Page 1 H3C S7500X Switch Series Comware 7 Layer 2—LAN Switching Configuration Guide New H3C Technologies Co., Ltd. http://www.h3c.com Software version: Release 7577P04 and later versions Document version: 6W100-20190315...
Page 2 The information in this document is subject to change without notice. All contents in this document, including statements, information, and recommendations, are believed to be accurate, but they are presented without warranty of any kind, express or implied. H3C shall not be liable for technical or editorial errors or omissions contained herein.
Page 3 Preface This configuration guide covers Layer 2 technologies and features used on a LAN switched network. This preface includes the following topics about the documentation: • Audience. • Conventions. • Documentation feedback. Audience This documentation is intended for: • Network planners. •...
Page 4 Symbols Convention Description An alert that calls attention to important information that if not understood or followed WARNING! can result in personal injury. An alert that calls attention to important information that if not understood or followed CAUTION: can result in data loss, data corruption, or damage to hardware or software. An alert that calls attention to essential information.
Page 5 Documentation feedback You can e-mail your comments about product documentation to info@h3c.com. We appreciate your comments.
Page 6: Table Of Contents
Contents Configuring the MAC address table ······················································ 1 Overview ·································································································································· 1 How a MAC address entry is created ······················································································· 1 Types of MAC address entries ······························································································· 1 MAC address table configuration task list ························································································ 2 ...
Page 7: Configuring The Mac Address Table
Configuring the MAC address table Overview An Ethernet device uses a MAC address table to forward frames. A MAC address entry includes a destination MAC address, an outgoing interface, and a VLAN ID. When the device receives a frame, it uses the destination MAC address of the frame to look for a match in the MAC address table. •...
Page 8: Mac Address Table Configuration Task List
• Static entries—A static entry is manually added to forward frames with a specific destination MAC address out of the associated interface, and it never ages out. A static entry has higher priority than a dynamically learned one. • Dynamic entries—A dynamic entry can be manually configured or dynamically learned to forward frames with a specific destination MAC address out of the associated interface.
Page 9: Configuring Mac Address Entries
Configuring MAC address entries Configuration guidelines • You cannot add a dynamic MAC address entry if a learned entry already exists with a different outgoing interface for the MAC address. • The manually configured static, blackhole, and multiport unicast MAC address entries cannot survive a reboot if you do not save the configuration.
Page 10: Adding Or Modifying A Blackhole Mac Address Entry
Step Command Remarks • Enter Layer 2 aggregate interface view: interface bridge-aggregation interface-number By default, no MAC address entry is configured on the interface. Add or modify a static or mac-address { dynamic | static } Make sure you have created the dynamic MAC address entry.
Page 11: Disabling Mac Address Learning
Configuring a multiport unicast MAC address entry globally Step Command Remarks Enter system view. system-view By default, no multiport unicast MAC address entry is configured mac-address multiport globally. Add or modify a multiport mac-address interface unicast MAC address entry. Make sure you have created the interface-list vlan vlan-id VLAN and assigned the interface to the VLAN.
Page 12: Disabling Mac Address Learning On Interfaces
Step Command Remarks mac-learning enable learning. learning is enabled. Disabling MAC address learning on interfaces When global MAC address learning is enabled, you can disable MAC address learning on a single interface. To disable MAC address learning on an interface: Step Command Remarks...
Page 13: Setting The Mac Learning Limit
An aging interval that is too long might cause the MAC address table to retain outdated entries. As a result, the MAC address table resources might be exhausted, and the MAC address table might fail to update its entries to accommodate the latest network changes. An interval that is too short might result in removal of valid entries, which would cause unnecessary floods and possibly affect the device performance.
Page 14: Setting The Mac Learning Limit For A Vlan
Step Command Remarks By default, the number of MAC Set the MAC learning limit on mac-address max-mac-count addresses that can be learned on the interface. count an interface is not limited. Setting the MAC learning limit for a VLAN You can limit the number of MAC addresses that can be learned for a VLAN. To configure the MAC learning limit for a VLAN: Step Command...
Page 15: Configuring The Device To Forward Unknown Frames After The Mac Learning Limit For A Vlan Is Reached
Step Command Remarks By default, the device can forward unknown frames received on an Configure the device to interface after the MAC learning forward unknown frames limit on the interface is reached. mac-address max-mac-count received on the interface enable-forwarding You cannot use the undo after the MAC learning limit mac-address max-mac-count on the interface is reached.
Page 16: Enabling Mac Address Synchronization
Step Command Remarks { high | low } to the interface. priority is used. Enabling MAC address synchronization (In standalone mode.) To avoid unnecessary floods and improve forwarding speed, make sure all cards have the same MAC address table. After you enable MAC address synchronization, each card advertises learned MAC address entries to other cards.
Page 17: Configuring Mac Address Move Notifications And Suppression
Figure 3 MAC address tables of devices when Client A roams to AP D To enable MAC address synchronization: Step Command Remarks Enter system view. system-view Enable MAC address mac-address mac-roaming By default, MAC address synchronization. enable synchronization is disabled. Configuring MAC address move notifications and suppression The outgoing interface for a MAC address entry learned on interface A is changed to interface B...
Page 18: Enabling Arp Fast Update For Mac Address Moves
Step Command Remarks Enter system view. system-view By default, MAC address move notifications are disabled. If you do not specify a detection interval, the default setting of 1 minute is used. Enable MAC address move After you execute this command, the notifications and optionally mac-address notification specify a MAC move...
Page 19: Disabling Static Source Check
Figure 4 ARP fast update application scenario To enable ARP fast update for MAC address moves: Step Command Remarks Enter system view. system-view Enable ARP fast update for mac-address mac-move By default, ARP fast update for MAC address moves. fast-update MAC address moves is disabled.
Page 20: Enabling Snmp Notifications For The Mac Address Table
Enabling SNMP notifications for the MAC address table To report critical MAC address move events to an NMS, enable SNMP notifications for the MAC address table. For MAC address move event notifications to be sent correctly, you must also configure SNMP on the device. When SNMP notifications are disabled for the MAC address table, the device sends the generated logs to the information center.
Page 21: Mac Address Table Configuration Example
MAC address table configuration example Network requirements As shown in Figure • Host A at MAC address 000f-e235-dc71 is connected to GigabitEthernet 1/0/1 of Device and belongs to VLAN 1. • Host B at MAC address 000f-e235-abcd, which behaved suspiciously on the network, also belongs to VLAN 1.
Page 22: Configuring Mac Information
Configuring MAC Information The MAC Information feature can generate syslog messages or SNMP notifications when MAC address entries are learned or deleted. You can use these messages to monitor user's leaving or joining the network and analyze network traffic. The MAC Information feature buffers the MAC change syslog messages or SNMP notifications in a queue.
Page 23: Setting The Mac Change Notification Interval
Setting the MAC change notification interval To prevent syslog messages or SNMP notifications from being sent too frequently, you can set the MAC change notification interval to a larger value. To set the MAC change notification interval: Step Command Remarks Enter system view.
Page 24: Configuration Procedure
correctly to the log host. The logging facility name and the severity level are configured by using the info-center loghost and info-center source commands, respectively. Configuration procedure Configure Device to send syslog messages to Host B: # Enable the information center. <Device>...
Page 25 Learns a new MAC address. Deletes an existing MAC address. [Device] interface gigabitethernet 1/0/1 [Device-GigabitEthernet1/0/1] mac-address information enable added [Device-GigabitEthernet1/0/1] mac-address information enable deleted [Device-GigabitEthernet1/0/1] quit # Set the MAC Information queue length to 100. [Device] mac-address information queue-length 100 # Set the MAC change notification interval to 20 seconds.
Page 26 Contents Configuring Ethernet link aggregation ··················································· 1 Overview ·································································································································· 1 Aggregation group, member port, and aggregate interface ··························································· 1 Aggregation states of member ports in an aggregation group ························································ 2 Operational key ··················································································································· 2 Configuration types ··············································································································...
Page 27: Configuring Ethernet Link Aggregation
Configuring Ethernet link aggregation Overview Ethernet link aggregation bundles multiple physical Ethernet links into one logical link, called an aggregate link. Link aggregation has the following benefits: • Increased bandwidth beyond the limits of any single link. In an aggregate link, traffic is distributed across the member ports.
Page 28: Aggregation States Of Member Ports In An Aggregation Group
Aggregation states of member ports in an aggregation group A member port in an aggregation group can be in any of the following aggregation states: • Selected—A Selected port can forward traffic. • Unselected—An Unselected port cannot forward traffic. • Individual—An Individual port can forward traffic as a normal physical port.
Page 29: Link Aggregation Modes
Feature Considerations • PVLAN port type (promiscuous, trunk promiscuous, host, or trunk secondary). • IP subnet-based VLAN configuration. • Protocol-based VLAN configuration. • VLAN tagging mode. For information about VLANs, see "Configuring VLANs." • Protocol configurations—Settings that do not affect the aggregation state of a member port even if they are different from those on the aggregate interface.
Page 30 NOTE: To identify the port numbers of aggregation member ports, execute the display link-aggregation verbose command and examine the Index field in the command output. Setting the aggregation state of each member port After the reference port is chosen, the system sets the aggregation state of each member port in the static aggregation group.
Page 31: Dynamic Link Aggregation
Dynamic link aggregation LACP Dynamic aggregation is implemented through IEEE 802.3ad Link Aggregation Control Protocol (LACP). LACP uses LACPDUs to exchange aggregation information between LACP-enabled devices. Each member port in a dynamic aggregation group can exchange information with its peer. When a member port receives an LACPDU, it compares the received information with information received on the other member ports.
Page 32 The LACP timeout interval also determines the LACPDU sending rate of the peer. LACP timeout intervals include the following types: • Short timeout interval—3 seconds. If you use the short timeout interval, the peer sends one LACPDU per second. • Long timeout interval—90 seconds.
Page 33: How Dynamic Link Aggregation Works
Figure 3 Automatic member interface assignment process An interface enabled with automatic link aggregation receives LACPDUs Does a preferred aggregation group exist? Does the reference port have the same peer information as the LACPDUs? Does an aggregation group matching the LACPDUs exist? Create a dynamic aggregation Assign the interface to the...
Page 34 A system ID contains the LACP system priority and the system MAC address. a. The two systems compare their LACP priority values. The lower the LACP priority, the smaller the system ID. If the LACP priority values are the same, the two systems proceed to step b. b.
Page 35 Figure 4 Setting the state of a member port in a dynamic aggregation group The system with the greater system ID can detect the aggregation state changes on the peer system. The system with the greater system ID sets the aggregation state of local member ports the same as their peer ports.
Page 36: Edge Aggregate Interface
Edge aggregate interface Dynamic link aggregation fails on a server-facing aggregate interface if dynamic link aggregation is configured only on the device. The device forwards traffic by using only one of the physical ports that are connected to the server. To improve link reliability, configure the aggregate interface as an edge aggregate interface.
Page 37: Configuration Restrictions And Guidelines
Figure 5 S-MLAG application scenario Configuration restrictions and guidelines The device supports a maximum of 1000 aggregation groups and 32 member ports per group. Ethernet link aggregation configuration task list Tasks at a glance (Required.) Configuring link aggregations: • Configuring a manual link aggregation •...
Page 38: Configuring A Manual Link Aggregation
Configuring a manual link aggregation Configuration restrictions and guidelines The following information describes restrictions and guidelines that you must follow when you configure link aggregations. Aggregation member interface restrictions • You cannot assign an interface to a Layer 2 aggregation group if any features in Table 4 configured on the interface.
Page 39: Configuring A Layer 2 Aggregation Group
Miscellaneous Deleting an aggregate interface also deletes its aggregation group and causes all member ports to leave the aggregation group. Configuring a Layer 2 aggregation group Configuring a Layer 2 static aggregation group Step Command Remarks Enter system view. system-view When you create a Layer 2 aggregate interface, the system automatically creates a Layer 2...
Page 40: Configuring A Layer 3 Aggregation Group
Step Command Remarks the Bridge-Aggregation 1 interface. Configure the aggregation By default, an aggregation group group to operate in dynamic link-aggregation mode dynamic operates in static mode. mode. Exit to system view. quit Repeat these two substeps to Enter Layer 2 Ethernet assign more Layer 2 Ethernet interface view: interfaces to the aggregation...
Page 41 Step Command Remarks Enter Layer 3 Ethernet interface view: interface interface-type Repeat these two substeps to interface-number Assign an interface to the assign more Layer 3 Ethernet specified Layer 3 Assign the interface to the interfaces to the aggregation aggregation group. specified Layer 3 group.
Page 42: Configuring Automatic Link Aggregation
Step Command Remarks By default, the long LACP timeout interval (90 seconds) is used by the interface. To avoid traffic interruption during Set the short LACP timeout an ISSU, do not set the short interval (3 seconds) for the lacp period short LACP timeout interval before interface.
Page 43: Configuring An Aggregate Interface
