not output traps to a log host.
The device can output traps to eight log hosts (IPv4 and IPv6 hosts) to implement backup
among log hosts.
Step 3 Run:


----End
3.5.2.10 Configuring the Device to Output Traps to an SNMP Agent
Context
When an exception or a fault occurs on the device, the network administrator needs to learn
the device running status. You can configure the device to output traps to an NMS server so
that the network administrator can monitor the device in real time and locate faults
immediately. Before configuring the device to output traps to an NMS server, configure the
device to output traps to an SNMP agent. Then the SNMP agent sends traps to the NMS
server.
Procedure
Step 1 Run:
system-view

Step 2 Run:
info-center snmp channel { channel-number | channel-name }
The channel used by the device to output traps to an SNMP agent is specified.
By default, the device uses channel 5 to output traps to an SNMP agent.
Step 3 Run:

Step 4 Run:
snmp-agent
The SNMP agent function is enabled.

By default, the SNMP agent function is disabled.
The SNMP agent can work properly and receive traps only when the SNMP agent function is
enabled.
For details on how to configure the SNMP agent, see SNMP Configuration in the S7700 and
S9700 Series Switches Configuration Guide - Network Management and Monitoring.
----End
Procedure
l Run the display trapbuffer [ size value ] command to check traps recorded in the trap
buffer.
----End
3.5.3 Configuring Debugging Message Output
Before enabling debugging message output, start the Switch.
Debugging occupies CPU resources on the device, affecting system running. After debugging,
run the undo debugging all command to disable it immediately.

Table 3-11 lists the configuration process for enabling debugging message output.
Table 3-11 Configuration process for enabling debugging message output
No. Configuration Task Description Remarks
1 3.5.3.1 Enabling the You can configure the Steps 2 and 3 are optional
Information Center information center only and can be performed in
after the information any sequence.
center is enabled.
By default, the
information center is
enabled.
2 3.5.3.2 (Optional) You can easy-to-

Naming an Information remember names for
Channel channels to facilitate
information center usage.
3 3.5.3.3 (Optional) To adjust the time format

Setting the Timestamp and time precision for
Format of Debugging information output,
Messages configure the timestamp.
4 3.5.3.4 Configuring the After debugging Steps 4 to 7 can be

Device to Output messages are output to a performed in any
Debugging Messages to log file, you can sequence. You can view
the Log File download the log file debugging messages in
anytime to monitor the console or terminal.
device running based on
debugging messages.
5 3.5.3.5 Configuring the After debugging

Device to Output messages are output to
Debugging Messages to the console, you can
the Console view debugging
messages on the console
(host from which you can
log in to the through the
console interface) to
6 3.5.3.6 Configuring the After debugging

Device to Output messages are output to a
Debugging Messages to user terminal, you can
the Terminal view debugging
messages on the user
terminal (host from
which you log in to the
Switch through STelnet)
to monitor device
running.

No. Configuration Task Description Remarks
7 3.5.3.7 Configuring the After configuring the

Device to Output Switch to output
Debugging Messages to debugging messages to a
the Log Host log host, you can view
debugging messages
saved on the log host to
Procedure
Step 1 Run:
system-view
Step 2 Run:
info-center enable
----End
Context
NOTE

0 console
1 monitor
2 loghost
3 trapbuffer
4 logbuffer

5 snmpagent
6 channel6
7 channel7
8 channel8
9 channel9
Procedure
Step 1 Run:
system-view

Step 2 Run:
----End
3.5.3.3 (Optional) Setting the Timestamp Format of Debugging Messages
Context
Procedure
Step 1 Run:
system-view

Step 2 Run:
info-center timestamp debugging { { date | format-date | short-date } [ precision-
time { second | tenth-second | millisecond } ] | boot | none }
The timestamp format of debugging messages is set.

By default, the timestamp format of debugging messages is date.
----End
3.5.3.4 Configuring the Device to Output Debugging Messages to the Log File
Context
After debugging messages are output to a log file, you can download the log file anytime to
monitor device running based on debugging messages.

Procedure
Step 1 Run:
system-view

Step 2 Run:
The channel used by the device to output debugging messages to a log file is specified.
By default, the device uses channel 9 to output debugging messages into a log file.
Step 3 Run:
name } debug { state { off | on } | level severity } *
A rule for outputting debugging messages to a channel is set.

By default, channel 9 is disabled to output debugging messages and the lowest severity is
debugging.

NOTE


oldest log file.

save logfile

file.

----End
3.5.3.5 Configuring the Device to Output Debugging Messages to the Console
Context
After debugging messages are output to the console, you can view debugging messages on the
console (host from which you can log in to the device through the console interface) to
Procedure
Step 1 Run:
system-view

Step 2 Run:
A channel used by the device to output debugging messages to the console is specified.
By default, the device uses channel 0 to output debugging messages to the console.
Step 3 Run:

By default, channel 0 is enabled to output debugging messages and the lowest severity is
debugging.
Step 4 Run:
quit

Step 5 Run:
terminal monitor
Step 6 Run:
terminal debugging
Debugging message display is enabled on the user terminal.

By default, debugging message display is disabled on the user terminal.
----End

3.5.3.6 Configuring the Device to Output Debugging Messages to the Terminal
Context
After debugging messages are output to a user terminal, you can view debugging messages on
the user terminal (host from which you log in to the device through STelnet) to monitor
device running.
Procedure
Step 1 Run:
system-view

Step 2 Run:
A channel used by the device to output debugging messages to a user terminal is specified.
By default, the device uses channel 1 to output debugging messages to a user terminal.
Step 3 Run:

By default, channel 1 is enabled to output debugging messages and the lowest severity is
debugging.
Step 4 Run:
quit

Step 5 Run:
terminal monitor
Step 6 Run:
terminal debugging
Debugging message display is enabled on the user terminal.

By default, debugging message display is disabled on the user terminal.
----End
3.5.3.7 Configuring the Device to Output Debugging Messages to the Log Host
Context
After configuring the device to output debugging messages to a log host, you can view
debugging messages saved on the log host to monitor device running.

Procedure
Step 1 Run:
system-view

l Run:
policy-name } ] *
The device is configured to output debugging messages to the IPv4 log host.
l Run:
policy-name } ] *
The device is configured to output debugging messages to the IPv6 log host.
l Run:
name } | facility local-number | language language-name } | log-counter
The device is configured to output debugging messages to the log host with the specified
domain name.
By default, the device does not output debugging messages to a log host.
The device can output debugging messages to eight log hosts (IPv4 and IPv6 hosts) to
implement backup among log hosts.
Step 3 Run:

By default, channel 2 is disabled to output debugging messages and the lowest severity is
debugging.


----End
Procedure
----End
3.6 Maintaining the Information Center
3.6.1 Clearing Statistics

Context
Statistics of the information center cannot be restored after you clear them. Exercise caution
when running the commands.
Procedure
l To clear the statistics of the information center, run the reset info-center statistics
command in the user view.
l To clear the statistics in the log buffer, run the reset logbuffer command in the user
view.
l To clear the statistics in the trap buffer, run the reset trapbuffer command in the user
view.
----End
3.6.2 Monitoring the Information Center

Procedure
l Run the display info-center command to view output configuration of the information
center.

l Run the display info-center statistics command to view statistics of the information
center.
l Run the display logbuffer command to view logs recorded in the log buffer.
l Run the display logfile file-name [ offset | hex ] * command to view the log file.
l Run the display trapbuffer [ size value ] command to view traps recorded in the trap
buffer.
----End
3.7.1 Example for Outputting Logs to the Log File

Networking Requirements
As shown in , SwitchA connects to the FTP server through the Network. There is a reachable
route between SwitchA and the FTP server. The network administrator wants to use the FTP
server to view logs generated by SwitchA and learn operations on SwitchA.
NOTE
FTP is not a secure protocol. SFTP is recommended on networks that require high security.
Figure 3-8 Networking diagram for outputting logs to the log file
Network
SwitchA FTP Server

10.2.1.1/16 10.1.1.1/16
Configuration Roadmap
The configuration roadmap is as follows:
1. Enable the information center.
2. Configure a channel and a rule for outputting logs to a log file so that logs are saved in
the log file.
3. Configure SwitchA to transfer the log file to the FTP server so that the network
administrator can use the FTP server to view logs generated by SwitchA.
Procedure
Step 1 Enable the information center.
[HUAWEI] sysname SwitchA
[SwitchA] info-center enable

Step 2 Configure a channel and a rule for outputting logs to a log file.
# Configure a channel for outputting logs to a log file.

[SwitchA] info-center logfile channel channel6
NOTE
By default, channel 9 is used to send logs to a log file. If the default setting is used, skip this step.
# Configure a rule for outputting logs to a log file.

[SwitchA] info-center source default channel channel6 log level warning
[SwitchA] quit
Step 3 Configure SwitchA to transfer the log file to the FTP server.
# Log in to the FTP server with user name user1 and password huawei2012.
<SwitchA> ftp 10.1.1.1
Trying 10.1.1.1 ...
Press CTRL+K to abort
Connected to 10.1.1.1.
220 FTP service ready.
User(10.1.1.1:(none)):user1
331 Password required for user1.
Enter password:
230 User logged in.
# Configure SwitchA to transfer the log file to the FTP server.

[ftp] put cfcard:/logfile/log.log
200 Port command okay.
150 Opening ASCII mode data connection for log.log.
226 Transfer complete.
FTP: 7521956 byte(s) send in 3.1784917300 second(s) 2311.409Kbyte(s)/sec.
[ftp] quit
Step 4 Verify the configuration.
# View information recorded by the channel.

<SwitchA> display info-center
Information Center:enabled
Log host:
Console:
channel number : 0, channel name : console
Monitor:
channel number : 1, channel name : monitor
SNMP Agent:
channel number : 5, channel name : snmpagent
Log buffer:
enabled,max buffer size 1024, current buffer size 512,
current messages 512, channel number : 4, channel name : logbuffer
dropped messages 0, overwritten messages 37
Trap buffer:
current messages 146, channel number:3, channel name:trapbuffer
Logfile:
channel number : 6, channel name : channel6, language : English
Information timestamp setting:
log - date, trap - date, debug - date millisecond
Sent messages = 273315, Received messages = 284694
IO Reg messages = 2 IO Sent messages = 11379

# View the received log file on the FTP server. The configuration details are not mentioned
here.
----End
Configuration Files
l Configuration file of SwitchA
#
sysname SwitchA
#
info-center source default channel 6 log level warning
info-center logfile channel 6
#
return
3.7.2 Example for Outputting Logs to a Log Host
As shown in Figure 3-9, SwitchA connects to four log hosts. Log hosts are required to have
reliability and receive logs of different types so that the network administrator can monitor
logs generated by different modules on SwitchA.
Figure 3-9 Networking diagram for outputting logs to a log host
10.1.1.2/24 10.1.1.1/24
Server 3 Server1
VLANIF100
172.16.0.1/24
10GE1/0/1
SwitchA
Server 4 Server 2
10.2.1.2/24 10.2.1.1/24

2. Configure SwitchA to send logs of notification generated by the ARP module to Server1,
and specify Server3 as the backup of Server1. Configure SwitchA to send logs of
warning generated by the AAA module to Server2, and specify Server4 as the backup of
Server2.
3. Configure the log host on the server so that the network administrator can receive logs
generated by SwitchA on the log host.

Procedure
Step 2 Configure a channel and a rule for outputting logs to a log host.
# Name a channel.
[SwitchA] info-center channel 6 name loghost1
[SwitchA] info-center channel 7 name loghost2
# Configure a channel for outputting logs to a log host.

[SwitchA] info-center loghost 10.1.1.1 channel loghost1
# Configure a rule for outputting logs to a log host.

[SwitchA] info-center source arp channel loghost1 log level notification
[SwitchA] info-center source aaa channel loghost2 log level warning
Step 3 Configure an IP address for the interface that sends log information.
[SwitchA] vlan 100
[SwitchA-vlan100] quit
[SwitchA] interface gigabitethernet 1/0/1
[SwitchA-GigabitEthernet1/0/1] port link-type hybrid
[SwitchA-GigabitEthernet1/0/1] port hybrid pvid vlan 100
[SwitchA-GigabitEthernet1/0/1] port hybrid untagged vlan 100
[SwitchA-GigabitEthernet1/0/1] quit
[SwitchA] interface vlanif100
[SwitchA-Vlanif100] ip address 172.16.0.1 255.255.255.0
[SwitchA-Vlanif100] return
Step 4 Configure the log host on the server.

The Switch can generate many logs, which may exceed the limited storage space of the
Switch. To address this problem, configure a log server to store all the logs.
The log host can run the Unix or Linux operating system or run third-party log software. For
details about the configuration procedure, see the relevant documentation.
# View the configuration of the log host.
Log host:
10.1.1.1, channel number 6, channel name loghost1,
language English , host facility local7
Console:
Monitor:
SNMP Agent:
channel number : 5, channel name : snmpagent

Log buffer:
Trap buffer:
logfile:
----End
Configuration Files
SwitchA configuration file
#
sysname SwitchA
#
info-center channel 6 name loghost1
info-center channel 7 name loghost2
info-center source ARP channel 6 log level notification
info-center source AAA channel 7 log level warning
info-center loghost 10.1.1.1 channel 6
#
vlan batch 100
#
interface Vlanif100
ip address 172.16.0.1 255.255.255.0
#
interface GigabitEthernet1/0/1
port link-type hybrid
port hybrid pvid vlan 100
port hybrid untagged vlan 100
#
return
3.7.3 Example for Outputting Traps to the SNMP Agent

As shown in Figure 3-10, SwitchA connects to the NMS station. There is a reachable route
between SwitchA and the NMS station. The network administrator wants to view traps of
ARP module generated by SwitchA on the NMS station to monitor device running and locate
faults.
Figure 3-10 Networking diagram for outputting traps to the SNMP agent
10.1.1.2/24
VLANIF2
GE1/0/1
NM Station SwitchA
10.1.1.1/24

2. Configure a channel and a rule for outputting traps to the SNMP agent so that the SNMP
agent can receive traps generated by SwitchA.
3. Configure SwitchA to output traps to the NMS station so that the NMS station can
receive traps generated by SwitchA.
Procedure
Step 2 Configure a channel and a rule for outputting traps to the SNMP agent.
# Configure a channel for outputting traps to the SNMP agent.
[SwitchA] info-center snmp channel channel7
# Configure a rule for outputting traps to the SNMP agent.

[SwitchA] info-center source arp channel channel7 trap level informational state
on
NOTE
By default, the device uses the SNMP agent to output traps of all modules.
Step 3 Configure an IP address for the interface used to send trap messages.
[SwitchA] vlan batch 2
[SwitchA-GigabitEthernet1/0/1] port link-type trunk
[SwitchA-GigabitEthernet1/0/1] port trunk allow-pass vlan 2
[SwitchA] interface vlanif 2
[SwitchA-Vlanif2] ip address 10.1.1.2 24
[SwitchA-Vlanif2] quit
Step 4 Configure the SNMP agent to output traps to the NMS station.
# Enable the SNMP agent and set the SNMP version to SNMPv2c.
[SwitchA] snmp-agent sys-info version v2c
# Configure a community name.

[SwitchA] snmp-agent community write adminnms1
# Configure the trap function.

[SwitchA] snmp-agent trap enable
Warning: All switches of SNMP trap/notification will be open. Continue? [Y/N]:y
[SwitchA] snmp-agent target-host trap address udp-domain 10.1.1.1 params
securityname public v2c
[SwitchA] quit

# View the channel used by the SNMP agent to output traps.

Log host:
Console:
Monitor:
SNMP Agent:
channel number : 7, channel name : channel7
Log buffer:
Trap buffer:
logfile:
# View traps output through the channel used by the SNMP agent.
<SwitchA> display channel 7
channel number:7, channel name:channel7
MODU_ID NAME ENABLE LOG_LEVEL ENABLE TRAP_LEVEL ENABLE DEBUG_LEVEL
ffff0000 default Y debugging Y debugging N debugging
416e0000 ARP Y debugging Y informational N debugging
# View traps output to the NMS station by the SNMP agent.

<SwitchA> display snmp-agent target-host
Target-host NO. 1
-----------------------------------------------------------
IP-address : 10.1.1.1
Source interface : -
VPN instance : -
Security name : %^%#uq/!YZfvW4*vf[~C|.:Cl}UqS(vXd#wwqR~5M(rU%%^%#
Port : 162
Type : trap
Version : v2c
Level : No authentication and privacy
NMS type : NMS
With ext-vb : No
-----------------------------------------------------------
----End
Configuration Files
#
sysname SwitchA
#
info-center source ARP channel 7 trap level informational
info-center snmp channel 7
#
vlan batch 2
#
interface Vlanif2

ip address 10.1.1.2 255.255.255.0

#
port link-type trunk
port trunk allow-pass vlan 2
#
snmp-agent
snmp-agent local-engineid 000007DB7FFFFFFF00003B4C
snmp-agent community write cipher %^%#.T|&Whvyf$<Gd"I,wXi5SP_6~Nakk6<<+3H:N-
h@aJ6d,l0md%HCeAY8~>X=>xV\JKNAL=124r839v<*%^%#
snmp-agent sys-info version v2c v3
snmp-agent target-host trap address udp-domain 10.1.1.1 params securityname
cipher %^%#uq/!YZfvW4*vf[~C|.:Cl}UqS(vXd#wwqR~5M(rU%%^%# v2c
snmp-agent trap enable
#
return
3.7.4 Example for Outputting Traps to the Console
As shown in Figure 3-11, the PC connects to SwitchA through a console interface. It is
required that debugging messages of the ARP module be displayed on the PC.
Figure 3-11 Networking diagram for outputting debugging messages to the console
Console
SwitchA PC

2. Configure a channel and a rule for outputting debugging messages to the console so that
the console can receive debugging messages generated by SwitchA.
3. Enable terminal display so that users can use the terminal to view debugging messages
generated by SwitchA.
Procedure
Step 2 Configure a channel and a rule for outputting debugging messages to the console.
# Configure a channel for outputting debugging messages to the console.

[SwitchA] info-center console channel console
# Configure a rule for outputting debugging messages to the console.

[SwitchA] info-center source arp channel console debug level debugging state on
[SwitchA] quit
Step 3 Enable terminal display.

<SwitchA> terminal monitor
<SwitchA> terminal debugging
Step 4 Debug the ARP module.

<SwitchA> debugging arp packet

# View debugging message output.
<SwitchA> display channel 0
channel number:0, channel name:console
MODU_ID NAME ENABLE LOG_LEVEL ENABLE TRAP_LEVEL ENABLE DEBUG_LEVEL
ffff0000 default Y warning Y debugging Y debugging
416e0000 ARP Y warning Y debugging Y debugging
----End
Configuration Files
#
sysname SwitchA
#
info-center source ARP channel 0
#
return

Configuration Guide - Device Management 4 NTP Configuration
4 NTP Configuration
About This Chapter
This chapter describes how to configure Network Time Protocol (NTP) to synchronize time
among a set of distributed time servers and clients.
NOTE
The XGE interface connected to ACU2 does not support NTP.

The XGE interface connected to ET1D2IPS0S00, ET1D2FW00S00, ET1D2FW00S01, or
ET1D2FW00S02 does not support NTP.
4.1 Overview
4.2 Principles
4.3 Application
This section describes the usage scenarios of NTP.
4.4 Licensing Requirements and Limitations for NTP
4.5 Configuring the NTP
4.6 Maintaining NTP
4.8 Reference
This section lists references of NTP.
4.1 Overview
Definition
The Network Time Protocol (NTP) is an application layer protocol in the TCP/IP protocol
suite. NTP is used to synchronize the time among a set of distributed time servers and clients.
NTP is implemented based on the Internet Protocol (IP) and User Datagram Protocol (UDP).
NTP packets are transmitted using UDP port 123.

Purpose
As network topologies become increasingly complex, clock synchronization becomes more
important for devices on the entire network. If a system clock is modified manually by
network administrators, the workload is heavy and the modification is error-prone, which
affects clock precision. NTP is formulated as a networking protocol for clock synchronization
between devices on a network.
NTP applies to the following situations where all the clocks of the devices on a network need
to be consistent:
l In network management, analysis of logs or debugging messages collected from different
routers requires time for reference.
l An accounting system requires that the clocks of all the devices be consistent.
l When several systems work together to process a complicated event, they have to refer
to the same clock to ensure a correct execution order.
l Incremental backup between a backup server and clients requires that their clocks be
synchronized.
l Some applications need to obtain the time in which a user logs in a system and a
document is modified.
Version Evolution
NTP is evolved from a time protocol and the ICMP Timestamp message, but is specifically
designed to maintain time accuracy and clock robustness. Table 4-1 shows the NTP version
evolution.
Table 4-1 NTP version evolution

V Date Proto Description
er col
si Num
o ber
n
N June RFC NTPv1 puts forward complete NTP rules and algorithms for the
T 1988 1059 first time, but it does not support authentication and control
Pv messages.
1
N Septemb RFC NTPv2 supports authentication and control messages.

T er 1989 1119
Pv
2
N March RFC NTPv3 uses correctness principles and improves clock selection
T 1992 1305 and filter algorithms, and it is widely used.
Pv
3

V Date Proto Description

er col
si Num
o ber
n
N June RFC NTPv3 only applies to an IPv4 network. As IPv6 develops and
T 2010 5905 network security requirements grow, NTPv4 is produced.
Pv NTPv4, an extension of NTPv3, is compatible with NTPv3.
4 l NTPv4 applies to both IPv4 and IPv6 networks.
l NTPv4 provides a complete encryption and authentication
system so it is more secure than NTPv3.
4.2 Principles
4.2.1 Principles
In Figure 4-1, the NTP client and server are connected. They are independent clock systems,
and synchronize system clock through NTP.
The parameter settings and synchronization are as follows:
l Before the NTP client and server synchronizes their system clocks, the NTP client's
clock is set to Ta and NTP server's clock is set to Tb.
l The NTP server functions as NTP clock server, and NTP client needs to synchronize
clock with the NTP server.
l Assume that the precision of system clocks on NTP client and server is 0, that is, exactly
precise.
Figure 4-1 NTP implementation
Sent NTP
request packet
at T1
NTP server
T1
NTP client Internet
T1 T2 T3
Received NTP
reply packet at T4
NTP packet

The system clock synchronization process is as follows:

1. The NTP client sends an NTP request to the NTP server at T1. The request packet carries
the timestamp T1, which is the time the packet leaves the client.
2. The request packet reaches the NTP server at T2. The NTP server processes the packet,
and sends an NTP reply packet at T3. This reply packet carries T1, T2, and T3.
3. The NTP client receives the reply packet at T4.
Through the preceding interaction, the NTP client obtains four time parameters: T1, T2, T3,
and T4. The clocks of NTP client and server are precise, so the time difference between the
clocks of NTP client and server can be calculated using the following formula. The time
difference is the time that the NTP client needs to adjust.
1. Calculate the time (Delay) for sending an NTP packet from the client to server.
Delay = [ ( T4 - T1 ) - ( T3 – T2 ) ] / 2
2. Calculate the time difference (Offset) between the clocks of client and server.
At T4, for example, the clock of server is T3 + Delay. The Offset is calculated as
follows:
T4 + Offset = T3 + Delay
That is, Offset = T3 + Delay - T4 = T3 + [ ( T4 - T1 ) - ( T3 - T2 ) ] / 2 – T4 = [ ( T2-
T1 ) + ( T3 – T4 ) ] / 2
The NTP client adjusts its own clock based on the Offset to synchronize clock with the server.
NOTE
In the preceding description, the clocks are precise. However, there may be time difference between the
clocks of client and server. Therefore, RFC 1305 defines complicated algorithms for NTP to ensure
clock synchronization precision.
4.2.2 Network Architecture

The NTP network architecture involves the following concepts:
l Synchronization subnet consists of the primary time server, secondary time servers, PC
clients, and interconnecting transmission paths, as shown in Figure 4-2.
l Primary time server directly synchronizes its clock with a standard reference clock
using a cable or radio. The standard reference clock is usually a radio clock or the Global
Positioning System (GPS).
l Secondary time server synchronizes its clock with the primary time server or other
secondary time servers on the network. A secondary time server transmits the time
information to other hosts on a LAN through NTP.
l Stratum is a hierarchical standard for clock synchronization. It represents precision of a
clock. The value of a stratum ranges from 1 to 16. A smaller value indicates higher
precision. The value 1 indicates the highest clock precision, and 16 indicates that the
clock is not synchronized.

Figure 4-2 NTP network architecture

SwitchA
SwitchB SwitchD
Primary time server
Secondary time server Secondary time server
stratum1
stratum2 stratum2
Secondary time server Secondary time server

SwitchC SwitchE stratum3
stratum3
PC1 PC2 PC3 PC4
Under normal circumstances, the primary time server and the secondary time servers in a
synchronization subnet are arranged in a hierarchical-master-slave structure. In this structure,
the primary time server is located at the root, and the secondary time servers are arranged
close to leaf nodes. As their strata increase, the precision decreases accordingly. The extent to
which the precision of the secondary time servers decreases depends on stability of network
paths and the local clock.
NOTE
When the synchronization subnet has multiple primary time servers, the optimal server can be selected
using an algorithm.
Such a design ensures that:

l When faults occur in one or more primary/secondary time servers or network paths
interconnecting them, the synchronization subnet will automatically be reconstructed
into another hierarchical-master-slave structure to obtain the most precise and reliable
time.
l When all primary time servers in the synchronization subnet become invalid, a standby
primary time server runs.
When all primary time servers in the synchronization subnet become invalid, other secondary
time servers are synchronized among themselves. These secondary time servers become
independent of the synchronization subnet and automatically run at the last determined time
and frequency. When a switch with a stable oscillator becomes independent of the
synchronization subnet for an extended period of time, its timing error can be kept less than
several milliseconds in a day because of highly precise calculations.
4.2.3 Operating Mode

A device may use multiple NTP operating modes to perform time synchronization.
l Unicast Server/Client Mode
l Peer Mode

l Broadcast Mode
l Multicast Mode
l Manycast Mode
You can select an appropriate operating mode as required.
Unicast Server/Client Mode

The unicast server/client mode runs on a higher stratum on a synchronous subnet. In this
mode, devices need to obtain the IP address of the server in advance.
l Client: A host running in client mode (client for short) periodically sends packets to the
server. The Mode field in the packets is set to 3, indicating that the packets are coming
from a client. After receiving a reply packet, the client filters and selects clock signals,
and synchronizes its clock with the server that provides the optimal clock. A client does
not check the reachability and stratum of the server. Usually, a host running in this mode
is a workstation on a network. It synchronizes its clock with the clock of a server but
does not change the clock of the server.
l Server: A host running in server mode (server for short) receives the packets from clients
and responds to the packets received. The Mode field in reply packets is set to 4,
indicating that the packets are coming from a server. Usually, the host running in server
mode is a clock server on a network. It provides synchronization information for clients
but does not change its own clock.
Figure 4-3 Unicast Client/Server Mode

Client Server
Clock synchronization packets

（mode3）
Automatically run in
s erver mode, and
Perform clock filtering send reply packets
and clock selection, and
synchronize its clock to Reply packets（mode4）
that of the preferred
server
During and after the restart, the host operating in client mode periodically sends NTP request
messages to the host operating in server mode. After receiving the NTP request message, the
server swaps the position of destination IP address and source IP address, and the source port
number and destination port number, fills in the necessary information, and sends the message
to the client. The server does not need to retain state information. The client freely adjusts the
interval for sending NTP request messages according to the local conditions.
Peer Mode
The peer mode runs on a lower stratum on a synchronous subnet. In this mode, a active peer
and a passive peer can synchronize with each other. The peer with a higher stratum (a lower
level) synchronizes with a peer with a lower stratum (a higher level).

In peer mode, the active peer initiates an NTP packet with the Mode field set to 3 (the client
mode), and the passive peer responds with an NTP packet with the Mode field set to 4 (the
server mode). This interaction creates a network delay so that devices at both ends enter the
peer mode.
l Active peer: A host that functions as a active peer sends packets periodically. The value
of the Mode field in a packet is set to 1. This indicates that the packet is sent by a active
peer, without considering whether its peer is reachable and which stratum its peer is on.
The active peer can provide time information about the local clock for its peer, or
synchronize the time information about the local clock based on that of the peer clock.
l Passive peer: A host that functions as a passive peer receives packets from the active
peer and sends reply packets. The value of the Mode field in a reply packet is set to 2.
This indicates that the packer is sent by a passive peer. The passive peer can provide time
information about the local clock for its peer, or synchronize the time information about
the local clock based on that of the peer clock.
Figure 4-4 Peer mode

Symmetric active peer Symmetric passive peer
Interaction of clock synchronization

packets (mode3 and mode4)
Clock synchronization packets

(mode1) Automatically work in
symmetric peer mode,
and send reply packets
Reply packets (mode2)
The symmetric peer mode
being established, and the Synchronize clocks with each other
two can synchronize
clocks with each other
NOTE
The passive peer does not need to be configured. A host sets up a connection and sets relevant state
variables only when it receives an NTP packet.
Broadcast Mode
The broadcast mode is applied to the high speed network that has multiple workstations and
does not require high accuracy. In a typical scenario, one or more clock servers on the
network periodically send broadcast packets to the workstations. The delay of packet
transmission in a LAN is at the milliseconds level.
l Broadcast server: A host that runs in broadcast mode sends clock synchronization
packets to the broadcast address 255.255.255.255 periodically. The value of the Mode
field in a packet is set to 5. This indicates that the packet is sent by a host that runs in
broadcast or multicast mode, without considering whether its peer is reachable and
which stratum its peer is on. The host running in broadcast mode is usually a clock
server running high-speed broadcast media on the network, which provides
synchronization information for all of its peers but does not alter the clock of its own.

l Broadcast client: The client listens to the clock synchronization packets sent from the
server. When the client receives the first clock synchronization packet, the client and
server exchange NTP packets whose values of Mode fields are 3 (sent by the client) and
the NTP packets whose values of Mode fields are 4 (sent by the server). In this process,
the client enables the server/client mode for a short time to exchange information with
the remote server. This allows the client to obtain the network delay between the client
and the server. Then, the client returns the broadcast mode, and continues to sense the
incoming clock synchronization packets to synchronize the local clock.
Figure 4-5 Broadcast mode
Broadcast Server Broadcast Client
Periodically broadcast clock

synchronization packets (mode5) Initiate a request for server/client
mode after receiving the first
broadcast packet
packets (mode3 and mode4)
Obtain a network delay, and enter
broadcast client mode
Periodically broadcast clock
synchronization packets (mode5) Receive the broadcast packets,
and synchronize the local clock to
that of the broadcast server
Multicast Mode
Multicast mode is useful when there are large numbers of clients distributed in a network.
This normally results in large number of NTP packets in the network. In the multicast mode, a
single NTP multicast packet can potentially reach all the clients on the network and reduce the
control traffic on the network.
l Multicast server: A server running in multicast mode sends clock synchronization

packets to a multicast address periodically. The value of the Mode field in a packet is set
to 5. This indicates that the packet is sent by a host that runs in broadcast or multicast
mode. The host running in multicast mode is usually a clock server running high-speed
broadcast media on the network, which provides synchronization information for all of
its peers but does not alter the clock of its own.
l Multicast client: The client listens to the multicast packets from the server. When the
client receives the first broadcast packet, the client and server exchange NTP packets
whose values of Mode fields are 3 (sent by the client) and the NTP packets whose values
of Mode fields are 4 (sent by the server). In this process, the client enables the server/
client mode for a short time to exchange information with the remote server. This allows
the client to obtain the network delay between the client and the server. Then, the client
returns the multicast mode, and continues to sense the incoming multicast packets to
synchronize the local clock.

Figure 4-6 Multicast mode
Multicast server Multicast client
Periodic multicast clock

synchronization packets (mode5) Initiate a server/client
request after receiving the
first multicast packet
packets (mode3 and mode4) Obtain a network delay, and
enter multicast client mode
Periodic multicast clock
synchronization packets (mode5) Receive the multicast packets,
and synchronize the local clock
to that of the multicast server
Manycast Mode
Manycast mode is applied to a small set of servers scattered over the network. Clients can
discover and synchronize to the closest manycast server. Manycast can especially be used
where the identity of the server is not fixed and a change of server does not require
reconfiguration of all the clients in the network.
l Manycast server: The manycast server continuously listens to the packets. If a server can
be synchronized, the server returns a packet (the Mode field is set to 4) by using the
unicast address of the client as the destination address.
l Manycast client: The client in manycast mode periodically sends request packets (the
Mode field is set to 3) to an IPv4/IPv6 multicast address. After receiving a reply packet,
the client filters and selects clock signals, and synchronizes its clock with the server that
provides the optimal clock.
To prevent the client from constantly sending NTP request packets to the manycast server and
reduce the load of the server, the NTP protocol defines a minimum number of connections. In
manycast mode, the client records the number of connections established every time it
synchronizes clock with the server. The minimum number of connections is the minimum
number of connections called during a synchronization process. If the number of connections
called by the client reaches the minimum number during subsequent synchronization
processes and the synchronization is completed, the client considers that the synchronization
is completed. After that, the client sends a packet every time a timeout period expires to
maintain the connection. The NTP protocol uses the time to live (TTL) mechanism to ensure
that the client can successfully synchronize with the server. Every time the client sends an
NTP packet, the TTL of the packet increases (the initial value as 1) until the minimum
number of connections is reached or the TTL value reaches the upper limit. If the TTL
reaches the upper limit or the number of connections called by the client reaches the minimum
number, but connections called by the client still cannot complete the synchronizing process,
the client stops data transmission in a timeout period to eliminate all connections. Then the
client repeats the preceding process.

NOTE
In NTP implementation, a peer structure is established for each synchronization source, and these peer
structures are stored in a chain in a Hash form. Each peer structure is corresponding to a connection.
Figure 4-7 Manycast mode
Client Server
Periodic request packets Automatically run in

(mode3) server mode, and send
reply packets
Perform clock filtering and
Reply packets (mode4)
clock selection, and
synchronize its clock to that
of the preferred server
4.2.4 NTP Access Control

When a time server on a synchronization subnet is faulty or encounters a malicious attack,
timekeeping on other clock servers on the subnet should not be affected. To meet this
requirement, NTP provides the following security mechanisms to ensure network security:
access authority, Kiss-o'-Death (KOD) and NTP authentication.
Access Authority
A device provides access authority, which is simpler and more secure, to protect a local clock.
NTP access control is implemented based on an access control list (ACL). NTP supports five
levels of access authority, and a corresponding ACL rule can be specified for each level. If an
NTP access request hits the ACL rule for a level of access authority, they are successfully
matched and the access request enjoys the access authority at this level.
When an NTP access request reaches the local end, the access request is successively matched
with the access authority from the maximum one to the minimum one. The first successfully
matched access authority takes effect. The matching order is as follows:
1. peer: indicates that a time request may be made for the local clock and a control query
may be performed on the local clock. The local clock can also be synchronized to a
remote server.
2. server: indicates that a time request may be made for the local clock and a control query
may be performed on the local clock, but the local clock cannot be synchronized with the
clock of the remote server.
3. synchronization: indicates that only a time request can be made for the local clock.
4. query: indicates that only a control query can be performed on the local clock.
5. limited: When the rate of NTP packets exceeds the upper limit, the incoming NTP
packets are discarded, and a Kiss code is sent if the KOD function is enabled.

KOD
When a server receives a large number of client access packets within a specified period of
time and cannot bear the load, the KOD function can be enabled on the server to perform
access control. KOD is a brand new access control technology that is put forward in NTPv4,
and it is used by the server to provide information, such as a status report and access control,
for the client.
A KOD packet is a special NTP packet. When the Stratum field in an NTP packet is 0, the
packet is called a KOD packet and the ASCII message it conveys is called kiss code and
represents access control information. Currently, only two types of kiss codes are supported:
DENY and RATE.
After the KOD function is enabled on the server, the server sends kiss code DENY or RATE
to the client based on the configuration.
NOTE
After the KOD function is enabled, the corresponding ACL rule needs to be configured. When the ACL
rule is configured as deny, the server sends the deny kiss code. When the ACL rule is configured as
permit and the rate of NTP packets received reaches the configured upper limit, the server sends the rate
kiss code.
l When the client receives kiss code DENY, the client terminates all connections to the
server and stops sending packets to the server.
l When the client receives kiss code RATE, the client immediately reduces its polling
interval to the server and continues to reduce the interval each time it receives a RATE
kiss code.
Authentication
The NTP authentication function can be enabled on networks demanding high security.
Different keys may be configured in different operating modes.
When a user enables the NTP authentication function in a certain NTP operating mode, the
system records the key ID in this operating mode.
l Sending process
The system determines whether authentication is required in this operating mode. If
authentication is not required, the system directly sends a packet. If authentication is
required, the system encrypts the packet using the key ID and an encryption algorithm
and sends it.
l Receiving process
After receiving a packet, the system determines whether the packet needs to be
authenticated. If the packet does not need to be authenticated, the system directly
performs subsequent processing on the packet. If the packet needs to be authenticated,
the system authenticates the packet using the key ID and a decryption algorithm. If the
authentication fails, the system directly discards the packet. If the authentication
succeeds, the system processes the received packet.
4.3 Application
This section describes the usage scenarios of NTP.

Typical Application
On the network as shown in Figure 4-8, SwitchA accessing a standard clock is used as the
NTP master clock server to achieve synchronization of clocks on the entire network. SwitchA
is configured as the unicast server, and SwitchB, SwitchC and SwitchD are configured as
unicast clients. SwitchE acts as a symmetric peer of the upstream SwitchB and downstream
SwitchF.
Figure 4-8 Typical networking

SwitchA
Local
Workgroup
servers
SwitchB SwitchC SwitchD
SwitchE
SwitchF
Workstations
Workstations
Application in VPN Networking

Figure 4-9 shows application of the NTP service on a VPN network. Both CE A and CE B
belong to VPN 2. CE B is used as an NTP unicast server, CE A is used as an NTP unicast
client, and NTP time synchronization can be implemented between CE B and CE A.

Figure 4-9 NTP application in VPN networking
PE P PE
CE A CE B
VPN2 VPN2
NTP Client NTP Server
CE C CE D
VPN1 VPN1
4.4 Licensing Requirements and Limitations for NTP

Other network elements are required to support NTP.
NTP is a basic feature of a switch and is not under license control.
S7700 S7703, S7706, and V100R003C01, V100R006C00,

S7712 V200R001(C00&C01), V200R002C00,
V200R003C00, V200R005C00, V200R006C00,
V200R007C00, V200R008C00, V200R009C00,
V200R010C00, V200R011C10
S9700 S9703, S9706, and V200R001(C00&C01), V200R002C00,

S9712 V200R003C00, V200R005C00, V200R006C00,
V200R007(C00&C10), V200R008C00,
V200R009C00, V200R010C00, V200R011C10
NOTE

Feature Limitations
l The existing configuration will not be deleted when the NTP service is disabled.
l The XGE interface connected to ACU2 does not support NTP.
l The XGE interface connected to ET1D2IPS0S00, ET1D2FW00S00, ET1D2FW00S01,
or ET1D2FW00S02 does not support NTP.
4.5 Configuring the NTP
4.5.1 Configuring Basic NTP Functions

You can configure basic NTP functions to enable devices on the network to synchronize
clocks.
Before configuring basic NTP functions, configure the network layer address and routing
protocol of an interface to ensure that NTP packets can reach the destination.
Configuration Procedure
Basic NTP configuration contains the configuration of the NTP primary clock and operating
mode.
4.5.1.1 Configuring an NTP primary clock
Context
A device on the network can synchronize its clock in the following manners.
l Synchronizing with the local clock: The local clock is used as the reference clock.
l Synchronizing with another device on the network: This device is used as an NTP clock
server to provide a reference clock for the local clock.
If both manners are configured, the device selects an optimal clock source by comparing the
clocks determined in the two manners. The clock of a lower stratum is preferred.
An authoritative clock is used as a reference time source for a synchronization subnet, and is
located at the top of a hierarchical structure on the synchronization subnet. The authoritative
clock is stratum0. The current authoritative clock is mostly a Radio Clock or the Global
Positioning System. The time of the authoritative clock is synchronized through the broadcast
UTC time code other than NTP.
In actual circumstances, the NTP server synchronized with the authoritative clock is set as
stratum1, and is used as a master reference clock source. Other devices on the network
synchronize their clocks with the clock of the NTP server, which means the local clock of the
NTP server is configured as the NTP primary clock. The NTP distance from a device on the
network to the master reference clock source, that is, the number of NTP servers on the NTP
synchronization chain, determines the stratum of the clock on the device.
As shown in Figure 4-10, SwitchA is the primary clock, and the clock stratum is 1. The clock
synchronization direction is from SwitchA to SwitchB, and further to SwitchC. Only after the

SwitchB is synchronized with SwitchA, SwitchC can synchronize its clock with the clock of
SwitchB. After all the devices on the synchronization subnet are synchronized, SwitchB and
SwitchC are respectively stratum2 and stratum3.
Figure 4-10 NTP synchronization subnet
SwitchA
Stratum1
SwitchB
Stratum2
SwitchC
Stratum3
Synchronization direction
NOTE
After the local clock is configured as the reference clock, the local device can be used as the clock
source to synchronize other devices on the network. Confirm before this configuration, so as avoid clock
errors on the network.
Procedure
Step 1 Run:
system-view
Step 2 Run:
ntp-service refclock-master [ ip-address ] [ stratum ]
The local clock is configured as the NTP primary clock.
By default, no NTP primary clock is specified.
----End
4.5.1.2 Configuring NTP Operating Modes
Context
The following NTP operating modes are supported by a device:

Operating Usage Scenario Deployment Location

Mode and Synchronization
Direction
Unicast The unicast client/server mode is used on a You need to configure only
client/server higher stratum on a synchronization subnet. the client. The server needs
mode In this mode, the IP address of the server to be configured with only
needs to be obtained in advance. an NTP primary clock.
Note that the client can be
synchronized to the server
but the server cannot be
synchronized to the client.
Symmetric The symmetric peer mode is used on a You need to configure only
peer mode lower stratum on the synchronization the symmetric active peer.
subnet. In this mode, a symmetric active The symmetric passive peer
peer and a symmetric passive peer can be does not need to be
synchronized with each other. configured with an NTP
command.
In symmetric peer mode, a
symmetric peer of a higher
stratum is synchronized to a
symmetric peer of a lower
stratum.
Broadcast When the IP address of a server or a Relevant commands need to

mode symmetric peer is not determined, or when be run on the server and the
the clocks of a large number of devices client.
need to be synchronized on a network, Note that the client can be
clock synchronization can be implemented synchronized to the server
in the broadcast mode. but the server cannot be
synchronized to the client.
Multicast The multicast mode applies to the high- Relevant commands need to
mode speed network that has multiple clients and be run on the server and the
does not require high precision. In a typical client.
scenario, one or more clock servers on the Note that the client can be
network periodically send multicast packets synchronized to the server
to clients, and the clients synchronize time but the server cannot be
based on the multicast packets. synchronized to the client.
Manycast The manycast mode applies to the scenario Relevant commands need to
mode where servers are scattered on a network. be run on the server and the
The client can discover and synchronize to client.
the closest manycast server. The manycast Note that the client can be
mode applies to the scenario where the synchronized to the server
servers are not stable and clients on the but the server cannot be
entire network need not to be configured synchronized to the client.
again due to a change of the server.

NOTE
If a source address from which NTP packets are sent is specified on the server, the address must be the
same as the server IP address configured on the client. Otherwise, the client cannot process the NTP
packets sent by the server, resulting in failed clock synchronization.
Procedure
l Unicast Client/Server Mode
NOTE
In the unicast client/server mode, you need to configure only the client. Only an NTP primary
clock needs to be configured on the server.
Only after the clock on the server is synchronized, the server can function as a clock server to
which other devices can be synchronized. When the clock stratum of the server is greater than or
equal to the clock stratum of the client, the client is not synchronized to the server.
You can run the ntp-service unicast-server command repeatedly to configure multiple servers.
The client selects the optimal clock source by selecting a preferred clock.
Configure the unicast client.
a. Run:
system-view

b. Run:
n ntp-service unicast-server ip-address [ version number |
authentication-keyid key-id | source-interface interface-type
interface-number | preference | vpn-instance vpn-instance-name |
maxpoll max-number | minpoll min-number | burst | iburst | preempt |
port port-number ] *
An NTP server with a specified IPv4 address is configured.

n ntp-service unicast-server ipv6 ipv6-address [ authentication-keyid
key-id | source-interface interface-type interface-number |
preference | vpn-instance vpn-instance-name | maxpoll max-number |
minpoll min-number | burst | iburst | preempt | port port-number ] *
An NTP server with a specified IPv6 address is configured.
The value of ip-address or ipv6-address is the IP address of the NTP server. It can
be the address of a host but cannot be a broadcast address or a multicast address.
To specify the parameter authentication-keyid, see 4.5.5.4 Configuring NTP

Authentication.
If the port parameter is specified, you must specify the same port number on the
server by using the ntp-service port port-value command.
l Symmetric Peer Mode
NOTE
You only need to specify the IP address of the symmetric passive peer on the symmetric active
peer, and both symmetric peers use this IP address to exchange NTP packets.
Either of the symmetric active peer or the symmetric passive peer must be in the synchronized
state. Otherwise, they cannot be synchronized.
You can run the ntp-service unicast-peer command repeatedly to configure multiple symmetric
passive peers. When a symmetric active peer has multiple symmetric passive peers configured, the
synchronization direction follows the principle that a symmetric peer of a larger stratum is
synchronized with a symmetric peer of a smaller stratum.

Configure the symmetric active peer.
a. Run:
system-view

b. Run:
n ntp-service unicast-peer ip-address [ version number |
authentication-keyid key-id | source-interface interface-type
interface-number | preference | vpn-instance vpn-instance-name |
maxpoll max-number | minpoll min-number | preempt | port port-
number ]*
The NTP peer with a specified IPv4 address is configured.

n ntp-service unicast-peer ipv6 ipv6-address [ authentication-keyid
key-id | source-interface interface-type interface-number |
preference | vpn-instance vpn-instance-name | maxpoll max-number |
minpoll min-number | preempt | port port-number ]*
The NTP peer with a specified IPv6 address is configured.
The values of ip-address or ipv6-address must be a unicast address, and cannot be a

broadcast address or a multicast address.

Authentication.
passive peer by using the ntp-service port port-value command.
l Broadcast Mode
NOTE
The broadcast mode can be used only on a local area network (LAN).
Only after the clock of the broadcast server is synchronized, the broadcast client can be
synchronized with the broadcast server.
Configure the NTP broadcast server.
a. Run:
system-view

b. Run:
The interface for sending NTP broadcast packets is specified, and the interface view
is displayed.
c. Run:
ntp-service broadcast-server [ version number | authentication-keyid key-
id | port port-number ] *
The local switch is configured as the NTP broadcast server.

Authentication.
broadcast client by using the ntp-service port port-value command.
Configure the NTP broadcast client.

a. Run:
system-view

b. Run:
The interface for receiving NTP broadcast packets is specified, and the interface
view is displayed.
c. Run:
ntp-service broadcast-client
The local switch is configured as the NTP broadcast client.

l Multicast Mode
NOTE
Only after the clock of the multicast server is synchronized, the multicast client can be
synchronized with the multicast server. You can configure a maximum of 128 multicast servers on
the device.
Currently a maximum of 1024 multicast clients can be configured, but a maximum of 128
multicast clients can work simultaneously.
Configure the NTP multicast server.
a. Run:
system-view

b. Run:
The interface for sending NTP multicast packets is specified, and the interface view
is displayed.
c. Run:
n ntp-service multicast-server [ ip-address ] [ version number |
authentication-keyid key-id | ttl ttl-number | port port-number ] *
The local switch is configured as the NTP multicast server on an IPv4

network.
n ntp-service multicast-server ipv6 [ ipv6-address ] [ authentication-
keyid key-id | ttl ttl-number | port port-number ] *
The local switch is configured as the NTP multicast server on an IPv6

network.
Authentication.
multicast client by using the ntp-service port port-value command.
Configure the NTP multicast client.
a. Run:
system-view

b. Run:

The interface for receiving NTP multicast packets is specified, and the interface
view is displayed.
c. Run:
ntp-service multicast-client [ ip-address | ipv6 [ ipv6-address ] ]
The local switch is configured as the NTP multicast client.

l Manycast Mode
Configure the NTP manycast server.
a. Run:
system-view

b. Run:
The interface for receiving NTP manycast packets is specified, and the interface
view is displayed.
c. Run:
ntp-service manycast-server [ ip-address | ipv6 [ ipv6-address ] ]
The local switch is configured as the NTP manycast server.

Configure the NTP manycast client.
a. Run:
system-view

b. Run:
The interface for sending NTP manycast packets is specified, and the interface view
is displayed.
c. Run:
ntp-service manycast-client [ ip-address | ipv6 [ ipv6-address ] ]
[ authentication-keyid key-id | ttl ttl-number | port port-number ] *
The local switch is configured as the NTP manycast client.

Authentication.
manycast server by using the ntp-service port port-value command.
----End
4.5.1.3 Enabling the NTP Server Function
Context
After NTP-related commands are configured on a device, the device automatically disables
the NTP server function to prevent external devices from synchronizing their clocks with the
device's clock. In addition, the device also generates the ntp-service server disable and ntp-
service ipv6 server disable commands in its configuration file. If you want to use the device
as an NTP server, enable the NTP server function on the device.

Procedure
Step 1 Run:
system-view

Step 2 Run:
undo ntp-service [ ipv6 ] server disable
The NTP server function is enabled on the device.

By default, the NTP server function is disabled.
----End
Prerequisites
All configurations of basic NTP functions are completed.
Procedure
l Run the display ntp-service status command to check the NTP service status.
l Run the display ntp-service sessions [ verbose ] command to check the NTP session
status.
l Run the display ntp-service trace command to check the path from the local device to
the reference clock source.
l Run the display ntp-service statistics packet [ ipv6 | peer [ ip-address [ vpn-instance
vpn-instance-name ] | ipv6 [ ipv6-address [ vpn-instance vpn-instance-name ] ] ] ]
command to check the statistical information about NTP packets or symmetric peers.
----End
4.5.2 Configuring the Client Clock
Procedure
Step 1 Run:
system-view

Step 2 Run:
ntp-service { max-sys-poll max-sys-poll-value | spike-offset spike-offset-value |
sync-interval interval } *
The maximum polling interval, the timestamp difference between packets sent by the clock
server and received by the client, the interval at which the clock of the client is synchronized
is configured.
By default, the maximum polling interval is 217s, the timestamp difference between packets
sent by the clock server and received by the client is 128ms, the interval at which the clock of
the client is synchronized is 600 seconds.

Step 3 Run:
ntp-service max-distance max-distance-value
The maximum NTP synchronization distance are configured.

By default, The maximum NTP synchronization distance is 1 second.
----End
Checking the Configuration

l Run the display current-configuration | include ntp command to check configuration
of NTP.
4.5.3 Configuring the Local Source Interface for Sending and

Receiving NTP Packets
Prerequisites
All configurations of basic NTP functions have been completed.
NOTE
If the ntp-service unicast-server or the ntp-service unicast-peer command specifies the source
interface of NTP packets, the specified source interface takes effect.
Procedure
Step 1 Run:
system-view

Step 2 Run:
ntp-service [ ipv6 ] source-interface interface-type interface-number [ vpn-
instance vpn-instance-name ]
The local source interface for sending and receiving NTP packets is configured.
By default, the local source interface for sending NTP packets is not specified. The source IP
address of an NTP packet is selected according to the route.
In the broadcast, multicast, and manycast modes, the NTP service is performed on the source
interface and the ntp-service source-interface command does not take effect.
If the specified NTP source interface is in Down state, the source IP address of a sent NTP
packet is the primary IP address of the packet's outbound interface.
----End

l Run the display current-configuration | include ntp command to check the
configuration about the local source interface for sending and receiving NTP packets.
4.5.4 Limiting the Number of Local Dynamic Sessions

Prerequisites
Context
In both unicast client/server mode and symmetric peer mode, command lines are used to
establish a connection, which is a static session. Dynamic sessions are established in
broadcast mode, manycast mode and multicast mode, so that the limit on the number of local
dynamic sessions takes effect.
NOTE
The ntp-service max-dynamic-sessions command runs without affecting the existing NTP sessions. When
the number of local dynamic NTP sessions exceeds the maximum number, a new session cannot be
established.
Procedure
Step 1 Run:
system-view
Step 2 Run:
ntp-service max-dynamic-sessions number
The number of local dynamic sessions that can be established is configured.
By default, a maximum of 100 NTP dynamic sessions can be established.
----End

l Run the display current-configuration | include ntp command to check the number of
local dynamic sessions that can be established.
4.5.5 Configuring NTP Access Control
Prerequisites
Configuration Order
You can perform the following configuration tasks in any sequence as required.
4.5.5.1 Disabling a Specified Interface from Receiving NTP Packets
Context
You can disable the interface connected to external devices from receiving NTP packets in the
following scenarios:

l An unreliable clock server exists on the interface. After the NTP function is enabled, all
interfaces can receive NTP packets by default. However, an unreliable clock source
makes NTP clock data inaccurate.
l The NTP clock data is modified when the interface is attacked maliciously.
Procedure
Step 1 Run:
system-view
Step 2 Run:
The interface for receiving NTP packets is specified.
Step 3 Run:
ntp-service [ ipv6 ] in-interface disable
The interface is disabled from receiving NTP packets.
----End
4.5.5.2 Configuring NTP Access Control Authority
Context
NTP access control is a simple security measure. When an access request reaches the local
end, the access request is successively matched with the access authority from the highest one
to the lowest one. The first successfully matched access authority takes effect. The matching
order is: peer, server, synchronization, query and limited.
l peer: The remote end can send time requests and control queries to the local NTP
service. The local clock can also be synchronized with the clock of the remote server.
l server: The remote end can send time requests and control queries to the local end. The
local clock, however, cannot be synchronized with the clock of the remote server.
l synchronization: The remote end can send only time requests to the local end.
l query: The remote end can send only control queries to the local end.
l limited: When the rate of NTP packets exceeds the upper limit, the incoming NTP
packets are discarded.
The access control authority is configured on different devices in different NTP operating
modes, as described in Table 4-3.
Table 4-3 Configuration of the NTP access control authority
NTP Operating Restricted NTP Request Configured Device

Mode Type
Unicast NTP client/ The client is restricted from Client

server mode synchronizing to the server.

NTP Operating Restricted NTP Request Configured Device

Mode Type
Unicast NTP client/ The server is restricted from Server

server mode processing the clock
synchronization request sent
by the client.
NTP symmetric A symmetric passive peer and Symmetric active peer

peer mode a symmetric active peer are
restricted from synchronizing
with each other.
NTP symmetric The symmetric passive peer is Symmetric passive peer

peer mode restricted from processing the
clock request sent by the
symmetric active peer.
NTP multicast The client is restricted from NTP multicast client

mode synchronizing to the server.
NTP broadcast The client is restricted from NTP broadcast client

mode synchronizing to the server.
NTP manycast The client is restricted from NTP manycast client

client mode synchronizing to the server.
NTP manycast The server is restricted from NTP manycast server

server mode processing the clock
synchronization request sent
by the client.
Procedure
Step 1 Run:
system-view

Step 2 Configure the basic ACL.
Before configuring the access control authority, you must create a basic ACL. For the creation
procedure, see "ACL Configuration" in the S7700 and S9700 Series Switches Configuration
Guide-Security.
Step 3 Run:
ntp-service access { peer | query | server | synchronization | limited } { acl-
number | ipv6 acl6-number } *
The access control authority of the NTP service is configured.

By default, no access control authority is set.

NOTE
Check the configuration of the ACL rule before configuring the NTP access control authority in the ACL.
When the ACL rule is permit, the peer device with the source IP address specified in this rule can access the
NTP service on the local device. The access right of the peer device is configured using the ntp-service
access command. When the ACL rule is deny, the peer device with the source IP address specified in this
rule cannot access the NTP service on the local device.
Step 4 Run:
ntp-service discard { min-interval min-interval-val | avg-interval avg-interval-
val } *
The minimum inter-packet interval and the average inter-packet interval of NTP are
configured.
By default, the minimum inter-packet interval of NTP is set to the first power of 2 in seconds,
namely, 2 seconds, and the average inter-packet interval of NTP is set to the fifth power of 2
in seconds, namely, 32 seconds.
----End
4.5.5.3 Configuring KOD
Context
The Kiss-o'-Death (KOD) is a brand new access control technology put forward by NTPv4,
and the KOD is mainly used for a server to provide information, such as a status report and
access control, for a client.
After the KOD is enabled on the server, the server sends the kiss code DENY or the kiss code
RATE to the client according to the operating status of the system.
l When receiving the kiss code DENY, the client terminates all connections with the
server, and stops sending packets to the server.
l When receiving the kiss code RATE, the client immediately shortens a poll interval with
the server. Every time the kiss code RATE is received after the first shortening operation,
the poll interval is further shortened.
NOTE
The KOD supports the unicast client/server mode, symmetric peer mode, and manycast mode.
The KOD only functions in NTPv4.
The following configuration is performed on the server.
Procedure
Step 1 Run:
system-view
Step 2 Run:
ntp-service kod-enable
The KOD function is enabled.
By default, the KOD function is disabled.

