H3C S5500-EI Series Configuration Manual

H3C S5500-SI/EI Series Ethernet Switches
Layer 2 - LAN Switching Configuration Guide
Hangzhou H3C Technologies Co., Ltd.
http://www.h3c.com
Software version: Release 2208
Document version: 6W100-20101224

Summary of Contents for H3C S5500-EI Series

  • Page 2 Copyright © 2010, Hangzhou H3C Technologies Co., Ltd. and its licensors All rights reserved No part of this manual may be reproduced or transmitted in any form or by any means without prior written consent of Hangzhou H3C Technologies Co., Ltd.
  • Page 3 Preface The H3C S5500-SI/EI documentation set includes 10 configuration guides, which describe the software features for the H3C S5500-SI and S5500-EI Series Ethernet Switches, Release 2208, and guide you through the software configuration procedures. These configuration guides also provide configuration examples to help you apply software features to different network scenarios.
  • Page 4
    Configuration guide: Loopback and null interface configuration
    Added and modified features: —
    Configuration guide: MAC address table configuration
    Added and modified features: —
    Configuration guide: MAC Information configuration
    Added and modified features: —
    Configuration guide: Ethernet link aggregation configuration
    Added and modified features: Added features:
    • Setting the LACP timeout interval
    • Enabling local-first load sharing for link aggregation
    • ...
  • Page 5 Square brackets enclose syntax choices (keywords or arguments) that are optional. Braces enclose a set of required syntax choices separated by vertical bars, { x | y | ... } from which you select one. Square brackets enclose a set of optional syntax choices separated by vertical [ x | y | ...
  • Page 6 About the H3C S5500-SI/EI documentation set The H3C S5500-SI/EI documentation set includes: Category Documents Purposes Marketing brochures Describe product specifications and benefits. Provide an in-depth description of software Technology white papers features and technologies. Describes the appearances, features, PSR150-A [ PSR150-D ] Power...
  • Page 7 Obtaining documentation You can access the most up-to-date H3C product documentation on the World Wide Web at http://www.h3c.com. Click the links on the top navigation bar to obtain different categories of product documentation: [Technical Support & Documents > Technical Documents] –...
  • Page 8: Table Of Contents

    Contents
    Ethernet interface configuration
    Ethernet interface overview
    Ethernet interface naming conventions
    Configuring a Combo interface
    Switchable link mode of Ethernet interfaces (available only on the S5500-EI)
    General Ethernet interface configuration
    Configuring basic settings of an Ethernet interface
    Configuring the link mode of an Ethernet interface (available only on the S5500-EI)
    Configuring generic flow control on an Ethernet interface
    Configuring link change suppression on an Ethernet interface
    ...
  • Page 9 MAC Information configuration
    Overview
    Introduction to MAC Information
    How MAC Information works
    Configuring MAC Information
    Enabling MAC Information globally
    Enabling MAC Information on an interface
    Configuring MAC Information mode
    Configuring the interval for sending Syslog or trap messages
    ...
  • Page 10 Protocols and standards
    MSTP configuration task list
    Configuring MSTP
    Configuring an MST region
    Configuring the root bridge or a secondary root bridge
    Configuring the work mode of an MSTP device
    Configuring the priority of a device
    ...
  • Page 11 Protocol-based VLAN configuration
    Introduction to protocol-based VLAN
    Configuring a protocol-based VLAN
    Protocol-based VLAN configuration example
    IP Subnet-based VLAN configuration
    Introduction
    Configuring an IP subnet-based VLAN
    Displaying and maintaining VLAN
    Super VLAN configuration (available only on the S5500-EI)
    Overview
    Configuring a super VLAN
    Displaying and maintaining super VLAN
    ...
  • Page 12 QinQ frame structure
    Implementations of QinQ
    Modifying the TPID in a VLAN tag
    Protocols and standards
    QinQ configuration task list
    Configuring basic QinQ
    Enabling basic QinQ
    Configuring VLAN transparent transmission
    Configuring selective QinQ
    Configuring an outer VLAN tagging policy
    Configuring an inner-outer VLAN 802.1p priority mapping
    Configuring inner VLAN ID substitution (available only on the S5500-EI)
    ...
  • Page 13 LLDP configuration examples
    Basic LLDP configuration example
    CDP-compatible LLDP configuration example
    Service loopback group configuration (available only on the S5500-EI)
    Overview
    Functions of service loopback groups
    Service types of service loopback groups
    Requirements on service loopback ports
    States of service loopback ports
    Configuring a service loopback group
    Displaying and maintaining service loopback groups
    ...
  • Page 14: Ethernet Interface Configuration

    Ethernet interface overview
    Ethernet interface naming conventions
    The GE and 10-GE interfaces on the S5500-SI&S5500-EI series Ethernet switches are named in the format of interface-type A/B/C, where the following definitions apply:
    • If the switch does not support Intelligent Resilient Framework (IRF), A takes 1. If the switch supports IRF, A represents the ID of the switch in an IRF virtual device.
  • Page 15: Switchable Link Mode Of Ethernet Interfaces (Available Only On The S5500

    • Use the display interface command to find out, of the two physical ports that comprise a Combo interface, which is the optical port and which is the electrical port. If the output includes “Media type is twisted pair, Port hardware type is 1000_BASE_T”, the current port is the electrical port; if the output includes “Media type is not sure, Port hardware type is No connector”, the current port is the optical port.
  • Page 16: Configuring The Link Mode Of An Ethernet Interface (Available Only On The S5500

    To do…: Enter system view
    Use the command…: system-view
    Remarks: —
    To do…: Enter Ethernet interface view
    Use the command…: interface interface-type interface-number
    Remarks: —
    To do…: Change the description of the interface
    Use the command…: description text
    Remarks: Optional. By default, the description of an interface is the interface name followed by the “Interface” string, GigabitEthernet1/0/1 Interface for example.
  • Page 17: Configuring Generic Flow Control On An Ethernet Interface

    CAUTION:
    • After you change the link mode of an Ethernet interface, all the settings of the Ethernet interface are restored to their defaults under the new link mode.
    • If you set the link mode of the active port of a Combo interface to Layer 3, you cannot activate the other...
  • Page 18 To prevent physical link flapping from affecting system performance, configure link change suppression to delay the reporting of physical link state changes. When the delay expires, the interface reports any detected change. Link change suppression does not suppress administrative up or down events. When you shut down or bring up an interface with the shutdown or undo shutdown command, the interface reports the event to the upper layers immediately.
  • Page 19: Configuring Loopback Testing On An Ethernet Interface

    Configuring loopback testing on an Ethernet interface
    You can perform loopback testing on an Ethernet interface to check whether the interface functions properly. The Ethernet interface cannot forward data packets during the testing. Loopback testing falls into the following categories:
    Internal loopback testing, which tests all on-chip functions related to Ethernet interfaces.
  • Page 20: Setting The Statistics Polling Interval

    Setting the statistics polling interval
    Follow these steps to set the statistics polling interval on an Ethernet interface:
    To do…: Enter system view
    Use the command…: system-view
    Remarks: —
    To do…: Enter Ethernet interface view
    Use the command…: interface interface-type interface-number
    Remarks: —
    To do…: Set the statistics polling interval on the Ethernet interface
    Use the command…: flow-interval interval
    Remarks: Optional. The default interface statistics...
  • Page 21: Configuring A Layer 2 Ethernet Interface

    To do…: Enter Ethernet interface view
    Use the command…: interface interface-type interface-number
    Remarks: —
    To do…: Enable the interface to accept jumbo frames
    Use the command…: jumboframe enable
    Remarks: Required. By default, an Ethernet interface accepts jumbo frames (up to 9216 bytes).
    Configuring a Layer 2 Ethernet interface
    Layer 2 Ethernet interface configuration task list
    Complete these tasks to configure an Ethernet interface operating in bridge mode:
    Task...
  • Page 22: Configuring A Mac Address For An Ethernet Port (Available Only On The S5500

    To do… Use the command… Remarks port group Optional By default, all Ethernet interfaces in a port group are up. To bring up all Shut down all Ethernet interfaces in shutdown Ethernet interfaces shut down the port group manually in a port group, use the undo shutdown command in port group view.
  • Page 23: Configuring Traffic Storm Protection

    As shown in Figure 4, speed auto negotiation enables an Ethernet interface to negotiate with its peer for the highest speed supported by both ends by default. You can narrow down the speed option list for negotiation.
    Figure 4 Speed auto negotiation application scenario
    All interfaces on the switch are operating in speed auto negotiation mode, with the highest speed of 1000 Mbps.
  • Page 24
    • Storm control, which enables you to shut down Ethernet interfaces or block traffic when monitored traffic exceeds the traffic threshold. It also enables an interface to send trap or log messages when monitored traffic reaches a certain traffic threshold, depending on your configuration.
    For a particular type of traffic, configure either storm suppression or storm control, but not both.
  • Page 25 Configuring storm control on an Ethernet interface
    Storm control compares broadcast, multicast, and unknown unicast traffic regularly with their respective traffic thresholds on an Ethernet interface. For each type of traffic, storm control provides a lower threshold and a higher threshold. For management purposes, you can configure the interface to send threshold event traps and log messages when monitored traffic exceeds the upper threshold or falls below the lower threshold from the upper threshold.
  • Page 26: Enabling Single-Port Loopback Detection On An Ethernet Interface

    NOTE:
    • For network stability, use the default or set a higher traffic polling interval.
    • Storm control uses a complete polling cycle to collect traffic data, and analyzes the data in the next cycle. It takes an interface at least one polling interval and at most two polling intervals to take a storm control action.
  • Page 27: Enabling Multi-Port Loopback Detection

    To do… Use the command… Remarks Use either command. Enter Ethernet interface interface-type interface view interface-number Enter To configure loopback detection Ethernet on one interface, enter Ethernet interface interface view. Enter port group port-group manual view or port To configure loopback detection view port-group-name group view...
  • Page 28: Setting The Mdi Mode Of An Ethernet Interface

    receives packets sent out Port 2, a multi-port loop occurs between the two interfaces, and Port 1 (the interface that receives the looped packets) is the looped interface. Multi-port loops may also cause broadcast storms.
    Figure 5 Network diagram for multi-port loopback detection (figure labels: Switch A, Port 1, Port 2...)
  • Page 29: Enabling Bridging On An Ethernet Interface

    • Normal mode
    • Auto mode
    A copper Ethernet interface uses an RJ-45 connector, which comprises eight pins, each playing a dedicated role. For example, pins 1 and 2 transmit signals, and pins 3 and 6 receive signals. The pin role varies by the following MDI modes:
    In normal mode, pins 1 and 2 are transmit pins, and pins 3 and 6 are receive pins.
  • Page 30: Testing The Cable Connection Of An Ethernet Interface

    Testing the cable connection of an Ethernet interface
    NOTE:
    • Optical interfaces do not support this feature.
    • If the link of an Ethernet interface is up, testing its cable connection will cause the link to come down and then go up.
    You can test the cable connection of an Ethernet interface for a short or open circuit.
  • Page 31
    To do…: Display the summary of an interface
    Use the command…: display interface [ interface-type [ interface-number ] ] brief [ | { begin | exclude | include } regular-expression ]
    Use the command…: display interface [ interface-type ] brief down [ | { begin | exclude | include } regular-expression ]
    Remarks: Available in any view
    To do…: Display the statistics on the packets...
  • Page 32: Loopback And Null Interface Configuration

    Loopback and null interface configuration
    This chapter includes these sections:
    • Loopback interface
    • Null interface
    • Displaying and maintaining loopback and null interfaces
    Loopback interface
    Introduction to loopback interface
    A loopback interface is a software-only virtual interface. It delivers the following benefits.
    • The physical layer state and link layer protocols of a loopback interface are always up unless the...
  • Page 33: Null Interface

    enter Loopback interface view interface-number
    To do…: Set a description for the loopback interface
    Use the command…: description text
    Remarks: Optional. By default, the description of an interface is the interface name followed by the “Interface” string.
    To do…: Shut down the loopback interface
    Use the command…: shutdown
    Remarks: Optional. By default, a loopback interface is up once created.
  • Page 34: Displaying And Maintaining Loopback And Null Interfaces

    Displaying and maintaining loopback and null interfaces
    To do…: Display information about loopback interfaces
    Use the command…: display interface loopback [ brief [ down ] ] [ | { begin | exclude | include } regular-expression ]
    Use the command…: display interface loopback interface-number [ brief ] [ | { begin | exclude | include } regular-expression ]
    Remarks: Available in any view
    ...
  • Page 35: Mac Address Table Configuration

    MAC address table configuration
    This chapter includes these sections:
    • Overview
    • Configuring the MAC address table
    • Displaying and maintaining MAC address tables
    • MAC address table configuration example
    Overview
    Every Ethernet switch maintains a MAC address table for forwarding frames through unicast instead of broadcast.
  • Page 36: Types Of Mac Address Table Entries

    higher priority than dynamically learned ones, you can prevent hackers from stealing data using forged MAC addresses.
    Types of MAC address table entries
    A MAC address table can contain the following types of entries:
    • Static entries, which are manually added and never age out.
    • ...
  • Page 37: Manually Configuring Mac Address Table Entries

    Manually configuring MAC address table entries
    To fence off MAC address spoofing attacks and improve port security, you can manually add MAC address table entries to bind ports with MAC addresses. You can also configure blackhole MAC address entries to filter out packets with certain source or destination MAC addresses.
  • Page 38
    NOTE: Whether the learned MAC addresses will be removed after MAC address learning is disabled depends on the device model.
    Disabling MAC address learning on ports
    After enabling global MAC address learning, you may disable the function on a single port, or on all ports in a port group as needed.
  • Page 39: Configuring The Aging Timer For Dynamic Mac Address Entries

    NOTE: When MAC address learning is disabled, the learned MAC addresses remain valid until they age out.
    Configuring the aging timer for dynamic MAC address entries
    The MAC address table uses an aging timer for dynamic MAC address entries for security and efficient use of table space.
  • Page 40: Displaying And Maintaining Mac Address Tables

    NOTE:
    • Layer 2 aggregate interfaces do not support the mac-address max-mac-count command.
    • Do not configure the MAC learning limit on any member ports of an aggregation group. Otherwise, the member ports cannot be selected.
    Displaying and maintaining MAC address tables
    To do…...
  • Page 41
    000f-e235-dc71 Config static GigabitEthernet 1/0/1 NOAGED
    1 mac address(es) found
    # Display information about the destination blackhole MAC address table.
    [Sysname] display mac-address blackhole
    MAC ADDR VLAN ID STATE PORT INDEX AGING TIME
    000f-e235-abcd Blackhole NOAGED
    1 mac address(es) found
    # View the aging time of dynamic MAC address entries.
  • Page 42: Mac Information Configuration

    MAC Information configuration
    This chapter includes these sections:
    • Overview
    • Configuring MAC Information
    • MAC Information configuration example
    Overview
    Introduction to MAC Information
    To monitor a network, you need to monitor users joining and leaving the network. Because a MAC address uniquely identifies a network user, you can monitor users joining and leaving a network by monitoring their MAC addresses.
  • Page 43: Enabling Mac Information On An Interface

    Enabling MAC Information on an interface
    Follow these steps to enable MAC Information on an interface:
    To do…: Enter system view
    Use the command…: system-view
    Remarks: —
    To do…: Enter Layer 2 Ethernet interface view
    Use the command…: interface interface-type interface-number
    Remarks: —
    To do…: Enable MAC Information on the interface
    Use the command…: mac-address information enable { added | deleted }
    Remarks: Required...
  • Page 44: Mac Information Configuration Example

    MAC Information configuration example
    Network requirements
    • Host A is connected to a remote server (Server) through Device.
    • Enable MAC Information on GigabitEthernet 1/0/1 on Device. Device sends MAC address changes in Syslog messages to Host B through GigabitEthernet 1/0/3. Host B analyzes and displays the Syslog messages.
  • Page 45: Ethernet Link Aggregation Configuration

    Ethernet link aggregation configuration
    This chapter includes these sections:
    • Overview
    • Ethernet link aggregation configuration task list
    • Displaying and maintaining Ethernet link aggregation
    • Ethernet link aggregation configuration examples
    Overview
    Ethernet link aggregation, or simply link aggregation, combines multiple physical Ethernet ports into one logical link, called an aggregate link.
  • Page 46 NOTE: The rate of an aggregate interface equals the total rate of its member ports in the Selected state, and its duplex mode is the same as the selected member ports. For more information about the states of member ports in an aggregation group, see “Aggregation states of member ports in an aggregation group.”...
  • Page 47 Extended LACP functions: This is how the LACP multi-active detection (MAD) mechanism of the Intelligent Resilient Framework (IRF) feature is implemented. An S5500-SI or S5500-EI series Ethernet switch can participate in LACP MAD either as an IRF member device or an intermediate device.
  • Page 48 Selected state.
    NOTE: The S5500-SI&S5500-EI series Ethernet switches support returning Marker Response PDUs only after dynamic link aggregation member ports receive Marker PDUs.
    Link aggregation modes
    Link aggregation has two modes: dynamic and static.
  • Page 49: Aggregating Links In Static Mode

    Aggregating links in static mode
    LACP is disabled on the member ports in a static aggregation group. You must manually maintain the aggregation state of the member ports. The static link aggregation procedure comprises:
    • Selecting a reference port
    • Setting the aggregation state of each member port
    • ...
  • Page 50: Aggregating Links In Dynamic Mode

    NOTE:
    • To ensure stable aggregation state and service continuity, do not change port attributes or class-two configurations on any member port.
    • If a static aggregation group has reached the limit on Selected ports, any port that joins the group is placed...
  • Page 51 Figure 9 Set the state of a member port in a dynamic aggregation group
    Meanwhile, the system with the higher system ID, being aware of the aggregation state changes on the remote system, sets the aggregation state of local member ports the same as their peer ports.
    NOTE:
    • To ensure stable aggregation state and service continuity, do not change port attributes or class-two...
  • Page 52: Load Sharing Criteria For Link Aggregation Groups

    Load sharing criteria for link aggregation groups
    In a link aggregation group, traffic may be load-shared across the selected member ports based on a set of criteria, depending on your configuration. You can choose one of the following criteria or any combination of them for load sharing:
    • MAC addresses
    • ...
  • Page 53: Configuring A Static Aggregation Group

    NOTE:
    • If a port is used as a reflector port for port mirroring, do not assign it to any aggregation group. For more information about reflector ports, see the Network Management and Monitoring Configuration Guide.
    • To achieve better load sharing results for data traffic among the member ports of a link aggregation...
  • Page 54: Configuring An Aggregate Interface

    To do...: Set the system LACP priority
    Use the command...: lacp system-priority system-priority
    Remarks: Optional. By default, the system LACP priority is 32768. Changing the system LACP priority may affect the aggregation state of the ports in a dynamic aggregation group.
  • Page 55: Configuring The Description Of An Aggregate Interface

    NOTE: In addition to the configurations listed above, most of the configurations that can be performed on Layer 2 Ethernet interfaces can also be performed on Layer 2 aggregate interfaces.
    Configuring the description of an aggregate interface
    You can configure the description of an aggregate interface for administration purposes such as describing the purpose of the interface.
  • Page 56: Shutting Down An Aggregate Interface

    Configuring a MAC address for an aggregate interface does not affect the normal forwarding of service packets.
    Follow these steps to configure a MAC Address for an aggregate interface:
    To do…: Enter system view
    Use the command…: system-view
    Remarks: —
    To do…: Enter aggregate interface view
    Use the command…: interface bridge-aggregation
    Remarks: —...
  • Page 57: Configuring Load Sharing For Link Aggregation Groups

    Configuring load sharing for link aggregation groups
    Configuring load sharing criteria for link aggregation groups
    You can determine how traffic is load-shared across a link aggregation group by configuring load sharing criteria. The criteria can be service port numbers, IP addresses, MAC addresses, receiving ports, or any combination.
  • Page 58: Enabling Local-First Load Sharing For Link Aggregation

    To do…: Enter aggregate interface view
    Use the command…: interface bridge-aggregation interface-number
    Remarks: —
    To do…: Configure the load sharing criteria for the aggregation group
    Use the command…: link-aggregation load-sharing mode { destination-ip | destination-mac | source-ip | source-mac } *
    Remarks: Required. By default, an aggregation group uses the global link-aggregation load sharing criteria.
  • Page 59: Enabling Link-Aggregation Traffic Redirection

    Figure 10 Local-first link-aggregation load sharing
    Follow these steps to enable local-first load sharing for link aggregation:
    To do...: Enter system view
    Use the command...: system-view
    Remarks: —
    To do...: Enable local-first load-sharing for link aggregation
    Use the command...: link-aggregation load-sharing mode local-first
    Remarks: Optional. Enabled by default.
    Enabling link-aggregation traffic redirection
    The link-aggregation traffic redirection function is available on IRF member devices.
  • Page 60: Displaying And Maintaining Ethernet Link Aggregation

    CAUTION:
    • Link-aggregation traffic redirection applies only to dynamic link aggregation groups.
    • To prevent traffic interruption, enable link-aggregation traffic redirection on devices at both ends of the aggregate link.
    • To prevent packet loss that might occur at a reboot, disable both MSTP and link-aggregation traffic...
  • Page 61: Layer 2 Static Aggregation Configuration Example

    NOTE: In an aggregation group, only ports that have the same port attributes and class-two configurations (see “Configuration classes”) as the reference port (see “Reference port”) can operate as Selected ports. You must ensure that all member ports have the same port attributes and class-two configurations as the reference port.
  • Page 62
    [DeviceA] interface bridge-aggregation 1
    [DeviceA-Bridge-Aggregation1] quit
    # Assign ports GigabitEthernet 1/0/1 through GigabitEthernet 1/0/3 to link aggregation group 1.
    [DeviceA] interface gigabitethernet 1/0/1
    [DeviceA-GigabitEthernet1/0/1] port link-aggregation group 1
    [DeviceA-GigabitEthernet1/0/1] quit
    [DeviceA] interface gigabitethernet 1/0/2
    [DeviceA-GigabitEthernet1/0/2] port link-aggregation group 1
    [DeviceA-GigabitEthernet1/0/2] quit
    [DeviceA] interface gigabitethernet 1/0/3
    [DeviceA-GigabitEthernet1/0/3] port link-aggregation group 1
    [DeviceA-GigabitEthernet1/0/3] quit
  • Page 63: Layer 2 Dynamic Aggregation Configuration Example

    The output shows that link aggregation group 1 is a load shared Layer 2 static aggregation group and it contains three Selected ports.
    # Display the global link-aggregation load sharing criteria on Device A.
    [DeviceA] display link-aggregation load-sharing mode
    Link-Aggregation Load-Sharing Mode: destination-mac address, source-mac address
    The output shows that all link aggregation groups created on the device perform load sharing based on source and destination MAC addresses.
  • Page 64
    [DeviceA-vlan20] quit
    # Create Layer 2 aggregate interface Bridge-Aggregation 1, and configure the link aggregation mode as dynamic.
    [DeviceA] interface bridge-aggregation 1
    [DeviceA-Bridge-Aggregation1] link-aggregation mode dynamic
    # Assign ports GigabitEthernet 1/0/1 through GigabitEthernet 1/0/3 to link aggregation group 1 one at a time.
  • Page 65: Layer 2 Aggregation Load Sharing Configuration Example

    Interface Mode Ports Ports Type
    -------------------------------------------------------------------------------
    BAGG1 0x8000, 000f-e2ff-0002 Shar
    The output shows that link aggregation group 1 is a load shared Layer 2 dynamic aggregation group and it contains three Selected ports.
    # Display the global link-aggregation load sharing criteria on Device A.
    [DeviceA] display link-aggregation load-sharing mode
    Link-Aggregation Load-Sharing Mode: destination-mac address, source-mac address...
  • Page 66
    [DeviceA-vlan10] quit
    # Create VLAN 20, and assign port GigabitEthernet 1/0/6 to VLAN 20.
    <DeviceA> system-view
    [DeviceA] vlan 20
    [DeviceA-vlan20] port gigabitethernet 1/0/6
    [DeviceA-vlan20] quit
    # Create Layer 2 aggregate interface Bridge-Aggregation 1, and configure the load sharing criterion for the link aggregation group as the source MAC addresses of packets.
  • Page 67
    [DeviceA-Bridge-Aggregation2] port link-type trunk
    [DeviceA-Bridge-Aggregation2] port trunk permit vlan 10 20
    Please wait... Done.
    Configuring GigabitEthernet1/0/3... Done.
    Configuring GigabitEthernet1/0/4... Done.
    [DeviceA-Bridge-Aggregation2] quit
    Configure Device B
    Configure Device B as you configure Device A.
    Verify the configurations
    # Display the summary information about all aggregation groups on Device A.
    [DeviceA] display link-aggregation summary
    Aggregation Interface Type: BAGG -- Bridge-Aggregation, RAGG -- Route-Aggregation...
  • Page 68: Port Isolation Configuration

    VLAN resource demanding. To isolate Layer 2 traffic without using VLANs, H3C introduced the port isolation feature. To use the feature, you assign ports to a port isolation group. Ports in an isolation group are called isolated ports.
  • Page 69: Displaying And Maintaining Isolation Groups

    To do: Assign the port or ports to the isolation group. Use the command: port-isolate enable. Remarks: Required. The isolation group does not contain any ports by default.
    NOTE: If the switch fails to apply the port-isolate enable command to a Layer 2 aggregate interface, it does not assign any member port of the aggregate interface to the isolation group.
  • Page 70 Figure 14 Network diagram for port isolation configuration
    Configuration procedure
    # Assign ports GigabitEthernet 1/0/1, GigabitEthernet 1/0/2 and GigabitEthernet 1/0/3 to isolation group 1.
    <Device> system-view
    [Device] interface gigabitethernet 1/0/1
    [Device-GigabitEthernet1/0/1] port-isolate enable
    [Device-GigabitEthernet1/0/1] quit
    [Device] interface gigabitethernet 1/0/2
    [Device-GigabitEthernet1/0/2] port-isolate enable
    [Device-GigabitEthernet1/0/2] quit
    [Device] interface gigabitethernet 1/0/3
    [Device-GigabitEthernet1/0/3] port-isolate enable...
  • Page 71: Mstp Configuration

    MSTP configuration
    This chapter includes these sections:
    • Introduction to STP
    • Introduction to RSTP
    • Introduction to MSTP
    • MSTP configuration task list
    • Displaying and maintaining MSTP
    • MSTP configuration example
    As a Layer 2 management protocol, the Spanning Tree Protocol (STP) eliminates Layer 2 loops by selectively blocking redundant links in a network, and in the meantime, allows for link redundancy.
  • Page 72: Basic Concepts In Stp

    • Root bridge ID: consisting of the priority and MAC address of the root bridge.
    • Root path cost: the cost of the path to the root bridge denoted by the root identifier from the transmitting bridge.
    • Designated bridge ID: consisting of the priority and MAC address of the designated bridge.
    •...
  • Page 73: How Stp Works

    Figure 15 A schematic diagram of designated bridges and designated ports
    Path cost
    Path cost is a reference value used for link selection in STP. By calculating path costs, STP selects relatively robust links and blocks redundant links, and finally prunes the network into a loop-free tree.
    How STP works
    STP has the following workflow:
    Initial state...
  • Page 74 Step Description
    • If the calculated configuration BPDU is superior, the device considers this port as the designated port, replaces the configuration BPDU on the port with the calculated configuration BPDU, and periodically sends out the calculated configuration BPDU.
    • If the configuration BPDU on the port is superior, the device blocks this port without updating its configuration BPDU.
  • Page 75 Figure 16 Network diagram for the STP algorithm
    As shown in Figure 16, the priority of Device A, Device B, and Device C is 0, 1, and 2 respectively, and the path costs among these links are 5, 10, and 4 respectively.
    Initial state of each device
    Table 10 Initial state of each device
    Device...
  • Page 76 Table 11 Comparison process and result on each device
    Columns: Device; Comparison process; Configuration BPDU on ports after comparison
    • Port A1 receives the configuration BPDU of Port B1 {1, 0, 1, Port B1}, finds that its existing configuration BPDU {0, 0, 0, Port A1} is superior to the received configuration BPDU, and discards the received one.
  • Page 77 Columns: Device; Comparison process; Configuration BPDU on ports after comparison
    Comparison process:
    • Port C1 receives the configuration BPDU of Port A2 {0, 0, 0, Port A2}, finds that the received configuration BPDU is superior to its existing configuration BPDU {2, 0, 2, Port C1}, and updates its configuration BPDU.
    Configuration BPDU on ports after comparison:
    • Port C1: {0, 0, 0, Port...
  • Page 78 NOTE: In Table 11, each configuration BPDU contains the following fields: root bridge ID, root path cost, designated bridge ID, and designated port ID.
    After the comparison processes described in Table 11, a spanning tree with Device A as the root bridge is established, and the topology is shown in Figure 17.
    Figure 17 Topology of the final calculated spanning tree...
  • Page 79: Introduction To Rstp

    is likely to occur. For this reason, as a mechanism for state transition in STP, the newly elected root ports or designated ports require twice the forward delay time before transiting to the forwarding state to ensure that the new configuration BPDU has propagated throughout the network. •...
  • Page 80: Basic Concepts In Mstp

    • MSTP divides a switched network into multiple regions, each containing multiple spanning trees that are independent of one another.
    • MSTP prunes a loop network into a loop-free tree, avoiding proliferation and endless cycling of packets in a loop network. In addition, it provides multiple redundant paths for data forwarding, supporting load balancing of VLAN data.
  • Page 81 Figure 19 Network diagram and topology of MST region 3
    As shown in Figure 18, a switched network comprises four MST regions, and each MST region comprises four devices running MSTP. Figure 19 shows the networking topology of MST region 3. This section describes some basic concepts of MSTP.
  • Page 82 The common spanning tree (CST) is a single spanning tree that connects all MST regions in a switched network. If you regard each MST region as a device, the CST is a spanning tree calculated by these devices through STP or RSTP. For example, the blue lines in Figure 18 represent the CST.
  • Page 83 Figure 20 Port roles
    MSTP calculation involves these port roles:
    • Root port: Forwards data for a non-root bridge to the root bridge. The root bridge does not have any root port.
    • Designated port: Forwards data to the downstream network segment or device.
    •...
  • Page 84: How Mstp Works

    NOTE: When in different MSTIs, a port can be in different states. A port state is not exclusively associated with a port role. Table 12 lists the port state(s) supported by each port role (“√” indicates that the port supports this state, and “—” indicates that the port does not support this state).
  • Page 85: Protocols And Standards

    • Root guard
    • BPDU guard
    • Loop guard
    • TC-BPDU guard
    • BPDU drop
    Protocols and standards
    MSTP is documented in:
    • IEEE 802.1d: Media Access Control (MAC) Bridges
    • IEEE 802.1w: Part 3: Media Access Control (MAC) Bridges—Amendment 2: Rapid Reconfiguration
    •...
  • Page 86: Configuring Mstp

    Task: Configuring path costs of ports. Remarks: Optional
    Task: Configuring port priority. Remarks: Optional
    Task: Configuring the link type of ports. Remarks: Optional
    Task: Configuring the mode a port uses to recognize/send MSTP packets. Remarks: Optional
    Task: Enabling the output of port state transition information. Remarks: Optional
    Task: Enabling the MSTP feature. Remarks: Required
    Task: Performing mCheck. Remarks: Optional...
  • Page 87: Configuring The Root Bridge Or A Secondary Root Bridge

    To do: Configure the MST region name. Use the command: region-name name. Remarks: Optional. The MST region name is the MAC address by default.
    To do: Configure the VLAN-to-instance mapping table. Use the command: instance instance-id vlan vlan-list, or vlan-mapping modulo modulo. Remarks: Optional. Use either command. All VLANs in an MST region are mapped to the CIST (or MSTI 0) by...
  • Page 88: Configuring The Work Mode Of An Mstp Device

    • When the root bridge of an instance fails or is shut down, the secondary root bridge (if you have specified one) can take over the role of the primary root bridge. However, if you then specify a new primary root bridge for the instance, the secondary root bridge will not become the root bridge. If you have specified multiple secondary root bridges for an instance, when the root bridge fails, MSTP will select the secondary root bridge with the lowest MAC address as the new root bridge.
  • Page 89: Configuring The Priority Of A Device

    To do: Enter system view. Use the command: system-view. Remarks: —
    To do: Configure the work mode of MSTP. Use the command: stp mode { stp | rstp | mstp }. Remarks: Required. MSTP mode by default.
    Configuring the priority of a device
    Device priorities participate in spanning tree calculation. The priority of a device determines whether it can be elected as the root bridge of a spanning tree.
  • Page 90: Configuring The Network Diameter Of A Switched Network

    • Max age ≥ 2 × (hello time + 1 second)
    H3C recommends that you do not manually set the timers. Instead, you can use the stp bridge-diameter command to set the network diameter, and let the network automatically adjust the three timers according to the network size.
  • Page 91: Configuring The Timeout Factor

    If the max age is too long, the network may fail to detect link failures and launch spanning tree calculations in a timely manner, reducing the auto-sensing capability of the network. H3C recommends that you use the default setting.
    Configuring the timeout factor
    The timeout factor is a parameter used to decide the timeout time in the following formula: Timeout time = timeout factor ×...
  • Page 92: Configuring The Maximum Port Rate

    By setting an appropriate maximum port rate, you can limit the rate at which the port sends BPDUs and prevent MSTP from using excessive network resources when the network becomes unstable. H3C recommends that you use the default setting.
    Configuring ports as edge ports
    If a port directly connects to a user terminal rather than another device or a shared LAN segment, this port is regarded as an edge port.
  • Page 93: Configuring Path Costs Of Ports

    To do: Configure the current ports as edge ports. Use the command: stp edged-port enable. Remarks: Required. All ports are non-edge ports by default.
    NOTE:
    • With BPDU guard disabled, when a port set as an edge port receives a BPDU from another port, it will...
  • Page 94 Table 13 Mappings between the link speed and the path cost Path cost Link speed Port type IEEE IEEE 802.1t Private standard 802.1d-1998 — 65535 200,000,000 200,000 Single Port 2,000,000 2,000 Aggregate interface 1,000,000 1,800 containing 2 selected ports 10 Mbps Aggregate interface 666,666 1,600...
  • Page 95: Configuring Port Priority

    To do: Enter system view. Use the command: system-view. Remarks: —
    To do: Enter interface view or port group view. Remarks: Required. Use either command.
    • Enter Ethernet interface view or Layer 2 aggregate interface view: interface interface-type interface-number
    • Enter port group view: port-group manual port-group-name
    Use the command: stp [ instance instance-id ]... Remarks: Required
  • Page 96: Configuring The Link Type Of Ports

    If the current port is a Layer 2 aggregate interface or if it works in full duplex mode, you can configure the link to which the current port connects as a point-to-point link. H3C recommends that you use the default setting, and let MSTP detect the link status automatically.
  • Page 97: Configuring The Mode A Port Uses To Recognize/Send Mstp Packets

    Configuring the mode a port uses to recognize/send MSTP packets
    A port can receive/send MSTP packets in the following formats:
    • dot1s: 802.1s-compliant standard format, and
    • legacy: Compatible format
    By default, the packet format recognition mode of a port is auto. The port automatically distinguishes the two MSTP packet formats, and determines the format of packets it will send based on the recognized format.
  • Page 98: Enabling The Mstp Feature

    To do: Enter system view. Use the command: system-view. Remarks: —
    To do: Enable output of port state transition information. Use the command: stp port-log { all | instance instance-id }. Remarks: Required. Enabled by default.
    Enabling the MSTP feature
    You must enable MSTP for the device before any other MSTP-related configurations can take effect. Make this configuration on the root bridge and on the leaf nodes separately.
  • Page 99: Configuring Digest Snooping

    You can perform mCheck on a port through the following two approaches, which lead to the same result.
    Performing mCheck globally
    Follow these steps to perform global mCheck:
    To do: Enter system view. Use the command: system-view. Remarks: —
    To do: Perform mCheck. Use the command: stp mcheck. Remarks: Required
    Performing mCheck in interface view...
  • Page 100 You can only modify the region name and revision level. You must enable Digest Snooping both globally and on associated ports to make it take effect. H3C •...
  • Page 101: Configuring No Agreement Check

    Figure 21 Digest Snooping configuration
    Configuration procedure
    # Enable Digest Snooping on GigabitEthernet 1/0/1 of Device A and enable global Digest Snooping on Device A.
    <DeviceA> system-view
    [DeviceA] interface gigabitethernet 1/0/1
    [DeviceA-GigabitEthernet1/0/1] stp config-digest-snooping
    [DeviceA-GigabitEthernet1/0/1] quit
    [DeviceA] stp config-digest-snooping
    # Enable Digest Snooping on GigabitEthernet 1/0/1 of Device B and enable global Digest Snooping on Device B.
  • Page 102 Figure 22 Rapid state transition of an MSTP designated port (between an upstream device and a downstream device)
    (1) Proposal for rapid transition. The root port blocks non-edge ports.
    (2) Agreement. The root port changes to the forwarding state and sends an Agreement to the upstream device.
  • Page 103: Configuring Protection Functions

    To do: Enter system view. Use the command: system-view. Remarks: —
    To do: Enter interface view or port group view. Remarks: Required. Use either command.
    • Enter Ethernet interface view or Layer 2 aggregate interface view: interface interface-type interface-number
    • Enter port group view: port-group manual port-group-name
    To do: Enable No Agreement Check... Remarks: Required
  • Page 104 Enabling BPDU guard
    For access layer devices, the access ports can directly connect to the user terminals (such as PCs) or file servers. The access ports are configured as edge ports to allow rapid transition. When these ports receive configuration BPDUs, the system will automatically set these ports as non-edge ports and start a new spanning tree calculation process.
  • Page 105
    To do: Enter interface view or port group view. Remarks: Required. Use either command.
    • Enter Ethernet interface view or Layer 2 aggregate interface view: interface interface-type interface-number
    • Enter port group view: port-group manual port-group-name
    To do: Enable the root guard function for the port(s). Use the command: stp root-protection. Remarks: Required. Disabled by default.
  • Page 106: Displaying And Maintaining Mstp

    6 by default. period after it receives the first TC-BPDU
    NOTE: H3C recommends that you do not disable this feature.
    Enabling BPDU drop
    In an STP-enabled network, after receiving BPDUs, a device performs STP calculation according to the received BPDUs and forwards received BPDUs to other devices in the network. This allows malicious attackers to forge BPDUs to attack the network: By continuously sending forged BPDUs, they can make all the devices in the network perform STP calculations all the time.
  • Page 107: Mstp Configuration Example

    To do: Display BPDU statistics on ports. Use the command: display stp bpdu-statistics [ interface interface-type interface-number [ instance instance-id ] ] [ | { begin | exclude | include } regular-expression ]. Remarks: Available in any view
    To do: Display information about ports blocked by STP protection functions. Use the command: display stp down-port [ | { begin |... Remarks: Available in any view
  • Page 108 Figure 25 Network diagram for MSTP configuration
    Configuration procedure
    VLAN and VLAN member port configuration
    Create VLAN 10, VLAN 20, and VLAN 30 on Device A and Device B respectively, create VLAN 10, VLAN 20, and VLAN 40 on Device C, and create VLAN 20, VLAN 30, and VLAN 40 on Device D. Configure the ports on these devices as trunk ports and assign them to related VLANs.
  • Page 109
    [DeviceB] stp region-configuration
    [DeviceB-mst-region] region-name example
    [DeviceB-mst-region] instance 1 vlan 10
    [DeviceB-mst-region] instance 3 vlan 30
    [DeviceB-mst-region] instance 4 vlan 40
    [DeviceB-mst-region] revision-level 0
    # Activate MST region configuration.
    [DeviceB-mst-region] active region-configuration
    [DeviceB-mst-region] quit
    # Specify the current device as the root bridge of MSTI 3.
    [DeviceB] stp instance 3 root primary
    # Enable MSTP globally.
  • Page 110
    # Enable MSTP globally.
    [DeviceD] stp enable
    Verifying the configurations
    You can use the display stp brief command to display brief spanning tree information on each device after the network is stable.
    # Display brief spanning tree information on Device A.
    [DeviceA] display stp brief
    MSTID Port...
  • Page 111 Figure 26 MSTIs mapped to different VLANs...
  • Page 112: Bpdu Tunneling Configuration

    BPDU tunneling configuration
    This chapter includes these sections:
    • Introduction to BPDU tunneling
    • Configuring BPDU tunneling
    • BPDU tunneling configuration examples
    Introduction to BPDU tunneling
    As a Layer 2 tunneling technology, BPDU tunneling enables Layer 2 protocol packets from geographically dispersed customer networks to be transparently transmitted over specific tunnels across a service provider network.
  • Page 113: Bpdu Tunneling Implementation

    NOTE: Depending on the device models, H3C devices support BPDU tunneling for the following protocols:
    • Cisco Discovery Protocol (CDP)
    • Device Link Detection Protocol (DLDP)
    • Ethernet Operation, Administration and Maintenance (EOAM)
    • GARP VLAN Registration Protocol (GVRP)
    • HW Group Management Protocol (HGMP)
    •...
  • Page 114: Configuring Bpdu Tunneling

    Figure 28 Network diagram for BPDU tunneling implementation (diagram labels: PE 1, PE 2, ISP network, BPDU tunnel, CE 1, CE 2, User A network 1, User A network 2)
    As shown in Figure 28, the upper part is the service provider network (ISP network), and the lower part represents two geographically dispersed segments of a customer network: User A network 1 and User A network 2.
  • Page 115: Enabling Bpdu Tunneling

    Enabling BPDU tunneling
    You can enable BPDU tunneling for different protocols in different views.
    NOTE:
    • Settings made in Ethernet interface view or Layer 2 aggregate interface view take effect only on the current port. Settings made in port group view take effect on all ports in the port group.
    • Before enabling BPDU tunneling for DLDP, EOAM, GVRP, HGMP, LLDP, or STP on a port, disable the...
  • Page 116: Bpdu Tunneling Configuration Examples

    To do: Configure the destination multicast MAC address for BPDUs. Use the command: bpdu-tunnel tunnel-dmac mac-address. Remarks: Optional. 0x010F-E200-0003 by default.
    NOTE: For BPDUs to be recognized, the destination multicast MAC addresses configured for BPDU tunneling must be the same on the edge devices on the service provider network.
    BPDU tunneling configuration examples
    BPDU tunneling for STP configuration example
    Network requirements...
  • Page 117: Bpdu Tunneling For Pvst Configuration Example

    [PE1] interface gigabitethernet 1/0/1
    [PE1-GigabitEthernet1/0/1] port access vlan 2
    # Disable STP on GigabitEthernet 1/0/1, and then enable BPDU tunneling for STP on it.
    [PE1-GigabitEthernet1/0/1] undo stp enable
    [PE1-GigabitEthernet1/0/1] bpdu-tunnel dot1q stp
    Configuration on PE 2
    # Configure the destination multicast MAC address for BPDUs as 0x0100-0CCD-CDD0.
    <PE2>...
  • Page 118
    <PE1> system-view
    [PE1] bpdu-tunnel tunnel-dmac 0100-0ccd-cdd0
    # Configure GigabitEthernet 1/0/1 as a trunk port and assign it to all VLANs.
    [PE1] interface gigabitethernet 1/0/1
    [PE1-GigabitEthernet1/0/1] port link-type trunk
    [PE1-GigabitEthernet1/0/1] port trunk permit vlan all
    # Disable STP on GigabitEthernet 1/0/1, and then enable BPDU tunneling for STP and PVST on it.
    [PE1-GigabitEthernet1/0/1] undo stp enable
    [PE1-GigabitEthernet1/0/1] bpdu-tunnel dot1q stp
    [PE1-GigabitEthernet1/0/1] bpdu-tunnel dot1q pvst...
  • Page 119: Vlan Configuration

    VLAN configuration
    This chapter includes these sections:
    • Introduction to VLAN
    • Configuring basic VLAN settings
    • Configuring basic settings of a VLAN interface
    • Port-based VLAN configuration
    • MAC-based VLAN configuration
    • Protocol-based VLAN configuration
    • IP Subnet-based VLAN configuration
    •...
  • Page 120: Vlan Fundamentals

    • Improving LAN security. By assigning user groups to different VLANs, you can isolate them at Layer 2. To enable communication between VLANs, routers or Layer 3 switches are required.
    • Flexible virtual workgroup creation. As users from the same workgroup can be assigned to the same VLAN regardless of their physical locations, network construction and maintenance is much easier and more flexible.
  • Page 121: Types Of Vlan

    Types of VLAN
    You can implement VLAN based on the following criteria:
    • Port
    • MAC address
    • Protocol
    • IP subnet
    • Policy
    • Other criteria
    NOTE:
    • Ethernet Switches support port-based VLAN, MAC-based VLAN, protocol-based VLAN, and IP-based VLAN.
  • Page 122: Configuring Basic Settings Of A Vlan Interface

    NOTE:
    • As the default VLAN, VLAN 1 cannot be created or removed.
    • You cannot manually create or remove VLANs reserved for special purposes.
    • Dynamic VLANs cannot be removed with the undo vlan command.
    • A VLAN with a QoS policy applied cannot be removed.
    •...
  • Page 123: Port-Based Vlan Configuration

    VLAN, see the chapter “Voice VLAN configuration.”
    • H3C recommends that you set the same default VLAN ID for the local and remote ports.
    • Make sure that a port is assigned to its default VLAN. Otherwise, when the port receives frames tagged...
  • Page 124: Assigning An Access Port To A Vlan

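    Columns: Port type; Actions (in the inbound direction) for an untagged frame; Actions (in the inbound direction) for a tagged frame; Actions (in the outbound direction)
    Port type: Access
    • Untagged frame (inbound): Tag the frame with the default VLAN tag.
    • Tagged frame (inbound): Receive the frame if its VLAN ID is the same as the default VLAN ID....
    • Outbound: Remove the VLAN tag and send...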
  • Page 125: Assigning A Trunk Port To A Vlan

    To do: Enter interface view (including Ethernet interface... Remarks: Required. Use either command.
    • Enter Ethernet interface view: interface interface-type interface-number
    • Enter Layer 2...: interface bridge-aggregation...
    Remarks (continued):
    • In Ethernet interface view, the subsequent configurations apply to the current port.
    • In port group view, the...
  • Page 126: Assigning A Hybrid Port To A Vlan

    To do: Enter interface view (including Ethernet interface view, ... Remarks: Required. Use either command.
    • Enter Ethernet interface view: interface interface-type interface-number
    • Enter Layer 2...
    Remarks (continued):
    • In Ethernet interface view, the subsequent configurations apply to the current port.
    •...
  • Page 127: Port-Based Vlan Configuration Example

    To do: Enter interface view (including Ethernet... Remarks: Required. Use either command.
    • Enter Ethernet interface view: interface interface-type interface-number
    • Enter Layer 2...: interface bridge-aggregation...
    Remarks (continued):
    • In Ethernet interface view, the subsequent configurations apply to the current port.
    •...
  • Page 128
    • To ensure communication security and avoid broadcast storms, VLANs are configured in the enterprise network to isolate Layer 2 traffic of different departments.
    • VLAN 100 is assigned to Department A, and VLAN 200 is assigned to Department B.
    • Ensure that hosts within the same VLAN can communicate with each other.
  • Page 129: Mac-Based Vlan Configuration

    Description: protocol VLAN for IPv4
    Name: VLAN 0100
    Tagged Ports: GigabitEthernet1/0/3
    Untagged Ports: GigabitEthernet1/0/1
    [DeviceA-GigabitEthernet1/0/3] display vlan 200
    VLAN ID: 200
    VLAN Type: static
    Route Interface: not configured
    Description: protocol VLAN for IPv6
    Name: VLAN 0200
    Tagged Ports: GigabitEthernet1/0/3
    Untagged Ports: GigabitEthernet1/0/2
    MAC-based VLAN configuration
    Introduction to MAC-based VLAN...
  • Page 130: Configuring Mac-Based Vlan

    from its other ports, it cannot assign these ports to the corresponding VLAN. Approach 2 can solve this problem. In this approach, you must manually create MAC-to-VLAN mappings, enable MAC-based VLAN, and enable MAC-based dynamic port assignment. After that, the device can dynamically assign ports to static MAC-based VLANs based on the MAC addresses of received packets.
  • Page 131 NOTE:
    • MAC-based VLANs are available only on hybrid ports.
    • Because MAC-based dynamic port assignment is mainly configured on the downlink ports of the user access devices, do not enable this function together with link aggregation.
    • After you associate MAC addresses with a VLAN, if you specify the 802.1p priority value corresponding to...
  • Page 132 NOTE:
    • With MAC-based dynamic port assignment enabled, packets with unknown source MAC addresses are sent to the CPU for processing. Because this packet processing mode has the highest priority, the configuration of MAC learning limit and disabling MAC address learning becomes invalid. When MAC-based dynamic port assignment is enabled, do not configure the two features.
  • Page 133: Mac-Based Vlan Configuration Example

    Configuring dynamic MAC-based VLAN issuing
    To configure dynamic MAC-based VLAN issuing, first configure both the switch and the access authentication server. This subsection describes the configuration needed on the switch only.
    NOTE: After enabling MAC-based VLAN on the switch, you must configure related authentication settings on the Security access authentication server.
  • Page 134 Figure 36 Network diagram for MAC-based VLAN configuration
    Hosts shown in the diagram: Server1 (VLAN 100, IP: 1.1.1.1/24), Server2 (VLAN 200, IP: 1.1.2.1/24), Laptop1 (VLAN 100, IP: 1.1.1.2/24, MAC: 000d-88f8-4e71), Laptop2 (VLAN 200, IP: 1.1.2.2/24, MAC: 0014-222c-aa69)
    Switches shown in the diagram: Device A, Device B, Device C (port labels: GE1/0/14, GE1/0/13, GE1/0/4, GE1/0/3, GE1/0/2, GE1/0/1)...
  • Page 135
    [DeviceA-GigabitEthernet1/0/1] port link-type hybrid
    [DeviceA-GigabitEthernet1/0/1] port hybrid vlan 100 200 untagged
    Please wait... Done.
    [DeviceA-GigabitEthernet1/0/1] mac-vlan enable
    [DeviceA-GigabitEthernet1/0/1] quit
    # To enable the laptops to access Server 1 and Server 2, configure the uplink port GigabitEthernet 1/0/2 as a trunk port, and assign it to VLANs 100 and 200.
    [DeviceA] interface gigabitethernet 1/0/2
    [DeviceA-GigabitEthernet1/0/2] port link-type trunk
    [DeviceA-GigabitEthernet1/0/2] port trunk permit vlan 100 200...
  • Page 136: Protocol-Based Vlan Configuration

    Total MAC VLAN address count:2
    Configuration guidelines
    MAC-based VLAN can be configured only on hybrid ports. MAC-based VLAN is typically configured on the downlink ports of access layer devices, and cannot be configured together with the link aggregation function.
    Protocol-based VLAN configuration
    Introduction to protocol-based VLAN
    NOTE: Protocol-based VLAN configuration applies to hybrid ports only.
  • Page 137
    To do: Create a protocol template for the VLAN. Use the command: protocol-vlan [ protocol-index ] { at | ipv4 | ipv6 | ipx { ethernetii | llc | raw | snap } | mode { ethernetii etype etype-id | llc { dsap dsap-id [ ssap ssap-id ] |... Remarks: Required
  • Page 138: Protocol-Based Vlan Configuration Example

    CAUTION:
    • Do not configure both the dsap-id and ssap-id arguments in the protocol-vlan command as 0xe0 or 0xff when configuring the user-defined template for llc encapsulation. Otherwise, the encapsulation format of the matching packets will be the same as that of the ipx llc or ipx raw packets respectively.
    • When you use the mode keyword to configure a user-defined protocol template, do not set etype-id...
  • Page 139 Configuration consideration
    Create VLANs 100 and 200. Associate VLAN 100 with IPv4, and VLAN 200 with IPv6. Configure protocol-based VLANs to isolate IPv4 traffic and IPv6 traffic at Layer 2.
    Configuration procedure
    Configuration on Device
    # Create VLAN 100, and assign port GigabitEthernet 1/0/11 to VLAN 100.
    <Device>...
  • Page 140: Ip Subnet-Based Vlan Configuration

    Configure IPv4 Host A, IPv4 Host B, and IPv4 Server to be on the same network segment, 192.168.100.0/24 for example, and configure IPv6 Host A, IPv6 Host B, and IPv6 Server to be on the same network segment, 192.168.200.0/24 for example.
    Verification
    The hosts and the server in VLAN 100 can ping one another successfully.
  • Page 141: Configuring An Ip Subnet-Based Vlan

    Configuring an IP subnet-based VLAN
    NOTE: This feature is only applicable on hybrid ports.
    Follow these steps to configure an IP subnet-based VLAN:
    To do: Enter system view. Use the command: system-view. Remarks: —
    To do: Enter VLAN view. Use the command: vlan vlan-id. Remarks: —
    To do: Associate an IP subnet with the current... Remarks: Required. The IP network segment or IP...
  • Page 142: Displaying And Maintaining Vlan

    Displaying and maintaining VLAN
    To do: Display VLAN information. Use the command: display vlan [ vlan-id1 [ to vlan-id2 ] | all | dynamic | reserved | static ] [ | { begin | exclude | include } regular-expression ]. Remarks: Available in any view
    To do: Display VLAN interface... Use the command: display interface vlan-interface [ vlan-interface-id ] [ | { begin | exclude |...
  • Page 143: Super Vlan Configuration (Available Only On The S5500-Ei)

    Super VLAN configuration (available only on the S5500-EI)
    This chapter includes these sections:
    • Overview
    • Configuring a super VLAN
    • Displaying and maintaining super VLAN
    • Super VLAN configuration example
    Overview
    Super VLAN, also called “VLAN aggregation”, was introduced to save the IP address space. A super VLAN is associated with multiple sub-VLANs.
  • Page 144 NOTE: To configure more sub-VLANs, repeat these steps.
    Configuring a super VLAN
    Follow these steps to configure a super VLAN:
    To do: Enter system view. Use the command: system-view. Remarks: —
    To do: Enter VLAN view. Use the command: vlan vlan-id. Remarks: Required. If the specified VLAN does not exist, this command creates the VLAN first, and then enters VLAN...
  • Page 145: Displaying And Maintaining Super Vlan

    VLAN. However, only DHCP takes effect.
    • Configuring VRRP for the VLAN interface of a super VLAN affects network performance. H3C recommends that you do not configure this function in normal cases. For more information about VRRP, see the...
  • Page 146 Configuration procedure
    # Create VLAN 10, and configure its VLAN interface IP address as 10.0.0.1/24.
    <Sysname> system-view
    [Sysname] vlan 10
    [Sysname-vlan10] interface vlan-interface 10
    [Sysname-Vlan-interface10] ip address 10.0.0.1 255.255.255.0
    # Enable local proxy ARP.
    [Sysname-Vlan-interface10] local-proxy-arp enable
    [Sysname-Vlan-interface10] quit
    # Create VLAN 2, and assign GigabitEthernet 1/0/1 and GigabitEthernet 1/0/2 to it.
    [Sysname] vlan 2
    [Sysname-vlan2] port gigabitethernet 1/0/1 gigabitethernet 1/0/2
    [Sysname-vlan2] quit...
  • Page 147
    VLAN ID: 2
    VLAN Type: static
    It is a Sub VLAN.
    Route Interface: configured
    Ip Address: 10.0.0.1
    Subnet Mask: 255.255.255.0
    Description: VLAN 0002
    Name: VLAN 0002
    Tagged Ports: none
    Untagged Ports: GigabitEthernet1/0/1 GigabitEthernet1/0/2
    VLAN ID: 3
    VLAN Type: static
    It is a Sub VLAN.
    Route Interface: configured
    Ip Address: 10.0.0.1
    Subnet Mask: 255.255.255.0...
  • Page 148: Isolate-User-Vlan Configuration

    Isolate-user-VLAN configuration
    This chapter includes these sections:
    • Overview
    • Configuring isolate-user-VLAN
    • Displaying and maintaining isolate-user-VLAN
    • Isolate-user-VLAN configuration example
    Overview
    An isolate-user-VLAN uses a two-tier VLAN structure. In this approach, two types of VLANs, isolate-user-VLAN and secondary VLAN, are configured on the same device. The following are the characteristics of the isolate-user-VLAN implementation:
    •...
  • Page 149: Configuring An Isolate-User-Vlan

    Configure the isolate-user-VLAN. Configure the secondary VLANs. Assign non-trunk ports to the isolate-user-VLAN and configure these ports as upstream ports. Assign non-trunk ports to each secondary VLAN and configure these ports as downstream ports. Associate the isolate-user-VLAN with the specified secondary VLANs. To enable users in the isolate-user-VLAN to communicate with other networks at Layer 3, configure VLAN interfaces for the isolate-user-VLAN and its secondary VLANs, and configure the gateway IP address for the isolate-user-VLAN interface.
  • Page 150: Configuring Secondary Vlans

    To do... Use the command Remarks • This configuration is optional when the isolate-user-VLAN operates at Layer 2. • This configuration is required Configure an IP address for the ip address ip-address { mask | when the isolate-user-VLAN isolate-user-VLAN interface mask-length } [ sub ] operates at Layer 3.
  • Page 151: Associating Secondary Vlans With An Isolate-User-Vlan

    To do… Use the command… Remarks • This configuration is optional when the isolate-user-VLAN operates at Layer 2. • This configuration is required Create a secondary VLAN interface interface vlan-interface when the isolate-user-VLAN and enter secondary VLAN interface vlan-interface-id operates at Layer 3. view The vlan-interface-id argument must take the secondary VLAN...
  • Page 152
    • Create isolate-user-VLAN 2 on Switch A and Switch B, and configure the IP addresses of the isolate-user-VLAN interfaces as 202.38.160.1/24 and 202.38.160.2/24 respectively.
    • Configure GigabitEthernet 1/0/10 as an upstream port and GigabitEthernet 1/0/11 as a downstream port on Switch A and Switch B.
    • Create secondary VLANs 20 and 40 on Switch A, Switch B, Switch C, and Switch D....
  • Page 153
    # Configure port GigabitEthernet 1/0/1 as an upstream port.
    [SwitchA] interface GigabitEthernet 1/0/1
    [SwitchA-GigabitEthernet1/0/1] port isolate-user-vlan promiscuous
    [SwitchA-GigabitEthernet1/0/1] quit
    # Create isolate-user-VLAN interface 2, and configure it with an IP address.
    [SwitchA] interface vlan-interface 2
    [SwitchA-Vlan-interface2] ip address 202.38.160.1 255.255.255.0
    # Enable local proxy ARP on isolate-user-VLAN interface 2.
  • Page 154
    [SwitchA-GigabitEthernet1/0/11] port hybrid pvid vlan 20
    # Configure port GigabitEthernet 1/0/11 as a downstream port.
    [SwitchA-GigabitEthernet1/0/11] port isolate-user-vlan host
    [SwitchA-GigabitEthernet1/0/11] quit
    # Associate secondary VLANs 20 and 40 with isolate-user-VLAN 2.
    [SwitchA] isolate-user-vlan 2 secondary 20 40
    Configuration on Switch B
    # Create isolate-user-VLAN 2.
  • Page 155
    [SwitchB-GigabitEthernet1/0/10] port link-type hybrid
    [SwitchB-GigabitEthernet1/0/10] port hybrid vlan 2 20 40 tagged
    [SwitchB-GigabitEthernet1/0/10] port hybrid pvid vlan 2
    [SwitchB-GigabitEthernet1/0/10] quit
    # Configure GigabitEthernet 1/0/11 as a hybrid port, and configure it to send the packets from VLANs 2, 20, and 40 with VLAN tags kept.
    [SwitchB] interface GigabitEthernet 1/0/11
    [SwitchB-GigabitEthernet1/0/11] port link-type hybrid
    [SwitchB-GigabitEthernet1/0/11] port hybrid vlan 2 20 40 tagged...
  • Page 156
    # Configure GigabitEthernet 1/0/11 as a hybrid port, and configure it to send the packets from VLANs 2, 20, and 40 with VLAN tags kept.
    [SwitchC] interface GigabitEthernet 1/0/11
    [SwitchC-GigabitEthernet1/0/11] port link-type hybrid
    [SwitchC-GigabitEthernet1/0/11] port hybrid vlan 2 20 40 tagged
    [SwitchC-GigabitEthernet1/0/11] quit
    Configuration on Switch D
    # Configure Switch D using the same instructions that you used to configure Switch C.
  • Page 157 GigabitEthernet1/0/1 # Display detailed information about VRRP group 1 on Switch A. [SwitchA-Vlan-interface2] display vrrp verbose IPv4 Standby Information: Run Mode : Standard Run Method : Virtual MAC Total number of virtual routers : 1 Interface Vlan-interface2 VRID Adver Timer Admin Status : Up State...
  • Page 158 Virtual IP : 202.38.160.111 Virtual MAC : 0000-5e00-0101 Master IP : 202.38.160.2 The output shows that Switch B is the master router in VRRP group 1, and Switch B forwards the packets from Host A to Host E after Switch A fails.
  • Page 159: Voice Vlan Configuration

    Voice VLAN configuration
    This chapter includes these sections:
    • Overview
    • Configuring a voice VLAN
    • Displaying and maintaining voice VLAN
    • Voice VLAN configuration examples
    Overview
    As voice communication technologies grow more mature, voice devices are more and more widely deployed, especially on broadband networks, where voice traffic and data traffic often co-exist.
  • Page 160: Voice Vlan Assignment Modes

    NOTE:
    • In general, as the first 24 bits of a MAC address (in binary format), an OUI address is a globally unique identifier assigned to a vendor by IEEE. OUI addresses mentioned in this document, however, are different from those in common sense. OUI addresses in this document are used by the system to determine whether a received packet is a voice packet.
  • Page 161 Figure 42 Only IP phones access the network
    Both modes forward tagged packets according to their tags. Table 15 and Table 16 list the required configurations on ports of different link types in order for these ports to support tagged or untagged voice traffic sent from IP phones when different voice VLAN assignment modes are configured.
  • Page 162: Security Mode And Normal Mode Of Voice Vlans

    Table 16 Required configurations on ports of different link types in order for the ports to support tagged voice traffic Voice VLAN Support for Port link type assignment untagged voice Configuration requirements mode traffic Automatic — Access Configure the default VLAN of the port as the Manual voice VLAN.
  • Page 163: Configuring A Voice Vlan

    MAC addresses checking. TIP: H3C does not recommend that you transmit both voice traffic and non-voice traffic in a voice VLAN. If you have to, ensure that the voice VLAN security mode is disabled.
  • Page 164: Configuring Qos Priority Settings For Voice Traffic On An Interface

    Configuring QoS priority settings for voice traffic on an interface In voice VLAN applications, you can improve the quality of voice traffic by configuring the appropriate QoS priority settings, including the Class of Service (CoS) and Differentiated Services Code Point (DSCP) values, for voice traffic.
  • Page 165: Configuring A Port To Operate In Manual Voice Vlan Assignment Mode

    To do... Use the command... Remarks For the default OUI addresses of different vendors, see Table interface interface-type Enter Ethernet interface view — interface-number Optional Automatic voice VLAN assignment Configure the port to operate in mode is enabled by default. automatic voice VLAN assignment voice vlan mode auto The voice VLAN assignment modes...
  • Page 166: Displaying And Maintaining Voice Vlan

    To do... Use the command... Remarks For how to assign an access port to Access port a VLAN, see the chapter “VLAN Assign the port configuration.” Use one of the three approaches. in manual voice For how to assign a trunk port to a After you assign an access port to VLAN Trunk port...
  • Page 167
    • The MAC address of IP phone B is 0011-2200-0001. The phone connects to a downstream device named PC B whose MAC address is 0022-2200-0002 and to GigabitEthernet 1/0/2 on Device A.
    • Device A uses voice VLAN 2 to transmit voice packets for IP phone A, and voice VLAN 3 to transmit voice packets for IP phone B.
  • Page 168: Manual Voice Vlan Assignment Mode Configuration Example

    [DeviceA-GigabitEthernet1/0/1] voice vlan 2 enable
    [DeviceA-GigabitEthernet1/0/1] quit
    # Configure GigabitEthernet 1/0/2.
    [DeviceA] interface gigabitethernet 1/0/2
    [DeviceA-GigabitEthernet1/0/2] port link-type hybrid
    [DeviceA-GigabitEthernet1/0/2] voice vlan mode auto
    [DeviceA-GigabitEthernet1/0/2] voice vlan 3 enable
    Verification
    # Display the OUI addresses, OUI address masks, and description strings.
    <DeviceA>...
  • Page 169 Figure 44 Network diagram for manual voice VLAN assignment mode configuration
    Configuration procedure
    # Configure the voice VLAN to operate in security mode. (Optional. A voice VLAN operates in security mode by default.)
    <DeviceA> system-view
    [DeviceA] voice vlan security enable
    # Add a recognizable OUI address 0011-2200-0000.
  • Page 170
    # Display the current voice VLAN state.
    <DeviceA> display voice vlan state
    Maximum of Voice VLANs: 8
    Current Voice VLANs: 1
    Voice VLAN security mode: Security
    Voice VLAN aging time: 1440 minutes
    Voice VLAN enabled port and its mode:
    PORT VLAN MODE DSCP...
  • Page 171: Gvrp Configuration

    GVRP configuration The Generic Attribute Registration Protocol (GARP) provides a generic framework for devices in a bridged LAN, such as end stations and switches, to register and deregister attribute values. The GARP VLAN Registration Protocol (GVRP) is a GARP application that registers and deregisters VLAN attributes. GVRP is based on the operating mechanism of GARP to maintain and propagate dynamic VLAN registration information for the GVRP devices on the network.
  • Page 172
    • When a port receives a declaration for a VLAN attribute, it registers the VLAN attribute carried in the declaration and joins the VLAN.
    • When a port receives a withdrawal for a VLAN attribute, it deregisters the VLAN attribute carried in the withdrawal and leaves the VLAN.
  • Page 173 A GARP participant may declare an attribute twice to ensure reliable transmission. The Join timer sets the interval between the two declarations. A GARP participant starts a Join timer when it declares an attribute value or receives a JoinIn message for the attribute value.
  • Page 174: Gvrp

    Table 18 Description on the GARP message fields
    Field | Description | Value
    GARP PDU | GARP Protocol Data Unit | ––
    Protocol ID | Protocol identifier for GARP PDU | 0x0001
    Message | One or multiple messages, each containing an attribute type and an attribute list | ––
    End mark | Indicates the end of a GARP PDU | 0x00...
  • Page 175: Protocols And Standards

    • Fixed––Allows manual creation and registration of VLANs, prevents VLAN deregistration, and registers all known VLANs on other ports on the trunk port.
    • Forbidden––Deregisters all VLANs (except VLAN 1) and prevents any further VLAN creation or registration on the trunk port.
    Protocols and standards
    • IEEE 802.1Q, Virtual Bridged Local Area Networks...
  • Page 176: Configuring Garp Timers

    To do… Use the command… Remarks Required By default, a trunk port is Assign the trunk ports to all VLANs port trunk permit vlan all assigned to VLAN 1 only. Required Enable GVRP on the ports gvrp Disabled by default Optional Configure the GVRP registration mode on the gvrp registration { fixed |...
  • Page 177: Displaying And Maintaining Gvrp

    To do… | Use the command… | Remarks
    Configure the Hold timer | garp timer hold timer-value | Optional. 10 centiseconds by default
    Configure the Join timer | garp timer join timer-value | Optional. 20 centiseconds by default
    Configure the Leave timer | garp timer leave timer-value | Optional. 60 centiseconds by default
    As shown in Table 19, the value ranges for GARP timers are dependent on one another:...
  • Page 178: Gvrp Configuration Examples

    GVRP configuration examples
    GVRP normal registration mode configuration example
    Network requirements
    As shown in Figure
    • Device A and Device B are connected through their GigabitEthernet 1/0/1 ports.
    • Enable GVRP and configure the normal registration mode on ports to enable the registration and...
  • Page 179: Gvrp Fixed Registration Mode Configuration Example

    [DeviceB-vlan3] quit
    Verify the configuration
    Use the display gvrp local-vlan command to display the local VLAN information maintained by GVRP on ports. For example:
    # Display the local VLAN information maintained by GVRP on port GigabitEthernet 1/0/1 of Device A.
    [DeviceA] display gvrp local-vlan interface gigabitethernet 1/0/1
    Following VLANs exist in GVRP local database:
    1(default),2-3...
  • Page 180: Gvrp Forbidden Registration Mode Configuration Example

    [DeviceA] vlan 2
    [DeviceA-vlan2] quit
    Configure Device B
    # Enable GVRP globally.
    <DeviceB> system-view
    [DeviceB] gvrp
    # Configure port GigabitEthernet 1/0/1 as a trunk port, and assign it to all VLANs.
    [DeviceB] interface gigabitethernet 1/0/1
    [DeviceB-GigabitEthernet1/0/1] port link-type trunk
    [DeviceB-GigabitEthernet1/0/1] port trunk permit vlan all
    # Enable GVRP on GigabitEthernet 1/0/1, and set the GVRP registration mode to fixed on the port.
  • Page 181 Figure 49 Network diagram for GVRP forbidden registration mode configuration
    Configuration procedure
    Configure Device A
    # Enable GVRP globally.
    <DeviceA> system-view
    [DeviceA] gvrp
    # Configure port GigabitEthernet 1/0/1 as a trunk port, and assign it to all VLANs.
    [DeviceA] interface gigabitethernet 1/0/1
    [DeviceA-GigabitEthernet1/0/1] port link-type trunk
    [DeviceA-GigabitEthernet1/0/1] port trunk permit vlan all
    # Enable GVRP on GigabitEthernet 1/0/1, and set the GVRP registration mode to forbidden on the port.
  • Page 182
    According to the output, information about VLAN 1 is registered through GVRP, but static VLAN information of VLAN 2 on the local device and dynamic VLAN information of VLAN 3 on Device B are not.
    # Display the local VLAN information maintained by GVRP on port GigabitEthernet 1/0/1 of Device B.
    [DeviceB] display gvrp local-vlan interface gigabitethernet 1/0/1
    Following VLANs exist in GVRP local database:
    1(default)
  • Page 183: Qinq Configuration

    QinQ configuration
    This chapter includes these sections:
    • Introduction to QinQ
    • QinQ configuration task list
    • Configuring basic QinQ
    • Configuring selective QinQ
    • Configuring the TPID value in VLAN tags
    • QinQ configuration examples
    NOTE: Throughout this document, customer network VLANs (CVLANs), also called “inner VLANs”, refer to the VLANs that a customer uses on the private network;...
  • Page 184: Qinq Frame Structure

    Figure 50 Typical QinQ application scenario
    As shown in Figure 50, customer network A has CVLANs 1 through 10, and customer network B has CVLANs 1 through 20.
  • Page 185: Implementations Of Qinq

    QinQ packet is 1508 bytes, which comprises two four-byte VLAN tags and one 1500-byte standard Ethernet frame. Implementations of QinQ H3C provides the following QinQ implementations: basic QinQ and selective QinQ. Basic QinQ Basic QinQ enables a port to tag any incoming frames with its default VLAN tag, regardless of whether they have been tagged or not.
  • Page 186: Protocols And Standards

    Figure 52 VLAN tag structure of an Ethernet frame The switch determines whether a received frame carries a SVLAN or CVLAN tag by checking the TPID value. For example, if a frame carries a SVLAN tag with TPID value 0x9100 and a CVLAN tag with TPID value 0x8100, and the configured TPID value of the SVLAN tag is 0x9100 and that of the CVLAN tag is 0x8200, the switch considers that the frame carries only the SVLAN tag but not the CVLAN tag.
  • Page 187: Qinq Configuration Task List

    QinQ configuration task list Complete the following tasks to configure QinQ: Task Remarks Enabling basic QinQ Required Configuring basic QinQ Configuring VLAN transparent transmission Optional Configuring an outer VLAN tagging policy Optional Configuring selective Configuring an inner-outer VLAN 802.1p priority mapping Optional QinQ Configuring inner VLAN ID substitution (available only on the...
  • Page 188: Configuring Selective Qinq

    Configuring an outer VLAN tagging policy in the port-based approach
    The S5500-SI and S5500-EI series switches support configuring basic QinQ and selective QinQ on a port at the same time. When both features are enabled on the port, frames that meet the selective QinQ condition are handled with selective QinQ first, and the remaining frames are handled with basic QinQ.
  • Page 189 Configuring an outer VLAN tagging policy in the QoS policy-based approach (available only on the S5500-EI) You can configure an outer VLAN tagging policy on the S5500-EI series switches in the QoS policy-based approach. Configure an outer VLAN tagging policy in the QoS policy-based approach in the following workflow: Configure a class to match packets with certain tags.
  • Page 190: Configuring An Inner-Outer Vlan 802.1P Priority Mapping

    NOTE: On the S5500-EI series switches, if you set the trusted packet priority type to 802.1p priority on a port with basic QinQ or selective QinQ enabled, the port automatically copies the 802.1p priority from the inner VLAN tag to the outer VLAN tag when adding the outer VLAN tag to each packet. The S5500-SI series switches do not process packets in this way.
  • Page 191 Follow these steps to mark the 802.1p priorities in outer VLAN tags according to the inner VLAN IDs or the 802.1p priorities in the inner VLAN tags: To do... Use the command... Remarks Enter system view system-view — Required traffic classifier classifier-name Create a class and enter class view By default, the operator of a class [ operator { and | or } ]...
  • Page 192: Configuring Inner Vlan Id Substitution (Available Only On The S5500

    To do... | Use the command... | Remarks
    Apply the QoS policy to the incoming traffic | qos apply policy policy-name inbound | Required
    Configuring inner VLAN ID substitution (available only on the S5500-EI)
    Basic QinQ does not change the inner VLAN ID when tagging the customer VLAN frame with an outer VLAN tag.
  • Page 193: Configuring The Tpid Value In Vlan Tags

    Configuring the TPID value in VLAN tags Configuring the TPID value on the S5500-EI Follow these steps to configure the TPID value: To do... Use the command... Remarks Enter system view system-view — Optional qinq ethernet-type By default, the TPID value is Configure the TPID value { customer-tag | service-tag } 0x8100.
  • Page 194
    • Customer A1, Customer A2, Customer B1 and Customer B2 are edge switches on the customer network.
    • Third-party switches with a TPID value of 0x8200 are deployed between Provider A and Provider B.
    Make configuration to satisfy the following requirements:
    •...
  • Page 195
    # Set the TPID value in the outer tag to 0x8200.
    [ProviderA-GigabitEthernet1/0/3] quit
    [ProviderA] qinq ethernet-type service-tag 8200
    NOTE: The previous command is available only on the S5500-EI series switches. For how to configure the TPID value on the S5500-SI series switches, see “Configuring the TPID value on the S5500-SI.”...
  • Page 196: Port-Based Selective Qinq Configuration Example

    NOTE: The previous command is available only on the S5500-EI series switches. For how to configure the TPID value on the S5500-SI series switches, see “Configuring the TPID value on the S5500-SI.” Configuration on third-party switches Configure the third-party switches between Provider A and Provider B as follows: configure the port connecting GigabitEthernet 1/0/3 of Provider A and that connecting GigabitEthernet 1/0/3 of Provider B to allow tagged frames of VLAN 10 and 50 to pass through.
  • Page 197
    # Set the TPID value in the outer tag to 0x8200.
    [ProviderA-GigabitEthernet1/0/3] quit
    [ProviderA] qinq ethernet-type service-tag 8200
    NOTE: The previous command is available only on the S5500-EI series switches. For how to configure the TPID value on the S5500-SI series switches, see “Configuring the TPID value on the S5500-SI.”...
  • Page 198: Qos Policy-Based Selective Qinq Configuration Exampl (Available Only On The S5500

    # Set the TPID value in the outer tag to 0x8200.
    [ProviderA-GigabitEthernet1/0/3] quit
    [ProviderA] qinq ethernet-type service-tag 8200
    NOTE: The previous command is available only on the S5500-EI series switches. For how to configure the TPID value on the S5500-SI series switches, see “Configuring the TPID value on the S5500-SI.”...
  • Page 199
    • Frames of the VLANs other than VLAN 10 and VLAN 20 of Customer A can be forwarded to Customer D across VLAN 3000 on the public network.
    Figure 55 Network diagram
    Configuration procedure
    NOTE: Make sure that the switches in the service provider network have been configured to allow QinQ packets to pass through.
  • Page 200
    # Create a traffic behavior P1000 and configure the action of tagging frames with the outer VLAN tag 1000 for the traffic behavior.
    [ProviderA] traffic behavior P1000
    [ProviderA-behavior-P1000] nest top-most vlan-id 1000
    [ProviderA-behavior-P1000] quit
    # Create a class A20 to match frames of VLAN 20 of Customer A.
    [ProviderA] traffic classifier A20
    [ProviderA-classifier-A20] if-match customer-vlan-id 20
    [ProviderA-classifier-A20] quit...
  • Page 201
    [ProviderB] interface gigabitethernet 1/0/1
    [ProviderB-GigabitEthernet1/0/1] port link-type trunk
    [ProviderB-GigabitEthernet1/0/1] port trunk permit vlan 1000 2000 3000
    # To enable interoperability with the third-party switches in the public network, set the TPID of the service provider network VLAN tags to 0x8200. The port tags the received frames with the outer VLAN tag whose TPID is 0x8200.
  • Page 202: Vlan Mapping Configuration (Available Only On The S5500-Ei)

    • VLAN mapping configuration examples
    VLAN mapping overview
    VLAN mapping re-marks VLAN tagged traffic with new VLAN IDs. The S5500-EI series switches provide the following types of VLAN mapping:
    • One-to-one VLAN mapping—Replaces one VLAN tag with another. You can use one-to-one VLAN mapping to sub-classify traffic from a particular VLAN for granular QoS control.
  • Page 203: Application Scenario Of Two-To-Two Vlan Mapping

    Figure 56 Application scenario of one-to-one and many-to-one VLAN mapping (diagram labels: DHCP client, home gateway, VoIP, wiring-closet switch; VLAN 1 -> VLAN 101, VLAN 2 -> VLAN 201, VLAN 3 -> VLAN 301)...
  • Page 204: Concepts And Terms

    Figure 57 Application scenario of two-to-two VLAN mapping Site 1 and Site 2 are respectively in VLAN 2 and VLAN 3. The VLAN assigned for VPN A is VLAN 10 in the SP 1 network and VLAN 20 in the SP 2 network. If Site 1 sends a packet to Site 2, the packet is processed on the way to its destination using the following workflow: When the packet tagged with VLAN 2 arrives at the edge of network SP 1, PE 1 tags the packet...
  • Page 205: Vlan Mapping Implementations

    Figure 58 Basic concepts of VLAN mapping
    • Uplink traffic: Traffic transmitted from the customer network to the service provider network.
    • Downlink traffic: Traffic transmitted from the service provider network to the customer network.
    • Network-side port: A port connected to the service provider network.
    • Customer-side port: A port connected to the customer network.
  • Page 206 Figure 59 One-to-one VLAN mapping implementation
    Many-to-one VLAN mapping
    Implement many-to-one VLAN mapping through the following configurations, as shown in Figure
    • Apply an uplink policy to the incoming traffic on the customer-side port to map different CVLAN IDs...
  • Page 207: Configuring Vlan Mapping

    Figure 57 NOTE: When you are configuring VLAN mappings, H3C recommends that you configure the related ports to dynamically generate IP-MAC-port binding entries. The ports will filter packets according to the source IP and MAC addresses of the received packets to block illegal access and improve network security. For...
  • Page 208 Configuration prerequisites Create CVLANs and SVLANs, and plan CVLAN-SVLAN mappings. Configuring an uplink policy Follow these steps to configure an uplink policy to map each CVLAN to a unique SVLAN: To do... Use the command... Remarks Enter system view system-view —...
  • Page 209: Configuring Many-To-One Vlan Mapping

    Configuring the customer-side port
    Follow these steps to configure the customer-side port:
    To do... | Use the command... | Remarks
    Enter system view | system-view | —
    Enter Layer 2 Ethernet interface view | interface interface-type interface-number | —
    Configure the port as a trunk port | port link-type trunk | Required. The default link type of an Ethernet port is access.
  • Page 210 Task Description Configures VLAN and other settings required for many-to-one Configuring the customer-side port VLAN mapping (required). Configures VLAN and other settings required for many-to-one Configuring the network-side port VLAN mapping (required). Configuration prerequisites Before you configure many-to-one VLAN mapping, complete the following tasks: Make sure that all home users use DHCP to get IP addresses.
  • Page 211 To do... Use the command... Remarks Enter system view system-view — Create a class and enter class traffic classifier tcl-name operator view Required Configure multiple CVLANs as if-match customer-vlan-id Repeat these steps to configure one match criteria { vlan-id-list | vlan-id1 to vlan-id2 } class for each group of CVLANs.
  • Page 212: Configuring Two-To-Two Vlan Mapping

    To do... | Use the command... | Remarks
    Enter system view | system-view | —
    Enter Layer 2 Ethernet interface view | interface interface-type interface-number | —
    Configure the port as a trunk port | port link-type trunk | Required. The default link type of an Ethernet port is access.
    Assign the port to SVLANs... | port trunk permit vlan { vlan-id-list... | Required
  • Page 213 Configuring an uplink policy for the customer-side port The uplink policy on the customer-side port modifies the SVLAN ID of incoming traffic. Follow these steps to configure an uplink policy for the customer-side port: To do... Use the command... Remarks Enter system view system-view —...
  • Page 214 To do... Use the command... Remarks CVLAN pair. Return to system view quit Create a QoS policy and enter QoS qos policy policy-name Required policy view Required classifier tcl-name behavior Repeat this step to create Associate the class with the behavior behavior-name other class-behavior associations.
  • Page 215: Vlan Mapping Configuration Examples

    To do... Use the command... Remarks interface interface-type Enter Ethernet interface view — interface-number Required Configure the port as a trunk port port link-type trunk The default link type of an Ethernet port is access. Required port trunk permit vlan { vlan-id-list Assign the port to the local SVLANs By default, a trunk port is in | all }...
  • Page 216
    Because Switch C retains customer VLAN information, each type of traffic is still segregated by user, even though it appears to be transmitted in one VLAN.
    Figure 62 Network diagram for one-to-one and many-to-one VLAN mapping configuration...
  • Page 217
    [SwitchA-classifier-c1] if-match customer-vlan-id 1
    [SwitchA-classifier-c1] traffic classifier c2
    [SwitchA-classifier-c2] if-match customer-vlan-id 2
    [SwitchA-classifier-c2] traffic classifier c3
    [SwitchA-classifier-c3] if-match customer-vlan-id 3
    [SwitchA-classifier-c3] quit
    [SwitchA] traffic behavior b1
    [SwitchA-behavior-b1] remark service-vlan-id 101
    [SwitchA-behavior-b1] traffic behavior b2
    [SwitchA-behavior-b2] remark service-vlan-id 201
    [SwitchA-behavior-b2] traffic behavior b3
    [SwitchA-behavior-b3] remark service-vlan-id 301
    [SwitchA-behavior-b3] traffic behavior b4
    [SwitchA-behavior-b4] remark service-vlan-id 102...
  • Page 218
    [SwitchA-behavior-b33] remark customer-vlan-id 3
    [SwitchA-behavior-b33] quit
    [SwitchA] qos policy p11
    [SwitchA-policy-p11] classifier c11 behavior b11
    [SwitchA-policy-p11] classifier c22 behavior b22
    [SwitchA-policy-p11] classifier c33 behavior b33
    [SwitchA-policy-p11] quit
    [SwitchA] qos policy p22
    [SwitchA-policy-p22] classifier c44 behavior b11
    [SwitchA-policy-p22] classifier c55 behavior b22
    [SwitchA-policy-p22] classifier c66 behavior b33
    [SwitchA-policy-p22] quit
    # Assign customer-side port GigabitEthernet 1/0/1 to CVLANs 1 to 3, and SVLANs 101, 201, and 301,...
  • Page 219
    # Enable DHCP snooping.
    <SwitchC> system-view
    [SwitchC] dhcp-snooping
    # Create the CVLANs and SVLANs, and enable ARP detection in each VLAN.
    [SwitchC] vlan 101
    [SwitchC-vlan101] arp detection enable
    [SwitchC-vlan101] vlan 201
    [SwitchC-vlan201] arp detection enable
    [SwitchC-vlan201] vlan 301
    [SwitchC-vlan301] arp detection enable
    [SwitchC-vlan301] vlan 102
    [SwitchC-vlan102] arp detection enable
    [SwitchC-vlan102] vlan 202...
  • Page 220
    [SwitchC-classifier-c6] if-match customer-vlan-id 303 to 304
    [SwitchC-classifier-c6] quit
    [SwitchC] traffic behavior b1
    [SwitchC-behavior-b1] remark service-vlan-id 501
    [SwitchC-behavior-b1] traffic behavior b2
    [SwitchC-behavior-b2] remark service-vlan-id 502
    [SwitchC-behavior-b2] traffic behavior b3
    [SwitchC-behavior-b3] remark service-vlan-id 503
    [SwitchC-behavior-b3] quit
    [SwitchC] qos policy p1
    [SwitchC-policy-p1] classifier c1 behavior b1 mode dot1q-tag-manipulation
    [SwitchC-policy-p1] classifier c2 behavior b2 mode dot1q-tag-manipulation
    [SwitchC-policy-p1] classifier c3 behavior b3 mode dot1q-tag-manipulation
    [SwitchC-policy-p1] quit...
  • Page 221: Two-To-Two Vlan Mapping Configuration Example

    <SwitchD> system-view
    [SwitchD] dhcp-snooping
    # Assign port GigabitEthernet 1/0/1 to SVLANs 501 to 503.
    [SwitchD] interface gigabitethernet 1/0/1
    [SwitchD-GigabitEthernet1/0/1] port link-type trunk
    [SwitchD-GigabitEthernet1/0/1] port trunk permit vlan 501 502 503
    Two-to-two VLAN mapping configuration example
    Network requirements
    As shown in Figure 63, two VPN A users, Site 1 and Site 2, are in VLAN 10 and VLAN 30 respectively.
  • Page 222
    [PE2-GigabitEthernet1/0/1] port trunk permit vlan 100
    [PE2-GigabitEthernet1/0/1] quit
    # Set port GigabitEthernet 1/0/2 as a trunk port, and assign it to VLAN 100.
    [PE2] interface gigabitethernet 1/0/2
    [PE2-GigabitEthernet1/0/2] port link-type trunk
    [PE2-GigabitEthernet1/0/2] port trunk permit vlan 100
    Configuring PE 3
    # Configure an uplink policy down_uplink for customer-side port GigabitEthernet 1/0/1 to substitute SVLAN ID 200 for the SVLAN ID in the incoming traffic tagged with CVLAN 10 and SVLAN 100.
  • Page 223
    # Set customer-side port GigabitEthernet 1/0/1 as a trunk port, assign it to VLAN 200, and apply uplink policy down_uplink to the incoming traffic and downlink policy down_downlink to the outgoing traffic on the port.
    [PE3] interface gigabitethernet 1/0/1
    [PE3-GigabitEthernet1/0/1] port link-type trunk
    [PE3-GigabitEthernet1/0/1] port trunk permit vlan 200
    [PE3-GigabitEthernet1/0/1] qos apply policy down_uplink inbound
    [PE3-GigabitEthernet1/0/1] qos apply policy down_downlink outbound...
  • Page 224: Lldp Configuration

    You can set an Ethernet port as a Layer 3 Ethernet interface by using the port link-mode route command (see the chapter “Ethernet interface configuration”). You can configure an Ethernet port as a Layer 3 Ethernet interface only on the S5500-EI series switches. •...
  • Page 225
    Figure 64 Ethernet II-encapsulated LLDPDU format
    The fields in the frame are described in Table 21.
    Table 21 Description of the fields in an Ethernet II-encapsulated LLDPDU
    Field | Description
    Destination MAC address | The MAC address to which the LLDPDU is advertised. It is fixed to 0x0180-C200-000E, a multicast MAC address.
  • Page 226
    Field | Description
    Source MAC address | The MAC address of the sending port. If the port does not have a MAC address, the MAC address of the sending bridge is used.
    Type | The SNAP type for the upper layer protocol. It is 0xAAAA-0300-0000-88CC for LLDP.
  • Page 227
    Protocol Identity | Indicates protocols supported on the port. An LLDPDU can carry multiple different TLVs of this type.
    NOTE:
    • H3C S5500-SI&S5500-EI series Ethernet switches only support receiving protocol identity TLVs.
    • Layer 3 Ethernet ports do not support IEEE 802.1 organizationally specific TLVs.
    •...
  • Page 228: How Lldp Works

    NOTE: The Power Stateful Control TLV is defined in IEEE P802.3at D1.0. The later versions no longer support this TLV. H3C devices send this type of TLVs only after receiving them.
    LLDP-MED TLVs
    LLDP-MED TLVs provide multiple advanced applications for voice over IP (VoIP), such as basic configuration, network policy configuration, and address and directory management.
  • Page 229: Protocols And Standards

    When the LLDP operating mode of a port changes, its LLDP protocol state machine re-initializes. To prevent LLDP from being initialized too frequently during times of frequent operating mode change, you can configure a re-initialization delay. With this delay configured, a port must wait for the specified interval before it can initialize LLDP after the LLDP operating mode changes.
  • Page 230: Performing Basic Lldp Configuration

    NOTE:
    • LLDP-related configurations made in Ethernet interface view take effect only on the current port, and those made in port group view take effect on all ports in the current port group.
    • The Layer 3 Ethernet interface is an Ethernet interface operating in route mode. You can set an Ethernet...
  • Page 231: Setting The Lldp Re-Initialization Delay

    To do… | Use the command… | Remarks
    or port group view: Enter port group view | port-group manual port-group-name |
    Set the LLDP operating mode | lldp admin-status { disable | rx | tx | txrx } | Optional. TxRx by default

    Setting the LLDP re-initialization delay
    When LLDP operating mode changes on a port, the port initializes the protocol state machines after a certain delay.
  • Page 232: Configuring The Management Address And Its Encoding Format

    To do… Use the command… Remarks lldp tlv-enable { basic-tlv { all | port-description | system-capability | system-description | system-name } | Optional dot1-tlv { all | port-vlan-id | protocol-vlan-id [ vlan-id ] | vlan-name [ vlan-id ] } | dot3-tlv By default, all types of Configure the advertisable TLVs { all | link-aggregation | mac-physic |...
  • Page 233: Setting Other Lldp Parameters

    To do… | Use the command… | Remarks
    Allow LLDP to advertise the management address in LLDPDUs and... | | Optional. By default, the management address is sent through LLDPDUs.
    • For a Layer 2 Ethernet port, the management address is the main IP address of the lowest-ID VLAN carried on the port. If none of the carried VLANs is...
  • Page 234: Setting An Encapsulation Format For Lldpdus

    NOTE: To ensure that the LLDP neighbors can receive LLDPDUs to update information about the current device before it is aged out, configure both the LLDPDU transmit interval and delay to be less than the TTL. Setting an encapsulation format for LLDPDUs LLDPDUs can be encapsulated in the following formats: Ethernet II or SNAP frames.
  • Page 235: Configuration Prerequisites

    Configuration prerequisites
    Before you configure CDP compatibility, complete the following tasks:
    • Globally enable LLDP.
    • Enable LLDP on the port connecting to an IP phone and configure the port to operate in TxRx mode.
    Configuring CDP compatibility
    CDP-compatible LLDP operates in one of the following modes:
    TxRx: The CDP packets can be transmitted and received.
  • Page 236: Displaying And Maintaining Lldp

    To do… | Use the command… | Remarks
    Enter Ethernet interface view or port group view (use either command):
      Enter Layer 2/Layer 3 Ethernet interface view | interface interface-type interface-number | Required
      Enter port group view | port-group manual port-group-name |
    Enable LLDP trapping | lldp notification remote-change enable | Required. Disabled by default
    Quit to system view | quit...
  • Page 237
    Figure 67 Network diagram for basic LLDP configuration
    Configuration procedure
    Configure Switch A
    # Enable LLDP globally (you can skip this step because LLDP is enabled globally by default).
    <SwitchA> system-view
    [SwitchA] lldp enable
    # Enable LLDP on GigabitEthernet 1/0/1 and GigabitEthernet 1/0/2 (you can skip this step because LLDP is enabled on ports by default), and set the LLDP operating mode to Rx.
  • Page 238
    Transmit delay : 2s
    Trap interval : 5s
    Fast start times
    Port 1 [GigabitEthernet1/0/1]:
    Port status of LLDP : Enable
    Admin status : Rx_Only
    Trap flag : No
    Polling interval : 0s
    Number of neighbors:
    Number of MED neighbors
    Number of CDP neighbors
    Number of sent optional TLV
    Number of received unknown TLV : 0
    Port 2 [GigabitEthernet1/0/2]:...
  • Page 239: Cdp-Compatible Lldp Configuration Example

    Polling interval : 0s
    Number of neighbors
    Number of MED neighbors
    Number of CDP neighbors
    Number of sent optional TLV
    Number of received unknown TLV
    Port 2 [GigabitEthernet1/0/2]:
    Port status of LLDP : Enable
    Admin status : Rx_Only
    Trap flag : No
    Polling interval : 0s...
  • Page 240
    [SwitchA-GigabitEthernet1/0/1] port link-type trunk
    [SwitchA-GigabitEthernet1/0/1] voice vlan 2 enable
    [SwitchA-GigabitEthernet1/0/1] quit
    [SwitchA] interface gigabitethernet 1/0/2
    [SwitchA-GigabitEthernet1/0/2] port link-type trunk
    [SwitchA-GigabitEthernet1/0/2] voice vlan 2 enable
    [SwitchA-GigabitEthernet1/0/2] quit
    Configure CDP-compatible LLDP on Switch A
    # Enable LLDP globally and enable LLDP to be compatible with CDP globally.
    [SwitchA] lldp enable
    [SwitchA] lldp compliance cdp
    # Enable LLDP (you can skip this step because LLDP is enabled on ports by default), configure LLDP to...
  • Page 241: Service Loopback Group Configuration (Available Only On The S5500-Ei)

    • MPLS, supporting MPLS traffic
    NOTE: The S5500-EI series switches support only the Tunnel service loopback group type.
    Requirements on service loopback ports
    Before assigning a port to a service loopback group, ensure the port meets the following requirements.
  • Page 242: States Of Service Loopback Ports

    • The port is configured with only QoS and ACL settings, or physical settings such as rate and duplex mode.
    • The port is not configured with MSTP, NDP, LLDP, 802.1X, MAC address authentication, port security mode, or IP source guard, or as the member port of an isolation group.
    • The link type of the port is access.
  • Page 243: Configuring A Service Loopback Group

    Configuring a service loopback group
    Follow these steps to configure a service loopback group:
    To do… | Use the command… | Remarks
    Enter system view | system-view | —
    Create a service loopback group and specify its service type | service-loopback group number type tunnel | Required
    Enter Layer 2 Ethernet... | interface interface-type interface-number...
  • Page 244
    <SwitchA> system-view
    [SwitchA] service-loopback group 1 type tunnel
    # Disable MSTP, NDP and LLDP on GigabitEthernet 1/0/1 through GigabitEthernet 1/0/3 and then assign them to service loopback group 1.
    [SwitchA] interface gigabitethernet 1/0/1
    [SwitchA-GigabitEthernet1/0/1] undo stp enable
    [SwitchA-GigabitEthernet1/0/1] undo ndp enable
    [SwitchA-GigabitEthernet1/0/1] undo lldp enable
    [SwitchA-GigabitEthernet1/0/1] port service-loopback group 1
    [SwitchA-GigabitEthernet1/0/1] quit...