• LACP MAD. • Maximum or minimum number of Selected ports. • Automatic member port assignment. • Ignoring port speed in setting the aggregation states of member ports. As a best practice, maintain consistency across S-MLAG devices in service feature configuration. Configuration prerequisites Configure the link aggregation settings other than S-MLAG settings on each S-MLAG device.
Page 44 Step Command Remarks Enter system view. system-view • Enter Layer 2 aggregate interface view: interface bridge-aggregation interface-number Enter aggregate • interface or subinterface Enter Layer 3 aggregate view. interface or subinterface view: interface route-aggregation { interface-number | interface-number.subnumber } Configure the By default, the description of an description of the description text...
Page 45: Setting The Mtu For A Layer 3 Aggregate Interface
Step Command Remarks Bring up the interface. undo shutdown Setting the MTU for a Layer 3 aggregate interface The MTU of an interface affects IP packets fragmentation and reassembly on the interface. To set the MTU for a Layer 3 aggregate interface: Step Command Remarks...
Page 46: Setting The Expected Bandwidth For An Aggregate Interface
For an aggregation group, the maximum number of Selected ports must be equal to or higher than the minimum number of Selected ports. Configuration procedure To set the minimum and maximum numbers of Selected ports for an aggregation group: Step Command Remarks Enter system view.
Page 47: Shutting Down An Aggregate Interface
Step Command Remarks Enter system view. system-view • Enter Layer 2 aggregate interface view: interface bridge-aggregation interface-number Enter aggregate interface • view. Enter Layer 3 aggregate interface view: interface route-aggregation interface-number Configure the aggregate By default, an aggregate interface interface as an edge lacp edge-port does not operate as an edge aggregate interface.
Page 48: Configuring Load Sharing For Link Aggregation Groups
Step Command Enter system view. system-view • Enter Layer 2 aggregate interface view: interface bridge-aggregation interface-number • Enter aggregate interface view. Enter Layer 3 aggregate interface or subinterface view: interface route-aggregation { interface-number | interface-number.subnumber } Restore the default settings for the default aggregate interface.
Page 49 • Source MAC address. • Destination MAC address. • Source IP address and destination IP address. • Source IP address and source port. • Destination IP address and destination port. • Source IP address, source port, destination IP address, and destination port. •...
Page 50: Enabling Local-First Load Sharing For Link Aggregation
Step Command Remarks link-aggregation load-sharing mode { { destination-ip | By default, the load sharing Set the load sharing mode destination-mac | mpls-label1 | mode is the same as the global for the aggregation group. mpls-label2 | source-ip | load sharing mode. source-mac } * | flexible } Enabling local-first load sharing for link aggregation Overview...
Page 51: Enabling Bfd For An Aggregation Group
Configuration procedure Step Command Remarks Enter system view. system-view Enable local-first load By default, local-first load sharing link-aggregation load-sharing sharing for link aggregation is globally enabled for link mode local-first globally. aggregation. • Enter Layer 2 aggregate interface view: interface bridge-aggregation interface-number Enter aggregate interface...
Page 52: Displaying And Maintaining Ethernet Link Aggregation
• As a best practice, do not configure a protocol to collaborate with BFD on a BFD-enabled aggregate interface. • Make sure the number of member ports in a BFD-enabled aggregation group is less than or identical to the number of BFD sessions supported by the device. If the aggregation group contains more member ports than the supported sessions, some Selected ports might change to the Unselected state.
Page 53: Ethernet Link Aggregation Configuration Examples
Task Command Clear LACP statistics for the specified link reset lacp statistics [ interface interface-list ] aggregation member ports. Clear statistics for the specified aggregate reset counters interface [ { bridge-aggregation | interfaces. route-aggregation } [ interface-number ] ] Ethernet link aggregation configuration examples Layer 2 static aggregation configuration example Network requirements On the network shown in...
Page 54: Layer 2 Dynamic Aggregation Configuration Example
# Assign ports GigabitEthernet 1/0/1 through GigabitEthernet 1/0/3 to link aggregation group 1. [DeviceA] interface gigabitethernet 1/0/1 [DeviceA-GigabitEthernet1/0/1] port link-aggregation group 1 [DeviceA-GigabitEthernet1/0/1] quit [DeviceA] interface gigabitethernet 1/0/2 [DeviceA-GigabitEthernet1/0/2] port link-aggregation group 1 [DeviceA-GigabitEthernet1/0/2] quit [DeviceA] interface gigabitethernet 1/0/3 [DeviceA-GigabitEthernet1/0/3] port link-aggregation group 1 [DeviceA-GigabitEthernet1/0/3] quit # Configure Layer 2 aggregate interface Bridge-Aggregation 1 as a trunk port and assign it to VLANs 10 and 20.
Page 55 Figure 8 Network diagram Configuration procedure Configure Device A: # Create VLAN 10, and assign the port GigabitEthernet 1/0/4 to VLAN 10. <DeviceA> system-view [DeviceA] vlan 10 [DeviceA-vlan10] port gigabitethernet 1/0/4 [DeviceA-vlan10] quit # Create VLAN 20, and assign the port GigabitEthernet 1/0/5 to VLAN 20. [DeviceA] vlan 20 [DeviceA-vlan20] port gigabitethernet 1/0/5 [DeviceA-vlan20] quit...
Page 56: Layer 2 Aggregation Load Sharing Configuration Example
Verifying the configuration # Display detailed information about all aggregation groups on Device A. [DeviceA] display link-aggregation verbose Loadsharing Type: Shar -- Loadsharing, NonS -- Non-Loadsharing Port Status: S -- Selected, U -- Unselected, I -- Individual Port: A -- Auto port, M -- Management port, R -- Reference port Flags: A -- LACP_Activity, B -- LACP_Timeout, C -- Aggregation, D -- Synchronization, E -- Collecting, F -- Distributing,...
Page 57 Figure 9 Network diagram Configuration procedure Configure Device A: # Create VLAN 10, and assign the port GigabitEthernet 1/0/5 to VLAN 10. <DeviceA> system-view [DeviceA] vlan 10 [DeviceA-vlan10] port gigabitethernet 1/0/5 [DeviceA-vlan10] quit # Create VLAN 20, and assign the port GigabitEthernet 1/0/6 to VLAN 20. [DeviceA] vlan 20 [DeviceA-vlan20] port gigabitethernet 1/0/6 [DeviceA-vlan20] quit...
Page 58 # Configure Layer 2 aggregation group 2 to load share packets based on destination MAC addresses. [DeviceA-Bridge-Aggregation2] link-aggregation load-sharing mode destination-mac [DeviceA-Bridge-Aggregation2] quit # Assign ports GigabitEthernet 1/0/3 and GigabitEthernet 1/0/4 to link aggregation group 2. [DeviceA] interface gigabitethernet 1/0/3 [DeviceA-GigabitEthernet1/0/3] port link-aggregation group 2 [DeviceA-GigabitEthernet1/0/3] quit [DeviceA] interface gigabitethernet 1/0/4...
Page 59: Layer 2 Edge Aggregate Interface Configuration Example
Bridge-Aggregation1 Load-Sharing Mode: source-mac address Bridge-Aggregation2 Load-Sharing Mode: destination-mac address The output shows that: • Link aggregation group 1 distributes packets based on source MAC addresses. • Link aggregation group 2 distributes packets based on destination MAC addresses. Layer 2 edge aggregate interface configuration example Network requirements As shown in Figure...
Page 60 D -- Synchronization, E -- Collecting, F -- Distributing, G -- Defaulted, H -- Expired Aggregate Interface: Bridge-Aggregation1 Creation Mode: Manual Aggregation Mode: Dynamic Loadsharing Type: Shar Management VLANs: None System ID: 0x8000, 000f-e267-6c6a Local: Port Status Priority Index Oper-Key Flag GE1/0/1 32768...
Page 61 [DeviceA-GigabitEthernet1/0/2] quit [DeviceA] interface gigabitethernet 1/0/3 [DeviceA-GigabitEthernet1/0/3] port link-aggregation group 1 [DeviceA-GigabitEthernet1/0/3] quit Configure Device B in the same way Device A is configured. (Details not shown.) Verifying the configuration # Display detailed information about all aggregation groups on Device A. [DeviceA] display link-aggregation verbose Loadsharing Type: Shar -- Loadsharing, NonS -- Non-Loadsharing Port Status: S -- Selected, U -- Unselected, I -- Individual...
Page 62 [DeviceA-Route-Aggregation1] quit # Assign Layer 3 Ethernet interfaces GigabitEthernet 1/0/1 through GigabitEthernet 1/0/3 to aggregation group 1. [DeviceA] interface gigabitethernet 1/0/1 [DeviceA-GigabitEthernet1/0/1] port link-aggregation group 1 [DeviceA-GigabitEthernet1/0/1] quit [DeviceA] interface gigabitethernet 1/0/2 [DeviceA-GigabitEthernet1/0/2] port link-aggregation group 1 [DeviceA-GigabitEthernet1/0/2] quit [DeviceA] interface gigabitethernet 1/0/3 [DeviceA-GigabitEthernet1/0/3] port link-aggregation group 1 [DeviceA-GigabitEthernet1/0/3] quit Configure Device B in the same way Device A is configured.
Page 63 Figure 13 Network diagram Configuration procedure Configure Device A: # Create Layer 2 aggregate interface Bridge-Aggregation 10, and set the link aggregation mode to dynamic. <DeviceA> system-view [DeviceA] interface bridge-aggregation 10 [DeviceA-Bridge-Aggregation10] link-aggregation mode dynamic [DeviceA-Bridge-Aggregation10] quit # Assign GigabitEthernet 1/0/1 through GigabitEthernet 1/0/3 to aggregation group 10. [DeviceA] interface gigabitethernet 1/0/1 [DeviceA-GigabitEthernet1/0/1] port link-aggregation group 10 [DeviceA-GigabitEthernet1/0/1] quit...
Page 64 [DeviceB-GigabitEthernet1/0/1] port link-aggregation group 2 [DeviceB-GigabitEthernet1/0/1] quit Configure Device C: # Set the LACP system MAC address to 0001-0001-0001. <DeviceC> system-view [DeviceC] lacp system-mac 1-1-1 # Set the LACP system priority to 123. [DeviceC] lacp system-priority 123 # Set the LACP system number to 2. [DeviceC] lacp system-number 2 # Create Layer 2 aggregate interface Bridge-Aggregation 3, and set the link aggregation mode to dynamic.
Page 65 Aggregate Interface: Bridge-Aggregation10 Creation Mode: Manual Aggregation Mode: Dynamic Loadsharing Type: Shar Management VLANs: None System ID: 0x8000, 40fa-264f-0100 Local: Port Status Priority Index Oper-Key Flag GE1/0/1(R) 32768 {ACDEF} GE1/0/2 32768 {ACDEF} GE1/0/3 32768 {ACDEF} Remote: Actor Priority Index Oper-Key SystemID Flag GE1/0/1 32768...
Page 66 Contents Configuring DRNI ············································································· 1 DRNI overview ·························································································································· 1 DRNI network model ············································································································ 1 DRCP ······························································································································· 2 Keepalive and failover mechanism ·························································································· 2 MAD mechanism ················································································································· 2 DR system setup process ····································································································· 3 ...
Page 67: Configuring Drni
Configuring DRNI DRNI overview Distributed Resilient Network Interconnect (DRNI) virtualizes two physical devices into one system through multichassis link aggregation. DRNI network model As shown in Figure 1, DRNI virtualizes two devices into a distributed-relay (DR) system, which connects to the remote aggregation system through a multichassis aggregate link. To the remote aggregation system, the DR system is one device.
Page 68: Drcp
packets and data packets through the intra-portal link (IPL) established between them. A DR system has only one IPL. DR member devices use a keepalive link to monitor each other's state. For more information about the keepalive mechanism, see "Keepalive and failover mechanism."...
Page 69: Dr System Setup Process
When the IPL comes up, the secondary DR device starts a delay timer and begins to restore table entries (including MAC address entries and ARP entries) from the primary DR device. When the delay timer expires, the secondary DR device brings up all network interfaces. IMPORTANT: For correct keepalive detection, you must exclude the interfaces used for keepalive detection from the shutdown action by DRNI MAD.
Page 70: Configuration Consistency Check
Configuration consistency check During DR system setup, DR member devices exchange the configuration and perform configuration consistency check to verify their consistency in the following configurations: • Type 1 configuration—Settings that affect traffic forwarding of the DR system. If an inconsistency in type 1 configuration is detected, the secondary DR device shuts down its DR interfaces.
Page 71: Drni Failure Handling Mechanisms
Table 3 Global type 2 configuration Setting Details VLAN interfaces Up VLAN interfaces of which the VLANs contain the IPP. Passing tagged VLANs VLANs of which the IPP forwards tagged traffic or PVID of which the IPP forwards or passing PVID traffic.
Page 72: Protocols And Standards
In this situation, the primary DR device forwards all traffic for the DR system. When the IPP comes up, the secondary DR device does not bring up the network interfaces immediately. Instead, it starts a delay timer and begins to recover data from the primary DR device. When the delay timer expires, the secondary DR device brings up all network interfaces.
Page 73: Drni Configuration Restrictions And Guidelines
On a DRNI system, you can use only the following features: Category Features MAC address table. Layer 2 Ethernet link aggregation. Layer 2—LAN switching VLAN. Spanning tree. LLDP. Layer 3—IP services ARP. OSPF. Routing BGP. High availability VRRP. Network management and monitoring NTP.
Page 74: Configuring Dr System Settings
Setting the DR system number Setting the DR system priority Setting the DR role priority of the device Configuring DR keepalive settings Excluding an interface from the shutdown action by DRNI MAD Configuring DR keepalive packet parameters Setting the DR keepalive interval and timeout timer Configuring a DR interface Specifying a Layer 2 aggregate interface as the IPP (Optional.)
Page 75: Setting The Dr System Priority
Configuration procedure To set the DR system number: Step Command Remarks Enter system view. system-view drni system-number By default, the DR system number Set the DR system number. system-number is not set. Setting the DR system priority Overview A DR system uses its DR system priority as the system LACP priority to communicate with the remote aggregation system.
Page 76: Configuring Dr Keepalive Settings
Configuring DR keepalive settings Configuration restrictions and guidelines Use Layer 3 Ethernet interfaces or management Ethernet interfaces to set up the keepalive link. Make sure the two ends use the same keepalive settings. DR member devices check the peer keepalive settings for consistency. If an inconsistency is found, the device will prompt for configuration revision.
Page 77: Setting The Dr Keepalive Interval And Timeout Timer
Configuration restrictions and guidelines Make sure the DR member devices in a DR system use the same keepalive destination UDP port. Configuration procedure To configure DR keepalive packet parameters: Step Command Remarks Enter system view. system-view By default, the DR keepalive drni keepalive { ip | ipv6 } packet parameters are not destination { ipv4-address |...
Page 78: Specifying A Layer 2 Aggregate Interface As The Ipp
Configuration procedure To configure a DR interface: Step Command Enter system view. system-view Enter Layer 2 aggregate interface view. interface bridge-aggregation interface-number Assign the aggregate interface to a DR group. port drni group group-id Specifying a Layer 2 aggregate interface as the Configuration restrictions and guidelines A DR member device can have only one IPP.
Page 79: Disabling Configuration Consistency Check
Step Command Enter Layer 2 aggregate interface view. interface bridge-aggregation interface-number Specify the interface as the IPP. port drni intra-portal-port port-id Disabling configuration consistency check Overview To ensure that the DR system can operate correctly, DRNI by default performs configuration consistency check when the DR system is set up.
Page 80: Setting The Keepalive Hold Timer For Identifying The Cause Of Ipl Down Events