Step 3 Configure the basic ACL.
Before configuring the access control authority, you must create a basic ACL. For the creation
procedure, see "ACL Configuration" in the S7700 and S9700 Series Switches Configuration
Guide-Security.
Step 4 Run:
ntp-service access limited { acl-number | ipv6 acl6-number } *
Control on the rate of incoming NTP packets is enabled.
By default, control on the rate of incoming NTP packets is disabled.
NOTE
Before enabling control on the rate of incoming NTP packets, check the ACL rule configuration. When
the ACL rule is deny, the server sends the kiss code DENY. When the ACL is permit and the rate of
incoming NTP packets reaches the upper threshold, the server sends the kiss code RATE.
Step 5 Run:
ntp-service discard { min-interval min-interval-val | avg-interval avg-interval-
val } *
The minimum inter-packet interval and the average inter-packet interval of NTP are
configured.
By default, the minimum inter-packet interval of NTP is set to the first power of 2 in seconds,
namely, 2 seconds, and the average inter-packet interval of NTP is set to the fifth power of 2
in seconds, namely, 32 seconds.
----End
4.5.5.4 Configuring NTP Authentication
Context
In some networks demanding high security, the authentication function needs to be enabled
when you use the NTP protocol. Password authentication of a client and a server ensures that
the client only synchronizes with a device that has been authenticated, improving the network
security.
When configuring the NTP authentication function, note the following rules:
l The NTP authentication function must be enabled first; otherwise, authentication cannot
be implemented.
l The NTP authentication function needs to be configured on both the client and the
server. Otherwise, the NTP authentication function does not take effect.
l If the NTP authentication function is enabled, a trusted key is configured on the client.
l Keys configured on the server and the client must be identical.
l The device that wants to synchronize its clock should declare its key as reliable.
Otherwise, NTP authentication will fail.
NOTE
In NTP symmetric peer mode, the symmetric active peer functions as a client and the symmetric passive
peer functions as a server.

Procedure
Step 1 Run:
system-view
Step 2 Run:
ntp-service authentication enable
The NTP authentication function is enabled.
Step 3 Run:
ntp-service authentication-keyid key-id authentication-mode { md5 | hmac-
sha256 } [ cipher ] password
The NTP authentication key is configured.
Step 4 Run:
ntp-service reliable authentication-keyid key-id
The reliable key is specified.
----End
Follow-up Procedure
After the configuration of the NTP authentication is completed, apply the NTP authentication
key in Configuring NTP Operating Modes. That is, specify the parameter authentication-
keyid.
Prerequisites
The configuration of NTP access control is completed.
Procedure
l Run the display current-configuration | include ntp command to check the NTP
configuration.
l Run the display ntp-service status command to check the NTP service status.
l Run the display ntp-service sessions [ verbose ] command to check the NTP session
status.
----End
4.6 Maintaining NTP

4.6.1 Clearing NTP Statistics
Context
NOTE
After NTP statistics are cleared by using the reset ntp-service statistics packet command, the statistics
cannot be recovered. Confirm the action before running this command.
Procedure
l Run the reset ntp-service statistics packet [ ipv6 | peer [ ip-address [ vpn-instance
command to clear statistics on NTP packets or symmetric peers.
----End
4.6.2 Monitoring the Running Status of NTP
Context
To monitor the NTP running status after configurations of NTP are complete, run the
following commands in any view.
Procedure
l Run the display ntp-service statistics packet [ ipv6 | peer [ ip-address [ vpn-instance
command to check statistics on NTP packets or symmetric peers.
l Run the display ntp-service status command to check the NTP status.
l Run the display ntp-service sessions [ verbose ] command to check all session
information maintained by the local NTP service.
l Run the display ntp-service trace command to check the path from the local device to
l Run the display ntp-service event clock-unsync command to check the reasons of the
last 10 clock synchronization failures.
----End
4.7.1 Example for Configuring the NTP Unicast Server/Client

Mode with NTP Authentication Enabled
As shown in Figure 4-11, SwitchA, SwitchB, and SwitchC are connected. SwitchA has
synchronized its clock with an authoritative clock, the Global Positioning System (GPS).

It is required that SwitchB and SwitchC synchronize their clocks with the clock of SwitchA to
ensure accounting accuracy.
Figure 4-11 Networking diagram for configuring the NTP unicast server/client mode with
NTP authentication enabled
GE1/0/1 GE1/0/1
SwitchA VLANIF100 SwitchB VLANIF10 SwitchC
10.1.1.1/24 10.1.2.2/24
GE1/0/1 GE1/0/2
VLANIF100 VLANIF10
10.1.1.2/24 10.1.2.1/24
You can configure the NTP unicast server/client mode with NTP authentication enabled to
meet the clock synchronization requirement on the LAN. The configuration roadmap is as
follows:
1. Configure SwitchA as the NTP master clock server.
2. Configure the NTP unicast server/client mode to synchronize the clocks of SwitchA,
SwitchB, and SwitchC. Configure SwitchA as the NTP server and SwitchB and SwitchC
as NTP clients.
3. Enable NTP authentication to ensure NTP clock synchronization security.
NOTE
When configuring NTP authentication in the unicast server/client mode, enable NTP authentication on
the client, and specify the NTP server's IP address and the authentication key sent to the server.
Otherwise, NTP authentication is not performed, and the NTP server and client directly synchronize
their clocks.
Procedure
Step 1 Configure IP addresses for SwitchA, SwitchB, and SwitchC and ensure that they have
reachable routes to each other.
# Configure an IP address and a route on SwitchA.
[SwitchA] vlan 100
[SwitchA-GigabitEthernet1/0/1] port link-type trunk
[SwitchA-GigabitEthernet1/0/1] port trunk allow-pass vlan 100
[SwitchA] ip route-static 10.1.2.0 24 10.1.1.2
# Configure two IP addresses on SwitchB.

[HUAWEI] sysname SwitchB
[SwitchB] vlan 100
[SwitchB-vlan100] quit
[SwitchB] interface vlanif 100

[SwitchB-Vlanif100] ip address 10.1.1.2 24

[SwitchB-Vlanif100] quit
[SwitchB] vlan 10
[SwitchB] interface gigabitethernet 1/0/1
[SwitchB-GigabitEthernet1/0/1] port link-type trunk
[SwitchB-GigabitEthernet1/0/1] port trunk allow-pass vlan 100
[SwitchB-GigabitEthernet1/0/1] quit
[SwitchB-GigabitEthernet1/0/2] port link-type trunk
[SwitchB-GigabitEthernet1/0/2] port trunk allow-pass vlan 10
# Configure an IP address and a route on SwitchC.

[HUAWEI] sysname SwitchC
[SwitchC] vlan 10
[SwitchC-vlan10] quit
[SwitchC] interface vlanif 10
[SwitchC-Vlanif10] ip address 10.1.2.2 24
[SwitchC-Vlanif10] quit
[SwitchC] interface gigabitethernet 1/0/1
[SwitchC-GigabitEthernet1/0/1] port link-type trunk
[SwitchC-GigabitEthernet1/0/1] port trunk allow-pass vlan 10
[SwitchC-GigabitEthernet1/0/1] quit
[SwitchC] ip route-static 10.1.1.0 24 10.1.2.1
Step 2 On SwitchA, configure the NTP master clock and enable NTP authentication.
# Configure the local clock of SwitchA as the master clock, and set the clock stratum to 2.
[SwitchA] ntp-service refclock-master 2
# Enable NTP authentication, configure the authentication key, and declare that the key is
reliable.
[SwitchA] ntp-service authentication enable
[SwitchA] ntp-service authentication-keyid 42 authentication-mode hmac-sha256
cipher Hello123
[SwitchA] ntp-service reliable authentication-keyid 42
# Enable the NTP server function on SwitchA.

[SwitchA] undo ntp-service server disable
Step 3 On SwitchB, enable NTP authentication, configure the authentication key, declare that the key
is reliable, and specify SwitchA as the NTP server.
[SwitchB] ntp-service authentication enable
[SwitchB] ntp-service authentication-keyid 42 authentication-mode hmac-sha256
cipher Hello123
[SwitchB] ntp-service reliable authentication-keyid 42
[SwitchB] ntp-service unicast-server 10.1.1.1 authentication-keyid 42
Step 4 On SwitchC, enable NTP authentication, configure the authentication key, declare that the key
is reliable, and specify SwitchA as the NTP server.
[SwitchC] ntp-service authentication enable
[SwitchC] ntp-service authentication-keyid 42 authentication-mode hmac-sha256
cipher Hello123
[SwitchC] ntp-service reliable authentication-keyid 42
[SwitchC] ntp-service unicast-server 10.1.1.1 authentication-keyid 42

# Check the NTP status of SwitchA.

[SwitchA] display ntp-service status

clock status: synchronized
clock stratum: 2
reference clock ID: LOCAL(0)
nominal frequency: 100.0000 Hz
actual frequency: 100.0000 Hz
clock precision: 2^17
clock offset: 0.0000 ms
root delay: 0.00 ms
root dispersion: 10.96 ms
peer dispersion: 10.00 ms
reference time: 08:54:40.010 UTC Nov 22 2013(D6399696.029E9079)
synchronization state: clock synchronized
# Check the NTP status of SwitchB. The clock status is synchronized, indicating that the
clock synchronization is complete. The clock stratum is 3, which is one stratum lower than
that of the NTP server SwitchA.
[SwitchB] display ntp-service status
clock stratum: 3
reference clock ID: 10.1.1.1
clock offset: -1.6796 ms
root delay: 2.71 ms
reference time: 08:54:44.160 UTC Nov 22 2013(D6399A54.29247CB7)
# Check the NTP status of SwitchC. The clock status is synchronized, indicating that the
[SwitchC] display ntp-service status
clock stratum: 3
root delay: 2.71 ms
reference time: 08:57:44.160 UTC Nov 22 2013(D6399E4E.052B2BFD)
----End
Configuration Files
l SwitchA configuration file
#
sysname SwitchA
#
vlan batch 100
#
ntp-service ipv6 server disable
ntp-service authentication-keyid 42 authentication-mode hmac-sha256 cipher %^
%#uLLi;!VFkMLO;SAD#:~GS=:/UzP~}1lS2'KT2,.T%^%#
ntp-service reliable authentication-keyid
42
ntp-service refclock-master 2

#
interface Vlanif100
ip address 10.1.1.1 255.255.255.0
#
#
ip route-static 10.1.1.0 255.255.255.0 10.1.2.1
#
return
l SwitchB configuration file

#
sysname SwitchB
#
vlan batch 10 100
#
ntp-service server disable
%#cVg6'G;i2*@[$uB@!^}:g$V6+~Hc}V,]M"Y/voeF%^%#
ntp-service reliable authentication-keyid 42
ntp-service unicast-server 10.1.1.1 authentication-keyid 42
#
interface Vlanif100
ip address 10.1.1.2 255.255.255.0
#
interface Vlanif10
ip address 10.1.2.1 255.255.255.0
#
#
#
return
l SwitchC configuration file

#
sysname SwitchC
#
vlan batch 10
#
%#G;i2;!VFkMLO;SAD#:~GS=:/UzP~}1lS2'KT2,.T%^%#
ntp-service unicast-server 10.1.1.1 authentication-keyid 42
#
interface Vlanif10
ip address 10.1.2.2 255.255.255.0
#
#
ip route-static 10.1.1.0 255.255.255.0 10.1.2.1
#
return

4.7.2 Example for Configuring the NTP Symmetric Peer Mode
As shown in Figure 4-12, SwitchA, SwitchB, and SwitchC are located on the same LAN.
All devices on the LAN need to synchronize their clocks to facilitate device management.
SwitchA has synchronized its clock with an authoritative clock, the Global Positioning
System (GPS), through a network. It is required that SwitchB and SwitchC synchronize their
clocks with the clock of SwitchA.
Figure 4-12 Networking diagram for configuring the NTP symmetric peer mode
SwitchA
GE1/0/1
VLANIF10
10.0.0.1/24
GE1/0/1 GE1/0/1
VLANIF10 GE1/0/1 VLANIF10
10.0.0.2/24 10.0.0.3/24
GE1/0/3 GE1/0/2
SwitchB Switch SwitchC
You can use NTP to synchronize time and configure the NTP symmetric peer mode to meet
the clock synchronization requirement. The configuration roadmap is as follows:
1. Configure the local clock of SwitchA as the NTP master clock.
2. Configure the NTP unicast server/client mode to synchronize the clocks of SwitchB and
SwitchA. Configure SwitchA as the NTP server and SwitchB as the NTP client.
3. Configure the NTP symmetric peer mode to synchronize the clocks of SwitchB and
SwitchC. Configure SwitchC as the symmetric active peer that sends a clock
synchronization request to SwitchB.
Procedure
Step 1 Configure IP addresses for SwitchA, SwitchB, and SwitchC.
Configure an IP address for each interface according to Figure 4-12. After the configuration
is complete, SwitchA, SwitchB, and SwitchC can ping each other.
# Configure an IP address for SwitchA. The configurations of SwitchB and SwitchC are
similar to the configuration of SwitchA, and are not mentioned here. For details, see the
configuration files.
[SwitchA] vlan 10


Step 2 Configure Layer 2 forwarding on the Switch.

[HUAWEI] sysname Switch
[Switch] vlan 10
[Switch-vlan10] quit
[Switch] interface gigabitethernet 1/0/1
[Switch-GigabitEthernet1/0/1] port link-type hybrid
[Switch-GigabitEthernet1/0/1] port hybrid untagged vlan 10
[Switch-GigabitEthernet1/0/1] port hybrid pvid vlan 10
[Switch-GigabitEthernet1/0/1] quit
Step 3 Configure the NTP server/client mode.
# Configure the local clock of SwitchA as the NTP master clock, and set the clock stratum to
2.

# On SwitchB, specify SwitchA as its NTP server.

[SwitchB] ntp-service unicast-server 10.0.0.1
# Enable the NTP server function on SwitchB.

[SwitchB] undo ntp-service server disable
After the configuration is complete, SwitchB can synchronize its clock with the clock of
SwitchA.
Check the NTP status of SwitchB. The clock status is synchronized, indicating that the clock
synchronization is complete. The clock stratum is 3, which is one stratum lower than that of
SwitchA.
clock stratum: 3
root delay: 62.50 ms
reference time: 06:52:33.465 UTC Mar 7 2006(C7B7AC31.773E89A8)
synchronization state: clock set

Step 4 Configure the NTP symmetric peer mode.

# On SwitchC, specify SwitchB as its symmetric passive peer.
[SwitchC] ntp-service unicast-peer 10.0.0.2
# Enable the NTP server function on SwitchC.

[SwitchC] undo ntp-service server disable
Because SwitchC is not configured with a master clock and its clock stratum is lower than
that of SwitchB, SwitchC synchronizes its clock with the clock of SwitchB.
# Check the clock status of SwitchC. SwitchThe clock status is synchronized, indicating that
the clock synchronization is complete. The clock stratum of SwitchC is 4, which is one
stratum lower than that of the symmetric passive peer SwitchB.
clock stratum: 4
reference time: 06:55:50.784 UTC Mar 7 2006(C7B7ACF6.C8D002E2)
synchronization state: clock set but frequency not determined
----End
Configuration Files
#
sysname SwitchA
#
vlan batch 10
#
#
interface Vlanif10
ip address 10.0.0.1 255.255.255.0
#
#
return

#
sysname SwitchB
#
vlan batch 10
#
ntp-service unicast-server 10.0.0.1
#
interface Vlanif10
ip address 10.0.0.2 255.255.255.0

#
#
return

#
sysname SwitchC
#
vlan batch 10
#
ntp-service unicast-peer 10.0.0.2
#
interface Vlanif10
ip address 10.0.0.3 255.255.255.0
#
#
return
l Switch configuration file

#
sysname Switch
#
vlan batch 10
#
#
#
#
return
4.7.3 Example for Configuring the NTP Broadcast Mode with NTP
Authentication Enabled
As shown in Figure 4-13, SwitchA, SwitchB, and SwitchC are located on the same LAN.
SwitchA synchronizes its clock with an authoritative clock, the Global Positioning System
(GPS), through the radio.
It is required that all switches in Figure 4-13 synchronize their clocks with the clock of
SwitchA to ensure accounting accuracy.

Figure 4-13 Networking diagram for configuring the NTP broadcast mode with NTP
authentication enabled
SwitchA
GE1/0/1
VLANIF10
10.0.0.1/24
GE1/0/1 GE1/0/1
10.0.0.2/24 10.0.0.3/24
GE1/0/3 GE1/0/2
SwitchB Switch SwitchC
You can use NTP to synchronize time and configure the NTP broadcast mode with NTP
authentication enabled to meet the clock synchronization requirement. The configuration
roadmap is as follows:
1. Configure SwitchA as the master clock server, use its local clock as the NTP master
clock, and set the clock stratum to 3.
2. Configure SwitchA as the NTP broadcast server that sends broadcast packets through
VLANIF 10 (the corresponding physical interface is GE1/0/1).
3. Configure SwitchB and SwitchC as NTP broadcast clients.
4. Enable NTP authentication to ensure NTP clock synchronization security.
Procedure
Step 1 Configure IP addresses for SwitchA, SwitchB, and SwitchC.
# Configure an IP address for SwitchA. The configurations of SwitchB and SwitchC are
similar to the configuration of SwitchA, and are not mentioned here. For details, see the
configuration files.
[SwitchA] vlan 10

[Switch] vlan 10

Step 3 Configure the NTP broadcast server and enable NTP authentication.
# Configure the local clock of SwitchA as the NTP master clock, and set the clock stratum to
3.
# Enable NTP authentication.

[SwitchA] ntp-service authentication enable
[SwitchA] ntp-service authentication-keyid 16 authentication-mode hmac-sha256
cipher Hello123
[SwitchA] ntp-service reliable authentication-keyid 16
# Configure SwitchA as the NTP broadcast server that sends NTP broadcast packets from
VLANIF 10, and specify key 16 for encryption.
[SwitchA-Vlanif10] ntp-service broadcast-server authentication-keyid 16

Step 4 Configure SwitchB as an NTP broadcast client, which is on the same network segment as the
NTP server.

[SwitchB] ntp-service authentication enable
[SwitchB] ntp-service authentication-keyid 16 authentication-mode hmac-sha256
cipher Hello123
[SwitchB] ntp-service reliable authentication-keyid 16
# Configure SwitchB as an NTP broadcast client that listens to NTP broadcast packets on
VLANIF 10.
[SwitchB-Vlanif10] ntp-service broadcast-client
Step 5 Configure SwitchC as an NTP broadcast client, which is on the same network segment as the
NTP server.

[SwitchC] ntp-service authentication enable
[SwitchC] ntp-service authentication-keyid 16 authentication-mode hmac-sha256
cipher Hello123
[SwitchC] ntp-service reliable authentication-keyid 16
# Configure SwitchC as an NTP broadcast client that listens to NTP broadcast packets on
VLANIF 10.


[SwitchC-Vlanif10] ntp-service broadcast-client

After the configuration is complete, SwitchB and SwitchC can synchronize their clocks to the
clock of SwitchA.
# Check the NTP status of SwitchC. The clock status is synchronized, indicating that the
clock stratum: 4
root delay: 0.00 ms
reference time: 12:17:21.773 UTC Mar 7 2012(C7B7F851.C5EAF25B)
----End
Configuration Files
#
sysname SwitchA
#
vlan batch 10
#
%#uLLi;!VFkMLO;SAD#:~GS=:/UzP~}1lS2'KT2,.T%^%#
#
interface Vlanif10
ip address 10.0.0.1 255.255.255.0
ntp-service broadcast-server authentication-keyid 16
#
#
return

#
sysname SwitchB
#
vlan batch 10
#
%#cVg6'G;i2*@[$uB@!^}:g$V6+~Hc}V,]M"Y/voeF%^%#

#
interface Vlanif10
ip address 10.0.0.2 255.255.255.0
#
#
return
#
sysname SwitchC
#
vlan batch 10
#
%#vLLi;!VFkMLO;SAD#:~GS=:/UzP~}1lS2'KT3,.T%^%#
#
interface Vlanif10
ip address 10.0.0.3 255.255.255.0
#
interface Vlanif20
ip address 10.1.1.2 255.255.255.0
#
#
return
#
sysname Switch
#
vlan batch 10
#
#
#
#
return
4.7.4 Example for Configuring the NTP Multicast Mode

In Figure 4-14, SwitchA, SwitchB, and SwitchC are located within the same LAN. SwitchC
synchronizes its clock with GPS through radio.

To ensure accounting accuracy, all switches on the LAN require clock synchronization with
the clock of SwitchC.
Figure 4-14 Configuring the NTP multicast mode

SwitchC
GE1/0/1
VLANIF10
GE1/0/2 10.1.3.2/24 GE1/0/1
10.1.3.1/24 10.1.3.3/24
GE1/0/1 GE1/0/2
SwitchA Switch SwitchB
1. Configure SwitchC as the master clock server, use its local clock as the NTP master
clock, and set the clock stratum to 2.
2. Configure SwitchC as the NTP multicast server that sends multicast packets through
VLANIF 10 (the corresponding physical interface is GE1/0/1).
3. Configure SwitchA and SwitchB as NTP multicast clients. Configure SwitchA to listen
to multicast packets on VLANIF 10 (the corresponding physical interface is GE1/0/2).
Configure SwitchB to listen to multicast packets on VLANIF 10 (the corresponding
physical interface is GE1/0/1).
Procedure
Step 1 Configure an IP address for each interface according to Figure 4-14 and ensure that the
switches have reachable routes to each other.
# Configure an IP address and a routing protocol on SwitchB. The configurations of SwitchC
and SwitchA are similar to the configuration of SwitchB, and are not mentioned here. For
details, see the configuration files.
[SwitchB] vlan 10
[SwitchB-GigabitEthernet1/0/1] port link-type hybrid
[SwitchB-GigabitEthernet1/0/1] port hybrid pvid vlan 10
[SwitchB-GigabitEthernet1/0/1] port hybrid untagged vlan 10
[SwitchB] ospf 1
[SwitchB-ospf-1] area 0
[SwitchB-ospf-1-area-0.0.0.0] network 10.1.1.0 0.0.0.255
[SwitchB-ospf-1-area-0.0.0.0] quit
[SwitchB-ospf-1] quit


[Switch] vlan 10
Step 3 Configure the NTP multicast server.

# Configure the local clock of SwitchC as the NTP master clock, and set the clock stratum to
2.
[SwitchC] ntp-service refclock-master 2
# Configure SwitchC as the NTP multicast server that sends NTP multicast packets through
VLANIF 10.
[SwitchC-Vlanif10] ntp-service multicast-server
# Enable the NTP server function on SwitchC.

[SwitchC] undo ntp-service server disable
Step 4 Configure SwitchA and SwitchB as NTP multicast clients, which are on the same network
segment as the NTP multicast server.
# Configure SwitchA as an NTP multicast client that listens to NTP multicast packets on
VLANIF 10.
[SwitchA-Vlanif10] ntp-service multicast-client
# Configure SwitchB as an NTP multicast client that listens to NTP multicast packets on
VLANIF 10.
[SwitchB-Vlanif10] ntp-service multicast-client

After the configuration is complete, SwitchA and SwitchB can synchronize their clocks with
the clock of SwitchC.
# Check the NTP status of SwitchC. The clock stratum is 2 and the reference clock is
LOCAL, indicating that the local clock functions as the reference clock.
clock stratum: 2
reference clock ID: LOCAL(0)


root delay: 0.00 ms
reference time: 12:25:19.710 UTC Nov 19 2013(D635D72F.B5F41AEF)
# Check the NTP status of SwitchA. The clock status is synchronized, indicating that the
that of the NTP server SwitchC.
[SwitchA] display ntp-service status
clock stratum: 3
# Check the NTP status of SwitchB. The clock status is synchronized, indicating that the
that of the NTP server SwitchC.
clock stratum: 3
root delay: 0.00 ms
----End
Configuration Files
#
sysname SwitchA
#
vlan batch 10
#
#
interface Vlanif10
ip address 10.1.3.1 255.255.255.0
ntp-service multicast-client
#
#
ospf 1

area 0.0.0.0
network 10.1.1.0 0.0.0.255
network 10.1.3.0 0.0.0.255
#
return
#
sysname SwitchB
#
vlan batch 10
#
#
interface Vlanif10
ip address 10.1.3.3 255.255.255.0
ntp-service multicast-client
#
#
ospf 1
area 0.0.0.0
network 10.1.3.0 0.0.0.255
#
return
#
sysname SwitchC
#
vlan batch 10
#
#
interface Vlanif10
ip address 10.1.3.2 255.255.255.0
ntp-service multicast-server
#
#
ospf 1
area 0.0.0.0
network 10.1.3.0 0.0.0.255
#
return
#
sysname Switch
#
vlan batch 10
#
#
#

#
return
4.8 Reference
This section lists references of NTP.
The following table provides reference standards and protocols for NTP.
Document No. Description
RFC 1305 Network Time Protocol (Version 3) Specification,

Implementation and Analysis
RFC 5905 Network Time Protocol Version 4: Protocol and Algorithms

Specification
RFC 5906 Network Time Protocol Version 4: Autokey Specification

Configuration Guide - Device Management 5 Ethernet Clock Synchronization Configuration
5 Ethernet Clock Synchronization

Configuration
About This Chapter
This chapter describes how to configure Ethernet clock synchronization. This technology
synchronizes clocks through the Ethernet.
5.1 Overview
5.2 Principles
5.3 Licensing Requirements and Limitations for Ethernet Clock Synchronization
5.4 Configuring Ethernet Clock Synchronization
5.1 Overview
Definition
The Ethernet clock synchronization feature is used to synchronize the clock frequency on the
Ethernet. The clock signal can be obtained from the circuit or received from the external BITS
interface and transmitted to the downstream network through the Ethernet. After this function
is enabled, the clock frequency is synchronized through the Ethernet.
Purpose
Rapid development and wide application of telecommunications technologies require high
precision clock frequency synchronization. Table 5-1 describes the requirements for clock
frequency synchronization in telecommunications services. In the past, to synchronize the
clock frequency on the telecommunications network, the sites on the network obtained
accurate clock signals from the Global Positioning System (GPS). Antennas need to be
installed to receive clock signals from the GPS, which causes high construction and security

costs. Ethernet clock synchronization enables the device to synchronize clock frequency from
another site through an Ethernet network or obtain the optimal clock signals from lines.
Table 5-1 Synchronization requirements of wireless technologies

Wireless Technology Required Clock Required Phase
Frequency Accuracy Synchronization
Accuracy
GSM 0.05 ppm NA
WCDMA 0.05 ppm for the base NA

station
Pico 0.1 ppm NA
TD-SCDMA 0.05 ppm 3 us
CDMA2000 0.05 ppm 3 us
WiMax FDD 0.05 ppm NA
WiMax TDD 0.05 ppm 1 us
Benefits
Using the Ethernet clock synchronization feature, carriers do not need to install antennas to
obtain the clock frequency from the GPS. Clock signals can be transmitted from other sites
through the Ethernet. This reduces costs of network construction and maintenance. As
Ethernet clock synchronization allows clock synchronization without the GPS, this
technology protects national security.
5.2 Principles
On the synchronization Ethernet, clock signals are transmitted at the physical layer, as shown
in Figure 5-1. The device requires a clock module, that is, a clock pinch board, to send high-
accuracy system clock signals to all the Ethernet interface line cards.
l In the receiving direction, the PHY chip of an Ethernet interface line card restores and
abstracts the clock signals sent from the circuit, divides the frequency, and sends the
clock signals to the clock pinch board. The clock pinch board selects the clock with the
highest accuracy as the reference clock source according to the SSM protocol and other
related information, and then sends the clock source system phase-locked loop (PLL).
The PLL traces this reference clock source and sends high-accuracy clock signals to each
interface line card.
l In the sending direction, the PLL on an Ethernet interface line card traces the clock
source sent from the clock pinch board and generates the reference clock for data
sending of the PHY chip.
Through the preceding process, clock frequency signals can be transmitted at the
physical layer. The SSM quality level of the Ethernet clock is transmitted through
dedicated SSM frames.

Figure 5-1 Synchronization of clock frequency on the synchronization Ethernet
Clock pinch Circuit clock

Provide RCLK
board Frequency
Report accurate
circuit division
system
clock to clock for
clock line PHY MAC
pinch cards
board
System clock
PLL
Ethernet interface
line card
Ethernet interface line
card
On the device, clock signals are transmitted as follows:
1. Clock signals from different clock sources are sent to the clock pinch board.
The clock pinch board of the device can obtain clock signals from the following
components:
– Circuit clock
The switching chip on the LPU of the device can obtain clock signals from an
optical interface, and then sends the clock signals to the clock pinch board on the
main control board through the circuit on the backplane.
– External clocks, such as the building integrated timing supply (BITS) clocks
– The high-accuracy oscillator of the clock pinch board, which is used in emergencies
when neither the LPUs nor the external clocks can provide the clock source
2. The clock pinch board selects the best clock source from the received clock signals, and
then sends 19.44 MHz clock signals to all LPUs through the downlink circuits on the
backplane.
3. The switching chip of each LPU uses the this clock signal as the drive clock signal to
send and receive packets.
Synchronization Status Message

The synchronization status message (SSM) is used to transmit the quality level of timing
signals on the synchronization timing link. A node on the Synchronous Digital Hierarchy
(SDH) network or clock synchronization network can obtain the clock information of the
upstream device by parsing the SSM message. The node performs operations such as tracing,
switching, or holding the local clock source according to the SSM message, and then forwards
the SSM message to the downstream device. The SSM message contains a 4-bit code, which
can express 16 types of signals to indicate different quality levels.
Table 5-2 lists the quality levels in the SSM message.

Table 5-2 SSM quality levels

S1 Bit (Bits 5 to 8) SDH Synchronization Quality Level
0000 Not used.
0001 Reserved. See note 1.
0010 Stratum-1 clock. See note 2.
0011 Reserved.
0100 Stratum-2 clock. See note 3.
0101 Reserved.
0110 Reserved.
0111 Reserved.
1000 Stratum-3 clock.
1001 Reserved.
1010 Reserved.
1011 SDH clock (G813)
1100 Reserved.
1101 Reserved.
1110 Reserved.
1111 Not used for synchronization.
Note 1: Usage of the reserved codes depends on future application.

Note 2: This code is applicable to the V type clock defined in G.812 for SDH.
Note 3: This code is not applicable to the VI type clock defined in G.812 for SDH.
NOTE
The S1 byte is transmitted through frames on the BITS interface and through SSM messages on the
Ethernet.
Table 5-3 shows the mappings between International clock classes and Chinese clock classes.
Table 5-3 Mappings between international clock classes and Chinese clock classes
International Clock Class Chinese Clock Class
QL-PRC Stratum-1 clock
QL-SSU-T Stratum-2 clock
QL-SSU-L Stratum-3 clock

International Clock Class Chinese Clock Class
QL-SEC SDH clock (G.813 Option I)
QL-DNU Cannot be used to Synchronize.
BITS
The BITS clock is an accurate external clock.
The accuracy levels of clocks in descending order are: BITS clock, circuit clock, and clock
generated by the local oscillator of the clock pinch board.
The clock pinch board provides two BITS interfaces, which can receive clock signals from
two sources or obtain clock signals from the circuit.
Clock Input Modes

The following clock sources can provide input clock signals:
l External clock
l Circuit clock
l Oscillator of the clock pinch board
The device supports three clock source selection modes, as described in Table 5-4.
Table 5-4 Clock source selection modes

Mode Description
Without the SSM quality l This mode is used when the circuit clock or external clock
level does not provide the SSM quality level or when the quality
level of each circuit clock source is already known. For
example, if you know that the quality level of clock A is
higher than the quality level of clock B, you can set a higher
priority for clock A.
l The system selects the clock source according to the priority
that you set for each clock source. The clock source with the
highest priority is selected.
With the SSM quality l This mode is used when most of the circuit clock sources
level have SSM quality levels.
l The system selects the clock source with the highest SSM
quality level. When two clock sources have the same SSM
quality level, the one with higher priority is selected.

Mode Description
Extended mode with the l The system selects the clock source in the same way as the
SSM quality second mode.
l The lower four bits of the S1 byte indicate the SSM quality
level.
The higher four bits are used to transmit the clock source ID.
The clock source ID prevents timing loops, where the output
timing signal is sent back to the sender.
In the preceding modes, through running related commands, you can perform manual
switchover or forcible switchover to select a specifically clock.
l Through manual switchover, you can change the clock source regardless of the priority
of the clock source.
l Through forcible switchover, you can change the clock source regardless of the priority
and SSM quality of the clock source.
The selected clock signal is then sent to all LPUs through circuits on the backplane so that all
LPUs obtain an accurate clock signal. The clock signal is then sent to the downstream
network through interfaces on the LPUs.
Working Modes of the Clock Chip

The clock chip can work in any of the following modes:
l Tracing
If a BITS clock or circuit clock is selected as the clock source, the clock chip needs to
trace and lock the clock frequency. This task is performed by the PLL.
l Holding
When tracing an external clock (a BITS clock or circuit clock), the clock chip keeps
saving the data of the clock.
When the clock cannot be used as the clock source, the clock chip maintains the
frequency of the clock source for a certain period (24 hours at most) according to the
clock data saved previously.
In permanent holding mode, the clock chip uses the last saved data as the output clock
frequency.
l Free running
In free running mode, the clock chip uses the clock generated by the oscillator as the
external clock.

Common Networking Modes
Table 5-5 Clock transmission networking modes

Networking Mode Usage
Circuit clock transmitted l The clock module obtains high-accuracy clock signals from
downstream the circuit and sends the clock signals to the downstream
network.
l The equipment uses the high-accuracy clock signals
obtained from the circuit.
BITS clock to circuit l A BITS clock generates high-accuracy clock signals.

clock l The high-accuracy clock signals are transmitted through the
Ethernet.
obtained from the BITS clock.
Circuit clock to BITS l The clock module obtains high-accuracy clock signals from
clock the circuit.
l A BITS clock generates high-accuracy clock signals.
obtained from the circuit.
SSM Message Transmission on the Ethernet

The SSM quality level is transmitted on the Ethernet through SSM messages. Generally, an
interface sends an SSM message every second. If the interface does not receive any SSM
message from the peer interface within five seconds, the system considers that the SSM
quality level of the circuit on the peer interface is Do not use (DNU). That is, the clock of this
circuit will not be selected.
The Ethernet type value in an SSM message is 0x8809, indicating that the SSM protocol is a
slow protocol. Figure 5-2 shows the format of an SSM message.

Figure 5-2 Format of an SSM message in an Ethernet frame
Octet number Size Field

1-6 6 octets Destination Address=01-80-C2-00-00-02(hex)
7-12 6 octets Source Address
13-14 2 octets Slow Protocol Ethertype=88-09(hex)
15 1 octets Slow Protocol Subtype=0A(hex)
16-18 3 octets ITU-OUI=00-19-A7(hex)
19-20 2 octets ITU Subtype
4 bits Version
21 1 bit Event flag
3 bits Reserved
22-24 3 octets Reserved
25-1532 36-1490 octets Data and Padding
Last 4 4 octets FCS
The fields in the SSM message are described as follows:
l The value of the ITU Subtype field is 0x0001.

l The value of the Version field is 1.
l The Event Flag field indicates whether an event is reported and the value is 0.
l The Data and Padding field uses the TLV structure. The first TLV contains the SSM
quality level, as shown in Figure 5-3.
Figure 5-3 Format of the first TLV
8 bits Type: 0x01

16 bits Length: 0x04
4 bits 0 (unused)
4 bits SSM Code
The minimum length of the Data and Padding field is 64 bytes.
SSM Message Transmission in the BITS

The G.704 standard specifies that the SSM quality level should be transmitted in timeslot TS0
in the 2048 kbit/s multiframe. Figure 5-4 shows the structure of a 2048 kbits/s multiframe.

Figure 5-4 Structure of a 2048 kbit/s multiframe
Bit 1 to bit 8
Sub-multiframe Frame No.
1 2 3 4 5 6 7 8
C1 0 0 1 1 0 1 1
0 1 A Sa Sa Sa Sa Sa
0 C2 0 0 4 5 6 7 8
1 0 1 A 1 1 0 1 1
2 C3 0 0 Sa Sa Sa Sa Sa
3 1 1 A 4 5 6 7 8
I
4 C4 0 0 1 1 0 1 1
5 0 1 A Sa Sa Sa Sa Sa
6 4 5 6 7 8
7 1 1 0 1 1
Sa Sa Sa Sa Sa
4 5 6 7 8
C1 0 0 1 1 0 1 1
1 1 A Sa Sa Sa Sa Sa
Multiframe
8 C2 0 0 4 5 6 7 8
9 1 1 A 1 1 0 1 1
10 C3 0 0 Sa Sa Sa Sa Sa
11 E 1 A 4 5 6 7 8
II
12 C4 0 0 1 1 0 1 1
13 E 1 A Sa Sa Sa Sa Sa
14 4 5 6 7 8
15 1 1 0 1 1
Sa Sa Sa Sa Sa
4 5 6 7 8
Sa4-Sa8 are spare bits. Sa4 bit of the first frame in the sub-multiframe of a PCM
CRC multiframe is the first bit of the SSM quality level.
A multiframe consists of eight sub-multiframes. If the SA4 bit is used to transmit the SSM
quality level, each sub-multiframe transmits an SA4 bit. The eight sub-multiframes jointly
carry a byte, which is called the S1 byte. The fifth to eighth bits of the S1 byte indicate the
SSM quality level. You can specify the bit from which the clock module obtains the S1 byte.
Timing Loop Avoidance

A timing loop occurs when a clock receives its own clock signal. That is, the output signal of
a clock becomes the input signal of the clock. Measures to prevent timing loops should be
taken in the network design stage. Timing loops can be prevented in the following ways:
l When a circuit clock is selected as the clock source, you can set the SSM quality level of
the clock to DNU to prevent timing loops that may occur on the peer device.

Figure 5-5 Timing loop avoidance
Switch
Circuit clock Another
device
DNU
l Use the extended clock source selection mode with the SSM quality level.
This mode is developed by Huawei and has been used as a standard in China.
Implementation of this mode is as follows:
– On the synchronization Ethernet, the SSM quality level occupies only the lower
four bits of the S1 byte and the higher four bits are idle. The ID of the clock source
is transmitted through the higher four bits of the S1 byte.
– In a simple ring network, the reverse path of the ring network will transmit clock
signals if the path of the ring network is down. The ID of the clock source can
prevent timing loops by signing the primary clock source so that the clock source is
protected.
On a complicated network, however, clock source IDs cannot completely eliminate
timing loops because there are only 16 clock source IDs. In addition, the timing
loops generated on a subnet that does not contain the origin clock source cannot be
prevented. To prevent timing loops more effectively, you can use the clock source
IDs to separate the subnets.
– A complicated network can be divided into two or more subnets. On a subnet, the
clock source IDs are allocated by the network designer. The following is an
example of subnet division.
Figure 5-6 Subnet division
Master BITS
A C
a
B b D
Slave BITS
Figure 5-6 shows a common networking mode, in which two rings are connected through two
links. There are two available reference clock sources on the entire network. If you set IDs
only for the two reference clock sources, the IDs cannot be terminated on the right ring when
the links between the two rings fail because the IDs come from the left ring. In this case, a
timing loop occurs.
The solution is as follows:

Divide the network into two subnets, namely, left ring and right ring.
l Specify the master and slave BITS clocks on the left ring and set IDs for the BITS
clocks.
l Specify the two links as the master and slave reference clock sources for the right ring.
By setting clock source IDs, you can separate the left and right rings logically. On network
element C on the right ring, set an ID for link a. Similarly, set an ID for link b on network
element D. If faults occur on link a and link b, no timing loop is generated because the right
ring has clock source IDs.
NOTE
The clock source IDs set on the right ring identify the reference clock sources and separate the right ring
from the left ring. The clock source IDs set on the left ring cannot be sent to the right ring through link a
and link b, and the right ring can receive only the SSM quality level from the left ring.
The clock source IDs set on the right ring can be the same as the IDs set on the left ring,
solving the problem of a limited number of IDs.
5.3 Licensing Requirements and Limitations for Ethernet

Clock Synchronization

BITS clock source
Ethernet clock synchronization is not under license control.

S7700 S7703, S7706, and V200R010C00 and V200R011C10

S7712
S9700 S9703, S9706, and V200R001(C00&C01), V200R002C00,

S9712 V200R003C00, V200R005C00, V200R006C00,
V200R007(C00&C10), V200R008C00,
V200R009C00, V200R010C00, V200R011C10
NOTE
Feature Limitations
Constraints on Ethernet Clock Synchronization

l To use the Ethernet clock synchronization feature, you must install the CKM-clock
daughter card on the switch.
l Only the EH1D2S24CEA0, X series (except the EH1D2G48TX1E card) support
Ethernet clock synchronization. On the X1E series cards, the function takes effect only
after the enhanced working mode is configured using the set service-mode command.
l Ethernet clock synchronization is not supported on GE electrical interfaces, including
GE combo interfaces that work in electrical interface mode.
Clock Sources Supported by the Switch
The device can transmit clock signals on the Ethernet or synchronous digital hierarchy (SDH)
network. Table 5-7 lists types of clock sources supported by the switch.
Table 5-7 Supported clock sources

Clock No. Name Description
0 Inner Clock Clock signal generated by the local oscillator of the clock
daughter card.
1 BITS0 Clock signal sent or received by the BITS0 interface of the

master main control board on local device.
2 BITS1 Clock signal sent or received by the BITS1 interface of the

master main control board on local device.
3 Slave Board Clock signal sent or received by the BITS0 interface of the
BITS0 slave main control board on local device.
4 Slave Board Clock signal sent or received by the BITS1 interface of the
BITS1 slave main control board on local device.
5 Left Frame Clock signal sent from the left side of the frame by the
Clock LPUs with smaller slot IDs.
l On the S7703 and S9703, LPUs in slot 1 to slot 3 send
clock signals from the left side of the frame.
6 Right Frame Clock signal sent from the right side of the frame by the
Clock LPUs with greater slot IDs.
l S7703 and S9703 do not have this clock.
clock signals from the right side of the frame.
clock signals from the right side of the frame.
7 FSU Clock source on the flexible service unit (FSU). This clock
source is reserved.

Clock No. Name Description
8 Slave Board Clock source on the FSU of the peer board (MPU). This
FSU clock source is reserved.
9 System System clock.

Clock
10 Peer System System clock of the peer board (MPU).

Clock
The clock sources are described as follows:
l The system clock, BITS0 clock, and BITS1 clock are external clocks used to
synchronize clock signals. Only external clocks need to select the clock source.
l An external clock can function as the reference clock source of other clocks or send
clock signals. Other clocks can function only as the reference clock of external clocks.
l The system clock can select the reference clock source among clocks 0 to 8.
l The BITS clocks can select clocks 5 to 9 as the reference clock source.
Clock Source Selection Mode Supported by the Device
The device supports the following modes of clock source selection:
l Free running
– Non-SSM mode: The clock source is selected based on the priority. A smaller
priority level indicates a higher priority.
– SSM mode: The clock source is selected based on the SSM quality level and
priority.
The SSM quality level takes precedence over the priority in clock source selection.
The clock source with the highest SSM quality level is selected first.
When two clock sources have the same SSM quality level, the one with higher
priority is selected.
– SSM extended mode: This mode is based on the SSM mode, and you can set the
clock ID in this mode.
l Forcible mode
l Manual mode
The SSM quality level takes precedence over the priority when the SSM quality level is used
in clock source selection. In forcible mode, you can specify a clock source regardless of the
SSM quality level and priority of the clock source. In manual mode, you can specify a clock
source regardless of the priority of the clock source, but the SSM quality level still affects the
selection result.
If you enable the result of frequency offset check to affect clock source selection, the selection
result also depends on the result of frequency offset check. If the frequency offset of a clock is
out of the specified range, the signal of the clock is considered invalid (Signal-fail), and the
clock cannot be selected as the clock source.

5.4 Configuring Ethernet Clock Synchronization
5.4.1 Forcibly Specifying a Reference Clock Source for the Main

Control Board
The device allows you to forcibly specify a reference clock source.
Context
Generally, the system selects the clock source automatically. You can forcibly select the clock
source of a clock in special situations.
You can forcibly specify a clock source regardless of the SSM quality level and priority of the
clock source. Different from the manual mode, you can specify a clock source in Signal-fail
state in forcible mode.
l When you forcibly specify a clock source to replace the original clock source of the
system clock:
– If the specified clock source is in Signal-fail state, the system automatically uses the
inner clock as the reference clock source.
– When the specified clock source recovers, the system automatically uses this clock
source as the reference clock source.
l When you forcibly specify a clock source to replace the original clock source of a BITS
clock:
– If the specified clock source is in Signal-fail state, the BITS clock automatically
uses the system clock as the reference clock source.
– When the specified clock source recovers, the BITS clock automatically uses this
clock as the reference clock source.
Before forcibly specifying a reference clock source, complete the following tasks:
l Set parameters of the link layer protocol and IP addresses for the interfaces to ensure that
the link layer protocol on the interfaces is in Up state.
l Configure the routing protocol to make the IP routes between the nodes reachable.
l Ensure that the clock to be configured meets the following conditions:
– All clock sources provide valid clock signals.
– The result of frequency offset check does not affect clock source selection or the
frequency offset of the clock sources is within the specified range.
– The clock sources are not locked.
– The priority of the clock is other than 255 (DIS) so that the clock can function as
the clock source.

Procedure
Step 1 Run:
system-view
Step 2 Run:
clock force-switch source source { system | bits0 | bits1 }
A new reference clock source is forcibly specified for the system clock, BITS0 clock, or
BITS1 clock.
l The number of the clock source for the system clock ranges from 0 to 8.
l The number of the clock source for the BITS clocks ranges from 5 to 9.
Table 5-8 shows the mappings between the clock source numbers and clock sources.
Table 5-8 Mappings between the clock source numbers and clock sources
Clock No. Clock Source
0 Inner Clock
1 BITS0
2 BITS1
3 Slave Board BITS0
4 Slave Board BITS1
5 Left Frame Clock
6 Right Frame Clock
7 FSU (reserved)
8 Slave Board FSU (reserved)
9 System Clock
----End

You can run either of the following commands to check the configuration of forcible clock
source selection.
l Run the display clock mode [ slave ] command to view the mode of clock source
selection.
l Run the display clock selection [ slave ] command to view the current clock sources of
the external clocks.

5.4.2 Manually Specifying a Reference Clock Source for the Main

Control Board
The device allows you to manually specify a reference clock source flexibly.
Context
When clock sources are configured with priorities but not configured with SSM quality levels,
you can manually specify a clock source if you need to select a clock with a lower priority as
the clock source.
NOTE
l You cannot manually specify a clock source in Signal-fail state.

l When the SSM quality level is used in clock source selection, you cannot specify a clock source
whose SSM quality level is lower than the SSM quality level of the current clock source.
l If the signal of the manually specified clock source becomes invalid or if the SSM quality level of
the clock source degrades, the system automatically enters the free running state. The specified clock
source never takes effect again even if its signal or quality level recovers.
Before manually specifying a clock source, complete the following tasks:
Procedure
Step 1 Run:
system-view
Step 2 Run:
clock manual-switch source source { system | bits0 | bits1 }
A new reference clock source is manually specified for the system clock, BITS0, or BITS1
clock.

0 Inner Clock
1 BITS0
2 BITS1
3 Slave Board BITS0
4 Slave Board BITS1
5 Left Frame Clock
6 Right Frame Clock
7 FSU (reserved)
9 System Clock
----End
Checking the result of configuration

You can run either of the following commands to check the configuration of manual clock
source selection.
l Run the display clock mode [ slave ] command to check the mode of clock source
selection.
l Run the display clock selection [ slave ] command to check the current clock sources of
5.4.3 Setting the Priority of a Clock Source

After you set priorities of clock sources, the system selects the reference clock source based
on priorities.
Context
When there are multiple clock sources, you can set different priorities for them. In normal
situations, a clock board uses the clock source of the highest priority. If no clock source is
specified forcibly or manually and the SSM quality level is not used in clock source selection,
when the clock source of the highest priority fails, the clock board uses the clock source of the
second highest priority.
To implement clock synchronization on the entire network, you can set priorities of clock
sources to ensure that the clock source on the input line of the primary reference clock has the
highest priority on each device.
The primary reference clock must be stable. When configuring multiple clock sources, you
need to configure a backup clock transmission path. When clock signals are lost on the
original clock transmission path, a new clock source is selected and clock signals are
transmitted on the backup path.

Before selecting the clock source based on the priority, complete the following tasks:
l Disable the SSM from being used in clock source selection.
l Cancel the configuration of forcible or manual clock source selection.
l Ensure the clock that will be configured to meet the following conditions:
Procedure
Step 1 Run:
system-view
Step 2 Run:
clock priority priority source source { system | bits0 | bits1 }
The priority is set for a clock source.
By default, the priority of the inner clock source and system clock source is 254, and the
priority of other clock sources is 255. A smaller priority value indicates a higher priority.
0 Inner Clock
1 BITS0
2 BITS1
3 Slave Board BITS0
4 Slave Board BITS1
5 Left Frame Clock
6 Right Frame Clock
7 FSU (reserved)

9 System Clock
----End
Example
selection.
5.4.4 Selecting the Clock Source Based on the SSM Quality Level
If the SSM quality level is used in clock source selection, the device selects the clock source
based on the SSM quality level and then based on the priority.
Applicable Environment
If multiple clock sources can obtain their SSM quality levels, the system can select the
reference clock source based on the SSM quality level. If no reference clock source is
specified forcibly, the clock board uses the clock source of the highest SSM quality level. If
this clock source fails, the clock source uses the clock source of the second highest SSM
quality level. The SSM quality level of the external clock source will change to the SSM
quality level of the clock source selected by the system.
The SSM quality level takes precedence over the priority in clock source selection; therefore,
the SSM quality level of the primary reference clock source must be the highest so that clock
synchronization can be implemented on the entire network.
The SSM quality levels, in descending order, are Primary Reference Clock (PRC),
Synchronization Supply Unit-T (SSU-T), Synchronization Supply Unit-L (SSU-L), SDH
Equipment Clock (SEC), and Do Not Use (DNU). If the SSM level of a clock source is DNU,
and the SSM level is used in clock source selection, this clock source will not be selected as
the reference clock source. The default SSM quality level of the inner clock and system clock
(19.44 MHz) is SEC.
The primary reference clock must be stable. When configuring multiple clock sources, you
need to clock a backup clock transmission path. When clock signals are lost on the original
clock transmission path, a new clock source is selected and clock signals are transmitted on
the backup path.
Before selecting the clock source based on the SSM quality level, complete the following
tasks:

l Cancel the configuration of forcible clock source selection.

Complete the following tasks to configure clock source selection based on the SSM quality
level.
5.4.4.1 Enabling the SSM Quality Level to Be Used in Clock Source Selection
Procedure
Step 1 Run:
system-view
Step 2 Run:
clock ql-enable [ extend ]
The SSM quality level is used in clock source selection.
By default, the SSM quality level is not used in clock source selection. To set clock source
IDs to prevent timing loops, you must enable the SSM quality level to extended SSM mode.
----End
5.4.4.2 (Optional) Setting the SSM Quality Level of a Clock Source
Context
l If the SSM quality level is used in clock source selection but the SSM quality level of a
clock source cannot be obtained, you can specify the SSM quality level of the clock
source by using the clock ssm-config command.
l If the S1 byte of a clock source obtained from the system is 0, the system considers the
SSM quality level of the clock source as the unknown level. By default, the unknown
level maps the DNU level and the clock source of this level is not selected. You can use
the clock ql-unknown command to set the unknown level to a higher level so that the
clock source can participate in clock source selection.
l When the BITS interface selects the clock source based on the SSM quality level:
– If the BITS clock works in BPS mode, the BITS interface obtains the SSM quality
level from the received SSM message. If the SSM quality level can be obtained
from the system, you do not need to run the clock ql-unknown and clock ssm-
config commands. If the SSM quality level cannot be obtained, you can run the
clock ql-unknown and clock ssm-config commands to specify the SSM quality
level.

– When the BITS clock works in 2 MHz mode, the clock does not have an SSM
quality level. If the SSM quality level needs to be used in clock source selection,
run the clock ssm-config command to set an SSM quality level for the clock.
Complete the following tasks according to the preceding description and actual situation.
Procedure
l Setting the SSM quality level of a clock source
a. Run:
system-view

b. Run:
clock ssm-config { prc | ssu-t | ssu-l | sec | dnu } source source
The SSM quality level of a clock source is set.

By default, the SSM quality level of a clock source is SEC.
l Specifying the SSM quality level mapping the unknown quality level
a. Run:
system-view

b. Run:
clock ql-unknown { prc | ssu-t | ssu-l | sec }
the unknown quality level is specified.

By default, the unknown quality level is Do Not Use (DNU).
NOTE
This command is applicable to the clock source whose SSM value is 0. The device considers
the SSM quality level of such a clock source as the value set in this command.
----End
5.4.4.3 (Optional) Preventing Timing Loops Between BITS Interfaces
Context
The device supports bidirectional communication on a BITS interface.
When the SSM quality level is used in clock source selection, unidirectional communication
causes loops because the SSM quality level returned from the remote end may be the same as
the SSM quality level sent from the local end. In this case, clock source selection for the BITS
interface is affected. The loops can be avoided through configurations.
Do as follows on the remote device.
Procedure
Step 1 Run:
system-view

Step 2 Run:
clock force-out-s1 s1-dnu { bits0 | bits1 }
The S1 byte of the SSM message sent to the local BITS interface is set to DNU so that this
clock does not participate in clock source selection. This prevents timing loops between
interconnected devices.
----End
Procedure
selection.
----End
5.4.5 (Optional) Configuring Other Attributes of a Clock Source

This section describes the method of configuring other attributes of a clock source.
Applicable Environment
To control clock synchronization more effectively, perform the following operations:
l Set the transmission mode of clock synchronization and time synchronization of a BITS
clock.
l Set the ID of a clock source to prevent timing loops generated in the SSM extended
mode.
l Set the priorities of the clock sources provided by different interfaces to specify the
sequence of the clock source signals sent from different interfaces to the main control
board. Only the interface of the highest priority can send the clock source signal to the
main control board.
l Lock a clock source to prevent the clock source from being selected.
l Enable the result of frequency offset check to affect clock source selection. The clock
sources with greater frequency offset have lower priority in clock source selection.
l Set the delay time for the system to consider a clock source lost and the wait-to-restore
(WTR) time of the clock source to prevent frequent switchover of clock sources caused
by network flapping.
l Set the permanent holding mode. In this mode, when all the clock sources are lost, the
clock module enters the holding state and retains the original frequency offset according
to the clock information traced before.
NOTE
The permanent holding mode is not recommended.

l Set the non-retrieve mode. In this mode, the system changes the clock source only when
the original clock source fails.

Before configuring the attributes of a clock source, complete the following tasks:
l Set the mode of clock source selection, that is, based on the SSM quality level or
priority.
The following configuration tasks are optional and can be performed at any sequence as
required.
5.4.5.1 Setting Mode of a BITS Clock
Context
The BITS clock refers to the clock signal sent from the BITS interface to a network element.
The signal would be clock signal or time signal. The signal that a BITS clock receives
depends on the signal that the BITS interface sends and receives.
Do as follows on the device as required.
NOTE
The interconnected devices must use the same transmission mode of the BITS clock.
Procedure
Step 1 Run:
system-view

Step 2 Run:
clock bits-type { bps-2m | hz-2m | bps-1544m } { bits0 | bits1 }
The clock mode is set for the BITS0 or BITS1 clock.

Or run:
clock bits-type { dcls-time | 1pps-tod } { in | out } { bits0 | bits1 }
The time mode is set for the BITS0 or BITS1 clock.

By default, the BITS clocks adopt the bps-2m mode.
----End
5.4.5.2 Setting the ID of a Clock Source
Context
If the clock signals sent from a clock source are looped back to the sender directly or through
the network, it indicates that a timing loop occurs. Timing loops should be avoided in network

design. In extended SSM mode, the higher four bits of the S1 bytes are used to transmit the
clock source ID, which reduces timing loops on the network.
Do as follows on the device.
Procedure
Step 1 Run:
system-view

Step 2 Run:
clock id id source source
The ID of a clock source is set.

The default ID of a clock source is 0.
clock no-id-out { bits0 | bits1 }
The BITS0 or BITS1 interface is disabled from sending the ID of the clock source.

clock no-id-out
The interface is disabled from sending the ID of the clock source.
----End
5.4.5.3 Configuring Attributes of the S1 Byte
Context
A multiframe transmitted between BITS interfaces consists of eight sub-multiframes. Each
sub-multiframe contains five spare bits, namely, SA4 bit to SA8 bit. You can select any one of
the spare SA bits to transmit the SDH synchronization code (S1 byte). The eight sub-
multiframes jointly carry the eight bits of the S1 byte.
You can specify the SA bit that is used to transmit the S1 byte.
In special scenarios, you need to manually set the S1 byte that an interface sends to adjust the
SSM.
Do as follows on the device according to the actual situation.
Procedure
Step 1 Run:
system-view

Step 2 Run:
clock recv-sa-bit { sa4 | sa5 | sa6 | sa7 | sa8 } { bits0 | bits1 }
The bit of the SA bits from which the SDH synchronization status code (S1 byte) is received
is specified.
By default, the S1 byte is transmitted in the SA4 bit.
NOTE
If the sender and the receiver are of the same model, you do not need to perform this step because the
device can identify the S1 byte no matter which bit transmits it.
This step is performed when the device synchronizes the clock with another type of device through the
BITS interface. In this case, you need to specify the same bit that transmits the S1 byte on both ends to
ensure that both ends can identify the S1 byte.
Step 3 Run:
clock send-sa-bit { sa4 | sa5 | sa6 | sa7 | sa8 } { bits0 | bits1 }
The bit of the SA packet that is used to transmit the SDH synchronization status code (S1
byte) is specified.
By default, the S1 byte is transmitted in the SA4 bit.
Step 4 Run:
clock force-out-s1 { s1-prc | s1-ssu-t | s1-ssu-l | s1-sec | s1-dnu | else-s1-
byte } { bits0 | bits1 }
The content of the S1 byte sent from the BITS0 or BITS1 interface is set.
By default, the S1 byte is set automatically according to the SSM level of the selected clock
source.
Step 5 Run:
Step 6 Run:
clock force-out-s1 { s1-prc | s1-ssu-t | s1-ssu-l | s1-sec | s1-dnu | else-s1-
byte }
The content of the S1 byte sent from the interface is set.
By default, the S1 byte is set automatically according to the SSM level of the selected clock
source.
----End
5.4.5.4 Setting the Priority of the Clock Signal That an Interface Sends to the
Clock Board
Context
You can set priorities of the clock signals sent to the clock board from the interfaces that the
clock signals enter to determine the direction of clock synchronization.

Procedure
Step 1 Run:
system-view
Step 2 Run:
Step 3 Run:
clock left-frame priority
The priority of the clock signal that the interface sends to the main control board from the left
side of the frame is set.
Or run:
clock right-frame priority
The priority of the clock signal that the interface sends to the main control board from the
right side of the frame is set.
The default priority is 255.
The greater the value is, the lower the priority is.
----End
5.4.5.5 Locking a Clock Source
Context
By locking a clock source, you can prevent the clock source from being selected.
Do as follows on the device where you need prevent a clock source from being selected.
Procedure
Step 1 Run:
system-view
Step 2 Run:
clock lockout source source { system | bits0 | bits1 }
A clock source is locked and cannot be selected as the reference clock source.
By default, no clock source is locked.
----End
5.4.5.6 Configuring Frequency Offset Check

Context
If the frequency offset of a clock source is out of the valid range, the clock source is
considered unavailable.
You can affect the result of clock source selection by setting the valid range of frequency
offset.
Procedure
Step 1 Run:
system-view
Step 2 Run:
clock freq-check
Frequency offset check is enabled to affect clock source selection.
By default, the result of frequency offset check does not affect clock source selection.
Step 3 Run:
clock freq-check-range left-range right-range
The valid range of the frequency offset is set. If the frequency offset of a clock source is out
of the specified range, the frequency offset is too high.
By default, the maximum left frequency offset is -9.2 ppm, and the maximum right frequency
offset is 9.2 ppm.
----End
5.4.5.7 Setting the Delay Time for the System to Consider a Clock Source Lost
Context
Setting the delay time for the system to consider a clock source lost can avoid some mistakes
in determining the clock source caused by occasional signal jitter on the network.
Procedure
Step 1 Run:
system-view
Step 2 Run:
clock hold-off-time hold-off-time source source
The delay time for the system to consider a clock source lost is set.

By default, the delay time for the system to consider a clock source lost is 500 ms.
----End
5.4.5.8 Setting the WTR Time of a Clock Source
Context
Setting the WTR time of a clock source can avoid some mistakes in determining the clock
source caused by occasional signal jitter on the network. The default WTR time of a clock
source is 1 minute. Generally, you do not need to change the default value. If you want to see
the clock source switching result during debugging, set the WTR time to 0.
Procedure
Step 1 Run:
system-view
Step 2 Run:
clock wait-to-restore wait-to-restore-time source source
The wait-to-restore (WTR) time of a clock source is set.
By default, the WTR time of a clock source is 1 minute.
----End
5.4.5.9 Enable the Permanent Holding Mode of the Clock Module
Procedure
Step 1 Run:
system-view
Step 2 Run:
clock hold-for-ever
The permanent holding mode of the clock module is enabled. That is, the clock module holds
the clock information permanently after the clock source is lost.
By default, the clock module retains the clock information for 24 hours after the clock source
is lost.
----End
5.4.5.10 Configuring the Non-Retrieve Mode of the Clock Source

Procedure
Step 1 Run:
system-view
Step 2 Run:
clock no-retrieve
The non-retrieve mode of the clock source is configured.
By default, the retrieve mode is used. That is, if a better clock source is found, the system
selects this clock source automatically.
----End
Procedure
l Run the display clock { bits0 | bits1 } [ slave ] command to view the configuration of
the BITS clock, including the mode of the BITS clock, bit used to transmit the SDH
synchronization status code (S1 byte), content of the S1 byte that is set forcibly, and
whether the ID of the clock source is sent, and so on.
l Run the display clock source command to view information about clock sources,
including the validity of clock signals, SSM quality level, and ID of each clock source,
and so on.
l Run the display clock state interface interface-type interface-number command to view
the clock status on an interface. You can use this command to query all the clock
configurations on an interface.
l Run the display clock freq-check-range command to view the valid range of the clock
frequency offset.
l Run the display clock freq-check-result command to view the result of frequency offset
check.
l Run the display clock hold-off-time command to view the delay time for the system to
consider a clock source lost.
l Run the display clock wait-to-restore command to view the WTR time of each clock
source.
l Run the display clock mode [ slave ] command to view whether the SSM quality level
is used in clock source selection, whether the result of frequency offset check affects
clock source selection, retrieve mode, holding mode, and running status of the clock
module, and clock selection results of the external clocks, and so on.
l Run the display clock { left-frame | right-frame } command to view the priorities of
the clock signals that different interfaces send from the left side or right side of the
frame.
l Run the display clock lockout command to check whether a clock source is locked.
l Run the display clock priority command to view the priorities of clock sources.
l Run the display clock ql-unknown command to view the SSM quality level mapping
the unknown level.

l Run the display clock selection [ slave ] command to view the clock source selected by
each external clock.
l Run the display clock ssm-config command to view the SSM quality levels of clock
sources.
----End
5.5.1 Example for Selecting the Clock Source Based on the Priority
On a ring network, the clock of a switch is configured as the primary reference clock. You can
set the priorities of clock sources so that the clock source is selected based on priorities. In
addition, timing loops must be prevented. A timing loop occurs when the device where the
primary reference clock is located receives clock signals from a clock source with higher
priority and the clock source of the primary reference clock is re-selected.
As shown in Figure 5-7, three switches form a ring network. The clock of SwitchA is the
primary reference clock. The switches obtain clock signals from the LPUs and select clock
sources based on priorities. Normally, the clock synchronization direction is shown by the red
arrows. If the clock signal fails to be transmitted in this direction, the switches can quickly
change the clock synchronization direction, as shown by the blue arrows. SwitchA is always
Figure 5-7 Networking diagram for Selecting the Clock Source Based on the Priority
SwitchA SwitchC
GE 2/0/0 GE 2/0/0
3
BITS 0/
G
2/
E
E
2/
G
0/
7
G
3
E
0/
5/
5/
0/
E
7
G
SwitchB
Normal clock synchronization

direction
Clock synchronization direction after signal
transmission between SwitchA and SwitchB fails.

1. Configure the routing protocol to make the IP routes between the nodes reachable.
2. Configure the BITS0 interface of SwitchA to use the BITS clock as the input primary
reference clock.
3. Set the mode of clock source selection on SwitchB and SwitchC. Make sure that the
priority of the clock signals sent from the left side of the frame is higher than that of the
clock signals sent from the right side of the frame on each switch. Clock source selection
proceeds in the direction shown by the red arrows.
Procedure
Step 1 Verify that the clock of SwitchA is the primary reference clock.
# Set the priority of the BITS0 clock on SwitchA to 1.
[SwitchA] clock priority 1 source 1 system
# Verify that the SSM quality level is not used in clock source selection.
[SwitchA] display clock mode
QL-Enable : No.
Freq-Check : No.
Retrieve : Yes.
Hold Type : Hold 24 hours.
Run Mode : Free.
Bits0 : Locked.
Bits1 : Locked.
System mode: Auto select clock source 1: BITS0.
Bits0 mode : Auto select clock source 9: System Clock.
Clock time : Free-run
# Verify that the system clock selects the BITS0 clock as the clock source and that the system
clock sends the clock signal to the LPUs as the output clock signal.
[SwitchA] display clock selection
Type Clock Source Selected
---------------------------------------------------------------------
system 1. BITS0
bits0 9. System Clock
Step 2 Set the mode of clock source selection on SwitchB.

# On SwitchB, set the priority of the clock signal that GigabitEthernet5/0/7 sends from the
right side of the frame to 10, and set priority of the clock signal that GigabitEthernet5/0/3
sends from the right side of the frame to 20. Retain the default WTR time. Set the priority of
the clock signal sent from the right side of the frame to 6.
NOTE
If you want to see the clock source switching result during debugging, set the WTR time to 0.
[SwitchB-GigabitEthernet5/0/7] clock right-frame 10


[SwitchB] clock priority 6 source 6 system
# View information about the clock sources sent from the right side of the frame. You can see
that the clock source of GigabitEthernet5/0/7 is sent to the clock board, and the clock
synchronization direction is shown by the red arrows in Figure 5-7.
[SwitchB] display clock right-frame
Interface Priority Clock Signal Selected
---------------------------------------------------------------------
GigabitEthernet5/0/3 20 N
GigabitEthernet5/0/7 10 Y
# View the clock information on SwitchB, and you can see that the inner clock, Right Frame
Clock, and system clock provide clock signals normally.
[SwitchB] display clock source

Reference Clock Source Signal Fail S1 Byte ID SSM
---------------------------------------------------------------------
0 Inner Clock No -- - SEC
1 BITS0 Yes -- - DNU
3 Slave Board BITS0 Yes -- - DNU
5 Left Frame Clock Yes -- - DNU
6 Right Frame Clock No 0f - DNU
7 System Clock No -- - SEC
[SwitchB] display clock mode
QL-Enable : No.
Freq-Check : No.
Retrieve : Yes.
Run Mode : Trace.(SyncOK, Locked)
Bits0 : Locked.
Bits1 : Locked.
System mode: Auto select clock source 6: Right Frame Clock.
# Verify that the system clock selects the clock source sent from the right side of the frame as
the clock source and that the system clock sends the clock signal to the LPUs as the output
clock signal.
[SwitchB] display clock selection
---------------------------------------------------------------------
system 6. Right Frame Clock
Step 3 Set the mode of clock source selection on SwitchC.

# On SwitchC, set the priority of the clock signal that GigabitEthernet 2/0/3 sends from the
left side of the frame to 30, and set priority of the clock signal that GigabitEthernet 2/0/0
sends from the left side of the frame to 40. Retain the default WTR time. Set the priority of
the clock signal sent from the left side of the frame to 5.
NOTE


[SwitchC-GigabitEthernet2/0/3] clock left-frame 30
[SwitchC] clock priority 5 source 5 system
# View information about the clock sources sent from the left side of the frame. You can see
[SwitchC] display clock left-frame
---------------------------------------------------------------------
# View the clock information on SwitchC. You can see that the inner clock, Left Frame Clock,
and system clock provide clock signals normally.
[SwitchC] display clock source

---------------------------------------------------------------------
5 Left Frame Clock No 0f - DNU
6 Right Frame Clock Yes -- - DNU
7 System Clock No -- - SEC
[SwitchC] display clock mode
QL-Enable : No.
Freq-Check : No.
Retrieve : Yes.
Bits0 : Locked.
Bits1 : Locked.
System mode: Auto select clock source 5: Left Frame Clock.
# Verify that the system clock selects the clock source sent from the left side of the frame as
the clock source and that the system clock sends the clock signal to the LPUs as the output
clock signal.
[SwitchC] display clock selection
---------------------------------------------------------------------
system 5. Left Frame Clock

The commands used to verify the configuration result are included in the preceding steps.
----End

Configuration Files
#
sysname SwitchA
#
clock priority 1 source 1 system
#

#
sysname SwitchB
#
#
clock right-frame 20
#
#

#
sysname SwitchC
#
#
clock left-frame 40
#
clock left-frame 30
#
5.5.2 Example for Selecting the Clock Source Based on the SSM
Quality Level
On a ring network, the clock of a switch is configured as the primary reference clock. You can
set the priorities of clock sources so that the clock source is selected based on the SSM quality
level. Timing loops must be prevented.
As shown in Figure 5-8, three switches form a ring network. The clock of SwitchA is the
primary reference clock. The switches obtain clock signals from the LPUs and select the clock
source based on the SSM quality level. The normal clock synchronization direction is shown
by the red arrows. If the clock signal fails to be transmitted in this direction, the switches can
quickly change the clock synchronization direction, as shown by the blue arrows.

Figure 5-8 Networking diagram for Selecting the Clock Source Based on the SSM Quality
Level
SwitchA SwitchC
GE 2/0/0 GE 2/0/0
3
BITS 0/
G
2/
E
E
2/
G
0/
7
G
3
E
0/
5/
5/
0/
E
7
G
SwitchB

direction
2. Configure the BITS0 interface of SwitchA to use the BITS clock as the input primary
reference clock. (The SSM quality level of the BITS0 clock is PRC.)
3. Set the mode of clock source selection on SwitchA, SwitchB and SwitchC.
Procedure
Step 1 Verify that the clock of SwitchA is the primary reference clock and enable the SSM quality
level to be used in clock source selection.
# On SwitchA, enable the SSM quality level to be used in clock source selection and set the
priority of the BITS0 clock to 1.
[SwitchA] clock ql-enable
# View the clock information on SwitchA, and you can see that the inner clock and system
clock provide clock signals normally.
[SwitchA] display clock source
---------------------------------------------------------------------
1 BITS0 No -- - PRC


7 System Clock No -- - PRC
# Verify that the SSM quality level is used in clock source selection.
QL-Enable : Yes.
Freq-Check : No.
Retrieve : Yes.
Run Mode : Free.
Bits0 : Locked.
Bits1 : Locked.
# Verify that the system clock selects the BITS0 clock as the clock source and that the system
clock sends clock signal to the LPUs as the output clock signal.
---------------------------------------------------------------------
system 1. BITS0

NOTE
[SwitchB] clock ql-enable
---------------------------------------------------------------------

---------------------------------------------------------------------


6 Right Frame Clock No 02 - PRC
QL-Enable : Yes.
Freq-Check : No.
Retrieve : Yes.
Bits0 : Locked.
Bits1 : Locked.
# Ensure that the system clock selects the clock source sent from the right side of the frame as
the clock source and that the system clock sends clock signal to the LPUs as the output clock
signal.
---------------------------------------------------------------------

# On SwitchC, set the priority of the clock signal that GigabitEthernet2/0/3 sends from the left
side of the frame to 30, and set priority of the clock signal that GigabitEthernet2/0/0 sends
from the left side of the frame to 40. Retain the default WTR time. Set the priority of the
clock signal sent from the left side of the frame to 5.
NOTE
[SwitchC] clock ql-enable
that the clock source of GigabitEthernet 2/0/3 is sent to the clock board, and the clock
---------------------------------------------------------------------
# View the clock information on SwitchC, and you can see that the inner clock, Left Frame


---------------------------------------------------------------------
5 Left Frame Clock No 02 - PRC
QL-Enable : Yes.
Freq-Check : No.
Retrieve : Yes.
Bits0 : Locked.
Bits1 : Locked.
# Ensure that the system clock selects the clock source sent from the left side of the frame as
signal.
---------------------------------------------------------------------

----End
Configuration Files
#
sysname SwitchA
#
clock ql-enable
#

#
sysname SwitchB
#
clock ql-enable
#
#
#

#
sysname SwitchC
#
clock ql-enable
#
clock left-frame 40
#
clock left-frame 30
#
5.5.3 Example for Selecting the Clock Source Based on the SSM
Quality Level in Extended Mode
If the clock signal sent from the local device is sent back to the local device directly or
through the network, a timing loop occurs. In extended SSM mode, you can set IDs for the
circuit or external clock sources to prevent timing loops.
As shown in Figure 5-9, three switches form a ring network. SwitchC is connected to the
primary clock. The Switches synchronize their clocks with the primary clock. Timing loops
must be prevented through configuration.
Figure 5-9 Networking diagram for Selecting the Clock Source Based on the SSM Quality
Level in Extended Mode
SwitchA SwitchC
GE 2/0/0 GE 2/0/0
3
BITS 0/
G
2/
E
E
2/
G
0/
7
G
3
E
0/
5/
5/
0/
E
7
G
SwitchB

direction

2. Configure the primary clock as the input clock source of SwitchA and set the ID of the
reference clock source.
3. Set the mode of clock source selection on SwitchB and SwitchC.
Procedure
Step 1 On SwitchA, enable the extended SSM mode and set the ID of the BITS clock source.
# Enable the extended SSM mode. Set the ID of the BITS0 clock to 1 and the priority of the
BITS0 clock to 1.
[SwitchA] clock ql-enable extend
[SwitchA] clock id 1 source 1
# View the clock information on SwitchA, and you can see that the inner clock and system
clock provide clock signals normally.
[SwitchA] display clock priority
Reference Clock Source System bits0 bits1
---------------------------------------------------------------------
0 Inner Clock 254 - -
1 BITS0 1 - -
2 BITS1 255 - -
3 Slave Board BITS0 255 - -
4 Slave Board BITS1 255 - -
5 Left Frame Clock 255 255 255
6 Right Frame Clock 255 255 255
7 System Clock - 254 254
QL-Enable : Yes (Extend Mode).
Freq-Check : No.
Retrieve : Yes.
Run Mode : Free.
Bits0 : Locked.
Bits1 : Locked.
# Verify that the system clock selects the inner clock as the clock source and that the system
clock sends the clock signal to the LPUs as the output clock signal.
---------------------------------------------------------------------
system 1. BITS0

NOTE
[SwitchB] clock ql-enable extend
---------------------------------------------------------------------
---------------------------------------------------------------------
6 Right Frame Clock No 12 - PRC
Freq-Check : No.
Retrieve : Yes.
Bits0 : Locked.
Bits1 : Locked.
# Ensure that the system clock selects the clock source sent from the right side of the frame as
signal.
---------------------------------------------------------------------

# On SwitchC, set the priority of the clock signal that GigabitEthernet2/0/3 sends from the left
side of the frame to 30, and set priority of the clock signal that GigabitEthernet2/0/0 sends

from the left side of the frame to 40. Retain the default WTR time. Set the priority of the
clock signal sent from the left side of the frame to 5.
NOTE
[SwitchC] clock ql-enable extend
---------------------------------------------------------------------
# View the clock information on SwitchC, and you can see that the inner clock, Left Frame
---------------------------------------------------------------------
5 Left Frame Clock No 12 - PRC
Freq-Check : No.
Retrieve : Yes.
Bits0 : Locked.
Bits1 : Locked.
# Ensure that the system clock selects the clock source sent from the left side of the frame as
signal.
---------------------------------------------------------------------


----End
Configuration Files
#
sysname SwitchA
#
clock ql-enable extend
clock id 1 source 1
#

#
sysname SwitchB
#
#
#
#

#
sysname SwitchC
#
#
clock left-frame 40
#
clock left-frame 30
#

Configuration Guide - Device Management 6 Energy-Saving Management
6 Energy-Saving Management
About This Chapter
This chapter describes how to configure energy-saving management.
6.1 Overview
6.2 Licensing Requirements and Limitations for Energy-Saving Management
6.3 Configuring Energy-Saving Management
6.1 Overview
Purpose
As network scale enlarges, device power consumption increases enterprise operating expense.
Energy saving becomes the major concern in network construction. Devices use multiple
energy-saving technologies to reduce power consumption.
Energy-Saving Management Features Supported by the Device

The device supports energy-saving features such as Intelligent fan speed adjustment, Energy
Efficient Ethernet (EEE), and automatic laser shutdown (ALS).
l Intelligent Fan Speed Adjustment

The device adopts the intelligent fan speed adjustment technology to monitor the
temperature of key components. If a sensitive component overheats, the fan speed
increases; when the temperature falls back to its normal range, the fan speed decreases.
In this way, the fan module enables the device to run in normal temperature and reduces
power consumption and noise.
l ALS

The automatic laser shutdown (ALS) mechanism controls the pulse of the laser of an
optical module by detecting the Loss of Signal (LOS) on an optical interface. The ALS
mechanism protects operators against laser injury and saves energy.
When ALS is disabled, if the optical fiber link fails, data communication is interrupted.
However, the optical interface and the laser of an optical module are enabled. If the laser
of an optical module still sends pulses after data communication is interrupted, energy is
wasted and eyes of operators may be hurt.
When ALS is enabled, if the optical fiber link fails, the system automatically disables the
laser of an optical module from sending pulses on the optical interface after detecting the
LOS on the optical interface. When the faulty optical fiber link is recovered, the system
detects that the LOS of the optical interface is cleared and enables the laser to send
pulses.
l EEE
Energy Efficient Ethernet (EEE) dynamically adjusts the electrical interface power
according to network traffic volume.
When the EEE function is not configured on the electrical interface, the system provides
power for each interface. Even though an interface is idle, it consumes the same power
as working interfaces. After the EEE function is configured, the system reduces the
power on an interface when the interface is idle and restores the power when the
interface starts to transmit data. This reduces power consumption in the system.
l Port Dormancy
In port dormancy mode, the physical layer (PHY) chip on the electrical interface enters
the low energy consumption mode to reduce power consumption. When interfaces are
not connected, major data transmission channels of the chip enter the dormancy state to
save energy. When interfaces are connected and traffic on the cable is detected, the PHY
chip restores to normal working state.
l Powering off Redundant Power Modules
The device powers off redundant power modules based on rated power consumption or
real-time power consumption. This does not affect system power supply and saves
energy. When the rated power or real-time power increases, the device automatically
powers on redundant power modules. This ensures stable power supply.
l Energy-saving Mode
Besides intelligent fan speed adjustment and ALS, the device saves energy through the
energy-saving mode.
The device supports the following energy-saving modes:
– Standard mode: Factory mode and default power saving mode.
– Basic energy saving mode: Components not in use are shut down or switched to the
sleeping state when no services are configured or users are not online.
– Deep mode: Power consumption is dynamically adjusted for running services, and
components not in use are shut down or switched to the sleeping state according to
the actual situation of services.

NOTE
l The ALS, EEE, and port sleeping functions are disabled by default in the standard energy
saving mode.
l The ALS, EEE, and port sleeping functions are enabled by default in the basic or deep energy
saving mode.
l Redundant power modules can be powered off to save energy only in basic or deep energy
saving mode. In basic energy saving mode, redundant power modules are powered off
according to the rated power consumption of a device. In deep energy saving mode, redundant
power modules are powered off according to the real-time power consumption of a device.
After redundant power modules are powered off, the power module status displays Normal in
the display device command output and NotSupply in the display power command output,
indicating that the power modules are not providing power; the power of the power modules
displays 0 in the display power system command output.
6.2 Licensing Requirements and Limitations for Energy-

Saving Management

Other network elements are not required.
Energy-saving management is a basic feature of a switch and is not under license control.

S7700 S7703, S7706, and V100R003C01, V100R006C00,

S7712 V200R001(C00&C01), V200R002C00,
V200R003C00, V200R005C00, V200R006C00,
V200R007C00, V200R008C00, V200R009C00,
V200R010C00, V200R011C10
S9700 S9703, S9706, and V200R001(C00&C01), V200R002C00,

S9712 V200R003C00, V200R005C00, V200R006C00,
V200R007(C00&C10), V200R008C00,
V200R009C00, V200R010C00, V200R011C10
NOTE
Feature Limitations
None

6.3 Configuring Energy-Saving Management
6.3.1 Configuring Fan Speed Adjustment
Context
The device adjusts fan speed by monitoring the optical module temperature on the board.
When the temperature of an optical module exceeds the upper threshold, the fan speed
increases. When the temperature of optical modules falls below the lower threshold, the fan
speed is reduced.
Procedure
Step 1 Run:
system-view

Step 2 Run:
set transceiver temperature threshold low-temperature high-temperature { all |
slot slot-id }
The upper and lower temperature thresholds for fan speed adjustment are configured.
By default, the fan speed is reduced when the temperature falls below 60°C and is increased
when the temperature exceeds 65°C.
NOTE
Some boards including EH1D2C02FEE0, ES1D2C02FEE0, EH1D2X32SSC0, ES1D2X32SSC0,

EH1D2X16SSC2, and ES1D2X16SSC2 do not support fan speed adjustment based on the optical module
temperature. Therefore, these boards do not support this command. When you input a question mark (?), the
system will not display information about slot IDs of the boards that do not support this command.
----End

l Run the display transceiver temperature threshold { current | default } slot slot-id
command to check the upper and lower temperature thresholds of the fan module.
l Run the display fan command to check the fan status.
6.3.2 Configuring ALS

NOTE
XGE interfaces that connect switches to ET1D2IPS0S00, ET1D2FW00S00, ET1D2FW00S01, and

ET1D2FW00S02 boards do not support the ALS function.
XGE interfaces that connect switches to ACU2 boards do not support the ALS function.
6.3.2.1 Enabling ALS on an Interface

Context
The constraints on ALS are as follows:
l Only optical interfaces support ALS. Electrical interfaces do not support ALS.
l When optical interfaces transmit services unidirectionally, they do not support ALS.
Procedure
Step 1 Run:
system-view

Step 2 Run:

Step 3 Run:
als enable
ALS is enabled on an interface.

After ALS is enabled on an interface, ALS takes effect on this interface.
By default, ALS is disabled on an interface.
----End
6.3.2.2 Setting the Restart Mode of the Laser
Context
After ALS is enabled, the laser is automatically shut down when a fiber is not properly
installed on an interface or the connected optical link fails. However, the laser still needs to
send pulses at a certain interval. When a fiber is installed on an interface or the connected
optical link recovers, the laser is automatically restored to set up a connection for data
communication. Therefore, you need to configure the restart mode of the laser after ALS is
enabled.
The laser of an optical module works in automatic restart mode or manual restart mode.
l Automatic restart mode: The laser automatically sends a pulse at an interval to detect
whether the link recovers.
l Manual restart mode: After the laser is manually started using a command, the laser
sends a pulse to detect whether the optical link recovers.
By default, a laser works in automatic restart mode.
After the optical link recovers, the laser is started after a certain interval if the restart mode is
automatic restart. To start the laser immediately after the optical link recovers, set the restart
mode of the laser to manual restart and run the als restart command.
NOTE
After ALS is enabled on an interface, the laser may send a pulse if the attributes (for example, auto-
negotiation) of the interface is changed or the optical module of the interface is removed and then inserted.

Procedure
l Configure automatic restart mode
a. Run:
system-view

b. Run:
interface interface-type interface—number

c. Run:
undo als restart mode manual
The laser of the optical module is configured to work in automatic restart mode.
By default, a laser works in automatic restart mode.
l Configure manual restart mode
a. Run:
system-view

b. Run:
interface interface-type interface—number

c. Run:
als restart mode manual
The laser of the optical module is configured to work in manual restart mode.
d. (Optional) Run:
als restart
The laser of the optical module is started immediately.

In manual restart mode, if this command is not executed, the laser automatically
sends a pulse after receiving a pulse from the remote end.
----End
6.3.2.3 Setting the ALS Pulse Interval and Width of the Laser
Context
The ALS pulse interval indicates the time between two consecutive pulse transmissions and
applies to the automatic restart mode. The ALS pulse width indicates the pulse period and
applies to the automatic restart mode and manual restart mode.
l In automatic restart mode, a small pulse width and a long pulse interval save more
energy but cannot ensure that optical link recovery can be detected in a timely manner.
l In manual restart mode, a small ALS pulse width saves energy but cannot ensure that
optical link recovery can be detected in a timely manner. In contrary, a large ALS pulse
width ensures that optical link recovery can be detected in a timely manner but wastes
energy.
You can set a proper laser pulse interval and width to ensure energy conservation and timely
detection of optical link recovery.

Procedure
Step 1 Run:
system-view

Step 2 Run:

Step 3 Run:
als restart pulse-interval pulse-interval
The ALS pulse interval of the laser is set.

By default, the ALS pulse interval is 100s.
Step 4 Run:
als restart pulse-width pulse-width
The ALS pulse width of the laser is set.

By default, the ALS pulse width is 2s.
----End
Procedure
l Run the display als configuration slot slot-id command to check ALS configurations on
all interfaces of a specified slot.
l Run the display als configuration interface interface-type interface-number command
to check ALS configuration on a specified interface.
----End
6.3.3 Configuring the EEE function
Context
A device provides power for each interface. Even though an interface is idle, it consumes the
same power as working interfaces. This wastes power. After the Energy Efficient Ethernet
(EEE) function is configured on an electrical interface, the system reduces the power on the
interface when the interface is idle and restores the power when the interface starts to transmit
data. This reduces power consumption in the system.
NOTE
Only electrical interfaces support the EEE function. Optical interfaces do not support the EEE function.
If an electronic interface works at 10 Mbit/s after auto-negotiation, the EEE function does not take
effect.
Only the ES1D2G48TX1E, ES0DG24TFA00 on the S7700 and EH1D2G48TX1E, EH1D2G24TFA0 on
the S9700 support the EEE function.

Procedure
Step 1 Run:
system-view

Step 2 Run:

Step 3 Run:
energy-efficient-ethernet enable
EEE function is enabled on the electrical interface.

By default, the EEE function is disabled on an electrical interface.
NOTE
The EEE function takes effect only when it is configured on both ends of a link.
----End
6.3.4 Configuring Electrical Port Dormancy
Procedure
Step 1 Run:
system-view

Step 2 Run:

Step 3 Run:
port-auto-sleep enable
Electrical port dormancy is enabled.

By default, electrical port dormancy is disabled.
----End

l Run the display this command in the interface view to check whether electrical port
dormancy is enabled.
6.3.5 Configuring an Energy-Saving Mode
Context
The device supports the following energy-saving modes:

l Standard mode: Factory mode and default power saving mode.

l Basic energy saving mode: Components not in use are shut down or switched to the
sleeping state when no services are configured or users are not online.
l Deep mode: Power consumption is dynamically adjusted for running services, and
components not in use are shut down or switched to the sleeping state according to the
actual situation of services.
NOTE
l The ALS, EEE, and port sleeping functions are disabled by default in the standard energy saving
mode.
l The ALS, EEE, and port sleeping functions are enabled by default in the basic or deep energy saving
mode.
l Redundant power modules can be powered off to save energy only in basic or deep energy saving
mode. In basic energy saving mode, redundant power modules are powered off according to the
rated power consumption of a device. In deep energy saving mode, redundant power modules are
powered off according to the real-time power consumption of a device. After redundant power
modules are powered off, the power module status displays Normal in the display device command
output and NotSupply in the display power command output, indicating that the power modules are
not providing power; the power of the power modules displays 0 in the display power system
command output.
Procedure
Step 1 Run:
system-view
Step 2 Run:
set power manage mode mode-id
An energy-saving mode is configured for the device.
By default, the standard energy-saving mode is used.
NOTE
After the energy-saving mode is set to basic or deep mode, loopback test on interfaces is disabled.
Therefore, before performing a loopback test, set the energy-saving mode to standard mode.
----End

l Run the display power manage mode command to check the energy-saving mode of the
device.
6.4.1 Example for Configuring ALS

As shown in Figure 6-1, GigabitEthernet1/0/1 on SwitchA connects to GigabitEthernet1/0/1
on SwitchB through optical fibers.
When a link fails, the laser on the optical module is required to automatically stop sending
pulses and recover pulse sending after the link is recovered.
Figure 6-1 Networking diagram for configuring ALS

GE1/0/1 GE1/0/1
SwitchA SwitchB
1. Enable ALS on the interface so that the laser automatically stops sending pulses when a
link fails.
2. Set the restart mode of the laser to automatic restart mode so that the laser sends pulses
again after the link is recovered.
Procedure
Step 1 Configure ALS on the interface and the restart mode of the laser.
# Enable ALS on interfaces GigabitEthernet1/0/1 of SwitchA and set the restart mode of the
laser to automatic restart. By default, a laser works in automatic restart mode.
[SwitchA-GigabitEthernet1/0/1] als enable
[SwitchA-GigabitEthernet1/0/1] undo als restart mode manual
[SwitchA-GigabitEthernet1/0/1] return
# Enable ALS on interfaces GigabitEthernet1/0/1 of SwitchB and set the restart mode of the
laser to automatic restart. By default, a laser works in automatic restart mode.
[SwitchB-GigabitEthernet1/0/1] als enable
[SwitchB-GigabitEthernet1/0/1] undo als restart mode manual
[SwitchB-GigabitEthernet1/0/1] return

# Check ALS configurations on interfaces of SwitchA and SwitchB.
<SwitchA> display als configuration interface gigabitethernet 1/0/1
-------------------------------------------------------------------------------
Interface ALS Laser Restart Interval(s) Width(s)
Status Status Mode
-------------------------------------------------------------------------------
GigabitEthernet1/0/1 Enable On Auto 100 2
-------------------------------------------------------------------------------
<SwitchB> display als configuration interface gigabitethernet 1/0/1
-------------------------------------------------------------------------------

Interface ALS Laser Restart Interval(s) Width(s)

Status Status Mode
-------------------------------------------------------------------------------
GigabitEthernet1/0/1 Enable On Auto 100 2
-------------------------------------------------------------------------------
----End
Configuration file
#
sysname SwitchA
#
als enable
#
return
l Configuration file of SwitchB
#
sysname SwitchB
#
als enable
#
return

Configuration Guide - Device Management 7 PoE Configuration
7 PoE Configuration
About This Chapter
This chapter describes how to configure PoE. PDs, such as wireless telephones and APs, are
provided with power when the devices are configured with PoE.
7.1 PoE Overview

7.2 Principles
7.3 Applications
7.4 Licensing Requirements and Limitations for PoE
7.5 Default Configuration
7.6 Configuring PoE Functions
7.1 PoE Overview
Definition
Power over Ethernet (PoE) provides power through the Ethernet. It is also called Power over
LAN (PoL) or active Ethernet.
Purpose
As IP phones, network video monitoring, and wireless Ethernet networks are widely applied,
the power supply requirements on the Ethernet become urgent. In most situations, access
point devices need DC power supply, but access point devices are often installed outdoors or
on the ceiling that has a long distance from the ground. The nearby proper power socket is
difficult to find. Even if the proper power socket is available, the network administrator finds
it hard to install the AC/DC converter required by access point devices. On many large-scale
LANs, administrators need to manage multiple access point devices that require uniform

power supply and management. In this case, power supply management is difficult. The PoE
function addresses this problem.
The PoE technology is used on the wired Ethernet and is most widely used on local LANs.
The PoE function transmits power together with data to terminals over cables or transmits
power without data over idle lines. This technology provides power on the 10Base-T,
100Base-TX, or 1000Base-T Ethernet at a distance of up to 100 m. PoE can be used to
effectively provide centralized power for terminals such as IP phones, Access Points (APs),
chargers of portable devices, POS machines, cameras, and data collection devices. Terminals
are provided with power when they access the network. Therefore, indoor cabling of power
supply is not required.
The PoE has the following advantages:
l Reliable: Multiple PDs are powered by one device, facilitating power backup.
l Easy to deploy: Network terminals can be powered over network cables, without a need
for external power sources.
l Standard: The PoE function complies with IEEE 802.3af and 802.3at, and all PoE
devices use uniform power sources.
Benefits
l Saves the costs on the cabling of power supply and facilitates power module installation.
l Works with the Uninterruptible Power Supply (UPS) to provide backup power supply for
IP cameras, video servers, and IP phones, and prevents power-off.
7.2 Principles
Introduction to PoE
PoE involves the following devices:
l Power-sourcing Equipment (PSE): The PSE provides power for Powered Devices (PDs)
on the Ethernet and supports detection, analysis, and intelligent power management.
l PD: PDs are provided with power, such as the wireless AP, portable device charger, POS
machine, and camera. According to whether a PD conforms to IEEE standard, PDs are
classified into standard and non-standard PDs.
l PoE power supply: The PoE power supply provides power for the PoE system. The
number of PDs connected to the PSE is limited by power of the PoE power supply.
According to whether a PoE power supply is swappable, PoE power supplies are
classified into built-in and external power supplies.

Working Process of PoE Power Supply
Table 7-1 PoE working process
Pr
oc
ed Item Description
ur
e
The PSE provides a low voltage on an interface to detect PDs. If specified

PD resistance is detected, PDs that support IEEE 802.3af or IEEE 802.3at on
1 detecti the cable are connected to the terminal of the cable. The resistance is 19 kΩ
on to 26.5kΩ. The voltage is 2.7 V to 10.1 V. The detection period is 2
seconds.
Power
supply
The PSE classifies PDs and supports power supply capability negotiation.
capabil
2 Power supply capability negotiation is classified into two modes: analysis
ity
of detected resistance and LLDP Power Capability Negotiation.
negotia
tion
Power-
In a period shorter than 15 μs, the PSE provides low voltage for PDs, and
3 on
then the voltage is increased to 48 V.
starting
Power- The PSE provides 48 V DC power supply for PDs and the power
4
on consumption of the PDs is smaller than 37 W.
During the power supply process, the PSE detects the input current of the
PD continuously. The PSE cuts off the power supply and repeats detection
when the current of the PD is reduced to the minimum value or increased
Power- sharply in any of the following situations:
5
off l The PD is removed.
l The power consumption of the PD is overloaded or short-circuited.
l The power consumption of the PD exceeds the power supply load.
PoE Power Management Mode

When PDs connected to the PSE increase, the PoE power supply cannot provide power for all
PDs. Therefore, the PSE should manage the power supply. Power management is classified
into two modes: automatic and manual.
l Automatic mode: The PSE automatically powers on or powers off PDs based on power
priorities. You can configure a power priority of each interface as Critical, High, or Low
based on the importance of the PD connected to each interface. When providing power
nearly at full capacity, the PSE provides power first for the PD connected to the interface
of Critical priority and then provides power for the PD connected to the interface of High
priority. If multiple PoE interfaces have the same priority, the system first supplies power
to the PDs connected to the interfaces with smaller interface numbers.

l Manual mode: You can manually power on or power off interfaces. In manual mode, the
PSE provides power for an interface without considering the priority. Powering on or
powering off a single interface does not affect the power supply status. When providing
power nearly at full capacity, the PSE cannot continue to power on a new PD.
Power Supply Mode of PSEs

As defined in IEEE standard, PSEs provide power for PDs and are classified into MidSpan
(the PoE module is installed out of the device) and Endpoint (the PoE module is integrated to
device) PSEs. Huawei PoE modules are Endpoint PSEs. The Endpoint PSE is compatible
with 10Base-T, 100Base-TX, and 1000Base-T interfaces. The Endpoint PSE is more widely
used than the Midspan PSE.
Endpoint PSEs can work in Alternative A (line pair 1/2 and line pair 3/6) and Alternative B
(Line pair 4/5 and line pair 7/8) power supply modes according to different copper line pairs.
l Alternative A mode: Power is transmitted over pairs of lines that transmit data.
The PSE provides power for the PD over copper line pairs connected to pins 1 and 2 and
pins 3 and 6. Pins 1 and 2 use the positive voltage and pins 3 and 6 use the negative
voltage.
10Base-T and 100Base-TX interfaces use copper line pairs connected to pins 1 and 2 and
pins 3 and 6 to transmit data, and 1000Base-T interfaces use four line pairs to transmit
data. DC power and data frequency are independent. Therefore, the power and data can
be transmitted in one pair of lines.
l Alternative B mode: Power is transmitted over idle pairs of lines.
The PSE provides power for the PD over copper line pairs connected to pins 4 and 5 and
pins 7 and 8. Pins 4 and 5 use the positive voltage and pins 7 and 8 use the negative
voltage.
Generally, a standard PD supports the two modes, whereas the PSE only needs to support one
mode. Huawei PSE supports only Alternative A.
LLDP Power Capability Negotiation

Originally, a device analyzes the current that is transmitted between the PSE and PD to
classify PDs. Besides current analysis, the device supports Link Layer Discovery Protocol
(LLDP) power capability negotiation. IEEE 802.1ab defines the optional TLV: Power via
MDI TLV. The Power via MDI TLV is encapsulated in LLDP packets, and is used for
discovery and advertisement of MDI power capabilities, and network management.
When the PSE detects a PD, the PSE and PD periodically send LLDP packets with the
defined TLV to each other. The peer end records the information in LLDPDIs for information
exchange.
The Power via MDI TLV is composed of 2-byte packet header and 12-byte TLV information
field, as shown in Figure 7-1.

Figure 7-1 TLV packet
TLV Extended
TLV
information TIA OUT Power via MDI PSE Power Power Power Power
Type= Power Power Power
String 00-12-OF MDI Class Type Source Priotity Value
127
Length=12 Subtype=2 Support Pair
7bits 9bits 3bytes 1byte 1byte 1byte 1byte 2bits 2bits 4bits 4bytes
TLV MED Power Extended

Header Header via MDI Power via MDI
The fields of TLV packets are described as follows:

l MDI power support
Bit Function Description
0 Port type 1: PSE-side port

0: PD-side port
1 Whether the PSE supports 1: indicates that the PSE

MDI power supply. supports MDI power
supply.
0: indicates that the PSE
does not support MDI
power supply.
2 MDI power supply status 1: enabled

of the PSE. 0: disabled
3 Whether the PSE can 1: indicates that the PSE

control the line pair. can control the line pair.
0: indicates that the PSE
cannot control the line
pair.
4-7 Reserved. -
l PSE power pair:

– 1: Alternative A: The Endpoint PSE use line pairs connected to pins 1 and 2 and
pins 3 and 6 for power supply.
– 2: Alternative B: The Endpoint PSE use line pairs connected to pins 4 and 5 and
pins 7 and 8 for power supply.
l power class

Class Current (Unit: Reference Power Description

mA) (Unit: W)
0 0 to 4 15.4 The default class is

used when no class
can be specified for
a PD.
1 9 to 12 4 Very low power
2 17 to 20 7 Low power
3 26 to 30 15.4 Medium power
4 36 to 44 37 High power, which

is supported by
802.3at
l Type/source/priority
Field Functions Description
Power Priority Power supply priority of 11: indicates the lowest

an interface. priority.
10: indicates the secondary
highest priority.
01: indicates the highest
priority.
NOTE
This field contains four bits.
The two left-most bits are
reserved for the system.
Power Source Power supply source. PD:

l 11: indicates the PSE
and local source.
l 10: indicates to be
reserved.
l 01: indicates the PSE.
PSE:
l 11: indicates to be
reserved.
l 10: indicates the
backup power supply.
l 01: indicates the
primary power supply.

Field Functions Description
Power Type Power supply type. 11: indicates the PD that

does not support IEEE
802.3at.
10: indicates the PSE that
does not support IEEE
802.3at.
01: indicates the PD that
supports IEEE 802.3at.
00: indicates the PSE that
supports IEEE 802.3at.
l Power value: contains PD requested power value and PSE allocated power value. When
the PoE power is sufficient, the two values are the same. The value is an integer that
ranges from 1 to 255. Exchange power = 0.1 x Hexadecimal value of the field. For
example, if the value of the field is 255, the exchange power is 25.5 W.
PoE Technical Specifications

PoE technical specifications vary depending on PoE technologies. You can select the required
PoE technology to power on PDs according to PD requirements.
Table 7-2 PoE technical specifications

Power supply PoE PoE+ PoE++
technology
Power supply 100 m 100 m 100 m

distance
Power class 0-3 0-4 0-4
Maximum current 350 mA 600 mA 960 mA
PSE output voltage 44 V DC-57 V DC 50 V DC-57 V DC 50 V DC-57 V DC
PSE output power ≤ 15400 mW ≤ 30000 mW ≤ 90000 mW
PD input voltage 36 V DC-57 V DC 42.5 V DC-57 V DC 42.5 V DC-57 V DC
Maximum PD 12950 mW 25500 mW 8160 0mW

power
Cable requirements Unstructured CAT-5e or better CAT-5e or better
Power supply cable 2 2 4

pairs
l PoE technology complies with IEEE 802.3af.

l PoE+ technology complies with IEEE 802.3at.

7.3 Applications
Terminals such as IP phones, cameras, and data collectors require DC power. These terminals
are usually installed in corridors or on the ceilings where power sockets are unavailable. On
most large-scale LANs, administrators manage many access point devices that require
centralized power supply; therefore, power supply management is difficult.
As shown in Figure 7-2, the device, which has the PoE function, provides power for access
devices, such as IP phones and cameras. The PoE function reduces power cables, saves
network construction costs, and facilitates access device management because external power
supplies are not required.
Figure 7-2 PoE application
Internet
SwitchA SwitchB SwitchC SwitchD

PSE
PD
7.4 Licensing Requirements and Limitations for PoE

Powered devices (PDs)
PoE is a basic feature of a switch and is not under license control.

S7700 S7703, S7706, and V100R003C01, V100R006C00,

S7712 V200R001(C00&C01), V200R002C00,
V200R003C00, V200R005C00, V200R006C00,
V200R007C00, V200R008C00, V200R009C00,
V200R010C00, V200R011C10
S9700 S9703, S9706, and Not supported

S9712
NOTE
Feature Limitations
PoE power supplies supported by the switch
l A switch supports three types of PoE power modules: 800 W AC, 2200 W AC, and 2200
W DC. 2200 W DC power modules can be used as PoE power modules only in
V200R006C00 and later versions. With 220 V input voltage, 800 W AC and 2200 W AC
power modules provide maximum output power of 800 W and 2200 W, respectively.
With 110 V input voltage, they provide maximum output power of 400 W and 1100 W,
respectively.S7712 does not support inputting 110 V voltage.
l S7706 and S7712 provide four PoE power supply slots that can be installed with four
PoE power supplies simultaneously. The PoE power supplies can work in redundancy
mode. S7703 supports only one PoE power supply slot. The PoE power supply cannot
work in redundancy mode.
l The maximum output power of the system is determined by the number, type, and
voltage of PoE power supplies. For the maximum PoE power of each switch, see "PoE
power modules" in the Hardware Description - Power Supply Slot Configuration.
PoE function
l The switch supports power supply capability negotiation using the Link Layer Discovery
Protocol (LLDP).
l The switch supports perpetual power supply and fast power-on.
l If a switch supports PoE, its PoE feature is not affected after it joins a CSS.
l The maximum PoE power supply distance is 100 m.
Restrictions on the PoE function

l Currently, the switch supports only one type of PoE board, that is, ES0D0G48VA00.
l A PoE board can provide power to PDs only a chassis has both a PoE power module and
PoE board installed. In a CSS, if chassis 1 has a PoE board installed but does not have
any PoE power module installed, the PoE board of chassis 1 cannot provide power to
PDs even if chassis 2 has a PoE power module installed.

l If a CMU board fails or is reset on the switch, the PD is powered off.
Table 7-4 PoE default configuration
Parameter Default Setting
Power management mode Auto
Power supply priority of an interface Low
Maximum output power of an interface 37000 mW
Reserved PoE power percentage 20%
PoE power alarm threshold 90%
7.6 Configuring PoE Functions
Before configuring PoE, complete the following tasks:
l Ensure that the ES0D0G48VA00 has been installed because only the ES0D0G48VA00
board supports PoE currently.
l Install the PoE power module and power on.
l Connect the interfaces on the PSE to PD to ensure that the status of the link layer
protocol of the interface is Up.
Generally, the device can detect whether a PD connected to it needs power supply and
provides PoE function. If you need to modify the PoE configuration or manually power on the
PD, see the following configuration.
7.6.1 Enabling the PoE Function
Context
Ensure that the PoE function on the interface is enabled before powering on a PD connected
to the interface.
Procedure
Step 1 Run:
system-view

Step 2 Run:
Step 3 Run:
poe enable
The PoE function is enabled on the interface.
By default, the PoE function is enabled on the interfaces.
----End
7.6.2 (Optional) Configuring the LLDP Power Capacity

Negotiation
Context
You can configure the TLV in LLDP so that the device can classify PDs through the LLDP
function enabled on the device. The device that is not configured with the LLDP function
detects and classifies PDs through analyzing current and resistance between the device and
PDs. Compared with current and resistance analysis, the LLDP function provides a more
comprehensive and accurate analysis.
Procedure
Step 1 Run:
system-view
Step 2 Run:
lldp enable
LLDP is enabled globally.
By default, LLDP is disabled globally.
Step 3 Run:
Step 4 Run:
lldp enable
LLDP is enabled on an interface.
If LLDP is enabled globally, by default, LLDP is enabled on each interface.
Step 5 Run:
lldp tlv-enable dot3-tlv power
LLDP is configured to advertise Power Via MDI TLV.
By default, LLDP is configured to advertise Power Via MDI TLV.

NOTE
After LLDP is configured advertise Power Via MDI TLV, the device can analyze the interface type,
whether the PSE supports MDI, status of MDI power supply, whether the PSE can control the line pairs
and analyze the line pairs and power priority.
Step 6 Run:
lldp tlv-enable med-tlv power-over-ethernet
LLDP is configured to advertise extended Power Via MDI TLV.

By default, LLDP is configured to advertise extended Power Via MDI TLV.
NOTE
After LLDP is configured advertise extended Power Via MDI TLV, the device can analyze the power
type, power supply, and interface power priority.
----End
7.6.3 Configuring PoE Power Management

Context
The maximum output power of the device is determined by the PoE power supply backup
mode, PoE-capable module quantity, type, and input voltage. You can configure the maximum
power, percentage of the reserved PoE power to the total PoE power, PoE power alarm
threshold, and maximum power on each interface. Setting power parameters based on
requirement of PDs connected to the device helps you effectively use PoE power and ensures
device stability.
Procedure
l Configure the PoE power supply backup mode.
When a chassis PoE device is equipped with multiple power supplies and the power is
sufficient, configure some of power supplies as backup power supplies. If the active
power supply is faulty, the backup power supply continues to provide power for PDs,
ensuring system stability.
a. Run:
system-view

b. Run:
poe-power backup-mode backup-mode
The PoE power supply backup mode is configured.

By default, the PoE power has no backup.
NOTE
The S7703 has only one PoE power supply slot and does not support PoE power backup
mode.
l Configure the maximum output power of the devicecard.
The number and requirements for power of PDs connected to each card are different. In
addition, the total power of the device may fluctuate. To solve this problem, you can
configure the power for each card to provide a fixed power of each card.
a. Run:

system-view

b. Run:
poe max-power max-power slot slot-id
The maximum output power of the card is configured.
By default, the maximum power of each card is the average power that is allocated
from the maximum power of the device.
l Configure the maximum output power for an interface.
The PD power negotiation result may be different from the power required by some non-
standard PDs or PDs that cannot be classified. You can configure the maximum output
power of an interface to prevent power overload for PDs and save energy.
a. Run:
system-view

b. Run:

c. Run:
poe power port-max-power
The maximum output power is configured for the interface.
By default, the maximum power of each interface is 37000 mW.

l Configure the reserved PoE power percentage.
The power of a PD keeps changing when the PD is running. Sometimes, the power
consumption increases sharply and the available power of the device cannot support the
burst increase of power. The device may not detect this problem and does not cut off PDs
on low-priority interfaces. As a result, all PDs are powered off because of overload. You
can configure proper reserved power to solve the problem. When the power consumption
increases sharply, the reserved power can support the system running. Then the device
can immediately power off PDs on low-priority interfaces to ensure stable running of
other PDs.
a. Run:
system-view

b. Run:
poe power-reserved power-reserved
The percentage of the reserved PoE power to the maximum output power is
configured.
By default, 20% of the total power is reserved.

l Configure the alarm threshold of power consumption percentage.
When the power consumption increases sharply within a range, the reserved power can
satisfy the power requirement. However, if the power consumption exceeds the range,
some PDs are powered off. To solve this problem, configure the alarm threshold for the
power consumption percentage. When the power consumption exceeds the threshold, the

system generates an alarm so that administrators can take measures to reduce the power
consumption.
a. Run:
system-view

b. Run:
poe-power utilization-threshold threshold-value
The alarm threshold for the power consumption percentage is configured.
By default, the alarm threshold is 90%. That is, an alarm is generated when the
consumed power accounts for 90% of the total power.
----End
7.6.4 (Optional) Configuring the Device to Allow High Inrush

Current During Power-on
Context
High inrush current is generated when a non-standard PD is powered on. In this case, the
device cuts off the power of the PD to protect itself. If the device is required to provide power
for the PD, the PSE must allow high inrush current.
If high inrush current is allowed, the self-protection of the device is disabled. This may
damage components of the device.
Procedure
Step 1 Run:
system-view
Step 2 Run:
poe high-inrush enable slot slot-id
The device is configured to allow high inrush current during power-on.
By default, the device does not allow high inrush power during power-on.
----End
7.6.5 Configuring PoE Power-on and Power-off Management
Context
The device supports two power-on and power-off modes: automatic and manual.

l In automatic mode, the interface power supply priority can be configured as critical,
high, or low. When the remaining power is insufficient, PDs with higher power supply
priority are first provided with power.
l In manual mode, you can power on or power off the specified interface as required.
When the remaining power is insufficient, PDs cannot be powered on.
Besides powering on PDs in the automatic and manual modes, the interface PoE power
management provides the following functions:
l Configuring the power-on and power-off time range.
l Being compatible with non-standard PDs.
Procedure
l Configure the PoE power management mode.
a. Run:
system-view

b. Run:
poe power-management { auto | manual } slot slot-id
The PoE power management mode is set.

By default, the device uses the automatic power management mode.
n In automatic mode, configure the power supply priority of the interface. The
device powers on or powers off PDs connected to an interface based on the
power supply priority of the interface.
1) Run:

2) Run:
poe priority { critical | high | low }
The power supply priority of the interface is set.

The priorities in descending order are critical, high, and low.
By default, the power supply priority of an interface is low.
n (Optional) In automatic mode, when interfaces have the same power supply
priority, the device does not power on or off PDs connected to the interfaces
based on the interface numbers.
A device may power off PDs connected to interfaces with larger interface
numbers to power on PDs connected to interfaces with smaller interface
numbers later when the device powers on or off PDs based on interface
numbers. To prevent this problem, perform this step to disable the device from
powering on or off PDs based on interface numbers. The device then powers
on PDs in the sequence in which the PDs are connected to it.
1) Run:
system-view

2) Run:
poe power-policy port-index-priority disable [ all | chassis
chassis-id ]

The device is disabled from powering on or off PDs based on the

interface numbers.
n In manual power management mode, PDs connected to each interface are
manually powered on or powered off. In manual mode, you can select some
PDs to power on or power off as required.
1) Run:
system-view

2) Run:
poe { power-on | power-off } interface interface-type interface-
number
The PD connected to an interface is powered on or powered off manually.

l (Optional) Set the power-off time range of a PoE interface.
PDs connected to an interface do not keep working. You can set the power-off time range
of a PoE interface so that it can automatically power off when it is idle to save energy.
a. Run:
system-view

b. Run:
time-range time-name { start-time to end-time days | from time1 date1
[ to time2 date2 ] }
A power-off time range of PoE is defined.

c. Run:

d. Run:
poe power-off time-range time-range-name
A configured PoE power-off time range is applied to an interface.
Within the power-off time range, if the power management mode is changed, the set
power-off time range becomes invalid. PDs are powered on according to the newly
set power management mode. For example, if the manual mode is changed into the
automatic mode within the power-off time range, the power-off time range becomes
invalid and PDs power on automatically.
l (Optional) Configure the device to be compatible with non-standard PDs

When a non-standard PD is connected to the device, the device cannot detect the proper
resistance and cannot identify the PD. When compatibility check is enabled, the device
can detect and provide power for the PD that does not comply with the 802.3af or
802.3at standard.
a. Run:
system-view

b. Run:


c. Run:
poe legacy enable
The interface is enabled to check compatibility of non-standard PDs

By default, compatibility detection for PDs is disabled on an interface.
----End
7.6.6 Checking the Configuration
Procedure
l Run the display poe-power command to view the status of the PoE power supply.
l Run the display lldp tlv-config command to view the TLV types supported by the
interface.
l Run the display lldp local command to view the status of the LLDP on the interfaces
and device.
l Run the display lldp neighbor command to view the information of the interface
neighbors.
l Run the display lldp neighbor brief command to view the information of the device
neighbors.
l Run the display poe device command to display the information about the devices that
support the PoE function.
l Run the display poe information [ slot slot-id ] command to view the information about
the PoE function.
l Run the display poe power { slot slot-id | interface interface-type interface-number }
command to view the current power of the interface.
l Run the display poe power-state { slot slot-id | interface interface-type interface-
number } command to view the PoE power supply status on the interface.
----End
7.7.1 Example for Configuring PoE
Figure 7-3 shows that switches are deployed at the access layer on the network. The IP phone
connected to the switch is deployed outdoors and the AP is deployed on the external wall of
the office. It is difficult to connect power supplies to these devices. The user wants the switch
to provide power for these devices and save the deployment costs.
As the office network of a bank, AP1 cannot be powered off and should be configured with
the highest power supply priority. IP Phone1 with a large amount of services need to obtain
power supply with high priority and generally cannot be powered off.

Figure 7-3 Networking diagram of the PoE application

Switch
GE1/0/1 GE1/0/2
GE2/0/1 GE2/0/2
IP Phone1 AP1
IP Phone2 AP2
The switch supporting PoE and installed with the PoE power supply is required.
1. Configure the power management mode as automatic mode so that PDs can be flexibly
managed.
2. Configure the maximum output power of the board in slot 1 to ensure that the board in
slot 1 provided with stable power when the power of the device is insufficient.
3. Configure the power supply priority on GigabitEthernet1/0/2 and GigabitEthernet1/0/1
so that AP1 and IP phone1 are provided with power preferentially.
4. Configure the maximum output power on GigabitEthernet1/0/1, GigabitEthernet2/0/1,
and GigabitEthernet1/0/2 to limit the power of the corresponding interface and ensure
security of the device.
Procedure
Step 1 Configure the power management mode of the device as automatic mode.
[Switch] poe power-management auto slot 1
[Switch] poe power-management auto slot 2
Step 2 Configure the maximum output power of the PoE board in slot 1 as 200 W.
[Switch] poe max-power 200000 slot 1
Warning: This operation may power off some PD. Continue?[Y/N]:y
Step 3 Configure the maximum output power on GigabitEthernet1/0/1, GigabitEthernet2/0/1, and

GigabitEthernet1/0/2 as 15 W, 15 W, and 20 W respectively. On the device, the unit of the
output power is mW.
[Switch-GigabitEthernet1/0/1] poe power 15000


Step 4 Configure the power supply priority on GigabitEthernet1/0/2 as critical.

[Switch-GigabitEthernet1/0/2] poe priority critical
Warning: This operation may power off some PD with lower priority. Continue?[Y/N
]:y
Step 5 Configure the power supply priority on GigabitEthernet1/0/1 as high.

[Switch-GigabitEthernet1/0/1] poe priority high
Warning: This operation may power off some PD with lower priority. Continue?[Y/N
]:y
Step 6 Check the configuration.