Setting the keepalive hold timer for identifying the cause of IPL down events Overview The keepalive hold timer starts when the IPL goes down. The keepalive hold timer specifies the amount of time that the device uses to identify the cause of an IPL down event. •...
Page 81: Setting The Data Restoration Interval
Setting the data restoration interval Overview The data restoration interval specifies the maximum amount of time for the secondary DR device to synchronize data with the primary DR device during DR system setup. Within the data restoration interval, the secondary DR device sets all network interfaces to DRNI MAD DOWN state, except for the following interfaces: •...
Page 82: Drni Configuration Examples
DRNI configuration examples Basic DRNI function configuration example Network requirements As shown in Figure 6, configure DRNI on Device A and Device B to establish a multichassis aggregate link with Device C. Figure 6 Network diagram Configuration procedure Configure Device A: # Configure DR system settings.
Page 83 # Assign GigabitEthernet 1/0/1 and GigabitEthernet 1/0/2 to aggregation group 3. [DeviceA] interface gigabitethernet 1/0/1 [DeviceA-GigabitEthernet1/0/1] port link-aggregation group 3 [DeviceA-GigabitEthernet1/0/1] quit [DeviceA] interface gigabitethernet 1/0/2 [DeviceA-GigabitEthernet1/0/2] port link-aggregation group 3 [DeviceA-GigabitEthernet1/0/2] quit # Specify Bridge-Aggregation 3 as the IPP. [DeviceA] interface bridge-aggregation 3 [DeviceA-Bridge-Aggregation3] port drni intra-portal-port 1 [DeviceA-Bridge-Aggregation3] quit...
Page 84 [DeviceB] interface gigabitethernet 1/0/1 [DeviceB-GigabitEthernet1/0/1] port link-aggregation group 3 [DeviceB-GigabitEthernet1/0/1] quit [DeviceB] interface gigabitethernet 1/0/2 [DeviceB-GigabitEthernet1/0/2] port link-aggregation group 3 [DeviceB-GigabitEthernet1/0/2] quit # Specify Bridge-Aggregation 3 as the IPP. [DeviceB] interface bridge-aggregation 3 [DeviceB-Bridge-Aggregation3] port drni intra-portal-port 1 [DeviceB-Bridge-Aggregation3] quit # Create Layer 2 dynamic aggregate interface Bridge-Aggregation 4.
Page 85 Source IP address: 1.1.1.2 Keepalive UDP port : 6400 Keepalive VPN name : N/A Keepalive interval : 1000 ms Keepalive timeout : 5 sec Keepalive hold time: 3 sec # Verify that the IPP and the DR interface are working correctly on Device A. [DeviceA] display drni summary Global consistency check : SUCCESS...
Page 86: Drni Layer 3 Forwarding Configuration Example
GE1/0/4 32768 {ACDEF} Remote: Actor Priority Index Oper-Key SystemID Flag GE1/0/1 32768 16387 40004 0x7b , 0001-0001-0001 {ACDEF} GE1/0/2 32768 16388 40004 0x7b , 0001-0001-0001 {ACDEF} GE1/0/3 32768 32771 40004 0x7b , 0001-0001-0001 {ACDEF} GE1/0/4 32768 32772 40004 0x7b , 0001-0001-0001 {ACDEF} DRNI Layer 3 forwarding configuration example Network requirements As shown in...
Page 87 # Set the link mode of GigabitEthernet 1/0/5 to Layer 3, and assign the interface an IP address. The IP address will be used as the source IP address of keepalive packets. [DeviceA] interface gigabitethernet 1/0/5 [DeviceA-GigabitEthernet1/0/5] port link-mode route [DeviceA-GigabitEthernet1/0/5] ip address 1.1.1.1 24 [DeviceA-GigabitEthernet1/0/5] quit # Exclude the interface used for DR keepalive detection (GigabitEthernet 1/0/5) from the...
Page 88 [DeviceA] interface bridge-aggregation 100 [DeviceA-Bridge-Aggregation100] port link-type trunk [DeviceA-Bridge-Aggregation100] port trunk permit vlan 100 [DeviceA-Bridge-Aggregation100] quit # Set the link type of Bridge-Aggregation 101 to trunk, and assign it to VLAN 101. [DeviceA] interface bridge-aggregation 101 [DeviceA-Bridge-Aggregation101] port link-type trunk [DeviceA-Bridge-Aggregation101] port trunk permit vlan 101 [DeviceA-Bridge-Aggregation101] quit # Set the link type of Bridge-Aggregation 125 to trunk, and assign it to VLAN 100 and VLAN...
Page 89 # Configure DR keepalive parameters. [DeviceB] drni keepalive ip destination 1.1.1.1 source 1.1.1.2 # Set the link mode of GigabitEthernet 1/0/5 to Layer 3, and assign the interface an IP address. The IP address will be used as the source IP address of keepalive packets. [DeviceB] interface gigabitethernet 1/0/5 [DeviceB-GigabitEthernet1/0/5] port link-mode route [DeviceB-GigabitEthernet1/0/5] ip address 1.1.1.2 24...
Page 90 [DeviceB-vlan101] quit # Set the link type of Bridge-Aggregation 100 to trunk, and assign it to VLAN 100. [DeviceB] interface bridge-aggregation 100 [DeviceB-Bridge-Aggregation100] port link-type trunk [DeviceB-Bridge-Aggregation100] port trunk permit vlan 100 [DeviceB-Bridge-Aggregation100] quit # Set the link type of Bridge-Aggregation 101 to trunk, and assign it to VLAN 101. [DeviceB] interface bridge-aggregation 101 [DeviceB-Bridge-Aggregation101] port link-type trunk [DeviceB-Bridge-Aggregation101] port trunk permit vlan 101...
Page 91 [DeviceC-if-range] port link-aggregation group 100 [DeviceC-if-range] quit # Create VLAN 100. [DeviceC] vlan 100 [DeviceC-vlan100] quit # Set the link type of Bridge-Aggregation 100 to trunk, and assign it to VLAN 100. [DeviceC] interface bridge-aggregation 100 [DeviceC-Bridge-Aggregation100] port link-type trunk [DeviceC-Bridge-Aggregation100] port trunk permit vlan 100 [DeviceC-Bridge-Aggregation100] quit # Set the link type of GigabitEthernet 1/0/3 to trunk, and assign it to VLAN 100.
Page 92 [DeviceD-GigabitEthernet1/0/3] port trunk permit vlan 101 [DeviceD-GigabitEthernet1/0/3] quit # Create VLAN-interface 101, and assign it an IP address. [DeviceD] interface vlan-interface 101 [DeviceD-vlan-interface101] ip address 20.1.1.3 24 [DeviceD-vlan-interface101] quit # Configure OSPF. [DeviceD] ospf [DeviceD-ospf-1] import-route direct [DeviceD-ospf-1] area 0 [DeviceD-ospf-1-area-0.0.0.0] network 20.1.1.0 0.0.0.255 [DeviceD-ospf-1-area-0.0.0.0] quit [DeviceD-ospf-1] quit...
Page 93 Contents Configuring port isolation ··································································· 1 Restrictions and guidelines: Port isolation configuration······································································ 1 Assigning a port to an isolation group ····························································································· 1 Displaying and maintaining port isolation ························································································· 2 Port isolation configuration example ······························································································· 2 ...
Page 94: Configuring Port Isolation
Configuring port isolation The port isolation feature isolates Layer 2 traffic for data privacy and security without using VLANs. Ports in an isolation group cannot communicate with each other. However, they can communicate with ports outside the isolation group. Restrictions and guidelines: Port isolation configuration Follow these guidelines when you configure port isolation: •...
Page 95: Displaying And Maintaining Port Isolation
Step Command Remarks By default, the port is not in any isolation group. You can assign a port to only one Assign the port to the port-isolate enable group isolation group. If you execute the isolation group. group-id port-isolate enable group command multiple times, the most recent configuration takes effect.
Page 96: Verifying The Configuration
<Device> system-view [Device] port-isolate group 2 [Device-port-isolate-group2] quit # Assign GigabitEthernet 1/0/1, GigabitEthernet 1/0/2, and GigabitEthernet 1/0/3 to isolation group [Device] interface gigabitethernet 1/0/1 [Device-GigabitEthernet1/0/1] port-isolate enable group 2 [Device-GigabitEthernet1/0/1] quit [Device] interface gigabitethernet 1/0/2 [Device-GigabitEthernet1/0/2] port-isolate enable group 2 [Device-GigabitEthernet1/0/2] quit [Device] interface gigabitethernet 1/0/3 [Device-GigabitEthernet1/0/3] port-isolate enable group 2...
Page 97 Contents Configuring VLANs ··········································································· 1 Overview ·································································································································· 1 VLAN frame encapsulation ···································································································· 1 Protocols and standards ······································································································· 2 Configuration restrictions and guidelines ························································································· 2 Configuring basic VLAN settings ··································································································· 2 Configuring VLAN interfaces ········································································································ 3 ...
Page 98 Automatically identifying IP phones through LLDP ···································································· 47 Advertising the voice VLAN information to IP phones ······································································· 47 IP phone access methods ·········································································································· 47 Connecting the host and the IP phone in series ······································································· 47 Connecting the IP phone to the device ···················································································...
Page 99: Configuring Vlans
Configuring VLANs Overview Ethernet is a family of shared-media LAN technologies based on the CSMA/CD mechanism. An Ethernet LAN is both a collision domain and a broadcast domain. Because the medium is shared, collisions and broadcasts are common in an Ethernet LAN. Typically, bridges and Layer 2 switches can reduce collisions in an Ethernet LAN.
Page 100: Protocols And Standards
TPID to a different value. For compatibility with a neighbor device, set the TPID value on the device to be the same as the neighbor device. • Priority—3-bit long, identifies the 802.1p priority of the frame. For more information, see ACL and QoS Configuration Guide.
Page 101: Configuring Vlan Interfaces
Step Command Remarks format. If the VLAN ID has fewer than four digits, leading zeros are added. For example, the default description of VLAN 100 is VLAN 0100. NOTE: • As the system default VLAN, VLAN 1 cannot be created or deleted. •...
Page 102: Configuring Port-Based Vlans
Configuring port-based VLANs Introduction Port-based VLANs group VLAN members by port. A port forwards packets from a VLAN only after it is assigned to the VLAN. Port link type You can set the link type of a port to access, trunk, or hybrid. The port link type determines whether the port can be assigned to multiple VLANs.
Page 103: Assigning An Access Port To A Vlan
Actions Access Trunk Hybrid tagged frame the PVID. • Drops the frame if its VLAN ID is different from the PVID. • Removes the tag and sends the frame if the frame carries the PVID tag and the Sends the frame if its VLAN is port belongs to the permitted on the port.
Page 104: Assigning A Trunk Port To A Vlan
Step Command Remarks access. access ports. (Optional.) Assign the By default, all access ports port access vlan vlan-id access port to a VLAN. belong to VLAN 1. Assigning a trunk port to a VLAN A trunk port supports multiple VLANs. You can assign it to a VLAN in interface view. When you assign a trunk port to a VLAN, follow these restrictions and guidelines: •...
Page 105: Configuring Mac-Based Vlans
Step Command Remarks interface-number Set the port link type to By default, all ports are port link-type hybrid hybrid. access ports. By default, the hybrid port is an untagged member of the Assign the hybrid port port hybrid vlan vlan-id-list { tagged | VLAN to which the port to the specified VLANs.
Page 106 When a match is found, the port tags the packet with the matching VLAN ID. • For a tagged frame, the port determines whether the VLAN ID of the frame is permitted on the port. If the VLAN ID of the frame is permitted on the port, the port forwards the frame. If the VLAN ID of the frame is not permitted on the port, the port drops the frame.
Page 107 Figure 3 Flowchart for processing a frame in dynamic MAC-based VLAN assignment The port receives a frame Tagged frame ? Selects a VLAN for the Gets the source MAC frame Uses source MAC to match the MAC in MAC- to-VLAN entries MAC addresses VLAN ID match the Is the VLAN ID the primary VLAN ID and the...
Page 108: General Configuration Restrictions And Guidelines
Assigns the port that connects the user to the MAC-based VLAN. When the user goes offline, the device automatically deletes the MAC-to-VLAN entry and removes the port from the MAC-based VLAN. For more information about 802.1X and MAC authentication, see Security Configuration Guide. General configuration restrictions and guidelines When you configure MAC-based VLANs, follow these restrictions and guideline: •...
Page 109 b. undo mac-vlan enable c. mac-vlan enable d. mac-vlan trigger enable • As a best practice to ensure correct operation of 802.1X and MAC authentication, do not use dynamic MAC-based VLAN assignment with 802.1X or MAC authentication. • As a best practice, do not both configure dynamic MAC-based VLAN assignment and disable MAC address learning on a port.
Page 110: Configuring Server-Assigned Mac-Based Vlan
Step Command Remarks By default, the system assigns (Optional.) Configure VLANs based on the MAC the system to assign address preferentially when VLANs based on the vlan precedence mac-vlan both the MAC-based VLAN and MAC address IP subnet-based VLAN are preferentially.
Page 111: Configuring Protocol-Based Vlans
Task Command Remarks Enter system view. system-view Enter VLAN view. vlan vlan-id By default, a VLAN is not associated with an IP subnet or IP address. Associate the VLAN ip-subnet-vlan [ ip-subnet-index ] ip with an IP subnet or A multicast subnet or a multicast ip-address [ mask ] IP address.
Page 112: Configuring A Vlan Group
The voice VLAN in automatic mode processes only tagged voice traffic. Do not configure a VLAN as both a protocol-based VLAN and a voice VLAN. To configure a protocol-based VLAN: Step Command Remarks Enter system view. system-view Enter VLAN view. vlan vlan-id protocol-vlan [ protocol-index ] { at | ipv4 Associate the VLAN...
Page 113: Enabling Packet Statistics For A Vlan
Enabling packet statistics for a VLAN When you need to examine or troubleshoot the network, you can enable packet statistics for a VLAN to monitor the total number of packets in the VLAN. The VLAN packet statistics include statistics on unicast, multicast, and broadcast packets.
Page 114: Vlan Configuration Examples
Task Command mode). slot-number ] VLAN configuration examples Port-based VLAN configuration example Network requirements As shown in Figure • Host A and Host C belong to Department A. VLAN 100 is assigned to Department A. • Host B and Host D belong to Department B. VLAN 200 is assigned to Department B. Configure port-based VLANs so that only hosts in the same department can communicate with each other.
Page 115: Mac-Based Vlan Configuration Example
Verifying the configuration # Verify that Host A and Host C can ping each other, but they both fail to ping Host B and Host D. (Details not shown.) # Verify that Host B and Host D can ping each other, but they both fail to ping Host A and Host C. (Details not shown.) # Verify that VLANs 100 and 200 are correctly configured on Device A.
Page 116 Figure 5 Network diagram Configuration procedure Configure Device A: # Create VLANs 100 and 200. <DeviceA> system-view [DeviceA] vlan 100 [DeviceA-vlan100] quit [DeviceA] vlan 200 [DeviceA-vlan200] quit # Associate the MAC addresses of Laptop 1 and Laptop 2 with VLANs 100 and 200, respectively.
Page 117: Ip Subnet-Based Vlan Configuration Example
<DeviceB> system-view [DeviceB] vlan 100 [DeviceB-vlan100] port gigabitethernet 1/0/3 [DeviceB-vlan100] quit # Create VLAN 200 and assign GigabitEthernet 1/0/4 to VLAN 200. [DeviceB] vlan 200 [DeviceB-vlan200] port gigabitethernet 1/0/4 [DeviceB-vlan200] quit # Configure GigabitEthernet 1/0/1 as a trunk port, and assign the port to VLANs 100 and 200. [DeviceB] interface gigabitethernet 1/0/1 [DeviceB-GigabitEthernet1/0/1] port link-type trunk [DeviceB-GigabitEthernet1/0/1] port trunk permit vlan 100 200...