# Display the PoE power supply status of the interface on the board in slot 1.
[Switch] display poe power-state slot 1
PORTNAME POWERON/OFF ENABLED PRIORITY STATUS
--------------------------------------------------------------------------------
GigabitEthernet1/0/0 off enable Low Detecting
GigabitEthernet1/0/1 on enable High Delivering-power
GigabitEthernet1/0/2 on enable Critical Delivering-power
# Display the PoE power supply status of the interface on the board in slot 2.
[Switch] display poe power-state slot 2
PORTNAME POWERON/OFF ENABLED PRIORITY STATUS
--------------------------------------------------------------------------------
GigabitEthernet2/0/1 on enable Low Delivering-power
GigabitEthernet2/0/2 on enable Low Delivering-power


----End
Configuration Files
#
sysname
Switch
#
#
poe max-power 200000 slot 1
#
poe priority high
poe power 15000
#
poe priority critical
poe power 20000
#
poe power 15000
#
return

Configuration Guide - Device Management 8 CSS Configuration
8 CSS Configuration
About This Chapter
This chapter describes how to configure Cluster Switch System (CSS) to improve forwarding
performance and reliability.
8.1 Using the CSS Assistant Tool to Quickly Obtain Information
8.2 Introduction to CSS
8.3 Principles
8.4 Applications
8.5 CSS Connection Modes
8.6 Configuration Task Summary
8.7 CSS Support and Version Requirements
8.9 Establishing a CSS by Connecting CSS Cards
8.10 Establishing a CSS Using Service Port Connections
8.11 Configuring Enhanced CSS Functions
This section describes how to configure enhanced CSS functions that improve CSS system
reliability and make operations easier.
8.12 Maintaining the CSS
8.13 Splitting a CSS
8.15 FAQ
8.1 Using the CSS Assistant Tool to Quickly Obtain

Information

Figure 8-1 shows the CSS assistant tool page.
Figure 8-1 CSS assistant tool page
Figure 8-2 describes how to use this tool:

1. Select the Switch series > Switch name, MPU type > CSS mode, LPU/CSS card mode
and Cluster cable in sequence.
Click behind each select box to get detailed information and figures.
2. Click Submit after finishing the selection. The CSS precautions, connection rules, and
software configuration are displayed. Set up a CSS according to these information.
Figure 8-2 Tool page after Submit is clicked

8.2 Introduction to CSS
Definition
A Cluster Switch System (CSS) is a logical switch consisting of two clustering-capable
switches. A CSS is also called a cluster. Figure 8-3 shows the topology of a CSS.
Figure 8-3 Topology of a CSS

CSS
CSS link
Link aggregation
Eth-Trunk
Purpose
In addition to high forwarding performance, CSS technology provides high network reliability
and high scalability, while simplifying network management.
l High reliability: Member switches in a CSS work in redundancy mode. Link redundancy
can also be implemented between member switches through link aggregation.
l High scalability: Switches can set up a CSS to increase the number of ports, bandwidth,
and packet processing capabilities.
l Simplified configuration and management: After two switches set up a CSS, they are
virtualized into a single device. You can log in to the CSS from either member switch to
configure and manage the entire CSS.
8.3 Principles
8.3.1 Basic Concepts

Figure 8-4 shows the concepts defined in CSS technology.
Figure 8-4 CSS-related concepts
CSS
SwitchA SwitchB
(Master) (Standby)
CSS link
CSS ID = 1 CSS ID = 2
CSS priority = 200 CSS priority =100

l Roles of member switches

Switches in a CSS are member switches. Each CSS member switch plays one of the
following roles:
– Master switch
The master switch manages the entire CSS. A CSS has only one master switch.
– Standby switch
The standby switch acts as a backup to the master switch. If the master switch fails,
the standby switch takes over all services from the master switch. A CSS has only
one standby switch.
l CSS ID
CSS IDs are used to identify and manage member switches in a CSS. Each member
switch has a unique CSS ID.
l CSS priority
The CSS priority of a member switch determines the role of that member switch in role
election. A larger value indicates a higher priority and higher probability that the
member switch is elected as the master switch.
8.3.2 CSS Setup
A CSS is set up automatically after you use cluster cables to connect two switches, enable the
CSS function on the two switches, and restart the switches. The member switches then send
CSS competition packets to each other. After the competition, one switch becomes the master
switch to manage the entire CSS, and the other becomes the standby switch.
Role Election
The master switch of a CSS is elected based on the following rules:
1. The switch that starts and enters the single-chassis CSS state first becomes the master
switch.
2. If the two switches startup at the same time, the switch with a higher priority becomes
the master switch.
3. If the two switches startup at the same time and have the same priority, the switch with a
smaller MAC address becomes the master switch.
4. If the two switches startup at the same time and have the same priority and MAC
address, the switch with a smaller CSS ID becomes the master switch.
NOTE
If the master switch is elected because it starts and enters the single-chassis CSS state first, the other
joins the CSS using the process described in 8.3.5 New Member Join and CSS Merge.
After a CSS is set up, the master MPU of the master switch works as the system master MPU
to manage the entire CSS. The master MPU of the standby switch works as the system
standby MPU. The standby MPUs of the master and standby switches work as candidate
system standby MPUs. Figure 8-5 shows the role election result after a CSS is set up. In this
example, SwitchA is elected as the master switch.

Figure 8-5 Role election result in a CSS

Local master Local master
MPU MPU
Local standby CSS Link Local standby
MPU MPU
LPU LPU
: :
SwitchA SwitchB
After a CSS is set up,
SwitchA is elected as
the master switch
CSS
System master
MPU
Candidate system Master
standby MPU SwitchA
LPU
:
System standby
MPU
Candidate system Standby
standby MPU SwitchB
LPU
:
Software Version Synchronization

CSS technology provides an automatic software loading mechanism. Member switches do not
have to run the same software version, and they can set up a CSS as long as the software
versions running on the member switches are compatible with one another. If the software
version running on the standby switch is different from that on the master switch, the standby
switch downloads the system software from the master switch, restarts with the new system
software, and joins the CSS again.
Configuration File Synchronization

CSS technology uses a strict configuration file synchronization mechanism to ensure that
member switches in a CSS function as a single device.
l After the standby switch starts, it synchronizes its configuration file with the master
switch.
l When CSS is running, all the configurations performed by users are recorded in the
configuration file of the master switch and synchronized to the standby switch.
The configuration file synchronization mechanism ensures that the member switches save the
same configuration file. If the master switch fails, the standby switch takes over all services
using the same configuration file. After the CSS splits, the configuration of the master switch
is not lost even if it is not saved in a timely manner, and the CSS becomes two single-chassis

CSSs with the same configuration. In this situation, if a member switch restarts, its unsaved
configuration is lost. For details about a CSS split, see 8.3.6 CSS Split and MAD.
Configuration File Backup

After a switch enters the CSS state, it automatically backs up its configuration file used in
standalone state by adding the extension .bak to the configuration file name. For example, if
the original configuration file name extension is .cfg, the backup configuration file name
extension is .cfg.bak. In this way, the device can restore the previous configuration after the
CSS function is disabled.
If you want to restore the original configuration of a switch after disabling the CSS function,
delete the extension .bak from the backup configuration file name, specify this configuration
file for next startup, and then restart the switch.
8.3.3 CSS Login and File System Access
Two switches in a CSS set up a virtual device on the network. The interface numbering rules,
system login methods, and file system access methods used in the CSS are different from
those used on standalone switches.
8.3.3.1 Interface Numbering Rules
On a standalone switch without CSS enabled, interfaces are numbered in the slot ID/subcard
ID/port sequence number format. In a CSS, member switches are identified by their CSS IDs
and their interfaces are numbered in the CSS ID/slot ID/subcard ID/port sequence number
format.
For example, an interface on a standalone switch without CSS enabled is numbered

GigabitEthernet1/0/1. After the switch joins a CSS and is assigned CSS ID 2, the interface
number changes to GigabitEthernet2/1/0/1.
The management interface in a cluster is numbered Ethernet0/0/0/0.
NOTE
After you enable CSS on a standalone switch and restart it, the switch becomes a single-chassis CSS and
its interfaces are also numbered in the CSS ID/slot ID/subcard ID/port sequence number format.
After CSS is disabled on a switch, the interface numbering format on the switch must be
manually changed from CSS ID/slot ID/subcard ID/port sequence number to slot ID/subcard
ID/port sequence number. The procedure is as follows:
1. After CSS is enabled on the switch, the switch automatically backs up the configuration
file used in standalone state by adding the extension .bak to the configuration file name.
2. Before CSS is disabled on the switch, specify this configuration file for next startup.
3. Disable CSS and then restart the switch.
8.3.3.2 CSS Login
You can log in to a CSS using the following methods:
l Local login: Log in through the console interface on any MPU of the CSS.

l Remote login: Log in through the management interface or another Layer 3 interface of
any MPU in the CSS. You can remotely log in to the CSS using Telnet, STelnet, web, or
SNMP if your operation terminal has a reachable route to the CSS.
After logging in to a CSS, you have actually logged in to the master switch, no matter which
member switch you log in through. After you perform configurations in the CSS, the master
switch issues the configurations to the standby switch. In this way, resources of member
switches are managed uniformly.
8.3.3.3 File System Access
File system access refers to operations performed on the storage device, including file/
directory creation, deletion, and modification, and file display. The S7700 and S9700 use CF
card and flash memory as storage devices.
The location of a file is identified by drive + path + filename:
l drive indicates the storage device.
l path indicates a directory and its sub-directories.
l filename indicates the file name.
For details, see File System Overview.
The value of drive varies depending on whether the switch is a standalone switch or joins a
CSS:
l The switch is a standalone switch:
– To access the root directory of the CF card or flash memory on the system master
MPU, set drive to cfcard: or flash:.
– To access the root directory of the CF card or flash memory on the standby MPU,
set drive to slave#cfcard: or slave#flash:.
l The switch joins a CSS:
– To access the root directory of the CF card or flash memory on the system master
MPU, set drive to cfcard: or flash:.
– To access the root directory of the CF card or flash memory on the system standby
MPU or candidate system standby MPU, set drive to chassis ID/slot ID#cfcard: or
chassis ID/slot ID#flash:. (The chassis ID is the CSS ID.)
For example, 1/8#cfcard: means the root directory of the CF card in slot 8 of
chassis 1.
8.3.4 Cluster Link Aggregation and Local Preferential Forwarding
Cluster Link Aggregation

CSS supports cluster link aggregation (Eth-Trunk). You can bundle physical Ethernet
interfaces on different member switches into an Eth-Trunk interface and connect a CSS to an
upstream or downstream device through the Eth-Trunk link. If a member switch or a member
link of the Eth-Trunk fails, data flows are forwarded through the cluster cables between the
member switches. Cluster link aggregation ensures reliable data transmission and implements
backup between member switches. It is important to the core switching system and networks
with high QoS requirements because it prevents service interruptions caused by single-point
failures and greatly improves network availability.

As shown in Figure 8-6, traffic sent to the core device on the network is equally distributed to
member links of an Eth-Trunk set up between CSS member switches. When a member link
fails, traffic on this link is distributed to the other link through the cluster cables between the
member switches. This link backup mechanism improves network reliability.
Figure 8-6 Cluster link aggregation 1
Network Network
CSS CSS
Forwarding paths before Forwarding paths after

a link failure a link failure
CSS Link
Eth-Trunk
Data flow 1
Data flow 2
As shown in Figure 8-7, traffic sent to the core device on the network is equally distributed to
member links of an Eth-Trunk set up between CSS member switches. When a member switch
fails, traffic toward this switch is distributed to the other switch. This device backup
mechanism improves network reliability.

Figure 8-7 Cluster link aggregation 2
Network Network
CSS CSS
Forwarding paths before Forwarding paths after a

a device failure device failure
CSS Link
Eth-Trunk
Data flow 1
Data flow 2
Local Preferential Forwarding

To implement reliable data traffic transmission and backup between member switches, a CSS
usually connects to upstream and downstream devices through inter-chassis Eth-Trunk links.
Similar to a standalone switch, a CSS uses the hash algorithm to select outbound interfaces in
an inter-chassis Eth-Trunk. Therefore, traffic is load balanced among the Eth-Trunk member
links, and some traffic is forwarded across the member switches.
Inter-chassis forwarding consumes bandwidth on the cluster cables. As bandwidth provided
by a cluster cable is limited, this forwarding mode increases load on cluster cables and
reduces forwarding efficiency. To improve forwarding efficiency and reduce traffic on cluster
cables, the switch provides the local preferential forwarding feature. This feature allows
traffic reaching the local switch to be preferentially forwarded through a local interface. If the
local device has no outbound interface or all the outbound interfaces fail, traffic is forwarded
through an interface on another member switch.
As shown in Figure 8-8, SwitchA and SwitchB set up a CSS, and their uplink and downlink
interfaces are bundled to Eth-Trunk interfaces. If local preferential forwarding is not
configured, traffic reaching SwitchA is load balanced between the Eth-Trunk member links,
and some traffic is forwarded through the cluster cables and sent out from a physical interface
on SwitchB. If local preferential forwarding is configured, traffic reaching SwitchA is
preferentially forwarded through a local physical interface and does not pass through the
cluster cables.

Figure 8-8 Local preferential forwarding
Network Network
SwitchA CSS SwitchB SwitchA CSS SwitchB
Local preferential forwarding Local preferential forwarding

not supported supported
CSS Link
Eth-Trunk
Data flow 1
Data flow 2
8.3.5 New Member Join and CSS Merge
Member Switch Join

A new member switch can join a running single-chassis CSS. As shown in Figure 8-9,
SwitchA is running in single-chassis CSS state. After SwitchB joins the CSS, the two
switches set up a new CSS. SwitchA becomes the master switch, and SwitchB becomes the
standby switch.
NOTE
A single CSS-enabled switch is a single-chassis CSS.

Figure 8-9 New member switch joining a single-chassis CSS

Single-
chassis CSS
SwitchA +
SwitchB
CSS ID = 1 CSS ID=2 (predefined)
SwitchB joins the CSS
CSS
SwitchA SwitchB
(Master) (Standby)
CSS link
A new member switch joins a single-chassis CSS in either of the following situations:
l After two switches are connected using cluster cables, one switch is configured with the
CSS function and restarted. This switch enters the single-chassis CSS state. After the
other switch is configured with the CSS function and restarted, it joins the CSS as the
standby switch.
l In a running two-chassis CSS, one switch is restarted. Then this switch joins the CSS
again as the standby switch.
CSS Merge
Two single-chassis CSS systems can merge into one CSS. As shown in Figure 8-10, two
single-chassis CSS systems merge into one and elect a master switch. The master switch
retains its original configuration and its standby MPU resets, without affecting services. The
standby switch restarts, joins the new CSS as the standby switch, and synchronizes the
configuration file with the master switch. Original services on this standby switch are
interrupted.

Figure 8-10 Two CSS systems merging into one

Single-chassis Single-chassis
CSS CSS
SwitchA SwitchB
Priority = 100 Priority = 200
Merge
CSS
SwitchA SwitchB
(Standby) (Master)
CSS link
CSS merging occurs in either of the following situations:

l After two switches are configured with the CSS function and restarted, they run as
single-chassis CSS systems. After they are connected using cluster cables, they merge
into one CSS.
NOTE
Setting up a CSS through a CSS merge is not recommended.

l A CSS splits due to a failure of a cluster link or member switch. When the link or switch
recovers, the two single-chassis CSS systems merge into one.
After two single-chassis CSS systems merge, the master switch is elected based on the
following rules:
1. The switch with a higher CSS priority becomes the master switch.
2. If the two switches have the same priority, the switch with a smaller MAC address
becomes the master switch.
3. If the two switches have the same priority and MAC address, the switch with a smaller
CSS ID becomes the master switch.
NOTE
Ensure that the two chassis have different CSS IDs in both new member join and CSS merge scenarios.
If the CSS IDs are the same, modify the CSS ID of one switch first.
8.3.6 CSS Split and MAD
CSS Split
After a CSS is set up, the master and standby MPUs of the CSS periodically send heartbeat
packets to each other to maintain the CSS status. If a cluster cable or a CSS card fails or one
switch is powered off or restarted, communication between the two switches is interrupted.
When the heartbeat timeout timer (8s) expires, the CSS splits into two single-chassis CSS
systems, as shown in Figure 8-11.

Figure 8-11 CSS split
Multi-Active Detection
After a CSS splits, the two switches use the same global configuration if they are running
normally. In this case, the two switches use the same IP address and MAC address (that is, the
MAC address of the stack) to communicate with other network devices, because the switches
run the same configuration file (configuration file of the previous CSS). The address collision
causes a communication failure on the entire network. To prevent this problem, multi-active
detection (MAD) can be configured to ensure that only one master switch exists after the CSS
splits.
Multi-active detection (MAD) is a CSS split detection protocol. When a link failure causes a
CSS split, MAD provides split detection, multi-active handling, and fault recovery
mechanisms to minimize the impact on services.
MAD Modes
MAD can be implemented in direct or relay mode. The direct and relay modes cannot be
configured together in the same CSS.
l Direct mode
In direct mode, CSS member switches use direct links over ordinary network cables as
dedicated MAD links. When the CSS is running normally, member switches do not send
MAD packets. After the CSS splits, the member switches send a MAD packet every 1s
over the MAD link to check whether multiple master switches exist.
In direct mode, CSS member switches can be directly connected to an intermediate
device or directly connected to each other:
– Directly connected to an intermediate device (Figure 8-12): Each member switch
has at least one MAD link connected to the intermediate device. This deployment
can be used when member switches are far from each other.
– Directly connected to each other (Figure 8-13): No intermediate device is
deployed, preventing MAD from being affected by intermediate device failures.
NOTE
l After configuring MAD in direct mode on an interface, do not configure other services on the
interface.
l A maximum of four direct MAD links can be configured between member switches to ensure
reliability.
l MAD packets are bridge protocol data units (BPDUs), so the intermediate device must be able
to forward BPDUs. For details on how to configure this function, see Configuring Interface-
based Layer 2 Protocol Transparent Transmission.

Figure 8-12 MAD through direct links to an intermediate device
Figure 8-13 MAD through direct links between member switches
l Relay mode
In relay mode, MAD relay detection is configured on an Eth-Trunk interface in the CSS,
and the MAD detection function is enabled on an agent. Every member switch must have
a link to the agent and these links must be added to the same Eth-Trunk. In contrast to
the direct mode, the relay mode does not require additional interfaces because the Eth-
Trunk interface can run other services while performing MAD relay detection.
In relay mode, when the CSS is running normally, member switches send MAD packets
at an interval of 30s over the MAD links and do not process received MAD packets.
After the CSS splits, member switches send MAD packets at an interval of 1s over the
MAD links to check whether multiple master switches exist.
You can use an independent relay agent (Figure 8-14) or use two CSS systems as each
other's relay agents (Figure 8-15).
NOTE
l The relay agent is a switch that supports the MAD relay function. Currently, all the S7700 and
S9700 series switches support this function.
l To implement MAD relay detection by using two CSS systems as each other's relay agent,
configure different domain IDs for the two CSS systems. Member switches of a CSS form a CSS
domain. A network may have multiple CSS domains, with different domain IDs.

Figure 8-14 Single switch as the MAD relay agent
Figure 8-15 Two CSS systems as MAD relay agents of each other
Multi-Active Handling
After a CSS splits, the MAD mechanism sets the new single-chassis CSS systems to Detect or
Recovery state. The CSS in Detect state still works, whereas the CSS in Recovery state is
disabled.
MAD handles a multi-active situation in the following way: When MAD detects two CSS
systems (two master switches) in Detect state, MAD allows only the switch with a higher CSS
priority to work. (If the two switches have the same CSS priority, their MAC addresses and
CSS IDs are compared in turn.) Then the other switch enters the Recovery state, and all its
physical ports except the excluded ones are shut down to prevent the switch from forwarding
service packets.
Fault Recovery
After the faulty link recovers, the CSS systems merge into one in either of the following
ways:

l The CSS in Recovery state restarts and merges with the CSS in Detect state. The service
ports that have been shut down are restored to Up state, and the entire CSS recovers.
l If the CSS in Detect state is also faulty before the faulty link recovers, remove this CSS
from the network, start the CSS in Recovery state to switch service traffic to this CSS,
and rectify the CSS system fault. After the CSS recovers, connect it to the network so
that it can merge with the other CSS.
8.3.7 Master/Standby Switchover
Many factors can cause master/standby switchover events in a CSS. The following describes
master/standby switchover events triggered by MPU failures and those triggered using
commands.
Master/Standby Switchover Triggered by an MPU Failure

Roles in a CSS may change if an MPU of the CSS fails. The switchover process differs
depending on whether the MPU is the system master, the system standby, or a candidate
standby.
l The system master MPU fails.

Figure 8-16 shows how the roles in both chassis 1 and 2 change after the system master
MPU fails.
Figure 8-16 Changes of roles after a failure of the system master MPU

A master/standby switchover
occurs in the CSS
System System Candidate

standby master standby
System master Candidate standby

System standby Faulty card
– The original standby switch becomes the master switch, and the original system
standby MPU becomes the system master MPU.
– The original master switch becomes the standby switch.
– The standby MPU of the original master switch becomes the system standby MPU
and synchronizes data with the system master MPU.
l The system standby MPU fails.

Figure 8-17 shows how the roles in both chassis 1 and 2 change after the system standby
MPU fails.
Figure 8-17 Change of roles after a failure of the system standby MPU

A master/standby switchover
occurs in the chassis
System Candidate System

master standby standby

System standby Faulty card
– The master and standby switches retain their roles.

– The standby MPU of the standby switch becomes the system standby MPU and
l A candidate standby MPU fails.
Failures of candidate standby MPUs do not cause any change of roles in the CSS.
Master/Standby Switchover Triggered Using Commands

Figure 8-18 shows how the roles in both chassis 1 and 2 change after a master/standby
switchover is triggered using commands.

Figure 8-18 Change of roles after a command-triggered master/standby switchover

Master/standby switchover
is triggered by a command

System standby
8.3.8 CSS Upgrade
A CSS can be upgraded using the traditional upgrade method (specifying the next-startup files
and restarting the entire CSS) or the fast upgrade function.
The traditional upgrade method causes service interruption for a relatively long time and is
therefore not applicable to scenarios requiring short service interruption time. The fast
upgrade function is more suited to these scenarios.
In a fast upgrade, the standby switch first restarts with the new system software. Data traffic is
forwarded by the master switch during this period. After the standby switch completes the
upgrade, it becomes the master switch and starts to forward data traffic. Then the original
switch restarts with the new system software. After the original switch completes the upgrade,
it becomes the standby switch. If the standby switch fails in the upgrade, it restarts and rolls
back to the old version, and the CSS upgrade fails.
To minimize traffic loss during an upgrade, bundle uplinks and downlinks of the CSS to Eth-
Trunks to implement link redundancy.

8.4 Applications
Bandwidth Expansion and Inter-Chassis Link Redundancy

As shown in Figure 8-19, when higher uplink bandwidth is required, you can connect a new
member switch to the original one using cluster cables so that the two switches set up a CSS.
Then bundle physical links of the member switches into a link aggregation group to increase
the uplink bandwidth.
Downstream switches connect to the CSS through inter-chassis Eth-Trunks. This networking
implements redundancy between devices and links, enhancing network reliability.
Figure 8-19 Bandwidth expansion and inter-chassis link redundancy
CSS
CSS Link
Eth-Trunk
Data flow before a failure

Data flow after a failure
Simplifying Network Topology

As shown in Figure 8-20, two switches are virtualized into a single logical switch. This
simplified network does not require Multiple Spanning Tree Protocol (MSTP) or Virtual
Router Redundancy Protocol (VRRP), so network configuration is much simpler. Inter-
chassis link aggregation also speeds up network convergence and improves network
reliability.

Figure 8-20 Simplifying network topology

MSTP + VRRP
CSS
CSS Link
Eth-Trunk
Long-Distance Clustering
Long-distance clustering enables switches far from each other to form a CSS. As shown in
Figure 8-21, users on each floor of two buildings connect to the aggregation switches through
respective corridor switches. The aggregation switches connect users to the external network.
The aggregation switches in the two buildings can be connected using cluster cables to form a
CSS. The two aggregation switches then work like one device, simplifying the network
structure. The device management and maintenance costs are therefore reduced. In addition,
two links to the external network are available to users in each building, which greatly
improves service reliability.

Figure 8-21 Long-distance clustering
Network
Building Building
A CSS B
Floor 1 Floor 2 Floor 3 Floor 1 Floor 2 Floor 3
CSS Link
Eth-Trunk
8.5 CSS Connection Modes

Member switches can set up a CSS through CSS card connection and service port connection.
l CSS card connection
Member switches are connected using dedicated CSS cards installed on MPUs and
cluster cables.
l Service port connection
Member switches are connected using service ports, without a need for CSS cards. The
service ports must be configured as physical member ports of logical CSS ports. Figure
8-22 shows physical member ports and logical CSS ports in a CSS.

Figure 8-22 Service port connection
Physical Logical CSS port

member port CSS
CSS link
– Physical member port

A physical member port is a service port used to set up a cluster link between CSS
member switches. Physical member ports forward service packets or CSS protocol
packets between member switches.
– Logical CSS port
A logical CSS port is bound to physical member ports for CSS connection. Each
CSS member switch supports two logical CSS ports.
NOTE
l For details about CSS connection modes, see 8.9 Establishing a CSS by Connecting CSS Cards
and 8.10 Establishing a CSS Using Service Port Connections.
l Two member switches in a CSS must be directly connected. That is, there are only the two member
switches on the CSS link.
Table 8-1 compares CSS connection modes.
Table 8-1 Comparison of CSS connection modes

Item CSS Card Service Port Description
Connection Connection
Whether Yes No The CSS card connection mode

CSS cards ensures high stability and low
are required latency, and facilitates CSS
troubleshooting.
Whether No Yes The service port connection

service ports mode occupies service ports and
are occupied requires at least XGE ports on
LPUs.
MPU Both the master The master and The CSS card connection mode
configuratio and standby standby switches has higher hardware
n switches must can have one or requirements.
requirement have two MPUs two MPUs
s installed. installed.

Item CSS Card Service Port Description

Connection Connection
Cluster CSS ports on the The switches can The service port connection
cable CSS cards of the set up a CSS as mode is more flexible:
connection S7700 must be long as they are l Even if multiple cluster cables
requirement connected. CSS connected by one fail, the CSS can still work, as
s ports on the CSS cluster cable. It is long as one cluster cable is
cards of the S9700 recommended that working normally.
must be connected the switches be
using at least one connected by at l Cabling in CSS card
cluster cable in a least two cluster connection mode is complex
group. cables. and there is a limit on the
number of faulty cluster
cables. CSS card connection
on the S7700s allows only one
faulty cluster cable. When
CSS ports are fully connected,
CSS card connection on the
S9700s allows three faulty
cluster cables at most.
Configuratio Simple Complex The service port connection

n mode requires service ports to be
complexity configured as physical member
ports of logical CSS ports.

CSS configuration tasks include CSS setup, CSS configuration and maintenance, and CSS
split.
Table 8-2 lists the CSS configuration tasks.
Table 8-2 CSS configuration task summary
Item Description Task
Establishin The two CSS connection modes Use one of the following methods:
g a CSS have different hardware and l 8.9 Establishing a CSS by
software requirements. Select an Connecting CSS Cards
appropriate mode to set up a CSS
based on device resources or l 8.10 Establishing a CSS Using
network requirements. Service Port Connections
NOTE
To set up a CSS, confirm the When establishing a CSS, select either
software and hardware requirements, CSS connection mode as required.
complete hardware installation, and
software configuration. After that,
check whether the CSS is set up
successfully.

Item Description Task
8.11 The following configurations can be 8.11 Configuring Enhanced CSS

Configuri performed to enhance system Functions
ng reliability and facilitate CSS
Enhanced management:
CSS l 8.11.1 Configuring MAD
Functions
l 8.11.2 Configuring a System
MAC Address
l 8.11.3 Setting a Delay Time
Before Service Ports Restore to
the Up State
l 8.11.4 Enabling the CSS Port
Error-Down Function
(Applicable to S9700 CSS Card
Connection Mode)
l 8.11.5 Configuring the CSS
Physical Port-Down Delay
Function
The preceding tasks are optional and
can be configured based on your
needs. It is recommended that you
configure MAD immediately after a
CSS is set up.
8.12 You can perform the following tasks 8.12 Maintaining the CSS
Maintaini during CSS maintenance:
ng the l 8.12.1 Monitoring the CSS
CSS Status
l 8.12.2 Enabling/Disabling CSS
Traps
l 8.12.3 Performing a Master/
Standby Switchover
l 8.12.4 Upgrading CSS
Software
l 8.12.5 Checking Connectivity
of CSS Links (Applicable to
S9700 CSS Card Connection
Mode)
The preceding tasks are optional and
can be configured based on your
needs.
8.13 If the CSS is not required, split the 8.13 Splitting a CSS
Splitting a CSS to restore the member switches
CSS to standalone switches.

8.7 CSS Support and Version Requirements
8.7.1 CSS Feature Limitations

Features Not Supported in a CSS
After two switches set up a CSS, the following features cannot be configured in the CSS:
l Synchronous Ethernet clock
l Precision Time Protocol (PTP) (IEEE 1588)
CSS Specifications and Limitations
l For MAD specifications:
– You can configure a maximum of four direct detection links for each member
switch in a CSS.
– You can configure the relay mode on a maximum of four Eth-Trunks in a CSS.
– In V200R008C00 and earlier versions, you can configure a maximum of 64 Eth-
Trunks on a relay agent to provide the relay function for multiple CSS systems.
This restriction does not apply to versions later than V200R008C00.
Requirements for Loading a License for a CSS
To load a license for a CSS, see FAQ "How Do I Install a License File for a CSS?".
Notes About CSS Card Clustering
If MPUs of S7700 switches have flexible service units (FSUs) installed, the CSS connection
mode cannot be set to CSS card connection. If an S7700 switch uses the CSS card connection
mode, FSUs cannot be used on the switch. If an FSU is installed on the MPU of the switch,
the FSU is powered off.
When VS08/VS04 CSS cards are used to set up a CSS, the bandwidth that the MPUs provide
to LPUs decreases because the CSS cards consume some bandwidth of the MPUs.
Notes About Service Port Clustering
Hardware Installation:
l The use of LPUs with the same port speed is recommended. If member switches are
connected using LPUs with different port speeds, inter-chassis forwarding may be
unstable.
l When the service port connection mode is used, FSUs can be installed on the member
switches.
l In service port clustering, if a device has CSS cards installed, CSS cards will be powered
off.
Software Configuration:
l When switches using SRUAs, SRUBs, SRUCs, and SRUDs set up a CSS in service port
clustering mode, the system software file (system startup package) must be saved in the
CF card. If it is saved in the flash memory, the CSS cannot be set up in service port
clustering mode.
l If a switch using SRUCs needs to set up a CSS with a switch using SRUDs, run the
undo detect-engine enable command to disable hardware engine of the SRUDs (restart

the switch for the configuration to take effect), and then configure the CSS function. If
SRU hardware engine is not disabled on the switch using SRUDs, the two switches may
restart repeatedly or the CSS may split and merge.
l Avoid deploying inter-chassis forwarding services on the LPUs that provide service ports
for clustering. Such LPUs preferentially forward received traffic from local ports, so
inter-card load balancing cannot be implemented.
l If a load balancing profile is configured on the LPUs that provide service ports for
clustering, traffic distribution among cluster links is affected, or even traffic loss may
occur. The load balancing profile configured using the load-balance-profile command
controls the load balancing mode used on cluster links. (If the specified profile does not
exist, the default load balancing mode is used.) When configuring the load balancing
mode for a specific type of packets using the mpls field, l2 field, ipv4 field, or ipv6
field command, you are advised to specify multiple keywords in the command so that
traffic can be load balanced properly.
l If the capwap source interface command has been executed to specify the source
interface used by the AC to establish a CAPWAP tunnel with an AP, the port interface
enable command configuration may fail because of insufficient ACL resources. The
port interface enable command is used to add physical member ports to a logical CSS
port.
l After a service port is configured as a physical member port of a logical CSS port, the
service port can transmit only CSS-related traffic and cannot be configured with any
other services. Most commands are unavailable in the corresponding interface view,
except the following
– set flow-stat interval
– description (interface view)
– log-threshold input-rate output-rate
– trap-threshold
– display interface
– display interface brief
– display interface description
– display counters
– reset counters interface
– reset counters if-mib interface
– set flow-statistics include-interframe
Version Rollback:
If a member switch has FSUs installed and uses the service port connection mode, it cannot
be degraded to a version that does not support the service port connection mode. Therefore,
before degrading the system version to such a version, delete the configuration of the service
port connection.
8.7.2 CSS Version Requirements

NOTE
The Stack & SVF Assistant is provided to help configure CSS on switches. To obtain the assistant, click
CSS Assistant.


Other network elements are not required.
CSS is not under license control.
Table 8-3 Products and versions supporting CSS

Prod Prod Version Supporting CSS Card Version Supporting Service
uct uct Clustering Port Clustering
Mode
l
S7700 S7703 Not supported Not supported
S7700 S7706 V200R001(C00&C10), V200R002C00, V200R003C00,

S7712 V200R002C00, V200R003C00, V200R005C00, V200R006C00,
V200R005C00, V200R006C00, V200R007C00, V200R008C00,
V200R007C00, V200R008C00, V200R009C00, V200R010C00,
V200R009C00, V200R010C00, V200R011C10
V200R011C10
S9700 S9703 Not supported Not supported
S9700 S9706 V200R003C00, V200R005C00, V200R001C01, V200R002C00,

S9712 V200R006C00, V200R007C00, V200R003C00, V200R005C00,
V200R008C00, V200R009C00, V200R006C00, V200R007C00,
V200R010C00, V200R011C10 V200R008C00, V200R009C00,
V200R010C00, V200R011C10
8.7.3 Software and Hardware Support for S7700 CSS Card

Clustering
Table 8-4 Software and Hardware Support for S7706&S7712 CSS Card Clustering
Device Model l S7706
l S7712

CSS Card and l CSS card: ES02VSTSA (All l CSS card: ES1D2VS04000
Installation Slot ports on the CSS cards must (CSS ports on the CSS cards
be connected.) must have at least one cable
l Installation slot: subcard connected and ports on both
slots of ES1D2SRUAC00, ends of the cable must use the
ES0D00SRUA00 (non- same port number.)
VER.A) and l Installation slot: subcard slots
ES0D00SRUB00 (non- of ES1D2SRUH000 and
VER.A) ES1D2SRUE000
CSS card and MPU models are CSS card and MPU models are abbreviated to
abbreviated to VSTSA and SRUA (or VS04 and SRUH (or SRUE) respectively.
SRUB) respectively.
Software Version ES0D00SRUA00 and SRUH: V200R009C00 and later

ES0D00SRUB00: versions
V200R001C00 and later SRUE: V200R010C00 and later
versions versions
ES1D2SRUAC00:
V200R010C00 and later
versions
Hot Swap of CSS Not supported Supported

Cards
Number of CSS 2 2
Cards Supported
by Each Chassis
Number of CSS Four 16G ports Four 10G ports

Ports on Each
CSS Card and
Bandwidth of a
Single CSS Port

Pluggable l 3 m and 10 m QSFP+ high- l 1 m, 3 m, 5 m (passive), and 10

Modules for speed cables m (active) SFP+ cables
Ports on CSS l QSFP+ optical module (only l SFP+ optical module and fiber
Cards QSFP-40G-SR4, l 3 m and 10 m SFP+ AOC
QSFP-40G-iSR4, and cables
QSFP-40G-eSR4) and fiber
l 10 m QSFP+ AOC cable
(supported since
V200R010C00)
l 5 m QSFP+ high-speed
cables (supported since
V200R011C10)
NOTE
1-to-4 QSFP+ high-speed cables,
1-to-4 QSFP+ AOC cables, and
QSFP+ optical modules that
connect a 40GE port to four 10GE
ports using a 1-to-4 cable do not
support CSS.
Hardware l Two S7706s, one S7706 and l Two S7706s, one S7706 and
Configuration one S7712, or two S7712s one S7712, or two S7712s can
can set up a CSS. set up a CSS.
l Each chassis must have both l Each chassis can have only one
active and standby MPUs SRU installed, and a CSS card
installed, and the two MPUs can be installed in any MPU
must have stack cards slot. To ensure reliability, you
installed. are advised to install two
l MPUs in a single chassis MPUs in each chassis.
must be the same model. l MPUs in a single chassis must
Two chassis with different be the same model. Two
SRUs can set up a CSS only chassis with different SRUs can
in one case: SRUA in one set up a CSS only in one case:
chassis and SRUB in the SRUH in one chassis and
other. SRUE in the other and both
chassis run V200R010C00 or a
later version.
License Required No
8.7.4 Software and Hardware Support for S9700 CSS Card

Clustering
l S9712

CSS Card and CSS card: EH1D2VS08000 (Eight ports on a CSS card are divided
Installation Slot into two groups, each of which must have at least one cable
connected.)
Installation slot: subcard slot of EH1D2SRUC000
CSS card and MPU models are abbreviated to VS08 and SRUC respectively.
Software Version V200R003C00 and later versions
Hot Swap of CSS Not supported

Cards
Number of CSS 2
Cards Supported
by Each Chassis
Number of CSS Eight 10G ports

Ports on Each
CSS Card and
Bandwidth of a
Single CSS Port
Pluggable l 1 m, 3 m, 5 m (passive), and 10 m (active) SFP+ cables

Modules for Ports l SFP+ optical module and fiber
on CSS Cards
l 3 m and 10 m SFP+ AOC cables
Hardware l Two S9706s, one S9706 and one S9712, or two S9712s can set up
Configuration a CSS.
l Switches to set up a CSS must have both active and standby
MPUs installed, and the two MPUs must have stack cards
installed.
License Required No
8.7.5 Software and Hardware Support for S7700 Service Port

Clustering
l S7712
Software V200R002C00 and later

Version

Service Card l ES1D2X08SED4 ES1D2L02QFC0

Model l ES1D2X08SED5
NOTE
l ES0D0X12SA00
For details
about service l ES1D2X16SFC0
cards, see
"Cards" in l ES1D2X40SFC0
the Hardware l ES1D2X32SSC0
Description of
the specific l ES1D2X16SSC2
product
model.
Pluggable l 1 m, 3 m, 5 m (passive), and 10 l 1 m, 3 m, and 5 m QSFP+ high-

Modules on m (active) SFP+ cables speed cables
Service Ports l SFP+ optical module and fiber l QSFP+ optical module (except
l 3 m and 10 m SFP+ AOC the QSFP-40G-SR-BD model)
cables and fiber
NOTE l 10 m QSFP+ AOC cable
The ES0D0X12SA00 does not support (supported since
3 m and 5 m SFP+ high-speed cables. V200R009C00)
Usage l On the ES1D2X08SED4 and The interconnected CSS physical

Constraints ES1D2X08SED5 LPUs, at member ports on the two member
most four ports can be switches must be both 40GE ports.
configured as CSS physical XGE ports derived from a 40GE
member ports. The four port cannot be added to a logical
physical member ports must be CSS port.
the first four ports (numbered 0
to 3) or the last four ports
(numbered 4 to 7) on the LPUs.
l On the ES1D2X16SFC0,
ES1D2X40SFC0,
ES1D2X32SSC0 and
ES1D2X16SSC2 LPUs, four
contiguous ports must be
configured as a group of
physical member ports together.
The port numbers of the four
ports must start with 4xN and
end with 4xN+3 (N = 0, 1, 2...).
For example, ports 0 to 3 or
ports 4 to 7 must be configured
together, but ports 2 to 5 cannot
be configured together. If any
port in a group is configured as
a physical member port, the
other three ports of the same
group must also be configured
as physical member ports.

Hardware l Only two S7706 switches, two S7712 switches, or one S7706 and one
Configuration S7712 can set up a CSS.
l MPUs in one chassis must be the same model. MPUs in the local and
remote chassis can be the same model or different models; however,
the same MPU model is recommended. Two chassis with different
SRUs can set up a CSS only in two cases: (1) SRUA in one chassis
and SRUB in the other; (2) SRUH in one chassis and SRUE in the
other and both chassis run V200R010C00 or a later version.
l Each chassis can have at most two LPUs for CSS connection. It is
recommended that you use the same type of LPUs in a chassis for
CSS connection. The two chassis must use the same type of ports for
CSS connection, for example, 10GE SFP+ optical ports.
l Each LPU allows only one logical CSS port. Each logical CSS port
supports a maximum of 32 physical member ports.
l Some ports on an LPU can function as CSS ports, while other ports
on the LPU function as service ports.
License No
Required
8.7.6 Software and Hardware Support for S9700 Service Port

Clustering
l S9712
Software V200R001C01 and later

Version
Service Card l EH1D2X08SED4 l EH1D2L02QFC0

Model l EH1D2X08SED5 l EH1D2L08QFC0
NOTE
l EH1D2X12SSA0
For details
about service l EH1D2X16SFC0
cards, see
"Cards" in l EH1D2X40SFC0
the Hardware l EH1D2X32SSC0
Description of
the specific l EH1D2X16SSC2
product
model.

Pluggable l 1 m, 3 m, 5 m (passive), and 10 l 1 m, 3 m, and 5 m QSFP+ high-

Modules on m (active) SFP+ cables speed cables
Service Ports l SFP+ optical module and fiber l QSFP+ optical module (except
l 3 m and 10 m SFP+ AOC the QSFP-40G-SR-BD model)
cables and fiber
NOTE l 10 m QSFP+ AOC cable
The EH1D2X12SSA0 does not (supported since
support 3 m and 5 m SFP+ high-speed V200R009C00)
cables.
Usage l On the EH1D2X08SED4 and The interconnected CSS physical

Constraints EH1D2X08SED5 LPUs, at member ports on the two member
most four ports can be switches must be both 40GE ports.
configured as CSS physical XGE ports derived from a 40GE
member ports. The four port cannot be added to a logical
physical member ports must be CSS port.
the first four ports (numbered 0
to 3) or the last four ports
(numbered 4 to 7) on the LPUs.
l On the EH1D2X16SFC0,
EH1D2X40SFC0,
EH1D2X32SSC0 and
EH1D2X16SSC2 LPUs, four
contiguous ports must be
configured as a group of
physical member ports together.
The port numbers of the four
ports must start with 4xN and
end with 4xN+3 (N = 0, 1, 2...).
For example, ports 0 to 3 or
ports 4 to 7 must be configured
together, but ports 2 to 5 cannot
be configured together. If any
port in a group is configured as
a physical member port, the
other three ports of the same
group must also be configured
as physical member ports.
Hardware l Only two S9706 switches, two S9712 switches, or one S9706 and one
Configuration S9712 can set up a CSS.
l MPUs in one chassis must be the same model. MPUs in the local and
peer chassis can be different models but are recommended to be the
same model.

l Each chassis can have at most two LPUs for CSS connection. It is
recommended that you use the same type of LPUs in a chassis for
CSS connection. The two chassis must use the same type of ports for
CSS connection, for example, 10GE SFP+ optical ports.
l Each LPU allows only one logical CSS port. Each logical CSS port
supports a maximum of 32 physical member ports.
l Some ports on an LPU can function as CSS ports, while other ports
on the LPU function as service ports.
License No
Required
Table 8-5 Default CSS configuration

CSS function Disabled
CSS ID 1
CSS priority 1
8.9 Establishing a CSS by Connecting CSS Cards

Carefully review the software and hardware requirements, and the role and functions of
member switches before you establish a CSS by connecting CSS cards. You are advised to
follow the process in Figure 8-23 to establish a CSS.

Figure 8-23 Process of establishing a CSS by connecting CSS cards (recommended)
Confirm software/ Set CSS connection

hardware requirements mode
Install CSS cards Configure CSS IDs
Configure CSS Check whether the CSS

Install MPUs
priorities is set up successfully
Enable the CSS

Connect cluster cables End
function
Hardware Software
Verification
installation configuration
Mandatory
Optional
NOTE
8.9.1 Installing Hardware
8.9.1.1 Installing a CSS Card
Preparing for Installation

l Required components: MPUs and CSS cards
l Required tools: Phillips screwdriver and an ESD wrist strap (or ESD gloves)
Precautions
The CSS card is not hot swappable. When the switch has an MPU installed and powered on,
power off the MPU before you install or remove a CSS card.
Card storage and transportation:

l Handle a CSS card carefully when it is outside the cabinet (chassis). Take ESD
protection measures. Place the card horizontally. Keep the side with electronic
components facing upward. Do not place any objects on the card.

l Do not place the card in a humid environment or direct sunlight. Ensure that the
environment where the card is temporarily stored is suitable for storage.
l Do not stack multiple cards together for transportation. Handle one card each time.
Card installation and removal:
l Take ESD protection measures and do not touch the surface of the printed circuit board
(PCB).
l Push or pull the card slowly and horizontally along the guide rail. Avoid short circuits
caused by metal objects and place tools in proper locations.
Installation Procedure
1. Wear an ESD wrist strap and connect the ground terminal to the ESD jack on the chassis.
2. Install the CSS card on an MPU according to Figure 8-24.
Figure 8-24 Installing the CSS card on an MPU
3. Install the MPU on the chassis according to Figure 8-25.
Figure 8-25 Installing an MPU in the chassis
4. View the RUN/ALM indicator on the new MPU and CSS card.
NOTE
After a new MPU is installed in the chassis, it starts and registers automatically. The start and
registration process takes less than 5 minutes.
– If the RUN/ALM indicator blinks green fast, the MPU or CSS card is starting.
– If the RUN/ALM indicator blinks green slowly, the MPU or CSS card is running
normally.
8.9.1.2 Connecting Cluster Cables


l Required components: electrical cables or optical modules with matching optical fibers
or AOC cables
l Required tools: cable ties, fiber binding tapes, labels, and an ESD wrist strap (or ESD
gloves)
Precautions
When removing or connecting an optical fiber, do not look into the optical port without eye
protection. The laser emitted from the optical port can injure your eyes.
l Take ESD protection measures before the installation.

l Prevent the cables from being twisted.
l Insert or remove optical fibers carefully to prevent damage to optical fiber connectors.
l Ensure that the bend radius of an optical fiber or electrical cable is larger than its
minimum bend radius. The minimum bend radius of QSFP+ cables, SFP+ to SFP+
cables, and AOC cables is 50.8 mm, 25 mm, and 30 mm respectively. The bend radius of
optical fibers is generally larger than or equal to 40 mm.
l Clean the optical fiber connector with alcohol swab or air-laid paper along one direction,
if the connector is dirty.
l Push the connector inward gently first, and then pull the handle on the electrical cable to
remove it.
2. Attach labels to both ends of a cluster cable according to Figure 8-26 and number these
labels starting from 1.
Figure 8-26 Attaching labels

3. Connect cluster cables according to the connection rule shown in Figure 8-27 or Figure
8-28.
– When you hear a click, the electrical cable, optical module, or optical fiber is
installed properly.
– When removing the electrical cable, optical module, or optical fiber, push the
connector or handle inward first, and then pull it out.
Figure 8-27 ES02VSTSA (S7700) connection rule
NOTE
Follow these rules when connecting VSTSA CSS cards: Each VSTSA CSS card has four ports.
All ports with the same port number and color must be connected, as shown in the preceding
figure. For example, port 1 in blue on the left chassis must be connected to port 1 in blue on the
right chassis.
The CSS set up using VSTSA CSS cards allows at most one faulty cluster cable.
Figure 8-28 EH1D2VS08000 (S9700) connection rule

NOTE
Follow these rules when connecting VS08 CSS cards: Each VS08 CSS card provides eight ports,
which are divided into two groups. Ports in the groups with the same ID and color must be
connected. For example, ports in group 1 in blue on the left and right chassis must be connected,
and ports in group 2 in blue on the left and right chassis must be connected. See the preceding
figure to connect cables between groups. Ports in a group can be connected in any sequence, but
each group must have at least one cable connected. Full-mesh connections are recommended.
4. Arrange the cables in order and bundle the cables with a cable divider.
5. To power on the switches, ensure that power cables and ground cables are correctly
connected and then switch on the external power modules and built-in power modules in
turn.
8.9.2 Configuring CSS Software
Context
Table 8-6 lists software configurations for establishing a CSS by connecting CSS cards.
Table 8-6 Software configurations for establishing a CSS by connecting CSS cards
Item Description Remarks
Setting the Connection Before connecting two -

Mode to CSS Card switches to establish a CSS,
Connection set the connection mode to
CSS card connection on
both switches.
By default, the CSS card
connection mode is used on
MPUs including SRUA
(S7700), SRUB (S7700) and
SRUC (S9700) that support
CSS card clustering.
Configuring a CSS ID The two member switches in NOTICE

a CSS must have different Do not change the CSS ID of
the switch after a CSS is
CSS IDs (1 and 2). Switches
established. Otherwise, the
with the same CSS ID CSS splits.
cannot set up a CSS. By
default, all switches use
CSS ID 1. Before
establishing a CSS, change
the CSS ID to 2 on one of
the member switches.

(Optional) Configuring a The CSS priority determines However, if a switch with

CSS Priority the role of member switches the highest priority starts
during role election. A slowly, it cannot be the
larger value indicates a master switch. If you want a
higher priority and higher switch to be the master
probability that the member switch, start the switch first.
switch is elected as the When two switches
master switch. complete the start at the
By default, the CSS priority same time, the switch with
of a switch is 1. the higher CSS priority
(Optional) Specifying the Generally, the master switch If this step is performed on
Master Switch Forcibly of a CSS is elected when the two switches before they set
CSS is set up. You can also up a CSS, the configuration
forcibly specify one switch does not take effect after the
as the master switch of a CSS is set up. The master
CSS. switch of the CSS is elected
through competition.
NOTICE
After a switch is manually
specified as the master switch,
a forcible master/standby
switchover may occur when
both switches run normally. If
a master/standby switchover
occurs, network services may
be affected. Therefore,
specifying the master switch
forcibly is not recommended.
Enabling the CSS Function By default, the CSS function You can run the display css
and Restarting Switches is disabled on a switch. status [ saved ] command to
The CSS function must be check whether the CSS
enabled on both two function is enabled on the
member switches. current switch. If the
parameter saved is set, you
can view the saved CSS
configuration.
Procedure
Step 1 Run the system-view command to enter the system view.
Step 2 Run the set css mode css-card command to set the connection mode to CSS card connection.
Step 3 Run the set css id new-id command to set a CSS ID for the switch.
Step 4 (Optional) Run the set css priority priority command to set a CSS priority for the switch.
Step 5 (Optional) Run the css master force command to specify a switch as the master switch.

Step 6 Run the css enable command to enable the CSS function on the switch.
After you enable the CSS function, the system prompts you to restart the switches. Enter Y to
restart the switches; otherwise, configurations cannot take effect, and the CSS cannot be
established.
----End
8.9.3 Verifying a CSS Is Established

After you complete CSS configurations, review key indicators to confirm the CSS has been
established successfully. If the CSS has been successfully established, log in to the CSS and
run commands to confirm the CSS state information and configure enhanced CSS functions.
If a CSS has not been established, check the indicator abnormalities or log in to the CSS and
run commands to locate and rectify faults.
8.9.3.1 Reviewing Indicators to Confirm a CSS Is Established
Background
After a CSS is set up, you can review indicators on the member switches to check CSS state
information, including the master/standby state of switches and link status.
Checking Whether Indicator Status Is Normal

When two S7700 switches with SRUAs or SRUBs and the ES02VSTSA CSS cards establish
a CSS successfully, the indicator status is as follows:
l The MASTER indicator on only one CSS card is steady green.
l On one switch, the CSS ID indicators numbered 1 on both CSS cards are steady green.
On the other switch, the CSS ID indicators numbered 2 on both CSS cards are steady
green.
l The ACT/LINK indicators on all CSS cards are steady green.
When two S9700 switches with SRUCs and the EH1D2VS08000 CSS cards installed set up a
CSS successfully, the indicator status is as follows:
l The MASTER indicator on only one CSS card is steady green.
l On one switch, the CSS ID indicators numbered 1 on both SRUCs are steady green. On
the other switch, the CSS ID indicators numbered 2 on both SRUCs are steady green.
l The LINK/ALM indicators on all CSS cards are steady green.
For details on the indicator status and meanings, see Indicator Status in Clustering
Through CSS Cards.
Follow-Up Process
l If the indicator status is normal, log in to the CSS and run commands to check CSS state
information and configure enhanced CSS functions.

l If the indicator status is abnormal, locate the fault according to Table 8-7 or log in to the
CSS and run commands to locate and rectify the faults.
Indicator Status in Clustering Through CSS Cards

Table 8-7 describes the indicators that show state of a CSS set up by connecting CSS cards.
Table 8-7 Indicator status in clustering through CSS cards

CSS Card and Indicator Location Indicator Description
MPU Models
MPU: SRUA, CSS card MASTER: master/ l Steady green:

SRUB (S7700) standby status The MPU is the
CSS card: indicator master MPU of
ES02VSTSA the CSS, and the
local chassis is
the master
switch.
l Off: The CSS
function is not
enabled or the
local MPU is not
the master MPU
of the CSS.
NOTE
On the standby
switch, the MPU with
the ACT indicator
steady on is the
standby MPU of the
CSS.
CSS ID: CSS ID There are eight CSS

indicator ID indicators on the
panel, but only one
is on at a time.
l CSS ID N is
steady on: The
CSS ID of the
local chassis is
N.
l All CSS ID
indicators are off:
The chassis is not
running the CSS
service.


MPU Models
LINK: port status l Steady green:

indicator The link status of
the CSS port is
Up.
l Off: The link
status of the port
is Down.
MPU: MPU CSS ID: CSS ID There are eight CSS

SRUC(S9700) indicator ID indicators on the
CSS card: panel, but only one
EH1D2VS08000 is on at a time.
l CSS ID N is
steady on: The
CSS ID of the
local chassis is
N.
l All CSS ID
indicators are off:
The chassis is not
running the CSS
service.
CSS card MASTER: master/ l Steady green:

standby status The MPU is the
indicator master MPU of
the CSS, and the
local chassis is
the master
switch. The
MASTER
indicator is off on
the standby
switch. On the
standby switch,
the MPU with the
ACT indicator
steady on is the
standby MPU of
the CSS.
l Off: The CSS
function is not
enabled or the
local MPU is not
the master MPU
of the CSS.


MPU Models
LINK/ALM: port l Steady green:

status indicator The port is Up,
and cable
connection on the
port is correct.
l Steady red: Cable
connection on the
port is incorrect.
l Off: The link
status of the port
is Down.
8.9.3.2 Logging In to a CSS to Verify that a CSS Is Established
Context
You can log in to a CSS and run display commands to check whether the CSS is established
successfully. If the CSS fails to be established, you can locate the faults according to the
command output.
Procedure
Step 1 Log in to the CSS.
l Local login: Log in to the CSS from the console port on any MPU.
l Remote login: After reachable routes are configured, you can remotely log in to the CSS
from a management interface on any MPU or a Layer 3 interface using Telnet, STelnet,
web, or SNMP.
NOTE
l After a CSS is established successfully, the configuration file of the master switch takes effect.
When logging in to a CSS remotely, access the IP address of the master switch.
l If a CSS is not established, log in to the two member switches respectively for troubleshooting.
Step 2 Check whether a CSS is established successfully.