Page 118 Figure 6 Network diagram Configuration procedure Configure Device C: # Associate IP subnet 192.168.5.0/24 with VLAN 100. <DeviceC> system-view [DeviceC] vlan 100 [DeviceC-vlan100] ip-subnet-vlan ip 192.168.5.0 255.255.255.0 [DeviceC-vlan100] quit # Associate IP subnet 192.168.50.0/24 with VLAN 200. [DeviceC] vlan 200 [DeviceC-vlan200] ip-subnet-vlan ip 192.168.50.0 255.255.255.0 [DeviceC-vlan200] quit # Configure GigabitEthernet 1/0/2 as a hybrid port, and assign it to VLAN 100 as a tagged...
Page 119 [DeviceC] interface gigabitethernet 1/0/1 [DeviceC-GigabitEthernet1/0/1] port link-type hybrid [DeviceC-GigabitEthernet1/0/1] port hybrid vlan 100 200 untagged # Associate GigabitEthernet 1/0/1 with the IP subnet-based VLANs 100 and 200. [DeviceC-GigabitEthernet1/0/1] port hybrid ip-subnet-vlan vlan 100 [DeviceC-GigabitEthernet1/0/1] port hybrid ip-subnet-vlan vlan 200 [DeviceC-GigabitEthernet1/0/1] quit Configure Device A and Device B to forward packets from VLANs 100 and 200, respectively.
Page 120 Figure 7 Network diagram VLAN 100 VLAN 200 IPv4 server IPv6 server GE1/0/3 GE1/0/4 GE1/0/1 GE1/0/2 Device L2 switch A L2 switch B IPv4 host A IPv6 host A IPv4 host B IPv6 host B VLAN 100 VLAN 200 VLAN 100 VLAN 200 Configuration procedure In this example, L2 Switch A and L2 Switch B use the factory configuration.
Page 121 # Configure GigabitEthernet 1/0/1 as a hybrid port, and assign it to VLANs 100 and 200 as an untagged VLAN member. [Device] interface gigabitethernet 1/0/1 [Device-GigabitEthernet1/0/1] port link-type hybrid [Device-GigabitEthernet1/0/1] port hybrid vlan 100 200 untagged # Associate GigabitEthernet 1/0/1 with the IPv4 and ARP protocol templates of VLAN 100 and the IPv6 protocol template of VLAN 200.
Page 122 IPv4 Active Ethernet II Etype 0x0806 Active IPv6 Active Interface: GigabitEthernet 1/0/2 VLAN ID Protocol index Protocol type Status IPv4 Active Ethernet II Etype 0x0806 Active IPv6 Active...
Page 123: Configuring Super Vlans
Configuring super VLANs Overview Hosts in a VLAN typically use IP addresses in the same subnet. For Layer 3 interoperability with other VLANs, you can create a VLAN interface for the VLAN and assign an IP address to it. This requires a large number of IP addresses.
Page 124: Configuring A Super Vlan
Configuring a super VLAN When you configure a super VLAN, follow these restrictions and guidelines: • Do not configure the VLAN of a MAC address-to-VLAN entry as a super VLAN. • Do not configure a VLAN as both a super VLAN and a guest VLAN, Auth-Fail VLAN, or critical VLAN.
Page 125: Displaying And Maintaining Super Vlans
Step Command Remarks proxy ARP and ND, see Layer 3—IP Services Configuration Guide. For more information about local-proxy-arp enable and local-proxy-nd enable commands, see Layer 3—IP Services Command Reference. Displaying and maintaining super VLANs Execute display commands in any view. Task Command Display information about super VLANs and their...
Page 126: Verifying The Configuration
<DeviceA> system-view [DeviceA] vlan 10 [DeviceA-vlan10] quit # Create VLAN-interface 10, and assign IP address 10.1.1.1/24 to it. [DeviceA] interface vlan-interface 10 [DeviceA-Vlan-interface10] ip address 10.1.1.1 255.255.255.0 # Enable local proxy ARP. [DeviceA-Vlan-interface10] local-proxy-arp enable [DeviceA-Vlan-interface10] quit # Create VLAN 2, and assign GigabitEthernet 1/0/1 and GigabitEthernet 1/0/2 to the VLAN. [DeviceA] vlan 2 [DeviceA-vlan2] port gigabitethernet 1/0/1 gigabitethernet 1/0/2 [DeviceA-vlan2] quit...
Page 127 VLAN type: Static It is a sub VLAN. Route interface: Configured Ipv4 address: 10.1.1.1 Ipv4 subnet mask: 255.255.255.0 Description: VLAN 0002 Name: VLAN 0002 Tagged ports: None Untagged ports: GigabitEthernet1/0/1 GigabitEthernet1/0/2 VLAN ID: 3 VLAN type: Static It is a sub VLAN. Route interface: Configured Ipv4 address: 10.1.1.1 Ipv4 subnet mask: 255.255.255.0...
Page 128: Configuring The Private Vlan
Configuring the private VLAN VLAN technology provides a method for isolating traffic from customers. At the access layer of a network, customer traffic must be isolated for security or accounting purposes. If VLANs are assigned on a per-user basis, a large number of VLANs will be required. The private VLAN feature saves VLAN resources.
Page 129: Configuration Restrictions And Guidelines
Associate the secondary VLANs with the primary VLAN. Configure the uplink and downlink ports: Configure the uplink port (for example, the port connecting L2 Device B to L3 Device A Figure − When the port allows only one primary VLAN, configure the port as a promiscuous port of the primary VLAN.
Page 130 Step Command Remarks Enter system view. system-view Create a VLAN and enter vlan vlan-id VLAN view. Configure the VLAN as a By default, a VLAN is not a private-vlan primary primary VLAN. primary VLAN. Return to system view. quit Create one or multiple vlan { vlan-id-list | all } secondary VLANs.
Page 131: Displaying And Maintaining The Private Vlan
Step Command Remarks 16. Return to system view. quit 17. Enter VLAN view of a vlan vlan-id secondary VLAN. 18. (Optional.) Enable Layer 2 By default, ports in the same • undo private-vlan isolated communication for ports in secondary VLAN can •...
Page 132 • On Device C, VLAN 6 is a primary VLAN that is associated with secondary VLANs 3 and 4. GigabitEthernet 1/0/5 is in VLAN 6. GigabitEthernet 1/0/3 is in VLAN 3. GigabitEthernet 1/0/4 is in VLAN 4. • Device A is aware of only VLAN 5 on Device B and VLAN 6 on Device C. Figure 10 Network diagram Configuration procedure This example describes the configurations on Device B and Device C.
Page 133 [DeviceB] interface gigabitethernet 1/0/3 [DeviceB-GigabitEthernet1/0/3] port access vlan 3 [DeviceB-GigabitEthernet1/0/3] port private-vlan host [DeviceB-GigabitEthernet1/0/3] quit Configure Device C: # Configure VLAN 6 as a primary VLAN. <DeviceC> system-view [DeviceC] vlan 6 [DeviceC–vlan6] private-vlan primary [DeviceC–vlan6] quit # Create VLANs 3 and 4. [DeviceC] vlan 3 to 4 # Associate secondary VLANs 3 and 4 with primary VLAN 6.
Page 134: Trunk Promiscuous Port Configuration Example
VLAN ID: 2 VLAN type: Static Private VLAN type: Secondary Route interface: Not configured Description: VLAN 0002 Name: VLAN 0002 Tagged ports: None Untagged ports: GigabitEthernet1/0/2 GigabitEthernet1/0/5 VLAN ID: 3 VLAN type: Static Private VLAN type: Secondary Route interface: Not configured Description: VLAN 0003 Name: VLAN 0003 Tagged Ports:...
Page 135 Figure 11 Network diagram Device A VLAN 5 GE1/0/1 VLAN 10 GE1/0/1 Device B GE1/0/2 GE1/0/5 GE1/0/3 GE1/0/4 Host C Host D Host B Host A VLAN 6 VLAN 8 VLAN 3 VLAN 2 Configuration procedure Configure Device B: # Configure VLANs 5 and 10 as primary VLANs. <DeviceB>...
Page 136 # Assign downlink port GigabitEthernet 1/0/2 to VLAN 2, and configure the port as a host port. [DeviceB] interface gigabitethernet 1/0/2 [DeviceB-GigabitEthernet1/0/2] port access vlan 2 [DeviceB-GigabitEthernet1/0/2] port private-vlan host [DeviceB-GigabitEthernet1/0/2] quit # Assign downlink port GigabitEthernet 1/0/3 to VLAN 3, and configure the port as a host port. [DeviceB] interface gigabitethernet 1/0/3 [DeviceB-GigabitEthernet1/0/3] port access vlan 3 [DeviceB-GigabitEthernet1/0/3] port private-vlan host...
Page 137: Trunk Promiscuous And Trunk Secondary Port Configuration Example
GigabitEthernet1/0/2 GigabitEthernet1/0/3 VLAN ID: 2 VLAN type: Static Private VLAN type: Secondary Route interface: Not configured Description: VLAN 0002 Name: VLAN 0002 Tagged ports: GigabitEthernet1/0/1 Untagged ports: GigabitEthernet1/0/2 VLAN ID: 3 VLAN type: Static Private VLAN type: Secondary Route interface: Not configured Description: VLAN 0003 Name: VLAN 0003 Tagged ports:...
Page 138 Figure 12 Network diagram Configuration procedure Configure Device A: # Configure VLANs 10 and 20 as primary VLANs. <DeviceA> system-view [DeviceA] vlan 10 [DeviceA-vlan10] private-vlan primary [DeviceA-vlan10] quit [DeviceA] vlan 20 [DeviceA-vlan20] private-vlan primary [DeviceA-vlan20] quit # Create VLANs 11, 12, 21, and 22. [DeviceA] vlan 11 to 12 [DeviceA] vlan 21 to 22 # Associate secondary VLANs 11 and 12 with primary VLAN 10.
Page 139 [DeviceA] interface gigabitethernet 1/0/5 [DeviceA-GigabitEthernet1/0/5] port private-vlan 10 20 trunk promiscuous [DeviceA-GigabitEthernet1/0/5] quit # Assign downlink port GigabitEthernet 1/0/1 to VLAN 22 and configure the port as a host port. [DeviceA] interface gigabitethernet 1/0/1 [DeviceA-GigabitEthernet1/0/1] port access vlan 22 [DeviceA-GigabitEthernet1/0/1] port private-vlan host [DeviceA-GigabitEthernet1/0/1] quit # Assign downlink port GigabitEthernet 1/0/3 to VLAN 12 and configure the port as a host port.
Page 140 [DeviceC-GigabitEthernet1/0/5] port link-type hybrid [DeviceC-GigabitEthernet1/0/5] port hybrid vlan 10 20 tagged [DeviceC-GigabitEthernet1/0/5] quit Verifying the configuration # Verify the primary VLAN configurations on Device A. The following output uses primary VLAN 10 as an example. [DeviceA] display private-vlan 10 Primary VLAN ID: 10 Secondary VLAN ID: 11-12 VLAN ID: 10 VLAN type: Static...
Page 141: Secondary Vlan Layer 3 Communication Configuration Example
• The host port (GigabitEthernet 1/0/3) is an untagged member of primary VLAN 10 and secondary VLAN 12. Secondary VLAN Layer 3 communication configuration example Network requirements As shown in Figure 13, configure the private VLAN feature to meet the following requirements: •...
Page 142 [DeviceA-GigabitEthernet1/0/2] port access vlan 2 [DeviceA-GigabitEthernet1/0/2] port private-vlan host [DeviceA-GigabitEthernet1/0/2] quit # Assign downlink port GigabitEthernet 1/0/3 to VLAN 3, and configure the port as a host port. [DeviceA] interface gigabitethernet 1/0/3 [DeviceA-GigabitEthernet1/0/3] port access vlan 3 [DeviceA-GigabitEthernet1/0/3] port private-vlan host [DeviceA-GigabitEthernet1/0/3] quit # Enable Layer 3 communication between secondary VLANs 2 and 3 that are associated with primary VLAN 10.
Page 143 GigabitEthernet1/0/1 GigabitEthernet1/0/2 VLAN ID: 3 VLAN type: Static Private VLAN type: Secondary Route interface: Configured IPv4 address: 192.168.1.1 IPv4 subnet mask: 255.255.255.0 Description: VLAN 0003 Name: VLAN 0003 Tagged ports: None Untagged ports: GigabitEthernet1/0/1 GigabitEthernet1/0/3 The Route interface field in the output is Configured, indicating that secondary VLANs 2 and 3 are interoperable at Layer 3.
Page 144: Configuring Voice Vlans
OUI address Vendor 0001-e300-0000 Siemens phone 0003-6b00-0000 Cisco phone 0004-0d00-0000 Avaya phone 000f-e200-0000 H3C Aolynk phone 0060-b900-0000 Philips/NEC phone 00d0-1e00-0000 Pingtel phone 00e0-7500-0000 Polycom phone 00e0-bb00-0000 3Com phone Typically, an OUI address refers to the first 24 bits of a MAC address (in binary notation) and is a globally unique identifier that IEEE assigns to a vendor.
Page 145: Automatically Identifying Ip Phones Through Lldp
Automatically identifying IP phones through LLDP If IP phones support LLDP, configure LLDP for automatic IP phone discovery on the device. The device can then automatically discover the peer through LLDP, and exchange LLDP TLVs with the peer. If the LLDP System Capabilities TLV received on a port indicates that the peer can act as a telephone, the device performs the following operations: Sends an LLDP TLV with the voice VLAN configuration to the peer.
Page 146: Connecting The Ip Phone To The Device
Figure 15 Connecting the host and IP phone in series Voice gateway Host IP phone Device Connecting the IP phone to the device As shown in Figure 16, IP phones are connected to the device without the presence of the host. Use this connection method when IP phones sends out untagged voice packets.
Page 147: Manual Mode
When the IP phone reboots, the port is reassigned to the voice VLAN to ensure the correct operation of the existing voice connections. The reassignment occurs automatically without being triggered by voice traffic as long as the voice VLAN operates correctly. Manual mode Use manual mode when only IP phones access the network through the device, as shown in Figure...
Page 148: Security Mode And Normal Mode Of Voice Vlans
If an IP phone sends out tagged voice traffic, and its access port is configured with 802.1X authentication, guest VLAN, Auth-Fail VLAN, or critical VLAN, VLAN IDs must be different for the following VLANs: • Voice VLAN. • PVID of the access port. •...
Page 149: Voice Vlan Configuration Restrictions And Guidelines
Voice VLAN configuration restrictions and guidelines Aggregate interfaces and member ports in an aggregation group do not support the voice VLAN feature. For information about aggregate interface and member ports, see "Configuring Ethernet link aggregation." Voice VLAN configuration task list Tasks at a glance (Required.) Configuring the QoS priority settings for voice traffic...
Page 150: Configuring A Port To Operate In Automatic Voice Vlan Assignment Mode
Configuring a port to operate in automatic voice VLAN assignment mode Configuration restrictions and guidelines When you configure a port to operate in automatic voice VLAN assignment mode, follow these restrictions and guidelines: • Do not configure a VLAN as both a voice VLAN and a protocol-based VLAN. A voice VLAN in automatic mode on a hybrid port processes only tagged incoming voice traffic.
Page 151: Configuring A Port To Operate In Manual Voice Vlan Assignment Mode
Step Command Remarks • port link-type trunk Configure the link type of • the port. port link-type hybrid Configure the port to By default, the automatic operate in automatic voice voice-vlan mode auto voice VLAN assignment mode VLAN assignment mode. is enabled.
Page 152: Enabling Lldp For Automatic Ip Phone Discovery
Step Command Remarks trunk port to a VLAN." PVID of the port. • For the hybrid port, see "Assigning a hybrid port to a VLAN." • For the trunk port, see "Assigning a (Optional.) Configure This step is required for trunk port to a VLAN."...
Page 153: Configuring Cdp To Advertise A Voice Vlan
Step Command Remarks voice VLAN ID. network-policy vlan-id voice VLAN ID is configured. For more information about the command, see Layer 2—LAN Switching Command Reference. For more information about (Optional.) Display the voice the command, see Layer display lldp local-information VLAN advertised by LLDP.
Page 154: Voice Vlan Configuration Examples
Task Command display voice-vlan state Display the voice VLAN state. Display OUI addresses on a device. display voice-vlan mac-address Voice VLAN configuration examples Automatic voice VLAN assignment mode configuration example Network requirements As shown in Figure 17, Device A transmits traffic from IP phones and hosts. For correct voice traffic transmission, perform the following tasks on Device A: •...
Page 155 OUI Address Mask Description 0001-e300-0000 ffff-ff00-0000 Siemens phone 0003-6b00-0000 ffff-ff00-0000 Cisco phone 0004-0d00-0000 ffff-ff00-0000 Avaya phone 000f-e200-0000 ffff-ff00-0000 H3C Aolynk phone 0011-1100-0000 ffff-ff00-0000 IP phone A 0011-2200-0000 ffff-ff00-0000 IP phone B 0060-b900-0000 ffff-ff00-0000 Philips/NEC phone 00d0-1e00-0000 ffff-ff00-0000 Pingtel phone 00e0-7500-0000...
Page 156: Manual Voice Vlan Assignment Mode Configuration Example
Manual voice VLAN assignment mode configuration example Network requirements As shown in Figure 18, IP phone A send untagged voice traffic. To enable GigabitEthernet 1/0/1 to transmit only voice packets, perform the following tasks on Device A: • Create VLAN 2. This VLAN will be used as a voice VLAN. •...
Page 157 [DeviceA] display voice-vlan mac-address OUI Address Mask Description 0001-e300-0000 ffff-ff00-0000 Siemens phone 0003-6b00-0000 ffff-ff00-0000 Cisco phone 0004-0d00-0000 ffff-ff00-0000 Avaya phone 000f-e200-0000 ffff-ff00-0000 H3C Aolynk phone 0011-2200-0000 ffff-ff00-0000 test 0060-b900-0000 ffff-ff00-0000 Philips/NEC phone 00d0-1e00-0000 ffff-ff00-0000 Pingtel phone 00e0-7500-0000 ffff-ff00-0000 Polycom phone 00e0-bb00-0000 ffff-ff00-0000 3Com phone # Display the voice VLAN state.
Page 158 Contents Configuring MVRP ············································································ 1 MRP ······································································································································· 1 MRP implementation ············································································································ 1 MRP messages ·················································································································· 1 MRP timers ························································································································ 3 MVRP registration modes ············································································································ 4 Protocols and standards ·············································································································· 4 MVRP configuration task list ········································································································· 4 ...