Run the display device command to check the card status. If the card status of two member
switches is displayed in the command output, the CSS is established successfully.
Chassis 1 (Master Switch)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
2 - EH1D2S24CEA0 Present PowerOn Registered Normal NA
7 - EH1D2SRUC000 Present PowerOn Registered Normal Master
1 EH1D2VS08000 Present PowerOn Registered Normal NA
8 - EH1D2SRUC000 Present PowerOn Registered Normal Slave

CMU2 - EH1D200CMU00 Present PowerOn Registered Normal Master

Chassis 2 (Standby Switch)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
2 - EH1D2S24CEA0 Present PowerOn Registered Normal NA
Alternatively, run the display css status command to check the CSS status. If CSS status of
two member switches is displayed, the CSS is established successfully.
<HUAWEI> display css status
Chassis Id CSS Enable CSS Status CSS Mode Priority Master Force
------------------------------------------------------------------------------
1 On Master CSS card 255 Off
2 On Standby CSS card 1 Off
l If the command output contains information about both switches, go to step 3.

l If the command output contains information about only one switch, rectify the fault
according to Checking Whether Cables Are Correctly Connected.
Step 3 Check whether the cluster links are normal.
Run the display css channel command to check the cluster link status.
If two S7700 switches are connected using ES02VSTSA CSS cards, check whether the cluster
link status [VSTS Port(Status)] is Up and whether there is a symbol ! following the port rate.
(The ! symbol indicates unstable link status.)
<HUAWEI> display css channel
Chassis 1 || Chassis 2
================================================================================
Num [SRUB HG] [VSTS Port(Status)] || [VSTS Port(Status)] [SRUA HG]
1 1/7 1/15 -- 1/7/0/1(UP 16G) ---||--- 2/7/0/4(UP 16G) -- 2/8 0/14
2 1/7 0/15 -- 1/7/0/3(UP 16G) ---||--- 2/8/0/2(UP 16G) -- 2/7 0/15
3 1/7 1/14 -- 1/8/0/4(DOWN NA) --||--- 2/7/0/1(DOWN NA) -- 2/7 0/0
4 1/7 0/14 -- 1/8/0/2(UP 16G) ---||--- 2/8/0/3(UP 16G) -- 2/8 0/1
5 1/8 1/15 -- 1/8/0/1(UP 16G) ---||--- 2/8/0/4(UP 16G) -- 2/7 0/14
6 1/8 0/15 -- 1/8/0/3(UP 16G) ---||--- 2/7/0/2(UP 16G) -- 2/8 0/15
7 1/8 1/14 -- 1/7/0/4(UP 16G) ---||--- 2/8/0/1(UP 16G!) -- 2/8 0/0
8 1/8 0/14 -- 1/7/0/2(UP 16G) ---||--- 2/7/0/3(UP 16G) -- 2/7 0/1
Current system time: 2013-12-14 10:48:13:0000

CSS channel 1 last physical down time: 2013-12-13 10:01:49:0130
l If the command output contains no DOWN NA or !, all the cluster links are running
normally and a CSS is established successfully.
l If the command output contains DOWN NA or !, rectify the fault according to
Rectifying a CSS Link Fault.
If two S9700 switches are connected using EH1D2VS08000 CSS cards, check whether the
cluster link connections and status are consistent with actual hardware connections.
<HUAWEI> display css channel

================================================================================
Num [SRUC HG] [VS08 Port(Status)] || [VS08 Port(Status)] [SRUC HG]
1 1/7 0/12 -- 1/7/0/1(UP 10G) ---||--- 2/7/0/1(UP 10G) -- 2/7 0/12
2 1/7 0/16 -- 1/7/0/2(UP 10G) ---||--- 2/7/0/2(UP 10G) -- 2/7 0/16
3 1/7 0/13 -- 1/7/0/3(UP 10G) ---||--- 2/7/0/3(UP 10G) -- 2/7 0/13
4 1/7 0/17 -- 1/7/0/4(UP 10G) ---||--- 2/7/0/4(UP 10G) -- 2/7 0/17
5 1/7 0/14 -- 1/7/0/5(UP 10G) ---||--- 2/8/0/5(UP 10G) -- 2/8 0/14
6 1/7 0/18 -- 1/7/0/6(UP 10G) ---||--- 2/8/0/6(UP 10G) -- 2/8 0/18
7 1/7 0/15 -- 1/7/0/7(UP 10G) ---||--- 2/8/0/7(UP 10G) -- 2/8 0/15
8 1/7 0/19 -- 1/7/0/8(UP 10G) ---||--- 2/8/0/8(UP 10G) -- 2/8 0/19
9 1/8 0/12 -- 1/8/0/1(UP 10G) ---||--- 2/8/0/1(UP 10G) -- 2/8 0/12
10 1/8 0/16 -- 1/8/0/2(UP 10G) ---||--- 2/8/0/2(UP 10G) -- 2/8 0/16
11 1/8 0/13 -- 1/8/0/3(UP 10G) ---||--- 2/8/0/3(UP 10G) -- 2/8 0/13
12 1/8 0/17 -- 1/8/0/4(UP 10G) ---||--- 2/8/0/4(UP 10G) -- 2/8 0/17
13 1/8 0/14 -- 1/8/0/5(UP 10G) ---||--- 2/7/0/5(UP 10G) -- 2/7 0/14
14 1/8 0/18 -- 1/8/0/6(UP 10G) ---||--- 2/7/0/6(UP 10G) -- 2/7 0/18
15 1/8 0/15 -- 1/8/0/7(UP 10G) ---||--- 2/7/0/7(UP 10G) -- 2/7 0/15
16 1/8 0/19 -- 1/8/0/8(UP 10G) ---||--- 2/7/0/8(UP 10G) -- 2/7 0/19
l If the displayed cluster link connections and status are consistent with actual hardware
connections, all the cluster links are running normally and a CSS is established
successfully.
l If some cluster links are not displayed (abnormal cluster links), run the display css port
all command to check the status of all CSS ports.
<HUAWEI> display css port all
*down: administratively down
(e): ERROR down
VS08 Port status InUit OutUit inErrors outErrors
1/7/0/1 down 0% 0% 0 0
1/7/0/2 down 0% 0% 0 0
1/7/0/3 down 0% 0% 0 0
1/7/0/4 up 0% 0% 0 0
1/7/0/5 up 0% 0% 0 0
1/7/0/6 up 0% 0% 0 0
1/7/0/7 up 0% 0% 0 0
1/7/0/8 up 0% 0% 0 0
1/8/0/1 up 0% 0% 0 0
1/8/0/2 up 0% 0% 0 0
1/8/0/3 up 0% 0% 0 0
1/8/0/4 up 0% 0% 0 0
1/8/0/5 up 0% 0% 0 0
1/8/0/6 up 0% 0% 0 0
1/8/0/7 up 0% 0% 0 0
1/8/0/8 up 0% 0% 0 0
2/7/0/1 down 0% 0% 0 0
2/7/0/2 down 0% 0% 0 0
2/7/0/3 down 0% 0% 0 0
2/7/0/4 up 0% 0% 0 0
2/7/0/5 up 0% 0% 0 0
2/7/0/6 up 0% 0% 0 0
2/7/0/7 up 0% 0% 0 0
2/7/0/8 up 0% 0% 0 0
2/8/0/1 up 0% 0% 0 0
2/8/0/2 up 0% 0% 0 0
2/8/0/3 up 0% 0% 0 0
2/8/0/4 up 0% 0% 0 0
2/8/0/5 up 0% 0% 0 0
2/8/0/6 up 0% 0% 0 0
2/8/0/7 up 0% 0% 0 0
2/8/0/8 up 0% 0% 0 0
l If the CSS ports with abnormal cluster links are Up, the cluster cables may be connected
incorrectly. Rectify the fault according to Checking Whether Cables Are Correctly
Connected.

l If the CSS ports with abnormal cluster links are Down, check whether the cluster cables
on the ports are loose or damaged. If so, reconnect or replace the cluster cables.
----End
Rectifying Common CSS Faults

l Checking Whether Cables Are Correctly Connected
Run the terminal monitor and terminal trapping commands in the user view to enable
the alarm function. Check whether an alarm on incorrect CSS card connection is
displayed. (The OIDs for the ES02VSTSA CSS card are
1.3.6.1.4.1.2011.5.25.183.3.3.2.4 hwCssConnectError and
1.3.6.1.4.1.2011.5.25.183.3.3.2.19 hwCssPhyCardConnectError, and the OID for the
EH1D2VS08000 CSS card is 1.3.6.1.4.1.2011.5.25.183.3.3.2.15
hwCssPhyVs08ConnectError.)
– If no alarm is generated and the configuration is correct, a hardware fault may have
occurred. For example, an MPU, a CSS card, or a cluster cable is faulty.
– If such an alarm is displayed, connect cluster cables correctly according to the
alarm message. You can obtain the following information from the alarm message:
n CSS ID, slot ID, and number of the CSS port where the cluster cable is
incorrectly connected
n Correct connection of the cluster cable
If the following alarm message is displayed (take the ES02VSTSA CSS card as an
example):
Mar 31 2013 10:53:43 SYS-136 CSSM/4/CSSCONNECTERROR:OID
1.3.6.1.4.1.2011.5.25.183.3.3.2.4 Connect error, 2/7 CSS port 3 link to
1/8 port 2, this port should link to 1/7 port 2
The message indicates that the CSS port 2/7/3 (CSS ID/slot ID/port number) is
incorrectly connected to the CSS port 1/8/2. The CSS port 2/7/3 should be
connected to the CSS port 1/7/2.
Table 8-8 describes how to rectify a fault according to the alarm message.

Table 8-8 Rectifying a fault according to the alarm message

Error Message Cause Problem Handling
ES02VSTSA CSS card: Some or all cluster If two devices have been
The connection between cables are incorrectly in the single-chassis CSS
CSS port 1/7/0/1 and connected. state before cluster
1/14/0/1 is incorrect. cables are connected, the
two devices remain in
this state. If two devices
are connected through
cluster cables and then
have the CSS function
enabled, the master
chassis will be in the
single-chassis CSS state,
while the standby chassis
will restart repeatedly.
Reconnect the cluster
cables according to the
rules and ensure that the
cable connectors are
securely connected to the
ports. After the cables
are correctly connected,
two switches merge into
a CSS.

EH1D2VS08000 CSS Some or all cluster If some cluster cables are

card: The connection cables are incorrectly incorrectly connected, a
between CSS port 2/1 connected. CSS has been set up. If
5/0/5 and 1/16/0/4 is all cluster cables are
incorrect. 2/15/0/5 incorrectly connected,
belongs to group 2 of pay attention to the
slot2/15 and should be following points:
connected to a port in l If two devices have
group 2 of slot1/16. 1 / been in the single-
16/0/4 belongs to group chassis CSS state
1 of slot1/16 and should before cluster cables
be connected to a port in are connected, the
group 1 of slot2/15. two devices remain in
(group 1: 1-4 group 2: this state.
5-8)
l If two devices are
connected through
cluster cables and
then have the CSS
function enabled, the
master chassis will be
in the single-chassis
CSS state, while the
standby chassis will
restart repeatedly.
Connect the cluster
cables to the correct
ports according to the
alarm message and
ensure that the cable
connectors are securely
connected to the ports.
After the cables are
correctly connected, two
switches merge into a
CSS.

ES02VSTSA&EH1D2V The possible causes are: Run the display css

S08000 CSS card: The l The cluster cable status command to
connection between CSS connects two CSS check the CSS IDs of the
port 1/7/0/8 and 1/14/0/8 ports on the same two switches.
is incorrect. Chassis ID switch. l If they are different,
conflict or self-loop. the CSS IDs are
l The connected ports
are on different configured correctly.
switches, but the This alarm message
switches are indicates that the
configured with the cluster cable connects
same CSS ID. two CSS ports on the
same switch. Connect
the cluster cable
correctly according to
the alarm message.
l If they are the same,
run the set css id
command to change
the CSS ID of one
switch and then
restart the switch.
l Rectifying a CSS Link Fault (Applicable to ES02VSTSA CSS Card Connection)

If a CSS port status is DOWN or there is the symbol ! following the port rate indicating
that the port has received error packets, follow the procedure to rectify the fault.
a. Find the cable connected to the CSS port, remove and then insert two ends of the
cable to ports, and ensure that they are securely connected to the ports.
b. Run the reset counters css port command to clear statistics on the port, and then
run the display css channel command. If the port status is still DOWN or the port
rate is still followed by the symbol !, proceed to the next step.
c. Power off the two switches and remove the MPU on which the faulty port is located
from the switch. Remove the CSS card from the MPU and then install it back.
Install the MPU back to the switch. Ensure that they are securely installed. After
that, power on the two switches.
d. If the fault persists, replace the cluster cable and then place the CSS card to check
whether the fault can be rectified.
8.10 Establishing a CSS Using Service Port Connections

Carefully review the software and hardware requirements, and the role and functions of
member switches before you establish a CSS using service port connections. You are advised
to follow the process in Figure 8-29 to establish a CSS.

Figure 8-29 Process of establishing a CSS using service port connections (recommended)
Set CSS connection

mode
Confirm software/ Configure CSS IDs

hardware requirements
Configure logical
CSS ports
Install LPUs
Configure CSS Check whether the CSS
priorities is set up successfully
Enable the CSS

Connect cluster cables End
function
Hardware Software
Verification
installation configuration
Mandatory
Optional
NOTE
8.10.1 Installing Hardware
8.10.1.1 Installing a Service Card

l Required components: service cards
l Required tools: an ESD wrist strap (or ESD gloves)
Precautions
Card storage and transportation:
l Handle a card carefully when it is outside the cabinet (chassis). Take ESD protection
measures. Place the card horizontally. Keep the side with electronic components facing
upward. Do not place any objects on the card.
l Do not place the card in a humid environment or direct sunlight. Ensure that the card is
stored in an environment suitable for storage.

l Do not stack multiple cards together for transportation. Handle one card each time.
Card installation and removal:
l Take ESD protection measures and do not touch the surface of the printed circuit board
(PCB).
l Push or pull the card slowly and horizontally along the guide rail. Avoid short circuits
caused by metal objects and place tools in proper locations.
Suggestion
If two service cards need to be installed in a switch for CSS setup, install the service cards
symmetrically besides the MPUs, for example, in slots 6 and 7, slots 5 and 8, or slots 1 and
12. You are advised to install the service cards on the same slot of the two member switches.
2. Install the service card on the chassis in the same way as installing an MPU. For details,
see Installing an MPU in the chassis.
8.10.1.2 Connecting Cluster Cables

l Required components: electrical cables or optical modules with matching optical fibers
or AOC cables
l Required tools: cable ties, fiber binding tapes, labels, and an ESD wrist strap (or ESD
gloves)
Precautions
When removing or connecting an optical fiber, do not look into the optical port without eye
protection. The laser emitted from the optical port can injure your eyes.
l Take ESD protection measures before the installation.

l Prevent the cables from being twisted.
l Insert or remove optical fibers carefully to prevent damage to optical fiber connectors.
l Ensure that the bend radius of an optical fiber or electrical cable is larger than its
minimum bend radius. The minimum bend radius of QSFP+ cables, SFP+ to SFP+
cables, and AOC cables is 50.8 mm, 25 mm, and 30 mm respectively. The bend radius of
optical fibers is generally larger than or equal to 40 mm.
l Clean the optical fiber connector with alcohol swab or air-laid paper along one direction,
if the connector is dirty.
l Push the connector inward gently first, and then pull the handle on the electrical cable to
remove it.

2. Attach labels to both ends of a cluster cable according to Figure 8-30 and number these
labels starting from 1.
Figure 8-30 Attaching labels
3. Connect cluster cables according to the connection rule shown in Figure 8-31.
– When you hear a click, the electrical cable, optical module, or optical fiber is
installed properly.
– When removing the electrical cable, optical module, or optical fiber, push the
connector or handle inward first, and then pull it out.

Figure 8-31 Service port connection rule
Two ends must have member ports of same type and

same count, which can be connected in any sequence.
…… …… …… ……
Recommended: Install LPUs symmetrically besides MPU slots
…… …… …… ……
SwitchA SwitchB
Physical
Logical CSS port Cluster cable
member port
MPU slots LPU slots
Service ports are connected in two ways according to link distribution:

– 1+0 networking: Each member switch has one logical CSS port and connects to
another member switch through the physical member ports located on the same
service card.
– 1+1 networking: Each member switch has two logical CSS ports, and physical
member ports of the logical CSS ports are located on two service cards. Cluster
links on the two service cards implement link redundancy. The preceding figure
shows the cable connections in this networking.
NOTE
When connecting cluster cables, pay attention to the following points:

l Physical member ports of a logical CSS port on one switch must connect to physical
member ports of a logical CSS port on the other switch.
l In 1+1 networking, it is recommended that two service cards have the same number of
cluster links.
To ensure reliability, pay attention to the following points when using the preceding two service
port clustering networkings:
l To ensure high reliability, you are advised to use 1+1 networking and configure multi-active
detection (MAD).
l At least two physical member ports on an LPU must be added to one logical CSS port.
l It is recommended that the cards to which uplink ports and MAD-enabled port belong be the
LPUs that are not used for CSS connections.
4. Arrange the cables in order and bundle the cables with a cable divider.

5. To power on the switches, ensure that power cables and ground cables are correctly
connected and then switch on the external power modules and built-in power modules in
turn.
8.10.2 Configuring CSS Software
Context
Table 8-9 lists the software configuration for establishing a CSS using service port
connections.
Table 8-9 Software configuration for establishing a CSS using service port connections
Setting the Before connecting two switches to The S7700 supports SRUA,
connection mode establish a CSS, set the SRUB and SRUH.
to service port connection mode to service port The S9700 supports SRUC and
connection connection on both switches. SRUD.
When the switches use SRUA,
SRUB, SRUC or SRUH, the
default connection mode is CSS
card connection. When the
switches use SRUD, the default
connection mode is service port
connection.
NOTE
In V200R008, switches using SRUHs
do not support the CSS card
connection mode (but the related
keyword is reserved in the CSS
connection mode configuration
command for function expansion). To
enable these switches to set up a CSS,
set the CSS connection mode to
service port connection.
Configuring a The two member switches in a NOTICE

CSS ID CSS must have different CSS IDs Do not change the CSS ID of the
switch after a CSS is established.
(1 and 2). Switches with the same
Otherwise, the CSS splits.
CSS ID cannot set up a CSS. By
default, all switches use CSS ID 1.
Before establishing a CSS, change
the CSS ID to 2 on one of the
member switches.

Configuring When the service port connection l A physical member port can be
logical CSS mode is used, you need to added to only one logical CSS
ports configure ports on two switches as port.
physical member ports and add l Physical member ports of the
them to logical CSS ports. You same logical CSS port must be
can then connect the logical CSS on the same card.
ports to set up a CSS after the
switches start. Each switch in the l Physical member ports of a
CSS supports two logical CSS logical CSS port on one switch
ports. must connect to physical
member ports of a logical CSS
Configure logical CSS ports for port on the other switch.
the two switches according to
connections between them. In 1+0 l XGE ports derived from a
networking, configure one logical 40GE port cannot be added to
CSS port for each switch. In 1+1 a logical CSS port.
networking, configure two logical l When a service port is
CSS ports for each switch. configured as a physical
member port, CRC errors may
occur on the port. To avoid this
problem, run the shutdown
command to shut down the
port before configuring it as a
physical member port.
(Optional) The CSS priority determines the However, if a switch with the
Configuring a role of member switches during highest priority starts slowly, it
CSS priority role election. A larger value cannot be the master switch. If
indicates a higher priority and you want a switch to be the master
higher probability that the switch, start the switch first.
member switch is elected as the When two switches complete the
master switch. start at the same time, the switch
By default, the CSS priority of a with the higher CSS priority
switch is 1. becomes the master switch.
(Optional) Generally, the master switch of a If this step is performed on two

Specifying the CSS is elected when the CSS is switches before they set up a CSS,
master switch set up. You can also forcibly the configuration does not take
forcibly specify one switch as the master effect after the CSS is set up. The
switch of a CSS. master switch of the CSS is
elected through competition.
NOTICE
After a switch is manually specified
as the master switch, a forcible
master/standby switchover may occur
when both switches run normally. If a
master/standby switchover occurs,
network services may be affected.
Therefore, specifying the master
switch forcibly is not recommended.

Enabling the By default, the CSS function is You can run the display css status
CSS function disabled on a switch. [ saved ] command to check
and restarting The CSS function must be enabled whether the CSS function is
switches on both two member switches. enabled on the current switch. If
the parameter saved is set, you
can view the saved CSS
configuration.
Procedure
Step 2 Run the set css mode lpu command to set the connection mode to service port connection.
Step 3 Run the set css id new-id command to set a CSS ID for the switch.
Step 4 Run the interface css-port port-id command to enter the logical CSS port view.
Step 5 Run the port interface { interface-type interface-number1 [ to interface-type interface-
number2 ] } &<1-10> enable command to configure a service port as a physical member port
and add it to a logical CSS port.
After a port is configured as a physical member port of a logical CSS port, this port is no
longer used for service forwarding. All the CSS-irrelevant commands on the port are deleted
and only basic interface configuration commands, such as description (interface view) are
saved on the port.
Step 6 Run the quit command to return to the system view.

Step 7 (Optional) Run the set css priority priority command to set a CSS priority for the switch.
Step 8 (Optional) Run the css master force command to specify a switch as the master switch.
Step 9 Run the css enable command to enable the CSS function on the switch.
After you enable the CSS function, the system prompts you to restart the switches. Enter Y to
restart the switches; otherwise, configurations cannot take effect, and the CSS cannot be
established.
----End
8.10.3 Verifying a CSS Is Established

After you complete CSS configurations, review key indicators to confirm the CSS has been
established successfully. If the CSS has been successfully established, log in to the CSS and

run commands to confirm the CSS state information and configure enhanced CSS functions.
If a CSS has not been established, check the indicator abnormalities or log in to the CSS and
run commands to locate and rectify faults.
8.10.3.1 Reviewing Indicators to Confirm a CSS Is Established
Background
After a CSS is set up, you can review indicators on the member switches to check CSS state
information, including the master/standby state of switches and link status.
Checking Whether Indicator Status Is Normal

When two switches establish a CSS successfully, the indicator status is as follows:
l On one switch, the ACT indicator on an MPU is steady green. On the other switch, the
ACT indicator on an MPU is blinking green.
l All the LINK indicators for physical member ports on service cards are steady green.
l When SRUCs are used on the S9700s, the CSS ID indicator numbered 1 on an SRUC of
one switch is steady green, and the CSS ID indicator numbered 2 on an SRUC of the
other switch is steady green.
For details on the indicator status and meanings, see Indicator Status in Service Port
Connection Mode.
Follow-Up Process
l If the indicator status is normal, log in to the CSS and run commands to check CSS state
information and configure enhanced CSS functions.
l If the indicator status is abnormal, locate the fault according to Table 8-10 or log in to
the CSS and run commands to locate and rectify the faults.
Indicator Status in Service Port Connection Mode

Table 8-10 describes the indicators that show state of a CSS set up using service ports.

Table 8-10 Indicator status in service port connection mode

Indicator Location Indicator Description
MPU ACT: MPU master/standby l Steady green: The MPU

status indicator is the master MPU of the
CSS, and the local
chassis is the master
switch.
l Blinking green: The
MPU is the standby
MPU of the CSS, and the
local chassis is the
standby switch.
l Off: The MPU is the
cold standby MPU of the
CSS.
MPU CSS ID: CSS ID indicator There are eight CSS ID

NOTE indicators on the panel, but
The MPU models SRUA, only one is on at a time.
SRUB and SRUH (S7700) do
l CSS ID N is steady on:
not have CSS ID indicators.
The CSS ID of the local
chassis is N.
l All CSS ID indicators
are off: The chassis is
not running the CSS
service.
Service card LINK: port status indicator l Steady green: The port is
Up, and cable connection
on the port is correct.
l Blinking green: Cable
connection on the port is
incorrect.
l Off: The link status of
the port is Down.
8.10.3.2 Logging In to a CSS to Verify that a CSS Is Established
Context
You can log in to a CSS and run display commands to check whether the CSS is established
successfully. If the CSS fails to be established, you can locate the faults according to the
command output.
Procedure
Step 1 Log in to the CSS.

l Local login: Log in to the CSS from the console port on any MPU.
l Remote login: After reachable routes are configured, you can remotely log in to the CSS
from a management interface on any MPU or a Layer 3 interface using Telnet, STelnet,
web, or SNMP.
NOTE
l After a CSS is established successfully, the configuration file of the master switch takes effect.
When logging in to a CSS remotely, access the IP address of the master switch.
l If a CSS is not established, log in to the two member switches respectively for troubleshooting.
Step 2 Check whether a CSS has been established successfully.

Run the display device command to check the card status. If the card status of two member
switches is displayed in the command output, the CSS is established successfully.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1 - EH1D2X12SSA0 Present PowerOn Registered Normal NA
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Alternatively, run the display css status command to check the CSS status. If the CSS status
of two member switches is displayed, the CSS is established successfully.
------------------------------------------------------------------------------
1 On Master LPU 100 Off
2 On Standby LPU 10 Off
l If the command output contains information about both switches, go to step 3.

l If the command output contains information about only one switch, rectify the fault
according to Checking Whether Cables Are Correctly Connected.
Step 3 Check whether the cluster link topology is the same as the actual hardware connection.
Run the display css channel all command to check whether the cluster link connections are
the same as the actual hardware connections.
<HUAWEI> display css channel all
CSS link-down-delay: 500ms

================================================================================
Num [CSS port] [LPU Port] || [LPU Port] [CSS port]
1 1/1 XGigabitEthernet1/10/0/3 XGigabitEthernet2/10/0/3 2/1
================================================================================
l If the displayed cluster link connections are the same as the actual hardware connections,
all the cluster links are running normally and a CSS is established successfully.
l If some cluster links are not displayed, run the display css css-port all command to
check the status of all CSS ports.
<HUAWEI> display css css-port all
B : broadcast *down : administratively down
Logic Port Num Phy Port Status
(B)css-port1/1 6 XGigabitEthernet1/10/0/0 down
XGigabitEthernet1/10/0/1 down
XGigabitEthernet1/10/0/3 up
css-port1/2 0
(B)css-port2/1 6 XGigabitEthernet2/10/0/0 down
css-port2/2 0
l If the CSS ports with abnormal cluster links are Up, the cluster cables may be connected
incorrectly. Rectify the fault according to Checking Whether Cables Are Correctly
Connected.
l If the CSS ports with abnormal cluster links are Down, check whether the physical
member ports have been shut down (*down in Status field) and whether cluster cables on
the ports are loose or damaged.
----End
Rectifying Common CSS Faults

Checking Whether Cables Are Correctly Connected
Run the terminal monitor and terminal trapping commands in the user view to enable the
alarm function. Check whether an alarm on incorrect cluster cable connection is displayed.
(The OID is 1.3.6.1.4.1.2011.5.25.183.3.3.2.8 hwCssPhyCsuConnectError.)
l If no alarm is generated, check the LINK indicator. If the indicator is off, check whether
the optical modules, optical fibers, and cables are working normally.
l If such an alarm is displayed, connect cluster cables correctly according to the alarm
message. You can obtain the following information from the alarm message:
– Incorrect connection information. You can find the incorrectly connected cluster
cable according to the CSS ID, logical CSS port number, and physical member port
number displayed in the alarm message.
– Correct connection of the cluster cable.

Table 8-11 describes how to rectify a fault according to the alarm message.
Table 8-11 Rectifying a fault according to the alarm message

A cluster cable connects CSS IDs are correctly Connect the cluster cable
two switches with different configured but the cluster to the correct ports
CSS IDs. For example, cable is connected to an according to the alarm
The connection between incorrect port. message and ensure that
CSS port 1/10/0/9 and the cable connectors are
2/1/0/1 is incorrect. securely connected to the
Reason: 1 To 2 ports. After the cables are
correctly connected, two
switches merge into a
CSS.
A cluster cable connects The possible causes are: Run the display css status
two switches with the l The cluster cable command to check the
same CSS ID. For connects two CSS ports CSS IDs of the two
example, The connection on the same switch. switches.
between CSS port 1/10/0/9 l If they are different, the
and 1/1/0/1 is incorrect. l The connected ports
are on different CSS IDs are configured
Reason: Chassis ID correctly. This alarm
conflict or self-loop. switches, but the
switches are configured message indicates that
with the same CSS ID. the cluster cable
connects two CSS ports
on the same switch.
Connect the cluster
cable correctly
according to the alarm
message.
l If they are the same,
run the set css id
command to change the
CSS ID of one switch
and then restart the
switch.
8.11 Configuring Enhanced CSS Functions

This section describes how to configure enhanced CSS functions that improve CSS system
reliability and make operations easier.
The enhanced CSS functions can be configured in any sequence. You are advised to configure
MAD immediately after the CSS is established successfully.
8.11.1 Configuring MAD

Background
MAD detects multiple master switches after a CSS splits.
NOTE
You are advised to configure MAD to minimize the impact of a CSS split on services.
Table 8-12 describes the MAD configuration process.
Table 8-12 MAD configuration process
No. Task Description Remarks
1 8.11.1.1 You can configure The direct and relay

Configuring MAD MAD in direct mode modes cannot be
in Direct Mode to perform MAD configured
through dedicated simultaneously in a
direct links between CSS.
member switches.
2 8.11.1.2 You can configure

Configuring MAD MAD in relay mode
in Relay Mode to perform MAD
through the relay
agent between
member switches.
3 8.11.1.3 (Optional) You can configure a -

Configuring reserved port to
Reserved Ports forward service
packets when a CSS
splits.
4 8.11.1.4 (Optional) You can restore a This configuration is

Restoring shutdown port to the recommended only
Shutdown Ports to Up state to allow the when the CSS in the
the Up State CSS in the Recovery Detect state fails.
state to work when
the CSS in the
Detect state fails.
8.11.1.1 Configuring MAD in Direct Mode
Context
Configure MAD in direct mode when member switches in a CSS have idle ports. Use
common cables to connect these ports and use the ports for MAD only.

NOTE
l The direct and relay modes cannot be configured simultaneously in a CSS.

l MAD in direct mode can only be configured on Layer 2 Ethernet ports in Up state.
l You can configure a maximum of four direct detection links for each member switch in a CSS to
improve detection reliability. Ensure that one direct detection link on each member switch in a CSS
works normally when multiple master switches coexist.
Procedure
Step 2 Run the interface interface-type interface-number command to enter the interface view.
Step 3 Run the mad detect mode direct command to configure MAD in direct mode.
By default, MAD in direct mode is disabled.
NOTE
l After MAD in direct mode is configured on a port, you cannot configure other services on the port.
l MAD packets are bridge protocol data units (BPDUs). If MAD is performed through dedicated direct
links between member switches and an intermediate device, configure port-based Layer 2 protocol
transparent transmission on the intermediate device. For details, see Configuring Interface-based Layer 2
Protocol Transparent Transmission.
l After MAD in direct mode is configured on an interface, the STP status of the interface becomes
Discarding, affecting the transmission of data packets and some protocol packets. Therefore, do not
configure other services on this interface.
----End
8.11.1.2 Configuring MAD in Relay Mode
Context
Configure MAD in relay mode when an Eth-Trunk is configured in a CSS. In relay mode, the
MAD relay detection is set on Eth-Trunk ports of the CSS, and the MAD relay function is
enabled on a relay agent. In contrast with the direct mode, the relay mode does not occupy
additional ports.
The relay mode can be implemented in two ways: configure a single switch as the MAD relay
agent or configure two CSS systems as MAD relay agents for each other.
NOTE
l The direct and relay modes cannot be configured simultaneously in a CSS.

l MAD is a Huawei proprietary protocol, and Huawei switches support the relay function.
l You can configure the relay mode on a maximum of four Eth-Trunks in a CSS to improve detection
reliability. Ensure that one Eth-Trunk in each CSS works normally when multiple master switches
coexist.
l You can configure a maximum of 64 Eth-Trunks on a relay agent to provide the relay function for
multiple CSS systems.
l When configuring MAD in relay mode, ensure that member switches in a CSS use different MAC
addresses. If they use the same MAC address, the proxy device cannot forward MAD packets.

Procedure
l Switch functioning as the relay device
– In the CSS
a. Run the system-view command to enter the system view.
b. Run the interface eth-trunk trunk-id command to enter the Eth-Trunk interface
view.
c. Run the mad detect mode relay command to configure MAD in relay mode on the
Eth-Trunk.
By default, MAD in relay mode is disabled on the Eth-Trunk.
– On the specified relay device
b. Run the interface eth-trunk trunk-id command to enter the Eth-Trunk interface
view.
c. Run the mad relay command to enable the relay function on the Eth-Trunk.
By default, the relay function is disabled on the Eth-Trunk.
l Two CSS systems functioning as relay of each other
– In each CSS
b. Run the mad domain domain-id command to specify the MAD domain ID for a
CSS.
By default, the MAD domain ID of a CSS is 0.
NOTE
Two CSS systems can function as proxy of each other to implement MAD. The two CSS
systems must be configured with different MAD domain IDs.
c. Run the interface eth-trunk trunk-id command to enter the Eth-Trunk interface
view.
d. Run the mad relay command to enable the relay function on the Eth-Trunk.
By default, the relay function is disabled on the Eth-Trunk.
e. Run the mad detect mode relay command to configure MAD in relay mode on the
Eth-Trunk.
By default, MAD in relay mode is disabled on the Eth-Trunk.
----End
8.11.1.3 (Optional) Configuring Reserved Ports
Context
When MAD detects a CSS split, multiple CSS systems compete with each other. You must
shut down all service ports on member switches that fail in the competition, to avoid MAC
address or IP address conflict. The ports that only transparently transmit packets do not affect

network operations when a CSS splits. You can configure these ports as reserved ports to
ensure normal packet transmission on them. MAD does not shut down service transmission
on these ports when it detects a CSS split.
Procedure
Step 2 Run the mad exclude interface { interface-type interface-number1 [ to interface-type

interface-number2 ] } &<1-10> command to configure specified ports in a CSS as reserved
ports.
By default, only physical member ports of a CSS are reserved ports, and all service ports are
non-reserved ports.
----End
8.11.1.4 (Optional) Restoring Shutdown Ports to the Up State
Context
When MAD detects a CSS split, two member switches compete with each other. The switch
that wins the competition remains in the Detect state (normal working state) and the other
switch that fails in the competition enters the Recovery state (disabled state). In the Recovery
state, all the service ports except reserved ports on the switch are shut down, so the switch
does not forward service packets. You can restore shutdown ports to Up state so that the
switch in the Recovery state can work again. For example, if the switch in the Detect state
fails or is removed from the network before the CSS fault is rectified, restore the shutdown
ports on the switch in the Recovery state to the Up state, so that the switch in the Recovery
state can take over services from the original active switch. This minimizes the impact of a
CSS fault on services.
Procedure
Step 2 Run the mad restore command to restore shutdown ports to the Up state.
NOTE
You are advised not to run this command when the switch in the Detect state is working normally. Otherwise,
there will be multiple master switches on the network after the switch in the Recovery state is enabled.
----End
Procedure
l Run the display mad [ proxy | verbose ] command to view the MAD configuration.
----End
8.11.2 Configuring a System MAC Address

Context
The MAC address of the master switch is used as the system MAC address of the CSS when
the CSS is set up. If you restart the CSS or remove and replace an MPU in the CSS, the
system MAC address may change, resulting in service interruption. To avoid this problem, set
the system MAC address to the MAC address of a member switch which remains unchanged
after the CSS restarts.
Procedure
Step 2 Run the set css system-mac chassis chassis-id command to set the system MAC address of
the CSS to the MAC address of a member switch.
NOTE
If the specified MAC address is the same as the current system MAC address of the CSS, the
configuration takes effect immediately. Otherwise, you need to restart the CSS to make the configuration
take effect.
----End
8.11.3 Setting a Delay Time Before Service Ports Restore to the Up

State
Context
After a standby switch completes a restart, it synchronizes its configuration to the master
switch and restores all ports to the Up state. During the process, the CPU usage is very high.
To prevent service interruption caused by a high CPU usage, you can set the delay time before
service ports restore to the Up state.
Procedure
Step 2 Run the css standby port delay time command to set a delay time before service ports restore
to the Up state.
By default, the delay time is 0. That is, the ports restore to the Up state immediately after the
switch completes a restart.
----End
8.11.4 Enabling the CSS Port Error-Down Function (Applicable to

S9700 CSS Card Connection Mode)
Context
In a CSS, CSS ports may continuously receive CRC-error packets or alternate between Up
and Down states because CSS cards are swapped or the voltage is unstable. When this occurs,
data packets are dropped on the CSS ports. The CSS port error-down function shuts down a

CSS port if the number of CRC-error packets received per minute or the number of Up/Down
transitions on the CSS port in a specified period reaches the threshold.
NOTE
This function is supported only when a CSS is established by connecting the EH1D2VS08000 CSS
cards on the S9700s.
Procedure
Step 2 Run the css port error-down enable command to enable the CSS port error-down function.
By default, the CSS port error-down function is disabled.
Step 3 (Optional) Run the css port diagnose-mode crc { interval time | error-number number }
command to configure the CRC-error packet detection thresholds for CSS ports.
By default, the threshold on the period during which CRC-error packets are received on a
CSS port is 10 minutes, and the threshold on the number of CRC-error packets received per
minute is 10.
Step 4 (Optional) Run the css port diagnose-mode link-flap { interval time | threshold number }
command to configure the flapping detection thresholds for CSS ports.
By default, the threshold on the period during which a CSS port alternates between Up and
Down states is 10 minutes, and the threshold on the number of Up/Down transitions per
minute is 10.
Step 5 (Optional) Run the css port error-down auto-recovery interval time command to enable the
error-down recovery function for CSS ports.
By default, the error-down recovery function is disabled for CSS ports.
To enable CSS ports that are shut down by the error-down function to automatically go Up,
enable the error-down recovery function for CSS ports.
----End
8.11.5 Configuring the CSS Physical Port-Down Delay Function
Context
In long-distance clustering, there may be a transmission device between two devices in a CSS.
When an active/standby switchover is performed on the transmission device, physical
member ports on both ends will become Down, causing the CSS to split. After the CSS
physical port-Down delay function is configured, the event that physical member ports
become Down for a short period within 500 ms will not be reported to the control plane,
preventing the CSS from splitting.

l This command is valid only for service port clustering and requires service card models on
both ends to be ES1D2X16SFC0 (S7700) and EH1D2X16SFC0 (S9700).
l During the delay after which physical member ports become Down, if the configured
response time of 802.1ag, BFD, and MPLS_OAM is short, these protocols will flap. For
example, if the configured response time of BFD is within 100 ms, temporary packet loss
may cause BFD to flap.
l During the delay after which physical member ports become Down, some packets
forwarded between chassis will be lost.
Procedure
Step 2 Run the css link-down-delay command to configure the CSS physical port-Down delay
function.
By default, the CSS physical port-Down delay function is not configured.
----End
8.12 Maintaining the CSS
8.12.1 Monitoring the CSS Status
Context
You can monitor the CSS status to help locate faults.
Procedure
l Run the display css status [ saved ] command to check the CSS status.
l Run the display css channel [ chassis chassis-id | all ] command to check cluster link
connections and status.
The chassis and all parameters are unavailable if the CSS is established using CSS card
connections.
l Run the display css port [ port-id | all ] command to check status of CSS ports in CSS
card connection mode.
The all parameter is supported only when the S9700s set up a CSS in CSS card
connection mode.
NOTE
When two switches set up a CSS using CSS cards, you can monitor the packet forwarding status
by collecting statistics on packets forwarded on each CSS port. If the switch collects packet
statistics for a long time, much storage space will be used. In this situation, you can run the reset
counters css port [ port-id ] command in the user view to clear existing packet statistics.

l Run the display css css-port [ saved ] [ all | chassis chassis-id ] command to check the
configuration of logical CSS ports and physical member ports when the CSS is set up
through service port connections.
----End
8.12.2 Enabling/Disabling CSS Traps
Context
After you enable CSS traps on the switch, the switch sends trap messages to the network
management system (NMS) when the CSS status changes. By default, all CSS traps are
enabled. You can use commands to disable all or specified CSS traps. Then the switch no
longer sends these traps to the NMS.
To check the status (enabled or disabled) of CSS traps, run the display snmp-agent trap
feature-name css all command.
NOTE
Disabling the CSS traps is not recommended.
Procedure
l Enable CSS traps.
Run the snmp-agent trap enable feature-name css [ trap-name trap-name ] command
to enable a specified CSS trap or all CSS traps.
l Disable CSS traps.
Run the undo snmp-agent trap enable feature-name css [ trap-name trap-name ]
command to disable a specified CSS trap or all CSS traps.
----End
8.12.3 Performing a Master/Standby Switchover
Context
If you want to adjust the roles of member switches in a CSS or restore the roles of member
switches after a quick upgrade, you can perform a master/standby switchover to change a
standby switch to the new master switch.
Figure 8-32 shows how the roles in both chassis 1 and 2 change after a master/standby
switchover is triggered using commands.

Figure 8-32 Change of roles after a command-triggered master/standby switchover

Master/standby switchover
is triggered by a command

System standby
NOTE
Before running a command to perform a master/standby switchover, ensure that the master switch in the
CSS has two MPUs.
Procedure
Step 1 (Optional) Run the display switchover state command to check whether the CSS meets
requirements for a switchover.
Step 3 Run the slave switchover enable command to enable master/standby switchover.
By default, master/standby switchover is enabled.
Step 4 Run the slave switchover command to perform a master/standby switchover.
----End
8.12.4 Upgrading CSS Software
Context
Two methods are available to upgrade CSS software: system restart and quick upgrade.

Table 8-13 Comparison of system restart and quick upgrade

Upgrade Method Command Application Role Change
Scenario After the Upgrade
System restart reboot The system restart The switch with a

method is frequently higher CSS priority
used. This upgrade becomes the master
method causes switch. If switches
service interruption have the same CSS
for a relatively long priority, the switch
period of time and is with a smaller MAC
appropriate for use address becomes the
in scenarios master switch.
insensitive to the
service interruption
time.
Quick upgrade css fast upgrade The quick upgrade l The original
minimizes the standby switch
impact of the becomes the
upgrade on services. master switch.
This upgrade l The original
method is master switch
appropriate for use becomes the
in scenarios standby switch.
sensitive to the
service interruption
time.
NOTICE
To minimize traffic
loss during an
upgrade, bundle
uplinks and
downlinks of the CSS
to Eth-Trunks to
implement link
redundancy.
During a quick upgrade, if one of the following situations occurs, the upgrade will fail and
then the system automatically finishes version and patch rollback:
l Boards do not register for a long period during the upgrade of the standby chassis.
l Configurations cannot restored or backed up in a batch for a long period during the
upgrade of the standby chassis.
To view information about preceding quick upgrade failures, check the log CSSM/6/
FASTUPGRADEROLLBACK.
In CSS card clustering mode, if the quick upgrade fails, the standby chassis will roll back to
the old version and join the master chassis to set up a CSS. In service port clustering mode, if
the quick upgrade fails, the standby chassis will roll back to the old version and start, enter the
single-chassis CSS state, restart and then join the CSS after the boards on the standby chassis
register. The rollback process lasts at most 1 hour. During the rollback, ports and services on
the master chassis will be working normally, and the ports on the standby chassis will remain

Down. During the rollback, do not perform operations on the standby chassis hardware, for
example, install, remove, reset, or power off the boards on the standby chassis.
Procedure
Step 1 Load the new system software version to the master MPU of the CSS. For details on how to
load the file, see File Management.
Step 2 Run the startup system-software system-file all command to configure the software file
name all the MPUs use for next startup.
In this process, the system software is copied from the CSS master MPU to all the MPUs.
Step 3 Run the reboot command to upgrade the CSS using the system restart method.
Or:
Run the css fast upgrade command to quickly upgrade the CSS.
----End
8.12.5 Checking Connectivity of CSS Links (Applicable to S9700

CSS Card Connection Mode)
Context
If a cluster link is Up, but packet loss or error packets are found on the cluster link or the CSS
status is unstable, you can check connectivity of the cluster link to analyze the cause. By
performing a loopback test on a cluster link, you can determine whether the cluster link is
working normally.
The process of a loopback test on a CSS link is as follows:

1. Check the port status. If the tested port status is Down, perform a local loopback test and
export the test result.
2. If the tested port status is Up, perform a connectivity test on service packets. If all
service packets pass the test, export the test result and there is no need to perform a
loopback test. If some service packets fail the test, perform loopback tests including local
loopback test and remote loopback test.
– If both local and remote loopback tests succeed, export the test result.
– If the local loopback test fails, do not perform a remote loopback test, export the
test result directly, and give suggestions on recommended operations.
– If the local loopback test succeeds but the remote loopback test fails, export the test
result and give suggestions on recommended operations.
NOTE
l Cluster link connectivity check can be performed only in a CSS of S9700 switches set up using
EH1D2VS08000 CSS cards.
l When this command is executed on a CSS port to perform a loopback test on the CSS link, traffic on this
link is switched to other CSS links. Therefore, a loopback test can be performed only when at least two
links are available between the CSS cards. If bandwidth on the CSS links is low, performing a loopback
test may affect running services.

Procedure
Step 2 Run the css link port port test [ times times | package-size package-size | interval interval |
verbose ] * command to perform a loopback test on a cluster link and determine connectivity
of the cluster link according to the test result.
----End
8.13 Splitting a CSS
Context
If the current CSS system no longer transmits services, you can split the CSS into standalone
switches.
The procedure for splitting a CSS is as follows:
1. Back up the CSS configuration file.
2. Delete the system MAC address of the CSS if configured.
3. Disable the CSS function.
4. Restore physical member ports to service ports. (This step is required only in the service
port connection mode.)
5. Power off the switches and remove the cluster cables.
Procedure
Step 1 Back up the configuration file.
1. Run the save command to save the configuration.
2. Run the copy source-filename destination-filename all command to back up the
configuration file to the standby switch.
NOTE
Back up the current configuration file to the storage medium of the standby switch before you split the
CSS. You can use the configuration file when you set up a CSS next time.
Step 2 Delete the system MAC address of the CSS.

1. Run the system-view command to enter the system view.
2. Run the undo set css system-mac command to delete the system MAC address of the
CSS.
Step 3 Disable the CSS function.
Run the undo css enable all command to disable the CSS function on two member switches.
The switches restore to standalone switches after they restart.
Step 4 Restore physical member ports to service ports. (This step is required only in the service port
connection mode.)
Run the undo interface css-port port-id command to delete logical CSS ports on member
switches and restore physical member ports to service ports.

NOTE
l To restore a physical member port to a service port on a standalone switch, run the undo interface
css-port command.
l To restore a physical member port to a service port in a CSS, run the shutdown interface command
in the logical CSS port view to shut down the physical member port and then run the undo port
interface enable command.
Step 5 Power off the switches and remove the cluster cables.
You can also remove the cluster cables when the switches are running.
----End
8.14.1 Example for Establishing a CSS (Using CSS Cards)
An enterprise network requires high reliability on the core layer, but a simple network
structure is required to facilitate configuration and maintenance.
As shown in Figure 8-33, SwitchA and SwitchB at the core layer set up a CSS through CSS
card connections. SwitchA and SwitchB are the master switch and standby switch
respectively. Switches at the aggregation layer connect to the CSS through Eth-Trunks and the
CSS connects to the upstream network through an Eth-Trunk. In this example, the core
switches are the S9706 switches.

Figure 8-33 Networking with a CSS established
Network
Router
CSS
Core layer SwitchA SwitchB
Aggregation
layer
Switch Switch Switch Switch
CSS Link
Eth-Trunk
1. Install CSS cards on SwitchA and SwitchB, and connect cluster cables.
2. Set the connection mode to CSS card connection on SwitchA and SwitchB, and set their
CSS IDs and priorities to 1 and 2, 100 and 10 respectively so SwitchA has a higher
probability to be the master switch.
3. Enable the CSS function on SwitchA and then on SwitchB to ensure that SwitchA
4. Check whether a CSS is established successfully.
5. Configure downlink Eth-Trunks for the CSS to improve forwarding bandwidth and
reliability. (The detailed configuration is omitted in this example. For details about how
to configure Eth-Trunks, see 8.14.3 Example for Configuring Cluster Eth-Trunks.)
Procedure
Step 1 Install hardware.
Install CSS cards on SwitchA and SwitchB, and connect cluster cables. For details about how
to install the hardware, see 8.9.1 Installing Hardware.
Step 2 Configure the CSS ID, CSS priority, and CSS connection mode for SwitchA and SwitchB.
# Set the CSS ID, CSS priority, and CSS connection mode to 1, 100, and CSS card connection
for SwitchA.

[SwitchA] set css mode css-card
[SwitchA] set css id 1
[SwitchA] set css priority 100
# Set the CSS ID, CSS priority, and CSS connection mode to 2, 10, and CSS card connection
for SwitchB.
[SwitchB] set css mode css-card
[SwitchB] set css id 2
[SwitchB] set css priority 10
# Check the CSS configuration.
NOTE
After the configuration is complete, run the display css status saved command to check the CSS
configuration.
# Check the CSS configuration on SwitchA.

[SwitchA] display css status saved
Current Id Saved Id CSS Enable CSS Mode Priority Master force
------------------------------------------------------------------------------
1 1 Off CSS card 100 Off
# Check the CSS configuration on SwitchB.

[SwitchB] display css status saved
------------------------------------------------------------------------------
1 2 Off CSS card 10 Off
Step 3 Enable the CSS function.

# Enable the CSS function on SwitchA and restart SwitchA.
[SwitchA] css enable
Warning: The CSS configuration will take effect only after the system is
rebooted. T
he next CSS mode is CSS card. Reboot now? [Y/N]:y
# Enable the CSS function on SwitchB and restart SwitchB.

[SwitchB] css enable
rebooted. T
he next CSS mode is CSS card. Reboot now? [Y/N]:y

# View the indicator status.
If the MASTER indicator on a CSS card of SwitchA is steady on, the MPU with the CSS card
installed is the master MPU and SwitchA is the master switch.
If the MASTER indicator on a CSS card of SwitchB is off, SwitchB is the standby switch.
# Log in to the CSS through the console port on any MPU to check whether the CSS is
established successfully.
<SwitchA> display device

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
PWR2 - - Present - Unregistered - NA
FAN1 - - Present PowerOn Registered Abnormal NA
FAN2 - - Present - Unregistered - NA
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
If the command output displays card status of both member switches, the CSS is established
successfully.
# Check whether the cluster links are normal.

<SwitchA> display css channel
================================================================================
Num [SRUC HG] [VS08 Port(Status)] || [VS08 Port(Status)] [SRUC HG]
1 1/7 0/12 -- 1/7/0/1(UP 10G) ---||--- 2/7/0/1(UP 10G) -- 2/7 0/12
2 1/7 0/16 -- 1/7/0/2(UP 10G) ---||--- 2/7/0/2(UP 10G) -- 2/7 0/16
3 1/7 0/13 -- 1/7/0/3(UP 10G) ---||--- 2/7/0/3(UP 10G) -- 2/7 0/13
4 1/7 0/17 -- 1/7/0/4(UP 10G) ---||--- 2/7/0/4(UP 10G) -- 2/7 0/17
5 1/7 0/14 -- 1/7/0/5(UP 10G) ---||--- 2/8/0/5(UP 10G) -- 2/8 0/14
6 1/7 0/18 -- 1/7/0/6(UP 10G) ---||--- 2/8/0/6(UP 10G) -- 2/8 0/18
7 1/7 0/15 -- 1/7/0/7(UP 10G) ---||--- 2/8/0/7(UP 10G) -- 2/8 0/15
8 1/7 0/19 -- 1/7/0/8(UP 10G) ---||--- 2/8/0/8(UP 10G) -- 2/8 0/19
9 1/8 0/12 -- 1/8/0/1(UP 10G) ---||--- 2/8/0/1(UP 10G) -- 2/8 0/12
10 1/8 0/16 -- 1/8/0/2(UP 10G) ---||--- 2/8/0/2(UP 10G) -- 2/8 0/16
11 1/8 0/13 -- 1/8/0/3(UP 10G) ---||--- 2/8/0/3(UP 10G) -- 2/8 0/13
12 1/8 0/17 -- 1/8/0/4(UP 10G) ---||--- 2/8/0/4(UP 10G) -- 2/8 0/17
13 1/8 0/14 -- 1/8/0/5(UP 10G) ---||--- 2/7/0/5(UP 10G) -- 2/7 0/14
14 1/8 0/18 -- 1/8/0/6(UP 10G) ---||--- 2/7/0/6(UP 10G) -- 2/7 0/18
15 1/8 0/15 -- 1/8/0/7(UP 10G) ---||--- 2/7/0/7(UP 10G) -- 2/7 0/15
16 1/8 0/19 -- 1/8/0/8(UP 10G) ---||--- 2/7/0/8(UP 10G) -- 2/7 0/19
If all the cluster links are in Up state, the CSS has been established successfully.
Step 5 Configure downlink Eth-Trunks for the CSS. (The detailed configuration is omitted here.)
----End
Configuration Files
None
8.14.2 Example for Establishing a CSS (Using Service Port

Connections)

An enterprise network requires high reliability on the core layer, but a simple network
structure is required to facilitate configuration and management and reduce deployment costs.
As shown in Figure 8-34, SwitchA and SwitchB at the core layer set up a CSS through
service port connections. SwitchA and SwitchB are the master switch and standby switch
respectively. Switches at the aggregation layer connect to the CSS through Eth-Trunks and the
CSS connects to the upstream network through an Eth-Trunk. In this example, the core
switches are the S9706 switches.
Figure 8-34 Networking with a CSS established
Network
Router
CSS
XGE1/0/1~2 XGE1/0/1~2
Core layer SwitchA SwitchB
XGE2/0/1~2 XGE2/0/1~2
Aggregation
layer
Switch Switch Switch Switch
CSS Link
Eth-Trunk
1. Install service cards on SwitchA and SwitchB, and connect cluster cables. Connect four
service ports of two service cards on two switches to improve bandwidth and reliability.
2. Set the connection mode to service port connection on SwitchA and SwitchB, and set
their CSS IDs and priorities to 1 and 2, 100 and 10 respectively so SwitchA has a higher
probability to be the master switch.
3. Configure two logical CSS ports for SwitchA and SwitchB respectively and add two
physical member ports to each logical CSS port.
4. Enable the CSS function on SwitchA and then on SwitchB to ensure that SwitchA
5. Check whether a CSS is established successfully.

6. Configure downlink Eth-Trunks for the CSS to improve forwarding bandwidth and
reliability. (The detailed configuration is omitted in this example. For details about how
to configure Eth-Trunks, see 8.14.3 Example for Configuring Cluster Eth-Trunks.)
Procedure
Step 1 Install hardware.
Install service cards on SwitchA and SwitchB, and connect cluster cables. For details about
how to install the hardware, see 8.10.1 Installing Hardware.
Step 2 Configure the CSS ID, CSS priority, and CSS connection mode for SwitchA and SwitchB.
# Set the CSS ID, CSS priority, and CSS connection mode to 1, 100, and service port
connection for SwitchA. If the default CSS ID 1 is used, you do not need to set the CSS ID.
[SwitchA] set css mode lpu
[SwitchA] set css id 1
[SwitchA] set css priority 100
# Set the CSS ID, CSS priority, and CSS connection mode to 2, 10, and service port
connection for SwitchB.
[SwitchB] set css mode lpu
[SwitchB] set css id 2
[SwitchB] set css priority 10
# Check the CSS configuration.
NOTE
After the configuration is complete, run the display css status saved command to check the CSS
configuration.
# Check the CSS configuration on SwitchA.

[SwitchA] display css status saved
------------------------------------------------------------------------------
1 1 Off LPU 100 Off
# Check the CSS configuration on SwitchB.

[SwitchB] display css status saved
------------------------------------------------------------------------------
1 2 Off LPU 10 Off
Step 3 Configure logical CSS ports.

# Configure service ports XGE1/0/1 and XGE1/0/2 on SwitchA as physical member ports and
add them to CSS port 1, and configure service ports XGE2/0/1 and XGE2/0/2 on SwitchA as
physical member ports and add them to CSS port 2.
[SwitchA] interface css-port 1
[SwitchA-css-port1] port interface xgigabitethernet 1/0/1 to xgigabitethernet
1/0/2 enable
[SwitchA-css-port1] quit
[SwitchA] interface css-port 2
[SwitchA-css-port2] port interface xgigabitethernet 2/0/1 to xgigabitethernet
2/0/2 enable
[SwitchA-css-port2] quit

# Configure service ports XGE1/0/1 and XGE1/0/2 on SwitchB as physical member ports and
add them to CSS port 1, and configure service ports XGE2/0/1 and XGE2/0/2 on SwitchB as
physical member ports and add them to CSS port 2.
[SwitchB] interface css-port 1
[SwitchB-css-port1] port interface xgigabitethernet 1/0/1 to xgigabitethernet
1/0/2 enable
[SwitchB-css-port1] quit
[SwitchB] interface css-port 2
[SwitchB-css-port2] port interface xgigabitethernet 2/0/1 to xgigabitethernet
2/0/2 enable
[SwitchB-css-port2] quit
NOTE
After the configuration is complete, run the display css css-port saved command to check whether the
ports are Up.
Step 4 Enable the CSS function.

# Enable the CSS function on SwitchA and restart SwitchA.
[SwitchA] css enable
rebooted. T
he next CSS mode is LPU. Reboot now? [Y/N]:y
# Enable the CSS function on SwitchB and restart SwitchB.

[SwitchB] css enable
rebooted. T
he next CSS mode is LPU. Reboot now? [Y/N]:y

# View the indicator status.
If the ACT indicator on an MPU of SwitchA is steady green, the MPU is the master MPU of
the CSS, and SwitchA is the master in the CSS.
If the ACT indicator on an MPU of SwitchB is blinking green, the MPU is the standby MPU
of the CSS, and SwitchB is the standby switch in the CSS.
# Log in to the CSS through the console port on any MPU to check whether the CSS is
established successfully.
<SwitchA> display device
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
PWR2 - - Present - Unregistered - NA
FAN1 - - Present PowerOn Registered Abnormal NA
FAN2 - - Present - Unregistered - NA
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -


If the command output displays card status of both member switches, the CSS is established
successfully.
# Check whether the cluster link topology is the same as the actual hardware connection.
<SwitchA> display css channel all
CSS link-down-delay: 500ms
================================================================================
================================================================================
If the command output shows that the cluster link topology is the same as the actual hardware
connection, the CSS is established successfully.
Step 6 Configure downlink Eth-Trunks for the CSS. (The detailed configuration is omitted here.)
----End
Configuration Files
None
8.14.3 Example for Configuring Cluster Eth-Trunks

To simplify network structure and prevent network loops, core switches SwitchA and
SwitchB set up a CSS to connect to upstream and downstream devices. The customer wants to
expand the uplink bandwidth and requires that member switches in the CSS back up each
other to improve reliability.
As shown in Figure 8-35, a cluster Eth-Trunk can be configured for uplink ports of the CSS
to expand the uplink bandwidth. SwitchC and SwitchD are dual homed to the CSS to improve
reliability, and cluster Eth-Trunks can be configured for downlink ports of the CSS. In this
example, the upstream and downstream devices of the CSS are Huawei S series switches.

Figure 8-35 Networking for cluster Eth-Trunk configuration
1. Configure a cluster Eth-Trunk between the CSS and its upstream device and add physical
member ports to the Eth-Trunk to expand the uplink bandwidth.
2. Configure cluster Eth-Trunks between the CSS and its downstream devices and add
physical member ports to the Eth-Trunks, so that the member switches work in
redundancy mode to improve network reliability.
3. Enable Eth-Trunks to forward traffic from local ports first to improve forwarding
efficiency and reduce the load on the stack cable between member switches. When an
Eth-Trunk member port of a local device is working normally or when the traffic is not
heavy, traffic is forwarded preferentially through the local member port.
Procedure
Step 1 Configure an Eth-Trunk between the CSS and its upstream device.
# Configure an Eth-Trunk on the CSS and add uplink ports to the Eth-Trunk.

[HUAWEI] sysname CSS
[CSS] interface eth-trunk 10
[CSS-Eth-Trunk10] quit
[CSS] interface gigabitethernet 1/1/0/4
[CSS-GigabitEthernet1/1/0/4] eth-trunk 10
[CSS-GigabitEthernet1/1/0/4] quit
# Configure an Eth-Trunk on SwitchE and add member ports to the Eth-Trunk.

[HUAWEI] sysname SwitchE
[SwitchE] interface eth-trunk 10
[SwitchE-Eth-Trunk10] quit
[SwitchE] interface gigabitethernet 1/0/1
[SwitchE-GigabitEthernet1/0/1] eth-trunk 10
[SwitchE-GigabitEthernet1/0/1] quit
[SwitchE] interface gigabitethernet 1/0/2
[SwitchE-GigabitEthernet1/0/2] eth-trunk 10
[SwitchE-GigabitEthernet1/0/2] quit
Step 2 Configure Eth-Trunks between the CSS and its downstream devices.
# Configure an Eth-Trunk on the CSS and add the downlink ports connected to SwitchC to the
Eth-Trunk.
# Configure an Eth-Trunk on SwitchC and add member ports to the Eth-Trunk.

[SwitchC] interface eth-trunk 20
[SwitchC-Eth-Trunk20] quit
[SwitchC-GigabitEthernet1/0/1] eth-trunk 20
[SwitchC-GigabitEthernet1/0/2] eth-trunk 20
# Configure an Eth-Trunk on the CSS and add the downlink ports connected to SwitchD to
the Eth-Trunk.
# Configure an Eth-Trunk on SwitchD and add member ports to the Eth-Trunk.