Page 159: Configuring Mvrp
Configuring MVRP Multiple Registration Protocol (MRP) is an attribute registration protocol used to transmit attribute values. Multiple VLAN Registration Protocol (MVRP) is a typical MRP application. It synchronizes VLAN information among devices. MVRP propagates local VLAN information to other devices, receives VLAN information from other devices, and dynamically updates local VLAN information.
Page 160 Join message An MRP participant sends a Join message to request the peer participant to register attributes in the Join message. When receiving a Join message from the peer participant, an MRP participant performs the following tasks: • Registers the attributes in the Join message. •...
Page 161: Mrp Timers
LeaveAll message Each MRP participant starts its LeaveAll timer when starting up. When the timer expires, the MRP participant sends LeaveAll messages to the peer participant. Upon sending or receiving a LeaveAll message, the local participant starts the Leave timer. The local participant determines whether to send a Join message depending on its attribute status.
Page 162: Mvrp Registration Modes
• Effectively reduces the number of LeaveAll messages in the network. • Prevents the LeaveAll timer of a particular participant from always expiring first. MVRP registration modes VLAN information propagated by MVRP includes dynamic VLAN information from other devices and local static VLAN information.
Page 163: Configuration Prerequisites
receive undesired copies. For more information about port mirroring, see Network Management and Monitoring Configuration Guide. • MVRP takes effect only on trunk ports. For more information about trunk ports, see "Configuring VLANs." • Enabling MVRP on a Layer 2 aggregate interface takes effect on the aggregate interface and all Selected member ports in the link aggregation group.
Page 164: Setting Mrp Timers
Step Command Remarks Optional. Set an MVRP registration mvrp registration { fixed | The default setting is normal mode for the port. forbidden | normal } registration mode. Setting MRP timers To avoid frequent VLAN registrations and deregistrations, use the same MRP timers throughout the network.
Page 165: Enabling Gvrp Compatibility
Enabling GVRP compatibility Enable GVRP compatibility for MVRP when the peer device supports GVRP. Then, the local end can receive and send both MVRP and GVRP frames. When you enable GVRP compatibility, follow these restrictions and guidelines: • GVRP compatibility enables MVRP to work with STP or RSTP, but not MSTP. •...
Page 166: Configuration Procedure
Figure 2 Network diagram Device A Device B Permit: all VLANs GE1/0/3 GE1/0/3 VLAN 20 VLAN 10 Permit: all VLANs Permit: VLANs 20, 40 VLAN 10 MSTI 1 VLAN 20 MSTI 2 Other VLANs MSTI 0 Device C Device D MSTI 0 MSTI 1 MSTI 2...
Page 167 [DeviceA] mvrp global enable # Configure GigabitEthernet 1/0/1 as a trunk port, and configure it to permit all VLANs. [DeviceA] interface gigabitethernet 1/0/1 [DeviceA-GigabitEthernet1/0/1] port link-type trunk [DeviceA-GigabitEthernet1/0/1] port trunk permit vlan all # Enable MVRP on port GigabitEthernet 1/0/1. [DeviceA-GigabitEthernet1/0/1] mvrp enable [DeviceA-GigabitEthernet1/0/1] quit # Configure GigabitEthernet 1/0/2 as a trunk port, and configure it to permit VLAN 40.
Page 168 # Enable MVRP on GigabitEthernet 1/0/1. [DeviceB-GigabitEthernet1/0/1] mvrp enable [DeviceB-GigabitEthernet1/0/1] quit # Configure GigabitEthernet 1/0/2 as a trunk port, and configure it to permit all VLANs. [DeviceB] interface gigabitethernet 1/0/2 [DeviceB-GigabitEthernet1/0/2] port link-type trunk [DeviceB-GigabitEthernet1/0/2] port trunk permit vlan all # Enable MVRP on GigabitEthernet 1/0/2.
Page 169: Verifying The Configuration
[DeviceC-GigabitEthernet1/0/2] port link-type trunk [DeviceC-GigabitEthernet1/0/2] port trunk permit vlan all # Enable MVRP on GigabitEthernet 1/0/2. [DeviceC-GigabitEthernet1/0/2] mvrp enable [DeviceC-GigabitEthernet1/0/2] quit Configure Device D: # Enter MST region view. <DeviceD> system-view [DeviceD] stp region-configuration # Configure the MST region name, VLAN-to-instance mappings, and revision level. [DeviceD-mst-region] region-name example [DeviceD-mst-region] instance 1 vlan 10 [DeviceD-mst-region] instance 2 vlan 20...
Page 170 Running Status : Enabled Join Timer : 20 (centiseconds) Leave Timer : 60 (centiseconds) Periodic Timer : 100 (centiseconds) LeaveAll Timer : 1000 (centiseconds) Registration Type : Normal Registered VLANs : 1(default) Declared VLANs : 1(default), 10, 20 Propagated VLANs : 1(default) ----[GigabitEthernet1/0/2]---- Config...
Page 171 # Display local VLAN information on Device B. [DeviceB] display mvrp running-status -------[MVRP Global Info]------- Global Status : Enabled Compliance-GVRP : False ----[GigabitEthernet1/0/1]---- Config Status : Enabled Running Status : Enabled Join Timer : 20 (centiseconds) Leave Timer : 60 (centiseconds) Periodic Timer : 100 (centiseconds) LeaveAll Timer...
Page 172 Propagated VLANs : The output shows that the following events have occurred: • GigabitEthernet 1/0/1 has registered VLAN 1, declared VLAN 1 and VLAN 20, and propagated VLAN 1 through MVRP. • GigabitEthernet 1/0/2 has registered VLAN 1 and VLAN 10, declared VLAN 1 and VLAN 20, and propagated VLAN 1.
Page 173 • GigabitEthernet 1/0/2 has registered VLAN 1 and VLAN 20, declared VLAN 1 and VLAN 10, and propagated VLAN 1 and VLAN 20 through MVRP. # Display local VLAN information on Device D. [DeviceD] display mvrp running-status -------[MVRP Global Info]------- Global Status : Enabled Compliance-GVRP...
Page 174 [DeviceB-GigabitEthernet1/0/3] mvrp registration fixed [DeviceB-GigabitEthernet1/0/3] quit # Display local MVRP VLAN information on GigabitEthernet 1/0/3. [DeviceB] display mvrp running-status interface gigabitethernet 1/0/3 -------[MVRP Global Info]------- Global Status : Enabled Compliance-GVRP : False ----[GigabitEthernet1/0/3]---- Config Status : Enabled Running Status : Enabled Join Timer : 20 (centiseconds) Leave Timer...
Page 175 Contents Configuring QinQ ············································································· 1 Overview ·································································································································· 1 How QinQ works ················································································································· 1 QinQ implementations ·········································································································· 2 Protocols and standards ······································································································· 3 Restrictions and guidelines ·········································································································· 3 Enabling QinQ ··························································································································· 3 Configuring transparent transmission for VLANs ··············································································· 3 ...
Page 176: Configuring Qinq
Configuring QinQ This document uses the following terms: • CVLAN—Customer network VLANs, also called inner VLANs, refer to VLANs that a customer uses on the private network. • SVLAN—Service provider network VLANs, also called outer VLANs, refer to VLANs that a service provider uses to transmit VLAN tagged traffic for customers.
Page 177: Qinq Implementations
When a tagged Ethernet frame from CE 1 arrives at PE 1, the PE tags the frame with SVLAN 3. The double-tagged Ethernet frame travels over the service provider network until it arrives at PE 2. PE 2 removes the SVLAN tag of the frame, and then sends the frame to CE 4. Figure 2 Typical QinQ application scenario VLANs 1 to 20 VLANs 1 to 10...
Page 178: Protocols And Standards
Protocols and standards • IEEE 802.1Q, IEEE Standard for Local and Metropolitan Area Networks-Virtual Bridged Local Area Networks • IEEE 802.1ad, IEEE Standard for Local and Metropolitan Area Networks-Virtual Bridged Local Area Networks-Amendment 4: Provider Bridges Restrictions and guidelines When you configure QinQ, follow these restrictions and guidelines: •...
Page 179: Configuration Procedure
Configuring the TPID for VLAN tags TPID identifies a frame as an 802.1Q tagged frame. The TPID value varies by vendor. On an H3C device, the TPID in the 802.1Q tag added on a QinQ-enabled port is 0x8100 by default, in compliance with IEEE 802.1Q.
Page 180: Configuring The Tpid For Cvlan Tags
Protocol type Value 0x0800 IPv6 0x86dd PPPoE 0x8863/0x8864 MPLS 0x8847/0x8848 IPX/SPX 0x8137 IS-IS 0x8000 LACP 0x8809 LLDP 0x88cc 802.1X 0x888e 802.1ag 0x8902 Cluster 0x88a7 Reserved 0xfffd/0xfffe/0xffff Configuring the TPID for CVLAN tags Perform this task on the PE device. To configure the TPID value for CVLAN tags: Step Command Remarks...
Page 181: Displaying And Maintaining Qinq
• Copy the 802.1p priority in CVLAN tags to SVLAN tags. For more information about QoS policy commands, see ACL and QoS Command Reference. To set the 802.1p priority in SVLAN tags: Step Command Remarks Enter system view. system-view Create a traffic class and traffic classifier classifier-name [ operator By default, no traffic enter its view.
Page 182: Qinq Configuration Examples
Task Command display qinq [ interface interface-type Display QinQ-enabled ports. interface-number ] QinQ configuration examples Basic QinQ configuration example Network requirements As shown in Figure • The service provider assigns VLAN 100 to Company A's VLANs 10 through 70. • The service provider assigns VLAN 200 to Company B's VLANs 30 through 90.
Page 183 # Set the PVID of GigabitEthernet 1/0/1 to VLAN 100. [PE1-GigabitEthernet1/0/1] port trunk pvid vlan 100 # Enable QinQ on GigabitEthernet 1/0/1. [PE1-GigabitEthernet1/0/1] qinq enable [PE1-GigabitEthernet1/0/1] quit # Configure GigabitEthernet 1/0/2 as a trunk port, and assign it to VLANs 100 and 200. [PE1] interface gigabitethernet 1/0/2 [PE1-GigabitEthernet1/0/2] port link-type trunk [PE1-GigabitEthernet1/0/2] port trunk permit vlan 100 200...
Page 184: Vlan Transparent Transmission Configuration Example
[PE2-GigabitEthernet1/0/3] quit Configure the devices between PE 1 and PE 2: # Set the MTU to a minimum of 1504 bytes for each port on the path of QinQ frames. (Details not shown.) # Configure all ports on the forwarding path to allow frames from VLANs 100 and 200 to pass through without removing the VLAN tag.
Page 185 [PE1] interface gigabitethernet 1/0/2 [PE1-GigabitEthernet1/0/2] port link-type trunk [PE1-GigabitEthernet1/0/2] port trunk permit vlan 100 3000 [PE1-GigabitEthernet1/0/2] quit Configure PE 2: # Configure GigabitEthernet 1/0/1 as a trunk port, and assign it to VLANs 100 and 3000. <PE2> system-view [PE2] interface gigabitethernet 1/0/1 [PE2-GigabitEthernet1/0/1] port link-type trunk [PE2-GigabitEthernet1/0/1] port trunk permit vlan 100 3000 # Set the PVID of GigabitEthernet 1/0/1 to VLAN 100.
Page 186 Contents Configuring VLAN mapping ································································ 1 Overview ·································································································································· 1 VLAN mapping application scenarios ······················································································· 1 VLAN mapping implementations ····························································································· 3 VLAN mapping configuration task list ····························································································· 6 Configuring one-to-one VLAN mapping ··························································································· 7 Configuring many-to-one VLAN mapping ························································································...
Page 187: Configuring Vlan Mapping
Configuring VLAN mapping Overview VLAN mapping re-marks VLAN tagged traffic with new VLAN IDs. H3C provides the following types of VLAN mapping: • One-to-one VLAN mapping—Replaces one VLAN tag with another. • Many-to-one VLAN mapping—Replaces multiple VLAN tags with the same VLAN tag.
Page 188 Figure 1 Application scenario of one-to-one and many-to-one VLAN mapping DHCP client VLAN 1 Home gateway VLAN 2 VLAN 1 -> VLAN 101 VLAN 2 -> VLAN 201 VLAN 3 VoIP VLAN 3 -> VLAN 301 Wiring-closet switch DHCP server VLAN 1 VLAN 1 ->...
Page 189: Vlan Mapping Implementations
Figure 2 Application scenario of one-to-two and two-to-two VLAN mapping Site 1 and Site 2 are in VLAN 2 and VLAN 3, respectively. The SP 1 network assigns SVLAN 10 to Site 1. The SP 2 network assigns SVLAN 20 to Site 2. When the packet from Site 1 arrives at PE 1, PE 1 tags the packet with SVLAN 10 by using one-to-two VLAN mapping.
Page 190 Figure 3 Basic VLAN mapping terms Network-side port Customer-side port Uplink traffic Downlink traffic One-to-one VLAN mapping As shown in Figure 4, one-to-one VLAN mapping is implemented on the customer-side port and replaces VLAN tags as follows: • Replaces the CVLAN with the SVLAN for the uplink traffic. •...
Page 191 Figure 5 Many-to-one VLAN mapping implementation One-to-two VLAN mapping As shown in Figure 6, one-to-two VLAN mapping is implemented on the customer-side port to add the SVLAN tag for the uplink traffic. For the downlink traffic to be correctly sent to the customer network, make sure the SVLAN tag is removed on the customer-side port before transmission.
Page 192: Vlan Mapping Configuration Task List
• Configure the customer-side port as a trunk port, assign it to the SVLAN, and set the port PVID to the SVLAN. • Configure the customer-side port as a hybrid port, assign it to the SVLAN as an untagged member, and set the port PVID to the SVLAN. Figure 7 Zero-to-two VLAN mapping implementation Two-to-two VLAN mapping As shown in...
Page 193: Configuring One-To-One Vlan Mapping
Tasks at a glance Remarks Configure one-to-one VLAN mapping on the Configuring one-to-one VLAN mapping wiring-closet switch, as shown in Figure Configuring many-to-one VLAN mapping • Configuring many-to-one VLAN mapping in a Configure many-to-one VLAN mapping on the network with dynamic IP address assignment campus switch, as shown in Figure •...
Page 194: Configuring Many-To-One Vlan Mapping
Configuring many-to-one VLAN mapping Configure many-to-one VLAN mapping on campus switches (see Figure 1) to transmit the same type of traffic from different users in one VLAN. Configuring many-to-one VLAN mapping in a network with dynamic IP address assignment In a network that uses dynamic address assignment, configure many-to-one VLAN mapping with DHCP snooping.
Page 195 Step Command Remarks By default, ARP detection is disabled. For more information about ARP detection Enable ARP detection. arp detection enable configuration commands, see Security Command Reference. Configuring the customer-side port Step Command Remarks Enter system view. system-view • Enter Layer 2 Ethernet interface view: interface interface-type Enter Layer 2 Ethernet...
Page 196: Configuring Many-To-One Vlan Mapping In A Network With Static Ip Address Assignment
Step Command Remarks • For the hybrid port: port hybrid vlan vlan-id-list tagged By default, all ports that Configure the port as a support DHCP snooping are dhcp snooping trust DHCP snooping trusted port. untrusted ports when DHCP snooping is enabled. Configure the port as an ARP By default, all ports are ARP arp detection trust...
Page 197 Step Command Remarks Enter system view. system-view Enter VLAN view. vlan vlan-id By default, ARP snooping is disabled. For more information about ARP Enable ARP snooping. arp snooping enable snooping commands, see Layer 3—IP Services Command Reference. Configuring the customer-side port Step Command Remarks...
Page 198: Configuring One-To-Two Vlan Mapping
Step Command Remarks hybrid: port link-type hybrid • For the trunk port: port trunk permit vlan vlan-id-list Assign the port to the • translated VLANs. For the hybrid port: port hybrid vlan vlan-id-list tagged Configure the port to use the original VLAN tags of the By default, the port does not many-to-one mapping to...
Page 199: Configuring Zero-To-Two Vlan Mapping
Step Command Remarks port trunk permit vlan { vlan-id-list | all } • For the hybrid port: port hybrid vlan vlan-id-list untagged By default, no VLAN mapping is configured on an interface. Only one SVLAN tag can be vlan mapping nest { range added to packets from the Configure a one-to-two VLAN vlan-range-list | single vlan-id-list }...
Page 200: Configuring Two-To-Two Vlan Mapping
Step Command Remarks untagged b. port hybrid pvid vlan vlan-id vlan mapping untagged Configure a zero-to-two By default, no VLAN mapping nested-outer-vlan outer-vlan-id VLAN mapping. is configured on an interface. nested-inner-vlan inner-vlan-id Configuring two-to-two VLAN mapping Configure two-to-two VLAN mapping on the customer-side port of an edge device that connects two SP networks, for example, on PE 3 in Figure 2.
Page 201: Vlan Mapping Configuration Examples
VLAN mapping configuration examples One-to-one and many-to-one VLAN mapping configuration example Network requirements As shown in Figure • Each household subscribes to PC, VoD, and VoIP services, and obtains the IP address through DHCP. • On the home gateways, VLANs 1, 2, and 3 are assigned to PC, VoD, and VoIP traffic, respectively.
Page 202 Figure 9 Network diagram DHCP client VLAN 1 Home gateway VLAN 2 VLAN 1 -> VLAN 101 VLAN 2 -> VLAN 201 VLAN 3 VoIP VLAN 3 -> VLAN 301 GE1/0/1 GE1/0/3 Wiring-closet Switch A VLAN 1 GE1/0/2 VLAN 1 -> VLAN 102 DHCP server VLAN 2 ->...
Page 203 # Assign GigabitEthernet 1/0/1 to all original VLANs and translated VLANs. [SwitchA-GigabitEthernet1/0/1] port trunk permit vlan 1 2 3 101 201 301 # Configure one-to-one VLAN mappings on GigabitEthernet 1/0/1 to map VLANs 1, 2, and 3 to VLANs 101, 201, and 301, respectively. [SwitchA-GigabitEthernet1/0/1] vlan mapping 1 translated-vlan 101 [SwitchA-GigabitEthernet1/0/1] vlan mapping 2 translated-vlan 201 [SwitchA-GigabitEthernet1/0/1] vlan mapping 3 translated-vlan 301...
Page 204 [SwitchC-vlan203] vlan 303 [SwitchC-vlan303] arp detection enable [SwitchC-vlan303] vlan 104 [SwitchC-vlan104] arp detection enable [SwitchC-vlan104] vlan 204 [SwitchC-vlan204] arp detection enable [SwitchC-vlan204] vlan 304 [SwitchC-vlan304] arp detection enable [SwitchC-vlan304] vlan 501 [SwitchC-vlan501] arp detection enable [SwitchC-vlan501] vlan 502 [SwitchC-vlan502] arp detection enable [SwitchC-vlan502] vlan 503 [SwitchC-vlan503] arp detection enable [SwitchC-vlan503] quit...
Page 205 [SwitchC-GigabitEthernet1/0/3] port link-type trunk # Assign GigabitEthernet 1/0/3 to the translated VLANs. [SwitchC-GigabitEthernet1/0/3] port trunk permit vlan 501 to 503 # Configure GigabitEthernet 1/0/3 as a DHCP snooping trusted and ARP trusted port. [SwitchC-GigabitEthernet1/0/3] dhcp snooping trust [SwitchC-GigabitEthernet1/0/3] arp detection trust [SwitchC-GigabitEthernet1/0/3] quit Configure Switch D: # Create the translated VLANs.
Page 206: One-To-Two And Two-To-Two Vlan Mapping Configuration Example
One-to-two and two-to-two VLAN mapping configuration example Network requirements As shown in Figure • Two VPN A branches, Site 1 and Site 2, are in VLAN 5 and VLAN 6, respectively. • The two sites use different VPN access services from different service providers, SP 1 and SP •...
Page 207 # Configure the network-side port (GigabitEthernet 1/0/2) as a trunk port. [PE1] interface gigabitethernet 1/0/2 [PE1-GigabitEthernet1/0/2] port link-type trunk # Assign GigabitEthernet 1/0/2 to VLAN 100. [PE1-GigabitEthernet1/0/2] port trunk permit vlan 100 [PE1-GigabitEthernet1/0/2] quit Configure PE 2: # Create VLAN 100. <PE2>...
Page 208 # Create VLANs 6 and 200. <PE4> system-view [PE4] vlan 6 [PE4-vlan6] quit [PE4] vlan 200 [PE4-vlan200] quit # Configure the network-side port (GigabitEthernet 1/0/1) as a trunk port. [PE4] interface gigabitethernet 1/0/1 [PE4-GigabitEthernet1/0/1] port link-type trunk # Assign GigabitEthernet 1/0/1 to VLAN 200. [PE4-GigabitEthernet1/0/1] port trunk permit vlan 200 [PE4-GigabitEthernet1/0/1] quit # Configure the customer-side port (GigabitEthernet 1/0/2) as a hybrid port.
Page 209 Contents Configuring loop detection ·································································· 1 Overview ·································································································································· 1 Loop detection mechanism ···································································································· 1 Loop detection interval ········································································································· 2 Loop protection actions ········································································································· 2 Port status auto recovery ······································································································ 2 Loop detection configuration task list ······························································································ 3 ...
Page 210: Configuring Loop Detection
Configuring loop detection Overview Incorrect network connections or configurations can create Layer 2 loops, which results in repeated transmission of broadcasts, multicasts, or unknown unicasts. The repeated transmissions can waste network resources and can paralyze networks. The loop detection mechanism immediately generates a log when a loop occurs so that you are promptly notified to adjust network connections and configurations.
Page 211: Loop Detection Interval
The inner frame header for loop detection contains the following fields: • Code—Protocol sub-type, which is 0x0001, indicating the loop detection protocol. • Version—Protocol version, which is always 0x0000. • Length—Length of the frame. The value includes the inner header, but excludes the Ethernet header.
Page 212: Loop Detection Configuration Task List
The device automatically shuts down the port. The device automatically sets the port to the forwarding state after the detection timer set by using the shutdown-interval command expires. For more information about the shutdown-interval command, see Fundamentals Command Reference. The device shuts down the port again if a loop is still detected on the port when the detection timer expires.
Page 213: Setting The Loop Protection Action
Setting the loop protection action You can set the loop protection action globally or on a per-port basis. The global setting applies to all ports. The per-port setting applies to individual ports. The per-port setting takes precedence over the global setting. Configuration restrictions and guidelines IMPORTANT: To avoid unexpected issues, do not specify the block action on ports when loop detection is enabled...
Page 214: Setting The Loop Detection Interval
Step Command Remarks By default, the device Set the loop protection action loopback-detection action generates a log but performs on the interface. shutdown no action on the port on which a loop is detected. Setting the loop detection interval With loop detection enabled, the device sends loop detection frames at the loopback detection interval.
Page 215: Configuration Procedure
Figure 3 Network diagram Device A GE1/0/1 GE1/0/2 Device B Device C VLAN 100 Configuration procedure Configure Device A: # Create VLAN 100, and globally enable loop detection for the VLAN. <DeviceA> system-view [DeviceA] vlan 100 [DeviceA-vlan100] quit [DeviceA] loopback-detection global enable vlan 100 # Configure GigabitEthernet 1/0/1 and GigabitEthernet 1/0/2 as trunk ports, and assign them to VLAN 100.
Page 216 [DeviceB-GigabitEthernet1/0/1] port link-type trunk [DeviceB-GigabitEthernet1/0/1] port trunk permit vlan 100 [DeviceB-GigabitEthernet1/0/1] quit [DeviceB] interface gigabitethernet 1/0/2 [DeviceB-GigabitEthernet1/0/2] port link-type trunk [DeviceB-GigabitEthernet1/0/2] port trunk permit vlan 100 [DeviceB-GigabitEthernet1/0/2] quit Configure Device C: # Create VLAN 100. <DeviceC> system-view [DeviceC] vlan 100 [DeviceC–vlan100] quit # Configure GigabitEthernet 1/0/1 and GigabitEthernet 1/0/2 as trunk ports, and assign them to VLAN 100.
Page 217 The output shows that the device has removed the loops from GigabitEthernet 1/0/1 and GigabitEthernet 1/0/2 by shutting them down. # Display the status of GigabitEthernet 1/0/1 on devices, for example, Device A. [DeviceA] display interface gigabitethernet 1/0/1 GigabitEthernet1/0/1 current state: DOWN (Loop detection down) The output shows that GigabitEthernet 1/0/1 is already shut down by the loop detection module.
Page 218 Contents Configuring spanning tree protocols ····················································· 1 STP ········································································································································ 1 STP protocol frames ············································································································ 1 Basic concepts in STP ·········································································································· 3 Calculation process of the STP algorithm ················································································· 4 RSTP ···································································································································· 10 RSTP protocol frames ········································································································ 10 ...
Page 219 Enabling the spanning tree feature ······························································································ 38 Enabling the spanning tree feature in STP/RSTP/MSTP mode ···················································· 38 Enabling the spanning tree feature in PVST mode ···································································· 38 Performing mCheck ·················································································································· 39 Configuration restrictions and guidelines ················································································ 39 ...
Page 220: Stp
Configuring spanning tree protocols Spanning tree protocols eliminate loops in a physical link-redundant network by selectively blocking redundant links and putting them in a standby state. The recent versions of STP include the Rapid Spanning Tree Protocol (RSTP), the Per-VLAN Spanning Tree (PVST), and the Multiple Spanning Tree Protocol (MSTP).
Page 221 • Protocol ID—Fixed at 0x0000, which represents IEEE 802.1d. • Protocol version ID—Spanning tree protocol version ID. The protocol version ID for STP is 0x00. • BPDU type—Type of the BPDU. The value is 0x00 for a configuration BPDU. • Flags—An 8-bit field indicates the purpose of the BPDU.
Page 222: Basic Concepts In Stp
Basic concepts in STP Root bridge A tree network must have a root bridge. The entire network contains only one root bridge, and all the other bridges in the network are called leaf nodes. The root bridge is not permanent, but can change with changes of the network topology.
Page 223: Calculation Process Of The Stp Algorithm
Table 1 STP port states State Receives/sends BPDUs Learns MAC addresses Forwards user data Disabled Listening Learning Forwarding Blocking Receive Path cost Path cost is a reference value used for link selection in STP. To prune the network into a loop-free tree, STP calculates path costs to select the most robust links and block redundant links that are less robust.
Page 224 Step Description Considers this port as the designated port. Replaces the configuration BPDU on the port with the calculated configuration BPDU. Periodically sends the calculated configuration BPDU. • If the configuration BPDU on the port is superior, the device blocks this port without updating its configuration BPDU.
Page 225 Figure 4 The STP algorithm As shown in Figure 4, the priority values of Device A, Device B, and Device C are 0, 1, and 2, respectively. The path costs of links among the three devices are 5, 10, and 4. Device state initialization.
Page 226 Table 4 Comparison process and result on each device Configuration BPDU Device Comparison process on ports after comparison Port A1 performs the following operations: Receives the configuration BPDU of Port B1 {1, 0, 1, Port B1}. Determines that its existing configuration BPDU {0, 0, 0, Port A1} is superior to the received configuration BPDU.
Page 227 Configuration BPDU Device Comparison process on ports after comparison superior to its existing configuration BPDU {2, 0, 2, Port C1}. Updates its configuration BPDU. Port C2 performs the following operations: Receives the original configuration BPDU of Port B2 {1, 0, 1, Port B2}. Determines that the received configuration BPDU is superior to the existing configuration BPDU {2, 0, 2, Port C2}.
Page 228 Configuration BPDU Device Comparison process on ports after comparison the configuration BPDU unchanged. Port C1 does not forward data until a new event triggers a spanning tree calculation process: for example, the link between Device B and Device C is down. After the comparison processes described in Table 4, a spanning tree with Device A as the root...
Page 229: Rstp
A path failure can cause spanning tree re-calculation to adapt the spanning tree structure to the change. However, the resulting new configuration BPDU cannot propagate throughout the network immediately. If the newly elected root ports and designated ports start to forward data immediately, a temporary loop will likely occur.
Page 230: How Rstp Works
• Alternate port—Acts as the backup port for a root port. When the root port is blocked, the alternate port takes over. • Backup port—Acts as the backup port of a designated port. When the designated port is invalid, the backup port becomes the new designated port. A loop occurs when two ports of the same spanning tree device are connected, so the device blocks one of the ports.
Page 231: Pvst
Because each VLAN runs RSTP independently, a spanning tree only serves its VLAN. A PVST-enabled H3C device can communicate with a third-party device that is running Rapid PVST or PVST. The PVST-enabled H3C device supports fast network convergence like RSTP when connected to PVST-enabled H3C devices or third-party devices enabled with Rapid PVST.
Page 232: Basic Concepts In Pvst
A port's link type determines the type of BPDUs the port sends. • An access port sends RSTP BPDUs. • A trunk or hybrid port sends RSTP BPDUs in the default VLAN and sends PVST BPDUs in other VLANs. Basic concepts in PVST PVST uses the same port roles and port states as RSTP for fast convergence.
Page 233: Mstp Protocol Frames
MSTP protocol frames Figure 8 shows the format of an MSTP BPDU. Figure 8 MSTP BPDU format The first 13 fields of an MSTP BPDU are the same as an RSTP BPDU. The other six fields are unique to MSTP. •...
Page 234: Basic Concepts In Mstp
Basic concepts in MSTP Figure 9 shows a switched network that contains four MST regions, each MST region containing four MSTP devices. Figure 10 shows the networking topology of MST region 3. Figure 9 Basic concepts in MSTP VLAN 1 MSTI 1 VLAN 1 MSTI 1...
Page 235 MST region A multiple spanning tree region (MST region) consists of multiple devices in a switched network and the network segments among them. All these devices have the following characteristics: • A spanning tree protocol enabled • Same region name •...
Page 236 • The regional root of MSTI 1 is Device B. • The regional root of MSTI 2 is Device C. • The regional root of MSTI 0 (also known as the IST) is Device A. Common root bridge The common root bridge is the root bridge of the CIST. Figure 9, the common root bridge is a device in MST region 1.
Page 237: How Mstp Works
CIST. However, that is not true with master ports. A master port on MSTIs is a root port on the CIST. Port states In MSTP, a port can be in one of the following states: • Forwarding—The port receives and sends BPDUs, learns MAC addresses, and forwards user traffic.
Page 238: Mstp Implementation On Devices
• Within an MST region, the frame is forwarded along the corresponding MSTI. • Between two MST regions, the frame is forwarded along the CST. MSTP implementation on devices MSTP is compatible with STP and RSTP. Devices that are running MSTP and that are used for spanning tree calculation can identify STP and RSTP protocol frames.