[HUAWEI] sysname SwitchD
[SwitchD] interface eth-trunk 30
[SwitchD-Eth-Trunk30] quit

[SwitchD] interface gigabitethernet 1/0/1

[SwitchD-GigabitEthernet1/0/1] eth-trunk 30
[SwitchD-GigabitEthernet1/0/1] quit
[SwitchD] interface gigabitethernet 1/0/2
[SwitchD-GigabitEthernet1/0/2] eth-trunk 30
[SwitchD-GigabitEthernet1/0/2] quit
Step 3 Enable local preferential forwarding on the Eth-Trunks. By default, local preferential
forwarding is enabled on an Eth-Trunk.
[CSS-Eth-Trunk10] local-preference enable
[CSS] quit

After the configuration is complete, run the display trunkmembership eth-trunk command
in any view to view information about Eth-Trunk member ports.
The command output shows information about member ports in Eth-Trunk 10.
<CSS> display trunkmembership eth-trunk 10
Trunk ID: 10
Used status: VALID
TYPE: ethernet
Working Mode : Normal
Number Of Ports in Trunk = 2
Number Of Up Ports in Trunk = 2
Operate status: up
Interface GigabitEthernet1/1/0/4, valid, operate up, weight=1

Interface GigabitEthernet2/1/0/4, valid, operate up, weight=1
----End
Configuration Files
l CSS configuration file
#
sysname CSS
#
interface Eth-Trunk10
#
#
#
interface GigabitEthernet1/1/0/3
eth-trunk 20
#
eth-trunk 10
#
eth-trunk 30
#
eth-trunk 30
#
eth-trunk 10

#
eth-trunk 20
#
return
l SwitchE configuration file

#
sysname SwitchE
#
#
eth-trunk 10
#
eth-trunk 10
#
return

#
sysname SwitchC
#
#
eth-trunk 20
#
eth-trunk 20
#
return
l SwitchD configuration file

#
sysname SwitchD
#
#
eth-trunk 30
#
eth-trunk 30
#
return
8.14.4 Example for Configuring MAD in Direct Mode
As shown in Figure 8-36, SwitchA and SwitchB set up a CSS.
MAD can be used to detect dual master switches with the same configuration on the network
to reduce the impact of a CSS split on the network.

Figure 8-36 Networking of MAD in direct mode
Network
CSS
GE1/2/0/0 GE2/10/0/0
SwitchA SwitchB
SwitchC SwitchD
CSS Link
MAD Link
Eth-Trunk
1. Configure MAD in direct mode on a specified port.
Procedure
Step 1 Configure MAD in direct mode on a specified port.
# Configure MAD in direct mode on GigabitEthernet1/1/0/5.

[HUAWEI] interface gigabitethernet 1/2/0/0
[HUAWEI-GigabitEthernet1/2/0/0] mad detect mode direct
Warning: This command will block the port, and no other configuration running on
this port is recommended. Continue?[Y/N]:y
[HUAWEI-GigabitEthernet1/2/0/0] quit
# Configure MAD in direct mode on GigabitEthernet2/1/0/5.

[HUAWEI-GigabitEthernet2/10/0/0] mad detect mode direct
Warning: This command will block the port, and no other configuration running on
this port is recommended. Continue?[Y/N]:y
[HUAWEI] quit


# Check detailed MAD configuration of the CSS.
<HUAWEI> display mad verbose
Current MAD domain: 0
Current MAD status: Detect
Mad direct detect interfaces configured:
GigabitEthernet1/2/0/0
Mad relay detect interfaces configured:
Excluded ports(configurable):
Excluded ports(can not be configured):
40GE1/4/0/0
40GE1/4/0/1
40GE1/5/0/0
40GE1/5/0/1
40GE2/7/0/1
40GE2/7/0/0
40GE2/11/0/0
40GE2/11/0/1
Step 3 Verify the MAD function.

When the MAD function is configured and no service is deployed on the CSS, you can
manually split the CSS to verify whether the MAD configuration takes effect.
1. Check information about all the Up ports in the CSS. Based on the displayed
information, you can verify the MAD function after the CSS splits.
<HUAWEI> display interface brief | include up
PHY: Physical
^down: standby
(l): loopback
(s): spoofing
(E): E-Trunk down
(b): BFD down
(e): ETHOAM down
(dl): DLDP down
(d): Dampening Suppressed
InUti/OutUti: input utility/output utility
Interface PHY Protocol InUti OutUti inErrors outErrors
Ethernet0/0/0/0 up up 0.03% 0.01% 0 0
GigabitEthernet1/2/0/0 up up 0% 0% 0 0
NULL0 up up(s) 0% 0% 0 0
40GE1/4/0/0 up up 0% 0% 0 0
40GE1/4/0/1 up up 0% 0% 0 0
40GE1/5/0/0 up up 0% 0% 0 0
40GE1/5/0/1 up up 0% 0% 0 0
40GE2/7/0/0 up up 0% 0% 0 0
40GE2/7/0/1 up up 0% 0% 0 0
40GE2/11/0/0 up up 0% 0% 0 0
40GE2/11/0/1 up up 0% 0% 0 0
2. Enable the alarm function in the user view.

<HUAWEI> terminal monitor
<HUAWEI> terminal trapping
3. Make the CSS split by shutting down all the physical CSS ports or removing all the
cluster cables. (The following procedure shuts down all the physical CSS ports in a CSS
that is set up using service port connection mode.)
# Check information about the service ports used for CSS connection.


css-port1/1 2 40GE1/4/0/0 up
40GE1/4/0/1 up
(B)css-port1/2 2 40GE1/5/0/0 up
40GE1/5/0/1 up

css-port2/1 2 40GE2/7/0/1 up
40GE2/7/0/0 up
(B)css-port2/2 2 40GE2/11/0/0 up
40GE2/11/0/1 up
# Shut down the service ports used for CSS connection.

[HUAWEI] interface css-port 1/1
[HUAWEI-css-port1/1] shutdown interface 40GE1/4/0/0
[HUAWEI-css-port1/1] quit
Warning: Shutting down the last active CSS port in master chassis will cause
CSS split, Continue? [Y/N]:y
[HUAWEI-css-port1/2] return
4. Check whether the following alarm is displayed on the terminal screen: MAD/4/
MULTIACTIVEDETECTED(t):OID 1.3.6.1.4.1.2011.5.25.246.1.1 Multi-active scenario
is detected.
5. Check the CSS status, MAD information, and port status.
# Check the status of the CSS. The command output shows that the two-chassis CSS has
changed into a single-chassis CSS.
CSS Enable switch On
------------------------------------------------------------------------------
1 On Single LPU 100 Off
# Check MAD information in the current CSS (chassis 1). The command output shows
that the MAD status is Detect.
40GE1/4/0/0
40GE1/4/0/1
40GE1/5/0/0
40GE1/5/0/1
# Check information about Up ports in the current CSS (chassis 1). The command output
shows that the status of common service ports remains unchanged.
PHY: Physical
^down: standby
(l): loopback
(s): spoofing
(E): E-Trunk down
(b): BFD down

(e): ETHOAM down

(dl): DLDP down
Ethernet0/0/0/0 up up 0.01% 0.01% 0 0
NULL0 up up(s) 0% 0% 0 0
6. Log in to chassis 2 through its serial port.
# Check MAD information in chassis 2. The command output shows that the MAD
status is Recovery.
Current MAD status: Recovery
40GE2/7/0/1
40GE2/7/0/0
40GE2/11/0/0
40GE2/11/0/1
# Check information about Up ports in chassis 2. The command output shows that all
ports in this chassis are Down.
PHY: Physical
^down: standby
(l): loopback
(s): spoofing
(E): E-Trunk down
(b): BFD down
(e): ETHOAM down
(dl): DLDP down
NULL0 up up(s) 0% 0% 0 0
7. The preceding operations verify that the MAD function is configured successfully.
8. Restore all the physical member ports to the Up state or insert cluster cables to the ports,
and then configure services.
----End
Configuration Files
#
mad detect mode direct
#
mad detect mode direct
#
return
8.14.5 Example for Configuring MAD in Relay Mode

As shown in Figure 8-37, SwitchA and SwitchB set up a CSS and connect to the upstream
and downstream devices through Eth-Trunks.
MAD can be used to detect dual master switches with the same configuration on the network
to reduce the impact of a CSS split on the network.
Figure 8-37 Networking of MAD in relay mode
Network
CSS
SwitchA SwitchB
GE2/9/0/5
GE1/2/0/5
Eth-Trunk1
GE1/0/19
SwitchC GE1/0/21 SwitchD
CSS Link
MAD Link
Eth-Trunk
1. Configure SwitchC as the relay agent and configure MAD in relay mode on Eth-Trunk
member ports connected to SwitchC.
2. On SwitchC, configure the MAD relay function so that MAD packets can be forwarded
through the Eth-Trunk.
Procedure
Step 1 On the CSS, configure MAD in relay mode for the inter-device Eth-Trunk.
[HUAWEI] interface eth-trunk 1
[HUAWEI-Eth-Trunk1] trunkport gigabitethernet 1/2/0/5
[HUAWEI-Eth-Trunk1] trunkport gigabitethernet 2/9/0/5

[HUAWEI-Eth-Trunk1] mad detect mode relay

[HUAWEI-Eth-Trunk1] quit
[HUAWEI] quit
Step 2 Configure the MAD relay function on SwitchC.

[SwitchC] interface eth-trunk 1
[SwitchC-Eth-Trunk1] trunkport gigabitethernet 1/0/19
[SwitchC-Eth-Trunk1] trunkport gigabitethernet 1/0/21
[SwitchC-Eth-Trunk1] mad relay
[SwitchC-Eth-Trunk1] quit
[SwitchC] quit

# Check detailed MAD configuration of the CSS.
Eth-Trunk1
40GE1/4/0/0
40GE1/4/0/1
40GE1/5/0/0
40GE1/5/0/1
40GE2/7/0/1
40GE2/7/0/0
40GE2/11/0/0
40GE2/11/0/1
# Check MAD relay configuration on SwitchC.

<SwitchC> display mad proxy
Mad relay interfaces configured:
Eth-Trunk1
Step 4 Verify the MAD function.

If no service is configured in the CSS after the MAD configuration is complete, trigger a CSS
split to verify whether the MAD function is configured successfully.
1. Check information about all the Up ports in the CSS. Based on the displayed
information, you can verify the MAD function after the CSS splits.
PHY: Physical
^down: standby
(l): loopback
(s): spoofing
(E): E-Trunk down
(b): BFD down
(e): ETHOAM down
(dl): DLDP down
Eth-Trunk1 up up 0% 0% 0 0
Ethernet0/0/0/0 up up 0.03% 0.01% 0 0
NULL0 up up(s) 0% 0% 0 0
40GE1/4/0/0 up up 0% 0% 0 0

40GE1/4/0/1 up up 0% 0% 0 0
40GE1/5/0/0 up up 0% 0% 0 0
40GE1/5/0/1 up up 0% 0% 0 0
40GE2/7/0/0 up up 0% 0% 0 0
40GE2/7/0/1 up up 0% 0% 0 0
40GE2/11/0/0 up up 0% 0% 0 0
40GE2/11/0/1 up up 0% 0% 0
0
2. Enable the alarm function in the user view.

<HUAWEI> terminal monitor
<HUAWEI> terminal trapping
3. Make the CSS split by shutting down all the physical CSS ports or removing all the
cluster cables. (The following procedure shuts down all the physical CSS ports in a CSS
that is set up using service port connection mode.)
# Check information about the service ports used for CSS connection.
css-port1/1 2 40GE1/4/0/0 up
40GE1/4/0/1 up
(B)css-port1/2 2 40GE1/5/0/0 up
40GE1/5/0/1 up

css-port2/1 2 40GE2/7/0/1 up
40GE2/7/0/0 up
(B)css-port2/2 2 40GE2/11/0/0 up
40GE2/11/0/1 up
# Shut down the service ports used for CSS connection.

[HUAWEI-css-port1/1] quit
Warning: Shutting down the last active CSS port in master chassis will cause
CSS split, Continue? [Y/N]:y
[HUAWEI-css-port1/2] return
4. Check whether the following alarm is displayed on the terminal screen: MAD/4/
MULTIACTIVEDETECTED(t):OID 1.3.6.1.4.1.2011.5.25.246.1.1 Multi-active scenario
is detected.
5. Check the CSS status, MAD information, and port status.
# Check the status of the CSS. The command output shows that the two-chassis CSS has
changed into a single-chassis CSS.
CSS Enable switch On
------------------------------------------------------------------------------
1 On Single LPU 100
Off
# Check MAD information in the current CSS (chassis 1). The command output shows
that the MAD status is Detect.


Eth-Trunk1
40GE1/4/0/0
40GE1/4/0/1
40GE1/5/0/0
40GE1/5/0/1
# Check information about Up ports in the current CSS (chassis 1). The command output
shows that the status of common service ports remains unchanged.
PHY: Physical
^down: standby
(l): loopback
(s): spoofing
(E): E-Trunk down
(b): BFD down
(e): ETHOAM down
(dl): DLDP down
Eth-Trunk1 up up 0% 0% 0 0
Ethernet0/0/0/0 up up 0.02% 0.01% 0 0
NULL0 up up(s) 0% 0% 0
0
6. Log in to chassis 2 through its serial port.
# Check MAD information in chassis 2. The command output shows that the MAD
status is Recovery.
Current MAD status: Recovery
Eth-Trunk1
40GE2/7/0/1
40GE2/7/0/0
40GE2/11/0/0
40GE2/11/0/1
# Check information about Up ports in chassis 2. The command output shows that all
ports in this chassis are Down.
PHY: Physical
^down: standby
(l): loopback
(s): spoofing
(E): E-Trunk down
(b): BFD down
(e): ETHOAM down
(dl): DLDP down
NULL0 up up(s) 0% 0% 0
0

7. The preceding operations verify that the MAD function is configured successfully.
8. Restore all the physical member ports to the Up state or insert cluster cables to the ports,
and then configure services.
----End
Configuration Files
l CSS configuration file
#
eth-trunk 1
#
eth-trunk 1
#
mad detect mode relay
#
return

#
sysname SwitchC
#
eth-trunk 1
#
eth-trunk 1
#
mad relay
#
return
8.15 FAQ
8.15.1 How Can I Specify the Master Switch?
After you connect cluster cables between two member switches, set the CSS priority of the
intended master switch to a larger value and enable the CSS function on it first. This ensures
that the switch with the higher CSS priority becomes the master switch.
If you want the other switch in the CSS to be the master switch, run the slave switchover
command to perform a master/standby switchover if the original master switch has two
MPUs. If the original master switch has only one MPU, power off the switch, and power it on
after the standby switch is elected as the new master switch. If you specify a new master
switch when the CSS is running, services will be interrupted.
8.15.2 How Do I Know Which Switch Is the Master in a CSS?
You can know which switch is the master in a CSS by checking indicators or running
commands.
l Checking indicators

– CSS card clustering: If the MASTER indicator on a CSS card is steady green, the
MPU with the CSS card installed is the master MPU of the CSS, and the switch is
the master in the CSS.
– Service port clustering: If the ACT indicator on an MPU is steady green, the MPU
is the master MPU of the CSS, and the switch is the master in the CSS.
l Running commands
You can run the display device or display css status command to view the master
switch.
– If the display device command output contains information such as Chassis 1
(Master Switch), the switch is the master in the CSS.
– In the display css status command output, the CSS status field indicates the role of
the switch.
8.15.3 Can Switches of Different Series Set Up a CSS?

Switches of different series cannot set up a CSS. For example, the S9706 and S7706 cannot
set up a CSS.
Switches of the same series with different models can set up a CSS. For example, the S9706
and S9712 can set up a CSS.
8.15.4 Can the CSS Card Connection Mode and Service Port
Connection Mode Be Used Together on the S7700s or S9700s?
The CSS card connection mode and service port connection mode cannot be used together.
8.15.5 Can Switches Set Up a CSS if They Use Different Types of

MPUs?
l CSS card connection mode: The S7700 switches that use SRUAs or SRUBs can set up a
CSS, and the S9700 supports only SRUC.
l Service port connection mode: The S7700 switches that use SRUAs or SRUBs can set
up a CSS. A switch using SRUHs cannot set up a CSS with a switch using another
model of MPUs. That is, both the two chassis must use SRUHs. The S9700 supports
SRUC or SRUD.
Each chassis must be equipped with MPUs of the same model. If two chassis in a CSS use
MPUs of different models, the forwarding performance of the CSS depends on the MPU with
the lowest forwarding performance.
8.15.6 Can I Log In to a Cluster Through the Web NMS?

From V200R002C00, you can log in to a cluster through the web NMS to configure the
cluster.
8.15.7 How Do I Install a License File for a CSS?

Perform the following operations to install a license file for a CSS:

1. Apply for a license, which is bound to the ESN of a physical device.

a. Run the display license esn command to obtain the ESNs of two member switches
in the CSS.
b. Apply for one license using the two ESNs.
For details about how to apply for a license, see S Series Switch License Use
Guide.
How to install a license file for a CSS varies. For details, see the following table.
Table 8-14 Applying for a license

Applying for V200R009 and Later Versions Versions Earlier Than
and Loading a V200R009
License for
Two Devices
Before a CSS
Is Set Up
Both devices do Apply for a license using the ESNs The license must contain
not apply for of the two devices. the ESNs of the two
and install a devices. Therefore, you
license file. must apply for a new
license using the ESNs of
Both devices l If the control items of the two the two devices.
have applied for license files are the same, split
a license but do the CSS, load the two standalone
not have a devices with their respective
license loaded. licenses, and then set up a CSS
of the two devices again.
Alternatively, apply for a license
that contains the ESNs of the
two devices through the ESN
change process.
l If the control items of the two
license files are different, apply
for a license that contains the
ESNs of the two devices through
the ESN change process.
Only one device Apply for a license that contains the

has a license file ESNs of the two devices through the
installed. ESN change process.

Applying for V200R009 and Later Versions Versions Earlier Than

and Loading a V200R009
License for
Two Devices
Before a CSS
Is Set Up
The two devices l If the control items of the two

each have a license files are the same, you do
license file not need to apply for a new
installed. license. The existing licenses can
still be used after the two devices
set up a CSS.
l If the control items of the two
license files are different, apply
for a license that contains the
ESNs of the two devices through
the ESN change process.
2. Upload the obtained license to the system active MPU.

3. Run the license active command to activate the license. The standby switch will
synchronize with this license.
4. After the license file is installed successfully, you can run the display license command
to check license file information.
After the CSS splits, the license is still valid on the two member switches.
NOTE
l You must have permissions to perform operations on the license self-service system. For details about
rights and how to apply for rights, see the License Use Guide.
l The following provides more details about the license for a CSS:
l In versions earlier than V200R009, you must apply for one license for the two ESNs. If the license
has only the ESN of the master chassis, the license status is normal, and the license-controlled
features can take effect; however, the license status becomes Trial (with a 60-day trial period) after
an active/standby switchover. If the license has only the ESN of the standby chassis, the license
status is also Trial.
l In V200R009 and later versions, you can apply for one license for the two ESNs; alternatively, you
can apply for and install one license file for each of the two ESNs before setting up a CSS and
ensure that the control items of the two licenses are the same.
l If the control items of the license files on the master and standby chassis are the same, the
standby chassis uses its own license file without synchronizing with that of the master chassis.
The license file of the CSS can still be used after an active/standby switchover.
l If the control items of the license files on the master and standby chassis are different, the
standby chassis synchronizes its license file with that of the master chassis. If the license file
on the master chassis contains the ESN of the standby chassis, the license status of the
standby chassis is normal, and the license file of the CSS can still be used after an active/
standby switchover. If the license file on the master chassis does not contain the ESN of the
standby chassis, the ESN in the synchronized license file of the standby chassis is different
from that in the existing license file of the standby chassis. As a result, the license status of
the standby chassis becomes Trial (with a 60-day trial period). After an active/standby
switchover, the license status for the CSS becomes Trial.

8.15.8 How Do I Load a Patch for a Cluster?

To load a hot patch in the current version, perform the following operations.
1. Save the patch file to the root directory of the system active MPU.
2. Run the patch load filename all run command to load and run the patch.
3. After the patch is loaded, run the display patch-information command to view patch
information.
To specify the patch file for the next startup during a version upgrade or downgrade, perform
the following operations.
1. Save the patch file to the root directory of the system active MPU.
2. Run the copy source-filename destination-filename all command to save the patch file to
all MPUs.
3. Run the startup patch filename all command to specify the patch file for the next
startup.
4. Run the reboot command to restart the device.
5. After the device is restarted, run the display patch-information command to view patch
information.

Configuration Guide - Device Management 9 SVF Configuration
9 SVF Configuration
About This Chapter
This chapter describes how to configure Super Virtual Fabric (SVF) to simplify management
and configuration at the campus network access layer.
9.1 SVF Overview

9.2 Principles
9.4 Licensing Requirements and Limitations for SVF
9.6 Setting Up an SVF System
9.7 Configuring Services for an AS
9.8 Maintaining an SVF System
9.9 Splitting an SVF System
9.1 SVF Overview

The access layer of a traditional campus network has the following characteristics:
l A large number of access devices are distributed sparsely.
l Services are simple and configurations on different access devices are similar.
l The trend towards wired and wireless convergence grows.
Management and configuration of access devices are time-consuming due to the preceding
characteristics. Super Virtual Fabric (SVF) technology effectively simplifies management and
configuration of access devices.
SVF technology virtualizes aggregation and access devices into one logical device and allows
aggregation devices to manage and configure access devices, as shown in Figure 9-1.

Figure 9-1 SVF networking at the access layer
CSS
Aggregation
layer
Access layer
Wired access
Wireless access
Compared with the traditional access layer networking, the SVF networking has the following
advantages:
l Unified device management: SVF virtualizes aggregation and access devices into one
logical device and allows aggregation devices to manage and configure access devices.
l Unified configuration: SVF implements batch configuration of access devices based on
profiles, removing the need to configure access devices one by one.
l Unified user management: SVF manages wired and wireless access users in a unified
manner.
9.2 Principles
NOTE
In the following SVF principles, a switch functions as a wired access device (AS). When a wireless device
(AP) accesses an SVF system, the parent functions as a wireless access controller (AC). For details about the
SVF principles in wireless access, see S7700 and S9700 V200R008C00 Configuration Guide - WLAN-AC
Configuration Guide.
9.2.1 Roles in an SVF System

Figure 9-2 SVF-related concepts

CSS/Stack
Parent
1 3 Fabric port
2
Level-1 Layer2
Network
AS
5
AP
6 4
Client Level-2 Level-1
AS AS
AP AP
In Figure 9-2, an SVF system consists of the parent and client, which are connected through
fabric ports. For the roles in an SVF system, see Table 9-1.
Table 9-1 Roles in an SVF system

Role Definition
Parent A parent is an aggregation device that manages and configures

an SVF system.
Client Client refers to all access devices, including wired access

devices (ASs) and wireless access devices (AP). ASs are
classified into level-1 and level-2 ASs.
l AP: is a Wireless Local Area Network (WLAN) access
point that connects to wireless terminals. When APs access
an SVF system, the parent functions as an AC to control
and manage all the APs in the SVF system.
l Level-1 AS: is directly connected to the parent or is
connected to the parent across a Layer 2 network.
l Level-2 AS: is directly connected to a level-1 AS. When a
level-1 AS is connected to the parent across a Layer 2
network, level-2 ASs are not supported.
Fabric-port A fabric port is a logical port that connects the parent and a
level-1 AS or connects a level-1 AS and a level-2 AS. One or
more member ports can be added to a fabric port, and one
fabric port can connect to only one AS.
9.2.2 SVF Setup

Operations Performed by Different Roles During SVF Setup
Figure 9-3 SVF networking
Parent CSS/Stack
1 3 Fabric port
CAPWAP 2
link
Layer2
Level-1 Network
AS 5
AP
6 4
Level-2 Level-1
Client AS AS
AP AP
In Figure 9-3, SVF allows the parent and client to establish a Control And Provisioning of
Wireless Access Points (CAPWAP) link as the control channel for unified client configuration
and management. This process is similar to AP management by an AC in WLANs. During
SVF setup, some operations need to be performed on the parent and client to establish a
CAPWAP link.
The parent is directly connected to level-1 ASs, but level-1 ASs are not connected to level-2
ASs.
l N Role Operations
o.
1 Parent l Create a management VLAN for Layer 2 communication

with the client.
l Configure a DHCP address pool to allocate a management
IP address to the client.
l Create a CAPWAP source interface for communication
with the client.
l Enable the SVF function on the parent.
2 Fabric port l Parent-side fabric port (numbered 1 in Figure 9-3):

between the Manually add a physical member port of the level-1 AS to
parent and a the fabric port.
level-1 AS l Level-1 AS-side fabric port (numbered 2 in Figure 9-3):
Enable the level-1 AS and parent to automatically negotiate
a fabric port after the parent-side fabric port is configured.

N Role Operations
o.
3 Level-1 AS l Change to the client mode.

A switch in client mode has no independent configuration
file, and you cannot configure services on it directly. All
configurations are delivered to client switches from the
parent. If a switch has no configuration file and no input on
the console port, it performs auto-negotiation with the
parent to change its mode.
If the switch negotiating as the client is not connected to
the parent within 10 minutes after restarting, the switch
changes to the standalone mode again. You can also
forcibly change the switch from the client mode to
standalone mode.
l Obtain management VLAN information automatically
through the parent.
The parent is directly connected to level-1 ASs, and level-1 ASs are connected to level-2 ASs.
l N Role Operations
o.

with the client.
with the client.

parent and a the fabric port.
level-1 AS l Level-1 AS-side fabric port (numbered 2 in Figure 9-3):
Enable the level-1 AS and parent to automatically negotiate
a fabric port after the parent-side fabric port is configured.

N Role Operations
o.
3 Level-1 AS l Change to the client mode.

A switch in client mode has no independent configuration
file, and you cannot configure services on it directly. All
configurations are delivered to client switches from the
parent. If a switch has no configuration file and no input on
the console port, it performs auto-negotiation with the
parent to change its mode.
If the switch negotiating as the client is not connected to
the parent within 10 minutes after restarting, the switch
changes to the standalone mode again. You can also
forcibly change the switch from the client mode to
standalone mode.
through the parent.
4 Fabric port l Level-1 AS-side fabric port (numbered 5 in Figure 9-3):

between a On the parent, manually add a physical member port of the
level-1 AS and level-2 AS to the fabric port.
a level-2 AS l Level-2 AS-side fabric port (numbered 6 in Figure 9-3):
Enable the level-2 AS and level-1 AS to automatically
negotiate a fabric port.
5 Level-2 AS l Change to the client mode, similarly to the way a level-1

AS changes to the client mode.
through the parent.
The parent is connected to level-1 AS across a network.

l N Role Operations
o.

with the client.
with the client.

N Role Operations
o.

parent and a the fabric port, and change the fabric port to the indirect
level-1 AS connection mode.
l Level-1 AS-side fabric port (numbered 4 in Figure 9-3):
Manually add a physical member port that connects the
level-1 AS to the parent.
3 Level-1 AS l Manually force the level-1 AS to change to the client

mode.
l Configure a management VLAN on the level-1 AS, which
must be consistent with the management VLAN of the
parent.
SVF Setup Process

An SVF system goes through the following phases before being setting up:
1. Neighbor discovery: A parent sends information including the management VLAN to an
AS through neighbor discovery.
2. Device management: The AS obtains an IP address through DHCP and establishes a
Control And Provisioning of Wireless Access Points (CAPWAP) link with the parent and
registers with the parent.
3. Version management: The AS checks whether its software version is the same as that of
the parent. If not, the AS downloads the system software from the parent to upgrade and
synchronize its software version with that of the parent.
4. Topology management: The parent collects LLDP neighbor information of all ASs and
calculates the SVF topology.
5. Service configuration: In direct configuration mode, the parent sends service
configurations to ASs over CAPWAP links. In independent configuration mode, service
configurations are performed on ASs independently.

Figure 9-4 Flowchart for SVF setup
DHCP server is
deployed on
the parent
AS DHCP server Parent
1. Configure an IP address 1. Configure the

pool on the management management VLAN,
VLANIF interface. downlink fabric port,
and IP address for
2. The AS automatically discovers the management the management
VLAN and communicates with the parent at Layer 2. VLANIF interface.
3. The AS obtains an IP address from the IP address pool
Establish a control
of the management VLANIF interface.
channel
4. The AS obtains the IP address of the parent
functioning as the gateway through Option 43.
Synchronize the
version (optional) 5. The AS and parent establish a CAPWAP control channel.
Collect and calculate 6. The parent determines that the AS version needs to be updated.
the topology
7. The AS version is updated and then the AS restarts.
Deliver the
configuration 8. The AS reports topology information to the parent through the CAPWAP channel
9. The parent
generates the
Associate the topology and
policy (optional) determines port roles.
10. In direct configuration mode, the parent sends service configurations to ASs
over CAPWAP links. In independent configuration mode, service configurations are
performed on ASs independently
11. Users connect to the AS, and user entries are set up and synchronized on
the AS and parent through the CAPWAP channel.
12. The parent delivers the policy after users pass the authentication.
9.2.3 AS Service Configuration

In an SVF system, two AS service configuration modes are available: centralized mode and
independent mode.
Centralized Mode
In centralized mode, all service configurations for ASs are performed on the parent.
Therefore, which services can be configured on ASs depends on the services that can be
configured on the parent, but not depend on the services supported by a standalone access
switch. AS-supported services apply to most access switches.
In centralized mode, you can deliver service configurations to multiple ASs using profiles or
global batch configuration or configure a single AS directly. The global batch configuration
mode supports only a few functions. The following describes profile-based configuration and
direct configuration.
Profile-based Configuration
In profile-based configuration, service profiles on the parent are bound to specified device and
port groups to delivery service configurations to ASs. Profile-based configuration involves
two concepts:

l Device and Port Groups

If multiple ASs or ports in an SVF system need the same configurations, you can add
these ASs or ports to the same group for batch configuration. This improves the
configuration efficiency.
Table 9-2 lists the device and port group types in an SVF system.
Table 9-2 Groups supported in an SVF system

Group Type Member Type in Description
a Group
AS group AS An AS group is a set of ASs. The group

implements batch configuration of ASs with
the same global configuration. For example,
You can configure an AS administrator for the
ASs in an AS group.
AS port group Port that connects An AS port group is a set of AS ports that
an AS to a user connect to user terminals. The group
terminal implements batch configuration of AS ports
with the same configuration.
AP port group Port that connects An AP port group is a set of AS ports that
an AS to an AP connect to APs. All the ports that connect ASs
to APs need to be added to an AP port group.
l Service Profiles
A service profile is a set of service configurations. You can bind service profiles to
specified device and port groups to deliver the service profiles to corresponding ASs,
which then parse and execute services configured in the service profiles.
Table 9-3 lists the service profile types in an SVF system.
Table 9-3 SVF-supported service profiles

Service Profile Type Bound Object Description
AS administrator profile AS group An AS administrator

profile is used to configure
AS administrator services
and the rate limit for
outgoing ARP and DHCP
packets on an uplink fabric
port.
Network basic profile l AS port group A network basic profile is

l AP port group used to configure basic
services for AS ports, such
as VLANs.

Service Profile Type Bound Object Description
Network enhanced profile AS port group A network enhanced

profile is used to configure
enhanced services for AS
ports, such as the traffic
rate limit and DHCP
snooping.
User access profile AS port group A user access profile is

used to configure
authentication services for
user access (for example,
the authentication mode),
MAC address learning
limiting, and the rate limit
for incoming ARP and
DHCP packets on an AS
port.
Direct Configuration
Service configurations can be delivered to ASs through service profiles. Apart from this
method, you can also run the direct-command command on the parent to directly deliver
some service configurations to ASs.
9.2.4 SVF Management and Maintenance

After an SVF system is set up, access and aggregation devices are virtualized into one logical
device. An SVF system is a virtual system, in which the parent configures and manages all
member devices. The parent is managed and maintained as a common device. For example,
you can log in to the parent through the console port or management port and perform a
software upgrade. ASs are managed and maintained using commands on the parent. For
example, you can log in to ASs through console ports of ASs, restart ASs, upgrade ASs, load
and delete patches for ASs, and replace ASs.

NOTE
An SVF system can be configured and managed on a switch or eSight. Configuring and managing an SVF
system on eSight is visualized and more convenient. For the SVF configuration on eSight, see "SVF
Management" in the eSight V200R005C00 User Guide.
Table 9-4 lists SVF configuration tasks.

Table 9-4 SVF configuration task summary
Scenario Description Task
Connect level-1 and level-2 You can connect ASs to the 9.6.1 Connecting an AS to
ASs to the parent directly to parent directly to allow the Parent Directly
set up an SVF system. wired user terminals to
connect to an SVF system.
When only a small number
of user terminals exist, you
only need to configure
level-1 ASs. When a large
number of user terminals
exist, you can also configure
level-2 ASs.
Connect ASs to the parent You can connect ASs to the 9.6.2 Connecting an AS to
through a network to set up parent through a network to the Parent Through a
an SVF system. allow wired user terminals Network
to connect to an SVF
system.
Connect APs to the parent to SVF can implement unified 9.6.3 Connecting an AP to
set up an SVF system. management on wired an AS
access and wireless access.
You can connect APs to the
parent to allow wireless user
terminals to connect to an
SVF system. APs can
connect to the parent or
ASs.
9.4 Licensing Requirements and Limitations for SVF
9.4.1 Involved Network Elements

SVF networking involves the following components:
l Parent
l AS
l AP
9.4.2 Licensing Requirements

The SVF function on a parent requires a license.
The license controls only the SVF function but not the SVF service specifications and only
needs to be loaded on the parent.
For details about how to apply for a license, see S Series Switch License Use Guide.

9.4.3 Version Requirements

l When the parent version is earlier than V200R011C10, the AS version must be the same
as the parent version. Otherwise, this AS cannot go online. For example, if the parent
version is V200R010C00, the AS version must also be V200R010C00.
l When the parent version is V200R011C10 or later, the parent version and AS version
can be different, but the parent version must be higher than or the same as the AS version
and the AS version must also be V200R011C10 or later.
l APs must use the software version matching that of the parent. For details, see "WLAN
Service Configuration - Licensing Requirements and Limitations for the WLAN
Service" in the Configuration Guide - WLAN-AC.
l To check AP device types supported by the parent by default, run the display ap-type all
command on the parent. The following table lists supported parent and AS device
models.
Table 9-5 Supported parent and AS switch models

Version Supported Parent Switch Supported AS Switch Models
Models
V200R007C l S7703, S7706, S7712 S2750EI, S5700LI, S5700S-LI, S5720EI

00 l S9703, S9706, S9712
V200R008C l S7703, S7706, S7712 S2750EI, S5700LI, S5700S-LI, S5710-X-

00 l S9703, S9706, S9712 LI, S5720SI, S5720S-SI, S5720EI
V200R009C l S7703, S7706, S7712 S2720EI, S2750EI, S5700LI, S5700S-LI,

00 l S9703, S9706, S9712 S5710-X-LI, S5720SI, S5720S-SI,
S5720EI, S6720EI, S6720S-EI
V200R010C l S7703, S7706, S7712 l S2720EI, S2750EI, S5700LI, S5700S-

00 l S9703, S9706, S9712 LI, S5710-X-LI, S5720LI, S5720S-LI,
S5720SI, S5720S-SI, S5720EI,
S6720EI, S6720S-EI
l S600-E
V200R011C l S7703, S7706, S7712 l S2720EI, S2750EI, S5700LI, S5700S-

10 l S9703, S9706, S9712 LI, S5710-X-LI, S5720LI, S5720S-LI,
S5720SI, S5720S-SI, S5720EI, S5730SI,
S5730S-EI, S6720EI, S6720S-EI,
S6720LI, S6720S-LI, S6720SI, S6720S-
SI
l S600-E
9.4.4 Specifications

AS, AP, CAPWAP Link Specifications

Parent Maximum Maximum Maximum Number of
Number of ASs Number of APs CAPWAP Links
S9703 32 512 512
S9706, S9712 64 2048 2048
S7706, S7712 l Versions prior to 4096 2048

(The main V200R009C00:
control unit is 64
SRUE or l V200R009C00
SRUH.) and later
versions: 256
S7706, S7712 64 1024 1024

(The main
control unit is
SRUA or
SRUB.)
NOTE
In an SVF system, ASs and APs share the CAPWAP link specifications. That is, the maximum number of
ASs and APs cannot exceed the maximum number of CAPWAP links. For example, when an S9706 functions
as the parent in an SVF system and 64 ASs have connected to the SVF system, a maximum of 1984
(2048-64) APs can connect to the SVF system.
If DTLS encryption is configured for packets transmitted in a CAPWAP tunnel, recommendations on the
maximum number of ASs and APs supported on the parent are as follows:
l The maximum numbers of ASs and APs do not exceed 16 and 48 respectively.
l The preceding AS or AP specifications apply to scenarios where all ASs or APs go online. If both ASs
and APs go online, it is recommended that the value of AS*3+AP do not exceed the maximum number
of APs.
l When the number of ASs or APs exceeds the maximum value, a high CPU usage may occur, affecting
existing services.
AS Group/Port Group Specifications in Profile-based Configuration Mode

Group Type Maximum Bound Service Description
Number of Profile Type
Groups
AS group 16 AS administrator l An AS can be added to

profile only one AS group.
l An AS port group can
be bound to only one
AS administrator
profile.

Group Type Maximum Bound Service Description

Number of Profile Type
Groups
AS port group l 256 (versions l Network basic l A port can be added to

earlier than profile only one port group (an
V200R011C10) l Network AS port group or AP
l 512 enhanced port group).
(V200R011C10 profile l V200R007C00 and
and later l User access V200R008C00: All
versions) profile ports of an AS can be
assigned to a maximum
of 6 AS port groups in
total.
V200R009C00 and
later versions: All ports
of an AS can be
assigned to a maximum
of 32 AS port groups in
total.
l An AS port group can
be bound to a network
basic profile, network
enhanced profile, and
user access profile.
AP port group 1 Network basic l An AP port group can

profile be bound to only one
network basic profile.
Service Profile Specifications in Profile-based Configuration Mode

Service Profile Maximum Number of Service Profiles
Type
AS administrator 16
profile
Network basic l 256 (versions earlier than V200R011C10)

profile l 512 (V200R011C10 and later versions)
Network 16
enhanced profile
User access 16
profile

9.4.5 Service Configuration Supported on an AS

An AS supports different service configurations in different configuration modes, as described
in the following tables.
Centralized Mode (Batch Configuration: Functions Globally Delivered)

Function Description
Configure the SVF An SVF system supports two forwarding modes: centralized
forwarding mode. forwarding and distributed forwarding.
l In centralized forwarding mode, traffic forwarded by the local
AS and forwarded between ASs is sent to the parent for
forwarding.
l In distributed forwarding mode, an AS directly forwards local
traffic and the parent forwards traffic between ASs.
NOTE
l In centralized forwarding mode, ports of the ASs connected to the same
fabric port of the parent are isolated and so cannot communicate at
Layer 2, and need to have proxy ARP in the corresponding VLAN
configured using the arp-proxy inner-sub-vlan-proxy enable
command to communicate at Layer 3.
l After an AS goes offline, downlink ports of the AS are automatically
shut down. As a result, traffic of the AS attached network will be
interrupted.
By default, the forwarding mode of an SVF system is distributed
forwarding.
Configure the URL To improve web application security, data from untrustworthy
encoding function sources must be encoded before being sent to clients. URL
for an AS (This encoding is most commonly used in web applications. After URL
function is supported encoding is enabled for ASs, special characters in redirected URLs
in V200R009 and are converted to secure formats, preventing clients from mistaking
later versions). them for syntax signs or instructions and unexpectedly modifying
the original syntax. In this way, cross-site scripting attacks and
injection attacks are prevented. By default, URL encoding is
enabled in ASs. This function can be disabled using the portal url-
encode disable command.
Configure In addition to the configurations in service profiles, the parent

authentication-free delivers the configured Portal authentication-free rules to ASs.
rules. Authentication-free rules 0 to 127 can be delivered to ASs of the
S5720EI model; authentication-free rules 0 to 31 can be delivered
to ASs of other models; authentication-free rules outside the two
ranges will not be delivered to ASs.
Enable IGMP By default, IGMP snooping is disabled for service VLANs on an

snooping for a AS.
service VLAN on an
AS (This function is
supported in
V200R010 and later
versions).

Centralized Mode (Batch Configuration: Functions Delivered Using Profiles)

Function Sub-function Service
Device management Administrator User name and password of

the local administrator
Traffic policing Rate limit for outgoing ARP

and DHCP packets on an
uplink fabric port
Basic network service VLAN management Addition and removal of

ports to or from a VLAN
Configuration of the port

that connects an AS to an
AP
Voice VLAN based on

LLDP or CDP negotiation
Enhanced network service Basic QoS Trust 802.1p (This function

is not supported in
V200R011C10 and later
versions)
NOTE
In V200R011C10 and later
versions, the priority-trust
enable command cannot be
executed in the network
enhanced profile view to
configure the priority trust
function. When the S2720EI,
S2750EI, S5700LI, S5700S-
LI, S5710-X-LI, S5720LI,
S5720S-LI, S5720SI, or
S5720S-SI switches go online
as ASs, the parent delivers the
default trust 8021p
configuration. When other
switches go online as ASs, by
default, they use the default
trust 8021p configuration.
Therefore, the parent does not
need to deliver the
configuration.
Port security Broadcast, multicast, and

unknown unicast traffic
suppression on a port
Port rate limiting
STP edge port

Access security DHCP snooping, IPSG, and

DAI
Access service Access authentication 802.1x authentication, MAC

address authentication, and
Portal authentication
Access control MAC address learning

limiting
Maximum number of access

users on an AS port (This
function is supported in
V200R010 and later
versions)
Traffic policing Rate limit for incoming

ARP and DHCP packets on
an AS port
Centralized Mode (Single Configuration: Functions Delivered Using the direct-

command Command)
NOTE
The interface view cannot be the Eth-Trunk interface view.
Servic Format View Function Configuratio

e n
Catego Dependency
ry and
Restriction
Energy- port-auto-sleep enable Interfac Enables the This command

saving e view port sleeping cannot be
manage function on an configured on
ment electrical combo
interface. interfaces.
PoE poe force-power Interfac Enables -

e view forcible PoE
power supply
on an
interface.
poe legacy enable Interfac Enables an -

e view interface to
check
compatibility
of PDs.


e n
Catego Dependency
ry and
Restriction
poe priority { critical | high | Interfac Sets the power -

low } e view supply priority
of a PoE
interface.
poe af-inrush enable slot slot-id System Configures the -

view IEEE 802.3at-
compliant
device to
provide power
in accordance
with IEEE
802.3af.
poe high-inrush enable slot System Configures a -

slot-id view device to allow
high inrush
current during
power-on.
undo poe enable (supported in Interfac Disables the -

V200R011C10 and later e view PoE function
versions) on an
interface.
Etherne undo negotiation auto Interfac Configures an l This

t e view interface to command
interfac work in non- cannot be
es auto- configured
negotiation on combo
mode. interfaces.
After you run l Do not
the undo cancel the
direct- undo
command negotiation
command, the auto
interface command
works in auto when speed
negotiation { 10 | 100 |
mode. 1000 } or
duplex
{ full |
half } is
specified.


e n
Catego Dependency
ry and
Restriction
speed { 10 | 100 | 1000 } Interfac Sets the rate in l This

e view non-auto- command
negotiation cannot be
mode. configured
on combo
interfaces.
l Ensure that
the
interface
works in
non-auto-
negotiation
mode
before
configuring
this
command.


e n
Catego Dependency
ry and
Restriction
speed auto-negotiation Interfac Enables auto- l Support for

e view negotiation on this
a GE optical command
interface. varies
depending
on switch
models. For
details, see
the speed
auto-
negotiation
command
in the
Command
Reference -
Interface
Manageme
nt
Commands
- Ethernet
Interface
Configurati
on
Commands.
l Ensure that
the
interface
works in
auto-
negotiation
mode
before
configuring
this
command.


e n
Catego Dependency
ry and
Restriction
duplex { full | half } Interfac Sets the duplex l This

e view mode for an command
electrical cannot be
interface in configured
non-auto- on combo
negotiation interfaces.
mode. l Ensure that
the
interface
works in
non-auto-
negotiation
mode
before
configuring
this
command.
l When the
working
rate of a GE
electrical
interface is
1000
Mbit/s, the
interface
supports
only the
full duplex
mode.
loopback internal Interfac Configures a -

e view loopback
detection mode
on an
interface.
description description Interfac Configures the The

(supported in V200R011C10 and e view description for description
later versions) an interface. contains a
maximum of
52 characters.
Port port bridge enable Interfac Enables the -

bridge e view bridging
function on an
interface.


e n
Catego Dependency
ry and
Restriction
Voice voice-vlan mac-address mac- System Configures the -

VLAN address mask mask (supported in view OUI address of
V200R011C10 and later the voice
versions) VLAN.
LBDT loopback-detect enable Interfac Enables -

e view loopback
detection on an
interface.
loopback-detect packet vlan Interfac Enables If you

vlan-id e view loopback configure this
detection for a command
specified multiple times,
VLAN. loopback
detection is
enabled for
multiple
VLANs.
ARP arp speed-limit source-mac System Configures l Only the

rate maximum maximum view ARP rate S5720EI,
limiting limiting based S6720S-EI,
on source and
MAC S6720EI
addresses. support this
command.
l This
function
takes effect
only for
ARP
packets sent
to the CPU.
arp speed-limit source-ip System Configures This function

maximum maximum view ARP rate takes effect
limiting based only for ARP
on source IP packets sent to
addresses. the CPU.


e n
Catego Dependency
ry and
Restriction
Stack port interface { interface-type Stack Configures a Before

interface-number1 [ to interface- interface service restoring the
type interface-number2 ] } view: interface as a physical
enable (supported in V200R010 stack- physical member ports
and later versions) port member port that are added
member and adds it to a to a stack port
-id/port- stack port. in direct
id configuration
mode as
common
service
interfaces, you
do not need to
run the
shutdown
interface
command in
the stack
interface view.
stack slot slot-id priority System Sets a stack -

priority (supported in V200R010 view priority for a
and later versions) member switch
in a stack.


e n
Catego Dependency
ry and
Restriction
stack slot slot-id renumber new- System Changes the A stack ID

slot-id (supported in view stack ID of a cannot be
V200R011C10 and later specified changed in the
versions) member switch following
in a stack. situations:
NOTICE l The switch
If there are is a
services
standalone
running,
delivering this switch that
command may does not
cause service join any
interruptions stack.
and
configuration l The newly
loss. configured
Therefore, you stack ID is
are advised to an existing
deliver this stack ID of
command
a specified
when an AS is
unconfigured. member
switch in a
stack.
l Ports with
the
specified
slot-id have
been
configured
as member
ports of an
uplink
fabric port.
l Ports with
the
specified
slot-id have
been
configured
as member
ports of a
downlink
fabric port.

Centralized Mode (Configurable Commands After Logins to ASs Using the

attach-as Command or Console Port)
Commands that can be configured after you log in to an AS in centralized configuration mode
are mainly used for fault diagnosis.
l In the user view and diagnostic view, all commands are supported except the commands
listed in Table 9-6. Additionally, in V200R009 and earlier versions, the diagnostic view
can be displayed only after the diagnose-command command is executed in the user
view.
Table 9-6 Commands not supported in the user view and diagnostic view of ASs
Command View
configuration copy file file-name to User view

running
configuration copy startup to file file- User view

name
configuration exclusive User view
format drive User view
lldp clear neighbor [ interface interface- User view

type interface-number ]
local-user change-password User view
lock User view
startup patch patch-name [ slave-board | User view

slot slot-id ]
startup saved-configuration User view

configuration-file [ slot slot-id ]
startup system-software system-file [ all | User view

slave-board | slot slot-id ]
save [ all ] [ configuration-file ] User view
save logfile [ all ] User view
reboot [ fast | save diagnostic- User view

information ]
schedule reboot { at time | delay interval User view

[ force ] }
rollback User view
cli enable-config Diagnostic view
configuration datasync start script-file Diagnostic view

script-file { result-file result-file }

Command View
test-device port loopback slot { slot-id | Diagnostic view

interface { interface-type interface-
number1 [ to interface-type interface-
number2 ] } &<1-10> }
stack enable Diagnostic view

undo stack enable
undo startup system-software Diagnostic view
l Commands that are supported in other views are used for service diagnosis and fault
location. In V200R009 and earlier versions, the uni-mng diag-mode enable command
must be executed first to enable the diagnostic mode.
Table 9-7 Commands supported in other views

Command Function Configuration Notes
port-mirroring Binds a mirrored You are not advised to perform service

undo port- port to an configurations on Eth-Trunk member
mirroring observing port. ports of an AS that are bound to a fabric
port, as doing so may cause a failure of
SVF system setup.
traffic-mirror Configures the You are not advised to perform service

undo traffic-mirror traffic mirroring configurations on Eth-Trunk member
function. ports of an AS that are bound to a fabric
SVF system setup.
observe-port Configures an Generally, an observing port is dedicated

undo observe-port observing port. to monitoring forwarding of mirrored
traffic. Therefore, configuring an AS port
with service configurations as an
observing port is not recommended. If a
port has been configured as an observing
port, do not deliver service configurations
to this port through service profiles or the
direct-command command.
You are not advised to perform service
configurations on Eth-Trunk member
ports of an AS that are bound to a fabric
SVF system setup.

traffic-statistic Enables the traffic If you delete the traffic-statistic

undo traffic- statistics collection command that is delivered by the parent to
statistic function. an AS, you will fail to obtain traffic
statistics about the AS on the parent.
configurations on Eth-Trunk member
ports of an AS that are bound to a fabric
SVF system setup.
capture-packet Configures the You are not advised to perform service

packet header configurations on Eth-Trunk member
obtaining function. ports of an AS that are bound to a fabric
SVF system setup.
acl 2000-2999 Creates or deletes If the number of traffic policies on an AS

undo acl an ACL rule. reaches the upper limit, the parent fails to
2000-2999 deliver the IPSG or DAI configurations.
Run the display uni-mng commit-result
acl 3000-3998 profile command on the parent to check
undo acl the configuration delivery result. If the
3000-3998 command output shows that the
configuration delivery fails, run the
acl 4000-4997 display uni-mng execute-failed-record
undo acl profile as name as-name command to
4000-4997 check execution failure records after the
configuration is delivered to an AS. The
command output provides detailed
information about the delivery failure.
You can log in to the AS to check whether
the ACL resources are used up.
rule Creates an ACL -

undo rule rule.
interface Eth- Creates or deletes In V200R011C10 and later versions, you

Trunk an Eth-Trunk can only enter the Eth-Trunk interface
undo interface interface or view and cannot create or delete Eth-
Eth-Trunk displays the Eth- Trunk interfaces.
Trunk interface Do not delete Eth-Trunk0 or Eth-Trunk
view. interfaces that are bound to the downlink
fabric port from an AS.
interface Displays the GE -

GigabitEthernet interface view.
interface Displays the XGE -

XGigabitEthernet interface view.

interface Ethernet Displays the -

Ethernet interface
view.
interface MultiGE Displays the This command is only supported by

MultiGE interface S5720-14X-PWH-SI-AC, S5720-28X-
view. PWH-LI-AC, and S6720SI.
display Displays the device -

status or
configurations.
quit Returns to the -

upper-level view.
return Returns to the user -

view.
interface stack- Displays the stack -

port port view.
shutdown interface Shuts down/ This command is configured in the stack

undo shutdown restores a physical port view.
interface member port.
mad restore Restores all the -

blocked interfaces
of a standby switch
that enters the
Recovery state
after its stack
splits.
reset trace instance Clears all the -

(supported in diagnosis instances
V200R010 and on a device.
later versions)
save trace Saves diagnosis -

information information in the
(supported in buffer area as a
V200R010 and file.
later versions)

Commands Used for service -

starting with the diagnosis and
trace keyword executed in the
(supported in system view.
V200R010 and
later versions)
Commands
starting with the
undo trace
keyword
(supported in
V200R010 and
later versions)
Independent Mode (Configurable Commands After Logins to ASs Using the

attach-as Command or Console Port)
The independent mode has been supported since V200R010. In independent mode, the
commands listed in the following table can be configured on ASs. When configuring these
commands, pay attention to the following points:
l These commands vary depending on the AS device type. For details, see the command
reference of these devices.
l In independent mode, configuring some commands may cause an AS's failure to go
online. To prevent this problem, some commands listed in the following table are not
supported. If an unsupported command is executed on an AS, an error message is
displayed.
Function Command
Basic Configuration CLI Overview Commands
File Management Commands
System Startup Commands
Device Management Hardware Configuration Commands
Energy-saving Configuration Commands
PoE Configuration Commands
Stack Configuration Commands
Interface Management Basic Interface Configuration Commands
Ethernet Interface Configuration Commands
Logical Interface Configuration Commands
Ethernet Switching MAC Address Table Configuration Commands

Function Command
Link Aggregation Commands
VLAN Configuration Commands
VLAN Aggregation Configuration Commands
MUX VLAN Configuration Commands
Voice VLAN Configuration Commands
QinQ Configuration Commands
VLAN Mapping Configuration Commands
Loopback Detection Configuration Commands
Layer 2 Protocol Transparent Transmission

Commands
IP Service IPv4 Configuration Commands
ARP Configuration Commands
DHCP Policy VLAN Configuration Commands
Reliability DLDP Configuration Commands
MAC Swap Loopback Configuration Commands
User Access and Authentication AAA Configuration Commands
NAC Configuration Commands (Unified Mode)
Policy Association Configuration Commands
Security ACL Configuration Commands
Local Attack Defense Configuration Commands
Attack Defense Configuration Commands
MFF Configuration Commands
Traffic Suppression and Storm Control

Configuration Commands
ARP Security Configuration Commands
Port Security Configuration Commands
DHCP Snooping Configuration Commands
ND Snooping Configuration Commands
PPPoE+ Configuration Commands
IP Source Guard Configuration Commands
SAVI Configuration Commands

Function Command
MPAC Configuration Commands
QoS MQC Configuration Commands
Priority Mapping Commands
Traffic Policing, Traffic Shaping, and Interface-

based Rate Limiting Commands
Congestion Avoidance and Congestion

Management Commands
Filtering Configuration Commands
Redirection Configuration Commands
Statistics Configuration Commands
ACL-based Simplified Traffic Policy Commands
Network Management and Monitoring SNMP Configuration Commands
LLDP Configuration Commands
Service Diagnosis Configuration Commands
Mirroring Configuration Commands
Packet Obtaining Configuration Command
Ping and Tracert Configuration Commands
9.4.6 Restrictions on SVF Roles

Table 9-8 Constraints and restrictions on SVF roles
Role Constraints and Restrictions
Pare l The parent can be a standalone device, a stack system, or a cluster switch
nt system (CSS).
l ASs or APs connecting to an SVF system can be different models.

AS l When an AS is an S5700-10P-LI, S5700-10P-PWR-LI-AC,

S2720EI(V200R009C00 and V200R010C00) or S2750EI and Layer 3 hardware
forwarding for IPv4 packets has been enabled using the assign forward-mode
ipv4-hardware command in the system view before the AS joins an SVF
system, the AS cannot negotiate to join the SVF system if the AS directly
connects to the parent and the management VLAN cannot be configured if the
AS connects to the parent across a network.
To solve these problems, start the AS in standalone mode and run the undo
assign forward-mode command in the system view to disable Layer 3
hardware forwarding for IPv4 packets.
l If the AS is a stack set up using service ports and running V200R009C00 or a
later version, you need to configure the stack function on the AS and then
connect the AS to the SVF system.
l An AS can be a standalone device or a stack system of multiple devices. In
V200R008C00 and earlier versions, each AS can be a stack of up to three
member devices that are the same model and provide the same number of ports.
From V200R009C00, each AS can be a stack of up to five member devices that
are the same model and provide the same number or different numbers of ports.
l From V200R009C00, an AS can be a stack of the same device series but
different device models. If an AS is a stack, you can run the slot command to
modify the preconfigured device type. To determine which different device
models can set up a stack, see "Licensing Requirements and Limitations for
Stack" in Stack Configuration in the Configuration Guide - Device
Management.
l An AS cannot connect to a parent if the parent runs V200R009C00, and the AS
is a stack running V200R007C00 or V200R008C00 and has a member switch
with a stack ID larger than 2. To connect the AS to the parent, remove the
member switch with a stack ID larger than 2 from the stack, upgrade the stack
to V200R009C00 or a later version, and then connect the removed member
switch to the stack. This member switch will synchronize with the master
switch's configuration file and system software. Subsequently, the AS can
connect to the parent.
l Stack member switches connected using downlink service ports cannot join an
SVF system as ASs.
l In an SVF system, the last four ports of the S6720-32X-SI-32S-AC,
S6720-32X-LI-32S-AC, S6720S-32X-LI-32S-AC, S6720-16X-LI-16S-AC, and
S6720S-16X-LI-16S-AC are used as uplink ports. Therefore, a stack set up
using the last four ports can join an SVF system as an AS.

AP l If an AP has been connected to the parent before the SVF function is enabled,
the parent cannot collect topology information about the AP after the uni-
mnguni-mng command is used to enable the SVF function. You need to run the
commit { all | ap ap-id } command in the WLAN view to commit the AP
configuration. Subsequently, the parent can collect topology information about
the AP.
l From V200R011C10, WLAN configurations are automatically delivered,
without the need of running the commit all command.
l If APs need to connect to an SVF system with an S9700/S7700 functioning as
the parent, X series cards must be installed on the parent to manage APs.
Fabri l Service ports of fixed switches are classified into uplink and downlink service
c ports. For details about uplink and downlink service ports, see the "Naming
port Conventions" section in the Hardware Description - Chassis.
l If downlink service ports of an AS are configured as member ports of an uplink
fabric port, all the downlink ports of the AS cannot be configured as stack
member ports.
l When GE optical interfaces are connected to XGE optical interfaces to connect
level-1 ASs to the parent or connect level-2 ASs to level-1 ASs, these interfaces
must use GE instead of XGE optical modules.
l When an AS connects to APs, all member ports of the Eth-Trunk bound to the
fabric port that connects the parent to the AS must be ports on X series cards or
ports on non-X series cards. Otherwise, APs cannot go online.
l In V200R008 and earlier versions, an AS can only connect to the upstream
parent or AS using fixed uplink ports or ports on an extension card. Since
V200R009, downlink service ports of an AS can also be connected to the
upstream parent or AS after you configure them as member ports of an
upstream fabric port using the uni-mng up-direction fabric-port member
interface interface-type interface-number [ to interface-number ] command.
l A downlink service port of an AS cannot be configured as a member port of
upstream and downstream fabric ports simultaneously. If this configuration is
performed, the AS will be unable to go online after a reboot. If the reset slot
command is executed in the slot of the AS, the AS will reset repeatedly.
l Ports on an AS subcard and uplink service port on an AS can only be used as
member ports of a fabric port or as stack member ports and cannot be used as
service ports.
l From V200R009C00, AS uplink ports can be used to connect to the parent or
level-1 AS or set up a stack and be configured as downlink fabric ports to
connect to other ASs.
l On the S6720EI, S6720S-EI, S6720LI, S6720S-LI, S6720SI, and S6720S-SI,
40GE ports and 10GE ports split from 40GE ports cannot be configured as
downlink fabric ports.
CAP l Configured CAPWAP tunnel parameters apply to the SVF system. To ensure
WAP that the CAPWAP tunnel of the SVF system works normally, you are advised to
retain the default CAPWAP tunnel parameters. For details on how to configure
CAPWAP tunnel parameters, see Configuring CAPWAP Tunnel Parameters.

9.4.7 Restrictions on an SVF System

Restrictions of Other Features
l The SVF function is mutually exclusive with the ISSU, EasyDeploy and USB-based
deployment functions.
l The SVF function can be enabled only when the NAC configuration mode is unified
mode. Therefore, the commands in NAC common mode cannot be configured in an SVF
system. For example, the guest VLAN commands in NAC common mode cannot be
configured in an SVF system.
l In an SVF system running V200R008C00 and earlier versions, you can run the
authentication free-rule command to control the network access right of NAC users
before they pass authentication. UCL-based group authorization is not supported for
NAC users.
l In an SVF system running V200R009C00 and later versions, you can run the free-rule
command to control the network access right of NAC users before they pass
authentication. UCL-based group authorization is not supported for NAC users.
l S2700&S5700&S6720&S600-E series switches support the built-in Portal server
function. After these switches join an SVF system, they do not support the built-in Portal
server function.
l The system automatically enables the STP and LLDP functions globally on the parent.
Pay attention to the following points when using the STP and LLDP functions in an SVF
system:
– The STP and LLDP functions cannot be disabled globally but can be disabled on
interfaces.
– The LLDP function cannot be disabled on member ports of a fabric port, ports
connected to APs, and AP uplink ports. Otherwise, SVF topology information
becomes inaccurate.
l After the SVF function is enabled, the parent changes STP to Rapid Spanning Tree
Protocol (RSTP) and sets the priority of instance 0 to 28672 using the stp instance 0
priority 28672 command. After the SVF function is disabled, the priority of instance 0
restores to the default value. When the SVF function is enabled or disabled, STP
recalculates the port roles and changes the interface status. Subsequently, traffic on the
interface is interrupted temporarily.
Restrictions After the SVF Function Is Enabled
l To perform MAD in an AS that is a stack, the multi-active detection (MAD) relay
function is automatically enabled on the Eth-Trunk to which a downlink fabric port is
bound, and the MAD function is automatically enabled on the Eth-Trunk to which an
uplink fabric port is bound. When the standby switch in an AS is removed, MAD cannot
be performed because the standby switch restarts automatically without saving the
configuration.
l To prevent the SVF function from being affected, do not perform the following
operations using MIBs:
– Modify the configurations automatically generated in an SVF system, including
STP configuration, LLDP configuration, and Eth-Trunk binding to a fabric port.
– Execute the commands shielded in an SVF system, including the commands used to
configure STP, LLDP, and member ports of a fabric port.
l On the parent, there is a delay in displaying the output of some commands (such as
patch delete all and patch load filename all [ active | run ]) executed on the ASs.

l In versions earlier than V200R011C10, Eth-Trunk can be manually created and deleted
on an AS in centralized mode. In V200R011C10 and later versions, Eth-Trunk cannot be
manually created and deleted on an AS in centralized mode and must be created and
deleted on the parent.
l In an SVF system, the maximum frame length allowed by interfaces cannot be
configured on an AS. Therefore, the maximum frame length is the default value 9216
(including the CRC field).
l After an AS goes online, a static ARP entry in which the IP address is the management
address of the parent is generated on the AS. Deleting the static ARP entry is not
allowed. Otherwise, the AS may be forcibly removed from the SVF system.
l Internal attacks in the management VLAN will cause an AS to go offline. You need to
identify the attack source and then shut down the attacked port or remove the port from
the management VLAN.
l After an AS goes offline, all downlink ports of the AS are shut down.
l When an AS goes offline and needs to go online again, and the AS configuration is
changed on the parent after the AS goes offline, the AS restarts and then goes online
again.
l After an AS is changed to the independent mode, it is recommended that you just add or
remove the fabric port of the AS to or from a VLAN. If you perform other configurations
on the fabric port, the AS may go offline. For details, see the description of the port
connect independent-as command.
When an AS connects to the parent across a Layer 2 network, pay attention to the
following points
l Automatic AS discovery is not supported, and fabric ports of the parent and AS need to
be manually configured.
l The indirectly-connected fabric port of the parent and configured uplink fabric port of
the AS do not support connection error check. The administrator needs to ensure the
connection correctness of the Eth-Trunk, and the AS can only connect to third-party
network devices through Eth-Trunks in manual load balancing mode.
l The administrator needs to ensure that the downlink fabric port of the parent and the
intermediate Layer 2 network are correctly configured, the SVF management VLAN and
service VLAN between the parent and AS are correctly connected, and the intermediate
network transparently transmits data traffic between the parent and AS. Therefore, the
intermediate network must be a pure Layer 2 network.
l The AS does not support the MAD function because this function requires that third-
party devices support the MAD relay function.
l In centralized forwarding mode, traffic from the network segment where the AS resides
may be forwarded by the intermediate network but not the parent.
l After the AS is configured to work in client mode, the AS can only be manually
configured to return to the standalone mode and must be restarted. If the AS is a stack,
new stack member devices will be automatically configured to work in client mode after
the AS is configured to work in client mode.

Table 9-9 Default SVF configuration

SVF function on the parent Disabled
Authentication for ASs Required
9.6 Setting Up an SVF System
9.6.1 Connecting an AS to the Parent Directly
Context
As shown in Figure 9-5, ASs in an SVF system are classified into level-1 and level-2 ASs.
When connecting ASs to the parent, you can connect a level-1 AS to the parent and then a
level-2 AS to the level-1 AS.
By default, you do not need to configure the ports that connect a level-1 AS to the parent and
a level-2 AS to the level-1 AS because ASs are plug-and-play. You only need to configure
fabric ports that connect the parent to a level-1 AS and a level-1 AS to a level-2 AS.
Figure 9-5 ASs connecting to the parent

CSS
Parent
Require manual
configuration
iStack
Do not need to
Level -1 AS
be configured
Level-2 AS
Before connecting an AS to the parent, complete the following task:
l Powering on the related devices and ensuring that they finish self check successfully
9.6.1.1 Configuring AS Access Parameters on the Parent

The following tasks are performed on the parent. You are advised to perform the tasks in the
following sequence.
9.6.1.1.1 (Optional) Configuring a Parent as a CSS
Context
An SVF system can use a single switch or a CSS of two switches as the parent. Using a CSS
of two switches can provide redundancy for the SVF system, improving reliability of the SVF
system.
NOTE
To ensure high reliability of an SVF system, you are advised to use a CSS of two switches as the parent.
Procedure
Step 1 For the procedure for and notes about configuring a CSS, see "CSS Configuration" in the
S7700&S9700 Series Ethernet Switches Configuration Guide - Device Management
Configuration.
----End
9.6.1.1.2 Enabling the SVF Function on the Parent
Context
Before setting up an SVF system, you must enable the SVF function on the parent, configure
the management VLAN for the SVF system, and configure DHCP on the parent so that the
parent and ASs can set up CAPWAP links.
Procedure
Step 1 Run:
system-view

Step 2 Run:
dhcp enable
DCHP is enabled on the parent.

Step 3 Run:
vlan batch vlan-id
The management VLAN is created for the SVF system. The management VLAN cannot be
configured as VLAN 1 or VLAN 4093.
Step 4 Run:
interface vlanif vlan-id
A VLANIF interface is created and the VLANIF interface view is displayed.

Step 5 Run:
ip address ip-address { mask | mask-length }
An IP address is configured for the VLANIF interface.

This address is used as the source address for setting up a CAPWAP link.
Step 6 Run:
dhcp select interface
The DHCP server function is configured to assign IP addresses from the interface address
pool to clients.
The DHCP server function enables an AS to obtain an IP address from the parent.
dhcp server option 43 ip-address ip-address
The parent is configured to send its IP address in the Option 43 field to an AS.
The parent can send its IP address in the Option 43 field to an AS. The IP address must be the
same as that configured in step 5.
If the Option 43 field is not configured, an AS obtains the IP address of the parent in
broadcast mode. If the Option 43 field is configured, an AS sets up a CAPWAP link with only
a specified IP address, and does not obtain the IP address of the parent in broadcast mode.
NOTE
To improve service reliability, you are advised to configure the parent to send its IP address in the Option 43
field to an AS.
Step 8 Run:
quit
Exit from the VLANIF interface view.

Step 9 Run:
capwap source interface vlanif vlan-id
The source interface on which the parent sets up a CAPWAP link with an AS is configured.
vlan-id must be consistent with that specified in step 4.
NOTE
You are not advised to configure other services except the preceding configurations in the management
VLAN and corresponding VLANIF interface of the SVF system. Otherwise, ASs or APs cannot go online
normally.
If the SVF function is enabled, only one source interface can be configured.
Step 10 Run:
authentication unified-mode
The NAC configuration mode is set to unified mode.

By default, the NAC configuration mode is unified mode.
When enabling the SVF function, ensure that the current and next startup NAC configuration
modes are the unified mode. You can run the display authentication mode command to
check the current and next startup NAC configuration modes. If the two modes are the unified
mode, this step is not required. If the modes are not the unified mode, change them to the
unified mode.

NOTE
After changing the NAC configuration mode, save the configuration and then restart the device to make the
configuration take effect.
Step 11 Run:
stp mode { rstp | stp }
The STP working mode is set to STP or RSTP.

By default, the STP working mode is MSTP.
When enabling the SVF function, ensure that the STP working mode is STP or RSTP. You
can run the display stp command to check the current STP working mode. If the mode is STP
or RSTP, ignore this step. If the mode is not STP or RSTP, set the STP working mode to STP
or RSTP.
Step 12 Run:
undo stp pathcost-standard
The default STP/RSTP port path cost algorithm is restored.

By default, IEEE 802.1t (dot1t) standard is used to calculate the STP/RSTP port path cost.
When enabling the SVF function, ensure that the default STP/RSTP port path cost algorithm
is used. You can run the display stp command to check the current STP/RSTP port path cost
algorithm. If the algorithm is not the default value, restore the default STP/RSTP port path
cost algorithm.
Step 13 Run:
undo bpdu-tunnel stp bridge role provider
The default device role on a transparent transmission network is restored.

By default, a device is a customer on a transparent transmission network.
When enabling the SVF function, ensure that the default device role on a transparent
transmission network is used. You can run the display bpdu-tunnel global config command
to check the current device role. If the default device role is used, ignore this step. If the
default device role is not used, restore the default device role.
Step 14 Run:
undo assign trunk
The default Eth-Trunk specifications are restored.

When enabling the SVF function, ensure that the default Eth-Trunk specifications are used,
including the number of Eth-Trunks and the number of member interfaces in each Eth-Trunk.
You can run the display trunk configuration command to check the default and configured
Eth-Trunk specifications. If they are consistent, ignore this step. If they are inconsistent,
restore the default Eth-Trunk specifications.
NOTE
After changing the Eth-Trunk specifications, save the configuration and then restart the device to make the
After the SVF function is enabled, changing the Eth-Trunk specifications is not allowed.
Step 15 Run:
undo stp process process-id
The MSTP process with a specified ID is deleted.

You can run the display current-configuration command to check whether the MSTP
process configuration exists. If so, perform this step to delete the configuration. If not, ignore
this step.
Step 16 Run:
aaa
The AAA view is displayed.
Step 17 Run:
service-scheme service-scheme-name
The service scheme view is displayed.
Step 18 Run:
undo remote-authorize
Remote authorization is disabled.
By default, remote authorization is not configured.
When enabling the SVF function, ensure that remote authorization is not configured. You can
run the display current-configuration command to check whether remote authorization is
configured. If remote authorization is not configured, ignore this step. If remote authorization
is configured, disable remote authorization.
Step 19 Run:
quit
Exit from the service scheme view.
Step 20 Run:
quit
Exit from the AAA view.
Step 21 Run:
uni-mng
The SVF function is enabled and the uni-mng view is displayed.
By default, SVF is disabled.

topology explore [ interval interval ]
The interval for collecting SVF network topology information is set.
By default, the interval for collecting SVF network topology information is 10 minutes. If
interval interval is not specified, SVF network topology collection is triggered immediately.
You can adjust the interval for collecting SVF network topology information based on SVF
network stability. When the network topology is stable, you can increase the interval or
disable periodic topology information collection. When the network topology is unstable, you
can shorten the interval.
----End
9.6.1.1.3 Configuring a Fabric Port That Connects the Parent to a Level-1 AS

Context
The parent connects to an AS through a fabric port. The parent-side fabric port needs to be
manually configured, while the AS-side fabric port is auto-negotiated between the AS and
parent.
A fabric port must be bound to an Eth-Trunk. Before binding a fabric port to an Eth-Trunk,
ensure that the Eth-Trunk is not created.
Procedure
Step 1 Run:
system-view

Step 2 Run:
uni-mng
The uni-mng view is displayed.

Step 3 Run:
interface fabric-port port-id
A fabric port is created and the fabric port view is displayed.

A maximum of 64 fabric ports can be created.
Step 4 Run:
port member-group interface eth-trunk trunk-id
The fabric port is bound to an Eth-Trunk.

A fabric port can be bound to only the Eth-Trunk that has not been created. When a fabric
port is bound to an Eth-Trunk, the system creates the Eth-Trunk.
description description
The description of a fabric port is configured.

By default, a fabric port does not have a description.
To facilitate fabric port management and identification, you can configure descriptions for
fabric ports. For example, you can describe the name of an AS that connects to a fabric port.
Step 6 Run:
quit
Exit from the fabric port view.

Step 7 Run:
quit
Exit from the uni-mng view.

Step 8 Run:

Step 9 Run:
eth-trunk trunk-id
The current interface is added to the Eth-Trunk.
You can perform steps 8 and 9 multiple times to add multiple interfaces to an Eth-Trunk.
After an Eth-Trunk is bound to a fabric port, the configuration of the Eth-Trunk will be
automatically generated according to the services configured on the AS to which the Eth-
Trunk is connected. For this reason, the Eth-Trunk interface view cannot be displayed.
NOTE
Before removing an Up member port from a fabric port, run the shutdown command in the interface view to
shut down the member port.
When a port joins a downlink fabric port of the parent, the port enters the blocking state. When the port
negotiates with the peer port successfully, the port is unblocked.
----End

l Run the display uni-mng interface fabric-port configuration [ parent | as name as-
name ] command to check the fabric port configuration.
l Run the display uni-mng interface fabric-port [ port-id ] state command to check the
fabric port status.
9.6.1.1.4 Pre-configuring an AS Name
Context
You can configure a name for an AS and use the name to uniquely identify the AS. This
configuration facilitates AS identification and management.
If no AS name is configured, system default name-device MAC address is used as the AS

name after the AS connects to an SVF system.
Procedure
Step 1 Run:
system-view
Step 2 Run:
uni-mng
Step 3 Run:
as name as-name model as-model mac-address mac-address
An AS name is configured.
By default, an AS uses its system default name-device MAC address as its name after going
online.

NOTE
l Ensure that the model as-model and mac-address mac-address settings are consistent with the actual
settings.
l If no AS name is pre-configured before an AS goes online, you can also run this command to modify the
AS name after an AS goes online. In this situation, the AS must meet the following conditions:
1. The AS is not bound to any service profile.
2. The AS is not added to any AS group.
3. Ports of the AS are not added to any port group.
----End
9.6.1.1.5 (Optional) Configuring the Fabric Port That Connects a Level-1 AS to a Level-2
AS
Context
When a level-1 AS needs to connect to a level-2 AS, you need to configure a fabric port on
the level-1 AS to connect to the level-2 AS. A downlink port of a level-1 AS becomes Up
only after the parent finishes delivering the configuration. A level-2 AS begins to go online
only after the downlink port of the level-1 AS becomes Up.
Procedure
Step 1 Run:
system-view
Step 2 Run:
uni-mng
Step 3 Run:
as name as-name
The AS view is displayed.
Step 4 Run:
down-direction fabric-port port-id member-group interface eth-trunk trunk-id
The fabric port that connects a level-1 AS to a level-2 AS is configured.
trunk-id specifies the Eth-Trunk to which the fabric port is bound.
Step 5 Run:
port eth-trunk trunk-id trunkmember interface interface-type interface-number1
[ to interface-number2 ]
Member ports are added to the Eth-Trunk to which the fabric port is bound.
Only downlink ports of the level-1 AS can be added to the Eth-Trunk.

NOTE
Before removing an Up member port from a fabric port, you must run the shutdown interface interface-type
interface-number command in the AS view to shut down the member port.
When a port joins a downlink fabric port of a level-1 AS, the port enters the blocking state. When the port
----End
9.6.1.1.6 Configuring AS Access Authentication
Context
An AS needs to be authenticated before connecting to an SVF system by default. An AS is
authenticated using a blacklist or whitelist. An AS in the blacklist cannot connect to an SVF
system, but an AS in the whitelist can connect to an SVF system. An AS that is neither in the
blacklist nor in the whitelist fails the authentication. You can run the confirm { all | mac-
address mac-address } command to allow all ASs or a specified AS to pass the
authentication.
You can also configure no authentication for ASs. In this situation, an AS can connect to an
SVF system regardless of whether it is in a blacklist or whitelist. Non-authentication has
security risks, while authentication is recommended.
Procedure
l Configure authentication when an AS connects to an SVF system.
a. Run:
system-view

b. Run:
as-auth
The AS authentication view is displayed.

c. Run:
undo auth-mode
Authentication is configured when an AS connects to an SVF system.

By default, authentication is required when an AS connects to an SVF system.
d. Run:
blacklist mac-address mac-address1 [ to mac-address2 ]
The blacklist for AS authentication is configured. A maximum of 128 MAC

addresses can be added to the blacklist.
e. Run:
whitelist mac-address mac-address1 [ to mac-address2 ]
The whitelist for AS authentication is configured. A maximum of 512 MAC

addresses can be added to the whitelist.
If there are ASs that are neither in the whitelist nor in the blacklist, you can run the
confirm { all | mac-address mac-address } command to allow all ASs or a
specified AS to pass the authentication.

l Configure no authentication when an AS connects to an SVF system.

a. Run:
system-view

b. Run:
as-auth

c. Run:
auth-mode none
No authentication is required when an AS connects to an SVF system.

----End

l Run the display as blacklist command to check the AS blacklist.
l Run the display as whitelist command to check the AS whitelist.
l Run the display as unauthorized record command to check the ASs that fail the
authentication.
9.6.1.1.7 (Optional) Configuring CAPWAP Tunnel Encryption
Context
The parent and an AS transmit management packets through a CAPWAP tunnel. To ensure
tunnel confidentiality and security, you can use Datagram Transport Layer Security (DTLS) to
encrypt packets transmitted in the CAPWAP tunnel.
The parent and AS encrypt packets transmitted in the CAPWAP tunnel using the pre-shared
key. That is, a key is pre-configured on the parent and AS. When the pre-shared keys of the
parent and AS are the same, the parent and AS can negotiate successfully and set up a
CAPWAP tunnel.
NOTE
The parent and an AS cannot support the HA and CAPWAP tunnel DTLS encryption functions
simultaneously. If the two functions are enabled simultaneously, the AS waits until the original CAPWAP
tunnel ages before it can re-establish a CAPWAP tunnel when an active/standby switchover occurs on the
parent, causing service interruption. When an active/standby switchover occurs on the AS, the AS needs to
re-establish a link and go online again, causing service interruption. Therefore, you are advised to disable
CAPWAP tunnel DTLS encryption in a networking with the HA function.
Procedure
l Configure a pre-shared key on the parent.
a. Run:
system-view

b. Run:

capwap dtls psk psk-value
A pre-shared key is configured on the parent.
The default pre-shared key for DTLS encryption is huawei_seccwp.

c. (Optional) Run:
capwap dtls psk-mandatory-match enable
An AS is allowed to establish a DTLS session with the parent using the default pre-
shared key.
By default, an AS uses the default pre-shared key to establish a DTLS session with
the parent.
When an AS is allowed to establish a DTLS session with the parent using the
default pre-shared key, the AS first uses the pre-shared key configured using the as
access dtls psk psk-value command to establish a DTLS session with the parent. If
the DTLS session cannot be established, the AS uses the default pre-shared key to
establish a DTLS session with the parent (it also uses the default pre-shared key).
d. Run:
capwap dtls control-link encrypt
CAPWAP tunnel DTLS encryption is enabled.
By default, CAPWAP tunnel DTLS encryption is disabled.
NOTE
When the parent switches the status of CAPWAP tunnel DTLS encryption, ASs connected to the
parent will restart.
When an AS is being upgraded, the parent cannot switch the status of CAPWAP tunnel DTLS
encryption.
l Configure a pre-shared key on an AS.
a. Run:
as access dtls psk psk-value
A pre-shared key is configured on an AS.
NOTE
When CAPWAP tunnel DTLS encryption is enabled on the parent and an AS has connected to the
parent, the pre-shared key is automatically delivered to the AS if the pre-shared key is modified
on the parent. You are advised not to repeatedly modify the pre-shared key in 10 minutes.
----End
9.6.1.1.8 (Optional) Pre-configuring the Stack ID for an AS
Context
When an AS is a stack of multiple member switches, the system pre-configures only stack ID
0 by default. You can only pre-configure services for the member switch with stack ID 0.
Before pre-configuring services for another member switch, pre-configure a stack ID for the
member switch.

The pre-configured stack ID does not affect the actual stack ID. For example, the pre-
configured stack ID is 0 (default value), but the actual stack IDs are 0 and 2. The actual stack
IDs remain 0 and 2 except that no services are configured on the device with stack ID 2.
NOTE
If an AS is a single device but its stack ID is not 0 and no stack ID is configured on the parent, the parent
changes the stack ID of the AS to 0 and restarts the AS when the AS connects to the parent.
Procedure
Step 1 Run:
system-view
Step 2 Run:
uni-mng
Step 3 Run:
as name as-name
Step 4 Run:
slot slot-id1 [ to slot-id2 ]
A stack ID is pre-configured for the AS.
By default, the pre-configured stack ID is 0.
----End
9.6.1.1.9 (Optional) Enabling ASs to Automatically Upgrade After Going Online
Context
During online automatic upgrade, an AS checks whether its software version is consistent
with that of the parent. If not, the AS searches for and downloads the system software from
the parent to upgrade its software version.
The AS first searches for the software version with the same V, R, C, and SPC versions as the
parent. If such version is unavailable, the AS searches for the software version with the same
V, R, and C versions as the parent and selects the one with the latest SPC version. If no
version meets the preceding requirements, the AS does not upgrade its software version.
Additionally, a version upgrade failure alarm is generated when the AS runs a software
version with a different V, R, or C version than the parent.
NOTE
l The files used to upgrade an AS must be saved in the root directory unimng/ of the parent.
l To upgrade an AS, you must configure the FTP or SFTP server function on the parent so that the AS can
download the related upgrade files from the parent.

Procedure
Step 1 Run:
system-view
Step 2 Run:
uni-mng
Step 3 Run:
upgrade { local-ftp-server | local-sftp-server } username username password
password
The local file server is configured.
By default, no local file server is configured on the parent.
NOTE
l If the local file server is not configured, an AS cannot download upgrade files from the parent and so
cannot be upgraded.
l FTP has potential security risks, and so SFTP is recommended. If you want to use FTP, you are advised to
configure ACLs to improve security. For details, see Configure the FTP ACL.
l When the file server is an FTP server, the FTP service is automatically enabled and an FTP user is created
on the parent, removing the need to perform the FTP configuration. If the same user name has been
configured on the parent but the access type is not FTP, the system changes the access type of the user
name to FTP.
l When the file server type is set to SFTP, the SFTP service is not automatically enabled and no SFTP user
is created on the parent. You need to manually pre-configure SFTP on the parent.
For more details about the SFTP configuration, see "File Management" in the S7700 and S9700 Series
Switches Configuration Guide - Basic Configuration.
l After the upgrade { local-ftp-server | local-sftp-server } command is executed, the same user name and
password configuration is also generated in the AAA view. If you modify the configured local user
information (the user password for example) in AAA view, the version management function does not
take effect.
l If information about a user already exists in the AAA view, running this command to create the same user
will change the user password in the AAA view to the configured password and change the user level to
level 3. Changing the user password is allowed only when the user level of the user running this
command is higher or equal to the user level configured in the AAA view. Otherwise, the command does
not take effect.
l Running this command multiple times to create new users will delete previous user information. Previous
user information can be deleted only when the user level of the user running this command is higher or
equal to the user level configured in the AAA view. Otherwise, the command does not take effect.

as type as-type { system-software system-software | patch patch } *
Files to be loaded on an AS of the specified type are specified.
If files to be loaded on an AS are specified, the AS downloads the specified files when
connecting to an SVF system without searching for the upgrade files, even though the
matching system software version exists on the parent.
----End

9.6.1.2 Configuring Access Parameters on an AS
All the following tasks are performed on an AS according to networking requirements.
9.6.1.2.1 (Optional) Configuring an AS as a Stack
Context
In an SVF system, an AS can be a single switch or a stack of multiple switches. If an AS
needs to be configured as a stack, you must configure the stack on the AS and then connect
the AS to the SVF system.
Configuring an AS as a stack is optional. If no stack is required, skip this step.
NOTE
l An AS contains a maximum of three stack member switches of which the stack ID ranges from 0 to 2. If
the number of member switches exceeds 3 or the stack ID is larger than 2, the AS cannot go online to
connect to the SVF system.
l When a new member switch needs to join an AS that has connected to the SVF system, the switch with
the stack ID larger than 2 restarts repeatedly.
l Stack member switches in an AS must be the same model.
Procedure
Step 1 For the procedure for and notes about configuring a stack, see "Stack Configuration" in the
S7700 and S9700 Series Switches Configuration Guide - Device Management Configuration.
----End
9.6.1.2.2 (Optional) Configuring the Management MAC Address for an AS
Context
In a Super Virtual Fabric (SVF) system, each AS has a unique management MAC address to
identify itself. By default, an AS uses its system MAC address as the management MAC
address to connect to an SVF system. When the management MAC address of an AS conflicts
with that of another AS, you can run the as access manage-mac command to change the
management MAC address so as to prevent MAC address conflicts.
NOTE
Use of this command is not recommended when no MAC address conflict occurs.
When an AS is a stack of multiple devices:

l Before connecting an AS with the pre-configured name and MAC address to an SVF
system, you are advised to set up a stack for the AS and then configure the management
MAC address to be the same as the pre-configured MAC address.
When pre-configuring the name and MAC address of an AS, configure the MAC address
as the MAC address of the master switch in the stack. In this situation, the AS

management MAC address is the same as the pre-configured MAC address by default,
and no management MAC address needs to be configured.
l If the AS name and MAC address are configured after the AS connects to an SVF
system, the management MAC address does not need to be configured.
Procedure
Step 1 Run:
as access manage-mac mac-address
The AS management MAC address is configured.
By default, an AS uses the system MAC address as the management MAC address.
NOTE
This command can be used only before an AS connects an SVF system. If an AS has connected to an SVF
system, use of this command is not allowed.
----End
9.6.1.3 Connecting an AS to the Parent
Context
After the software configurations are complete, clear the AS configuration, restart the AS, and
then connect the AS and parent using cables. The AS then can connect to an SVF system.
NOTE
l An AS can connect to an SVF system only when it has no configuration file or input on the console port.
l If a device functions as a VLAN Central Management Protocol (VCMP) client and has synchronized
VLANs before connecting to an SVF system, you must run the reset vcmp command to clear VCMP
information and restart the device. In this manner, the device can function as an AS to connect to the SVF
system.
l Configuring the software and connecting cables can be performed in any sequence. That is, you can also
connect cables before configuring the software.
Procedure
l Run the display as { all | name as-name | mac-address mac-address | vpn-instance
information } command on the parent to check AS information.
l Run the display as { name as-name | mac-address mac-address } run-info command
on the parent to check the AS running status.
l Run the display uni-mng topology information [ by-name ] command on the parent to
check SVF network topology information.
----End
9.6.2 Connecting an AS to the Parent Through a Network

Context
As shown in Figure 9-6, when ASs connect to an SVF system through a Layer 2 network,
only level-1 ASs are supported and APs can connect to ASs.
The fabric-port that connects the parent to an AS through a Layer 2 network is called an
indirectly connected fabric port. Indirectly connected fabric ports on the parent and fabric
ports that connect ASs to an SVF system need to be manually configured.
Figure 9-6 ASs connecting to the parent through a network
CSS
Parent
Require manual
Layer2
Network
configuration
iStack
Level-1 AS
AP
Before connecting an AS to the parent through a network, complete the following task:
l Powering on the related devices and ensuring that they finish self check successfully
9.6.2.1 Configuring AS Access Parameters on the Parent
The following tasks are performed on the parent. You are advised to perform the tasks in the
following sequence.
9.6.2.1.1 (Optional) Configuring a Parent as a CSS
Context
An SVF system can use a single switch or a CSS of two switches as the parent. Using a CSS
of two switches can provide redundancy for the SVF system, improving reliability of the SVF
system.
NOTE
To ensure high reliability of an SVF system, you are advised to use a CSS of two switches as the parent.

Procedure
Step 1 For the procedure for and notes about configuring a CSS, see "CSS Configuration" in the
S7700&S9700 Series Ethernet Switches Configuration Guide - Device Management
Configuration.
----End
9.6.2.1.2 Enabling the SVF Function on the Parent
Context
Before setting up an SVF system, you must enable the SVF function on the parent, configure
the management VLAN for the SVF system, and configure DHCP on the parent so that the
parent and ASs can set up CAPWAP links.
Procedure
Step 1 Run:
system-view

Step 2 Run:
dhcp enable
DCHP is enabled on the parent.

Step 3 Run:
vlan batch vlan-id
The management VLAN is created for the SVF system. The management VLAN cannot be
configured as VLAN 1 or VLAN 4093.
Step 4 Run:
interface vlanif vlan-id
A VLANIF interface is created and the VLANIF interface view is displayed.

Step 5 Run:
ip address ip-address { mask | mask-length }
An IP address is configured for the VLANIF interface.

This address is used as the source address for setting up a CAPWAP link.
Step 6 Run:
The DHCP server function is configured to assign IP addresses from the interface address
pool to clients.
The DHCP server function enables an AS to obtain an IP address from the parent.
dhcp server option 43 ip-address ip-address
The parent is configured to send its IP address in the Option 43 field to an AS.

The parent can send its IP address in the Option 43 field to an AS. The IP address must be the
same as that configured in step 5.
If the Option 43 field is not configured, an AS obtains the IP address of the parent in
broadcast mode. If the Option 43 field is configured, an AS sets up a CAPWAP link with only
a specified IP address, and does not obtain the IP address of the parent in broadcast mode.
NOTE
To improve service reliability, you are advised to configure the parent to send its IP address in the Option 43
field to an AS.
Step 8 Run:
quit
Exit from the VLANIF interface view.

Step 9 Run:
capwap source interface vlanif vlan-id
The source interface on which the parent sets up a CAPWAP link with an AS is configured.
vlan-id must be consistent with that specified in step 4.
NOTE
You are not advised to configure other services except the preceding configurations in the management
VLAN and corresponding VLANIF interface of the SVF system. Otherwise, ASs or APs cannot go online
normally.
If the SVF function is enabled, only one source interface can be configured.
Step 10 Run:
authentication unified-mode
The NAC configuration mode is set to unified mode.

By default, the NAC configuration mode is unified mode.
When enabling the SVF function, ensure that the current and next startup NAC configuration
modes are the unified mode. You can run the display authentication mode command to
check the current and next startup NAC configuration modes. If the two modes are the unified
mode, this step is not required. If the modes are not the unified mode, change them to the
unified mode.
NOTE
After changing the NAC configuration mode, save the configuration and then restart the device to make the
Step 11 Run:
stp mode { rstp | stp }
The STP working mode is set to STP or RSTP.

By default, the STP working mode is MSTP.
When enabling the SVF function, ensure that the STP working mode is STP or RSTP. You
can run the display stp command to check the current STP working mode. If the mode is STP
or RSTP, ignore this step. If the mode is not STP or RSTP, set the STP working mode to STP
or RSTP.
Step 12 Run:
undo stp pathcost-standard

The default STP/RSTP port path cost algorithm is restored.

By default, IEEE 802.1t (dot1t) standard is used to calculate the STP/RSTP port path cost.
When enabling the SVF function, ensure that the default STP/RSTP port path cost algorithm
is used. You can run the display stp command to check the current STP/RSTP port path cost
algorithm. If the algorithm is not the default value, restore the default STP/RSTP port path
cost algorithm.
Step 13 Run:
undo bpdu-tunnel stp bridge role provider
The default device role on a transparent transmission network is restored.

By default, a device is a customer on a transparent transmission network.
When enabling the SVF function, ensure that the default device role on a transparent
transmission network is used. You can run the display bpdu-tunnel global config command
to check the current device role. If the default device role is used, ignore this step. If the
default device role is not used, restore the default device role.
Step 14 Run:
undo assign trunk
The default Eth-Trunk specifications are restored.

When enabling the SVF function, ensure that the default Eth-Trunk specifications are used,
including the number of Eth-Trunks and the number of member interfaces in each Eth-Trunk.
You can run the display trunk configuration command to check the default and configured
Eth-Trunk specifications. If they are consistent, ignore this step. If they are inconsistent,
restore the default Eth-Trunk specifications.
NOTE
After changing the Eth-Trunk specifications, save the configuration and then restart the device to make the
After the SVF function is enabled, changing the Eth-Trunk specifications is not allowed.
Step 15 Run:
undo stp process process-id
The MSTP process with a specified ID is deleted.

You can run the display current-configuration command to check whether the MSTP
process configuration exists. If so, perform this step to delete the configuration. If not, ignore
this step.
Step 16 Run:
aaa
The AAA view is displayed.

Step 17 Run:
service-scheme service-scheme-name
The service scheme view is displayed.

Step 18 Run:
undo remote-authorize
Remote authorization is disabled.

By default, remote authorization is not configured.

When enabling the SVF function, ensure that remote authorization is not configured. You can
run the display current-configuration command to check whether remote authorization is
configured. If remote authorization is not configured, ignore this step. If remote authorization
is configured, disable remote authorization.
Step 19 Run:
quit
Exit from the service scheme view.

Step 20 Run:
quit
Exit from the AAA view.

Step 21 Run:
uni-mng
The SVF function is enabled and the uni-mng view is displayed.

By default, SVF is disabled.
topology explore [ interval interval ]
The interval for collecting SVF network topology information is set.

By default, the interval for collecting SVF network topology information is 10 minutes. If
interval interval is not specified, SVF network topology collection is triggered immediately.
You can adjust the interval for collecting SVF network topology information based on SVF
network stability. When the network topology is stable, you can increase the interval or
disable periodic topology information collection. When the network topology is unstable, you
can shorten the interval.
----End
9.6.2.1.3 Configuring a Fabric Port That Connects the Parent to an AS Through a

Network
Context
The parent connects to an AS through a fabric port. When they connect through a network,
you must configure the indirect connection mode for the fabric port.
A fabric port must be bound to an Eth-Trunk. Before binding a fabric port to an Eth-Trunk,
ensure that the Eth-Trunk is not created.
Procedure
Step 1 Run:
system-view

Step 2 Run:

uni-mng
Step 3 Run:
interface fabric-port port-id
A fabric port is created and the fabric port view is displayed.
A maximum of 64 fabric ports can be created.
Step 4 Run:
port connect-type indirect
The indirect connection mode is configured for the fabric port.
The default connection mode of a fabric port is direct connection.
Step 5 Run:
port member-group interface eth-trunk trunk-id
The fabric port is bound to an Eth-Trunk.
A fabric port can be bound to only the Eth-Trunk that has not been created. When a fabric
port is bound to an Eth-Trunk, the system creates the Eth-Trunk.

description description
The description of the fabric port is configured.
By default, a fabric port does not have a description.
To facilitate fabric port management and identification, you can configure descriptions for
fabric ports. For example, you can describe the name of an AS that connects to a fabric port.
Step 7 Run:
quit
Exit from the fabric port view.
Step 8 Run:
quit
Exit from the uni-mng view.
Step 9 Run:
interface eth-trunk trunk-id
The Eth-Trunk interface view is displayed. The Eth-Trunk is the one bound in step 5.
Step 10 Run:
The link type of the Eth-Trunk is set to hybrid.
Step 11 Run:
port hybrid tagged vlan vlan-id
The hybrid interface is added to a specified VLAN. The VLAN is the management VLAN
configured on the parent.

Step 12 Run:
stp root-protection
Root protection is enabled.

mode lacp
The Eth-Trunk is configured to work in LACP mode.
NOTE
The Eth-Trunk working mode configuration must be consistent on the member port in the indirectly
connected fabric port of the parent and the Layer 2 network port connected to the member port. If the Eth-
Trunk working mode on the Layer 2 network port is set to LACP, the Eth-Trunk working mode on the
member port must also be set to LACP.
Step 14 Run:
quit
The Eth-Trunk interface view is displayed.

Step 15 Run:

Step 16 Run:
eth-trunk trunk-id
The current interface is added to the Eth-Trunk.

You can perform steps 15 and 16 multiple times to add multiple interfaces to an Eth-Trunk.
NOTE
Before removing an Up member port from a fabric port, run the shutdown command in the interface view to
shut down the member port.
When a port joins a downlink fabric port of the parent, the port enters the blocking state. When the port
----End

l Run the display uni-mng interface fabric-port configuration [ parent | as name as-
name ] command to check the fabric port configuration.
l Run the display uni-mng interface fabric-port [ port-id ] state command to check the
fabric port status.
9.6.2.1.4 Pre-configuring an AS Name
Context
You can configure a name for an AS and use the name to uniquely identify the AS. This
configuration facilitates AS identification and management.
If no AS name is configured, system default name-device MAC address is used as the AS
name after the AS connects to an SVF system.

Procedure
Step 1 Run:
system-view

Step 2 Run:
uni-mng

Step 3 Run:
as name as-name model as-model mac-address mac-address
An AS name is configured.
By default, an AS uses its system default name-device MAC address as its name after going
online.
NOTE
l Ensure that the model as-model and mac-address mac-address settings are consistent with the actual
settings.
l If no AS name is pre-configured before an AS goes online, you can also run this command to modify the
AS name after an AS goes online. In this situation, the AS must meet the following conditions:
1. The AS is not bound to any service profile.
2. The AS is not added to any AS group.
3. Ports of the AS are not added to any port group.
----End
9.6.2.1.5 Configuring AS Access Authentication
Context
An AS needs to be authenticated before connecting to an SVF system by default. An AS is
authenticated using a blacklist or whitelist. An AS in the blacklist cannot connect to an SVF
system, but an AS in the whitelist can connect to an SVF system. An AS that is neither in the
blacklist nor in the whitelist fails the authentication. You can run the confirm { all | mac-
address mac-address } command to allow all ASs or a specified AS to pass the
authentication.
You can also configure no authentication for ASs. In this situation, an AS can connect to an
SVF system regardless of whether it is in a blacklist or whitelist. Non-authentication has
security risks, while authentication is recommended.
Procedure
l Configure authentication when an AS connects to an SVF system.
a. Run:
system-view

b. Run:
as-auth


c. Run:
undo auth-mode
Authentication is configured when an AS connects to an SVF system.

d. Run:
blacklist mac-address mac-address1 [ to mac-address2 ]
The blacklist for AS authentication is configured. A maximum of 128 MAC

addresses can be added to the blacklist.
e. Run:
whitelist mac-address mac-address1 [ to mac-address2 ]
The whitelist for AS authentication is configured. A maximum of 512 MAC

addresses can be added to the whitelist.
If there are ASs that are neither in the whitelist nor in the blacklist, you can run the
confirm { all | mac-address mac-address } command to allow all ASs or a
specified AS to pass the authentication.
l Configure no authentication when an AS connects to an SVF system.
a. Run:
system-view

b. Run:
as-auth

c. Run:
auth-mode none
No authentication is required when an AS connects to an SVF system.

----End

l Run the display as blacklist command to check the AS blacklist.
l Run the display as whitelist command to check the AS whitelist.
l Run the display as unauthorized record command to check the ASs that fail the
authentication.
9.6.2.1.6 (Optional) Configuring CAPWAP Tunnel Encryption
Context
The parent and an AS transmit management packets through a CAPWAP tunnel. To ensure
tunnel confidentiality and security, you can use Datagram Transport Layer Security (DTLS) to
encrypt packets transmitted in the CAPWAP tunnel.

The parent and AS encrypt packets transmitted in the CAPWAP tunnel using the pre-shared
key. That is, a key is pre-configured on the parent and AS. When the pre-shared keys of the
parent and AS are the same, the parent and AS can negotiate successfully and set up a
CAPWAP tunnel.
NOTE
The parent and an AS cannot support the HA and CAPWAP tunnel DTLS encryption functions
simultaneously. If the two functions are enabled simultaneously, the AS waits until the original CAPWAP
tunnel ages before it can re-establish a CAPWAP tunnel when an active/standby switchover occurs on the
parent, causing service interruption. When an active/standby switchover occurs on the AS, the AS needs to
re-establish a link and go online again, causing service interruption. Therefore, you are advised to disable
CAPWAP tunnel DTLS encryption in a networking with the HA function.
Procedure
l Configure a pre-shared key on the parent.
a. Run:
system-view

b. Run:
capwap dtls psk psk-value
A pre-shared key is configured on the parent.

c. (Optional) Run:
capwap dtls psk-mandatory-match enable
An AS is allowed to establish a DTLS session with the parent using the default pre-
shared key.
By default, an AS uses the default pre-shared key to establish a DTLS session with
the parent.
When an AS is allowed to establish a DTLS session with the parent using the
default pre-shared key, the AS first uses the pre-shared key configured using the as
access dtls psk psk-value command to establish a DTLS session with the parent. If
the DTLS session cannot be established, the AS uses the default pre-shared key to
establish a DTLS session with the parent (it also uses the default pre-shared key).
d. Run:
capwap dtls control-link encrypt
CAPWAP tunnel DTLS encryption is enabled.

By default, CAPWAP tunnel DTLS encryption is disabled.
NOTE
When the parent switches the status of CAPWAP tunnel DTLS encryption, ASs connected to the
parent will restart.
When an AS is being upgraded, the parent cannot switch the status of CAPWAP tunnel DTLS
encryption.
l Configure a pre-shared key on an AS.
a. Run:
as access dtls psk psk-value

A pre-shared key is configured on an AS.
NOTE
When CAPWAP tunnel DTLS encryption is enabled on the parent and an AS has connected to the
parent, the pre-shared key is automatically delivered to the AS if the pre-shared key is modified
on the parent. You are advised not to repeatedly modify the pre-shared key in 10 minutes.
----End
9.6.2.1.7 (Optional) Pre-configuring a Stack ID for an AS
Context
When an AS is a stack of multiple member switches, the system pre-configures only stack ID
0 by default. You can only pre-configure services for the member switch with stack ID 0.
Before pre-configuring services for another member switch, pre-configure a stack ID for the
member switch.
The pre-configured stack ID does not affect the actual stack ID. For example, the pre-
configured stack ID is 0 (default value), but the actual stack IDs are 0 and 2. The actual stack
IDs remain 0 and 2 except that no services are configured on the device with stack ID 2.
NOTE
When an AS connects to an SVF system across a network, the parent does not change the slot ID of the AS to
0 if the AS is a standalone device and has no stack ID pre-configured on the parent. When the slot ID of the
AS is valid (the slot ID is 1 or 2), the AS can join the SVF system and the configuration related to the slot ID
is automatically generated on the parent. When the slot ID of the AS is invalid (the slot ID is larger than 2),
the AS cannot join the SVF system.
Procedure
Step 1 Run:
system-view
Step 2 Run:
uni-mng
Step 3 Run:
as name as-name
Step 4 Run:
slot slot-id1 [ to slot-id2 ]
A stack ID is pre-configured for the AS.
By default, the pre-configured stack ID is 0.
----End

9.6.2.1.8 (Optional) Enabling ASs to Automatically Upgrade After Going Online
Context
During online automatic upgrade, an AS checks whether its software version is consistent
with that of the parent. If not, the AS searches for and downloads the system software from
the parent to upgrade its software version.
The AS first searches for the software version with the same V, R, C, and SPC versions as the
parent. If such version is unavailable, the AS searches for the software version with the same
V, R, and C versions as the parent and selects the one with the latest SPC version. If no
version meets the preceding requirements, the AS does not upgrade its software version.
Additionally, a version upgrade failure alarm is generated when the AS runs a software
version with a different V, R, or C version than the parent.
NOTE
Procedure
Step 1 Run:
system-view

Step 2 Run:
uni-mng

Step 3 Run:
password


NOTE
cannot be upgraded.
name to FTP.
take effect.
not take effect.

If files to be loaded on an AS are specified, the AS downloads the specified files when
connecting to an SVF system without searching for the upgrade files, even though the
matching system software version exists on the parent.
----End
9.6.2.2 Configuring Access Parameters on an AS
All the following tasks are performed on an AS according to networking requirements.
9.6.2.2.1 (Optional) Configuring an AS as a Stack
Context
In an SVF system, an AS can be a single switch or a stack of multiple switches. If an AS
needs to be configured as a stack, you must configure the stack on the AS and then connect
the AS to the SVF system.
Configuring an AS as a stack is optional. If no stack is required, skip this step.

NOTE
l An AS contains a maximum of three stack member switches of which the stack ID ranges from 0 to 2. If
the number of member switches exceeds 3 or the stack ID is larger than 2, the AS cannot go online to
connect to the SVF system.
l When a new member switch needs to join an AS that has connected to the SVF system, the switch with
the stack ID larger than 2 restarts repeatedly.
l Stack member switches in an AS must be the same model.
Procedure
Step 1 For the procedure for and notes about configuring a stack, see "Stack Configuration" in the
S7700 and S9700 Series Switches Configuration Guide - Device Management Configuration.
----End
9.6.2.2.2 (Optional) Configuring the Management MAC Address for an AS
Context
In a Super Virtual Fabric (SVF) system, each AS has a unique management MAC address to
identify itself. By default, an AS uses its system MAC address as the management MAC
address to connect to an SVF system. When the management MAC address of an AS conflicts
with that of another AS, you can run the as access manage-mac command to change the
management MAC address so as to prevent MAC address conflicts.
NOTE
Use of this command is not recommended when no MAC address conflict occurs.
When an AS is a stack of multiple devices:

l Before connecting an AS with the pre-configured name and MAC address to an SVF
system, you are advised to set up a stack for the AS and then configure the management
MAC address to be the same as the pre-configured MAC address.
When pre-configuring the name and MAC address of an AS, configure the MAC address
as the MAC address of the master switch in the stack. In this situation, the AS
management MAC address is the same as the pre-configured MAC address by default,
and no management MAC address needs to be configured.
l If the AS name and MAC address are configured after the AS connects to an SVF
system, the management MAC address does not need to be configured.
Procedure
Step 1 Run:
as access manage-mac mac-address
The AS management MAC address is configured.

By default, an AS uses the system MAC address as the management MAC address.
NOTE
This command can be used only before an AS connects an SVF system. If an AS has connected to an SVF
system, use of this command is not allowed.
----End

9.6.2.2.3 Configuring a Management VLAN and Fabric Port for an AS
Context
When an AS connects to an SVF system through a Layer 2 network, you must configure the
device to work in client mode, configure a management VLAN and an uplink fabric port for
the AS, and add member ports to the fabric port.
NOTE
l The management VLAN of the AS must be consistent with the management VLAN configured on the
parent.
l The VCMP role switching command is mutually exclusive with the command that configures a device to
work in client mode. If the current device is not a silent switch in a VCMP domain, the device cannot be
configured to work in client mode. You must run the vcmp role silent command in the system view to set
the VCMP role of the device to silent. After a device is configured to work in client mode, the VCMP
role switching command cannot be executed. That is, the device cannot change from the silent role to
another role.
l The command that configures the stack ID is mutually exclusive with the command that configures a
member port for a fabric port:
l After the stack slot slot-id renumber new-slot-id command is executed in a specified slot, the port
in the slot cannot be configured as a member port of a fabric port.
l After a port in a slot is configured as a member port of a fabric port, the stack ID of the slot cannot
be configured using the stack slot slot-id renumber new-slot-id command.
l You need to configure a member port of a fabric port according to the network configuration. A member
port needs to be reconfigured if the stack ID changes because the stack changes, for example, the stacking
function is disabled, or existing stack IDs conflict after member devices are added to the stack.
Procedure
Step 1 (Optional) Set the role of the device in a VCMP domain to silent.
1. Run:
system-view

2. Run:
vcmp role silent
The role of the device in a VCMP domain is set to silent.

3. Run:
quit
Exit from the system view.
Step 2 Run:
uni-mng enable mng-vlan vlan-id
The device is configured to work in client mode and a management VLAN is configured.
Step 3 Run:
uni-mng enable fabric-port member interface interface-type interface-number
A member port is configured for the uplink fabric port that connects an AS to the parent
through a network.

By default, no member port is configured for an uplink fabric port that connects an AS to the
parent through a network.
NOTE
l You can run this command multiple times to add multiple member ports to the fabric port. A maximum of
eight member ports can be added to a fabric port.
l Member ports of a fabric port are added to Eth-Trunk0 by default.
l Only AS uplink ports or ports provided by an extended card can be added to uplink fabric ports.
l Ports used to set up a stack cannot be configured as member ports of a fabric port.
Step 4 Clear the AS configuration and restart the AS.
----End
9.6.2.3 Connecting an AS to the Parent
Context
After the software configuration is complete, connect the AS and parent to a Layer 2 network
so that the AS can connect to the SVF system.
NOTE
l An AS can connect to an SVF system only when it has no configuration file or input on the console port.
l Configuring the software and connecting cables can be performed in any sequence. That is, you can also
connect cables before configuring the software.
l The administrator needs to ensure that the downlink fabric port of the parent and the intermediate Layer 2
network are correctly configured, the SVF management VLAN and service VLAN between the parent
and AS are correctly connected, and the intermediate network transparently transmits data traffic between
the parent and AS. Therefore, the intermediate network must be a pure Layer 2 network.
Procedure
----End
9.6.3 Connecting an AP to an AS
Context
In an SVF system, the parent functions as an AC to manage APs in a centralized manner. As
shown in Figure 9-7, APs can connect to the parent, level-1 AS, and level-2 AS.

Figure 9-7 APs connecting to an SVF system
CSS
Parent
Layer2
Level-1 AS Level-1 AS Network
AP
Level-2 AS AP
Level-1 AS
AP
AP
When an AP connects to the parent, the access configuration performed on the parent is the
same as that on an AC. For details about connecting an AP to an AC, see the S7700 and
S9700 Series Switches Configuration Guide - WLAN-AC Configuration.
When an AP needs to connect to an AS, you must add the port that connects the AS to the AP
to an AP port group.
NOTE
l If APs need to connect to an SVF system with an S9700, or S7700 functioning as the parent, X1E cards
must be configured on the parent.
l When an S9700/S7700 functions as the parent and APs connect to a non-X1E card, you must add the non-
X1E card and X1E card of the parent to the same WLAN work group. By default, all interface cards
automatically join the default WLAN work group named default. For details, see Connecting AP to a
Non-X1E Interface Card.
l If an AP has connected to the parent before the SVF function is enabled, the parent cannot collect
topology information about the AP after the uni-mng command is used to enable the SVF function. You
need to run the commit { all | ap ap-id } command in the WLAN view to commit the AP configuration.
Subsequently, the parent can collect topology information about the AP.
Procedure
Step 1 For the procedure for connecting an AS to the parent, see 9.6.1 Connecting an AS to the
Parent Directly or 9.6.2 Connecting an AS to the Parent Through a Network.
Step 2 Run:
system-view
Step 3 Run:
uni-mng

Step 4 Run:
port-group connect-ap name group-name
An AP port group is created and the AP port group view is displayed.
You can create only one AP port group.
Step 5 Add the ports that connect ASs to APs to the AP port group.
l Run:
as name as-name interface { { interface-type interface-number1 [ to interface-
number2 ] } &<1-10> | all }
Ports of the AS with a specified name are added to the AP port group.
l Run:
as name-include string interface all
Ports of ASs of which the name contains a specified string are added to the AP port
group.
Step 6 Run:
quit
Exit from the AP port group view.
Step 7 Run:
commit as { name as-name | all }
The configuration is committed.
Step 8 Other AP connection configurations or service configurations, for example, the AP

authentication mode and AP profiles, are the same as those performed when an AP connects
to an AC. For details, see S7700 and S9700 Series Switches Configuration Guide - WLAN-
AC Configuration.
----End
9.7 Configuring Services for an AS
Context
Two methods are available for delivering service configurations to ASs.
l Service profiles: The configuration on the parent can be delivered to ASs through service
profiles. After service profiles are delivered to an AS, the AS parses and executes the
services configured in the service profiles. The AS service configuration through service
profiles includes two modes: the pre-configured or non-pre-configured mode.
– Pre-configured mode: Before an AS connects to an SVF system, pre-configure
service profiles, bind them to the AS, save the configuration of the parent, and then
run the commit as { name as-name | all } command to commit the configuration.
When the AS connects to the SVF system, the configurations in service profiles are
automatically delivered to the AS.
– Non-pre-configured mode: After an AS connects to an SVF system, configure
service profiles, bind them to the AS, and then run the commit as { name as-name |
all } command to commit the configuration so that the configurations in service
profiles can be delivered to the AS.

l Direct configuration: You can run the direct-command command on the parent to
directly deliver some service configurations to ASs.
9.7.1 (Optional) Configuring the Forwarding Mode for an SVF

System
Context
An SVF system has two packet forwarding modes:
l In centralized forwarding mode, traffic forwarded by the local AS and forwarded
between ASs is sent to the parent for forwarding.
NOTE
In centralized forwarding mode, ports of the ASs connected to the same fabric port of the parent are
isolated and so cannot communicate at Layer 2, and need to have proxy ARP in the corresponding
VLAN configured using the arp-proxy inner-sub-vlan-proxy enable command to communicate at
Layer 3.
l In distributed forwarding mode, an AS directly forwards local traffic and the parent
forwards traffic between ASs.
Procedure
Step 1 Run:
system-view
Step 2 Run:
uni-mng
Step 3 Run:
forward-mode centralized
The forwarding mode of the SVF system is set to centralized forwarding.
By default, the forwarding mode of an SVF system is distributed forwarding.
Step 4 Run:
The configuration is delivered to a specified AS or all ASs.
After changing the forwarding mode of an SVF system, you need to commit the configuration
to deliver the configuration to an AS.
----End
9.7.2 Configuring Service Profiles

Context
In an SVF system, the parent delivers the configuration to ASs using service profiles. Service
profiles are a set of service configurations. After service profiles are delivered to an AS, the
AS parses and executes the services configured in the service profiles.
Table 9-10 lists the configurable services on an AS.
Table 9-10 AS-supported configurable services

Device management Administrator User name and password of

the local administrator
Traffic policing Rate limit for outgoing ARP

and DHCP packets on an
uplink fabric port
Basic network service VLAN management Addition and removal of

ports to or from a VLAN
Configuration of the port

that connects an AS to an
AP
Voice VLAN based on

LLDP or CDP negotiation
Enhanced network service Basic QoS Trust 802.1p
Port security Broadcast, multicast, and

unknown unicast traffic
suppression on a port
Port rate limiting
STP edge port
Access security DHCP snooping, IPSG, and

DAI
Access service Access authentication Dot1x authentication, MAC

address authentication, and
Portal authentication
Access control MAC address learning

limiting
Traffic policing Rate limit for incoming

ARP and DHCP packets on
an AS port

Procedure
Step 1 Run:
system-view
Step 2 Run:
uni-mng
Step 3 Create service profiles and configure services in the service profiles.
Create Service Configure Services Service Description
Profile in Service Profiles
AS administrator user user-name Configure the user name and

profile password password password required for AS logins.
as-admin-profile traffic-limit outbound Configure the rate limit for outgoing
name profile-name { arp | dhcp } cir cir- ARP and DHCP packets on an uplink
value fabric port.
By default, the rate limits for outgoing
ARP packets and DHCP packets are
32 kbit/s and 128 kbit/s respectively
on an AS uplink fabric port.
Network basic profile user-vlan vlan-id Configure the default VLAN on an

network-basic-profile interface.
name profile-name pass-vlan { vlan-id1 Configure allowed VLANs on an
[ to vlan-id2 ] } interface. A maximum of 16 allowed
&<1-10> VLANs can be configured on each AS
port.
voice-vlan vlan-id Configure a voice VLAN on an

interface.
NOTE
When configuring a voice VLAN on an
AS port, ensure that IP phones connected
to the AS port support LLDP and have
LLDP enabled.
Network enhanced unicast-suppression Configure unknown unicast traffic

profile packets packets-per- suppression on an interface.
network-enhanced- second To prevent broadcast storms, you can
profile name profile- run the unicast-suppression
name command to configure the maximum
number of unknown unicast packets
that can pass through a port. When the
unknown unicast traffic rate reaches
the rate limit, the system discards
excess unknown unicast packets to
control the traffic volume within a
proper range.


multicast-suppression Configure multicast traffic

packets packets-per- suppression on an interface.
second To prevent broadcast storms, you can
run the multicast-suppression
command to configure the maximum
number of multicast packets that can
pass through a port. When the
multicast traffic rate reaches the
maximum value, the system discards
excess multicast packets to control the
traffic volume within a proper range.
broadcast- Configure broadcast traffic

suppression packets suppression on an interface.
packets-per-second To prevent broadcast storms, you can
run the broadcast-suppression
command to configure the maximum
number of broadcast packets that can
pass through a port. When the
broadcast traffic rate reaches the
maximum value, the system discards
excess broadcast packets to control the
traffic volume within a proper range.
dhcp snooping enable Enable DHCP snooping on an

interface.
You can run the dhcp snooping
enable command to enable DHCP
snooping on a port so as to improve
DHCP security.
ip source check user- Enable IP packet checking on an

bind enable interface.
When attackers steal authorized users'
IP addresses or MAC addresses to
send packets to access or attack
networks, authorized users cannot
obtain stable and secure network
services. After configuring IP packet
checking on a device, the device
checks received IP packets against the
binding table to prevent such attacks.
NOTE
Before running this command, you must
run the dhcp snooping enable command.


arp anti-attack check Configure dynamic ARP inspection

user-bind enable (DAI) on an interface.
You can configure DAI to prevent
Man in The Middle (MITM) attacks
and theft on authorized user
information. When a device receives
an ARP packet, it compares the source
IP address, source MAC address,
interface number, and VLAN ID of
the ARP packet with DHCP snooping
binding entries. If the ARP packet
matches a binding entry, the device
allows the packet to pass through. If
the ARP packet does not match any
binding entry, the device discards the
packet.
NOTE
Before running this command, you must
run the dhcp snooping enable command.
priority-trust enable Configure the priority trust function

on an interface.
After the priority trust function is
configured on a port, the port searches
the priority mapping table based on
802.1p priorities in packets, tags the
packets with the mapping internal
priority, and then sends the packets to
queues based on the internal priority.
rate-limit cir-value Configure traffic rate limiting on an

interface.
If user traffic is not limited,
continuous burst data from numerous
users can make the network
congested. You can configure traffic
rate limiting in inbound direction on
an interface to limit traffic entering
from the interface within a specified
range.


user-access-port Configure an interface as an edge

enable interface.
Ports connected to a Layer 2 STP
network do not need to participate in
spanning tree calculation. If these
ports participate in the calculation, the
network topology convergence speed
is affected and the status changes of
these ports may cause network
flapping. After these ports are
configured as edge ports, they do not
participate in spanning tree
calculation. This configuration speeds
up network topology convergence and
enhances network stability.
User access profile authentication Configure the user access

user-access-profile { dot1x | mac-auth | authentication mode.
name profile-name portal } * To control network access rights of
users using NAC, you need to enable
one or more of three NAC
authentication modes on interfaces.
If Portal authentication is deployed in
an SVF system, you must run the
user-access web-server server-name
command to specify the Portal server
profile used in Portal authentication in
the Portal access profile view.
Additionally, only one Portal server
profile can be configured in a Portal
access profile.
You can set the user access
authentication mode in one user
access profile only.
mac-limit maximum Configure MAC address learning

max-num limiting on an interface.
To control the number of access users
and protect the MAC address table
against attacks, you can limit the
maximum number of MAC addresses
that can be learned on an interface.
NOTE
In the user access profile view, the
authentication { dot1x | mac-auth |
portal } * and mac-limit maximum max-
num commands are mutually exclusive
and cannot be configured simultaneously.


traffic-limit inbound Configure the rate limit for incoming

{ arp | dhcp } cir cir- ARP and DHCP packets on an AS
value port.
By default, the forwarding rate of
incoming ARP and DHCP packets on
an AS port is not limited.
NOTE
l This command and the authentication
{ dot1x | mac-auth | portal } *
command cannot be both run in the
user access profile view.
l Do not run the traffic-limit inbound
dhcp and dhcp snooping enable
(network enhanced profile view)
commands simultaneously on the
same port; otherwise, the traffic-limit
inbound dhcp command does not
take effect. On an AS of the S2750EI,
S5700LI, S5700S-LI, S5720SI,
S5720S-SI, or S5710-X-LI model,
running the dhcp snooping enable
command on any port may cause the
traffic-limit inbound dhcp command
unable to take effect on all ports. You
are advised to shut down the attacked
port after detecting DoS attacks.
l Do not run the traffic-limit inbound
arp and arp anti-attack check user-
bind enable (network enhanced
profile view) commands
simultaneously on the same port.
Otherwise, the traffic-limit inbound
arp command may not take effect. On
an AS of the S2750EI, S5700LI,
S5700S-LI, S5720SI, S5720S-SI, or
S5710-X-LI model, running the arp
anti-attack check user-bind enable
command on any port may cause the
traffic-limit inbound arp command
unable to take effect on all ports. You
are advised to shut down the attacked
port after detecting DoS attacks.
By default, no service profile is created, and no service is configured in new service profiles.
Step 4 Run:
quit
Exit from the profile view.