Page 239 Root port rapid transition When a root port is blocked, the bridge will elect the alternate port with the highest priority as the new root port. If the new root port's peer is in the forwarding state, the new root port immediately transits to the forwarding state.
Page 240: Protocols And Standards
Figure 14 P/A transition for RSTP and PVST • P/A transition for MSTP. In MSTP, an upstream bridge sets both the proposal and agreement flags in its BPDU. If a downstream bridge receives the BPDU and its receiving port is elected as the root port, the bridge blocks all the other ports except edge ports.
Page 241: Configuration Restrictions And Guidelines
Configuration restrictions and guidelines Compatibility with other features • In an IRF 3.1 system, the spanning tree feature is disabled by default on ports of PEXs. For more information about PEXs, see IRF 3.1 configuration in Virtual Technologies Configuration Guide. •...
Page 242: Stp Configuration Task List
STP configuration task list Tasks at a glance Configuring the root bridge: • (Required.) Setting the spanning tree mode • (Optional.) Configuring the root bridge or a secondary root bridge • (Optional.) Configuring the device priority • (Optional.) Configuring the network diameter of a switched network •...
Page 243: Pvst Configuration Task List
Tasks at a glance • (Optional.) Configuring edge ports • (Optional.) Configuring path costs of ports • (Optional.) Configuring the port priority • (Optional.) Configuring the port link type • (Optional.) Enabling outputting port state transition information • (Required.) Enabling the spanning tree feature (Optional.) Performing mCheck (Optional.)
Page 244: Mstp Configuration Task List
MSTP configuration task list Tasks at a glance Configuring the root bridge: • (Required.) Setting the spanning tree mode • (Required.) Configuring an MST region • (Optional.) Configuring the root bridge or a secondary root bridge • (Optional.) Configuring the device priority •...
Page 245: Configuring An Mst Region
• RSTP mode—All ports of the device send RSTP BPDUs. A port in this mode automatically transits to the STP mode when it receives STP BPDUs from the peer device. A port in this mode does not transit to the MSTP mode when it receives MSTP BPDUs from the peer device. •...
Page 246: Configuring The Root Bridge Or A Secondary Root Bridge
Step Command Remarks name. address. • Use one of the commands. instance instance-id vlan Configure the vlan-id-list By default, all VLANs in an MST VLAN-to-instance mapping • region are mapped to the CIST (or vlan-mapping modulo table. MSTI 0). modulo Configure the MSTP revision The default setting is 0.
Page 247: Configuring The Device As A Secondary Root Bridge Of A Specific Spanning Tree
Step Command Remarks stp [ instance instance-list ] root primary Configuring the device as a secondary root bridge of a specific spanning tree Step Command Remarks Enter system view. system-view • In STP/RSTP mode: stp root secondary • In PVST mode: Configure the device as By default, the device is not a stp vlan vlan-id-list root...
Page 248: Configuring The Network Diameter Of A Switched Network
uses the new hop count in the BPDUs that it propagates. When the hop count of a BPDU reaches zero, it is discarded by the device that received it. Devices beyond the reach of the maximum hops can no longer participate in spanning tree calculations, so the size of the MST region is limited. Make this configuration only on the root bridge.
Page 249: Configuration Restrictions And Guidelines
• Hello time—Interval at which the device sends configuration BPDUs to detect link failures. If the device does not receive configuration BPDUs within the timeout period, it recalculates the spanning tree. The formula for calculating the timeout period is timeout period = timeout factor × 3 ×...
Page 250: Setting The Timeout Factor
Step Command Remarks • In STP/RSTP/MSTP mode: stp timer max-age time Set the max age timer. • The default setting is 20 seconds. In PVST mode: stp vlan vlan-id-list timer max-age time Setting the timeout factor The timeout factor is a parameter used to decide the timeout period. The formula for calculating the timeout period is: timeout period = timeout factor ×...
Page 251: Configuring Edge Ports
Configuring edge ports If a port directly connects to a user terminal rather than another device or a shared LAN segment, this port is regarded as an edge port. When network topology change occurs, an edge port will not cause a temporary loop. Because a device does not determine whether a port is directly connected to a terminal, you must manually configure the port as an edge port.
Page 252 • dot1d-1998—The device calculates the default path cost for ports based on IEEE 802.1d-1998. • dot1t—The device calculates the default path cost for ports based on IEEE 802.1t. • legacy—The device calculates the default path cost for ports based on a private standard. When you specify a standard for the device to use when it calculates the default path cost, follow these guidelines: •...
Page 253 Path cost Link speed Port type IEEE Private IEEE 802.1t 802.1d-1998 standard ports Single port 20000 Aggregate interface containing two Selected 10000 ports Aggregate interface 1000 Mbps containing three Selected 6666 ports Aggregate interface containing four Selected 5000 ports Single port 2000 Aggregate interface containing two Selected...
Page 254: Configuring Path Costs Of Ports
Path cost Link speed Port type IEEE Private IEEE 802.1t 802.1d-1998 standard containing three Selected ports Aggregate interface containing four Selected ports Configuring path costs of ports When the path cost of a port changes, the system recalculates the role of the port and initiates a state transition.
Page 255: Configuring The Port Priority
[Sysname] interface gigabitethernet 1/0/3 [Sysname-GigabitEthernet1/0/3] stp vlan 20 to 30 cost 2000 Configuring the port priority The priority of a port is a factor that determines whether the port can be elected as the root port of a device. If all other conditions are the same, the port with the highest priority is elected as the root port.
Page 256: Configuring The Mode A Port Uses To Recognize And Send Mstp Frames
Step Command Remarks Enter system view. system-view Enter Layer 2 Ethernet interface interface-type interface or Layer 2 interface-number aggregate interface view. By default, the link type is auto stp point-to-point { auto | Configure the port link type. where the port automatically force-false | force-true } detects the link type.
Page 257: Enabling The Spanning Tree Feature
Step Command Remarks Enter system view. system-view • In STP/RSTP mode: stp port-log instance 0 • Enable outputting port In PVST mode: state transition By default, this feature is enabled. stp port-log vlan vlan-id-list information. • In MSTP mode: stp port-log { all | instance instance-list } Enabling the spanning tree feature You must enable the spanning tree feature for the device before any other spanning tree related...
Page 258: Configuration Restrictions And Guidelines
Step Command Remarks feature is enabled on all ports. Performing mCheck The mCheck feature enables user intervention in the port status transition process. When a port on an MSTP, RSTP, or PVST device connects to an STP device and receives STP BPDUs, the port automatically transits to the STP mode.
Page 259: Configuring Digest Snooping
The devices of different vendors in the same MST region cannot communicate with each other. To enable communication between an H3C device and a third-party device in the same MST region, enable Digest Snooping on the H3C device port connecting them.
Page 260: Configuration Procedure
Digest Snooping when the network is already working well. Configuration procedure Use this feature on when your H3C device is connected to a third-party device that uses its private key to calculate the configuration digest. To configure Digest Snooping:...
Page 261 Figure 16 Network diagram MST region Device C Root bridge Root port GE1/0/1 GE1/0/2 Designated port Blocked port Normal link GE1/0/1 GE1/0/1 Blocked link GE1/0/2 GE1/0/2 Device A Device B Configuration procedure # Enable Digest Snooping on GigabitEthernet 1/0/1 of Device A and enable global Digest Snooping on Device A.
Page 262: Configuration Prerequisites
Figure 17 Rapid state transition of an MSTP designated port Upstream device Downstream device (1) Proposal for rapid transition The root port blocks non-edge ports. The root port changes to the (2) Agreement forwarding state and sends an Agreement to the upstream device.
Page 263: Configuration Procedure
Configuration procedure Enable the No Agreement Check feature on the root port. To configure No Agreement Check: Step Command Remarks Enter system view. system-view Enter Layer 2 Ethernet interface interface-type interface or Layer 2 interface-number aggregate interface view. Enable No Agreement By default, No Agreement Check stp no-agreement-check Check.
Page 264: Configuration Restrictions And Guidelines
Figure 20 TC Snooping application scenario To avoid traffic interruption, you can enable TC Snooping on the IRF fabric. After receiving a TC-BPDU through a port, the IRF fabric updates MAC address table and ARP table entries associated with the port's VLAN. In this way, TC Snooping prevents topology change from interrupting traffic forwarding in the network.
Page 265: Configuring Bpdu Guard
• Loop guard • Port role restriction • TC-BPDU transmission restriction • TC-BPDU guard • BPDU drop • PVST BPDU guard • Dispute guard Configuring BPDU guard For access layer devices, the access ports can directly connect to the user terminals (such as PCs) or file servers.
Page 266: Enabling Root Guard
Step Command Remarks aggregate interface view. than other device or shared LAN segment. By default, BPDU guard is not configured on a per-edge port stp port bpdu-protection Configure BPDU guard. basis. The status of BPDU guard on { enable | disable } an interface is the same as the global BPDU status.
Page 267: Configuring Port Role Restriction
As a result, loops occur in the switched network. The loop guard feature can suppress the occurrence of such loops. The initial state of a loop guard-enabled port is discarding in every MSTI. When the port receives BPDUs, it transits its state. Otherwise, it stays in the discarding state to prevent temporary loops. When you configure loop guard, follow these restrictions and guidelines: •...
Page 268: Configuring Tc-Bpdu Transmission Restriction
Configuring TC-BPDU transmission restriction CAUTION: Enabling TC-BPDU transmission restriction on a port might cause the previous forwarding address table to fail to be updated when the topology changes. The topology change to the user access network might cause the forwarding address changes to the core network.
Page 269: Enabling Bpdu Drop
Enabling BPDU drop In a spanning tree network, every BPDU arriving at the device triggers an STP calculation process and is then forwarded to other devices in the network. Malicious attackers might use the vulnerability to attack the network by forging BPDUs. By continuously sending forged BPDUs, they can make all devices in the network continue performing STP calculations.
Page 270 Figure 21 Dispute guard triggering scenario Dispute guard is Unidirectional link Normal condition triggered occurs Device A Device A Device A Root Root Root Port A1 Port A2 Port A1 Port A2 Port A1 Port A2 Port B1 Port B2 Port B1 Port B2 Port B1...
Page 271: Enabling The Device To Log Events Of Detecting Or Receiving Tc Bpdus
Enabling the device to log events of detecting or receiving TC BPDUs This feature allows the device to generate logs when it detects or receives TC BPDUs. This feature applies only to PVST mode. To enable the device to log events of detecting or receiving TC BPDUs: Step Command Remarks...
Page 272: Displaying And Maintaining The Spanning Tree
• In STP, MSTP, or RSTP mode, the snmp-agent trap enable stp command enables SNMP notifications for new-root election events. • In PVST mode, the snmp-agent trap enable stp enables SNMP notifications for spanning tree topology changes. To enable SNMP notifications for new-root election and topology change events: Step Command Remarks...
Page 273: Spanning Tree Configuration Example
Task Command chassis-number slot slot-number ] [ brief ] Display the MST region configuration information that display stp region-configuration has taken effect. Display the root bridge information of all MSTIs. display stp root Clear the spanning tree statistics. reset stp [ interface interface-list ] Spanning tree configuration example MSTP configuration example Network requirements...
Page 274 Configure the ports on these devices as trunk ports and assign them to related VLANs. Configure Device A: # Enter MST region view, and configure the MST region name as example. <DeviceA> system-view [DeviceA] stp region-configuration [DeviceA-mst-region] region-name example # Map VLAN 10, VLAN 30, and VLAN 40 to MSTI 1, MSTI 3, and MSTI 4, respectively. [DeviceA-mst-region] instance 1 vlan 10 [DeviceA-mst-region] instance 3 vlan 30 [DeviceA-mst-region] instance 4 vlan 40...
Page 275 [DeviceC-mst-region] revision-level 0 # Activate MST region configuration. [DeviceC-mst-region] active region-configuration [DeviceC-mst-region] quit # Configure the Device C as the root bridge of MSTI 4. [DeviceC] stp instance 4 root primary # Enable the spanning tree feature globally. [DeviceC] stp global enable Configure Device D: # Enter MST region view, and configure the MST region name as example.
Page 276: Pvst Configuration Example
GigabitEthernet1/0/1 DESI FORWARDING NONE GigabitEthernet1/0/3 DESI FORWARDING NONE # Display brief spanning tree information on Device C. [DeviceC] display stp brief MST ID Port Role STP State Protection GigabitEthernet1/0/1 DESI FORWARDING NONE GigabitEthernet1/0/2 ROOT FORWARDING NONE GigabitEthernet1/0/3 DESI FORWARDING NONE GigabitEthernet1/0/1 ROOT FORWARDING...
Page 277 Configure PVST to meet the following requirements: • Frames of a VLAN are forwarded along the spanning trees of the VLAN. • VLAN 10, VLAN 20, and VLAN 30 are terminated on the distribution layer devices, and VLAN 40 is terminated on the access layer devices. •...
Page 278 Configure Device C: # Set the spanning tree mode to PVST. <DeviceC> system-view [DeviceC] stp mode pvst # Configure the device as the root bridge of VLAN 40. [DeviceC] stp vlan 40 root primary # Enable the spanning tree feature globally and in VLAN 10, VLAN 20, and VLAN 40. [DeviceC] stp global enable [DeviceC] stp vlan 10 20 40 enable Configure Device D:...
Page 279: Pvst On Dr System Configuration Example
GigabitEthernet1/0/3 DESI FORWARDING NONE # Display brief spanning tree information on Device D. [DeviceD] display stp brief VLAN ID Port Role STP State Protection GigabitEthernet1/0/1 ALTE DISCARDING NONE GigabitEthernet1/0/2 ROOT FORWARDING NONE GigabitEthernet1/0/3 ALTE DISCARDING NONE GigabitEthernet1/0/1 ROOT FORWARDING NONE GigabitEthernet1/0/2 ALTE DISCARDING...
Page 280 NOTE: • As a best practice, do not connect ports on Device A and Device B that have the same port ID with each other, for example Layer 2 aggregate ports. Otherwise, when Device A and Device B communicate through the link, the spanning tree protocol determines that the device receives its own BPDUs.
Page 281 [DeviceC] stp vlan 10 20 enable Configure Device D: # Set the spanning tree mode to PVST. <DeviceD> system-view [DeviceD] stp mode pvst # Enable the spanning tree feature globally and in VLAN 20, and VLAN 30. [DeviceD] stp global enable [DeviceD] stp vlan 20 30 enable Verifying the configuration When the network is stable, you can use the display stp brief command to display brief spanning tree...
Page 282 Contents Configuring LLDP ············································································· 1 Overview ·································································································································· 1 Basic concepts ··················································································································· 1 Working mechanism ············································································································ 6 Collaboration with Track ······································································································· 7 Protocols and standards ······································································································· 7 LLDP configuration task list ·········································································································· 7 Performing basic LLDP configurations ····························································································...