Step 5 Create a group and bind it to service profiles.

Create a Group Add Members to Bind a Group to a Description
a Group Service Profile
AS group l as name as- as-admin-profile An AS group can be

as-group name name profile-name bound to only one
group-name Add an AS with AS administrator
a specified name. profile.
l as name-include
string
Add ASs of
which the name
contains a
specified string.
AS port group l as name as- l network-basic- l An AS port

port-group name name interface profile profile- group can be
group-name { { interface-type name bound to a
interface- l network- network basic
number1 [ to enhanced- profile, network
interface- profile profile- enhanced profile,
number2 ] } name and user access
&<1-10> | all } profile.
l user-access-
Add ports of a profile name l Ports of an AS
specified AS. profile-name can be added to a
l as name-include maximum of six
string interface different AS port
all groups.
AP port group Add ports of ASs network-basic- l An AP port

port-group of which the profile profile-name group can be
connect-ap name name contains a bound to only
group-name specified string. one network
basic profile.
l When an AP port
group is bound to
a network basic
profile, only the
pass-vlan { vlan-
id1 [ to vlan-
id2 ] } &<1-10>
command takes
effect in the
network basic
profile view.
By default, no group is created in the system, and new groups have no members and are not
bound to service profiles.
Step 6 Run:
quit

Exit from the group view.

Step 7 Run:

After configuring service profiles and binding them to an AS group or port group, you must
run this command to commit the configuration so that the configuration can be delivered to
ASs.
NOTE
When an AS goes offline and then goes online again, the AS restarts if the global configuration of the AS is
changed on the parent and the changed configuration is committed.
----End

l Run the display uni-mng as-group [ name group-name | verbose ] command to check
information about a specified AS group.
l Run the display uni-mng port-group [ name group-name | verbose ] command to
check information about a specified port group.
l Run the display uni-mng profile [ { as-admin | network-basic | network-enhanced |
user-access } [ name profile-name ] ] command to check information about service
profiles.
l Run the display uni-mng profile as name as-name [ interface interface-type interface-
number ] command to check the configuration generated after an AS is bound to service
profiles.
l Run the display uni-mng commit-result profile command to check the configuration
delivery result.
l Run the display uni-mng execute-failed-record profile as name as-name command to
check execution failure records after the configuration is delivered to an AS.
9.7.3 Directly Delivering Service Configurations to ASs
Context
Service configurations can be delivered to ASs through service profiles. Apart from this
method, you can also run the direct-command command on the parent to deliver some
service configurations directly to ASs.
Table 9-11 lists the commands that can be directly delivered to ASs.

Table 9-11 Commands that can be directly delivered to ASs

e n
Catego Dependency
ry and
Restriction
Energy- port-auto-sleep enable Interfac Enables the This command

saving e view port sleeping cannot be
manage function on an configured on
ment electrical combo
interface. interfaces.
PoE poe force-power Interfac Enables -

e view forcible PoE
power supply
on an
interface.
poe legacy enable Interfac Enables an -

e view interface to
check
compatibility
of PDs.
poe priority { critical | high | Interfac Sets the power -

low } e view supply priority
of a PoE
interface.
poe af-inrush enable slot slot-id System Configures the -

view IEEE 802.3at-
compliant
device to
provide power
in accordance
with IEEE
802.3af.
poe high-inrush enable slot System Configures a -

slot-id view device to allow
high inrush
current during
power-on.


e n
Catego Dependency
ry and
Restriction
Etherne undo negotiation auto Interfac Configures an l This

t e view interface to command
interfac work in non- cannot be
es auto configured
negotiation on combo
mode. interfaces.
After you run l Do not
the undo cancel the
direct- undo
command negotiation
command, the auto
interface command
works in auto when speed
negotiation { 10 | 100 |
mode. 1000 } or
duplex
{ full |
half } is
specified.
speed { 10 | 100 | 1000 } Interfac Sets the rate in l This

e view non-auto command
negotiation cannot be
mode. configured
on combo
interfaces.
l Ensure that
the
interface
works in
non-auto
negotiation
mode
before you
configure
this
command.


e n
Catego Dependency
ry and
Restriction
speed auto-negotiation Interfac Enables auto- l This

e view negotiation on command
a GE optical cannot be
interface. configured
on combo
interfaces.
l Ensure that
the
interface
works in
auto-
negotiation
mode
before you
configure
this
command.
l The GE
optical
interfaces
on the
S5700LI do
not support
this
command.


e n
Catego Dependency
ry and
Restriction
duplex { full | half } Interfac Sets the duplex l This

e view mode for an command
electrical cannot be
interface in configured
non-auto on combo
negotiation interfaces.
mode. l Ensure that
the
interface
works in
non-auto
negotiation
mode
before you
configure
this
command.
l When the
working
rate of a GE
electrical
interface is
1000
Mbit/s, the
interface
supports
only the
full duplex
mode.
loopback internal Interfac Configures a -

e view loopback
detection mode
on an
interface.
Port port bridge enable Interfac Enables the -

bridge e view bridging
function on an
interface.
LBDT loopback-detect enable Interfac Enables -

e view loopback
detection on an
interface.


e n
Catego Dependency
ry and
Restriction
loopback-detect packet vlan Interfac Enables If you

vlan-id e view loopback configure this
detection for a command
specified multiple times,
VLAN. loopback
detection is
enabled for
multiple
VLANs.
ARP arp speed-limit source-mac System Configures l Only the

rate maximum maximum view ARP rate S5720EI
limiting limiting based supports
on source this
MAC command.
addresses. l The value
of
maximum
maximum
ranges from
0 to 256.
l This
function
takes effect
only for
ARP
packets sent
to the CPU.
arp speed-limit source-ip System Configures l The value

maximum maximum view ARP rate of
limiting based maximum
on source IP maximum
addresses. ranges from
0 to 256.
l This
function
takes effect
only for
ARP
packets sent
to the CPU.

NOTE
l When you configure a directly delivered command on the parent, enter the complete and correct
command instead of the abbreviated form. No info message is displayed for confirming your input.
l A directly delivered command supports the help and typeahead functions but not real-time check during
input. The system checks the input only after you complete typing a command and press Enter. No
detailed description is provided in help information. If you fail to configure a command for an AS, an info
message is displayed.
l When you configure a directly delivered command, the AS to which the command is to be delivered must
be online. If you need to specify a port or slot-id in a command, the corresponding member device must
be available. If the AS is offline, run the clear direct-command command to delete the completed
configuration on the parent.
l If a port has the configuration directly delivered using commands, the port cannot be configured as a
member port of the Eth-Trunk to which a fabric port is bound. If a port has been configured as a member
port of the Eth-Trunk to which a fabric port is bound, the configuration cannot be directly delivered to the
port using commands.
l Directly delivering configuration using commands and delivering configuration using service profiles are
mutually exclusive and cannot be performed simultaneously.
Procedure
Step 1 Run:
system-view

Step 2 Run:
uni-mng

Step 3 Run:
as name as-name

Step 4 Run:
direct-command view { system | interface-type interface-number } command command-
text
A command is directly delivered to an AS.

----End

l Run the display uni-mng commit-result as-direct-config command to check the
configuration delivery result.
l Run the display uni-mng execute-failed-record as-direct-config as name as-name
command to check execution failure records after the configuration is delivered to an
AS.
9.7.4 Configuring User Authenticate-Free Rules
Context
In addition to the configurations in service profiles, the parent delivers the configured Portal
authentication-free rules to ASs. Authentication-free rules 0 to 127 can be delivered to ASs of

the S5720EI model; authentication-free rules 0 to 31 can be delivered to ASs of other models;
authentication-free rules outside the two ranges will not be delivered to ASs.
Procedure
Step 1 Configure authentication-free rules. For details, see "Configuring Basic NAC Functions" in
the S7700 and S9700 Series Switches Configuration Guide - NAC Configuration (Unified
Mode).
NOTE
You cannot specify the interface parameter when the parent delivers authentication-free rules to an AS.
Step 2 Run:
system-view
Step 3 Run:
uni-mng
Step 4 Run:
After configuring authentication-free rules, you need to commit the configuration to deliver
the configuration to an AS.
----End

l Run the display uni-mng commit-result free-rule command to check the configuration
delivery result.
9.8 Maintaining an SVF System
9.8.1 Monitoring the SVF System Running Status
Context
You can monitor the running status of an SVF system to ensure normal system operations and
locate faults.
Procedure
l Run the display as access configuration command on an AS to check the AS access
configuration.


l Run the display uni-mng as name as-name interface brief command on the parent to
check brief information about AS ports.
----End
9.8.2 Upgrading an Online AS
Context
You can upgrade the software of an AS connected to an SVF system.
NOTE
Procedure
Step 1 Run:
system-view

Step 2 Run:
uni-mng

Step 3 Run:
password


NOTE
cannot be upgraded.
name to FTP.
take effect.
not take effect.
Step 4 Run:

You can run the as type command multiple times to specify different files for different types
of ASs.
Step 5 Upgrade an AS.
l Run:
upgrade as name as-name [ reload [ in time ] ]
An AS with a specified name is upgraded.

l Run:
upgrade as name-include string [ reload [ in time ] ]
ASs of which the name contains a specified string are upgraded.

l Run:
upgrade as type as-type [ reload [ in time ] ]
An AS of a specified type is upgraded.

l Run:
upgrade as all [ reload [ in time ] ]
All ASs are upgraded.

NOTE
l The system software file name or patch file name specified using the as type command cannot be the
same as the current or next startup system software file or patch file of an AS. Otherwise, the AS cannot
be upgraded using the upgrade as command.
l If reload is not specified during the upgrade of an AS:
– If you specify patch patch but not system-software system-software in the as type command, the
patch file is activated online immediately.
– If you specify both patch patch and system-software system-software in the as type command and
the specified system software file version is the version running on the AS, the patch file is
activated online immediately.
– If you specify both patchpatch and system-softwaresystem-software in the as type command and
the specified system software file version is earlier or later than the version running on the AS, the
specified system software file and patch file will be set as next startup files.
l If reload is specified but in time is not specified, the AS restarts immediately after downloading upgrade
files.
l If reload and in time are specified, the AS restarts at the time specified by time.
----End
9.8.3 Restarting an AS
Context
When an AS is upgraded or working abnormally, you can restart the AS.
Procedure
Step 1 Run:
system-view
Step 2 Run:
uni-mng
Step 3 Run:
as reset { all | name as-name }
A specified AS or all ASs are restarted.
----End
9.8.4 Replacing an AS
Context
In an SVF system, each AS is identified by its MAC address by default. When a new device is
used to replace an AS, the SVF system considers the new device as a new AS because their
MAC addresses are different. As a result, the new AS does not inherit services on the
previous AS.

You can enable AS automatic replacement to solve this problem. When an AS is replaced by a
new device connected to the same fabric port, the SVF system replaces the AS MAC address
with the MAC address of the new device in the configuration. Consequently, the new device
can inherit services on the AS.
NOTE
l An AS can only be replaced by a device of the same model. If the new device is a different model, the
SVF system considers it as a new AS, which then cannot inherit services on the previous AS.
l Only a standalone AS can be replaced, and a stacked AS cannot be replaced.
l AS automatic replacement is not supported when an AS connects to the parent through a network.
Procedure
Step 1 Run:
system-view

Step 2 Run:
uni-mng

Step 3 Run:
as auto-replace enable
AS automatic replacement is enabled.

Step 4 Replace the existing AS with a new AS. The two ASs connect to the same fabric port.
----End
9.8.5 Logging In to an AS and Running Diagnostic Commands
Context
In addition to logging in to an AS through the console port, you can log in to the AS from the
parent. After logging in to the AS, you can enter the user or diagnostic view but cannot enter
the system view or perform service configurations: such as restart the AS or specify the
startup file.
NOTE
l Before logging in to an AS from the parent, you need to bind an AS administrator profile to the AS and
configure a user name and password for the AS.
l After an AS user name and password are configured, you need to enter the correct user name and
password when logging in to an AS through the console port. When you log in to an AS from the parent
using the attach as name as-name command, you can log in to the AS without entering the user name or
password.
l When no AS user name and password are configured, you need to enter the default password
admin@huawei.com when logging in to an AS through the console port.
The default password has security risks. You are advised to change the login password.
To facilitate maintenance and provide more fault diagnosis measures, you can run the
diagnose-command command in the user view to directly enter the diagnostic view and
perform diagnostic commands.

Procedure
Step 1 Run:
system-view
Step 2 Run:
uni-mng
Step 3 Configure an AS administrator profile and bind it to an AS.

1. Run:
as-admin-profile name profile-name
An AS administrator profile is created and the AS administrator profile view is

displayed.
2. Run:
user user-name password password
An AS administrator is configured.
3. Run:
quit
Exit from the AS administrator profile view.

4. Run:
as-group name group-name
An AS group is created and the AS group view is displayed.

5. Add ASs to the AS group.
– Run:
as name as-name
An AS with a specified name is added to the AS group.

– Run:
as name-include string
ASs of which the name contains a specified string are added to the AS group.
6. Run:
as-admin-profile profile-name
The AS administrator profile is bound to the AS group.

7. Run:
quit
Exit from the AS group view.
Step 4 Run:
The configuration is delivered to a specified AS or all ASs.
After configuring service profiles and binding them to an AS, you must run this command to
commit the configuration so that the configuration can be delivered to the AS.

Step 5 Run:
attach as name as-name
Log in to an AS from the parent.
Step 6 Run:
diagnose-command
Enter the diagnostic view from the user view.
----End
9.8.6 Enabling the Diagnostic Mode on an AS
Context
After enabling the diagnostic mode on an AS, you can run the system-view command on the
AS to enter the system view. In the system view, you can run some commands (for example,
the mirroring and packet header obtaining functions) as shown in Table 9-12 to help locate
AS faults. Table 9-12 lists these commands. For details on the command format, parameters,
view, and description, see the command reference of the ASs. You are advised to run these
commands under instruction of Huawei technical support personnel.
Table 9-12 Commands that can be configured on an AS after the diagnostic mode is enabled
port-mirroring Binds a mirrored You are not advised to perform service

undo port-mirroring port to an observing configurations on Eth-Trunk member ports
port. of an AS that are bound to a fabric port.
traffic-mirror Configures the You are not advised to perform service

undo traffic-mirror traffic mirroring configurations on Eth-Trunk member ports
function. of an AS that are bound to a fabric port.
observe-port Configures an You are not advised to configure a port with

undo observe-port observing port. service configurations on an AS as an
observing port. If a port has been configured
as an observing port, do not deliver service
configurations to this port through service
profiles or the direct-command command.
configurations on Eth-Trunk member ports
of an AS that are bound to a fabric port.
traffic-statistic Enables the traffic If you delete the traffic-statistic command

undo traffic-statistic statistics collection that is delivered by the parent to an AS, you
function. will fail to obtain traffic statistics about the
AS on the parent.
configurations on Eth-Trunk member ports
of an AS that are bound to a fabric port.

capture-packet Configures the You are not advised to perform service

packet header configurations on Eth-Trunk member ports
obtaining function. of an AS that are bound to a fabric port.
acl 2000-2999 Creates or deletes an If the number of traffic policies on an AS

undo acl 2000-2999 ACL rule. reaches the upper limit, the parent may fail
to deliver the IPSG or DAI configurations.
acl 3000-3998 Run the display uni-mng commit-result
undo acl 3000-3998 profile command on the parent to check the
configuration delivery result. If the
acl 4000-4997 command output shows that the
undo acl 4000-4997 configuration delivery fails, run the display
uni-mng execute-failed-record profile as
name as-name command to check execution
failure records after the configuration is
delivered to an AS. The command output
provides detailed information about the
delivery failure. You can log in to the AS to
check whether the ACL resources are used
up.
rule Creates an ACL -

undo rule rule.
interface Eth-Trunk Creates or deletes an Do not delete Eth-Trunk0 or Eth-Trunk

undo interface Eth- Eth-Trunk interface interfaces that are bound to the downlink
Trunk or displays the Eth- fabric port from an AS.
Trunk interface
view.
interface Displays the GE -

GigabitEthernet interface view.
interface Displays the XGE -

XGigabitEthernet interface view.
interface Ethernet Displays the -

Ethernet interface
view.
display Displays the device -

status or
configurations.
quit Returns to the -

upper-level view.
return Returns to the user -

view.

Procedure
l Log in to an AS and run the uni-mng diag-mode enable command to enable the
diagnostic mode on the AS.
----End

l On an AS, run the display uni-mng diag-mode information command to check
whether the diagnostic mode is enabled.
9.8.7 Disabling an AS Port
Context
In an SVF system, you cannot directly enter the interface view on an AS and disable the
interface. You need to run the shutdown interface interface-type interface-number command
on the parent to disable the specified AS port.
NOTE
Running this command can disable only an AS downlink port but not an AS uplink port.
Procedure
Step 1 Run:
system-view
Step 2 Run:
uni-mng
Step 3 Run:
as name as-name
Step 4 Run:
shutdown interface interface-type interface-number
The specified port is disabled on the AS.
----End
9.8.8 Clearing Packet Statistics in an SVF System
Context
Before collecting AS Discovery packet statistics in an SVF system, clear the existing statistics
and then run the display uni-mng as-discover packet statistics interface fabric-port port-id
command to check AS Discovery packet statistics.

Procedure
Step 1 Run the reset uni-mng as-discover packet statistics interface fabric-port port-id command
to clear AS Discovery packet statistics.
----End
9.9 Splitting an SVF System
Context
If an SVF system does not need to transmit services and needs to be split, perform the
following operations to split the SVF system:
1. Back up the SVF configuration file on the parent in case the SVF system needs to be set
up again.
2. Remove the cables between ASs and the parent. Log in to ASs and run the undo uni-
mng enable command in the user view to restore the ASs to the standalone mode. After
this command is executed, the AS restarts.
3. Delete the SVF configuration on the parent.
9.10.1 Example for Configuring SVF to Deploy a Wired Campus

Network Access Layer (Using Commands)
A new wired campus network has many access devices. The widely distributed access devices
complicate management and configuration of the access layer. Unified management and
configuration of access devices are required to reduce the management cost.
As shown in Figure 9-8, two aggregation switches set up a CSS and function as the parent to
connect to multiple ASs.
In this example, the S7700 functions as the parent, the S5700-28P-LI functions as a level-1
AS, and the S2750-28TP-EI functions as a level-2 AS.

Figure 9-8 Configuring a wired campus network access layer
CSS
Parent
GE1/1/0/1-GE1/1/0/3 GE2/1/0/1-GE2/1/0/3
GE0/0/27-GE0/0/28 GE0/0/27 GE0/0/27-GE0/0/28

GE0/0/28
Level-1 AS as1 as2 as3
S5700-28P-LI
GE0/0/23-GE0/0/24 GE0/0/23-GE0/0/24
GE0/0/1-GE0/0/2 GE0/0/1-GE0/0/2
Level-2 AS
S2750-28TP-EI as4 as5
1. Configure the parent as a CSS to ensure high reliability of the SVF system.
2. Enable the SVF function on the parent.
3. Configure AS access parameters, including the AS name, authentication mode, and
fabric ports that connect the parent to level-1 ASs and level-1 ASs to level-2 ASs.
4. Connect the parent to level-1 ASs and level-1 ASs to level-2 ASs using cables.
5. Configure service profiles and bind them to ASs.
Procedure
Step 1 Configure two switches in the parent to set up a CSS. For the procedure for and notes about
setting up a CSS, see "Stack Configuration" in the S7700&S9700 Series Ethernet Switches
Configuration Guide - Device Management Configuration.
Step 2 Log in to the CSS and enable the SVF function.
# Configure the management VLAN in the SVF system and enable the SVF function on the
parent.
[HUAWEI] vlan batch 11
[HUAWEI] dhcp enable
[HUAWEI] interface vlanif 11
[HUAWEI-Vlanif11] ip address 192.168.11.1 24
[HUAWEI-Vlanif11] dhcp select interface
[HUAWEI-Vlanif11] dhcp server option 43 ip-address 192.168.11.1
[HUAWEI-Vlanif11] quit
[HUAWEI] capwap source interface vlanif 11
[HUAWEI] stp mode rstp
[HUAWEI] uni-mng
Warning: This operation will enable the uni-mng mode and disconnect all ASs. STP
calculation may be triggered and service traffic will be affected. Continue?
[Y/N]:y

Step 3 Configure AS access parameters.
# Configure a name for each AS.

[HUAWEI-um] as name as1 model S5700-28P-LI-AC mac-address 0200-0000-0011
[HUAWEI-um-as-as1] quit
[HUAWEI-um] as name as4 model S2750-28TP-EI-AC mac-address 0200-0000-0044
# Configure fabric ports that connect the parent to level-1 ASs. The following uses fabric port
1 that connects the parent to AS 1 as an example.
[HUAWEI-um] interface fabric-port 1
[HUAWEI-um-fabric-port-1] port member-group interface eth-trunk 1
[HUAWEI-um-fabric-port-1] quit
[HUAWEI-um] quit
[HUAWEI-GigabitEthernet1/1/0/1] eth-trunk 1
The configurations of fabric ports 2 and 3 that connect the parent to AS 2 and AS 3
respectively are similar to the configuration of fabric port 1, and are not mentioned here.
# Configure the fabric ports that connect level-1 ASs to level-2 ASs.
[HUAWEI] uni-mng
[HUAWEI-um] as name as1
[HUAWEI-um-as-as1] down-direction fabric-port 4 member-group interface eth-trunk 4
[HUAWEI-um-as-as1] port eth-trunk 4 trunkmember interface gigabitethernet 0/0/23
to 0/0/24
[HUAWEI-um] as name as3
[HUAWEI-um-as-as3] down-direction fabric-port 5 member-group interface eth-trunk 5
[HUAWEI-um-as-as3] port eth-trunk 5 trunkmember interface gigabitethernet 0/0/23
to 0/0/24
[HUAWEI-um] quit
# Configure ASs to be authenticated using a whitelist when they connect to the SVF system.
[HUAWEI] as-auth
[HUAWEI-as-auth] undo auth-mode
[HUAWEI-as-auth] whitelist mac-address 0200-0000-0011
[HUAWEI-as-auth] quit
Step 4 Connect the parent to level-1 ASs and level-1 ASs to level-2 ASs using cables.
# Clear the configurations of ASs, restart the ASs, and then connect the parent to level-1 ASs
and level-1 ASs to level-2 ASs using cables. Subsequently, an SVF system is set up.
NOTE
Before connecting an AS to the parent, ensure that the AS has no configuration file and no input on the
console port.

# After connecting cables, run the display as all command to check whether ASs have
connected to the SVF system.
[HUAWEI] display as all
Total: 5, Normal: 5, Fault: 0, Idle: 0, Version mismatch: 0
--------------------------------------------------------------------------------
No. Type MAC IP State Name
--------------------------------------------------------------------------------
0 S5700-P-LI 0200-0000-0011 192.168.11.254 normal as1
1 S5700-P-LI 0200-0000-0022 192.168.11.253 normal as2
2 S5700-P-LI 0200-0000-0033 192.168.11.252 normal as3
3 S2750-EI 0200-0000-0044 192.168.11.251 normal as4
4 S2750-EI 0200-0000-0055 192.168.11.250 normal as5
--------------------------------------------------------------------------------
When the State field in the command output displays normal for an AS, the AS has
Step 5 Configure service profiles and bind them to ASs.
# Configure an AS administrator profile and bind it to all ASs.

[HUAWEI] uni-mng
[HUAWEI-um] as-admin-profile name admin_profile
[HUAWEI-um-as-admin-admin_profile] user asuser password hello@123
[HUAWEI-um-as-admin-admin_profile] quit
[HUAWEI-um] as-group name admin_group
[HUAWEI-um-as-group-admin_group] as name-include as
[HUAWEI-um-as-group-admin_group] as-admin-profile admin_profile
[HUAWEI-um-as-group-admin_group] quit
# Configure network basic profiles and bind them to AS ports.

[HUAWEI-um] network-basic-profile name basic_profile_1
[HUAWEI-um-net-basic-basic_profile_1] user-vlan 10
[HUAWEI-um-net-basic-basic_profile_1] quit
[HUAWEI-um] port-group name port_group_1
[HUAWEI-um-portgroup-port_group_1] as name as1 interface all
[HUAWEI-um-portgroup-port_group_1] network-basic-profile basic_profile_1
[HUAWEI-um-portgroup-port_group_1] quit
# Configure a user access profile and bind it to all AS ports.

[HUAWEI-um] user-access-profile name access_profile
[HUAWEI-um-user-access-access_profile] authentication dot1x
[HUAWEI-um-user-access-access_profile] quit
[HUAWEI-um-portgroup-port_group_1] user-access-profile access_profile
# Commit the configuration to deliver the configurations in service profiles to ASs.

[HUAWEI-um] commit as all
Warning: Committing the configuration will take a long time. Continue?[Y/N]: y
# Run the display uni-mng commit-result profile command to check whether the
configurations in service profiles have been delivered to ASs.

[HUAWEI-um] display uni-mng commit-result profile

Result of profile:
--------------------------------------------------------------------------------
AS Name Commit Time Commit/Execute Result
--------------------------------------------------------------------------------
as1 2014-08-25 22:29:18 Success/Success
--------------------------------------------------------------------------------
When the Commit/Execute Result field in the command output displays Success/Success for
an AS, the configurations in service profiles have been delivered to the AS.
----End
Configuration Files
l SVF system configuration file
#
vlan batch 11
#
stp mode rstp
stp instance 0 priority 28672
#
lldp enable
#
dhcp enable
#
interface Vlanif11
ip address 192.168.11.1 255.255.255.0
dhcp server option 43 ip-address 192.168.11.1
#
port hybrid tagged vlan 1 10 to 11
stp root-protection
authentication control-point open
authentication dot1x
mode lacp
mad relay
#
port hybrid tagged vlan 1 10 to 11
stp root-protection
mode lacp
mad relay
#
port hybrid tagged vlan 1 11 20
stp root-protection
mode lacp
mad relay
#
eth-trunk 1
#
eth-trunk 2
#

eth-trunk 3
#
eth-trunk 1
#
eth-trunk 2
#
eth-trunk 3
#
capwap source interface vlanif11
#
wlan
wlan ap lldp enable
wlan work-group default
#
as-auth
whitelist mac-address 0200-0000-0011
#
uni-mng
as name as1 model S5700-28P-LI-AC mac-address 0200-0000-0011
down-direction fabric-port 4 member-group interface Eth-Trunk 4
port Eth-Trunk 4 trunkmember interface GigabitEthernet 0/0/23
down-direction fabric-port 5 member-group interface Eth-Trunk 5
as name as4 model S2750-28TP-EI-AC mac-address 0200-0000-0044
interface fabric-port 1
port member-group interface Eth-Trunk 1
as-admin-profile name admin_profile
user asuser password %^%#Ky,WNqWh_DZ[(V96yvSEph)VLMc/+U}>]i2:"9n:%^%#
network-basic-profile name basic_profile_1
user-vlan 10
user-vlan 20
user-access-profile name access_profile
as-group name admin_group
as-admin-profile admin_profile
as name as1
as name as2
as name as3
as name as4
as name as5
port-group name port_group_1
network-basic-profile basic_profile_1
user-access-profile access_profile
as name as1 interface GigabitEthernet 0/0/1 to 0/0/22
as name as4 interface Ethernet 0/0/1 to 0/0/24

#
return
9.10.2 Example for Configuring SVF to Deploy a Wired and

Wireless Converged Campus Network Access Layer (Using
Commands)
A new campus network has a large number of wired and wireless access devices. The widely
distributed access devices complicate management and configuration of the access layer.
Unified management and configuration of wired and wireless access devices are required to
reduce the management cost.
As shown in Figure 9-9, two aggregation switches set up a CSS and function as the parent to
connect to multiple ASs and APs.
In this example, the S7700 functions as the parent, the S5700-28P-LI functions as an AS, and
the AP5010DN-AGN functions as an AP.
Figure 9-9 Configuring a wired and wireless converged campus network access layer
CSS
Parent
GE1/1/0/1-GE1/1/0/3 GE2/1/0/1-GE2/1/0/3
GE0/0/27-GE0/0/28 GE0/0/27 GE0/0/27-GE0/0/28

GE0/0/28
S5700-28P-LI
GE0/0/24 GE0/0/24
ap1 ap2
AP5010DN-AGN AP5010DN-AGN
1. Configure wired access devices to enable ASs to connect to the SVF system successfully.
2. Configure the ports that connect ASs to APs to enable wireless access devices to connect
to the SVF system successfully.

NOTE
l X1E cards must be installed on the parent.

l If APs connect to a non-X1E card, you must add the non-X1E card and X1E card of the parent to the
same WLAN work group. By default, all interface cards automatically join the default WLAN work
group named default.
l When an AS connects to APs, all member ports of the Eth-Trunk bound to the fabric port that connects
the parent to the AS must be ports on X1E cards or ports on non-X1E cards. Otherwise, APs cannot go
online. In this example, cards connecting AS 1 and AS 3 must all be X1E cards or non-X1E cards.
Procedure
Step 1 Connect ASs to the parent.
1. Configure two switches in the parent to set up a CSS. For the procedure for and notes
about setting up a CSS, see "Stack Configuration" in the S7700&S9700 Series Ethernet
Switches Configuration Guide - Device Management Configuration.
2. Log in to the CSS and enable the SVF function.
# Configure the management VLAN in the SVF system and enable the SVF function on
the parent.
[HUAWEI] uni-mng
Warning: This operation will enable the uni-mng mode and disconnect all ASs.
STP calculation may be triggered and service traffic will be affected.
Continue? [Y/N]:y
3. Configure AS access parameters.

# Configure fabric ports that connect the parent to level-1 ASs. The following uses fabric
port 1 that connects the parent to AS 1 as an example.
[HUAWEI-um] quit
The configurations of fabric ports 2 and 3 that connect the parent to AS 2 and AS 3
respectively are similar to the configuration of fabric port 1, and are not mentioned here.

# Configure ASs to be authenticated using a whitelist when they connect to the SVF
system.
[HUAWEI] as-auth
4. Connect ASs to the parent using cables.

# Clear the configurations of ASs, restart the ASs, and then connect ASs to the parent
using cables. Subsequently, an SVF system is set up.
NOTE
console port.
------------------------------------------------------------------------------
--
------------------------------------------------------------------------------
--
0 S5700-P-LI 0200-0000-0011 192.168.11.254 normal as1
1 S5700-P-LI 0200-0000-0022 192.168.11.253 normal as2
2 S5700-P-LI 0200-0000-0033 192.168.11.252 normal as3
------------------------------------------------------------------------------
--
Step 2 Connect APs to ASs.

1. Configure the ports that connect ASs to APs.
# Add the ports that connect ASs to APs to an AP port group.
[HUAWEI] uni-mng
[HUAWEI-um] port-group connect-ap name ap
[HUAWEI-um-portgroup-ap-ap] as name as1 interface gigabitethernet 0/0/24
[HUAWEI-um-portgroup-ap-ap] as name as3 interface gigabitethernet 0/0/24
[HUAWEI-um-portgroup-ap-ap] quit
[HUAWEI-um] quit
2. Configure AP access parameters.

# Configure ID for each AP.
[HUAWEI] wlan
[HUAWEI-wlan-view] ap id 1 ap-type ap5010dn-agn mac ac85-3da6-a420
[HUAWEI-wlan-ap-1] quit
[HUAWEI-wlan-view] ap id 2 ap-type ap5010dn-agn mac 1051-7225-80a0
[HUAWEI-wlan-ap-2] quit
# Configure no authentication for APs to connect to an SVF system.

[HUAWEI-wlan-view] ap-auth-mode no-auth
[HUAWEI-wlan-view] quit
3. Power on APs and connect APs to ASs using cables.

# After connecting cables, run the display ap all command to check whether APs have
[HUAWEI] display ap all
All AP(s) information:

Normal[2],Fault[0],Commit-failed[0],Committing[0],Config[0],Download[0]
Config-failed[0],Standby[0],Type-not-match[0],Ver-mismatch[0]
------------------------------------------------------------------------------
AP AP AP Profile AP AP
/Region
ID Type MAC ID State Sysname
------------------------------------------------------------------------------
1 AP5010DN-AGN ac85-3da6-a420 0/0 normal ap-1
2 AP5010DN-AGN 1051-7225-80a0 0/0 normal ap-2
------------------------------------------------------------------------------
Total number: 2,printed: 2
----End
Configuration Files
#
vlan batch 11
#
stp mode rstp
#
lldp enable
#
dhcp enable
#
interface Vlanif11
ip address 192.168.11.1 255.255.255.0
#
port hybrid tagged vlan 1 11
stp root-protection
mode lacp
mad relay
#
stp root-protection
mode lacp
mad relay
#
stp root-protection
mode lacp
mad relay
#
eth-trunk 1
#
eth-trunk 2
#
eth-trunk 3
#
eth-trunk 1
#

eth-trunk 2
#
eth-trunk 3
#
#
wlan
wlan ap lldp enable
ap-auth-mode no-auth
ap id 1 type-id 30 mac ac85-3da6-a420 sn 2102355547W0E3000316
ap id 2 type-id 30 mac 1051-7225-80a0 sn 2102355547W0E1232287
wlan work-group default
#
as-auth
#
uni-mng
port-group connect-ap name ap
as name as1 interface GigabitEthernet 0/0/24
as name as3 interface GigabitEthernet 0/0/24
#
return
9.10.3 Example for Configuring an SVF System Across a Layer 2

Network on a Wired Campus Network Access Layer (Using
Commands)
A new wired campus network has many access devices. The widely distributed access devices
complicate management and configuration of the access layer. Unified management and
configuration of access devices are required to reduce the management cost.
As shown in Figure 9-10, two aggregation switches set up a CSS, which then functions as the
parent to connect to multiple ASs.
In this example, the S7700 functions as the parent, and S5700-28P-LI and S2750-28TP-EI
function as ASs.
NOTE
The administrator needs to ensure that the downlink fabric port of the parent and the intermediate Layer 2
network are correctly configured, the SVF management VLAN and service VLAN between the parent and
AS are correctly connected, and the intermediate network transparently transmits data traffic between the
parent and AS. Therefore, the intermediate network must be a pure Layer 2 network.

Figure 9-10 Configuring an SVF system across a Layer 2 network on a wired campus
network access layer
CSS
Parent
GE1/1/0/1～GE1/1/0/2 GE2/1/0/1～GE2/1/0/2
Layer2 Network
GE0/0/27～GE0/0/28 GE0/0/1～GE0/0/2
S5700-28P-LI S2750-28TP-EI
as1 as2
1. Configure the parent as a CSS to ensure high reliability of the SVF system.
2. Enable the SVF function on the parent.
3. Configure AS access parameters on the parent, including the AS name, authentication
mode, and fabric port that connects the parent to an AS.
NOTE
If the parent connects to multiple devices on the Layer 2 intermediate network, on the parent, you
need to configure a different fabric port to connect to each intermediate device and bind each
fabric port to a different Eth-Trunk. If the parent connects to only one device on the Layer 2
intermediate network, on the parent, you need to configure only one fabric port and bind this fabric
port to one Eth-Trunk. In this example, if the parent connects to only one device on the Layer 2
intermediate network, on the parent, you need to configure only one fabric port (Fabric-port1) and
bind this fabric port to one Eth-Trunk (Eth-Trunk1).
4. Configure an uplink fabric port that connects an AS to the parent.
5. Connect the parent and ASs to the Layer 2 network using cables. Clear the
configurations of ASs and restart the ASs.
6. Configure service profiles and bind them to ASs.
Procedure
Step 1 Configure two switches in the parent to set up a CSS. For the procedure and notes for
configuring a CSS, see "CSS Configuration" in the S7700&S9700 Series Ethernet Switches
Configuration Guide - Device Management Configuration.
Step 2 Log in to the CSS and enable the SVF function.
# Configure the management VLAN in the SVF system and enable the SVF function on the
parent.

[HUAWEI] uni-mng
Warning: This operation will enable the uni-mng mode and disconnect all ASs. STP
calculation may be triggered and service traffic will be affected. Continue?
[Y/N]:y
Step 3 Configure AS access parameters on the parent.

# Configure fabric ports that connect the parent to ASs.

NOTE
The Eth-Trunk working mode configuration must be consistent on the member port in the indirectly
connected fabric port of the parent and the Layer 2 network port connected to the member port. If the Eth-
Trunk working mode on the Layer 2 network port is set to LACP, the Eth-Trunk working mode on the
member port must also be set to LACP.
[HUAWEI-um-fabric-port-1] port connect-type indirect
[HUAWEI-um] quit
[HUAWEI] interface eth-trunk 1
[HUAWEI-Eth-Trunk1] port link-type hybrid
[HUAWEI-Eth-Trunk1] port hybrid tagged vlan 11
[HUAWEI-Eth-Trunk1] stp root-protection
[HUAWEI-Eth-Trunk1] mode lacp //In this example, the Eth-Trunk working mode
on the Layer 2 network interface is set to LACP.
[HUAWEI-Eth-Trunk1] quit
The configuration of fabric port 2 that connects the parent to AS 2 is similar to the
configuration of fabric port 1, and is not mentioned here.
# Configure ASs to be authenticated using a whitelist when they connect to the SVF system.
[HUAWEI] as-auth
Step 4 Configure an uplink fabric port that connects an AS to the parent.

# Set the role of the device in a VCMP domain to silent.
[HUAWEI] vcmp role silent
[HUAWEI] quit

# Configure an uplink fabric port that connects AS 1 to the parent.

<HUAWEI> uni-mng enable mng-vlan 11
<HUAWEI> uni-mng enable fabric-port member interface gigabitethernet 0/0/27
# Configure an uplink fabric port that connects AS 2 to the parent.

<HUAWEI> uni-mng enable mng-vlan 11
Step 5 Clear the configurations of ASs and restart the ASs. Connect the parent and ASs to the Layer
2 network using cables.
# Clear the configurations of ASs, restart the ASs, and then connect the parent and ASs to the
Layer 2 network using cables. Subsequently, an SVF system is set up.
NOTE
console port.
# After connecting cables, run the display as all command to check whether ASs have
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
0 S5700-P-LI 0200-0000-0011 192.168.11.254 normal as1
1 S2750-EI 0200-0000-0022 192.168.11.250 normal as2
--------------------------------------------------------------------------------
When the State field in the command output displays normal for an AS, the AS has
Step 6 Configure service profiles and bind them to ASs.
# Configure an AS administrator profile and bind it to all ASs.

[HUAWEI] uni-mng
[HUAWEI-um] as-admin-profile name admin_profile
[HUAWEI-um-as-admin-admin_profile] user asuser password hello@123
[HUAWEI-um-as-admin-admin_profile] quit
[HUAWEI-um] as-group name admin_group
[HUAWEI-um-as-group-admin_group] as name-include as
[HUAWEI-um-as-group-admin_group] as-admin-profile admin_profile
[HUAWEI-um-as-group-admin_group] quit
# Configure network basic profiles and bind them to AS ports.

# Configure a user access profile and bind it to all AS ports.

[HUAWEI-um] user-access-profile name access_profile

[HUAWEI-um-user-access-access_profile] authentication dot1x
[HUAWEI-um-user-access-access_profile] quit
# Commit the configuration to deliver the configurations in service profiles to ASs.

# Run the display uni-mng commit-result profile command to check whether the
configurations in service profiles have been delivered to ASs.
[HUAWEI-um] display uni-mng commit-result profile
Result of profile:
--------------------------------------------------------------------------------
AS Name Commit Time Commit/Execute Result
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
When the Commit/Execute Result field in the command output displays Success/Success for
an AS, the configurations in service profiles have been delivered to the AS.
----End
Configuration Files
#
vlan batch 11
#
stp mode rstp
#
lldp enable
#
dhcp enable
#
interface Vlanif11
ip address 192.168.11.1 255.255.255.0
#
port hybrid tagged vlan 11
stp root-protection
mode lacp
#
port hybrid tagged vlan 11
stp root-protection
mode lacp
#
eth-trunk 1
#
eth-trunk 2
#

eth-trunk 1
#
eth-trunk 2
#
#
as-auth
#
uni-mng
as-admin-profile name admin_profile
user asuser password %^%#Ky,WNqWh_DZ[(V96yvSEph)VLMc/+U}>]i2:"9n:%^%#
user-vlan 10
user-vlan 20
user-access-profile name access_profile
as-group name admin_group
as-admin-profile admin_profile
as name as1
as name as2
#
return
9.10.4 Example for Configuring the Access Layer for a Wired

Campus Network Using eSight
Prerequisites
l Devices have been added to eSight, and can successfully communicate with eSight.
l Telnet parameters have been configured on eSight.
l The LLDP protocol has been enabled on SVF-capable devices.
Company M has constructed a wired campus network on which many access devices are
deployed sparsely. It is difficult to manage and configure these access devices. The network
administrator Jack requires that he can uniformly manage and configure the access devices to
reduce management costs.
As shown in Figure 9-11, two switches at the aggregation layer form a cluster and function as
the parent devices to connect to multiple access switches (ASs).

In this example, the S7712, S5700-28P-LI, and S2750-28TP-EI are used as the parent device,
level-1 AS, and level-2 AS respectively.
Figure 9-11 Configuring the access layer for a wired campus network
Parent CSS
S7712
GE1/1/0/1 to GE1/1/0/3 GE2/1/0/1 to GE2/1/0/3
GE0/0/27 to GE0/0/28 GE0/0/27 GE0/0/27 to GE0/0/28

GE0/0/28
S5700-28P-LI
GE0/0/23 to GE0/0/24 GE0/0/23 to GE0/0/24
GE0/0/1 to GE0/0/2 GE0/0/1 to GE0/0/2

Level-2 AS
S2750-28TP-EI as4 as5
1. Configure CSS on the parent devices to ensure high reliability of the super virtual fabric
(SVF) system.
2. Configure SVF system capabilities.
a. Create an SVF enabling template to enable SVF on the parent and configure the
SVF client management IP address pool, file server, and forwarding mode.
b. Create an AS predeployment template to predeploy ASs on the SVF parent before
powering on them and add the ASs to a whitelist. After the ASs are powered on, the
SVF parent permits the ASs to access the SVF network.
c. Create a level-1 AS fabric port template to set parameters for the fabric ports that
connect the SVF parent to level-1 ASs.
d. Create a level-2 AS fabric port template to set parameters for the fabric ports that
connect level-1 ASs to level-2 ASs.
e. Create a system configuration matrix to deploy the template instances to the SVF
parent.
3. Clear the configurations of ASs, restart the ASs, and then connect the parent to level-1
ASs and level-1 ASs to level-2 ASs using cables.
4. Configure SVF service capabilities.
a. Create port groups.
b. Create user interface VLAN templates to set pass VLANs for user-side ports.
c. Create a user interface service template to set network security parameters for user-
side ports.
d. Create a service configuration matrix to deploy the template instances to the port
groups.

Data Plan
Table 9-13 Device group

Group Name Device Name Device IP
SVF Parent SVF-S77 10.137.217.203
Table 9-14 Port group

Group Name Device Port
PortGroup1 as1 ALL
PortGroup1 as2 ALL
PortGroup1 as4 ALL
PortGroup2 as3 ALL
PortGroup2 as5 ALL
Table 9-15 SVF enabling template

Instance Name VLAN ID IP Address Mask
Temp1 11 192.168.11.1 24
Table 9-16 AS predeployement template

Instance AS Name AS Type MAC Address Whether the
Name AS Is Added
to Whitelist
ASTemp as1 S5700-28P-LI-AC 0200-0000-0011 Yes
as2 S5700-28P-LI-AC 0200-0000-0022 Yes
as3 S5700-28P-LI-AC 0200-0000-0033 Yes
as4 S2750-28TP-EI- 0200-0000-0044 Yes

AC
as5 S2750-28TP-EI- 0200-0000-0055 Yes

AC

Table 9-17 Level-1 AS fabric port template
Instance Name Fabric Port ID Eth-Trunk ID GE Interface

Number
ParentToL1as 1 1 1/1/0/1
1 1 2/1/0/1
2 2 1/1/0/2
2 2 2/1/0/2
3 3 1/1/0/3
3 3 2/1/0/3
Table 9-18 Level-2 AS fabric port template
Instance AS Name Fabric Port Eth-Trunk ID GE Interface

Name ID Number
L2AS 1 4 4 0/0/23
1 4 4 0/0/24
3 5 5 0/0/23
3 5 5 0/0/24
Table 9-19 User interface VLAN template
Instance Name Default VLAN
VLAN10 10
VLAN20 20
Table 9-20 User interface service template
Instance Name User Access Port
AccessTemp ON
Procedure
Step 1 For details on how to set up a cluster on the two switches that function as the parent devices,
see "CSS Configuration" in the S7700&S9700 Series Ethernet Switches Configuration Guide
- Device Management.

Step 2 Create a template instance and enable SVF on the parent device.
1. Choose Configuration > Configuration Management > Service Configuration
Management from the main menu.
2. Choose Template Management > Predefined from the navigation tree, choose SVF
Device Templates > SVF System Config > Enable SVF in Template, and click
Create.
3. Set Instance Name to Temp1, set VLAN ID, IP Address, and Mask in the Configure
SVF Client Management Address Pool area to 11, 192.168.11.1, and 24 respectively,
and click Confirm. The Enable SVF template is displayed on the page.

Step 3 Create a template instance and set AS access parameters.

Device Templates > SVF System Config > AS PreDeploy in Template, and click
Create.
2. Set Instance Name to ASTemp and set other parameters as shown in the following
figure.

Step 4 Create a template instance Level-1 AS Fabric Port.

Device Templates > SVF System Config > Level-1 AS Fabric Port in Template, and
click Create.
2. Set Instance Name to ParentToL1as, set other parameters as shown in the following
figure, and click Confirm. The Level-1 AS Fabric Port template is displayed on the
page.
Step 5 Create a template instance Level-2 AS Fabric Port.

Device Templates > SVF System Config > Level-2 AS Fabric Port in Template, and
click Create.

2. Set Instance Name to L2AS, set other parameters as shown in the following figure, and
click Confirm. The Level-2 AS Fabric Port template is displayed on the page.
Step 6 Deploy the template instances to the parent device.

1. Choose Service Config > SVF System Config from the navigation tree. The default
service configuration matrix is displayed.
2. Click next to Resources and select SVF-S77 as the default SVF Parent.
3. In the service configuration matrix, place the mouse in each blank cell, click to
select the created template instances one by one, and click Confirm.

4. In the system configuration matrix, place the mouse in the lower right corner of each cell
with a template instance, and click to deploy the template instance to the parent
device.
Step 7 After logging in to each AS through the CLI, you can run the reset saved-configuration
command to delete the AS configuration and then run the reboot command to restart the AS.
If a message is displayed asking whether you want to save the configuration, select N. And
then connect the parent to level-1 ASs and level-1 ASs to level-2 ASs using cables.
Step 8 Create port groups.
1. Choose Resource > Resource Management > Equipment Resources from the main
menu. Device resources on the entire network are displayed on the page.
2. Click in the upper right corner of the page and set IP Address to 10.137.217.203.
The SVF device with the specified IP address is displayed on the page.
3. Click the device name link in Name to access the NE Manager of the device.
4. Choose SVF Feature > AS Port from the navigation tree, and click Create Group.

5. Set Group Name to PortGroup1, and click Confirm.

6. Set Group Name to PortGroup2, and click Confirm.
7. Enter as1 in the AS Name search box and click Search. Select all the ports of as1, click
Set Group, and select PortGroup1.
8. Repeat the preceding step to add ports of as2 and as4 to PortGroup1, and ports of as3
and as5 to PortGroup2.
Step 9 Create user interface VLAN templates.

1. Choose Configuration > Configuration Management > Service Configuration

Management from the main menu.
Device Templates > SVF Service Config > User Interface VLAN in Template, and
click Create.
3. Set Instance Name to VLAN10, set other parameters as shown in the following figure,
and click Confirm. The user interface VLAN template VLAN10 is displayed on the
page.
4. Click Create, set Instance Name to VLAN20, set other parameters as shown in the
following figure, and click Confirm. The user interface VLAN template VLAN20 is
displayed on the page.
Step 10 Create a user interface service template.

Device Templates > SVF Service Config > User Interface Service in Template, and
click Create.

2. Set Instance Name to AccessTemp, set other parameters as shown in the following
figure, and click Confirm. The user interface service template AccessTemp is displayed
on the page.
Step 11 Deploy the SVF user interface VLAN and service templates to port groups.
1. Choose Service Config > SVF Port Config from the navigation tree. The default
service configuration matrix is displayed.
2. Click next to Resources, select PortGroup1 and PortGroup2, and click Confirm.
3. In the service configuration matrix, place the mouse in each blank cell, click to
select the created template instances one by one, and click Confirm.

4. In the service configuration matrix, place the mouse in the lower right corner of each cell
with a template instance, and click to deploy the template instance to the port group.
----End
Result
After the SVF access layer configuration is complete, verify the configuration as follows:
l Choose Monitor > Topology > Topology Management from the main menu. The SVF
topology is displayed. Double-click the icon to view the layout in

the SVF system.
l Choose Resource > Resource Management > Access Users Management from the
main menu. You can view the list of online users on the page that is displayed.

S7700 and S9700 V200R008C00 Configuration Guide - Device Management PDF

Hochgeladen von

Dokumentinformationen

Originaltitel

Copyright

Verfügbare Formate

Dieses Dokument teilen

Dokument teilen oder einbetten

Freigabeoptionen

Stufen Sie dieses Dokument als nützlich ein?

Sind diese Inhalte unangemessen?

Copyright:

Verfügbare Formate

S7700 and S9700 V200R008C00 Configuration Guide - Device Management PDF

Hochgeladen von

Copyright:

Verfügbare Formate

S7700 and S9700 Series Switches

Configuration Guide - Device

HUAWEI TECHNOLOGIES CO., LTD.

Trademarks and Permissions

Huawei Technologies Co., Ltd.

Issue 07 (2017-11-30) Copyright © Huawei Technologies Co., Ltd. i

About This Document

This document is intended for:

l Data configuration engineers

Indicates an imminently hazardous situation

Indicates a potentially hazardous situation

Indicates a potentially hazardous situation

Indicates a potentially hazardous situation

Issue 07 (2017-11-30) Copyright © Huawei Technologies Co., Ltd. ii

NOTE Calls attention to important information,

Boldface The keywords of a command line are in boldface.

Italic Command arguments are in italics.

[] Items (keywords or arguments) in brackets [ ] are optional.

{ x | y | ... } Optional items are grouped in braces and separated by

[ x | y | ... ] Optional items are grouped in brackets and separated by

{ x | y | ... }* Optional items are grouped in braces and separated by

[ x | y | ... ]* Optional items are grouped in brackets and separated by

&<1-n> The parameter before the & sign can be repeated 1 to n

# A line starting with the # sign is comments.

Interface Numbering Conventions

Issue 07 (2017-11-30) Copyright © Huawei Technologies Co., Ltd. iii

– When configuring a password, the cipher text is recommended. To ensure device

Product Software Versions Matching NMS Versions

Issue 07 (2017-11-30) Copyright © Huawei Technologies Co., Ltd. iv

S7700 and S9700 Product NMS

V200R008C00 eSight V300R003C20

Changes in Issue 07 (2017-11-30) V200R008C00

Mistakes in the document are corrected.

Changes in Issue 06 (2017-07-30) V200R008C00

Mistakes in the document are corrected.

Changes in Issue 05 (2017-04-30) V200R008C00

Mistakes in the document are corrected.

Changes in Issue 04 (2017-01-10) V200R008C00

Mistakes in the document are corrected.

Changes in Issue 03 (2016-10-30) V200R008C00

Mistakes in the document are corrected.

Changes in Issue 02 (2015-10-23) V200R008C00

Some contents are modified according to updates in the product.

Changes in Issue 01 (2015-07-31) V200R008C00

Issue 07 (2017-11-30) Copyright © Huawei Technologies Co., Ltd. v

About This Document.....................................................................................................................ii

Issue 07 (2017-11-30) Copyright © Huawei Technologies Co., Ltd. vi

1.1.6.3 What Can I Do If the Optical Power Is Low or High?........................................................................................... 26

Issue 07 (2017-11-30) Copyright © Huawei Technologies Co., Ltd. vii

3 Information Center Configuration...........................................................................................78

Issue 07 (2017-11-30) Copyright © Huawei Technologies Co., Ltd. viii

3.5.1.9 Configuring the Device to Output Logs to a Log File............................................................................................96

Issue 07 (2017-11-30) Copyright © Huawei Technologies Co., Ltd. ix

4.4 Licensing Requirements and Limitations for NTP.....................................................................................................141

5 Ethernet Clock Synchronization Configuration..................................................................175

Issue 07 (2017-11-30) Copyright © Huawei Technologies Co., Ltd. x

6 Energy-Saving Management................................................................................................... 218

7 PoE Configuration..................................................................................................................... 229

Issue 07 (2017-11-30) Copyright © Huawei Technologies Co., Ltd. xi

8 CSS Configuration.................................................................................................................... 249

Issue 07 (2017-11-30) Copyright © Huawei Technologies Co., Ltd. xii

8.11 Configuring Enhanced CSS Functions..................................................................................................................... 310

9 SVF Configuration.................................................................................................................... 348