Page 283: Configuring Lldp
Configuring LLDP Overview In a heterogeneous network, a standard configuration exchange platform ensures that different types of network devices from different vendors can discover one another and exchange configuration. The Link Layer Discovery Protocol (LLDP) is specified in IEEE 802.1AB. The protocol operates on the data link layer to exchange device information between directly connected devices.
Page 284 LLDP frame formats LLDP sends device information in LLDP frames. LLDP frames are encapsulated in Ethernet II or Subnetwork Access Protocol (SNAP) frames. • LLDP frame encapsulated in Ethernet II Figure 2 Ethernet II-encapsulated LLDP frame Table 1 Fields in an Ethernet II-encapsulated LLDP frame Field Description MAC address to which the LLDP frame is advertised.
Page 285 Figure 3 SNAP-encapsulated LLDP frame Table 2 Fields in a SNAP-encapsulated LLDP frame Field Description MAC address to which the LLDP frame is advertised. It is the same as Destination MAC address that for Ethernet II-encapsulated LLDP frames. Source MAC address MAC address of the sending port.
Page 286 Table 3 Basic management TLVs Type Description Remarks Chassis ID Specifies the bridge MAC address of the sending device. Specifies the ID of the sending port: • If the LLDPDU carries LLDP-MED TLVs, the port ID Port ID Mandatory. TLV carries the MAC address of the sending port. •...
Page 287 NOTE: • H3C devices support only receiving protocol identity TLVs and VID usage digest TLVs. • Layer 3 Ethernet ports support only link aggregation TLVs. • IEEE 802.3 organizationally specific TLVs Table 5 IEEE 802.3 organizationally specific TLVs Type Description...
Page 288: Working Mechanism
Type Description Allows a network device or terminal device to advertise power Extended Power-via-MDI supply capability. This TLV is an extension of the Power Via MDI TLV. Hardware Revision Allows a terminal device to advertise its hardware version. Firmware Revision Allows a terminal device to advertise its firmware version.
Page 289: Collaboration With Track
the token bucket mechanism to rate limit LLDP frames. For more information about the token bucket mechanism, see ACL and QoS Configuration Guide. LLDP automatically enables the fast LLDP frame transmission mechanism in either of the following cases: • A new LLDP frame is received and carries device information new to the local device. •...
Page 290: Performing Basic Lldp Configurations
Tasks at a glance • (Required.) Enabling LLDP • (Optional.) Setting the LLDP bridge mode • (Optional.) Setting the LLDP operating mode • (Optional.) Setting the LLDP reinitialization delay • (Optional.) Enabling LLDP polling • (Optional.) Configuring the advertisable TLVs •...
Page 291: Setting The Lldp Operating Mode
destination MAC addresses for these agents and transparently transmits the LLDP frames with other destination MAC addresses in the VLAN. • Service bridge mode—LLDP supports nearest bridge agents and nearest non-TPMR bridge agents. LLDP processes the LLDP frames with destination MAC addresses for these agents and transparently transmits the LLDP frames with other destination MAC addresses in the VLAN.
Page 292: Enabling Lldp Polling
Step Command Remarks Enter system view. system-view Set the LLDP reinitialization lldp timer reinit-delay delay The default setting is 2 seconds. delay. Enabling LLDP polling With LLDP polling enabled, a device periodically searches for local configuration changes. When the device detects a configuration change, it sends LLDP frames to inform neighboring devices of the change.
Page 293 Step Command Remarks interface-number ] } | dot1-tlv { all | LLDP TLVs: port-vlan-id | link-aggregation | dcbx Basic TLVs. | protocol-vlan-id [ vlan-id ] | Port VLAN ID TLVs vlan-name [ vlan-id ] | and link management-vid [ mvlan-id ] } | aggregation TLVs dot3-tlv { all | link-aggregation | in the IEEE 802.1...
Page 294 Step Command Remarks aggregation TLVs in the 802.1 organizationally specific TLV set. By default: • Nearest bridge agents can advertise the following types of LLDP TLVs: • lldp tlv-enable { basic-tlv { all | Basic TLVs. port-description | system-capability Link aggregation | system-description | system-name TLVs in the IEEE | management-address-tlv [ ipv6 ]...
Page 295: Configuring The Management Address And Its Encoding Format
Step Command Remarks • system-name } Nearest customer bridge agents can advertise only basic TLVs. Nearest bridge agents are not supported on Layer 3 aggregate interfaces. An LLDP-enabled IRF physical interface supports only the nearest bridge Configure the lldp tlv-enable basic-tlv agent.
Page 296: Setting Other Lldp Parameters
Step Command Remarks Ethernet interface view, interface-number management Ethernet interface view, or Layer 2/Layer 3 aggregate interface view. • In Layer 2 Ethernet interface view or management Ethernet interface view: lldp tlv-enable basic-tlv management-address-tlv [ ipv6 ] [ ip-address | interface loopback interface-number ] lldp agent...
Page 297: Setting An Encapsulation Format For Lldp Frames
As the expression shows, the TTL can be up to 65535 seconds. TTLs greater than 65535 will be rounded down to 65535 seconds. To set LLDP parameters: Step Command Remarks Enter system view. system-view Set the TTL multiplier. lldp hold-multiplier value The default setting is 4.
Page 298: Disabling Lldp Pvid Inconsistency Check
Step Command Remarks lldp encapsulation snap Disabling LLDP PVID inconsistency check By default, when the system receives an LLDP packet, it compares the PVID value contained in packet with the PVID configured on the receiving interface. If the two PVIDs do not match, a log message will be printed to notify the user.
Page 299: Configuration Prerequisites
For more information about voice VLANs, see "Configuring voice VLANs." Configuration prerequisites Before you configure CDP compatibility, complete the following tasks: • Globally enable LLDP. • Enable LLDP on the port connecting to a CDP device. • Configure LLDP to operate in TxRx mode on the port. Configuration procedure CDP-compatible LLDP operates in one of the following modes: •...
Page 300: Configuring Mac Address Learning For Dcn
To configure LLDP trapping and LLDP-MED trapping: Step Command Remarks Enter system view. system-view Enter Layer 2/Layer 3 Ethernet interface view, management Ethernet interface view, Layer interface interface-type interface-number 2/Layer 3 aggregate interface view, or IRF physical interface view. • In Layer 2/Layer 3 Ethernet interface view or management Ethernet interface view:...
Page 301: Setting The Source Mac Address Of Lldp Frames
Configuring MAC address learning for DCN on a Layer 3 Ethernet interface (Optional.) Setting the source MAC address of LLDP frames Enabling the device to generate ARP or ND entries for received management address LLDP TLVs Setting the source MAC address of LLDP frames About setting the source MAC address of LLDP frames This feature allows you to set the source MAC address of LLDP frames to the MAC address of a VLAN interface or a Layer 3 Ethernet subinterface.
Page 302: Displaying And Maintaining Lldp
Procedure Step Command Remarks Enter system view. system-view Enter Ethernet interface interface interface-type view. interface-number By default, the device does not generate an ARP or ND entry when receiving a management address LLDP TLV. In Layer 3 Ethernet interface view, the vlan vlan-id option specifies the ID of a Layer 3 Ethernet Enable the device to...
Page 303: Lldp Configuration Examples
LLDP configuration examples Basic LLDP configuration example Network requirements As shown in Figure 5, enable LLDP globally on Switch A and Switch B to perform the following tasks: • Monitor the link between Switch A and Switch B on the NMS. •...
Page 304 [SwitchB-GigabitEthernet1/0/1] quit Verifying the configuration # Verify the following items: • GigabitEthernet 1/0/1 of Switch A connects to a MED device. • GigabitEthernet 1/0/2 of Switch A connects to a non-MED device. • Both ports operate in Rx mode, and they can receive LLDP frames but cannot send LLDP frames.
Page 305 Port status of LLDP : Enable Admin status : Rx_Only Trap flag : No MED trap flag : No Polling interval : 0s Number of LLDP neighbors Number of MED neighbors Number of CDP neighbors Number of sent optional TLV : 21 Number of received unknown TLV : 3 LLDP agent nearest-nontpmr:...
Page 306 LLDP status information of port 1 [GigabitEthernet1/0/1]: LLDP agent nearest-bridge: Port status of LLDP : Enable Admin status : Rx_Only Trap flag : No MED trap flag : No Polling interval : 0s Number of LLDP neighbors Number of MED neighbors Number of CDP neighbors Number of sent optional TLV Number of received unknown TLV : 5...
Page 307 Number of sent optional TLV Number of received unknown TLV : 0 LLDP agent nearest-customer: Port status of LLDP : Enable Admin status : Disable Trap flag : No MED trap flag : No Polling interval : 0s Number of LLDP neighbors Number of MED neighbors Number of CDP neighbors Number of sent optional TLV...
Page 308 # Enable LLDP globally, and enable CDP compatibility globally. [SwitchA] lldp global enable [SwitchA] lldp compliance cdp # Enable LLDP on GigabitEthernet 1/0/1. By default, LLDP is enabled on ports. [SwitchA] interface gigabitethernet 1/0/1 [SwitchA-GigabitEthernet1/0/1] lldp enable # Configure LLDP to operate in TxRx mode on GigabitEthernet 1/0/1. [SwitchA-GigabitEthernet1/0/1] lldp admin-status txrx # Configure CDP-compatible LLDP to operate in TxRx mode on GigabitEthernet 1/0/1.
Page 309 Contents Configuring L2PT ············································································· 1 Overview ·································································································································· 1 Background ························································································································ 1 L2PT operating mechanism ··································································································· 2 L2PT restrictions and guidelines ···································································································· 3 L2PT configuration task list ·········································································································· 3 Enabling L2PT ·························································································································· 3 Restrictions and guidelines ····································································································...
Page 310: Configuring L2Pt
Layer 2 protocol calculation, which is transparent to the service provider network. • Isolates Layer 2 protocol packets from different customer networks through different VLANs. H3C devices support L2PT for the following protocols: • CDP. •...
Page 311: L2Pt Operating Mechanism
• PAgP. • PVST. • STP (including STP, RSTP, and MSTP). • UDLD. • VTP. L2PT operating mechanism As shown in Figure 2, L2PT operates as follows: • When a port of PE 1 receives a Layer 2 protocol packet from the customer network in a VLAN, it performs the following operations: Multicasts the packet out of all customer-facing ports in the VLAN except the receiving port.
Page 312: L2Pt Restrictions And Guidelines
Figure 3 L2PT network diagram L2PT restrictions and guidelines Configure L2PT only on PE devices. L2PT configuration task list Tasks at a glance (Required.) Enabling L2PT (Optional.) Setting the destination multicast MAC address for tunneled packets Enabling L2PT Restrictions and guidelines •...
Page 313: Enabling L2Pt For A Protocol
transmission between two CEs is not point-to-point. To ensure point-to-point transmission for the LACP or EOAM packets, you must configure other features (for example, VLAN). Enabling L2PT for a protocol Step Command Remarks Enter system view. system-view • Enter Layer 2 Ethernet interface view: interface interface-type interface-number •...
Page 314: L2Pt Configuration Examples
Task Command reset l2protocol statistics [ interface interface-type Clear L2PT statistics. interface-number ] L2PT configuration examples Configuring L2PT for STP Network requirements As shown in Figure 4, the MAC addresses of CE 1 and CE 2 are 00e0-fc02-5800 and 00e0-fc02-5802, respectively. MSTP is enabled in Customer A's network, and default MSTP settings are used.
Page 315: Configuring L2Pt For Lacp
[PE1-GigabitEthernet1/0/1] quit # Configure GigabitEthernet 1/0/2 connected to the service provider network as a trunk port, and assign the port to all VLANs. [PE1] interface gigabitethernet 1/0/2 [PE1-GigabitEthernet1/0/2] port link-type trunk [PE1-GigabitEthernet1/0/2] port trunk permit vlan all [PE1-GigabitEthernet1/0/2] quit Configure PE 2 in the same way PE 1 is configured. (Details not shown.) Verifying the configuration # Verify that the root bridge of Customer A's network is CE 1.
Page 316 Set the PVIDs to VLAN 2 and VLAN 3 for GigabitEthernet 1/0/1 and GigabitEthernet 1/0/2 on PE 1, respectively. Configure PE 2 in the same way PE 1 is configured. Configure ports that connect to the CEs as trunk ports. •...
Page 317 [PE1-GigabitEthernet1/0/2] port link-mode bridge [PE1-GigabitEthernet1/0/2] port link-type trunk [PE1-GigabitEthernet1/0/2] port trunk permit vlan 3 [PE1-GigabitEthernet1/0/2] port trunk pvid vlan 3 # Enable QinQ on GigabitEthernet 1/0/2. [PE1-GigabitEthernet1/0/2] qinq enable # Enable L2PT for LACP on GigabitEthernet 1/0/2. [PE1-GigabitEthernet1/0/2] l2protocol lacp tunnel dot1q [PE1-GigabitEthernet1/0/2] quit Configure PE 2 in the same way PE 1 is configured.
Page 318 Illegal: 0 packet(s) Sent LACP Packets: 13 packet(s) [CE2] display link-aggregation member-port Flags: A -- LACP_Activity, B -- LACP_Timeout, C -- Aggregation, D -- Synchronization, E -- Collecting, F -- Distributing, G -- Defaulted, H -- Expired GigabitEthernet1/0/1: Aggregate Interface: Bridge-Aggregation1 Local: Port Number: 3 Port Priority: 32768...
Page 319 Contents Configuring service loopback groups ···················································· 1 Overview ·································································································································· 1 Configuration restrictions and guidelines ························································································· 1 Configuring a service loopback group ····························································································· 1 Displaying and maintaining service loopback groups ········································································· 2 Service loopback group configuration example ················································································· 2 ...
Page 320 Configuring service loopback groups Overview A service loopback group contains one or multiple Ethernet ports for looping packets sent out by the device back to the device. This feature must work with other features, such as GRE. A service loopback group provides one of the following services: •...
Page 321 Step Command Remarks By default, a port does not belong to any service loopback Assign the port to the service port service-loopback group group. loopback group. group-id You can assign multiple ports to a service loopback group. Displaying and maintaining service loopback groups Execute display commands in any view.

H3C S7500X Series Configuration Manual

Documentation Feedback

Configuring Ethernet Link Aggregation

Configuring Drni

Configuring Port Isolation

Table of Contents

Configuring Vlans

Configuring Super Vlans

Configuring the Private VLAN

Configuring Voice Vlans

Configuring Mvrp

Configuring Qinq

Configuring VLAN Mapping

Configuring Loop Detection

Table of Contents

Quick Links

Chapters

Need help?

Questions and answers

Subscribe to Our Youtube Channel

Related Manuals for H3C S7500X Series

Summary of Contents for H3C S7500X Series