Ruijie RG-CS83-PD Series Configuration Manual

Ruijie RG-CS83-PD Series Switches
CS83-PD_RGOS 12.5(4)B0707
Configuration Guide
Document Version: V1.0
Date: 2023.04.27
Copyright © 2023 Ruijie Networks

Summary of Contents for Ruijie RG-CS83-PD Series

  • Page 1 Ruijie RG-CS83-PD Series Switches CS83-PD_RGOS 12.5(4)B0707 Configuration Guide Document Version: V1.0 Date: 2023.04.27 Copyright © 2023 Ruijie Networks...
  • Page 2 All rights are reserved in this document and this statement. Any reproduction, excerption, backup, modification, transmission, translation or commercial use of this document or any portion of this document, in any form or by any means, without the prior written consent of Ruijie Networks is prohibited.
  • Page 3 Preface Intended Audience This document is intended for: • Network engineers • Technical support and servicing engineers • Network administrators Technical Support • Ruijie Networks Website: https://www.ruijienetworks.com/ • Technical Support Website: https://ruijienetworks.com/support • Case Portal: https://caseportal.ruijienetworks.com • Community: https://community.ruijienetworks.com ...
  • Page 4 Warning An alert that calls attention to important rules and information that if not understood or followed can result in data loss or equipment damage. Caution An alert that calls attention to essential information that if not understood or followed can result in function failure or performance degradation.
  • Page 5 Basic Configuration CLI Configuration ZAM Configuration Basic Management Configuration RBAC Configuration Line Configuration File System Configuration USB Configuration HTTP Configuration Syslog Configuration Software Upgrade Configuration Uboot Configuration Rboot Configuration Time Range Configuration UFT Mode Management Configuration Supervisor Module Redundancy Configuration Hot Swapping Configuration Process Restarting Configuration Python Configuration...
  • Page 6 Configuration Guide Contents Contents 1 Configuring the CLI ..........................1 1.1 Introduction ..........................1 1.1.1 Accessing the CLI ......................1 1.1.2 Command Modes ......................1 1.1.3 System Help ........................3 1.1.4 Abbreviated Commands ....................4 1.1.5 No and Default Options of Commands ................4 1.1.6 Prompts for Incorrect Commands ..................
  • Page 7 Configuration Guide Configuring the CLI Configuring the CLI Introduction The command line interface (CLI) is a window for text instruction interaction between users and network devices. Users can enter commands in the CLI to configure and manage network devices. 1.1.1 Accessing the CLI Before using the CLI, you need to connect a terminal or PC to a network device.
  • Page 8 Configuration Guide Configuring the CLI Table 1-1 Description of the Command Modes (suppose that the name of the network device is "Device") Function Command Exit or Entering Next Access Method Prompt Description of the Mode Mode Mode A user enters Use this command Run the exit...
  • Page 9 Configuration Guide Configuring the CLI Function Command Exit or Entering Next Access Method Prompt Description of the Mode Mode Mode In global Run the configuration command or press Config-vlan mode, run the Ctrl+C to return to Use this command privileged EXEC vlan vlan-id (VLAN...
  • Page 10 Configuration Guide Configuring the CLI range Interface range command Note If a keyword is followed by a parameter value, the value range and description of this parameter are displayed as follows: Device(config)# interface vlan ? <1-4094> Vlan port number • Enter a question mark (?) after an incomplete string of a command keyword to list all command keywords starting with the string.
  • Page 11 Configuration Guide Configuring the CLI Most configuration commands have a default option, which restores the settings of a command to their default values. For most commands, the default value disables the function. Therefore, in most cases, the default option has the same effect as the no option.
  • Page 12 Configuration Guide Configuring the CLI Specification The standard terminals, such as the VT100 series, support the direction keys. 1.1.8 Featured Editing When editing commands, you can use the keys or shortcut keys listed in the following table: Table 1-4 Description of Shortcut Keys Key or Function Description...
  • Page 13 Configuration Guide Configuring the CLI Note The default line width of terminals is 80 characters. 1.1.9 Searching and Filtering of the Show Command Output • To search specified content in the output of the show command, run the following command: Table 1-5 Searching for Specified Content in the Output of the show Command Command...
  • Page 14 Configuration Guide Configuring the CLI Table 1-7 Description of Usages of Special Characters in a Regular Expression Character Symbol Special Meaning Period Matches any single character. Plus sign Matches one or any sequence in a string. Caret Matches the start of a string. Underline Matches commas, brackets, start and end of a string, and spaces.
  • Page 15 Configuration Guide Configuring the CLI 2. System help regarding command aliases • The system provides help information for command aliases. An asterisk (*) is displayed in front of an alias in the following format: *command-alias=original-command For example, in privileged EXEC mode, the default command alias "s" represents the keyword show. If you enter "s?", help information of the keywords and aliases starting with "s"...
  • Page 16 Configuration Guide Configuring the CLI all current characters and then configure a unified character set encoding format. Upon word processing or Backspace deletion, you can run the show running-config command to check whether the configurations are correct. (To delete a Chinese character, you must press the Backspace key twice in the case of GBK, but must press the Backspace key three times in the case of UTF-8.) Configuration Task Summary CLI configuration includes the following tasks: All the configuration tasks below are optional.
  • Page 17 Configuration Guide Configuring the CLI (2) Enter the global configuration mode. configure terminal (3) Configure an alias to replace the front part of a command. alias mode command-alias original-command Default aliases are available for some commands in global configuration mode or privileged EXEC mode by default.
  • Page 18 Configuration Guide Configuring the CLI Monitoring Run the show command to check the running status of a configured function to verify the configuration effect. Table 1-8 Monitoring of the CLI Command Purpose show aliases [ mode ] Displays all command aliases or the command aliases in specific command mode.
  • Page 19 Configuration Guide Contents Contents 1 Configuring ZAM ..........................1 1.1 Introduction ..........................1 1.1.1 Overview ........................1 1.1.2 Principles ........................1 1.2 Restrictions and Guidelines ....................... 2 1.3 Configuring ZAM ........................2 1.3.1 Overview ........................2 1.3.2 Restrictions and Guidelines ................... 2 1.3.3 Prerequisites ........................
  • Page 20 Configuration Guide Configuring ZAM Configuring ZAM Introduction 1.1.1 Overview The zero automatic manager (ZAM) function enables the device to automatically download the software version, upgrade the device version, and apply configuration files when the device has no configuration and the network administrator is not in contact with the field devices.
  • Page 21 Configuration Guide Configuring ZAM ○ The device analyzes and deploys the IP address of the ZAM interface, and analyzes the content of Option 66 and Option 67. (3) TFTP According to the Python script file name and TFTP server IP address obtained at the DHCP stage, the device downloads the configuration script.
  • Page 22 Configuration Guide Configuring ZAM Table 1-1 Description of Folders to Be Created on the TFTP Server Folder Name Content Function xxxx.cfg: Indicates the configuration file of the device. The configuration file of each device is named after the sn value of the device and uses .cfg as the suffix.
  • Page 23 Configuration Guide Configuring ZAM Monitoring Run the show command to check the running status of a configured function to verify the configuration effect. Run the debug command to output debugging information. Caution The output debugging information occupies system resources. Therefore, disable the debugging function immediately after use.
  • Page 24 Configuration Guide Configuring ZAM 4. Procedure (1) Configure the DHCP server. Set the IP address of interface GigabitEthernet 0/1 of the DHCP server to 1.1.1.2/24. Dhcp_Server> enable Dhcp_Server# configure terminal Dhcp_Server(config)#interface gigabitEthernet 0/1 Dhcp_Server(config-if-GigabitEthernet 0/1)# ip address 1.1.1.2 255.255.255.0 Set the IP address of interface GigabitEthernet 0/2 of the DHCP server to 10.1.1.1/24. Dhcp_Server(config)#interface gigabitEthernet 0/2 Dhcp_Server(config-if-GigabitEthernet 0/2)# ip address 10.1.1.1 255.255.255.0 Enable the DHCP server function.
  • Page 25 Configuration Guide Configuring ZAM Thu May 13 15:47:47 2021 DEBUG: upload G1NQ7UW700483.POAP success Thu May 13 15:47:47 2021 DEBUG: begin to download G1NQ7UW700483.params ... Thu May 13 15:47:47 2021 DEBUG: execute download command: copy tftp://1.1.1.1/POAP_CFG/G1NQ7UW700483.params flash:/poap.tmp.params... Thu May 13 15:47:48 2021 DEBUG: download G1NQ7UW700483.params success Thu May 13 15:47:48 2021 DEBUG: parse image_name=57H_5PL4_0329.bin Thu May 13 15:47:48 2021 DEBUG: begin to download G1NQ7UW700483.cfg ...
  • Page 26 Configuration Guide Configuring ZAM Temp sub net mask: 255.255.255.0 DHCP Lease server: 10.1.1.1, state: 9 Inform-proc DHCP transaction id: 75cf492b Lease: 86400 secs, Renewal: 43200 secs, Rebind: 75600 secs Next timer fires after: 43054 secs Retry count: 0 Client-ID: 01800588aba05d564C414E31 Run the show zam command to check the execution status of the ZAM function.
  • Page 27 Configuration Guide Configuring ZAM Configuring Automatic O&M Application Introduction 2.1.1 Overview Automatic O&M application is one of Zero-Touch Provisioning solutions. Different from the zero automatic manager (ZAM) function, it enables the device to automatically connect to the CWMP server, go online and apply configuration template after the device starts up.
  • Page 28 Configuration Guide Configuring ZAM ○ The automatic O&M application interface supports DHCP and the VLAN 1 interface enables dynamic IP application by default. ○ The DHCP server only configures one go-online method. Isolate DHCP servers through management networks to use different go-online methods. CWMP The device connects to the CWMP server address obtained at the DHCP stage and obtains device configuration template or custom configuration.
  • Page 29 Configuration Guide Configuring ZAM storm occurs on an interface, the device will automatically configure the shutdown command for the corresponding interface. 2.4.2 Restrictions and Guidelines The device enables the RLDP Warning policy to detect loops. The device disables loop detection guard automatically after the user enters the configuration mode. When a loop is detected, the device will automatically configure the shutdown command for the corresponding interface to remove the possible loop in the network.
  • Page 30 Configuration Guide Configuring ZAM 2. Topology Figure 2-2 ZAM Topology DHCP Server Device G 0/2 G 0/1 10.1.1.1/24 1.1.1.2/24 G 0/1 1.1.1.1/24 CWMP Server 3. Notes • Configure the DHCP server. • Configure the CWMP server. • Enable the ZTP function on the devices. 4.
  • Page 31 Configuration Guide Configuring ZAM (3) Start the devices with ZTP. Delete the configuration files from the devices. Device# delete config.text Do you want to delete [flash:/config.text]? [Y/N]:y Delete success. Run the reload command to restart the devices. Device# reload Reload system?(Y/N)y 5.
  • Page 32 Configuration Guide Configuring ZAM Gi1/0/13 NONE Gi1/0/14 NONE Gi1/0/15 NONE Gi1/0/16 NONE Gi1/0/17 NONE Gi1/0/18 NONE Gi1/0/19 NONE Gi1/0/20 NONE Gi1/0/21 NONE Gi1/0/22 NONE Gi1/0/23 NONE Gi1/0/24 NONE Te1/0/25 NONE Te1/0/26 NONE Te1/0/27 NONE Te1/0/28 NONE Run the show amaint-app neighbor command to display neighbor information of the device.
  • Page 33 Configuration Guide Contents Contents 1 Configuring Basic Management ......................1 1.1 Overview ............................ 1 1.2 Basic Concepts .......................... 1 1.3 Protocol Specification ........................ 2 1.4 Configuration Task Summary ....................2 1.5 Configuring Basic System Parameters ..................3 1.5.1 Configuration Tasks ....................... 3 1.5.2 Configuring Connection to a Supervisor Module or Service Module ......
  • Page 34 Configuration Guide Contents 1.9.4 Configuring Automatic Configuration File Backup to a Remote Server ...... 13 1.9.5 Rolling Back System Configurations ................14 1.9.6 Saving Configuration....................15 1.10 Configuring a Restart Policy ....................15 1.10.1 Configuration Tasks ....................15 1.10.2 Configuring Immediate Restart .................. 15 1.10.3 Configuring Scheduled Restart ..................
  • Page 35 Configuration Guide Configuring Basic Management Configuring Basic Management Overview To reduce the inconvenience caused by on-site maintenance, IT devices are widely managed remotely. Even initial deployment can be carried out remotely. Remote management needs to consider the various operational needs of network administrators and the security of device management. A series of functions of basic management address security, maintenance and monitoring issues.
  • Page 36 Configuration Guide Configuring Basic Management Concept Description System information includes the system description, system power-on time, system System hardware and software versions, control-layer software version, and boot-layer software information version. Hardware information includes the physical device information as well as information about pluggable modules on the device.
  • Page 37 To facilitate management, you can configure a system name for each device to identify the device. The default system name is Ruijie, and acts as the default command prompt. The command prompt changes with the system name. A system name longer than 32 characters is truncated to keep only the first 32 characters.
  • Page 38 Configuring Basic Management (3) Configure a system name. hostname hostname The default host name is Ruijie. (4) Configure a command prompt. prompt prompt-string No CLI prompt is configured by default, and the system name is used as the command prompt.
  • Page 39 Configuration Guide Configuring Basic Management (8) Configure a prompt for user login authentication timeout. banner prompt-timeout c message c No prompt for user login authentication timeout is configured by default. (9) (Optional) Enter the line configuration mode. line [ console | vty ] first-line [ last-line ] (10) Configure a welcome prompt indicating that a user has entered the user EXEC mode of a line.
  • Page 40 Configuration Guide Configuring Basic Management The time zone is set as Universal Time Coordinated (UTC) by default. Enabling or Disabling a Specific Service 1. Overview When the system is running, you can dynamically adjust system services, including SSH server service, Telnet server service, SNMP agent service, and Web server service.
  • Page 41 Configuration Guide Configuring Basic Management Caution • If a privilege level is configured with both a password and a secret, the password does not take effect. • If no password is configured for a privileged user level, you do not need to input a password to enter this level.
  • Page 42 Configuration Guide Configuring Basic Management configure terminal (5) Configure a password. enable password level password-level ] | [ role role-name ] } { [ 0 ] password | 7 encrypted-password } Preamble spaces are allowed in front of the password but the spaces are ignored. Intermediate and trailing spaces are recognized.
  • Page 43 Configuration Guide Configuring Basic Management Configuring Telnet Login 1.8.1 Configuration Tasks Telnet login includes the following tasks: • Configuring Telnet Service • Configuring Telnet Access Security • Configuring Logging in to Other Devices through Telnet 1.8.2 Configuring Telnet Service 1. Overview As an application-layer protocol in the TCP/IP protocol suite, telnet provides the standard for remote login and virtual terminal communication on the Internet.
  • Page 44 Configuration Guide Configuring Basic Management RADIUS server can authenticate usernames and passwords and control users' permissions to manage the device. Thus, instead of using locally stored password information for authentication, the device sends encrypted user information to the RADIUS server for verification. The server configures unified usernames, passwords, shared passwords, and access policies of users to manage and control user access and improve the security of user information.
  • Page 45 Configuration Guide Configuring Basic Management (7) Configure the encryption type for line-based login. algorithm-type sha256 The default encryption type for line-based login is SHA256. (8) Configure an MD5/SHA-256 irreversible encrypted password for line-based login. secret { [ 0 ] password | { } encrypted-secret } No encrypted password is configured for line-based login by default.
  • Page 46 Configuration Guide Configuring Basic Management enable (2) Run the telnet command to log in to the telnet server. telnet ] { hostname | ipv4-address | ipv6-address } [ port-number ] [ /source ipv4-address | ipv6 ipv6-address | interface interface-type interface-name } ] [ mgmt-name ] (3) Run the do telnet...
  • Page 47 Configuration Guide Configuring Basic Management content according to the configuration sequence of the CLI commands. For some interactive commands, you must write the responses in the batch file to ensure that the commands are normally run. • The batch file must not exceed 128 KB in size; otherwise, it will fail to be executed. You can divide a large batch file into multiple files smaller than 128 KB in size each.
  • Page 48 Configuration Guide Configuring Basic Management 2. Restrictions and Guidelines • If no configuration file exists during command execution, an error is displayed. • If the configuration file is deleted after the configuration command takes effect, the system stops backing up the configuration file to the remote server after the preset time expires.
  • Page 49 Configuration Guide Configuring Basic Management • If an “Increased configuration:” message is displayed after rollback, the content after the message lists configurations added relative to the checkpoint configurations. The message is displayed because some commands cannot be reversed or fail to be reversed. For details, see the command reference of specific functions, and manually reverse these commands.
  • Page 50 Configuration Guide Configuring Basic Management 2. Restrictions and Guidelines • A restart may interrupt services. Exercise caution. • If the device to be restarted is being upgraded, it does not perform the restart. 3. Procedure (1) Enter the privileged EXEC mode. enable (2) Configure immediate device restart.
  • Page 51 Configuration Guide Configuring Basic Management 1.11 Monitoring and Maintenance Run the show commands to check the running status of a configured function to verify the configuration effect. Table 1-2 Monitoring and Maintenance of Basic Management Command Function clear checkpoint database Clear checkpoints and related data.
  • Page 52 Configuration Guide Configuring Basic Management Command Function show memory vsd vsd-id Display Virtual Storage Director (VSD) information. Display information about devices mounted on the show pci-bus Peripheral Component Interconnect (PCI) bus. show processes cpu detailed { process-id | Display details about a specific task. process-name } show processes cpu history...
  • Page 53 Configuration Guide Configuring Basic Management 2. Topology Figure 1-2 Configuring the Telnet Service 3. Notes • Establish a Telnet session to the remote device whose IPv4 address is 192.168.65.119. • Establish a Telnet session to the remote device whose IPv6 address is 2AAA:BBBB::CCCC. 4.
  • Page 54 Configuration Guide Configuring Basic Management • Configure MOTD information. • Configure login banner information. • Set the serial port baud rate to 57,600 bps. 2. Procedure (1) Configure the system time. Set the system time to June 20, 2003, 10:10:12. Hostname>...
  • Page 55 Configuration Guide Configuring Basic Management Connect to the local device through the console, telnet, or SSH, and check whether the login banner information is displayed before the CLI appears. Hostname# telnet 192.168.65.236 Notice: system will shutdown on July 6th Access for authorized users only. Please enter your password User Access Verification Password: • ...
  • Page 56 Configuration Guide Contents Contents 1 Configuring RBAC ..........................1 1.1 Introduction ..........................1 1.1.1 Overview ........................1 1.1.2 Basic Concepts ......................1 1.2 Configuration Task Summary ....................2 1.3 Configuring a Feature Group ..................... 3 1.3.1 Overview ........................3 1.3.2 Restrictions and Guidelines ................... 3 1.3.3 Procedure ........................
  • Page 57 Configuration Guide Contents 1.5 Monitoring ..........................9 1.6 Configuration Examples ......................10 1.6.1 Configuring Role Permissions ..................10...
  • Page 58 Configuration Guide Configuring RBAC Configuring RBAC Introduction 1.1.1 Overview Role-based access control (RBAC) associates roles with permissions. Users are assigned appropriate roles with permissions. This forms a user-role-permission authorization structure that simplifies permission management. Roles are defined to complete various tasks, and a device administrator can predefine all the roles and their permissions.
  • Page 59 Configuration Guide Configuring RBAC VPN routing and forwarding (VRF): allowed to operate all VRF instances. ○ Level-0 role, assigned with the following permissions: Permission control: CLI commands: allowed to run the ping, ssh, telnet, traceroute, ssh-session, ○ commands. enable priv-0 Resource control: Interfaces: allowed to operate all interfaces.
  • Page 60 Configuration Guide Configuring RBAC (1) (Optional) Configuring a Feature Group Configuring Role Permissions Enabling the RBAC Function Configuring Roles Configuring Rule Permissions for a Role (Optional) Configuring Description of a Role (Optional) Prohibiting a Role from Operating All Interface Resources (Optional) Allowing a Role to Operate a Specific Interface Resource (Optional)
  • Page 61 Configuration Guide Configuring RBAC Configuring Role Permissions 1.4.1 Overview This section describes how to create a user role and configure its operation permissions. After a user is authenticated to get a proper role, he has operation permissions. 1.4.2 Configuration Tasks User role permission configuration includes the following tasks: Enabling the RBAC Function Configuring Roles...
  • Page 62 Configuration Guide Configuring RBAC • Users can customize up to 64 roles and configure permissions for the roles. 3. Procedure (1) Enter the privileged EXEC mode. enable (2) Enter the global configuration mode. configure terminal (3) Create a role and enter the role configuration mode. role name role-name By default, the system predefines 18 roles, including network-admin, network-operator, and priv-n (0–...
  • Page 63 Configuration Guide Configuring RBAC the character string config ; interface * is used to grant permissions over all commands in interface mode. ○ Use of asterisks. Each command segment contains at least one asterisk (*). An asterisk resides either in the middle or at both ends of a command segment.
  • Page 64 Configuration Guide Configuring RBAC (3) Enter the role configuration mode. role name role-name (4) Configure the description for a role. description description By default, a predefined role is provided with a default description, while a user-defined role is provided with no description. 1.4.7 Prohibiting a Role from Operating All Interface Resources 1.
  • Page 65 Configuration Guide Configuring RBAC 1.4.9 Prohibiting a Role from Operating All VLAN Resources 1. Overview This section describes how to prohibit a role from creating, deleting or applying all VLAN resources. 2. Procedure (1) Enter the privileged EXEC mode. enable (2) Enter the global configuration mode.
  • Page 66 Configuration Guide Configuring RBAC (2) Enter the global configuration mode. configure terminal (3) Enter the role configuration mode. role name role-name (4) Prohibit a role from operating all VRF resources and enter the role VRF configuration mode. vrf policy deny By default, a role has the permission to operate all VRF resources.
  • Page 67 Configuration Guide Configuring RBAC Table 1-2 RBAC Monitoring Command Purpose show role name role-name ] Displays the information about a specific role or all roles. show role feature detail name Displays the basic information or details about a specific feature or feature-name ] all features.
  • Page 68 Configuration Guide Configuring RBAC ○ Operate all show commands. ○ Operate all read, write, and execution commands of features snmpd and syslogd. ○ Execute interface, VLAN and VRF commands, as well as all commands in corresponding modes. ○ Prohibit the role from operating all interface resources, but allow it to operate interface VLAN 1. ○...
  • Page 69 * permit command config;vrf definition * R:Read W:Write X:Execute Run any show command. DeviceA# show privilege Current privilege role is test Ruijie# show users Line User Host(s) Idle Location ---------------- ------------ -------------------- ---------- ------------------ * 1 vty 0 user idle 00:00:00 172.30.31.16...
  • Page 70 Configuration Guide Configuring RBAC Monitor logging: level debugging, 19 messages logged Buffer logging: level debugging, 46 messages logged Standard format:false Timestamp debug messages: datetime Timestamp log messages: datetime Sequence-number log messages: disable Sysname log messages: disable Count log messages: disable Trap logging: level informational, 46 message lines logged,0 fail Log Buffer (Total 1048576 Bytes): have written 4462 *Oct 16 07:23:17: %CLI-6-STARTUP: Cli server process startup.
  • Page 71 Configuration Guide Configuring RBAC DeviceA(config-vlan)# name test DeviceA(config-vlan)# exit DeviceA(config)# vlan 2 % User doesn't have sufficient privilege to execute this command. DeviceA(config)# vrf definition test DeviceA(config-vrf)# description test DeviceA(config-vrf)# exit DeviceA(config)# vrf definition test1 % User doesn't have sufficient privilege to execute this command. 6.
  • Page 72 Configuration Guide Contents Contents 1 Configuring Lines ..........................1 1.1 Introduction ..........................1 1.1.1 Overview ........................1 1.1.2 Principles ........................1 1.2 Configuration Task Summary ....................1 1.3 Configuring the Number of VTY Terminals ................1 1.3.1 Overview ........................1 1.3.2 Restrictions and Guidelines ...................
  • Page 73 Configuration Guide Configuring Lines Configuring Lines Introduction 1.1.1 Overview There are various types of terminal lines on network devices. You can group and manage terminal lines by types. Configurations of these terminal lines are called line configurations. On network devices, terminal lines are classified into multiple types such as CTY and virtual type terminal (VTY).
  • Page 74 Configuration Guide Configuring Lines Note • Remote connections include telnet, SSH, and session connections. • The allowed maximum number of VTY connections and the number of available VTY connections are separately managed. A remote connection is established successfully only when both conditions are met. 1.3.3 Procedure (1) Enter the privileged EXEC mode.
  • Page 75 When high-speed data processing devices communicate with low-speed data processing devices (for example, a printer communicates with a network port), you also need to enable flow control to prevent data loss. Ruijie general operating system (RGOS) provides the following two flow control modes: ○...
  • Page 76 Configuration Guide Configuring Lines (6) (Optional) Enable EXEC authorization for a line. authorization exec default | list-name } The EXEC authorization function is disabled by default. (7) Configure the access to the CLI through a line. exec Accessing the CLI through lines is enabled by default. (8) Configure line attributes.
  • Page 77 Configuration Guide Configuring Lines ○ Configure location description for a specific line. location location No location description is configured for a specific line by default. ○ Enable logging display on terminals. monitor Logging display on terminals is disabled by default. ○...
  • Page 78 Configuration Guide Configuring Lines ○ Configure the flow control mode for asynchronous lines. flowcontrol hardware none software No flow control is configured for asynchronous lines by default. ○ Configure the parity bit for asynchronous lines. parity even none When using certain hardware (such as an asynchronous serial port and console port) for communication, you usually need to configure a parity bit.
  • Page 79 Configuration Guide Configuring Lines The default number of data bits per character for the current terminal in flow communication mode is 8. ○ Configure the character for exiting the current terminal. terminal escape-character escape-value The default character for exiting the current terminal is Ctrl+Shift+6 (ASCII value 30). ○...
  • Page 80 Configuration Guide Configuring Lines terminal stopbits The default number of stop bits in each byte transmitted through the current terminal is 2. ○ Configure the type of terminals simulated by the current terminal. terminal terminal-type terminal-type-string The default terminal type is vt100. ○...
  • Page 81 Configuration Guide Configuring Lines Table 1-1 Monitoring Command Purpose clear line console console-line-number Clears the connection status of a line. vty-line-number line-number clear history all-users Clears historical records. show line console console-line-number Displays the line configurations. vty-line-number line-number show history Displays historical command records of a line.
  • Page 82 Configuration Guide Configuring Lines Device> enable Device# configure terminal Device(config)# ip access-list standard acl1 Device(config-std-nacl)# permit 192.168.1.0 0.0.0.255 Device(config-std-nacl)# exit Device(config)# line v 0 6 Device(config-line)# access-class acl1 in Set the maximum number of VTY line users to 6. Device(config)# line v 0 6 Set the baud rate to 115200 bps.
  • Page 83 Configuration Guide Configuring Lines Device# show users Line User Host(s) Idle Location ---------------- ------------ -------------------- ---------- ------------------ * 0 con 0 idle 00:00:00 1 vty 0 Device idle 00:00:04 192.168.1.100 Run the show line vty command to display the line status of the console. Device# show line vty 1 Type speed...
  • Page 84 Configuration Guide Configuring Lines monitor history size 200 speed 115200 line vty 7 35 access-class acl1 in login...
  • Page 85 Configuration Guide Contents: 1 Configuring File System Management; 1.1 Introduction; 1.1.1 Overview; 1.1.2 Basic Concepts; 1.1.3 Way to Manage Files; 1.2 Configuration Task Summary; 1.3 Configuring a Directory; 1.3.1 Displaying the Working Directory...
  • Page 86 Configuration Guide Contents: 1.5 Monitoring; 1.6 Configuration Examples; 1.6.1 Configuring Basic Features of File System Management...
  • Page 87 Configuration Guide Configuring File System Management Configuring File System Management Introduction 1.1.1 Overview Files required for running a device, including configuration files and system software, are saved in the storage media of the device. File system management refers to the management of directories and files in storage media, including creation, deletion, modification and viewing of files.
  • Page 88 Configuration Guide Configuring File System Management 1.1.3 Way to Manage Files To manage files, log in to the system directly or use File Transfer Protocol (FTP) or Trivial File Transfer Protocol (TFTP). Table 1-1 Way to Manage Files Way to Manage Files Application Scenario A device fails to access information, and you need to repair the device or Direct login to the system...
  • Page 89 Configuration Guide Configuring File System Management Configuring a Directory 1.3.1 Displaying the Working Directory 1. Overview This feature displays the complete path of the current working directory. 2. Procedure (1) Enter the privileged EXEC mode. enable (2) Display the complete path of the current working directory. 1.3.2 Changing the Working Directory 1.
  • Page 90 Configuration Guide Configuring File System Management mkdir [ filesystem: ] directory 1.3.5 Deleting a Directory 1. Overview This feature deletes a directory. 2. Procedure (1) Enter the privileged EXEC mode. enable (2) Delete an empty directory. rmdir [ filesystem: ] directory Configuring a File 1.4.1 Displaying File Content...
  • Page 91 Configuration Guide Configuring File System Management (2) Copy a file. copy source-url destination-url 1.4.4 Renaming a File 1. Overview This feature renames a file. 2. Procedure (1) Enter the privileged EXEC mode. enable (2) Rename a file or folder. rename source-url destination-url 1.4.5 Deleting a File...
  • Page 92 Configuration Guide Configuring File System Management erase usb0 1.4.8 Configuring Prompt Level 1. Overview This feature configures the prompt level for executing a file or folder.  When the prompt level is set to noisy, the system asks you to confirm all the files. ...
  • Page 93 Configuration Guide Configuring File System Management Configuration Examples 1.6.1 Configuring Basic Features of File System Management 1. Requirements Operate the files in the device after logging in to the device through the Console port or with a Telnet connection. 2. Notes ...
  • Page 94 Configuration Guide Configuring File System Management 4. Verification Enter the test directory. Device# cd test Display the current working path. Device# pwd flash:/test Display the files under the test directory. Device# dir Directory of flash:/test Number Properties Size Time Name ------ ---------- ---------- ------------------------ -------------------- -rw- 7.5k...
  • Page 95 Configuration Guide Contents: 1 Configuring USB; 1.1 Introduction; 1.1.1 Overview; 1.2 Configuration Task Summary; 1.3 Using a USB Device; 1.4 Ejecting a USB Device; 1.5 Monitoring; 1.6 Configuration Examples...
  • Page 96 Configuration Guide Configuring USB Configuring USB Introduction 1.1.1 Overview Universal Serial Bus (USB) is an external bus standard. In this document, it refers to peripheral devices in line with the USB standard, such as USB flash drives. USB devices are hot-swappable. They serve to copy files (such as configuration files and log files) from a communication device or copy external data (such as system upgrade files) to an internal storage device.
  • Page 97 Configuration Guide Configuring USB ○ Enter the USB device partition. cd usb: [ directory ] The path name, if not specified, is the name of the root path of the USB device partition by default. ○ Copy files between file systems. copy source-url destination-url When the file to be copied exists on the target URL, the target file system determines the action, for...
  • Page 98 Configuration Guide Configuring USB Table 1-1 Monitoring Command Purpose show usb Displays the information about the inserted USB device. Configuration Examples 1.6.1 Configuring USB Basic Features 1. Requirements Operate the files in the device as follows after logging in to the device through the Console port or with a Telnet connection.
  • Page 99 Configuration Guide Configuring USB Hostname# copy usb0:/config.txt flash:/ Copying: ! Accessing usb0:/config.txt finished, 1 bytes prepared Flushing data to flash:/config.txt... Flush data done (3) Remove the USB device. Hostname# usb remove 0 OK, now you can pull out the device 0. 4.
  • Page 100 Configuration Guide Contents: 1 Configuring HTTP; 1.1 Introduction; 1.1.1 Overview; 1.1.2 Principles; 1.1.3 Protocols and Standards; 1.2 Configuration Task Summary; 1.3 Configuring Basic Features; 1.3.1 Overview; 1.4 Configuring HTTP Upgrade...
  • Page 101 Configuration Guide Configuring HTTP Configuring HTTP Introduction 1.1.1 Overview The Hypertext Transfer Protocol (HTTP) is used to transmit Web page information on the Internet. It is at the application layer of the TCP/IP protocol stack. The transport layer adopts the connection-oriented Transmission Control Protocol (TCP).
  • Page 102 Configuration Guide Configuring HTTP Figure 1-1 Principle of HTTPS Service Caution To run HTTPS properly, a server must have a Public Key Infrastructure (PKI) certificate while a client may not. 3. HTTP Remote Upgrade Service The device is connected to a remote HTTP server as a client and upgrades local files by obtaining files from the server.
  • Page 103 Configuration Guide Configuring HTTP configured for each permission level.  By default, the system creates the account admin. The account cannot be deleted and only the password of the account can be changed. The administrator account admin corresponds to the level 0 privilege. Account admin owns all function privileges on the Web client and can edit other management accounts and authorize the accounts to access pages.
  • Page 104 Configuration Guide Configuring HTTP  The server address may not be configured because the local upgrade record file records the addresses of possible upgrade servers.  The server address does not support IPv6.  Run the http update server command to configure the server address and port number for HTTP upgrade. ...
  • Page 105 Configuration Examples 1.6.1 Configuring Basic Features of HTTP Service 1. Requirements To manage a Ruijie device in Web mode, log in to the device through a Web browser and configure related features. 2. Topology Figure 1-2 Topology for Basic Features of HTTP Service 3.
  • Page 106 Configuration Guide Configuring HTTP Hostname(config)# http port 8080 Set the HTTPS service port number to 4430. Hostname(config)# http secure-port 4430 Configure the HTTP authentication information. Hostname(config)# webmaster level 1 username test1 password 0 test_password1 5. Verification Run the ping command to check whether the L3 route between the device and the server is reachable. Hostname# ping 1.1.1.10 Sending 5, 100-byte ICMP Echoes to 1.1.1.10, timeout is 2 seconds: <...
  • Page 107 Configuration Guide Configuring HTTP 7. Common Errors If the HTTP service port is not the default port 80 or 443, you must enter a specific configured service port in the browser. Otherwise, you cannot access the device in Web mode. 1.6.2 Configuring Remote HTTP Upgrade 1.
  • Page 108 Configuration Guide Configuring HTTP Hostname(config)# enable service web-server Set the scheduled time for the device to start remote monitoring to 02:00. Hostname(config)# http update time daily 02:00 Configure the device to obtain upgrade files from the remote server. Hostname# http check-version Configure the device to download upgrade files from the server and update the device.
  • Page 109 Configuration Guide Contents: 1 Configuring Syslog; 1.1 Introduction; 1.1.1 Overview; 1.1.2 Classification of System Logs; 1.1.3 Levels of System Logs; 1.1.4 Output Direction of System Logs; 1.1.5 RFC3164 Log Format; 1.1.6 RFC5424 Log Format...
  • Page 110 Configuration Guide Contents: 1.5 Configuring Log Reporting; 1.5.1 Configuration Tasks; 1.5.2 Restrictions and Guidelines; 1.5.3 Configuring Level-based Log Reporting; 1.5.4 Configuring Delayed Log Reporting; 1.5.5 Configuring Periodical Log Reporting; 1.6 Configuring System Log Monitoring...
  • Page 111 Configuration Guide Contents: 1.9.3 Procedure; 1.10 Configuring Performance Logging Function; 1.10.1 Overview; 1.10.2 Restrictions and Guidelines; 1.10.3 Procedure; 1.11 Configuring Synchronization of User Input and Log Output; 1.11.1 Overview; 1.11.2 Restrictions and Guidelines...
  • Page 112 Configuring Syslog Configuration Guide Configuring Syslog Introduction 1.1.1 Overview If the link status changes, or events such as the receipt of exception packets or processing exceptions occur while the device is running, a log packet in a fixed format is generated automatically. A timestamp and a sequence number can be added to a log packet, which is classified by log priority and output to the console, monitor terminal, log server, or other media.
  • Page 113 Configuring Syslog Configuration Guide Keyword Level Description notifications Indicates a common but important message that requires attention. informational Indicates an informational message. debugging Indicates debugging information. 1.1.4 Output Direction of System Logs System logs can be output to the console, monitor, server, buffer, and file. The default level and type of logs vary with the output direction.
  • Page 114 Configuring Syslog Configuration Guide 001233: *May 22 09:44:36: Ruijie %SYS-5-CONFIG_I: Configured from console by console 2. Server Direction When logs are output to the log server, the system logs are in the following format: <priority>seq no: *timestamp: sysname %module-level-mnemonic: content The log format is described below: <Priority>...
  • Page 115  timestamp The timestamp records the generation time of a system log to help you check and locate system events. Ruijie devices support two formats of system log timestamps: datetime and uptime. ○ Datetime format The complete datetime format is as follows: Mmm dd yyyy hh:mm:ss.msec...
  • Page 116 Configuring Syslog Configuration Guide Timestamp Parameter Description Parameter Name yyyy Year Indicates the year, not displayed by default. Hour Indicates the hour. Minute Indicates the minute. Second Indicates the second. msec Millisecond Indicates the millisecond. Note By default, the timestamp in the datetime format in system logs does not contain the year and milliseconds. You can run a command to display or hide the year and millisecond in the timestamp in the datetime format.
  • Page 117  timestamp The timestamp records the generation time of a system log to help you check and locate system events. Ruijie devices use the following uniform timestamp format when the RFC5424 logging function is enabled: YYYY-MM-DDTHH:MM:SS.SECFRACZ Table 1-6 describes each parameter.
  • Page 118 Configuring Syslog Configuration Guide Timestamp Parameter Parameter Name Description Hour Indicates the hour. Minute Indicates the minute. Second Indicates the second. SECFRAC Millisecond Indicates the millisecond (1–6 digits). End mark Time must end with "Z".  sysname (system name) This field indicates the name of the device that generates a log so that the log server can identify the host of such device.
  • Page 119 The enterprise ID is maintained by the Internet Assigned Numbers enterpriseID Enterprise ID Authority (IANA). The enterprise ID of Ruijie devices is 4881. You can query the enterprise ID at the official website of IANA. Parameter The parameter name is capitalized, and must be unique in the structured...
  • Page 120 Configuring Syslog Configuration Guide Note The two filtering modes are mutually exclusive, that is, you can configure only one filtering mode at a time.  Filtering Rule Two log filtering rules are available: ○ exact-match: If exact-match is selected, you must select all the three filtering options (log module, log level, and log mnemonic).
  • Page 121 Configuring Syslog Configuration Guide 1.1.9 Configuring System Log Monitoring System log monitoring means that the system monitors external connections to the device and records logs.  After user login/logout logging is enabled, the system records the user's connections to the device. The recorded information includes the login username and source address.
  • Page 122 Configuring Syslog Configuration Guide Configuring Basic Syslog Features 1.3.1 Overview This section describes how to enable the syslog function so that the system processes logs and users view the logs generated by the device. 1.3.2 Procedure (1) Enter the privileged EXEC mode. enable (2) Enter the global configuration mode.
  • Page 123 Configuring Syslog Configuration Guide 2. Procedure (1) Enter the privileged EXEC mode. enable (2) Enter the global configuration mode. configure terminal (3) (Optional) Configure the timestamp format for system logs. service timestamps [ message-type [ uptime datetime msec year ] ] ] The system logs use the datetime timestamp format, and the timestamp does not contain the year and milliseconds by default.
  • Page 124 Configuring Syslog Configuration Guide 1.4.5 Configuring a Space Next to <pri> in the Log Format 1. Restrictions and Guidelines  If there is no special requirement, configure a space on the device that needs a space next to <pri> in the log format.
  • Page 125 Configuring Syslog Configuration Guide (2) Enter the global configuration mode. configure terminal (3) Set the system log format to the RFC5424 log format. service log-format rfc5424 (4) Configure a level-based log reporting policy. logging policy module module-name [ not-lesser-than ] policy-level direction buffer console...
  • Page 126 Configuring Syslog Configuration Guide expires, all log files buffered in this period are sent to the log server at a time.  The flash space for buffering local log files on the device is limited. Therefore, up to eight log files are buffered on the device.
  • Page 127 Configuring Syslog Configuration Guide terminal. Otherwise, when the reporting timer expires, many performance statistics logs are displayed, increasing the burden on the device.  To ensure that the server collects all performance statistics logs from the device at the same time point, the timers of all statistical objects are restarted when you modify the interval of one statistic object.
  • Page 128 Configuring Syslog Configuration Guide logging. After this function is configured, the system displays related logs to notify the administrator of configuration changes.  User operations are logged when commands are configured and run. By default, the device does not generate operation logs when a user modifies the device configuration. If the 5424 log format is configured, that is, the service log-format rfc5424 command is configured, you need to configure the...
  • Page 129 Configuring Syslog Configuration Guide displayed, you can configure the level of logs to be displayed on different devices to reduce the logs displayed.  The logging count command is run in global configuration mode to enable the log statistics function. After this function is enabled, the system records the number of times logs are generated by each module and the generation time of the last log.
  • Page 130 Configuring Syslog Configuration Guide (2) Enable log display on the current monitor terminal. terminal monitor Log display in the window of the monitor terminal is disabled by default. (3) Enter the global configuration mode. configure terminal (4) (Optional) Configure the level of logs to be output to the monitor terminal. logging monitor [ severity-level ] The default level of logs that are displayed in the window of the monitor terminal is 7 (debugging...
  • Page 131 Configuration Guide specify multiple log servers, and logs are sent simultaneously to all these log servers.  Up to five log servers can be configured for a Ruijie product.  When a domain name is entered to configure a log server, the logging hostname command is disabled.
  • Page 132 Configuring Syslog Configuration Guide 1.7.6 Configuring the Function of Writing System Logs into Log Files 1. Overview This section describes how to configure the function of writing system logs into log files so that the device can save generated system logs to the log files for viewing. Logs are saved in a log file buffer before being saved to the log file.
  • Page 133 Configuring Syslog Configuration Guide log file. 3. Procedure (1) Enter the privileged EXEC mode. enable (2) Enter the global configuration mode. configure terminal (3) Configure the parameters for the log file, into which logs are written. logging file { flash:filename | usb0:filename } [ max-file-size ] [ inform-level ] (4) Configure the number of log files.
  • Page 134 Configuring Syslog Configuration Guide (3) Configure the log filtering direction. The following configurations are optional. Select at least one of the configurations as actually needed. ○ Configure the log filtering direction. logging filter direction buffer file server terminal Logs sent to all the directions are filtered by default, namely, is set.
  • Page 135 Configuring Syslog Configuration Guide configure terminal (3) Enable the log redirection function. logging rd on (4) (Optional) Configure the rate limit on redirected logs. logging rd rate-limit number [ except [ severity-level ] ] The log redirection function limits the maximum number of logs to be redirected per second to 200 by default.
  • Page 136 Configuring Syslog Configuration Guide configure terminal (3) Synchronize user input and log output. logging synchronous Synchronization of user input and log output is disabled by default. 1.12 Monitoring Run the show commands to check the running status of a configured function to verify the configuration effect. Run the clear commands to clear information.
  • Page 137 Configuring Syslog Configuration Guide 3. Notes  Configure the L3 network reachable between the device and the server.  Enable logging.  Configure the log format. ○ Set the system log format to RFC3164 format. ○ Configure the log display format. ○...
  • Page 138 Configuring Syslog Configuration Guide Set the timestamp format to datetime and add the millisecond and year to the timestamp. Device(config)# service timestamps log datetime year msec Device(config)# service timestamps debug datetime year msec Add the system name to the system log format. Device(config)# service sysname Add the sequence number to the system log format.
  • Page 139 Configuring Syslog Configuration Guide Device(config)# logging server 10.1.1.1 Configure the size of the system logs to be written into the memory buffer to 128 KB (131072 bytes). Device(config)# logging buffered 131072 informational 5. Verification Run the ping command to check whether the L3 route between the device and the log server is reachable. Device# ping 10.1.1.1 Sending 5, 100-byte ICMP Echoes to 10.1.1.1, timeout is 2 seconds: <...
  • Page 140 Configuring Syslog Configuration Guide logging flash interval 600 logging console informational logging monitor informational logging server 10.1.1.1 logging performance switch interface VLAN 1 ip address 10.1.1.2 255.255.255.0 1.13.2 Configuring the RFC5424 Log Format 1. Requirements The network administrator can check system logs to learn about the operation status of the device, better understand and manage the device, or locate problems.
  • Page 141 Configuring Syslog Configuration Guide ○ Set the log filtering rule to single-match to filter the logs with a module name containing "SYS".  Configure the output direction of system logs. ○ Configure the function of writing system logs into a log file named syslog. ○...
  • Page 142 Configuring Syslog Configuration Guide Configure the output of system logs to the monitor terminal. Device(config)# logging monitor informational Device(config)# line vty 0 4 Device(config-line)# monitor (6) Synchronize user input and log output. Device(config-line)# logging synchronous Device(config-line)# exit (7) Enable performance logging. Device(config)# logging performance switch (8) Configure system log filtering.
  • Page 143 Configuring Syslog Configuration Guide Statistic log messages: enable Statistic log messages to terminal: enable Delay-send log messages to terminal: enable Delay-send file name:syslog_ruijie, Current write index:0, Current send index:0, Cycle:7200 seconds Count log messages: enable Trap logging: level debugging, 84 message lines logged,10 fail logging to 10.1.1.100 Delay-send logging: 0 message lines logged logging to 10.1.1.1 by ftp...
  • Page 144 Configuration Guide Contents: 1 Configuring Software Upgrade; 1.1 Introduction; 1.2 Restrictions and Guidelines; 1.3 Principles of System Version Upgrade; 1.4 Principles of Patch Version Upgrade; 1.4.1 Basic Concepts; 1.4.2 Patch Package Management...
  • Page 145 Configuration Guide Contents: 1.9.1 Configuring Subsystem Upgrade; 1.9.2 Configuring Auto-sync Upgrade; 1.9.3 Installing a Patch Package; 1.9.4 Uninstalling a Patch Package...
  • Page 146 Configuring Software Upgrade Introduction Adopting a modular structure, Ruijie General Operating System (RGOS) supports overall system upgrade and subsystem upgrade, as well as the upgrade through patches. The package management module of RGOS is used to install, query, and maintain components of the device. By upgrading the software of the device, users can install software that is more stable or contains more features in the system.
  • Page 147 Configuration Guide Configuring Software Upgrade 2. Upgrading/Degrading and Managing Subsystems Subsystem upgrade/degradation aims to update the software functions by replacing the subsystem components in the device with the ones in an installation package. Redundancy design is adopted for subsystems, so subsystems of the device are often not directly replaced with the subsystems in the package during upgrade/degradation.
  • Page 148 Configuration Guide Configuring Software Upgrade  Auto-sync upgrade check is performed in the following scenarios: ○ During upgrade, if no upgrade target is specified, the upgrade function module sends the upgrade package to all matched members (including boards, chassis, and VSU system) for auto-sync upgrade. ○...
  • Page 149 Configuration Guide Configuring Software Upgrade synchronizes the patch installed on the supervisor module to the new member. Thus, no resolved patch problem occurs even if synchronization is omitted. Patch auto-sync rules:  The subsystems comply with all the normal patch installation rules. ...
  • Page 150 Configuration Guide Configuring Software Upgrade Specification Generally a main package is released to upgrade box-type devices. Generally a rack package is released to upgrade rack-type devices. 2. Restrictions and Guidelines  To upgrade a main package of the device, download the installation package to the local device and run the upgrade command.
  • Page 151 Configuration Guide Configuring Software Upgrade 3. Procedure (1) Enter the privileged EXEC mode. enable (2) Configure a version auto-sync policy. upgrade auto-sync policy none compatible coordinate (3) Configure the range of version auto-sync. upgrade auto-sync range (4) Configure the path of the upgrade package for version auto-sync. upgrade auto-sync package (5) Configure the status of the version auto-sync service.
  • Page 152 Configuration Guide Configuring Software Upgrade Caution The downloaded patch package cannot be renamed. The name of the patch package is used as the operation keyword for the subsequent patch activation, deactivation, and uninstallation.  The installed patch must be activated before it is used. You must activate the patch first temporarily and then permanently.
  • Page 153 Configuration Guide Configuring Software Upgrade click. Caution The downloaded patch package cannot be renamed. The name of the patch package is used as the operation keyword for the subsequent patch activation, deactivation, and uninstallation. 3. Procedure (1) Enter the privileged EXEC mode. enable (2) Activate the patch package by one click.
  • Page 154 Configuration Guide Configuring Software Upgrade Uninstall a patch. patch delete slot slot-id | slot all Monitoring Run the show commands to check the running status of a configured function to verify the configuration effect. Run the check commands to check information. Run the clear commands to clear information.
  • Page 155 Configuration Guide Configuring Software Upgrade Configuration Examples 1.9.1 Configuring Subsystem Upgrade 1. Requirements Upgrade a subsystem installation package to update all software in the device so that the overall software is enhanced and the known software bugs are fixed. Use Figure 1-1 as an example.
  • Page 156 : success (3) #Check the running version on the device. If the version information changes, the upgrade is successful. Hostname# show version System description : Ruijie 10G Ethernet Switch(S6120-20XS4VS2QXS) By Ruijie Networks System start time : 2020-11-23 13:13:59 System uptime : 0:00:03:36 System hardware version : 1.0B...
  • Page 157 Configuration Guide Configuring Software Upgrade System patch number : NA System serial number : 1234942570025 System boot version : 1.4.2(Master) 1.4.2(Slave) Module information: Slot 1/0 : RG-S6120-20XS4VS2QXS Hardware version : 1.0B Boot version : 1.4.2(Master) 1.4.2(Slave) Software version : S6120_RGOS 12.1(PL1) Serial number : 1234942570025 Slot 2/0 : RG-S6120-20XS4VS2QXS...
  • Page 158 Configuration Guide Configuring Software Upgrade auto-sync range : vsu auto-sync policy : coordinate auto-sync package : flash:install_file/S6120_install.bin Check version matching of device nodes. Hostname# check version Dev Slot State --- ---- ------------ Compatible Compatible 4. Common Errors  The url parameter in the command used for configuring auto-sync upgrade does not point to a valid upgrade package.
  • Page 159 Configuration Guide Configuring Software Upgrade Hostname# install add tftp://192.1.1.20/smu_rf_hot1002_0118.bin < The terminal is locked by patch module > Press Ctrl+C to quit Operating, please wait for a moment..Operate finish! Operate result information: ------------------------------------- Slot Result Comment Success None Success...
  • Page 160 Configuration Guide Configuring Software Upgrade Operate finish! Operate result information: ------------------------------------- Success None Success None < The terminal is unlocked by patch module > #Run the patch running command to activate the hot patch permanently. Hostname# patch running < The terminal is locked by patch module > Operating, please wait for a moment...
  • Page 161 Configuration Guide Configuring Software Upgrade [Slot 2/0] Patch name : smu_rf_hot1002_0118 File name : smu_rf_hot1002_0118.bin Patch state : Install Patch flag : Hot Effective time Last patch 6. Common Errors  If you run the install commit command when a patch is not activated, an error is prompted. The install commit command takes effect only when the patch is in the active state.
  • Page 162 Configuration Guide Configuring Software Upgrade ------------------------------------- Slot Result Comment Success None Success None < The terminal is unlocked by patch module >  Run the patch command to uninstall a patch. #Run the patch deactive command to deactivate the patch. Hostname# patch deactive <...
  • Page 163 Configuration Guide Configuring Software Upgrade [Slot 2/0] [No Install information]...
  • Page 164 Configuration Guide Contents: 1 Configuring Uboot; 1.1 Introduction; 1.1.1 Overview; 1.1.2 Accessing the Uboot Menu; 1.1.3 Downloading XModem; 1.1.4 Running the Main Program; 1.1.5 Running the Rboot Program; 1.1.6 Querying and Setting Other Functions...
  • Page 165 Configuration Guide Configuring Uboot Configuring Uboot Introduction 1.1.1 Overview The Uboot menu includes all functions supported by the universal boot loader (Uboot), including booting the main program, booting Rboot, and updating Uboot or Rboot. 1.1.2 Accessing the Uboot Menu 1. Connecting to the Client Connect the COM port of a PC to the serial port of the device through a serial port cable, start the HyperTerminal, and configure the following settings: ...
  • Page 166 Configuration Guide Configuring Uboot Press Ctrl+Z to exit the current submenu and return to the previous-level menu. 1.1.3 Downloading XModem On the menu interface, select Upgrade bootloader. This is a submenu. After you access the submenu, the following information is displayed: ====== BootLoader Menu("Ctrl+Z"...
  • Page 167 Configuration Guide Configuring Uboot 1. Reload system. 2. Set baudrate. 3. Set default environment. 4. Set debug mode. 5. Run main without enable password. ************************************************ Press a key to run the command: 1. Showing the bootloader Version This function is used to display the version of the boot program on the current flash memory. (1) On the menu interface, select Show the bootloader version.
  • Page 168 Configuration Guide Configuring the SIMPLE CLI 5. Setting the Debugging Mode This is a submenu. After you access the submenu, the following information is displayed: ====== BootLoader Menu("Ctrl+Z" to upper level) ====== Set debug mode. ************************************************ 0. Debug switch On. 1.
  • Page 169 Configuration Guide Configuring the SIMPLE CLI help Dump command list OR show a command's details xmdown Download programs through XModem. runrboot Run rboot program. runmain Run main program. setbaud Set BOOT/BOOTLOADER baudrate tools. reload Reload tools. version Show current version information. quit Quit from CLI command line.
  • Page 170 After the setbaud command is run, the baud rate of the current device is changed and the changed baud rate is saved to the environmental variable partition of the flash memory. Enter the help setbaud command. The usage details of the setbaud command are displayed: ruijie#help setbaud Syntax: setbaud (-h | -m | -l) Usage Details:...
  • Page 171 Configuration Guide Contents: 1 Configuring Rboot; 1.1 Introduction; 1.1.1 Overview; 1.1.2 Accessing the Rboot Menu; 1.1.3 Downloading Tftp utilities; 1.1.4 Downloading X/Y/ZModem; 1.1.5 Running the Main Program; 1.1.6 Querying and Setting Other Functions...
  • Page 172 Configuration Guide Configuring Rboot Configuring Rboot Introduction 1.1.1 Overview The Rboot menu includes all functions supported by Rboot, including booting the main program, updating the universal boot loader (Uboot), updating Rboot, and reinstalling the system. 1.1.2 Accessing the Rboot Menu 1.
  • Page 173 Configuration Guide Configuring Rboot Press a key to run the command: After the device displays the menu interface, select a menu item to select the corresponding function. Press the first character of the menu item to perform the function of the menu item. If the menu item is a submenu, the submenu is accessed.
  • Page 174 Configuration Guide Configuring Rboot 3. Upgrading the Main Program The function is used to parse a main program package and upgrade the main program. If the main program package contains Uboot or Rboot, Uboot or Rboot is upgraded depending on the version. (1) Start the TFTP server on the PC or supervisor module.
  • Page 175 Configuration Guide Configuring Rboot XModem utilities. ************************************************ X/Y/ZModem utilities. ************************************************ 0. XModem utilities. 1. YModem utilities. 2. ZModem utilities. 3. Local utilities. ************************************************ Press a key to run the command: 1. Upgrading XModem This function is used to download Uboot, BIOS, Rboot, main program, software package, or ROM through XMODEM and install it on the device.
  • Page 176 Configuration Guide Configuring Rboot 3. Upgrade the entire device by distribute package. 4. Burn the total FlashROM by this downloaded file. ************************************************ Press a key to run the command: (3) Select a required upgrade type. Note This menu is similar to the TFTP menu. For details, see the TFTP menu. (4) Select Transfer >...
  • Page 177 Configuration Guide Configuring Rboot ************************************************ 0. Upgrade uboot/bios program. 1. Upgrade rboot program. 2. Upgrade main program. 3. Upgrade the entire device by distribute package. 4. Burn the total FlashROM by this downloaded file. ************************************************ Press a key to run the command: (3) Select a required upgrade type.
  • Page 178 Configuration Guide Configuring Rboot The First MasterBoot Version: 1.3.13 The First SlaveBoot Version: 1.3.13 The First Rboot Version: 1.0.5 The Second MasterBoot Version: 1.3.13 The Second SlaveBoot Version: 1.3.13 The Second Rboot Version: 1.0.5 Note: Some devices may not display all six boot programs above; NA is displayed for boot programs that do not exist.
  • Page 179 Configuration Guide Configuring Rboot 5. Setting the Debugging Mode This is a submenu. After you access the submenu, the following information is displayed: ====== Rboot Menu (Ctrl+Z to upper level) ====== Set debug mode. ************************************************ 0. Debug switch On. 1. Debug switch Off. ************************************************ Press a key to run the command: Select Debug switch On to enable the debugging mode or select Debug switch Off to disable the debugging...
  • Page 180 Configuration Guide Configuring Rboot Clear Local GatewayIP config. Clear IP Netmask config.
  • Page 181 Configuration Guide Contents: 1 Configuring Time Range; 1.1 Introduction; 1.1.1 Overview; 1.1.2 Principles; 1.2 Configuring Basic Features; 1.2.1 Overview; 1.2.2 Restrictions and Guidelines; 1.2.3 Procedure; 1.3 Monitoring...
  • Page 182 Configuration Guide Configuring Time Range Configuring Time Range Introduction 1.1.1 Overview Time range is a time control service. Users can create a time range and reference the time range in a service to control the time of the service. For example, to make an access control list (ACL) take effect in a time range within a week, configure a time range and associate the ACL with the time range.
  • Page 183 Configuration Guide Configuring Time Range 1.2.3 Procedure (1) Enter the privileged EXEC mode. enable (2) Enter the global configuration mode. configure terminal (3) Configure a time range. time-range time-range-name (4) (Optional) Configure effective time of the time range. Configure at least one of the following tasks. ○...
  • Page 184 Configuration Guide Configuring Time Range 3. Notes • Configure the system time of the device first. The effective time of an ACL is based on the system time of the device. • A time range cannot cross 0:00. For example, to create a time range from 22:00 to 7:00 the next day, create two time ranges.
  • Page 185 Configuration Guide Configuring Time Range Run the show access-lists command to display the ACL configurations. When the time of the device is in the time range time1, the displayed status of the ACL is active; when the time of the device is not in the effective time of ACL, the displayed status of the ACL is inactive.
  • Page 186 Configuration Guide Contents: 1 Configuring UFT Mode Management; 1.1 Introduction; 1.1.1 Overview; 1.1.2 Principles; 1.2 Restrictions and Guidelines; 1.3 Configuring a UFT Mode; 1.3.1 Overview; 1.3.2 Restrictions and Guidelines...
  • Page 187 Configuration Guide Configuring UFT Mode Management Configuring UFT Mode Management Introduction 1.1.1 Overview The unified forwarding table (UFT) provides the function of dynamically allocating switch hardware forwarding entry resources so that users can select UFT modes to adapt to requirements of the scenarios. 1.1.2 Principles 1.
  • Page 188 Configuration Guide Configuring UFT Mode Management include but are not limited to the following: ○ The non-default UFT mode is saved before the device is upgraded. ○ The config.text file is manually deleted or modified. ○ The UFT mode modified in CLI is not saved. 1.3.3 Procedure (1) Enter the privileged EXEC mode.
  • Page 189 Configuration Guide Configuring UFT Mode Management convergence zone must be supported by a large MAC address table. Therefore, you need to set the UFT mode of switches in the small convergence zone to the bridge mode and adjust the forwarding entries to support the pure L2 mode to meet the requirement for the large-capacity MAC address table.
  • Page 190 Configuration Guide Contents: 1 Configuring Supervisor Module Redundancy; 1.1 Introduction; 1.1.1 Overview; 1.1.2 Principles; 1.2 Restrictions and Guidelines; 1.3 Configuration Task Summary; 1.4 Configuring RDND; 1.4.1 Overview...
  • Page 191 Configuration Guide Configuring Supervisor Module Redundancy Configuring Supervisor Module Redundancy Introduction 1.1.1 Overview Redundancy (RDND) is a mechanism that improves device availability by backing up the operating status of services on the supervisor module (SM) in real time. On a network device with the control plane separated from the forwarding plane, the control plane runs on an SM and the forwarding plane runs on a line card.
  • Page 192 Configuration Guide Configuring Supervisor Module Redundancy During master-slave backup, the master device has three states as follows: ○ alone, namely alone state. In this state, only one device is running in the system or master/slave switchover is not completed and no redundancy is created between the new master device and the new slave device.
  • Page 193 Configuration Guide Configuring Supervisor Module Redundancy During the running of the device, two system configuration files exist: running-config, which is dynamically generated during running and changes with the service configuration; startup-config, which is imported during the startup of the device. The write command is run to write running-config into startup-config or copy...
  • Page 194 Configuration Guide Configuring Supervisor Module Redundancy 1.4.2 Configuring Manual Master/Slave Switchover 1. Overview If more than two devices exist in the system, you can manually perform master/slave switchover to change the slave device into the master device and select a new slave device from candidate devices (the original master device becomes a candidate device after reset).
  • Page 195 Configuration Guide Configuring Supervisor Module Redundancy (3) Enter the redundancy configuration mode. redundancy (4) Configure a period for automatically synchronizing configuration files. auto-sync time-period synchronization-interval-time The default period for automatically synchronizing configuration files is 1 hour. 1.4.4 Resetting Devices 1. Overview ...
  • Page 196 Configuration Guide Configuring Supervisor Module Redundancy Forcible master/slave switchover is enabled by default. Monitoring Run the show commands to check the running status of a configured function to verify the configuration effect. Table 1-1 RDND Monitoring Command Purpose show redundancy states Displays the current redundancy status of VSUs.
  • Page 197 Configuration Guide Contents: 1 Configuring Module Hot Swapping; 1.1 Introduction; 1.1.1 Overview; 1.1.2 Working Principle; 1.2 Configuration Task Summary; 1.3 Clearing and Modifying Module/Device Configurations; 1.3.1 Overview; 1.3.2 Procedure...
  • Page 198 Configuration Guide Configuring Module Hot Swapping Configuring Module Hot Swapping Introduction 1.1.1 Overview Module hot swapping is a maintenance function. With this function, users can insert or remove a module when a device is operating. The module hot swapping function supports automatic installation and information query of the High-Speed Inter-Chip (HSIC) on devices.
  • Page 199 Configuration Guide Configuring Module Hot Swapping Clearing and Modifying Module/Device Configurations 1.3.1 Overview In different circumstances, different configurations need to be cleared. The specific application scenarios are described as follows: • Clearing the configurations of a module: A user inserts a board card into a slot on a device. Later, the user removes the board card and deletes the configurations of the board card and its port because the board card is no longer used.
  • Page 200 Configuration Guide Configuring Module Hot Swapping Setting the Application Level of a Device 1.4.1 Overview This section describes how to set the application level for a device so that the administrator can intuitively learn the network layer to which the device belongs. Configurable application levels include the core layer, convergence layer, and access layer.
  • Page 201 Configuration Guide Configuring Module Hot Swapping Configuration Examples 1.6.1 Removing the Configuration of a VSU Member Device 1. Requirements A user previously used device 1 as a member device in a VSU and removed the device from the VSU because of networking changes.
  • Page 202 Configuration Guide Contents: 1 Configuring Process Restarting; 1.1 Introduction; 1.1.1 Overview; 1.1.2 Principles; 1.2 Restrictions and Guidelines; 1.3 Configuration Task Summary; 1.4 Configuring RAS-CMDK; 1.4.1 Overview; 1.4.2 Restarting a Process of the Member Device in a Specified Slot on a Specified Device; 1.4.3 Starting a Process of the Member Device in a Specified Slot on a Specified Device...
  • Page 203 Configuration Guide Configuring Configuring Process Restarting Introduction 1.1.1 Overview The command line interface (CLI) reboot process module (CMDK) provides a means of restarting a back-end process of a device on the CLI for users. Therefore, when the function of a service fails on a device, the user can restart a specified process of the member device in a specified slot on a specified device in a cluster rather than restart the device, to improve device availability.
  • Page 204 Configuration Guide Configuring Configuring RAS-CMDK 1.4.1 Overview The CLI CMDK provides a means of restarting a back-end process of a device on the CLI for users. Therefore, when the function of a service fails on a device, the user can restart a specified process of the member device in a specified slot on a specified device in a cluster rather than restart the device, to improve device availability.
  • Page 205 Configuration Guide Configuring 3. Procedure (1) Enter the privileged EXEC mode. enable (2) Stop a process of the member device in a specified slot on a specified device. cmdk device device-id slot slot-id module module-name stop 1.4.5 Displaying Processes that can Be Restarted on the Member Device in a Specified Slot on a Specified Device 1.
  • Page 206 Configuration Guide Contents: 1 Configuring Python; 1.1 Introduction; 1.1.1 Overview; 1.1.2 Principles; 1.2 Restrictions and Guidelines; 1.3 Configuring Basic Features; 1.3.1 Overview; 1.3.2 Procedure...
  • Page 207 Configuration Guide Configuring Python Configuring Python Introduction 1.1.1 Overview Python is an object-oriented, interpreted programming language and is free software. Its source code and the CPython interpreter comply with the GNU General Public License (GPL). The Python shell component can debug and run Python scripts through CLI commands. 1.1.2 Principles 1.
  • Page 208 Configuration Guide Contents: 1 Configuring License Management; 1.1 Introduction; 1.1.1 License Management Overview; 1.1.2 Principles; 1.2 Configuration Task Summary; 1.3 Configuring License Management; 1.3.1 Overview; 1.3.2 Installing License File...
  • Page 209 A user needs to install a correct license file to use some extension functions of a device. The extension functions provided by Ruijie General Operating System (RGOS) include EVPN, MPLS, and FCoE. A user can use the general and extension functions of the RGOS only after obtaining a license.
  • Page 210 Use of License A license must be obtained from Ruijie's official website or marketing channel. It is device-specific. You log in to the website specified in the purchase voucher and provide the PAK and host ID to obtain the license file, which is directly downloaded or given through an email.
  • Page 211 • License File Update: If the existing license of the system fails to meet the feature requirements, you can visit Ruijie's website to purchase a desired license and then update the license file locally. ...
  • Page 212 Configuration Guide Configuring License Management 2. Restrictions and Guidelines • Ruijie provides a paper purchase voucher that contains a PAK when you purchase a license. • Log in to Ruijie's website and obtain a license file as prompted. • If you use a feature without being licensed, the CLI window displays a prompt, indicating that the feature is not licensed and is unavailable, and provides a website to download a license file.
  • Page 213 Configuration Guide Configuring License Management 2. Restrictions and Guidelines • Evaluation license files cannot be backed up. • Sufficient storage space is required to store backup license files. Generally, one license file is 4 KB to 10 KB. • Backup license files are normal files. ...
  • Page 214 Configuration Guide Configuring License Management 1.3.5 Updating License File 1. Overview This section describes how to update the license file for a feature of the system. Generally, this function is performed to update an evaluation license file into a temporary license file. 2.
  • Page 215 Configuration Guide Configuring License Management 1.3.7 Unbinding License 1. Overview If you want to unbind a license from a device on the license website, unbind the license on the device first. 2. Restrictions and Guidelines • Upon unbinding a license, you obtain a verification code, which is used to unbind the license on the license website.
  • Page 216 Virtualization Configuration VSU Configuration...
  • Page 217 Configuration Guide Contents: 1 Configuring VSU; 1.1 Introduction; 1.1.1 Basic Concepts; 1.1.2 VSU Application; 1.1.3 VSU Topology; 1.1.4 DAD; 1.1.5 Traffic Forwarding; 1.1.6 System Management; 1.1.7 System Upgrade...
  • Page 218 Configuration Guide Contents: 1.6 Configuring AP-based DAD; 1.6.1 Overview; 1.6.2 Restrictions and Guidelines; 1.6.3 Prerequisites; 1.6.4 Procedure; 1.7 Configuring the VSL; 1.7.1 Overview; 1.7.2 Restrictions and Guidelines; 1.7.3 Prerequisites...
  • Page 219 Configuration Guide Contents: 1.11.2 Configuring BFD-based DAD; 1.11.3 Configuring AP-based DAD; 1.12 Common Misconfigurations...
  • Page 220 Configuring VSU Introduction Virtual Switching Unit (VSU) is an N:1 network device technology independently developed by Ruijie. It simplifies the device operation & maintenance (O&M) and network topology by virtualizing multiple network devices into a single logical device for management and use. In addition, the VSU technology connects peripherals to different member devices in the VSU through aggregated links to achieve cross-device link redundancy and improve reliability and scalability of networks.
  • Page 221 Configuration Guide Configuring VSU 4. Device priority Priority is an attribute of a member device, and is used to elect a role. A higher priority indicates a higher probability of being elected as the active device. To elect a device as the active device, increase its priority. Member devices have two types of priorities.
  • Page 222 Configuration Guide Configuring VSU a neighbor within 5 minutes). In this case, the member device joins the VSU in hot mode, and the system does not switch active/standby role even if the member device has a higher priority than the active device in the current VSU.
  • Page 223 Configuration Guide Configuring VSU 1.1.2 VSU Application Compared with conventional networks, VSU has the following advantages: • Low cost: lightweight and dynamic network capacity expansion for protecting the equipment investment in the existing network, and reducing the construction cost. • Simple O&M: reduced management workload, simplified networking, and lowered O&M difficulty.
  • Page 224 Configuration Guide Configuring VSU Figure 1-3 Forwarding Capacity Expansion over VSU Figure 1-4 Bandwidth Expansion over VSU 2. Simplified management Simplified management is reflected in the following aspects: • Device: After multiple devices form a VSU, an administrator can manage them together, without connecting to them for separate configuration and management.
  • Page 225 Configuration Guide Configuring VSU Figure 1-5 Simplified Networking over VSU Distribution layer Access layer 3. Hot backup As shown in Figure 1-6, two switches form a VSU to provide the following redundancy to adapt to high reliability scenarios: • Device redundancy: redundancy between member devices in the VSU. Failure of the standby device does not affect the entire system, but failure of the active device makes the system switch to the standby device.
  • Page 226 Configuration Guide Configuring VSU Figure 1-7 Server Access Link Redundancy Access layer Server 1.1.3 VSU Topology A VSU supports linear topology and ring topology. 1. Linear topology As shown in Figure 1-8, devices are connected through a VSL to form a line, and this topology is therefore called linear topology.
  • Page 227 Configuration Guide Configuring VSU 3. Topology convergence During setup of the VSU, the management scope is determined through topology convergence. The process is as follows: (1) The member devices discover their neighbors through a topology discovery protocol to determine the list of devices included in the VSU.
  • Page 228 Configuration Guide Configuring VSU Figure 1-11 Topology Combination Topology combination Note During topology combination of two VSUs, they must be elected. The VSU that fails the election automatically restarts and joins the other VSU in hot mode. 6. Topology conversion As shown in Figure 1-12, when one VSL-AP link is disconnected, the ring topology is converted into a linear...
  • Page 229 Configuration Guide Configuring VSU 1. Detection rules Determine the desired active device according to the following rules one by one: (1) The healthier device prevails. (A greater sum of bandwidths of up physical ports excluding the administration port and VSL port indicates a healthier device). (2) The global active device with a higher priority prevails.
  • Page 230 Active Active (original standby) Specification In the preceding topology, the upstream device must be a Ruijie device and can forward detection packets. 1.1.5 Traffic Forwarding 1. Cross-device Aggregation An AP binds multiple physical links to form a logical link. The VSU supports an AP across member devices. As...
  • Page 231 Configuration Guide Configuring VSU • Reserved bandwidth for the VSL: For cross-device AP traffic, the AP member of the same device is preferentially selected as the traffic egress, to avoid unnecessary traffic from being transmitted over the VSL. • Improved network reliability: If a device fails, a member port on a normal device still works properly. Table 1-1 lists the possible cross-device AP faults and their impact: Table 1-1...
  • Page 232 Configuration Guide Configuring VSU through the serial port of the standby device. You can also redirect to the master supervisor module of a device by running the session command. 2. Interface naming In VSU mode, the same slot ID may appear on multiple devices. Therefore, device ID (switch ID) is added to an interface name.
  • Page 233 Configuration Guide Configuring VSU • When the Switched Port Analyzer (SPAN) function is configured, a VSL port is used as neither the source port nor the destination port of SPAN. Configuration Task Summary The VSU configuration includes the following tasks: Setting Up a VSU Configuring BFD-based DAD (Optional) Configure...
  • Page 234 Configuration Guide Configuring VSU 1.4.4 Procedure (1) Enter the privileged EXEC mode. enable (2) Enter the global configuration mode. configure terminal (3) Configure the VSU domain ID and enter the config-vs-domain configuration mode. switch virtual domain domain-id The default domain ID is 100. Only devices with the same domain ID can form a VSU.
  • Page 235 Configuration Guide Configuring VSU Configuring BFD-based DAD 1.5.1 Overview The BFD-based DAD is configured to prevent coexistence of two active devices. 1.5.2 Restrictions and Guidelines • BFD detection ports must be direct physical routed ports in different devices. • The configured port type is unlimited. DAD links are used to transmit only BFD packets and thus need less traffic.
  • Page 236 Configuration Guide Configuring VSU Enable the DAD function and specify the BFD-based detection method. dual-active detection bfd The DAD function is disabled by default. Configure a BFD detection port. dual-active bfd interface interface-type interface-number BFD detection port is configured by default. (9) (Optional) Configure the list of excluded ports for Recovery mode.
  • Page 237 Configuration Guide Configuring VSU dual-active interface interface-type interface-number [ vlan vlan-id ] No AP-based detection port is configured by default. When the aggregate port is a trunk port and the native VLAN is beyond the VLAN range allowed by the AP-based detection port, configure a detection VLAN for the AP-based detection port.
  • Page 238 Configuration Guide Configuring VSU • If a port is configured as an NLB reflex port, this port can be switched to a VSL member port only after the NLB reflex port configuration is deleted. • If the VSU topology is split when a VSL port is switched to a common port, the VSL port must not be deleted. You can disconnect the physical port before deleting the VSL port.
  • Page 239 Configuration Guide Configuring VSU 2. Restrictions and Guidelines All configuration commands take effect only after the device is restarted, except the device alias modification command, which takes effect immediately. 3. Prerequisites A VSU has been set up. 4. Procedure (1) Enter the privileged EXEC mode. enable (2) Enter the global configuration mode.
  • Page 240 Configuration Guide Configuring VSU 2. Restrictions and Guidelines • By default, AP-based and ECMP-based Local Forward First (LFF) are enabled. • In VSU mode, the cross-device AP-based LFF and ECMP-based LFF over L3 ports are enabled by default. To set up a VSU with L3 switches, you are advised to configure the AP-based load balancing based on IP addresses (src-ip, dst-ip, and src-dst-ip).
  • Page 241 Configuration Guide Configuring VSU 1.8.6 Configuring Recovery Method for Recovery Mode 1. Overview This function disables the automatic restart function for the Recovery mode. 2. Restrictions and Guidelines If the automatic restart function is disabled, you must enable this function again or manually restart the device to recover the device in recovery mode.
  • Page 242 Configuration Guide Configuring VSU 1.10 Monitoring Run the show commands to check the running status of a configured function to verify the configuration effect. Table 1-2 VSU Monitoring Command Purpose show switch virtual topology config role Views the topology, configurations, roles, and balance forwarding and balancing policies of the running VSU.
  • Page 243 Configuration Guide Configuring VSU DeviceA(config-vs-domain)# switch crc errors 10 times 20 DeviceA(config-vs-domain)# exit DeviceA(config)# vsl-port DeviceA(config-vsl-port)# port-member interface tengigabitethernet 1/1 DeviceA(config-vsl-port)# port-member interface tengigabitethernet 1/2 DeviceA(config)# exit DeviceA# switch convert mode virtual (2) On Device B, set the domain ID to 100, device ID to 2, device priority to 100, VSU device name to Device B, and VSL ports to tenGigabitEthernet 1/1 and tenGigabitEthernet 1/2.
  • Page 244 Configuration Guide Configuring VSU switch convert mode virtual • Device B configuration file hostname DeviceB switch virtual domain 100 switch 2 switch 2 priority 100 switch 2 description DeviceB switch crc errors 10 times 20 port-member interface TenGigabitEthernet 0/1 port-member interface TenGigabitEthernet 0/2 switch convert mode virtual Common Errors ...
  • Page 245 Configuration Guide Configuring VSU Note As Device A and Device B form the VSU, the preceding configuration can be performed on either Device A or Device B. Device A is used as an example. 3. Procedure On Device A, configure GigabitEthernet 1/1/2 and GigabitEthernet 2/1/2 as routed ports, enable the BFD-based DAD, and set the BFD-based detection ports to GigabitEthernet 1/1/2 and GigabitEthernet 2/1/2.
  • Page 246 Configuration Guide Configuring VSU Log in to the console of Device B, and run the show switch virtual dual-active summary command to check whether the value of In dual-active recovery mode is Yes (Device B works in recovery mode). VSU-RECOVERY-2# show switch virtual dual-active summary BFD dual-active detection enabled: Yes Aggregateport dual-active detection enabled: No Interfaces excluded from shutdown in recovery mode:...
  • Page 247 Configuration Guide Configuring VSU dual-active detection bfd dual-active bfd interface GigabitEthernet 1/1/2 dual-active bfd interface GigabitEthernet 2/1/2 switch 2 switch 2 priority 90 switch 2 description DeviceB switch crc errors 10 times 20 port-member interface TenGigabitEthernet 0/1 port-member interface TenGigabitEthernet 0/2 switch convert mode virtual Common Errors ...
  • Page 248 Configuration Guide Configuring VSU • Configure the ports connecting Device C to Device A and Device B as the same AP group. Enable the function of forwarding AP-based DAD packets of this port group. Note As Device A and Device B form the VSU, the preceding configuration can be performed on either Device A or Device B.
  • Page 249 Configuration Guide Configuring VSU AggregatePort 1: UP GigabitEthernet 1/1/1: UP GigabitEthernet 1/2/1: UP GigabitEthernet 2/1/1: UP GigabitEthernet 2/2/1: UP Hostname_VSU-RECOVERY-2#sh switch virtual dual-active su BFD dual-active detection enabled: No Aggregateport dual-active detection enabled: Yes Interfaces excluded from shutdown in recovery mode: In dual-active recovery mode: Yes Hostname_VSU-RECOVERY-2#sh switch virtual Switch_id...
  • Page 250 Configuration Guide Configuring VSU switch 1 description DeviceA switch crc errors 10 times 20 port-member interface TenGigabitEthernet 0/1 port-member interface TenGigabitEthernet 0/2 switch convert mode virtual • Device B configuration file hostname DeviceB interface GigabitEthernet 1/1/1 port-group 1 interface GigabitEthernet 1/1/2 port-group 1 interface GigabitEthernet 2/1/1 port-group 1...
  • Page 251 Configuration Guide Configuring VSU port-group 1 interface GigabitEthernet 0/2 port-group 1 interface GigabitEthernet 0/3 port-group 1 interface GigabitEthernet 0/4 port-group 1 interface AggregatePort 1 dad relay enable 7. Common Errors • The AP detection port must be an aggregate port ...
  • Page 252 Interface Configuration Configuring Ethernet Interface Configuring Aggregate Port Configuring PoE...
  • Page 253 Configuration Guide Contents: 1 Configuring Ethernet Interface; 1.1 Introduction; 1.1.1 Interface Classification; 1.1.2 Interface Numbering Rules; 1.2 Configuration Task Summary; 1.3 Configuring Common Features of Ethernet Interfaces; 1.3.1 Configuration Task Summary...
  • Page 254 Configuration Guide Contents: 1.4.1 Configuration Task Summary; 1.4.2 Configuring Information Collection Intervals of Optical Transceivers; 1.4.3 Configuring Alarm Detection for Optical Transceivers; 1.5 Configuring Port Attributes of the Data Link Layer; 1.5.1 Configuration Task Summary; 1.5.2 Configuring the MAC Address of an Interface...
  • Page 255 Configuration Guide Configuring Ethernet Interface Configuring Ethernet Interface Introduction Interfaces are important in implementing data switching on network devices. The company’s devices support two types of interfaces: physical ports and logical interfaces. A physical port is a hardware port on a device, such as the 100M Ethernet interface and Gigabit Ethernet interface.
  • Page 256 Configuration Guide Configuring Ethernet Interface Schematic Diagram of SVI Device A SVI20 SVI30 192.168.64.1 192.168.65.1 Host A Host B VLAN 20 VLAN 30 • Loopback interface A loopback interface is a local Layer 3 logical interface simulated by software. The interface is always up. Packets sent to a loopback interface are processed on the device locally, including route information....
  • Page 257 Configuration Guide Configuring Ethernet Interface 1.1.2 Interface Numbering Rules Table 1-1 shows the numbering rules of physical ports on the devices supporting or not supporting daughter cards in the standalone mode or virtual switch unit (VSU) mode. Table 1-1 The Numbering Rules of Physical Ports Daughter Cards Stand-alone mode VSU mode...
  • Page 258 Configuration Guide Configuring Ethernet Interface ○ Configuring Interfaces in a Range ○ Configuring Interface Description ○ Configuring Routed Ports or Switch Ports ○ Configuring Interface Administrative Status ○ Configuring MTU of an Interface ○ Configuring Interface Bandwidth ○ Configuring the Flow Control Mode ○...
  • Page 259 Configuration Guide Configuring Ethernet Interface • Configuring Interface Bandwidth • Configuring the Flow Control Mode • Configuring the Duplex Mode of an Interface • Configuring the Auto Negotiation Mode • Configuring Protected Ports • Configuring Interface Traffic Statistics • Configuring SNMP Features for Interfaces • ...
  • Page 260 Configuration Guide Configuring Ethernet Interface 3. Procedure (1) Enter the privileged EXEC mode. enable (2) Enter the global configuration mode. configure terminal (3) (Optional) Configure a macro name for the interfaces to be configured in a batch. define interface-range macro-name interface-type interface-range-string The default macro name is not configured for the interfaces to be configured in a batch.
  • Page 261 Configuration Guide Configuring Ethernet Interface versa. • When a port is a member port of a Layer 2 link aggregation or an unauthenticated dot1x port, you cannot change the port type using the switchport command or the no switchport command. 3....
  • Page 262 Configuration Guide Configuring Ethernet Interface shutdown An interface is enabled by default. 1.3.6 Configuring MTU of an Interface 1. Overview The MTU is the length of the valid data segment in a frame. It does not include the Ethernet encapsulation overhead.
  • Page 263 Configuration Guide Configuring Ethernet Interface 3. Procedure (1) Enter the privileged EXEC mode. enable (2) Enter the global configuration mode. configure terminal (3) Enter the interface configuration mode. interface interface-type interface-number (4) Configure the bandwidth for an interface. bandwidth bandwidth-value No default interface bandwidth is configured.
  • Page 264 Configuration Guide Configuring Ethernet Interface 2. Procedure (1) Enter the privileged EXEC mode. enable (2) Enter the global configuration mode. configure terminal (3) Enter the interface configuration mode. interface interface-type interface-number (4) Configure the flow control mode of an interface. flowcontrol auto The flow control mode is disabled by default.
  • Page 265 Configuration Guide Configuring Ethernet Interface of its member ports. (All these member ports are Ethernet physical ports.) 2. Restrictions and Guidelines • Generally, if one of the interface rate, duplex mode, and flow control mode is set to auto, or the auto negotiation mode of an interface is on, the auto negotiation state of the interface is on, that is, the auto negotiation function of the interface is enabled....
  • Page 266 Configuration Guide Configuring Ethernet Interface configure terminal (3) (Optional) Block Layer 3 routing between protected ports. protected-ports route-deny Layer 3 routing is not blocked between protected ports by default. (4) Enter the interface configuration mode. interface interface-type interface-number (5) Configure a protected port. switchport protected No interface is configured as a protected port by default.
  • Page 267 Configuration Guide Configuring Ethernet Interface (2) Enter the global configuration mode. configure terminal (3) (Optional) Configure the collection interval for Ethernet interface statistics collection. ethernet-port counter sample-period [ interval ] The default collection interval of Ethernet interface statistics collection is five seconds. (4) Configure that the interface rate statistics include interframe gaps.
  • Page 268 Configuration Guide Configuring Ethernet Interface The interface index persistence feature is disabled on an interface by default. (4) Configure enhanced name display for interfaces. snmp-server if-name enhance The function is disabled by default. 1.3.14 After you run this command, save the configuration and restart the device to make the configuration take effect.
  • Page 269 Configuration Guide Configuring Ethernet Interface 3. Procedure (1) Enter the privileged EXEC mode. enable (2) Enter the global configuration mode. configure terminal (3) Configure the information collection interval of optical transceivers on Ethernet interfaces. ethernet-port fiber-info sample-period [ interval ] The default information collection interval of optical transceivers on Ethernet interfaces is five minutes.
  • Page 270 Configuration Guide Configuring Ethernet Interface Configuring Port Attributes of the Data Link Layer 1.5.1 Configuration Task Summary The following tasks are optional. Select them as required. • Configuring the MAC Address of an Interface • Configuring the Carrier-Delay for an Interface 1.5.2 Configuring the MAC Address of an Interface 1....
  • Page 271 Configuration Guide Configuring Ethernet Interface 1.6.2 Configuring the Carrier-Delay for an Interface 1. Overview The carrier-delay refers to the delay after which the data carrier detect (DCD) signal changes from down to up or from up to down. If the DCD status changes during the delay, the system will ignore this change to avoid negotiation at the upper data link layer.
  • Page 272 Configuration Guide Configuring Ethernet Interface configure terminal (3) Configure the port flapping protection function. physical-port dither protect The port flapping protection function is enabled by default. 1.6.4 Configuring Port Errdisable Recovery 1. Overview Some protocols support the port errdisable recovery function to ensure security and stability of the network. For example, in the port security protocol, when you enable port security and configure the maximum number of security addresses on the port, a port violation event will occur if the number of addresses learned on this port exceeds the maximum number of security addresses.
  • Page 273 Configuration Guide Configuring Ethernet Interface Table 1-2 Ethernet Interface Monitoring Command Purpose Displays all the statuses and configuration information show interfaces [ interface-type interface-number ] of a specified interface. show interfaces [ interface-type interface-number ] Displays the interface status. status show interfaces [ interface-type interface-number ] Displays detailed interface status information.
  • Page 274 Configuration Guide Configuring Ethernet Interface Command Purpose show interfaces usage down Displays the bandwidth usage of an interface. show interfaces interface-type interface-number usage Displays the status and statistics of the member ports show mgmt virtual of a virtual MGMT port. show interfaces [ interface-type interface-number ] Displays the basic information about the optical...
  • Page 275 Configuration Guide Configuring Ethernet Interface two SVIs. • Enable interface index persistence on the two devices. • Enable the link trap function on the two devices. • Configure the interface administrative status on the two devices. 4. Procedure Configure as follows on Device A. DeviceA>...
  • Page 276 Configuration Guide Configuring Ethernet Interface Carrier delay is 2 sec Rxload is 1/255, Txload is 1/255 Queue Transmitted packets Transmitted bytes Dropped packets Dropped bytes Switchport attributes: interface's description:"" lastchange time:0 Day:20 Hour:15 Minute:22 Second Priority is 0 admin medium-type is Copper, oper medium-type is Copper admin duplex mode is AUTO, oper duplex is Unknown admin speed is AUTO, oper speed is Unknown...
  • Page 277 Configuration Guide Configuring Ethernet Interface Hardware is GigabitEthernet Interface address is: no ip address, address is 00d0.f865.de9b (bia 00d0.f865.de9b) MTU 1500 bytes, BW 1000000 Kbit Encapsulation protocol is Bridge, loopback not set Keepalive interval is 10 sec , set Carrier delay is 2 sec Rxload is 1/255, Txload is 1/255 Queue Transmitted packets...
  • Page 278 Configuration Guide Configuring Ethernet Interface Rxload is 0/255, Txload is 0/255 1.8.2 Configuring Interconnection Interfaces 1. Requirements Interconnect two devices, and configure attributes of the device interfaces. 2. Topology Interconnection Interface Configuration Topology G0/1 Device C G0/2 SVI 1 : 192.168.1.3/24 G0/3 G0/1 G0/1...
  • Page 279 Configuration Guide Configuring Ethernet Interface DeviceB> enable DeviceB# configure terminal DeviceB(config)# interface GigabitEthernet 0/1 DeviceB(config-if-GigabitEthernet 0/1)# switchport mode trunk DeviceB(config-if-GigabitEthernet 0/1)# exit DeviceB(config)# interface GigabitEthernet 0/2 DeviceB(config-if-GigabitEthernet 0/2)# switchport mode trunk DeviceB(config-if-GigabitEthernet 0/2)# exit DeviceB(config)# interface vlan 1 DeviceB(config-if-VLAN 1)# ip address 192.168.1.2 255.255.255.0 DeviceB(config-if-VLAN 1)# exit DeviceB(config)# interface GigabitEthernet 0/3 DeviceB(config-if-GigabitEthernet 0/3)# no switchport...
  • Page 280 Configuration Guide Configuring Ethernet Interface DeviceA# show interfaces gigabitEthernet 0/1 Index(dec):1 (hex):1 GigabitEthernet 0/1 is UP , line protocol is UP Hardware is GigabitEthernet, address is 00d0.f865.de90 (bia 00d0.f865.de90) Interface address is: no ip address MTU 1500 bytes, BW 100000 Kbit Encapsulation protocol is Ethernet-II, loopback not set Keepalive interval is 10 sec , set Carrier delay is 2 sec...
  • Page 281 Configuration Guide Configuring Ethernet Interface Admin speed is AUTO, oper speed is 100M Flow control admin status is OFF, flow control oper status is OFF Admin negotiation mode is OFF, oper negotiation state is ON Storm Control: Broadcast is OFF, Multicast is OFF, Unicast is OFF Bridge attributes: Port-type: trunk Native vlan: 1...
  • Page 282 Configuration Guide Configuring Ethernet Interface DeviceD# show interfaces gigabitEthernet 0/1 Index(dec):1 (hex):1 GigabitEthernet 0/1 is UP , line protocol is UP Hardware is GigabitEthernet, address is 00d0.f865.de93 (bia 00d0.f865.de93) Interface address is: 192.168.2.1/24 MTU 1500 bytes, BW 100000 Kbit Encapsulation protocol is Ethernet-II, loopback not set Keepalive interval is 10 sec , set Carrier delay is 2 sec Ethernet attributes:...
  • Page 283 Configuration Guide Contents Contents 1 Configuring Aggregate Port; 1.1 Introduction; 1.1.1 Basic Concepts; 1.1.2 Load Balancing; 1.1.3 Member Port BFD Detection; 1.1.4 Protocols and Standards; 1.2 Configuration Task Summary; 1.3 Configuring Static APs...
  • Page 284 Configuration Guide Contents 1.7 Configuring an AP Capacity Mode; 1.7.1 Overview; 1.7.2 Restrictions and Guidelines; 1.7.3 Procedure; 1.8 Enabling BFD for AP Member Ports; 1.8.1 Overview; 1.8.2 Restrictions and Guidelines; 1.8.3 Procedure...
  • Page 285 Configuration Guide Contents 1.12.7 Enabling BFD for Member Ports; 1.12.8 Configuring Interworking Between the Access Device and a Server with Two NICs over a Preferred LACP AP; 1.12.9 Configuring Automatic Server Deployment over a Preferred LACP AP; 1.12.10 Configuring the Minimum Number of AP Member Ports (When the Number of AP Member Ports Is Less Than the Minimum Number)...
  • Page 286 Configuration Guide Configuring Aggregate Port Configuring Aggregate Port Introduction An aggregate port (AP) is used to bundle multiple physical links into one logical link to increase the link bandwidth and improve connection reliability. 1.1.1 Basic Concepts An AP supports load balancing, that is, distributes load evenly among member links. Besides, an AP realizes link backup.
  • Page 287 Configuration Guide Configuring Aggregate Port After link aggregation, the LACP AP member ports periodically exchange LACPDUs. When a port does not receive an LACPDU in the specified time, a timeout occurs and the links are unbundled. In this case, the member ports cannot forward packets.
  • Page 288 Configuration Guide Configuring Aggregate Port • When a member port is Up and the link protocol is ready, the port can forward packets. The Up state is displayed. LACP AP member ports have the following three states: • When the link of a port is Down, the port cannot forward packets. The Down state is displayed. • ...
  • Page 289 Configuration Guide Configuring Aggregate Port 8. LACP Port ID Each port has an independent LACP port priority, which is a configurable value. The port ID consists of the LACP port priority and port number. A smaller port priority indicates a higher priority of the port ID. If the port priorities are the same, a smaller port number indicates a higher priority of the port ID.
  • Page 290 Configuration Guide Configuring Aggregate Port • Source IP address + destination IP address • L4 source port number or L4 destination port number • L4 source port number + L4 destination port number • Source IP address + L4 source port number • ...
  • Page 291 MPLS L2 VPN packets. 2. Hash Load Balancing Control Hash load balancing enables users to flexibly control load balancing in different scenarios. Currently, Ruijie adopts the following hash load balancing control functions: Hash disturbance factor: Traffic over APs is hashed for balancing. For two devices of the same type, the same path is calculated for load balancing for the same stream.
  • Page 292 Configuration Guide Configuring Aggregate Port 1.1.3 Member Port BFD Detection Bidirectional Forwarding Detection (BFD) is a protocol that delivers fast detection of path failures. According to RFC7130, LACP takes 3s to detect link failures even in short timeout mode. All the packets sent to the faulty link during the 3-second period will be dropped.
  • Page 293 Configuration Guide Configuring Aggregate Port • After a port is added to an AP, the attributes of the port are replaced by those of the AP. • After a port is removed from an AP, the attributes that the port had before it was added to the AP are restored. • ...
  • Page 294 Configuration Guide Configuring Aggregate Port Perform this configuration on an AP-enabled device. When an Ethernet port needs the aggregation function, create the corresponding Ethernet AP. No AP is configured by default. Enter the interface configuration mode. interface interface-type interface-number Configure static AP member ports. port-group ap-number Perform this configuration on AP-enabled devices....
  • Page 295 Configuration Guide Configuring Aggregate Port 1.4.3 Procedure Enter the privileged EXEC mode. enable Enter the global configuration mode. configure terminal Enter the interface configuration mode. interface interface-type interface-number Configure LACP AP member ports. port-group key-number mode { active | passive } By default, the Ethernet physical port does not belong to any LACP AP. (Optional) Configure the LACP system ID....
  • Page 296 Configuration Guide Configuring Aggregate Port Enabling LinkTrap 1.5.1 Overview Enable the system with LinkTrap to send LinkTrap messages when aggregation links are changed. 1.5.2 Procedure Enter the privileged EXEC mode. enable Enter the global configuration mode. configure terminal Enter the AP interface configuration mode. interface Aggregateport ap-interface-number (Optional) Configure the LinkTrap function of an AP.
  • Page 297 Configuration Guide Configuring Aggregate Port • The flexible hash function can be configured in global configuration mode or interface configuration mode of a specific AP. 1.6.3 Procedure Enter the privileged EXEC mode. enable Enter the global configuration mode. configure terminal (Optional) Configure the global load balancing algorithm of an AP....
  • Page 298 Configuration Guide Configuring Aggregate Port trill field dst-mac egr-nick ing-nick l2-etype src-mac src-port Perform this configuration to specify the load balancing mode of TRILL packets. The load balancing mode of TRILL packets is a combination of src-mac, dst-mac, and vlan by default. (10) (Optional) Configure the load balancing mode of FCoE packets.
  • Page 299 Configuration Guide Configuring Aggregate Port 1.7.2 Restrictions and Guidelines • The system has a default AP capacity mode. You can run show aggregateport capacity to display the current capacity mode. • If the current configuration (maximum number of APs or the number of member ports in each AP) exceeds the capacity to be configured, the capacity mode configuration will fail....
  • Page 300 Configuration Guide Configuring Aggregate Port configure terminal (Optional) Configure BFD for AP member ports. aggregate bfd-detect { ipv4 source-ipv4-address destination-ipv4-address | ipv6 source-ipv6-address destination-ipv6-address } Enable BFD when you need to detect path failure on member ports in milliseconds. The flow on the faulty member port will be switched to other member ports in case of link failure....
  • Page 301 Configuration Guide Configuring Aggregate Port Perform this configuration to specify the minimum number of the member ports of an AP aggregation group. The minimum number of member ports of an AP is 1 by default. (Optional) Configure the action triggered when the number of AP member ports is smaller than the minimum value.
  • Page 302 Configuration Guide Configuring Aggregate Port Perform this operation so that an LACP AP member port can forward packets normally when the LACP AP member port cannot perform LACP negotiation. The LACP independent port function is disabled by default. (Optional) Configure the timeout period of an LACP independent port. lacp individual-timeout period time Run this command to adjust the timeout period of an LACP independent port.
  • Page 303 Configuration Guide Configuring Aggregate Port Command Purpose debug lacp { cache-database ef-packet thread netconf pkt-agent Debugs LACP. pkt-statis pkt-thread packet | event | ha | realtime | stm | timer | all } 1.12 Configuration Examples 1.12.1 Configuring Static APs Requirements Create AP interconnection for two devices on the IPv4 network, and configure static APs.
  • Page 304 Configuration Guide Configuring Aggregate Port AggregatePort MaxPorts SwitchPort Mode Ports ------------- -------- ---------- ------ ----------------------------------- Enabled ACCESS Gi0/1,Gi0/2 DeviceB# show aggregateport summary AggregatePort MaxPorts SwitchPort Mode Ports ------------- -------- ---------- ------ ----------------------------------- Enabled ACCESS Gi0/1,Gi0/2 6. Configuration Files • Device A configuration file interface GigabitEthernet 0/1 port-group 3 interface GigabitEthernet 0/2...
  • Page 305 Configuration Guide Configuring Aggregate Port Notes • On Device A, set the LACP system priority to 4096. • Enable dynamic link aggregation on the GigabitEthernet0/1 and GigabitEthernet0/2 ports on Device A and add the ports to LACP AP 3. • On Device B, set the LACP system priority to 61440....
  • Page 306 Configuration Guide Configuring Aggregate Port DeviceB # show LACP summary 3 SystemId:32768,00d0.f8fb.0002 Flags: S - Device is requesting Slow LACPDUs F - Device is requesting Fast LACPDUs. A - Device is in active mode. P - Device is in passive mode. Aggregate port 3: Local information: LACP port...
  • Page 307 Configuration Guide Configuring Aggregate Port 1.12.3 Enabling LinkTrap Requirements On the IPv4 network, create AP interconnection for two devices, configure static APs, and enable LinkTrap. Topology Figure 1-4 Topology for Enabling LinkTrap G2/1 G1/1 G2/2 G1/2 Device B Device A Notes • ...
  • Page 308 Configuration Guide Configuring Aggregate Port no snmp trap link-status DeviceA# show run | include AggregatePort aggregateport member linktrap DeviceB# show run | include AggregatePort 3 Building configuration... Current configuration: 54 bytes interface AggregatePort 3 no snmp trap link-status DeviceB# show run | include AggregatePort aggregateport member linktrap 6.
  • Page 309 Configuration Guide Configuring Aggregate Port Topology Figure 1-5 Topology for Configuring a Load Balancing Mode Topology Notes • Add the GigabitEthernet 0/1 and GigabitEthernet 0/2 ports on Device A to static AP 3. • Add the GigabitEthernet 0/1 and GigabitEthernet 0/2 ports on Device B to static AP 3. • ...
  • Page 310 Configuration Guide Configuring Aggregate Port interface GigabitEthernet 0/2 port-group 3 interface AggregatePort 3 aggregateport load-balance src-mac • Device B configuration file interface GigabitEthernet 0/1 port-group 3 interface GigabitEthernet 0/2 port-group 3 interface AggregatePort 3 aggregateport load-balance dst-mac Common Errors A user configures the factors ipv4, ipv6, fcoe, and on for enabling hash synchronization. However, no configuration is displayed when the user runs show running....
  • Page 311 Configuration Guide Configuring Aggregate Port • On Device A, configure the hash disturbance factor A. • On Device B, configure the hash disturbance factor B. Procedure Perform the following configuration on Device A: DeviceA# configure terminal DeviceA(config)# interface range GigabitEthernet 0/1-2 DeviceA(config-if-range)# port-group 3 DeviceA(config-if-range)# exit DeviceA(config)# load-balance-profile default...
  • Page 312 Configuration Guide Configuring Aggregate Port interface GigabitEthernet 0/1 port-group 3 interface GigabitEthernet 0/2 port-group 3 Common Errors A user configures the factors ipv4, ipv6, and fcoe for enabling hash synchronization. However, no configuration is displayed when the user runs show running. This is because hash synchronization is enabled for some products by default.
  • Page 313 Configuration Guide Configuring Aggregate Port DeviceB(config)# aggregateport capacity mode 16*64 Verification Run show aggregateport capacity to check the AP capacity mode configuration. DeviceA# show aggregatePort capacity AggregatePort Capacity Information: Configuration Capacity Mode: 128*8. Effective Capacity Mode : 128*8. Available Capacity Mode : 128*8....
  • Page 314 Configuration Guide Configuring Aggregate Port Topology Figure 1-8 Topology for Enabling BFD for AP Member Ports Notes • Enable LACP for the GigabitEthernet 0/1 and GigabitEthernet 0/2 ports on Device A and add the ports to LACP AP 3. • Enable LACP for the GigabitEthernet 0/1 and GigabitEthernet 0/2 ports on Device B and add the ports to LACP AP 3....
  • Page 315 Configuration Guide Configuring Aggregate Port Current configuration: 54 bytes interface AggregatePort 3 no switchport ip address 1.0.0.1 255.255.255.0 aggregate bfd-detect ipv4 1.0.0.1 1.0.0.2 bfd interval 50 min_rx 50 multiplier 3 DeviceA# show interface aggregateport 3 … Aggregate Port Informations: Aggregate Number: 3 Name: "AggregatePort 3...
  • Page 316 Configuration Guide Configuring Aggregate Port port-group 3 mode active interface AggregatePort 3 no switchport aggregate bfd-detect ipv4 1.0.0.1 1.0.0.2 ip address 1.0.0.1 255.255.255.0 bfd interval 50 min_rx 50 multiplier 3 • Device B configuration file interface GigabitEthernet 0/1 no switchport port-group 3 mode active interface GigabitEthernet 0/2 no switchport...
  • Page 317 Configuration Guide Configuring Aggregate Port Topology Figure 1-9 Topology for Configuring Interworking Between the Access Device and a Server with Two NICs over a Preferred LACP AP NIC 2 Remote NIC 1 Access Server device Network device Notes • Enable LACP for the GigabitEthernet 0/1 and GigabitEthernet 0/2 ports on the access device and add the ports to LACP AP 3....
  • Page 318 Configuration Guide Configuring Aggregate Port Current configuration: 54 bytes interface GigabitEthernet 0/1 aggregateport primary-port portgroup 3 mode active DeviceA# show interface aggregateport 3 … Aggregate Port Informations: Aggregate Number: 3 Name: "AggregatePort 3" Members: (count=2) Primary Port: GigabitEthernet 0/1 GigabitEthernet 0/1 Link Status: Up Lacp Status: bndl GigabitEthernet 0/2...
  • Page 319 Configuration Guide Configuring Aggregate Port Notes • Enable LACP for the GigabitEthernet 0/1 and GigabitEthernet 0/2 ports on Device A and add the ports to LACP AP 3. • Configure GigabitEthernet 0/1 on Device A as the preferred port. Procedure Create LACP AP 3....
  • Page 320 Configuration Guide Configuring Aggregate Port interface AggregatePort 3 1.12.10 Configuring the Minimum Number of AP Member Ports (When the Number of AP Member Ports Is Less Than the Minimum Number) Requirements On the IPv4 network, create AP interconnection for two devices, and configure a number of AP member ports less than the minimum number of AP Member ports.
  • Page 321 Configuration Guide Configuring Aggregate Port Verification Run show run to check whether the configuration is correct. Run show lacp summary to view the aggregation state of each AP member port. DeviceA# show LACP summary 3 System Id:32768, 00d0.f8fb.0001 Flags: S - Device is requesting Slow LACPDUs F - Device is requesting Fast LACPDUs. A - Device is in active mode....
  • Page 322 Configuration Guide Configuring Aggregate Port interface AggregatePort 3 no switchport aggregateport member minimum 3 1.12.11 Configuring the Minimum Number of AP Member Ports (When the Number of AP Member Ports Is Not Less Than the Minimum Number) Requirements On the IPv4 network, create AP interconnection for two devices, and configure the number of AP member ports not less than the minimum number of AP Member ports.
  • Page 323 Configuration Guide Configuring Aggregate Port DeviceB(config-if-Aggregateport 3)# aggregateport member minimum 2 Verification Run show run to check whether the configuration is correct. Run show lacp summary to view the aggregation state of each AP member port. DeviceA# show LACP summary 3 System Id:32768,00d0.f8fb.0001 Flags: S - Device is requesting Slow LACPDUs F - Device is requesting Fast LACPDUs. A - Device is in active mode....
  • Page 324 Configuration Guide Configuring Aggregate Port interface GigabitEthernet 0/1 no switchport port-group 3 mode active interface GigabitEthernet 0/2 no switchport port-group 3 mode active interface GigabitEthernet 0/3 no switchport port-group 3 mode active interface AggregatePort 3 no switchport aggregateport member minimum 2 1.12.12 Enabling the LACP Independent Port Function Requirements...
  • Page 325 Configuration Guide Configuring Aggregate Port Procedure Create an AP on Device A. DeviceA# configure terminal DeviceA(config)# interface range GigabitEthernet 0/1-2 DeviceA(config-if-range)# port-group 3 mode active DeviceA(config-if-range)# lacp individual-port enable DeviceA(config-if-range)# exit DeviceA(config)# interface aggregateport 3 DeviceA(config-if-Aggregateport 3)# switch access vlan 10 Verification Run show run to check whether the configuration is correct....
  • Page 326 Configuration Guide Contents Contents 1 Configuring PoE; 1.1 Introduction; 1.1.1 Basic Concepts; 1.1.2 Power Supply Management for the PoE System; 1.1.3 Power Supply Management for PoE Ports; 1.1.4 Auxiliary PoE Power Supply Functions; 1.1.5 LLDP Classification...
  • Page 327 Configuration Guide Contents 1.6 Configuring LLDP Classification; 1.6.1 Overview; 1.6.2 Restrictions and Guidelines; 1.6.3 Procedure; 1.7 Configuring MCU Firmware Upgrade; 1.7.1 Overview; 1.7.2 Restrictions and Guidelines; 1.7.3 Procedure...
  • Page 328 PoE power supplies power the entire PoE system and are classified into external and internal power supplies. The box-type PoE devices of Ruijie are usually equipped with internal power supplies. Some products also support external power supplies. An external power supply is called a redundant power supply (RPS).
  • Page 329 PoE devices in the industry usually follow the IEEE 802.3af and 802.3at standards. In practice there are many types of PDs, and some PoE devices inevitably do not comply with the standards. For this reason, Ruijie devices provide PoE-compatible commands to support non-standard PoE devices....
  • Page 330 Configuration Guide Configuring PoE port is still greater than the maximum power for 10 seconds, the port will be powered off again. This process repeats constantly. 1.1.4 Auxiliary PoE Power Supply Functions The PoE standard MIB (RFC3621) provides pethMainPseUsageThreshold to set the power alarm threshold of the system.
  • Page 331 Configuration Guide Configuring PoE Since the cable loss needs to be deducted from the power provided by the PSE, the allocated power is slightly higher than the maximum power requested by the PD. This function is enabled by default and takes effect only in auto mode.
  • Page 332 Configuration Guide Configuring PoE cause burning of peer devices due to incorrect power-on. Therefore, you need to run this command when PDs are connected to ports. 1.3.3 Procedure Enter the privileged EXEC mode. enable Enter the global configuration mode. configure terminal (3) Configure the power supply management mode.
  • Page 333 Configuration Guide Configuring PoE 1.4.2 Restrictions and Guidelines • If you run the interface range command to configure the PoE function for ports in batches, the enabling or disabling of the PoE function for a port may affect the global power supply management because the range command is configured for ports one after another....
  • Page 334 Configuration Guide Configuring PoE Configuring Auxiliary PoE Power Supply Functions 1.5.1 Overview • Configure warning-power to display a warning when the power used by the system exceeds the alarm threshold. • Configure notification-control to control whether the system sends trap notifications in case of power change and port power-on/off....
  • Page 335 Configuration Guide Configuring PoE Configuring LLDP Classification 1.6.1 Overview • Configure class-lldp to support power supply and power negotiation through LLDP between a PoE device and PDs. 1.6.2 Restrictions and Guidelines • The system switches to the energy-saving mode. Enable the LLDP classification function in global configuration mode and verify that there is no max-power configuration on the port....
  • Page 336 Configuration Guide Configuring PoE (3) Upgrade the MCU. upgrade poe tmp:filename Monitoring This section describes the show commands used for checking the running status of a configured function to verify the configuration effect. Table 1-2 PoE Monitoring Command Purpose show poe interface Displays the PoE configuration and status of a specified port.
  • Page 337 Configuration Guide Configuring PoE DeviceA# show poe powersupply Device member Power management : energy-saving PSE total power : 125.0 W PSE total power consumption : 15.0 W PSE available power : 125.0 W PSE total remain power : 110.0 W PSE peak power : 15.0 W PSE average power...
  • Page 338 Configuration Guide Configuring PoE Max power : 15.4W Current power : 14.8 W Average power : 14.8 W Peak power : 14.8 W LLDP requested power : N/A LLDP allocated power : N/A Voltage : 53.5 V Current : 278 mA PD class Trouble cause : None...
  • Page 339 Configuration Guide Configuring PoE Procedure Perform the following configuration on Device A: DeviceA> enable DeviceA# configure terminal DeviceA(config)# poe class-lldp enable Verification Run the show poe interface gigabitEthernet command to check whether the load balancing algorithm configured for the AP is correct. DeviceA# show poe interface gigabitEthernet 0/1 Interface : gi0/1...
  • Page 340 Ethernet Switching Configuration Configuring MAC Address Configuring MAC Loopback Configuring VLAN Configuring MAC VLAN Configuring Protocol VLAN Configuring Private VLAN Configuring Super VLAN Configuring Voice VLAN Configuring GVRP Configuring QinQ Configuring MSTP Configuring ERPS Configuring LLDP...
  • Page 341 Configuration Guide Contents: 1 Configuring MAC Address, p. 1; 1.1 Introduction, p. 1; 1.1.1 MAC Address Table, p. 1; 1.1.2 Classification of MAC Address Entries, p. 1; 1.1.3 Generation of MAC Address Entries, p. 1; 1.1.4 Update and Aging of MAC Address Entries, p. 3; 1.1.5 Protocols and Standards ...
  • Page 342 Configuration Guide Contents: 1.7 Configuring Aging Time of Dynamic MAC Address Entries, p. 7; 1.8 Enabling MAC Address Flapping Detection and Protection, p. 8; 1.8.1 Overview, p. 8; 1.8.2 Procedure, p. 8; 1.9 Configuring Reporting Interval of MAC Address Table Usage Alarms and MAC Address Table Usage Threshold ...
  • Page 343 Configuration Guide Configuring MAC Address Configuring MAC Address Introduction A Media Access Control (MAC) address is used to identify the position of a device in a network. Generally, a MAC address consists of 12 hexadecimal digits and contains a total of 48 bits (six bytes). The first 24 bits are applied for by vendors from the Internet Engineering Task Force (IETF) and are used to identify a network device manufacturer.
  • Page 344 Configuration Guide Configuring MAC Address 1. Automatic learning A device automatically generates a MAC address entry based on the source MAC address in a received packet. The learning procedure is as follows: (1) Initially, the MAC address table of Device A is empty. To send a packet to User C, User A sends the packet to the interface GigabitEthernet 0/1 of Device A.
  • Page 345 Configuration Guide Configuring MAC Address Figure 1-2 Automatically Learning MAC Address Entry II MAC Address Type Interface MAC A Dynamic G0/1 MAC C Dynamic G0/3 User C MAC C G0/1 User A Device A MAC A User B MAC B 2.
  • Page 346 Configuration Guide Configuring MAC Address Configuration Task Summary All the following configuration tasks are optional and may be selected as needed. • Configuring Static MAC Address Entries • Configuring Filtering MAC Address Entries • Disabling Dynamic MAC Address Learning ○ Disabling MAC Address Learning in Global Configuration Mode ○...
  • Page 347 Configuration Guide Configuring MAC Address Configuring Filtering MAC Address Entries 1.4.1 Overview To prohibit a user from sending and receiving packets in certain scenarios, you can add the MAC address of the user to a filtering MAC address entry. After the entry is configured, packets whose source or destination MAC address matches the MAC address in the filtering MAC address entry are directly discarded.
  • Page 348 Configuration Guide Configuring MAC Address 1.5.3 Disabling MAC Address Learning for an Interface 1. Overview If MAC address learning is enabled in global configuration mode, you can disable this function for a specific interface. 2. Restrictions and Guidelines • If 802.1X, IP Source Guard, or the port security function is configured on an interface, MAC address learning must be disabled for this interface.
  • Page 349 Configuration Guide Configuring MAC Address 1.6.2 Configuring Upper Limit of MAC Addresses Learned from an Interface 1. Overview You can configure the upper limit of MAC addresses learned from an interface and the packet forwarding rule to be used after the number of learned MAC addresses reaches the upper limit. 2.
  • Page 350 Configuration Guide Configuring MAC Address (2) Enter the global configuration mode. configure terminal (3) Configure the aging time of dynamic MAC addresses. mac-address-table aging-time time The aging time of dynamic MAC addresses is 300s by default. Enabling MAC Address Flapping Detection and Protection 1.8.1 Overview If a MAC address is learned from different interfaces in the same VLAN, MAC address flapping occurs.
  • Page 351 Configuration Guide Configuring MAC Address Configuring Reporting Interval of MAC Address Table Usage Alarms and MAC Address Table Usage Threshold 1.9.1 Overview When the usage of a MAC address table of a device exceeds the upper or lower limit, the device reports an alarm message.
  • Page 352 Configuration Guide Configuring MAC Address Figure 1-3 Application Scenario of the Function of MAC Address Entry Change Notification Administrator SNMP Trap User Device User As shown in Figure 1-3, when the device generates a notification for an added MAC address, a new user identified by the MAC address starts to use the network.
  • Page 353 Configuration Guide Configuring MAC Address mac-address-table notification interval interval The device sends MAC address entry change notifications at an interval of 1s by default. (7) (Optional) Configure the size of a history table for MAC address entry change notifications. mac-address-table notification history-size size The size of the history table for MAC address entry change notifications is 50 by default.
  • Page 354 Configuration Guide Configuring MAC Address show mac-address-table all Displays all types of addresses. show mac-address-table aging-time Displays the aging time for dynamic MAC addresses. show mac-address-table Displays the maximum number of dynamic MAC max-dynamic-mac-count addresses. show mac-address-table notification [ interface Displays the configurations and history table for MAC interface-type interface-number ] | history ]...
  • Page 355 Configuration Guide Configuring MAC Address Configure a protection policy to disable GigabitEthernet 0/1 upon MAC address flapping and set the priority of this interface to 5. DeviceA(config)# interface gigabitethernet 0/1 DeviceA(config-if-GigabitEthernet 0/1)# mac-address-table flapping action error-down DeviceA(config-if-GigabitEthernet 0/1)# mac-address-table flapping action priority 5 DeviceA(config-if-GigabitEthernet 0/1)# exit Configure a protection policy to disable GigabitEthernet 0/2 upon MAC address flapping and set the priority of...
  • Page 356 Configuration Guide Configuring MAC Address interface gigabitEthernet 0/2 mac-address-table flapping action error-down mac-address-table flapping action priority 1 1.12.2 Configuring the Function of MAC Address Change Notification 1. Requirements As shown in Figure 1-5, Device A is connected to devices of User A, User B, and User C, so that Device A records new MAC address entries learned from GigabitEthernet 0/1 and aged MAC address entries, sends MAC address entry change notifications to the specified NMS in SNMP Trap messages, and does not generate massive MAC address change information in a short time to prevent overusing network resources.
  • Page 357 Configuration Guide Configuring MAC Address Enable the function of MAC address entry change notification on GigabitEthernet 0/1 and enable the function of sending Trap messages upon MAC address addition or deletion. DeviceA(config)# interface gigabitethernet 0/1 DeviceA(config-if-GigabitEthernet 0/1)# snmp trap mac-notification added DeviceA(config-if-GigabitEthernet 0/1)# snmp trap mac-notification removed Set the SNMP host address to 192.168.1.1, SNMP version to SNMP v1 and community string to 123 to actively send MAC address Trap messages.
  • Page 358 Configuration Guide Configuring MAC Address snmp-server host 192.168.1.10 traps version 2c 7 $10$135$2c+O$ mac-notification snmp-server enable traps...
  • Page 359 Configuration Guide Contents: 1 Configuring MAC Loopback, p. 1; 1.1 Introduction, p. 1; 1.1.1 Overview, p. 1; 1.1.2 Principles, p. 1; 1.2 Configuring Basic Features, p. 1; 1.2.1 Overview, p. 1; 1.2.2 Procedure, p. 1; 1.3 Monitoring, p. 2...
  • Page 360 Configuration Guide Configuring MAC Loopback Configuring MAC Loopback Introduction 1.1.1 Overview Media Access Control (MAC) loopback refers to a case in which packets sent from a local end are transferred internally in the system and returned to the local end for interface self-loop. MAC loopback can be used to determine whether an Ethernet interface is faulty.
  • Page 361 Configuration Guide Configuring MAC Loopback interface ethernet-type interface-number ○ Enter the Layer 3 Ethernet interface configuration mode. interface ethernet-type interface-number (4) Configure an interface as a loopback interface, and enable MAC loopback on the interface. mac-loopback MAC loopback is disabled for an interface by default. (5) Disable MAC loopback after the test.
  • Page 362 Configuration Guide Contents: 1 Configuring VLAN, p. 1; 1.1 Introduction, p. 1; 1.1.1 Overview, p. 1; 1.1.2 Background and Functions, p. 1; 1.1.3 Frame Format, p. 2; 1.1.4 Port Types and Link Types, p. 2; 1.1.5 VLAN Frame Processing Rules, p. 3; 1.1.6 Intra-VLAN Communication on One Device ...
  • Page 363 Configuration Guide Contents: 1.4.4 Configuring VLAN Names, p. 17; 1.4.5 Configuring SVIs, p. 17; 1.5 Configuring Access Ports, p. 18; 1.5.1 Overview, p. 18; 1.5.2 Restrictions and Guidelines, p. 18; 1.5.3 Procedure (Interface Configuration Mode), p. 18; 1.5.4 Procedure (VLAN Configuration Mode), p. 19; 1.6 Configuring Trunk Ports ...
  • Page 364 Configuration Guide Configuring VLAN Configuring VLAN Introduction 1.1.1 Overview A virtual local area network (VLAN) is a logical network created by dividing a physical network. Every VLAN has an independent broadcast domain, and different VLANs are isolated in Layer 2. Devices on different VLANs can implement communication through Layer 3 devices or Layer 3 interfaces.
  • Page 365 Configuration Guide Configuring VLAN To realize Layer 3 communication between VLANs, a virtual interface is developed for a Layer 3 switch, based on the concept of router subinterfaces. The virtual interface is referred to as Switch Virtual Interface (SVI). In a Layer 3 switch, you can create an SVI and an SVI IP address for each VLAN. The SVI functions as a VLAN gateway to implement Layer 3 communication between VLANs.
  • Page 366 Configuration Guide Configuring VLAN Port Type Function A trunk port carries traffic for one native VLAN and multiple allowed VLANs. The frames Trunk forwarded by the trunk port from the native VLAN do not carry tags and the frames forwarded by the trunk port from allowed VLANs carry tags.
  • Page 367 Configuration Guide Configuring VLAN An L2 switch can forward packets only to ports that match allowed VLANs (other than the source port). A Layer 3 switch can determine an egress VLAN by querying the routing table in software and forward packets to a port that allows the egress VLAN.
  • Page 368 Configuration Guide Configuring VLAN Figure 1-2 An Example of Intra-VLAN Communication Within One Device Native VLAN:10 Allowed VLANs:10,20 Device A Device B (2) ARP Packet G0/1 Trunk G0/1 IPv4 Packet G0/2 G0/5 G0/4 G0/6 G0/3 VLAN 10 VLAN 20 VLAN 10 VLAN 20 PC a PC b...
  • Page 369 Configuration Guide Configuring VLAN Figure 1-3 Steps of Intra-VLAN Communication PC a Device A PC b (a MAC) G0/2 G0/3 (b MAC) (1.1.10.2/24) (1.1.10.3/24) ARP Table of PC a --------------------------------------------------------------- VLAN 10 (1) Protocol Address Age(min) Hardware Type Internet 1.1.10.3 None arpa Sends an...
  • Page 370 Configuration Guide Configuring VLAN Figure 1-4 The ARP Request Packet Sent by PC a for Requesting the MAC Address of PC b Device A forwards the ARP request packet. Device A searches for the port that allows VLAN 10, and broadcasts the ARP request to GigabitEthernet 0/1 and GigabitEthernet 0/3 except the source port GigabitEthernet 0/2, as shown in T3 in Figure 1-3.
  • Page 371 Configuration Guide Configuring VLAN Figure 1-6 The IPv4 Packet Sent from PC a to PC b Device A forwards the IPv4 packet. Upon receiving the packet from PC a, Device A refreshes the MAC address table based on the source IP address of PC a, queries the MAC address table and matches the destination MAC address of PC b, and forwards the packet (as shown in Figure...
  • Page 372 Configuration Guide Configuring VLAN Device A forwards the broadcast ARP request packet. As VLAN 10 is not the native VLAN of the trunk port GigabitEthernet 0/1, add a VLAN 10 tag to the packet and send the packet. When the GigabitEthernet 0/1 port of Device B receives the packet, the port finds that the packet carries a VLAN 10 tag and VLAN 10 is an allowed VLAN.
  • Page 373 Configuration Guide Configuring VLAN Figure 1-8 An Example of Inter-VLAN Communication Device A SVI 10 (4) SVI 20 (1.1.10.1/24) (1.1.20.1/24) Device B (4) (4) ARP Packet G0/1 Trunk G0/1 G0/2 IPv4 Packet (4) G0/5 G0/4 G0/6 G0/3 VLAN 10 VLAN 20 VLAN 10 VLAN 20 PC a...
  • Page 374 Configuration Guide Configuring VLAN Steps of inter-VLAN communication are shown in Figure 1-9. Figure 1-9 Steps of Inter-VLAN Communication Device A PC a PC c (g MAC) (a MAC) (c MAC) G0/2 G0/5 (IP 1.1.10.2/24) (IP 1.1.20.5/24) (Gateway 1.1.10.1) (Gateway 1.1.20.1) VLAN 10 VLAN 20 ARP and MAC Address Information of Device A...
  • Page 375 Configuration Guide Configuring VLAN PC a sends an ARP request packet to request the MAC address of the gateway. If PC a does not find the MAC address of the gateway IP address (1.1.10.1) as shown in T0 in Figure 1-9, PC a sends an ARP request packet encapsulated in an Ethernet broadcast frame (as shown in Figure 1-10) to the gateway as shown in T1 in...
  • Page 376 Configuration Guide Configuring VLAN Upon receiving the packet of PC a from GigabitEthernet 0/2 (as shown in Figure 1-12), Device A finds that the packet is untagged. Device A determines that the packet comes from VLAN 10 and updates the MAC address entry of PC a. The destination MAC address (gateway MAC address) is the gateway MAC address of the local device.
  • Page 377 Configuration Guide Configuring VLAN Figure 1-14 ARP Reply Packet Sent by PC c to the Gateway (6) The gateway forwards the IP packet. If Device A finds the MAC address of PC c in the routing table, it replaces the MAC address of PC a with the gateway MAC address and the gateway MAC address with the MAC address of PC c, and forwards the packet of PC a to PC c (as shown in Figure...
  • Page 378 Configuration Guide Configuring VLAN Private VLAN is a technology that can divide an L2 broadcast domain of a VLAN into multiple sub domains, and each sub domain is composed of one private VLAN pair: primary VLAN and secondary VLAN. This technology can increase the number of users that can be supported by an operator network and reduce waste of IP address resources.
  • Page 379 Configuration Guide Configuring VLAN ○ Creating and Configuring VLANs ○ ○ (Optional) Configuring VLAN Names ○ (Optional) Configuring SVIs (3) Configure a port type and add ports to a VLAN. Configure at least one of the following tasks. ○ Configuring Access Ports ○...
  • Page 380 Configuration Guide Configuring VLAN 3. Procedure (1) Enter the privileged EXEC mode. enable (2) Enter the global configuration mode. configure terminal (3) Create a VLAN and enter the VLAN configuration mode. vlan vlan-id Only VLAN 1 exists by default. 1.4.4 Configuring VLAN Names 1.
  • Page 381 Configuration Guide Configuring VLAN • To delete a VLAN with a created SVI, run the no interface vlan interface-number command to delete the SVI and then run the no vlan vlan-id command to delete the VLAN. • To configure an IPv4 address, see Configuring IPv4 Basics. •...
  • Page 382 Configuration Guide Configuring VLAN (3) Enter the interface configuration mode. ○ Enter the Layer 2 Ethernet interface configuration mode. interface { ethernet-type interface-number | range ethernet-type interface-range } ○ Enter the Layer 2 link aggregation configuration mode. interface { aggregateport interface-number | range aggregateport interface-range } (4) Configure the Layer 2 interface as an access port.
  • Page 383 Configuration Guide Configuring VLAN An access port belongs to VLAN 1 by default. Configuring Trunk Ports 1.6.1 Overview A trunk link can transmit traffic of multiple VLANs. To enable a port to transmit traffic of multiple VLANs, you can configure the port as a trunk port. You can configure a Layer 2 Ethernet interface or link aggregation as a trunk port.
  • Page 384 Configuration Guide Configuring VLAN (2) Enter the interface configuration mode. ○ Enter the Layer 2 Ethernet interface configuration mode. interface { ethernet-type interface-number | range ethernet-type interface-range } ○ Enter the Layer 2 link aggregation configuration mode. interface { aggregateport interface-number | range aggregateport interface-range } (3) Configure the L2 interface as a trunk port.
  • Page 385 Configuration Guide Configuring VLAN 1.7.3 Procedure (1) Create a VLAN. Enter the privileged EXEC mode. enable Enter the global configuration mode. configure terminal Create one VLAN or a group of VLANs as the native VLAN and allowed VLANs of the uplink port. vlan { vlan-id | range vlan-range } Only VLAN 1 exists by default.
  • Page 386 Configuration Guide Configuring VLAN 1.8.2 Restrictions and Guidelines • Before you configure the native VLAN and allowed VLANs for a hybrid port, create these VLANs first. • Run the no switchport mode command to restore the Layer 2 interface mode to the default configuration. Run the no switchport hybrid native vlan command to restore the native VLAN of the hybrid port to a...
  • Page 387 Configuration Guide Configuring VLAN Monitoring This section describes the show commands used for checking the running status of a configured function to verify the configuration effect. This section also describes the debug command used for outputting debugging information. Caution System resources are occupied when debugging information is output. Therefore, disable the debugging function immediately after use.
  • Page 388 Configuration Guide Configuring VLAN 2. Topology Figure 1-16 Typical Scenarios SVI 10:192.168.10.1/24 G0/1 SVI 20:192.168.20.1/24 Device D SVI 30:192.168.30.1/24 G0/2 G0/4 G0/3 Trunk G0/1 G0/1 G0/1 Device A Device B Device C G0/2-12 G0/13-24 VLAN 10 VLAN 20 VLAN 30 VLAN 20 G0/1 G0/1...
  • Page 389 Configuration Guide Configuring VLAN DeviceB# configure terminal DeviceB(config)# vlan range 10,20,30 DeviceB(config-vlan-range)# exit Create a VLAN on Device C. DeviceC> enable DeviceC# configure terminal DeviceC(config)# vlan range 20,30 DeviceC(config-vlan-range)# exit (2) Configure IP addresses for the Layer 3 SVIs of the VLANs on Device D. DeviceD(config)# interface vlan 10 DeviceD(config-if-VLAN 10)# ip address 192.168.10.1 255.255.255.0 DeviceD(config-if-VLAN 10)# exit...
  • Page 390 Configuration Guide Configuring VLAN DeviceA(config-if-GigabitEthernet 0/1)# switchport mode trunk DeviceA(config-if-GigabitEthernet 0/1)# switchport trunk native vlan 1 DeviceA(config-if-GigabitEthernet 0/1)# switchport trunk allowed vlan all DeviceA(config-if-GigabitEthernet 0/1)# exit (5) Configure the downlink port of the access device as an access port and add the port to a specified VLAN. The following example configures the downlink port on Device A.
  • Page 391 Configuration Guide Configuring VLAN DeviceD# show interface description Interface Status Administrative Description ---------------------------------------- -------- -------------- ----------- GigabitEthernet 0/2 GigabitEthernet 0/3 GigabitEthernet 0/4 VLAN 10 VLAN 20 VLAN 30 (3) Run the show ip route command on Device D to display the direct route information of SVIs. # Packets whose destination IP address matches 192.168.10.0/24 are forwarded to VLAN 10.
  • Page 392 Configuration Guide Configuring VLAN Host2(config)# interface gigabitethernet 0/1 Host2(config-if-GigabitEthernet 0/1)# no switchport Host2(config-if-GigabitEthernet 0/1)# ip address 192.168.10.2 255.255.255.0 Configure the default gateway of Host 12 in VLAN 10 as 192.168.10.1, the IP address of the interface as 192.168.10.12, and the mask as 255.255.255.0. Host2>...
  • Page 393 Configuration Guide Configuring VLAN Hosts in the same VLAN (for example, VLAN 10) can ping each other. Host2# ping 192.168.10.12 Sending 5, 100-byte ICMP Echoes to 192.168.10.12, timeout is 2 seconds: < press Ctrl+C to break > !!!!! Success rate is 100 percent (5/5), round-trip min/avg/max = 2/2/3 ms. Hosts in different VLANs can also ping each other.
  • Page 394 Configuration Guide Configuring VLAN configuration of Devices B and C, see the Device A configuration procedure. interface GigabitEthernet 0/1 switchport mode trunk interface GigabitEthernet 0/2 switchport switchport mode access switchport access vlan 10 … interface GigabitEthernet 0/12 switchport switchport mode access switchport access vlan 10 interface GigabitEthernet 0/13 switchport...
  • Page 395 Configuration Guide Contents: 1 Configuring MAC VLAN, p. 1; 1.1 Introduction, p. 1; 1.1.1 Overview, p. 1; 1.1.2 Background and Function, p. 1; 1.1.3 Principles, p. 1; 1.1.4 MAC VLAN Rule, p. 2; 1.1.5 Protocols and Standards, p. 3; 1.2 Configuring MAC VLAN ...
  • Page 396 Configuration Guide Configuring MAC VLAN Configuring MAC VLAN Introduction 1.1.1 Overview The media access control (MAC) virtual local area network (VLAN) is a VLAN assignment technology based on MAC addresses. When the physical location of an STA changes and causes a change in the access port of the STA, MAC VLAN can assign the STA to a specified VLAN based on the MAC address of the STA, freeing you from having to reconfigure a VLAN for the STA's current access port.
  • Page 397 Configuration Guide Configuring MAC VLAN If they do not match, the port will match the packet with packet-based VLAN assignment rules of the voice VLAN, subnet-based VLAN and protocol-based VLAN. If the untagged packet matches both the MAC VLAN rule and other packet-based VLAN assignment rules, the packet is redirected to the VLAN specified in the MAC VLAN rule.
  • Page 398 Configuration Guide Configuring MAC VLAN 1.1.5 Protocols and Standards IEEE 802.1Q: IEEE Standard for Local and Metropolitan Area Networks-Virtual Bridged Local Area Networks Configuring MAC VLAN 1.2.1 Overview You can configure a static MAC VLAN entry, create a mapping between a MAC address and a VLAN, and then configure a MAC VLAN on a port so that the MAC VLAN entry takes effect on the port.
  • Page 399 Configuration Guide Configuring MAC VLAN the voice VLAN rule. The packet trust mode of the QoS module is disabled by default. This causes the QoS module to change the priority of all packets to 0, and overwrites the packet priority modified by the MAC VLAN function. Run mls qos trust ip-precedence dscp...
  • Page 400 Configuration Guide Configuring MAC VLAN The allowed untagged VLAN of the hybrid port is VLAN 1 by default. (6) Configure the hybrid port to trust the CoS priority of packets. mls qos trust cos The default trust mode of a port is untrusted. (7) Enable the MAC VLAN function on the port.
  • Page 401 Configuration Guide Configuring MAC VLAN Configuration Examples 1.4.1 Configuring MAC VLAN 1. Requirements A company provides a temporary office space in a meeting room, where public access ports are assigned to VLANs based on the MAC addresses of employees' portable PCs. Employee PCs connected to any port are automatically assigned to their respective department VLANs.
  • Page 402 Configuration Guide Configuring MAC VLAN 4. Procedure (1) Create VLANs. Configure VLAN 100 and VLAN 200 on Device D. DeviceD> enable DeviceD# configure terminal DeviceD(config)# vlan range 100,200 DeviceD(config-vlan-range)# exit Configure VLAN 100 and VLAN 200 on Device C. DeviceC> enable DeviceC# configure terminal DeviceC(config)# vlan range 100,200 DeviceC(config-vlan-range)# exit...
  • Page 403 Configuration Guide Configuring MAC VLAN DeviceA(config)# interface range gigabitethernet 0/2-3 DeviceA(config-if-range)# switchport DeviceA(config-if-range)# switchport mode access DeviceA(config-if-range)# switchport access vlan 100 DeviceA(config-if-range)# end DeviceA# write Add the user ports GigabitEthernet 0/2–3 on Device B to VLAN 200. DeviceB(config)# interface range gigabitethernet 0/2-3 DeviceB(config-if-range)# switchport DeviceB(config-if-range)# switchport mode access DeviceB(config-if-range)# switchport access vlan 200...
  • Page 404 Configuration Guide Configuring MAC VLAN Port-type: hybrid Tagged vlan id: 2-99,101-199,201-4094 Untagged vlan id: 1,100,200 (3) Check static MAC VLAN entries on Device C. DeviceC# show mac-vlan static The following MAC VLAN address exist: S: Static D: Dynamic MAC ADDR MASK VLAN ID PRIO...
  • Page 405 Configuration Guide Configuring MAC VLAN Sending 5, 100-byte ICMP Echoes to 192.168.5.22, timeout is 2 seconds: < press Ctrl+C to break > ..Success rate is 0 percent (0/5). 6. Configuration Files • Device C configuration file vlan range 1,100,200 mac-vlan mac-address 54bf.645c.dd10 vlan 100 priority 1 mac-vlan mac-address 54bf.6450.dd20 mask ffff.ffff.fff0 vlan 200 priority 2 interface GigabitEthernet 0/1...
  • Page 406 Configuration Guide Configuring MAC VLAN interface GigabitEthernet 0/1 switchport switchport mode trunk switchport trunk native vlan 1 switchport trunk allowed vlan only 1-4094 interface GigabitEthernet 0/2 switchport switchport mode trunk switchport trunk native vlan 1 switchport trunk allowed vlan only 1-4094 interface GigabitEthernet 0/3 switchport switchport mode trunk...
  • Page 407 Configuration Guide Contents: 1 Configuring Protocol-based VLAN, p. 1; 1.1 Introduction, p. 1; 1.1.1 Overview, p. 1; 1.1.2 Subnet-based VLAN, p. 1; 1.1.3 Protocol-based VLAN, p. 1; 1.1.4 Principles, p. 1; 1.1.5 Protocols and Standards, p. 2; 1.2 Restrictions and Guidelines, p. 2; 1.3 Configuration Task Summary ...
  • Page 408 Configuration Guide Contents: 1.7.2 Configuring Protocol-based VLANs, p. 11...
  • Page 409 Configuration Guide Configuring Protocol-based VLAN Configuring Protocol-based VLAN Introduction 1.1.1 Overview Protocol-based VLAN is a VLAN technology based on protocol types. When a device receives a packet without a VLAN ID from a port, the device automatically forwards the packet to a VLAN specified in a user-defined rule if the packet matches the user-defined rule.
  • Page 410 Configuration Guide Configuring Protocol-based VLAN A MAC VLAN policy has the highest priority. A packet with the MAC address matching a MAC VLAN rule is assigned to the MAC VLAN specified in the rule. The MAC VLAN policy is unavailable to priority packets.
  • Page 411 Configuration Guide Configuring Protocol-based VLAN 1.4.2 Restrictions and Guidelines • The subnet-based VLAN function takes effect on trunk or hybrid ports only. You must configure a port as a trunk or hybrid port and then run the protocol-vlan ipv4 command to configure the subnet-based VLAN function.
  • Page 412 Configuration Guide Configuring Protocol-based VLAN switchport trunk allowed vlan vlan-list | remove vlan-list | except vlan-list | only vlan-list } The default allowed VLANs of the trunk port are VLANs 1 to 4094. ○ Configure an allowed VLAN list for the hybrid port. switchport hybrid allowed vlan tagged vlan-list | [...
  • Page 413 Configuration Guide Configuring Protocol-based VLAN (0x0806), CFM (0x8902), DECNET-IV (0x6003), DIAGNOSTIC (0x6005), EAPOL (0x888e), FC_ETH, HEX6000 (0x6000), HEX8042 (0x8042), IPv4 (0x0800), IPv6 (0x86DD), IPX (0x8137), LAT (0x6004), LAVC-SCA (0x6007), MAC_IN_MAC (0x88E7), MOP-CONSOLE (0x6002), MOP-DUMP (0x6001), MUMPS (0x6009), NETBIOS (0x8040), SNX-IDP (0x0600), VINES-ECHO (0x0baf), and X-25 (0x0805). •...
  • Page 414 Configuration Guide Configuring Protocol-based VLAN The default allowed VLANs of the hybrid port are untagged VLAN 1 and tagged VLANs 2 to 4094. (6) Configure protocol VLAN rules one by one on the interface so that packets that match the num rule are assigned to the VLAN specified by VLAN vlan-id.
  • Page 415 Configuration Guide Configuring Protocol-based VLAN 2. Topology Figure 1-2 Typical Network Topology of Subnet-based VLANs VLAN 3 VLAN 2 192.168.1.0/24 192.168.2.0/24 Host 11 Device A Hub A G0/1 G0/2 Host 21 G0/3 Office A Hub B Host 22 Host 14 Office B 192.168.2.0/24 and 192.168.1.0/24 3.
  • Page 416 Configuration Guide Configuring Protocol-based VLAN DeviceA(config)# interface gigabitethernet 0/2 DeviceA(config-if-GigabitEthernet 0/2)# switchport DeviceA(config-if-GigabitEthernet 0/2)# switchport access vlan 3 DeviceA(config-if-GigabitEthernet 0/2)# exit (3) Configure GigabitEthernet 0/3 that will run the subnet-based VLAN function as a hybrid port, and allow packets from the subnet-based VLANs to pass. DeviceA(config)# interface gigabitethernet 0/3 DeviceA(config-if-GigabitEthernet 0/3)# switchport DeviceA(config-if-GigabitEthernet 0/3)# switchport mode hybrid...
  • Page 417 Configuration Guide Configuring Protocol-based VLAN Host22(config-if-GigabitEthernet 0/1)# ip address 192.168.2.22/24 Host22(config-if-GigabitEthernet 0/1)# end Set the default gateway address of host 11 in VLAN 3 to 192.168.1.1, and the IP address to 192.168.1.11/24. Host11> enable Host11# configure terminal Host11(config)# ip route 0.0.0.0 0.0.0.0 192.168.1.1 Host11(config)# interface gigabitethernet 0/1 Host11(config-if-GigabitEthernet 0/1)# no switchport Host11(config-if-GigabitEthernet 0/1)# ip address 192.168.1.11/24...
  • Page 418 Configuration Guide Configuring Protocol-based VLAN Configure the IP addresses of the SVI gateways for VLAN 2 and VLAN 3 on device A to implement L3 connection between the VLANs. DeviceA> enable DeviceA# configure terminal DeviceA(config)# interface vlan 2 DeviceA(config-if-VLAN 2)# ip address 192.168.2.1/24 DeviceA(config-if-VLAN 2)# exit DeviceA(config)# interface vlan 3 DeviceA(config-if-VLAN 3)# ip address 192.168.1.1/24...
  • Page 419 Configuration Guide Configuring Protocol-based VLAN • The subnet-based VLAN function is disabled on a port. • Packets match a VLAN assignment policy with a higher priority (for example, MAC VLAN or voice VLAN) on the port, causing the failure of the subnet-based VLAN policy to take effect. 1.7.2 Configuring Protocol-based VLANs 1.
  • Page 420 Configuration Guide Configuring Protocol-based VLAN DeviceA(config)# vlan range 2-3 DeviceA(config-vlan)# exit (2) Configure protocol VLAN rules in global configuration mode. Apply rule 1 to IP packets whose Ethernet type is 0x0800. DeviceA(config)# protocol-vlan profile 1 ether-type 0x0800 Apply rule 2 to IPX packets whose Ethernet type is 0x8137. DeviceA(config)# protocol-vlan profile 2 ether-type 0x8137 (3) Configure ports that connect to servers as access ports and add the ports to different VLANs.
  • Page 421 Configuration Guide Configuring Protocol-based VLAN interface GigabitEthernet 0/1 switchport switchport mode access switchport access vlan 2 interface GigabitEthernet 0/2 switchport switchport mode access switchport access vlan 3 interface GigabitEthernet 0/3 switchport switchport mode hybrid switchport hybrid allowed vlan only tagged 1,4-4094 switchport hybrid allowed vlan add untagged 2-3 protocol-vlan profile 1 vlan 2 protocol-vlan profile 2 vlan 3...
  • Page 422 Configuration Guide Contents: 1 Configuring Private VLAN (p. 1); 1.1 Introduction (p. 1); 1.1.1 Overview (p. 1); 1.1.2 Basic Concepts (p. 1); 1.1.3 Packet Forwarding Rules (p. 3); 1.2 Restrictions and Guidelines (p. 4); 1.3 Configuration Task Summary (p. 5); 1.4 Configuring PVLAN and L2 Association...
  • Page 423 Configuration Guide Contents: 1.7.1 Overview (p. 9); 1.7.2 Restrictions and Guidelines (p. 9); 1.7.3 Prerequisites (p. 9); 1.7.4 Procedure (p. 9); 1.8 Monitoring (p. 9); 1.9 Configuration Examples (p. 10); 1.9.1 Configuring PVLAN Across L2 Devices (p. 10); 1.9.2 Configuring PVLAN on a Single L3 Device (p. 18)...
  • Page 424 Configuration Guide Configuring Private VLAN Configuring Private VLAN Introduction 1.1.1 Overview Carriers want to isolate users so that they can authenticate and charge each user, avoid virus attacks and broadcast storms, and strengthen user security. VLANs are isolated at L2. If each user is assigned a VLAN, the authentication, billing, and security requirements can be met...
  • Page 425 Configuration Guide Configuring Private VLAN Figure 1-1 Logic Diagram of PVLAN [diagram not reproduced; surviving labels: primary VLAN 2 with SVI VLAN 2, Layer 2 association with community and isolated secondary VLANs, allowed VLANs for the trunk port]...
  • Page 426 Configuration Guide Configuring Private VLAN 1.1.3 Packet Forwarding Rules Table 1-1 lists packet forwarding rules between ports in a PVLAN and VLAN tag changes. Table 1-1 Packet Forwarding Rules Between Different Types of Ports and VLAN Tag Changes Input Port Output Port Packet Forwarding Rules and VLAN Tag Changes Promiscuous Port...
  • Page 427 Configuration Guide Configuring Private VLAN Input Port Output Port Packet Forwarding Rules and VLAN Tag Changes public VLAN packet is unchanged. Isolated Trunk Port Unreachable Promiscuous Port Reachable, VLAN tag removed Reachable in the primary VLAN, VLAN tag removed Reachable in the same community VLAN, VLAN tag Community Port removed Unreachable in different community VLANs...
  • Page 428 Configuration Guide Configuring Private VLAN  You can run the show interface switchport command to display the interface type. If the Switchport field corresponding to the interface is enabled, this interface is an L2 interface. If the Switchport field corresponding to the interface is disabled, this interface is an L3 interface. ...
  • Page 429 Configuration Guide Configuring Private VLAN community VLANs. Therefore, each primary VLAN can be associated with one or more community VLANs.  isolated: configures a common VLAN as an isolated VLAN. A Private VLAN has only one isolated VLAN. Therefore, each primary VLAN can be associated with only one isolated VLAN. ...
  • Page 430 Configuration Guide Configuring Private VLAN Configuring an L3 Association for a PVLAN 1.5.1 Overview To enable hosts in a secondary VLAN domain to access an external network, configure an L3 SVI for the primary VLAN, configure an IP address for the SVI, and then configure an L3 association between the primary VLAN and the secondary VLAN on the SVI of the primary VLAN.
  • Page 431 Configuration Guide Configuring Private VLAN you can configure the user port as an isolated port and add the port to an isolated VLAN. If an enterprise has multiple hosts, you can configure the user ports as community ports and add the ports to a community VLAN. The host ports added to an isolated VLAN are isolated ports, and the host ports added to community VLANs are community ports.
  • Page 432 Configuration Guide Configuring Private VLAN Configuring a Promiscuous Port 1.7.1 Overview To enable a port connected to an external network or a server to be accessible to community ports and isolated ports, configure the port as a promiscuous port so that uplink and downlink packets can be normally forwarded. 1.7.2 Restrictions and Guidelines ...
  • Page 433 Configuration Guide Configuring Private VLAN Caution System resources are occupied when debugging information is output. Therefore, disable the debugging function immediately after use. Run the clear commands to clear information. Caution Running the clear commands may lose vital information and thus interrupt services. Table 1-2 Monitoring Command...
  • Page 434 Configuration Guide Configuring Private VLAN If an enterprise has only one host, allocate the host to an isolated VLAN and configure the port connected to the host as the host port of the isolated VLAN, to implement isolation of communication between hosts of different enterprises.
  • Page 435 Configuration Guide Configuring Private VLAN Configure an L2 association between the secondary VLANs (VLAN 100 and VLAN 101) and the primary VLAN 99 on Device A. DeviceA> enable DeviceA# configure terminal DeviceA(config)# vlan 100 DeviceA(config-vlan)# private-vlan community DeviceA(config-vlan)# exit DeviceA(config)# vlan 101 DeviceA(config-vlan)# private-vlan isolated DeviceA(config-vlan)# exit DeviceA(config)# vlan 99...
  • Page 436 Configuration Guide Configuring Private VLAN DeviceA(config-if-GigabitEthernet 0/4)# switchport DeviceA(config-if-GigabitEthernet 0/4)# switchport mode private-vlan host DeviceA(config-if-GigabitEthernet 0/4)# switchport private-vlan host-association 99 101 DeviceA(config-if-GigabitEthernet 0/4)# exit Configure the ports of Device B connected to hosts as host ports and associate the ports with PVLAN pairs to add the ports to the secondary VLANs.
  • Page 437 Configuration Guide Configuring Private VLAN (6) Configure the downlink port GigabitEthernet 0/1 of the gateway as a trunk port and set the native VLAN of this port to the primary VLAN. GW> enable GW# configure terminal GW(config)# interface gigabitethernet 0/1 GW(config-if-GigabitEthernet 0/1)# switchport GW(config-if-GigabitEthernet 0/1)# switchport mode trunk GW(config-if-GigabitEthernet 0/1)# switchport trunk native vlan 99...
  • Page 438 Configuration Guide Configuring Private VLAN Host10# configure terminal Host10(config)# interface gigabitethernet 0/1 Host10(config-if-GigabitEthernet 0/1)# no switchport Host10(config-if-GigabitEthernet 0/1)# ip address 192.168.99.10 255.255.255.0 Configure an IP address and a mask for host 11 in the community VLAN. Host11> enable Host11# configure terminal Host11(config)# interface gigabitethernet 0/1 Host11(config-if-GigabitEthernet 0/1)# no switchport Host11(config-if-GigabitEthernet 0/1)# ip address 192.168.99.11 255.255.255.0...
  • Page 439 Configuration Guide Configuring Private VLAN Hosts in the same community VLAN can communicate with each other even if the PVLAN is configured across devices. Host10# ping 192.168.99.11 Sending 5, 100-byte ICMP Echoes to 192.168.99.11, timeout is 2 seconds: < press Ctrl+C to break > !!!!! Success rate is 100 percent (5/5), round-trip min/avg/max = 2/2/3 ms.
  • Page 440 Configuration Guide Configuring Private VLAN private-vlan community vlan 101 private-vlan isolated interface GigabitEthernet 0/1 switchport switchport mode private-vlan promiscuous switchport private-vlan mapping 99 add 100-101 interface GigabitEthernet 0/2 switchport switchport mode private-vlan host switchport private-vlan host-association 99 100 interface GigabitEthernet 0/3 switchport switchport mode private-vlan host switchport private-vlan host-association 99 100...
  • Page 441 Configuration Guide Configuring Private VLAN switchport switchport mode trunk switchport trunk native vlan 1 switchport trunk allowed vlan only 1-4094 interface GigabitEthernet 0/2 switchport switchport mode private-vlan host switchport private-vlan host-association 99 101 interface GigabitEthernet 0/3 switchport switchport mode private-vlan host switchport private-vlan host-association 99 100 ...
  • Page 442 Configuration Guide Configuring Private VLAN isolated VLAN 30.  Configure the SVI gateway (for example, 192.168.2.1/24) of the PVLAN on L3 device A and configure the mappings between the primary VLAN and the secondary VLANs at Layer 3. Then, all enterprise hosts can communicate with the external network through this gateway address...
  • Page 443 Configuration Guide Configuring Private VLAN DeviceA(config-vlan)# exit DeviceA(config)# vlan 30 DeviceA(config-vlan)# private-vlan isolated DeviceA(config-vlan)# exit DeviceA(config)# vlan 2 DeviceA(config-vlan)# private-vlan primary DeviceA(config-vlan)# private-vlan association 10,20,30 DeviceA(config-vlan)# exit (2) Configure the ports connected to hosts as host ports and associate the ports with the primary VLAN and secondary VLANs to add the ports to the secondary VLANs.
  • Page 444 Configuration Guide Configuring Private VLAN DeviceA(config-if-VLAN 2)# private-vlan mapping 10,20,30 DeviceA(config-if-VLAN 2)# end DeviceA# write 5. Verification (1) Check whether the PVLAN and port configurations are correct. DeviceA# show vlan private-vlan VLAN Type Status Routed Ports Associated VLANs ----- --------- ------- ------- ------------ ------------------- primary active...
  • Page 445 Configuration Guide Configuring Private VLAN Sending 5, 100-byte ICMP Echoes to 192.168.2.21, timeout is 2 seconds: < press Ctrl+C to break > ..Success rate is 0 percent (0/5). Hosts in an isolated VLAN cannot communicate with each other (the specific process is omitted). Hosts in a community VLAN cannot communicate with hosts in an isolated VLAN (the specific process is omitted).
  • Page 446 Configuration Guide Configuring Private VLAN interface GigabitEthernet 0/5 switchport switchport mode private-vlan host switchport private-vlan host-association 2 30 interface GigabitEthernet 0/6 switchport switchport mode private-vlan host switchport private-vlan host-association 2 30 interface GigabitEthernet 0/7 switchport switchport mode private-vlan promiscuous switchport private-vlan mapping 2 add 10,20,30 interface GigabitEthernet 0/8 switchport switchport mode private-vlan promiscuous...
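The PVLAN chapter above states which port pairs may talk (promiscuous to any mapped port, same-community hosts to each other, isolated hosts to no other host). The following is an added example, not code from the Ruijie manual: it parses a configuration written with the commands shown above and derives that Layer 2 reachability, so an isolation design can be checked before deployment. The sample configuration is constructed, and the function names are hypothetical.

```python
import re
from itertools import combinations

# Constructed sample, written in the syntax of the configuration files above.
SAMPLE_CONFIG = """\
vlan 2
 private-vlan primary
 private-vlan association 10,20,30
vlan 10
 private-vlan community
vlan 20
 private-vlan community
vlan 30
 private-vlan isolated
interface GigabitEthernet 0/1
 switchport mode private-vlan host
 switchport private-vlan host-association 2 10
interface GigabitEthernet 0/2
 switchport mode private-vlan host
 switchport private-vlan host-association 2 10
interface GigabitEthernet 0/3
 switchport mode private-vlan host
 switchport private-vlan host-association 2 20
interface GigabitEthernet 0/5
 switchport mode private-vlan host
 switchport private-vlan host-association 2 30
interface GigabitEthernet 0/6
 switchport mode private-vlan host
 switchport private-vlan host-association 2 30
interface GigabitEthernet 0/7
 switchport mode private-vlan promiscuous
 switchport private-vlan mapping 2 add 10,20
"""

def expand(spec):
    """Expand a VLAN list such as '10,20,30' or '100-101' into a set of IDs."""
    vlans = set()
    for part in spec.split(","):
        low, _, high = part.partition("-")
        vlans.update(range(int(low), int(high or low) + 1))
    return vlans

def parse(config):
    """Return (VLAN types, primary -> secondary associations, PVLAN ports)."""
    vlan_type, assoc, ports = {}, {}, {}
    vlan = port = None
    for line in map(str.strip, config.splitlines()):
        if m := re.fullmatch(r"vlan (\d+)", line):
            vlan, port = int(m[1]), None
        elif m := re.fullmatch(r"interface (.+)", line):
            vlan, port = None, ports.setdefault(m[1], {"role": None, "primary": None, "secondary": set()})
        elif vlan is not None:
            if m := re.fullmatch(r"private-vlan (primary|community|isolated)", line):
                vlan_type[vlan] = m[1]
            elif m := re.fullmatch(r"private-vlan association ([\d,-]+)", line):
                assoc.setdefault(vlan, set()).update(expand(m[1]))
        elif port is not None:
            if m := re.fullmatch(r"switchport mode private-vlan (host|promiscuous)", line):
                port["role"] = m[1]
            elif m := re.fullmatch(r"switchport private-vlan host-association (\d+) (\d+)", line):
                port["primary"], port["secondary"] = int(m[1]), {int(m[2])}
            elif m := re.fullmatch(r"switchport private-vlan mapping (\d+) add ([\d,-]+)", line):
                port["primary"], port["secondary"] = int(m[1]), port["secondary"] | expand(m[2])
    # Ports without a PVLAN role or secondary VLAN take no part in the model.
    ports = {n: p for n, p in ports.items() if p["role"] and p["secondary"]}
    return vlan_type, assoc, ports

def reachable(a, b, vlan_type):
    """Layer 2 reachability of two PVLAN ports (routing through an SVI is ignored)."""
    if a["primary"] != b["primary"]:
        return False
    if a["role"] == b["role"] == "promiscuous":
        return True
    if "promiscuous" in (a["role"], b["role"]):
        prom, host = (a, b) if a["role"] == "promiscuous" else (b, a)
        return host["secondary"] <= prom["secondary"]
    # Two host ports: only members of the same community VLAN can talk.
    return a["secondary"] == b["secondary"] and all(
        vlan_type.get(v) == "community" for v in a["secondary"])

def reachability(config):
    """Map every pair of PVLAN ports to True (can talk at Layer 2) or False."""
    vlan_type, _, ports = parse(config)
    return {(a, b): reachable(ports[a], ports[b], vlan_type)
            for a, b in combinations(sorted(ports), 2)}

def audit(config):
    """Report a second isolated VLAN per primary, and host ports with no uplink."""
    vlan_type, assoc, ports = parse(config)
    findings = []
    for primary, secondaries in assoc.items():
        isolated = sorted(v for v in secondaries if vlan_type.get(v) == "isolated")
        if len(isolated) > 1:
            findings.append(f"primary VLAN {primary}: several isolated VLANs {isolated}")
    proms = [p for p in ports.values() if p["role"] == "promiscuous"]
    for name, port in sorted(ports.items()):
        if port["role"] == "host" and not any(reachable(port, q, vlan_type) for q in proms):
            findings.append(f"{name}: no promiscuous port maps its secondary VLAN")
    return findings
```

In the constructed sample the promiscuous port maps only VLANs 10 and 20, so `audit(SAMPLE_CONFIG)` flags the two isolated host ports as cut off from the uplink.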
  • Page 447 Configuration Guide Contents: 1 Configuring Super VLAN (p. 1); 1.1 Introduction (p. 1); 1.1.1 Overview (p. 1); 1.1.2 Background and Function (p. 1); 1.1.3 Principles (p. 3); 1.2 Configuration Task Summary (p. 5); 1.3 Configuring Layer 2 Association for a Super VLAN (p. 6); 1.3.1 Overview...
  • Page 448 Configuration Guide Contents: 1.7 Monitoring (p. 9); 1.8 Configuration Examples (p. 10); 1.8.1 Configuring Super VLAN (p. 10)...
  • Page 449 Configuration Guide Configuring Super VLAN Configuring Super VLAN Introduction 1.1.1 Overview Super virtual local area network (VLAN), also referred to as VLAN aggregation, is a VLAN assignment method. A common VLAN corresponds to a subnet and is used to complete Layer 3 communication with another VLAN based on a gateway IP address.
  • Page 450 Configuration Guide Configuring Super VLAN Subnet mask (/26): 255.255.255.192 = 11111111.11111111.11111111.11000000 Network address obtained by a logical "AND" operation (binary format): 192.168.1.64 = 11000000.10101000.00000001.01000000 Gateway IP address: 192.168.1.65 = 11000000.10101000.00000001.01000001 Subnet-directed broadcast IP address: 192.168.1.127 = 11000000.10101000.00000001.01111111 Host IP addresses: 192.168.1.66 to 192.168.1.126 (44 hosts must be assigned 61 addresses, and therefore 17 addresses are wasted) ...
  • Page 451 Configuration Guide Configuring Super VLAN Each sub VLAN is an independent broadcast domain, and is isolated from other sub VLANs at Layer 2. A sub VLAN belongs to only one super VLAN. No SVI can be created in a sub VLAN, which can contain only physical ports.
  • Page 452 Configuration Guide Configuring Super VLAN (1) The source host determines that the destination host is in the same subnet as the source host but the destination MAC address is unknown. The source host broadcasts an ARP request to request the destination MAC address.
  • Page 453 Configuration Guide Configuring Super VLAN (5) The switch learns the following mapping of the destination host: "IP address – MAC address – sub VLAN – port". The switch replaces the destination MAC address with the gateway MAC address and sends the unicast ARP reply to the source host.
  • Page 454 Configuration Guide Configuring Super VLAN Configuring Layer 2 Association for a Super VLAN 1.3.1 Overview You can configure a common VLAN as a super VLAN, configure other common VLANs as sub VLANs, and add the sub VLANs to the super VLAN. A sub VLAN is a broadcast domain: hosts in a sub VLAN can communicate with each other at Layer 2 but are isolated at Layer 2 from hosts outside the sub VLAN...
  • Page 455 Configuration Guide Configuring Super VLAN vlan { vlan-id | range vlan-range } Only VLAN 1 exists by default. Return to the global configuration mode. exit (2) Create a common VLAN to be configured as a super VLAN and enter the VLAN configuration mode. vlan vlan-id Only VLAN 1 exists by default.
  • Page 456 Configuration Guide Configuring Super VLAN 1.4.3 Procedure (1) Configure a gateway for a super VLAN. Enter the privileged EXEC mode. enable Enter the global configuration mode. configure terminal Create an SVI for the super VLAN and enter the SVI configuration mode. interface vlan interface-number No SVI exists in a VLAN by default.
  • Page 457 Configuration Guide Configuring Super VLAN the sub VLAN cannot communicate with an external network. Therefore, you are not advised to configure an IP address range for a sub VLAN if DHCP is used to dynamically assign IP addresses to hosts. 1.5.3 Procedure (1) Enter the privileged EXEC mode.
  • Page 458 Configuration Guide Configuring Super VLAN Caution System resources are occupied when debugging information is output. Therefore, disable the debugging function immediately after use. You can run the clear commands to clear information. Caution Running the clear commands may lose vital information and thus interrupt services. Table 1-1 Monitoring Command...
  • Page 459 Configuration Guide Configuring Super VLAN [Topology diagram not reproduced. Device A: super VLAN 2 with SVI 192.168.1.1/24 and sub VLANs 10, 20 and 30; ports G0/1, G0/2 and G0/3 carry sub VLAN 10, sub VLAN 20 and sub VLAN 30 to port G0/1 of Device B (VLAN 10), Device C (VLAN 20) and Device D (VLAN 30).]...
  • Page 460 Configuration Guide Configuring Super VLAN DeviceA(config)# vlan 30 DeviceA(config-vlan)# subvlan-address-range 192.168.1.110 192.168.1.150 DeviceA(config-vlan)# exit (5) Configure GigabitEthernet 0/1, 0/2, and 0/3 as trunk ports, and add them to the sub VLANs. DeviceA(config)# interface range gigabitethernet 0/1,0/2,0/3 DeviceA(config-if-range)# switchport DeviceA(config-if-range)# switchport mode trunk DeviceA(config-if-range)# switchport trunk native vlan 1 DeviceA(config-if-range)# switchport trunk allowed vlan all...
  • Page 461 Configuration Guide Configuring Super VLAN On host 11 in sub VLAN 10, set the default gateway address to the gateway IP address of the super VLAN 192.168.1.1 and the IP address in the IP address range of the sub VLAN (that is, 192.168.1.10 to 192.168.1.50).
  • Page 462 Configuration Guide Configuring Super VLAN Sending 5, 100-byte ICMP Echoes to 192.168.1.51, timeout is 2 seconds: < press Ctrl+C to break > ..Success rate is 0 percent (0/5). Delete the gateway IP address of super VLAN 2, and verify that host 60 (192.168.1.60/24) cannot ping host 10 (192.168.1.10/24).
  • Page 463 Configuration Guide Configuring Super VLAN switchport switchport mode trunk switchport trunk native vlan 1 switchport trunk allowed vlan only 1-4094 interface VLAN 2 ip address 192.168.1.1 255.255.255.0  Device B configuration file vlan range 1,10 interface GigabitEthernet 0/1 switchport switchport mode trunk switchport trunk native vlan 1 switchport trunk allowed vlan only 1-4094 interface GigabitEthernet 0/2...
  • Page 464 Configuration Guide Configuring Super VLAN interface GigabitEthernet 0/1 switchport switchport mode trunk switchport trunk native vlan 1 switchport trunk allowed vlan only 1-4094 ! interface GigabitEthernet 0/2 switchport switchport mode access switchport access vlan 30 interface GigabitEthernet 0/3 switchport switchport mode access switchport access vlan 30 7.
  • Page 465 Configuration Guide Contents: 1 Configuring Voice VLAN (p. 1); 1.1 Introduction (p. 1); 1.1.1 Overview (p. 1); 1.1.2 Background and Function (p. 1); 1.1.3 Identifying Voice Traffic (p. 1); 1.1.4 Work Mode of the Voice VLAN (p. 2); 1.1.5 Selection of the Work Mode (p. 3); 1.1.6 Security Mode of Voice VLAN...
  • Page 466 Configuration Guide Contents: 1.6.4 Procedure (p. 10); 1.7 Configuration Aging Time for a Voice VLAN (p. 10); 1.7.1 Overview (p. 10); 1.7.2 Restrictions and Guidelines (p. 10); 1.7.3 Procedure (p. 11); 1.8 Configuring Security Mode for a Voice VLAN (p. 11); 1.8.1 Overview...
  • Page 467 Configuration Guide Contents: 1.12 Configuring LLDP to Deliver a Voice VLAN Policy (p. 15); 1.12.1 Overview (p. 15); 1.12.2 Restrictions and Guidelines (p. 15); 1.12.3 Prerequisites (p. 16); 1.12.4 Procedure (p. 16); 1.13 Monitoring (p. 17); 1.14 Configuration Examples (p. 17); 1.14.1 Configuring a Port to Transmit Tagged Voice Traffic in Automatic Mode...
  • Page 468 Configuration Guide Configuring Voice VLAN Configuring Voice VLAN Introduction 1.1.1 Overview A voice virtual local area network (VLAN) is a VLAN dedicated to voice traffic of users. The voice VLAN technology constrains data traffic and voice traffic in the data VLAN and the voice VLAN, respectively, to prevent mutual interference between voice calls and data services and improve call quality.
  • Page 469 Configuration Guide Configuring Voice VLAN If a VoIP telephone supports LLDP, it automatically sends an LLDP packet when it goes online. This device can capture the LLDP packet and identify the device capability field in the packet. If the capability is "telephone", the device identifies the voice device as a VoIP telephone.
  • Page 470 Configuration Guide Configuring Voice VLAN  Static MAC addresses do not age. Therefore, you are not advised to configure OUIs as static MAC addresses in automatic mode. 2. Manual Mode If only a VoIP telephone is connected to a device port, the port transmits only voice packets. The administrator can manually add the port to a voice VLAN or remove the port from the voice VLAN.
  • Page 471 Configuration Guide Configuring Voice VLAN If a voice VLAN ID is configured for a VoIP telephone, the VoIP telephone sends and receives only tagged voice traffic based on the configuration. If no voice VLAN ID is configured for a VoIP telephone, the VoIP telephone sends and receives only untagged voice traffic.
  • Page 472 Configuration Guide Configuring Voice VLAN Port Type Mode Supported Work Mode and Configuration Requirement Access The access ports, promiscuous ports of PVLAN, and host ports do not Promiscuous support tagged voice traffic. Host Table 1-2 Work Modes for Untagged Voice Traffic If the voice traffic is untagged, the device supports only the manual mode.
  • Page 473 Configuration Guide Configuring Voice VLAN Figure 1-3 Work Mode Selection [diagram not reproduced; surviving labels: VoIP telephone on a trunk/hybrid/uplink port, data messages in the native VLAN and tagged voice messages in the voice VLAN, shown for automatic mode and for manual mode; VoIP telephone on an access/trunk port]...
  • Page 474 Configuration Guide Configuring Voice VLAN Uplink port, PVLAN Host port and Promiscuous port), but not on the aggregate interface or Layer 3 interface.  You can use the show interface switchport command to view the interface type. If the Switchport field corresponding to the interface is "enabled", it means that the interface is a Layer 2 interface.
  • Page 475 Configuration Guide Configuring Voice VLAN automatic mode, the trunk and hybrid ports can process only tagged voice traffic. Therefore, do not configure a VLAN as a protocol VLAN and a voice VLAN at the same time. ○ If the 802.1x automatic VLAN hopping function is enabled on an access port, do not configure the VLAN ID delivered by 802.1x as the voice VLAN ID to ensure that the function works properly.
  • Page 476 Configuration Guide Configuring Voice VLAN 1.5.2 Restrictions and Guidelines  The OUI of the voice VLAN cannot be a multicast address, and the configured mask should not contain non-consecutive 1's.  mac-address indicates the source MAC address in a voice packet. oui-mask indicates the valid length of an OUI, which is expressed by a mask.
  • Page 477 Configuration Guide Configuring Voice VLAN 1.6.2 Restrictions and Guidelines  To restore the QoS and DSCP values to default values, you can run the no voice vlan cos and no voice vlan dscp commands in global configuration mode.  cos-value indicates the CoS value of voice traffic in a voice VLAN. The value range is from 0 to 7, and the default value is 6...
  • Page 478 Configuration Guide Configuring Voice VLAN 1.7.3 Procedure (1) Enter the privileged EXEC mode. enable (2) Enter the global configuration mode. configure terminal (3) Configure aging time of a voice VLAN. voice vlan aging The default aging time of a voice VLAN is 1440 minutes.
  • Page 479 Configuration Guide Configuring Voice VLAN the port identifies voice traffic, you cannot manually add the port to or delete the port from the voice VLAN by using commands.  If a port does not transmit packet data of a voice VLAN, remove the voice VLAN from the allowed VLAN list of the port.
  • Page 480 Configuration Guide Configuring Voice VLAN Configure the VLAN used for transmitting common packets as a native VLAN of the user port to transmit untagged common packets. switchport trunk native vlan data-vlan-id The default native VLAN of a trunk port is VLAN 1. Configure an allowed VLAN list for the user port, add the data VLAN to the list, and exclude the voice VLAN from the list.
  • Page 481 Configuration Guide Configuring Voice VLAN configure terminal Create a VLAN to transmit common packets. vlan data-vlan-id Only VLAN 1 exists by default. Return to the global configuration mode. exit (2) Enter the Layer 2 Ethernet interface configuration mode. interface { ethernet-type interface-number | range ethernet-type interface-range } (3) Configure the user port as a trunk port.
  • Page 482 Configuration Guide Configuring Voice VLAN 1.11.3 Prerequisites Configure a voice VLAN. 1.11.4 Procedure Enter the privileged EXEC mode. enable Enter the global configuration mode. configure terminal Enter the Layer 2 Ethernet interface configuration mode. interface { ethernet-type interface-number | range ethernet-type interface-range } Configure the user port as an access port.
  • Page 483 Configuration Guide Configuring Voice VLAN policy or enter the LLDP network policy configuration mode of a policy. profile-num indicates the ID of an LLDP network policy. The value range is from 1 to 1024.  After entering the LLDP network policy configuration mode, you can run the { voice voice-signaling vlan...
  • Page 484 Configuration Guide Configuring Voice VLAN Enter the Layer 2 Ethernet interface configuration mode. interface ethernet-type interface-number Configure the interface to allow advertising the Network Policy TLV. lldp tlv-enable med-tlv network-policy profile profile-num The port is allowed to advertise the Network Policy TLV by default. 1.13 Monitoring Run the show commands to check the running status of a configured function to verify the configuration effect.
  • Page 485 Configuration Guide Configuring Voice VLAN The PC is connected to the network through the VoIP telephone in serial mode and the PC sends untagged data traffic. The data traffic of the PC is isolated from the voice traffic of the VoIP telephone. 2.
  • Page 486 Configuration Guide Configuring Voice VLAN DeviceA(config)# voice vlan cos 5 DeviceA(config)# voice vlan dscp 40 (4) Set the aging time of the voice VLAN to 1000 minutes. This configuration is required in automatic mode only. DeviceA(config)# voice vlan aging 1000 (5) Enable the security mode of the voice VLAN.
  • Page 487 Configuration Guide Configuring Voice VLAN DeviceA# show voice vlan Voice Vlan status: ENABLE Voice Vlan ID Voice Vlan security mode: Security Voice Vlan aging time: 1000 minutes Voice Vlan cos Voice Vlan dscp : 40 Current voice vlan enabled port mode: PORT MODE -------------------- ----------...
  • Page 488 Configuration Guide Configuring Voice VLAN mls qos trust cos interface GigabitEthernet 0/2 switchport switchport mode trunk switchport trunk native vlan 1 switchport trunk allowed vlan only 1-4094 7. Common Errors  When a voice VLAN works in automatic mode, the voice VLAN is not removed from the allowed VLAN list of the port.
  • Page 489 Configuration Guide Configuring Voice VLAN DeviceA> enable DeviceA# configure terminal DeviceA(config)# vlan 2 DeviceA(config-vlan)# exit DeviceA(config)# voice vlan 2 (2) Set the CoS value to 5 and the DSCP value to 40 for voice traffic of the voice VLAN. DeviceA(config)# voice vlan cos 5 DeviceA(config)# voice vlan dscp 40 (3) Set the OUI for identifying voice packets to 0012.3400.0000, mask to ffff.ff00.0000, and vendor to B on the device.
  • Page 490 Configuration Guide Configuring Voice VLAN Voice Vlan dscp : 40 Current voice vlan enabled port mode: PORT MODE -------------------- ---------- Gi0/1 MANUAL Check the voice VLAN OUI of the device. DeviceA# show voice vlan oui Mask Description 0012.3400.0000 ffff.ff00.0000 Check port configuration. DeviceA(config)# show interface switchport Interface Switchport Mode...
  • Page 491 Configuration Guide Configuring Voice VLAN 1.14.3 Configuring Isolation of Untagged Voice Traffic from Data Traffic 1. Requirements A PC is connected to a VoIP telephone and the VoIP telephone is connected to device A. The VoIP telephone automatically obtains an IP address and sends untagged voice traffic. The PC sends untagged data traffic. To ensure quality of voice calls, the voice data must be transmitted in the dedicated voice VLAN 2 and this voice VLAN cannot transmit non-voice data.
  • Page 492 Configuration Guide Configuring Voice VLAN (4) Create data VLAN 3 to transmit common data. DeviceA(config)# vlan 3 DeviceA(config-vlan)# exit (5) Configure GigabitEthernet 0/1 as a hybrid port and data VLAN 3 as a native VLAN. In this way, the device sends untagged packets of data VLAN 3 and untagged packets of voice VLAN 2 to the user port.
  • Page 493 Configuration Guide Configuring Voice VLAN PORT MODE -------------------- ---------- Gi0/1 MANUAL Check the OUI of the voice device. DeviceA# show voice vlan oui Mask Description --------------- --------------- ------------------------------ 0012.3400.0000 ffff.ff00.0000 B Check the MAC VLAN entries. DeviceA# show mac-vlan all The following MAC VLAN address exist: S: Static D: Dynamic...
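The voice VLAN chapter above identifies voice traffic by matching the source MAC address of a packet against a configured OUI and mask, and requires that the OUI is not a multicast address and that the mask has no non-consecutive 1s. The following is an added example, not code from the Ruijie manual: it checks OUI/mask pairs against those two rules and lists MAC entries seen in the voice VLAN that match no configured OUI. The function names and the sample MAC table are constructed; the OUI and mask are the ones used in the configuration examples above.

```python
ALL_ONES = (1 << 48) - 1
MULTICAST_BIT = 1 << 40  # least significant bit of the first octet

# OUI and mask from the configuration examples on this page.
OUI_TABLE = [("0012.3400.0000", "ffff.ff00.0000")]

# Constructed sample: (VLAN ID, source MAC) pairs as a MAC address table would list them.
SAMPLE_MAC_TABLE = [
    (2, "0012.34ab.cdef"),   # matches the configured OUI
    (2, "0012.3411.2233"),   # matches the configured OUI
    (2, "00d0.f822.33aa"),   # in the voice VLAN but matches no OUI
    (3, "00d0.f822.33bb"),   # data VLAN, not checked
]


def parse_mac(text):
    """Parse a MAC address in the dotted form used on this page into an integer."""
    digits = text.replace(".", "").replace(":", "").replace("-", "")
    if len(digits) != 12:
        raise ValueError(f"not a 48-bit MAC address: {text!r}")
    return int(digits, 16)


def check_oui(oui, mask):
    """Return the rule violations for one OUI/mask pair (empty list if none)."""
    oui_bits, mask_bits = parse_mac(oui), parse_mac(mask)
    problems = []
    if oui_bits & MULTICAST_BIT:
        problems.append("OUI is a multicast address")
    # A valid mask is a run of leading 1s, so its inverse is 2**k - 1.
    inverted = ~mask_bits & ALL_ONES
    if mask_bits == 0 or inverted & (inverted + 1):
        problems.append("mask contains non-consecutive 1s")
    return problems


def matches_oui(src_mac, oui_table):
    """True if the source MAC matches any (OUI, mask) entry."""
    src = parse_mac(src_mac)
    return any(
        (src & parse_mac(mask)) == (parse_mac(oui) & parse_mac(mask))
        for oui, mask in oui_table
    )


def unexpected_voice_macs(mac_table, voice_vlan, oui_table):
    """List source MACs learned in the voice VLAN that match no configured OUI."""
    return [mac for vlan, mac in mac_table
            if vlan == voice_vlan and not matches_oui(mac, oui_table)]
```

Running `unexpected_voice_macs(SAMPLE_MAC_TABLE, 2, OUI_TABLE)` over the constructed table returns the single entry that sits in voice VLAN 2 without a matching OUI.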
  • Page 494 Configuration Guide Contents: 1 Configuring GVRP (p. 1); 1.1 Introduction (p. 1); 1.1.1 Overview (p. 1); 1.1.2 Background and Function (p. 1); 1.1.3 Principles (p. 1); 1.1.4 Basic Concepts (p. 3); 1.1.5 Packet Format (p. 4); 1.1.6 Protocols and Standards (p. 6); 1.2 Configuration Task Summary...
  • Page 495 Configuration Guide Contents: 1.7 Configuration Examples (p. 13); 1.7.1 Configuring Basic Functions of GVRP (p. 13); 1.7.2 Configuring GVRP BPDU Tunnels (p. 18)...
  • Page 496 Configuration Guide Configuring GVRP Configuring GVRP Introduction Overview Generic Attribute Registration Protocol (GARP) VLAN registration protocol (GVRP) is a protocol for dynamically configuring virtual local area network (VLAN) attributes. It propagates VLAN attributes through protocol packets, and implements automatic registration and deregistration of VLANs on an IEEE 802.1Q trunk port. Background and Function A network is huge and complex.
  • Page 497 Configuration Guide Configuring GVRP The destination MAC address of a message packet is the specific multicast MAC address. After GVRP is enabled, the trunk port can recognize GVRP packets from other devices and obtain the VLAN registration or deregistration information by parsing the packets. If the registration mode is Normal, the port will create and join a VLAN dynamically, or the port will exit the VLAN and update the local VLAN registration information dynamically.
  • Page 498 Configuration Guide Configuring GVRP Basic Concepts 1. Static and Dynamic VLANs  A manually created or deleted VLAN is a static VLAN.  A VLAN dynamically created or deleted through GVRP is a dynamic VLAN. The protocol state machine controls the process that a port joins or exits a dynamic VLAN. Only the trunk port that has received a GVRP registration or deregistration declaration can join or exit the dynamic VLAN created by GVRP;...
  • Page 499 Configuration Guide Configuring GVRP ○ LeaveIn message: Used to deregister a registered attribute.  LeaveAll message After GVRP is enabled, each GVRP application entity will enable its own LeaveAll timer. If the LeaveAll timer of a GVRP entity times out, it will send a LeaveAll message to deregister all attributes, which will cause other GVRP entities to re-register the attribute information.
  • Page 500 Configuration Guide Configuring GVRP [Packet format diagram not reproduced; surviving labels: Ethernet frame with Ethernet header (DMAC, SMAC, Length), LLC header (DSAP, SSAP, Ctrl) and Data (43~1497 bytes, ≤1500); GARP PDU with Protocol ID, Message 1 to Message M, End Mark; Message with Attribute Type and Attribute List; Attribute list with Attribute 1 to Attribute M, End Mark]...
  • Page 501 Configuration Guide Configuring GVRP Number of Field Description Bytes Attribute Indicates the attribute value. The attribute value of GVRP is VLAN ID, but Value the attribute value of LeaveAll is invalid. End Mark Indicates the end mark of GVRP PDU, 0x00. Protocols and Standards ...
  • Page 502 Configuration Guide Configuring GVRP Configuring Basic Features Overview When the GVRP function is enabled, the device can send GVRP packets containing the VLAN information, dynamically create or delete VLANs and add or remove ports to/from VLANs. Devices synchronize respective VLAN information to maintain communication in the topology. This function can reduce the manual configuration workload and simplify VLAN management.
  • Page 503 Configuration Guide Configuring GVRP Prerequisites • Configure the interface as a Layer 2 interface. Procedure (1) Enter the privileged EXEC mode. enable (2) Enter the global configuration mode. configure terminal (3) Enable the function of creating VLANs dynamically. gvrp dynamic-vlan-creation enable Creating VLANs dynamically is disabled by default.
  • Page 504 Configuration Guide Configuring GVRP and static VLAN information, according to which the peer device determines the VLAN to be created. • Non-Applicant: Do not collect the VLAN information of local port, and do not notify the VLAN information on local device. Restrictions and Guidelines •...
  • Page 505 Configuration Guide Configuring GVRP Restrictions and Guidelines • Use the gvrp registration mode normal command to allow VLANs to be dynamically created, registered, or deregistered on a port. • Use the gvrp register mode disable command to prevent VLANs from being dynamically created, registered, or deregistered on a port.
  • Page 506 Configuration Guide Configuring GVRP Restrictions and Guidelines • The tunnel function takes effect only when the GVRP BPDU tunnel is enabled in both global configuration mode and interface configuration mode. In the global configuration mode, run the l2protocol-tunnel gvrp command to enable the GVRP BPDU tunnel function globally. In Layer 2 Ethernet interface configuration mode or the Layer 2 link aggregation configuration mode, run the l2protocol-tunnel gvrp enable command...
  • Page 507 Configuration Guide Configuring GVRP destination MAC address 0180.c200.0006, no matter whether GVRP is enabled. If the device has GVRP enabled, it will use GVRP BPDU frames for GVRP calculation; otherwise, it will discard GVRP packets. However, in specific applications, devices may be required to transparently transmit GVRP packets.
  • Page 508 Configuration Guide Configuring GVRP Table 1-2 Monitoring (Command: Purpose). clear gvrp statistics interface-type interface-number: Clears port statistics. show gvrp statistics { interface-type interface-number |: Displays port statistics. show gvrp status: Displays the current GVRP status. show gvrp configuration: Displays the current GVRP configuration. show l2protocol-tunnel gvrp: Displays the GVRP BPDU tunnel information.
  • Page 509 Configuration Guide Configuring GVRP DeviceA> enable DeviceA# configure terminal DeviceA(config)# vlan range 2-10 DeviceA(config-vlan)# exit Create VLANs 11 to 20 for user network communication on Device C. DeviceC> enable DeviceC# configure terminal DeviceC(config)# vlan range 11-20 DeviceC(config-vlan)# exit (2) Enable the dynamic creation function of VLAN. Enable the dynamic creation function of VLAN on Device A.
  • Page 510 Configuration Guide Configuring GVRP DeviceA(config)# gvrp enable Enable the GVRP function on Device B. DeviceB(config)# gvrp enable Enable the GVRP function on Device C. DeviceC(config)# gvrp enable 5. Verification (1) Before the GVRP function is enabled globally, check the static VLAN configuration of the device; check whether the interconnection interfaces are trunk ports and allow all VLANs to pass.
  • Page 511 Configuration Guide Configuring GVRP Interface Switchport Mode Access Native Protected VLAN lists -------------------------- ---------- --------- ------ ------ --------- -------------------- GigabitEthernet 0/1 enabled TRUNK Disabled ALL (2) After the GVRP function is enabled globally, check the GVRP configuration of devices. Check whether the GVRP function of Device A has been enabled, and the trunk port normally advertises the GVRP information and dynamically updates the VLAN information.
  • Page 512 Configuration Guide Configuring GVRP GigabitEthernet 0/1 normal normal (3) After the GVRP function is enabled globally, check the VLANs dynamically created by devices and check whether the trunk ports join dynamic VLANs. Dynamic VLANs 11 to 20 are created on Device A, and the trunk port Gigabit Ethernet 0/2 joins the dynamic VLANs 11 to 20.
  • Page 513 Configuration Guide Configuring GVRP gvrp dynamic-vlan-creation enable vlan range 1 interface GigabitEthernet 0/1 switchport switchport mode trunk switchport trunk native vlan 1 switchport trunk allowed vlan only 1-4094 interface GigabitEthernet 0/2 switchport switchport mode trunk switchport trunk native vlan 1 switchport trunk allowed vlan only 1-4094 •...
  • Page 514 Configuration Guide Configuring GVRP 2. Topology Figure 1-4 Application Scenario of GVRP BPDU Tunnel Function [topology diagram; labels: Service Provider Network, PE 1, PE 2, CE 1, CE 2, Customer Network A, Customer Network B, ports G0/1, G0/2, G0/5] 3.
  • Page 515 Configuration Guide Configuring GVRP PE2> enable PE2# configure terminal PE2(config)# vlan 252 PE2(config-vlan)# exit PE2(config)# gvrp dynamic-vlan-creation enable PE2(config)# interface gigabitethernet 0/5 PE2(config-if-GigabitEthernet 0/5)# switchport PE2(config-if-GigabitEthernet 0/5)# switchport mode trunk PE2(config-if-GigabitEthernet 0/5)# switchport trunk native vlan 1 PE2(config-if-GigabitEthernet 0/5)# switchport trunk allowed vlan all PE2(config-if-GigabitEthernet 0/5)# exit PE2(config)# gvrp enable (2) Configure the basic QinQ function on SP devices.
  • Page 516 Configuration Guide Configuring GVRP CE1> enable CE1# configure terminal CE1(config)# vlan range 60-69 CE1(config-vlan)# exit CE1(config)# gvrp dynamic-vlan-creation enable CE1(config)# interface gigabitethernet 0/1 CE1(config-if-GigabitEthernet 0/1)# switchport CE1(config-if-GigabitEthernet 0/1)# switchport mode trunk CE1(config-if-GigabitEthernet 0/1)# switchport trunk native vlan 1 CE1(config-if-GigabitEthernet 0/1)# switchport trunk allowed vlan all CE1(config-if-GigabitEthernet 0/1)# exit CE1(config)# gvrp enable Enable the GVRP function globally on CE 2 and port Gigabit Ethernet 0/1 in turn.
  • Page 517 Configuration Guide Configuring GVRP Only static VLANs exist on PE 2; the uplink port Gigabit Ethernet 0/5 is a trunk port and allows all VLANs to pass. PE2# show vlan VLAN Name Status Ports ---------- -------------------------------- --------- ----------------------------------- 1 VLAN0001 STATIC Gi0/1, Gi0/2, Gi0/3, Gi0/4 Gi0/5, Gi0/6, Gi0/7, Gi0/8...
  • Page 518 Configuration Guide Configuring GVRP (2) Check whether the QinQ function is enabled, the SP device port connected to the user is the Dot1q-tunnel port, and the GVRP tunnel function is enabled. Check the GVRP BPDU tunnel configuration on PE 1, and check whether the interface type is Dot1q-tunnel.
  • Page 519 Configuration Guide Configuring GVRP Global GVRP Configuration: GVRP Feature:enabled GVRP Dynamic VLAN Creation:enabled Join Timers(ms):200 Leave Timers(ms):600 Leaveall Timers(ms):10000 Port based GVRP Configuration: PORT Applicant Status Registration Mode ----------------------- -------------------- --------------------- GigabitEthernet 0/5 normal normal Check whether the GVRP function of CE 1 has been enabled, and the trunk port normally advertises the GVRP information and dynamically updates the VLAN information.
  • Page 520 Configuration Guide Configuring GVRP ---------- -------------------------------- --------- ----------------------------------- 1 VLAN0001 STATIC Gi0/1, Gi0/2, Gi0/3, Gi0/4 Gi0/5, Gi0/6, Gi0/7, Gi0/8 250 VLAN0250 STATIC Gi0/1, Gi0/5 251 VLAN0251 STATIC Gi0/5 252 DVLAN0252 DYNAMIC Gi0/5 Dynamic VLAN 251 has been created on PE 2, and the trunk port Gigabit Ethernet 0/5 joins the dynamic VLAN 251.
  • Page 521 Configuration Guide Configuring GVRP l2protocol-tunnel gvrp gvrp enable gvrp dynamic-vlan-creation enable vlan range 1,250-251 interface GigabitEthernet 0/1 switchport mode dot1q-tunnel switchport dot1q-tunnel allowed vlan add untagged 250 switchport dot1q-tunnel native vlan 250 l2protocol-tunnel gvrp enable interface GigabitEthernet 0/5 switchport switchport mode trunk switchport trunk native vlan 1 switchport trunk allowed vlan only 1-4094 •...
  • Page 522 Configuration Guide Configuring GVRP switchport trunk allowed vlan only 1-4094 • CE 2 configuration file gvrp enable gvrp dynamic-vlan-creation enable vlan range 1,70-79 interface GigabitEthernet 0/1 switchport switchport mode trunk switchport trunk native vlan 1 switchport trunk allowed vlan only 1-4094 7.
  • Page 523 Configuration Guide Contents Contents 1 Configuring QinQ, p. 1; 1.1 Introduction, p. 1; 1.1.1 Overview, p. 1; 1.1.2 Background and Function, p. 1; 1.1.3 QinQ Packet Format, p. 1; 1.1.4 QinQ Packet Forwarding, p. 2; 1.1.5 Basic QinQ Encapsulation, p. 3; 1.1.6 Selective QinQ Encapsulation...
  • Page 524 Configuration Guide Contents 1.4.4 Procedure, p. 9; 1.5 Configuring C-Tag-Based Selective QinQ Encapsulation, p. 10; 1.5.1 Overview, p. 10; 1.5.2 Restrictions and Guidelines, p. 10; 1.5.3 Prerequisites, p. 10; 1.5.4 Procedure, p. 10; 1.6 Configuring ACL-Based Selective QinQ Encapsulation, p. 11; 1.6.1 Overview...
  • Page 525 Configuration Guide Contents 1.9.2 Restrictions and Guidelines, p. 18; 1.9.3 Prerequisites, p. 18; 1.10 Configuring Layer-2 Protocol Tunneling, p. 19; 1.10.1 Overview, p. 19; 1.10.2 Restrictions and Guidelines, p. 19; 1.10.3 Configuration Tasks, p. 20; 1.10.4 Configuring STP Packet Tunneling, p. 20; 1.10.5 Configuring GVRP Packet Tunneling...
  • Page 526 Configuration Guide Configuring QinQ Configuring QinQ Introduction 1.1.1 Overview When a client packet enters a provider edge (PE), the QinQ technology first encapsulates the packet with a public virtual local area network (VLAN) tag before transmitting the packet in the SP network. The private VLAN tag, if any, in the client packet is regarded as data.
  • Page 527 Configuration Guide Configuring QinQ ○ Type: Consisting of 2 bytes; 0x8100 indicates 802.1Q frame. Devices that do not support IEEE 802.1Q will drop such frames received. ○ PRI: Consisting of 3 bits, indicating layer-2 priority. The value range is 0 to 7, corresponding to CoS priorities of QoS.
  • Page 528 Configuration Guide Configuring QinQ 2. QinQ Forwarding A QinQ-encapsulated packet will be transmitted in the SP network. Generally, devices directly forward the QinQ packet with dual tags. During the transmission, you may need to modify the VIDs in the inner and outer tags. In this case, you can configure a modification policy on the access, trunk, hybrid, or uplink port to modify QinQ tags (Modifying QinQ...
  • Page 529 Configuration Guide Configuring QinQ After receiving packets, the dot1q-tunnel port regards all the packets as untagged regardless of whether they carry tags, determines whether the packets belong to the native VLAN of the local interface, learns the corresponding relationship between the client-end MAC address and the native VLAN, and stores it in the MAC address table.
  • Page 530 Configuration Guide Configuring QinQ 1.1.8 VLAN Mapping The VLAN mapping function can convert client VLAN IDs and SP VLAN IDs to implement inter-VLAN layer-2 communication. This function takes effect on the access, trunk, hybrid, or uplink ports. VLAN mapping is a function of modifying tags, not adding tags.
  • Page 531 Configuration Guide Configuring QinQ If basic QinQ encapsulation is used, the VLAN ID in the outer tag is native VLAN ID. When receiving a response packet from the peer end, the device can find the corresponding relationship between the client MAC address and the outer VLAN in the MAC address table.
  • Page 532 Configuration Guide Configuring QinQ identified as a special packet by the SP device and participate in the SP topology calculation, affecting the SP network topology. Therefore, the STP and GVRP packets of the client network must be transmitted through a tunnel in the SP network, so that the SP can forward the client's special packets as ordinary packets.
  • Page 533 Configuration Guide Configuring QinQ Configuration Task Summary 1.3.1 Configuring Tag Adding QinQ tag adding includes the following tasks: (1) Configure the QinQ encapsulation mode of the dot1q-tunnel port. Select at least one of them to configure. ○ Configuring Basic QinQ Encapsulation ○...
  • Page 534 Configuration Guide Configuring QinQ the untagged form. • If port-based QinQ is enabled, you do not need to add the VLAN of the client network to the allowed VLAN list of the dot1q-tunnel port. If selective QinQ is enabled, add the VLAN of the client network to the allowed VLAN list of the interface in the tagged or untagged form based on the actual conditions.
  • Page 535 Configuration Guide Configuring QinQ Configuring C-Tag-Based Selective QinQ Encapsulation 1.5.1 Overview Encapsulate outer VLAN tags (S-Tags) in packets based on inner tags to ensure preferential transmission and management of layer-2 VPN and service flows. 1.5.2 Restrictions and Guidelines • This function must be configured based on the basic QinQ, and prevails over the basic QinQ policy.
  • Page 536 Configuration Guide Configuring QinQ ○ Enter the Layer 2 aggregate interface configuration mode. interface { aggregateport interface-number | range aggregateport interface-range } (3) Configure the Layer 2 Ethernet interface as a dot1q-tunnel port. switchport mode dot1q-tunnel A Layer 2 interface works in access mode by default. (4) Configure to add the SP VLAN to the untagged VLAN list of the dot1q-tunnel port.
  • Page 537 Configuration Guide Configuring QinQ Caution • The policy of adding the VID based on ACL prevails over those based on C-Tag and port. • When an ACL is deleted, the related policy will be automatically deleted. • Upon receiving a packet with two or more tags, the dot1q-tunnel port cannot add an outer tag to the packet based on the flow-based matching rule.
  • Page 538 Configuration Guide Configuring QinQ vlan range svidA,svidB Only VLAN 1 exists by default. Return to the global configuration mode. exit (3) Enter the interface configuration mode to configure the interface for connecting the client network. ○ Enter the Layer 2 Ethernet interface configuration mode. interface { ethernet-type interface-number | range...
  • Page 539 Configuration Guide Configuring QinQ When an outer VLAN tag is added, the user priority of the outer VLAN tag can be set according to the user priority of the inner VLAN tag through priority mapping so that the network QoS priority policy can be used after the packet is encapsulated with an outer VLAN tag.
  • Page 540 Configuration Guide Configuring QinQ ○ Enter the Layer 2 Ethernet interface configuration mode. interface { ethernet-type interface-number | range ethernet-type interface-range } ○ Enter the Layer 2 aggregate interface configuration mode. interface { aggregateport interface-number | range aggregateport interface-range } (4) Configure the CoS priority for trusted packets of the interface. mls qos trust cos The default trust mode of an interface is untrust.
  • Page 541 Configuration Guide Configuring QinQ interface { ethernet-type interface-number | range ethernet-type interface-range } ○ Enter the Layer 2 aggregate interface configuration mode. interface { aggregateport interface-number | range aggregateport interface-range } (4) Configure the CoS priority for trusted packets of the interface. mls qos trust cos The default trust mode of an interface is untrust.
  • Page 542 Configuration Guide Configuring QinQ • Configure the interface as an Uplink port. 1.8.4 Procedure (1) Enter the privileged EXEC mode. enable (2) Enter the global configuration mode. configure terminal (3) Enter the interface configuration mode, and configure the uplink port (the port where the SP's network edge device connects to the public network).
  • Page 543 Configuration Guide Configuring QinQ For the outbound packets on access, trunk, hybrid and uplink ports, this function can modify the VID of the outer tag based on the packet content identified by ACL. 1.9.2 Restrictions and Guidelines • The policy of modifying the VID based on ACL prevails over those based on port and C-Tag. •...
  • Page 544 Configuration Guide Configuring QinQ No policy of modifying the outer VID based on the outer VID of input packets is configured by default. (7) Configure the policy of modifying the outer VID based on the outer and inner VIDs of packet. dot1q new-outer-vlan new-svid translate old-outer-vlan...
  • Page 545 Configuration Guide Configuring QinQ 1.10.3 Configuration Tasks The configuration includes the following tasks: • Configuring STP Packet Tunneling • Configuring GVRP Packet Tunneling 1.10.4 Configuring STP Packet Tunneling 1. Overview If the STP function is enabled for the SP device and STP BPDU packets of the client network need to be transmitted, this function must be configured.
  • Page 546 Configuration Guide Configuring QinQ ○ Enter the Layer 2 aggregate interface configuration mode. interface { aggregateport interface-number | range aggregateport interface-range } (6) Enable the STP packet tunneling function on the dot1q-tunnel port. l2protocol-tunnel stp enable The STP packet tunneling function is disabled on the dot1q-tunnel port by default. 1.10.5 Configuring GVRP Packet Tunneling 1.
  • Page 547 Configuration Guide Configuring QinQ The GVRP packet tunneling function is disabled for the dot1q-tunnel port by default. 1.11 Monitoring Run the show commands to check the running status of a configured function to verify the configuration effect. This section also describes the debug command used for outputting debugging information. Caution System resources are occupied when debugging information is output.
  • Page 548 Configuration Guide Configuring QinQ 1.12 Configuration Examples 1.12.1 Configuring Basic QinQ to Implement Layer-2 VPN 1. Requirements An SP provides a VPN for Company A and Company B, as shown in Figure 1-6. Basic QinQ is enabled on PEs to meet the layer-2 VPN requirement. On the public network, Company A and Company B belong to different VLANs, and client data packets are transmitted on different native VLANs to implement the simple layer-2 VPN.
  • Page 549 Configuration Guide Configuring QinQ The public network transmission VLAN is the native VLAN of the dot1q-tunnel, and belongs to the allowed untagged VLAN list of the port. • Configure the interface on the PE that connects to the public network as a trunk, hybrid, or uplink port. When the connection interface between SP devices is a trunk or hybrid port, do not configure the native VLAN of the trunk or hybrid port as the native VLAN of dot1q-tunnel port.
  • Page 550 Configuration Guide Configuring QinQ PE1(config-if-GigabitEthernet 0/2)# switchport dot1q-tunnel native vlan 20 PE1(config-if-GigabitEthernet 0/2)# switchport dot1q-tunnel allowed vlan add untagged 20 PE1(config-if-GigabitEthernet 0/2)# exit On PE 2, configure VLAN 20 to implement tunnel transmission for the data of Company B's network. PE2(config)# vlan 20 PE2(config-vlan)# exit PE2(config)# interface gigabitethernet 0/2...
  • Page 551 Configuration Guide Configuring QinQ CE-A1# configure terminal CE-A1(config)# vlan range 1-100 CE-A1(config-vlan)# exit CE-A1(config)# interface gigabitethernet 0/1 CE-A1(config-if-GigabitEthernet 0/1)# switchport CE-A1(config-if-GigabitEthernet 0/1)# switchport mode trunk CE-A1(config-if-GigabitEthernet 0/1)# switchport trunk native vlan 1 CE-A1(config-if-GigabitEthernet 0/1)# switchport trunk allowed vlan all CE-A1(config-if-GigabitEthernet 0/1)# exit CE-A1(config)# interface gigabitethernet 0/2 CE-A1(config-if-GigabitEthernet 0/2)# switchport CE-A1(config-if-GigabitEthernet 0/2)# switchport mode access...
  • Page 552 Configuration Guide Configuring QinQ CE-B1(config-if-GigabitEthernet 0/2)# switchport mode access CE-B1(config-if-GigabitEthernet 0/2)# switchport access vlan 60 Create client VLANs 1–200 on CE-B2; configure the interface GigabitEthernet 0/1 for connecting to the PE as a trunk port; configure the client interface GigabitEthernet 0/2 to join VLAN 60 (the configuration of other client interfaces is omitted here).
  • Page 553 Configuration Guide Configuring QinQ Native vlan: 10 Allowed vlan list:1,10, Tagged vlan list: ========Interface Gi0/2======== Native vlan: 20 Allowed vlan list:1,20, Tagged vlan list: Display the dot1q-tunnel configuration of PE 2. PE2# show interfaces dot1q-tunnel ========Interface Gi0/1======== Native vlan: 10 Allowed vlan list:1,10, Tagged vlan list: ========Interface Gi0/2========...
  • Page 554 Configuration Guide Configuring QinQ GigabitEthernet 0/1 enabled TRUNK Disabled ALL GigabitEthernet 0/2 enabled ACCESS Disabled ALL (5) Take Hosts 2 and 3 as examples to verify that clients in Company A can implement layer-2 interworking. Configure an IP address for Host 2. Host2>...
  • Page 555 Configuration Guide Configuring QinQ Host2# ping 192.168.60.5 Sending 5, 100-byte ICMP Echoes to 192.168.60.5, timeout is 2 seconds: < press Ctrl+C to break > ..Success rate is 0 percent (0/5). 6. Configuration Files • Configuration files of PE 1 and PE 2 vlan range 1,10,20 interface GigabitEthernet 0/1 switchport...
  • Page 556 Configuration Guide Configuring QinQ switchport trunk native vlan 1 switchport trunk allowed vlan only 1-4094 interface gigabitethernet 0/2 switchport switchport mode access switchport access vlan 60 7. Common Errors • The same company has different native VLANs on the dot1q-tunnel ports of PE 1 and PE 2, which leads to the failure of interworking.
  • Page 557 Configuration Guide Configuring QinQ 2. Topology Figure 1-7 Selective QinQ Implements Layer-2 VPN [topology diagram; labels: HGW2, HGW30, VLAN 2, VLAN 30, VLAN 2~30, VLAN 10, IPTV VLAN 102, IPTV VLAN 130, VLAN 102~130, IPTV VLAN 20, ports G0/1, G0/2, G0/30] 3. Notes •...
  • Page 558 Configuration Guide Configuring QinQ PE(config-if-GigabitEthernet 0/1)# switchport PE(config-if-GigabitEthernet 0/1)# switchport mode dot1q-tunnel PE(config-if-GigabitEthernet 0/1)# switchport dot1q-tunnel native vlan 1 PE(config-if-GigabitEthernet 0/1)# switchport dot1q-tunnel allowed vlan add untagged 1,10,20 If the dot1q-tunnel receives the frames of client VLANs 2–30 (C-Tag), the frames will be encapsulated with the tag (S-Tag) of SP VLAN 10.
  • Page 559 Configuration Guide Configuring QinQ CE(config-if-GigabitEthernet 0/30)# switchport CE(config-if-GigabitEthernet 0/30)# switchport mode trunk CE(config-if-GigabitEthernet 0/30)# switchport trunk native vlan 1 CE(config-if-GigabitEthernet 0/30)# switchport trunk allowed vlan only 30,130 CE(config-if-GigabitEthernet 0/30)# end CE# write 5. Verification (1) Display the PE configuration. Display the interface configuration of the PE. PE# show interfaces switchport Interface Switchport Mode...
  • Page 560 Configuration Guide Configuring QinQ GigabitEthernet 0/2 enabled Trunk Disabled 2,102 GigabitEthernet 0/3 enabled Trunk Disabled 3,103 …… GigabitEthernet 0/30 enabled Trunk Disabled 30,130 6. Configuration Files • Configuration file of the PE vlan range 1,10,20 interface GigabitEthernet 0/1 switchport switchport mode dot1q-tunnel switchport dot1q-tunnel allowed vlan add untagged 1,10,20 switchport dot1q-tunnel native vlan 1 dot1q outer-vid 100 register inner-vid 2-30...
  • Page 561 Configuration Guide Configuring QinQ 1.12.3 Configuring ACL-Based Selective QinQ to Implement Layer-2 VPN and Service Flow Management 1. Requirements If the service flows of client network are not classified according to VLAN, but according to the MAC address, IP address, or protocol type, or there are a large number of old low-end network access devices on the client network and the service flows cannot be effectively distinguished using VLAN ID, the packets from the client network cannot be encapsulated with outer tags based on their C-tags to realize transparent transmission and implement QoS policies.
  • Page 562 Configuration Guide Configuring QinQ • The SP network provides a CoS-based QoS priority policy, and the packets of client network are attached with tags. You can configure priority mapping to modify the CoS value of the outer tag. In this way, the packet is transmitted based on the corresponding QoS priority policy of the SP after being encapsulated with an outer tag, and flexible control is implemented on the packet priority on the dot1q-tunnel.
  • Page 563 Configuration Guide Configuring QinQ PE1(config-if-GigabitEthernet 0/2)# switchport trunk native vlan 1 PE1(config-if-GigabitEthernet 0/2)# switchport trunk allowed vlan all PE1(config-if-GigabitEthernet 0/2)# end PE1# write 5. Verification (1) Display the interface configuration of the PE. PE1# show interfaces switchport Interface Switchport Mode Access Native Protected VLAN lists -------------------------------- ---------- --------- ------ ------ --------- ----------------...
  • Page 564 Configuration Guide Configuring QinQ switchport dot1q-tunnel native vlan 1 dot1q-tunnel cos 3 remark-cos 5 traffic-redirect access-group acl1 nested-vlan 100 in traffic-redirect access-group acl2 nested-vlan 200 in mls qos trust cos interface GigabitEthernet 0/2 switchport switchport mode uplink switchport trunk native vlan 1 switchport trunk allowed vlan only 1-4094 7.
  • Page 565 Configuration Guide Configuring QinQ 2. Topology Figure 1-9 VLAN Mapping Implements Aggregation of Different Services [topology diagram; labels include HGW1, Floor, Campus, IPTV, VoIP, ports G0/1 to G0/4, the mappings VLAN10->VLAN100, VLAN11->VLAN101, VLAN12->VLAN102 and VLAN10<-VLAN100, VLAN11<-VLAN101, VLAN12<-VLAN102, and VLAN1000, VLAN1001, VLAN1002]...
  • Page 566 Configuration Guide Configuring QinQ policy for the input direction for the uplink data on HGW 2: Map VLAN 10 as VLAN 200; map VLAN 11 as VLAN 201; map VLAN 12 as VLAN 202. To avoid waste of the bandwidth, configure GigabitEthernet 0/3 to allow only the data of VLANs 200 to 202 to pass through.
  • Page 567 Configuration Guide Configuring QinQ HGW1# write (2) Configure HGW 2. Create a VLAN after mapping, configure the uplink port, and configure the VLAN mapping policy for input direction for the downlink data. HGW2> enable HGW2# configure terminal HGW2(config)# vlan range 10-12 HGW2(config-vlan-range)# exit HGW2(config)# interface gigabitethernet 0/1 HGW2(config-if-GigabitEthernet 0/1)# switchport...
  • Page 568 Configuration Guide Configuring QinQ Floor(config-if-GigabitEthernet 0/2)# vlan-mapping-in vlan 10 remark 100 Floor(config-if-GigabitEthernet 0/2)# vlan-mapping-in vlan 11 remark 101 Floor(config-if-GigabitEthernet 0/2)# vlan-mapping-in vlan 12 remark 102 Floor(config-if-GigabitEthernet 0/2)# exit Create a VLAN after mapping, and for the uplink data of HGW 2, create the VLAN mapping policy for input direction on the downlink interface.
  • Page 569 Configuration Guide Configuring QinQ Campus(config)# interface gigabitethernet 0/2 Campus(config-if-GigabitEthernet 0/2)# switchport Campus(config-if-GigabitEthernet 0/2)# switchport mode uplink Campus(config-if-GigabitEthernet 0/2)# switchport trunk native vlan 1 Campus(config-if-GigabitEthernet 0/2)# switchport trunk allowed vlan all Campus(config-if-GigabitEthernet 0/2)# end Campus# write 5. Verification (1) Verify the configuration of HGW 1. Display the VLAN configuration of HGW 1.
  • Page 570 Configuration Guide Configuring QinQ --------------------- ---------- --------- ------ ------ --------- ---------------------- GigabitEthernet 0/1 enabled UPLINK Disabled ALL GigabitEthernet 0/2 enabled ACCESS Disabled ALL GigabitEthernet 0/3 enabled ACCESS Disabled ALL GigabitEthernet 0/4 enabled ACCESS Disabled ALL (3) Verify the configuration of the floor device. Display the VLAN configuration of the floor device.
  • Page 571 Configuration Guide Configuring QinQ Ports Type Outer-VID Inner-VID-list ------ ---------- ---------- -------------- Gi0/1 Add-outer 1000 100,200 Gi0/1 Add-outer 1001 101,201 Gi0/1 Add-outer 1002 102,202 6. Configuration Files • Configuration file of HGW 1 vlan range 1,10-12 interface GigabitEthernet 0/1 switchport switchport mode uplink switchport trunk native vlan 1 switchport trunk allowed vlan only 1-4094 vlan-mapping-in vlan 100 remark 10...
  • Page 572 Configuration Guide Configuring QinQ switchport mode access switchport access vlan 10 interface GigabitEthernet 0/3 switchport switchport mode access switchport access vlan 11 interface GigabitEthernet 0/4 switchport switchport mode access switchport access vlan 12 • Configuration file of the floor device vlan range 1,100-102,200-202 interface GigabitEthernet 0/1 switchport...
  • Page 573 Configuration Guide Configuring QinQ switchport dot1q-tunnel native vlan 1 dot1q outer-vid 1000 register inner-vid 100,200 dot1q outer-vid 1001 register inner-vid 101,201 dot1q outer-vid 1002 register inner-vid 102,202 interface GigabitEthernet 0/2 switchport switchport mode uplink switchport trunk native vlan 1 switchport trunk allowed vlan only 1-4094 1.12.5 Configuring Layer-2 Protocol Tunneling Based on QinQ 1.
  • Page 574 Configuration Guide Configuring QinQ • Configure the QinQ encapsulation mode. Basic QinQ is taken as an example (for details, see "1.12.1 Configuring Basic QinQ to Implement Layer-2 VPN") to configure the native VLAN of dot1q-tunnel as VLAN 10, and VLAN 10 is used as the public network transmission channel. A client data packet is first encapsulated with one VLAN 10 tag, and then forwarded on the public network.
  • Page 575 Configuration Guide Configuring QinQ Verify that the GVRP tunneling function is enabled globally and on the interface at the same time. The verification methods on PE1 and PE2 are the same. PE1 is taken as an example. Verify PE 1. PE1# show l2protocol-tunnel gvrp L2protocol-tunnel: Gvrp Enable L2protocol-tunnel destination mac address: 01d0.f800.0006...
  • Page 576 Configuration Guide Contents Contents 1 Configuring MSTP, p. 1; 1.1 Introduction, p. 1; 1.1.1 Overview, p. 1; 1.1.2 Background and Functions, p. 1; 1.1.3 STP, p. 2; 1.1.4 RSTP, p. 12; 1.1.5 MSTP, p. 18; 1.1.6 Protocols and Standards, p. 27; 1.2 Restrictions and Guidelines...
  • Page 577 Configuration Guide Contents 1.5.3 Prerequisites, p. 30; 1.5.4 Procedure, p. 30; 1.6 Configuring the Bridge Priority and Port Priority, p. 31; 1.6.1 Overview, p. 31; 1.6.2 Restrictions and Guidelines, p. 31; 1.6.3 Prerequisites, p. 32; 1.6.4 Procedure, p. 32; 1.7 Configuring the Port Path Cost, p. 32; 1.7.1 Overview...
  • Page 578 Configuration Guide Contents 1.10.4 Procedure, p. 37; 1.11 Enabling Protocol Migration, p. 38; 1.11.1 Overview, p. 38; 1.11.2 Procedure, p. 39; 1.12 Configuring Spanning Tree Compatibility for Interfaces, p. 39; 1.12.1 Overview, p. 39; 1.12.2 Prerequisites, p. 39; 1.12.3 Procedure, p. 39; 1.13 Enabling the STP Function...
  • Page 579 Configuration Guide Contents 1.16.2 Restrictions and Guidelines, p. 46; 1.16.3 Prerequisites, p. 46; 1.16.4 Procedure, p. 46; 1.17 Configuring an Edge Port, p. 47; 1.17.1 Overview, p. 47; 1.17.2 Restrictions and Guidelines, p. 47; 1.17.3 Configuration Tasks, p. 47; 1.17.4 Configuring Autoedge, p. 47; 1.17.5 Configuring the Port Fast Attribute...
  • Page 580 Configuration Guide Contents 1.20.2 Restrictions and Guidelines, p. 57; 1.20.3 Prerequisites, p. 57; 1.20.4 Procedure, p. 57; 1.21 Configuring BPDU Transparent Transmission, p. 58; 1.21.1 Overview, p. 58; 1.21.2 Restrictions and Guidelines, p. 58; 1.21.3 Procedure, p. 58; 1.22 Monitoring, p. 58; 1.23 Configuration Examples...
  • Page 581 Configuration Guide Configuring MSTP Configuring MSTP Introduction 1.1.1 Overview The Spanning Tree Protocol (STP) is a Layer 2 management protocol used to eliminate Layer 2 loops by blocking redundant links in the network. It enables a backup link in the case of a link failure. With the network development and update, multiple STP versions become available.
  • Page 582 Configuration Guide Configuring MSTP  MSTP can generate multiple spanning trees by VLAN instance to implement traffic balancing. 1.1.3 1. Overview STP, defined by the Institute of Electrical and Electronics Engineers (IEEE) 802.1D standard, is used to break physical loops at the data link layer in a LAN and prevent broadcast storms, so as to implement link redundancy. Layer 2 devices connected using single lines have no redundant lines and devices.
  • Page 583 Configuration Guide Configuring MSTP the TCN BPDU to its upstream device until the TCN BPDU reaches the root bridge. By setting the TC flag bit in the configuration BPDU to 1, the root bridge informs all bridges in the spanning tree of the network topology change, and asks them to clear dynamic MAC address entries of ports and relearn MAC addresses.
  • Page 584 Configuration Guide Configuring MSTP Field Bytes Description The value is 0x0026, indicating that the packet length is 38 bytes (3 bytes of the LLC Length header and 35 bytes of the BPDU). The LLC header occupies three bytes in three fields, as described in Table 1-2.
  • Page 585 Configuration Guide Configuring MSTP Field Bytes Description Bridge identifier of the device. It consists of a 2-byte bridge priority and a 6-byte bridge MAC address. Bridge ID In the example, the priority value is 0x8000, which indicates 32768, and the bridge MAC address is 00-d0-f8-22-35-4a.
  • Page 586 Configuration Guide Configuring MSTP Bridges exchange BPDUs to obtain information and generate a stable optimal tree topology. The most basic elements in the information are listed as follows: ○ Root ID: ID of the root bridge recognized by this local bridge. It consists of the bridge priority and MAC address of the root.
  • Page 587 Configuration Guide Configuring MSTP  Root path cost Root path cost is the cumulative path cost from the port to the root bridge. A link between two directly connected ports is called a "segment". A segment with a higher network bandwidth has a lower path cost. The total cost calculated based on the path costs of all ports in the necessary lines from a port to the root is the cumulative path cost from the port to the root bridge.
  • Page 588 Configuration Guide Configuring MSTP RSTP and MSTP Function Port Port Receiving Sending Receiving Forwarding Port State Port State Address Role Role BPDUs BPDUs Data Data Learning Disable Disabled Disable Discarding Blocking A, B Discarding Blk, A, B Listening Discarding R, D R, D Learning R, D...
  • Page 589 Configuration Guide Configuring MSTP (8) If a port is disabled or the link is faulty, the port returns to disable state. 7. Generating a Spanning Tree Topology STP automatically calculates and generates a spanning tree topology for a LAN according to a set of bridge parameters configured by the user.
  • Page 590 Configuration Guide Configuring MSTP Figure 1-4 Basic Topology of STP (figure: Device A as ROOT, Device B and Device C, linked through ports G0/1 and G0/2; legend: Root Port, Designated Port, Disable Port) 8. Maintaining a Spanning Tree Topology After a spanning tree topology becomes stable, only designated ports and root ports are in forwarding state while other ports are in blocking state....
  • Page 591 Configuration Guide Configuring MSTP is 50s, that is, 20 + 2 × 15 = 50.  Device B deems that root bridge A is faulty and considers itself as the root bridge if the following situation occurs: Port GigabitEthernet 0/1 of Device A or the link from root bridge A to Device B is faulty and downstream Device B fails to receive BPDU<1,0,1,1>...
  • Page 592 Configuration Guide Configuring MSTP 1.1.4 RSTP 1. Overview RSTP, defined by IEEE 802.1W, evolved from STP and is backward compatible with IEEE 802.1D STP. RSTP has all the functions of the conventional STP protocol and is capable of preventing loops and providing redundant links....
  • Page 593 Configuration Guide Configuring MSTP Field Bytes Description An RST BPDU uses all the eight bits. In the example, the value is 0x7c, that is, 0111 1100. Bit 7: TCA. The value 1 indicates that a topology change is known. Bit 6: Agreement. The value 1 indicates consent to status switching. Bit 5: Forwarding.
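The BPDU field layout and the flag bits described in these tables can be checked with a small decoder. The following is an added example, not code from the Ruijie manual: it parses a configuration or RST BPDU, decodes the flags byte (0x7c from the table) and compares priority vectors the way the root election and root guard do. The sample frames and OTHER_BRIDGE are constructed.

```python
import struct

LLC_STP = bytes([0x42, 0x42, 0x03])   # DSAP, SSAP, control: the 3-byte LLC header
BPDU_FMT = ">HBBB8sI8sHHHHH"          # protocol ID ... forward delay = 35 bytes
PORT_ROLES = {0: "unknown", 1: "alternate/backup", 2: "root", 3: "designated"}


def decode_flags(flags):
    """Split the RST BPDU flags byte into named bits (bit 7 = TCA ... bit 0 = TC)."""
    return {
        "tca": bool(flags & 0x80),
        "agreement": bool(flags & 0x40),
        "forwarding": bool(flags & 0x20),
        "learning": bool(flags & 0x10),
        "port_role": PORT_ROLES[(flags >> 2) & 0x03],
        "proposal": bool(flags & 0x02),
        "tc": bool(flags & 0x01),
    }


def format_bridge_id(raw):
    """Render an 8-byte bridge ID as priority.mac, e.g. 32768.00d0.f822.354a."""
    mac = raw[2:].hex()
    return f"{int.from_bytes(raw[:2], 'big')}.{mac[0:4]}.{mac[4:8]}.{mac[8:12]}"


def parse_bpdu(payload):
    """Parse LLC header + configuration/RST BPDU (bytes after the 802.3 length field)."""
    if payload[:3] != LLC_STP:
        raise ValueError("LLC header is not 42-42-03, not an STP frame")
    body = payload[3:]
    if len(body) < 4:
        raise ValueError("truncated BPDU header")
    proto, version, bpdu_type = struct.unpack_from(">HBB", body)
    if proto != 0:
        raise ValueError("unknown protocol identifier")
    if bpdu_type == 0x80:
        raise ValueError("TCN BPDU: header only, carries no priority vector")
    if bpdu_type not in (0x00, 0x02) or len(body) < struct.calcsize(BPDU_FMT):
        raise ValueError("unsupported or truncated BPDU")
    (_, _, _, flags, root_id, cost, bridge_id, port_id,
     msg_age, max_age, hello, fwd_delay) = struct.unpack_from(BPDU_FMT, body)
    return {
        "version": version, "type": bpdu_type, "flags": decode_flags(flags),
        "root_id": root_id, "root_path_cost": cost,
        "bridge_id": bridge_id, "port_id": port_id,
        # timer fields are carried in units of 1/256 second
        "message_age": msg_age / 256, "max_age": max_age / 256,
        "hello_time": hello / 256, "forward_delay": fwd_delay / 256,
    }


def priority_vector(bpdu):
    """Comparison order of the election: root ID, root path cost, bridge ID, port ID."""
    return (bpdu["root_id"], bpdu["root_path_cost"], bpdu["bridge_id"], bpdu["port_id"])


def is_superior(received, current):
    """The numerically lower vector wins, so a lower priority value or MAC is better."""
    return priority_vector(received) < priority_vector(current)


def build_sample(root_id, cost, bridge_id, port_id, flags=0x7C):
    """Constructed RST BPDU with default timers (max age 20 s, hello 2 s, delay 15 s)."""
    body = struct.pack(BPDU_FMT, 0, 2, 0x02, flags, root_id, cost, bridge_id,
                       port_id, 0, 20 * 256, 2 * 256, 15 * 256)
    return LLC_STP + body + b"\x00"    # trailing Version 1 Length byte of an RST BPDU


# Constructed samples. PAGE_BRIDGE is the bridge ID from the field table
# (priority 0x8000, MAC 00-d0-f8-22-35-4a); OTHER_BRIDGE is made up.
PAGE_BRIDGE = bytes.fromhex("800000d0f822354a")
OTHER_BRIDGE = bytes.fromhex("1000020000000001")
CURRENT_ROOT = parse_bpdu(build_sample(PAGE_BRIDGE, 0, PAGE_BRIDGE, 0x8001))
UNEXPECTED = parse_bpdu(build_sample(OTHER_BRIDGE, 0, OTHER_BRIDGE, 0x8001))

if __name__ == "__main__":
    print(format_bridge_id(CURRENT_ROOT["root_id"]), CURRENT_ROOT["flags"])
    print("superior BPDU seen:", is_superior(UNEXPECTED, CURRENT_ROOT))
```

A BPDU that is superior to the current root and arrives on a port facing terminals is the condition that root guard and BPDU guard act on.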
  • Page 594 Configuration Guide Configuring MSTP 3. Port Roles RSTP uses alternate ports and backup ports to replace blocking ports, and adds the edge port auto-identification function. Therefore, RSTP supports six types of ports:  Root port: A port with the shortest path to the root bridge. ...
  • Page 595 Configuration Guide Configuring MSTP BPDU from the upstream device, resulting in long convergence time in the case of a topology change. After an RSTP topology is stable, non-root switches automatically send configuration BPDUs at an interval of Hello Timer regardless of whether they receive configuration BPDUs from the root bridge. ...
  • Page 596 Configuration Guide Configuring MSTP Figure 1-7 Fast Convergence of RSTP (figure: Device A and Device B exchanging RST BPDU, Proposal BPDU and Agreement BPDU; roles shown: Root Bridge, Designated Bridge, Root Port, Designated Port)...
  • Page 597 Configuration Guide Configuring MSTP (2) Forwarding: The designated port of Device A enters forwarding state after receiving the Agreement BPDU, and sends the RST BPDU with the Forwarding bit set to 1 at an interval of Hello Time. After receiving the RST BPDU, the root port of Device B enters forwarding state.
  • Page 598 Configuration Guide Configuring MSTP 1.1.5 MSTP 1. Overview MSTP, defined by the IEEE 802.1s standard, overcomes the drawbacks of STP and RSTP (only one spanning tree is generated for a device) and of Per-VLAN Spanning Tree (PVST) (one spanning tree is generated for each VLAN)....
  • Page 599 Configuration Guide Configuring MSTP VLAN to be unable to communicate with each other. As shown in Figure 1-10, Devices A and B are in VLAN 1, and Devices C and D are in VLAN 2. Assume that the topology tree calculated by STP is shown in the figure. Port FastEthernet 0/2 of Device A is blocked, and the link between Devices A and B is blocked.
  • Page 600 Configuration Guide Configuring MSTP 4. Multiple Spanning Tree Region Devices that run MSTP and have the same configuration name, revision number, and instance mappings constitute a multiple spanning tree (MST) region. Configuration names, revision numbers, and instance mappings are recorded in the MST CFG ID field of MST BPDUs, and they can be configured....
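Because region membership depends on three values matching exactly, a mismatch on one switch silently splits the region. The following added example (not from the manual) compares name, revision and instance mapping across devices, summarising the mapping as the HMAC-MD5 configuration digest that IEEE 802.1Q defines for the MST configuration identifier, which goes beyond what this page spells out. The DeviceC and DeviceD entries are constructed; the DeviceA and DeviceB mapping is the one used in this guide's configuration example.

```python
import hashlib
import hmac
import re

# Fixed HMAC key that IEEE 802.1Q specifies for the MST configuration digest.
DIGEST_KEY = bytes.fromhex("13AC06A62E47FD51F95D2BA243CD0346")


def expand_vlans(spec):
    """Turn '1-9, 11-19, 41-4094' into a set of VLAN IDs."""
    vlans = set()
    for part in spec.replace(" ", "").split(","):
        if not part:
            continue
        lo, _, hi = part.partition("-")
        first, last = int(lo), int(hi or lo)
        if not 1 <= first <= last <= 4094:
            raise ValueError(f"bad VLAN range: {part}")
        vlans.update(range(first, last + 1))
    return vlans


def vlan_table(mst_config):
    """Build the 4096-entry VLAN-to-instance table from 'instance N vlan LIST' lines."""
    table = [0] * 4096                      # unmapped VLANs belong to instance 0
    pattern = r"^[ \t]*instance[ \t]+(\d+)[ \t]+vlan[ \t]+(.+)$"
    for match in re.finditer(pattern, mst_config, re.M):
        for vlan in expand_vlans(match.group(2)):
            table[vlan] = int(match.group(1))
    return table


def config_digest(table):
    """HMAC-MD5 over the table, two bytes per VLAN ID, entries 0 and 4095 left at 0."""
    raw = b"".join(inst.to_bytes(2, "big") for inst in table)
    return hmac.new(DIGEST_KEY, raw, hashlib.md5).hexdigest()


def region_id(name, revision, mst_config):
    """The three values that must match for two devices to share an MST region."""
    return (name, revision, config_digest(vlan_table(mst_config)))


def region_mismatches(devices, reference):
    """devices maps hostname -> (name, revision, MST configuration text)."""
    labels = ("name", "revision", "instance mapping")
    ref = region_id(*devices[reference])
    report = {}
    for host, cfg in devices.items():
        diff = [lab for lab, a, b in zip(labels, region_id(*cfg), ref) if a != b]
        if diff:
            report[host] = diff
    return report


PAGE_MAPPING = """spanning-tree mst configuration
 instance 0 vlan 1-9, 11-19, 21-29, 31-39, 41-4094
 instance 1 vlan 10, 30
 instance 2 vlan 20, 40
"""
# Constructed fault: VLAN 40 was never moved to instance 2 on this device.
DRIFTED_MAPPING = """spanning-tree mst configuration
 instance 1 vlan 10, 30
 instance 2 vlan 20
"""
DEVICES = {
    "DeviceA": ("", 0, PAGE_MAPPING),
    "DeviceB": ("", 0, PAGE_MAPPING),
    "DeviceC": ("", 0, DRIFTED_MAPPING),   # constructed
    "DeviceD": ("", 1, PAGE_MAPPING),      # constructed: revision bumped on one side
}

if __name__ == "__main__":
    for host, diff in region_mismatches(DEVICES, "DeviceA").items():
        print(f"{host}: differs from DeviceA in {', '.join(diff)}")
```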
  • Page 601 Configuration Guide Configuring MSTP Figure 1-11 Traffic Sharing Implemented by MSTP (figure panels: Instance 1 vlan 1-50, Instance 2 vlan 51-100; Device A labelled BID=0.MAC A and BID=4096.MAC A)...
  • Page 602 Configuration Guide Configuring MSTP unrelated to each other and unrelated to the CST. If two MST regions are configured in a topology shown in Figure 1-10, the calculated topology is shown in Figure 1-12 after MSTP runs. Figure 1-12 Preventing a Communication Failure of Ports in the Same VLAN by MSTP Instance 1 VLAN 1 Instance 1 VLAN 2 Device A...
  • Page 603 Configuration Guide Configuring MSTP The region root of region 2 is Device B. Suppose that three spanning trees are calculated for the three instances in region 2, and the roots of the three spanning trees are all Device B. On Device B, the port with the smallest root path cost to the CIST root is the master port.
  • Page 604 Configuration Guide Configuring MSTP 8. Port Roles MSTP introduces a new port role to the region root: master port, which is the port with the smallest root path cost from a region to the CIST root. The master port is the "outlet" of all instances in a region, and all instances can forward data through the master port.
  • Page 605 Configuration Guide Configuring MSTP RST BPDU. MSTP-specific fields start from the 37th byte, and the MSTI configuration message field at the end is composed of multiple MSTI configuration messages. The fields are described in Table 1-10. Table 1-10 Format of an MST BPDU Field Bytes Description...
  • Page 606 Configuration Guide Configuring MSTP Field Bytes Description Age of a BPDU, that is, keepalive time of the packet. The value is 0x0000 in the Message Age example. Maximum timeout time of a BPDU, after which the link to the root switch is Max Age considered to be faulty.
  • Page 607 Configuration Guide Configuring MSTP Field Bytes Description MSTI configuration message. The configuration message of each MSTI occupies 16 bytes. If there are n MSTIs, they occupy n × 16 bytes. Fields in the configuration message of a single MSTI are described as follows: MSTI (1-byte) MSTI Flags: MSTI flag.
  • Page 608 Configuration Guide Configuring MSTP ○ Configuring the Path Cost Calculation Method ○ Configuring the Path Cost Value (4) (Optional) Configuring Spanning Tree Time Parameters Enabling the STP Function 1.3.2 Configuring RSTP The RSTP basic configuration includes the following tasks: Configuring the Spanning Tree Mode (Optional) Configuring the Bridge Priority and Port Priority (Optional)
  • Page 609 Configuration Guide Configuring MSTP ○ Configuring Root Guard ○ Configuring Loop Guard  Configuring BPDU Source MAC Address Check  Configuring an Edge Port ○ Configuring Autoedge ○ Configuring the Port Fast Attribute  Configuring BPDU Guard or BPDU Filter ○...
  • Page 610 Configuration Guide Configuring MSTP (2) Enter the global configuration mode. configure terminal (3) Configure the spanning tree mode. spanning-tree mode mstp rstp The default spanning tree mode is MSTP. Configuring an MST Region 1.5.1 Overview This section describes how to configure an MST region to change device members in the MST region, so as to affect the spanning tree topology.
  • Page 611 Configuration Guide Configuring MSTP Enter the global configuration mode. configure terminal Create a group of VLANs. vlan { vlan-id | range vlan-range } Only VLAN 1 exists by default. Return to the global configuration mode. exit (2) Configure instance-VLAN mappings. Enter the MST configuration mode.
  • Page 612 Configuration Guide Configuring MSTP 112, 128, 144, 160, 176, 192, 208, 224, and 240. The default value is 128. Different port priorities can be configured for different instances on the same port, and an independent spanning tree can be generated for each instance based on the configuration.
  • Page 613 Configuration Guide Configuring MSTP 1.7.3 Configuring the Path Cost Calculation Method 1. Overview By default, the device automatically calculates the port path cost according to the physical interface rate and the calculation method in the specification (as shown in Table 1-11). A path with a higher rate has a lower cost, and vice versa....
  • Page 614 Configuration Guide Configuring MSTP enable (2) Enter the global configuration mode. configure terminal (3) Configure port path cost. spanning-tree pathcost method long long standard short The port path cost is calculated using the long method in the IEEE 802.1t standard by default. 1.7.4 Configuring the Path Cost Value 1.
  • Page 615 Configuration Guide Configuring MSTP Configuring Spanning Tree Time Parameters 1.8.1 Overview The timer in STP affects the spanning tree election and recovery performance. You can use the spanning-tree command to configure the following time parameters. Each configuration command can only carry one parameter. Only one of the following time parameters can be carried in the spanning-tree command: ...
  • Page 616 Configuration Guide Configuring MSTP by factor) × Hello Time. If a device fails to receive a BPDU from the upstream device within the timeout time, the spanning tree is re-calculated. The value range is from 1 to 30, and the default value is 20. 1.8.3 Procedure (1) Enter the privileged EXEC mode.
  • Page 617 Configuration Guide Configuring MSTP 1.9.2 Restrictions and Guidelines hop-count: Indicates the number of devices that a BPDU can pass through before it is discarded. The value range is from 1 to 40 and the default value is 20. 1.9.3 Procedure (1) Enter the privileged EXEC mode....
  • Page 618 Configuration Guide Configuring MSTP ○ Enter the Layer 2 Ethernet interface configuration mode. interface { ethernet-type interface-number | range ethernet-type interface-range } ○ Enter the Layer 2 aggregate interface configuration mode. interface { aggregateport interface-number | range aggregateport interface-range } (4) Configure fast convergence for spanning trees. spanning-tree link-type { point-to-point | shared }...
  • Page 619 Configuration Guide Configuring MSTP Figure 1-16 Forcing Protocol Migration to RSTP 1.11.2 Procedure (1) Enter the privileged EXEC mode. enable (2) Clear the original protocol and force the device to migrate to the RSTP protocol. clear spanning-tree detected-protocols [ interface interface-type interface-number ] 1.12 Configuring Spanning Tree Compatibility for Interfaces 1.12.1...
  • Page 620 Configuration Guide Configuring MSTP spanning-tree compatible enable The spanning tree compatibility function of interfaces is disabled by default. 1.13 Enabling the STP Function 1.13.1 Overview Unless otherwise specified, STP should be enabled on each device. 1.13.2 Restrictions and Guidelines STP and the Transparent Interconnection of Lots of Links (TRILL) protocol of data centers are mutually exclusive.
  • Page 621 Configuration Guide Configuring MSTP Figure 1-1 Basic Topology of M-LAG (figure: Device A and Device B joined by a Peer Link, Layer 3 above and Layer 2 below, with Device C attached)  Domain ID Domain ID is the unique identifier of the M-LAG system to distinguish different M-LAGs. Two devices in the M-LAG are paired by synchronizing with each other and comparing their domain ID....
  • Page 622 Configuration Guide Configuring MSTP Guide for details.  The spanning tree configuration of M-LAG member devices must be the same, that is, the MST configuration information, bridge priority, port priority and port path cost of the VAP group must be the same. Otherwise, the V-STP function will not take effect.
  • Page 623 Configuration Guide Configuring MSTP incorrect network topology change. To prevent this situation, you can configure the root guard function on designated ports of the root bridge. If the root port, master port, and alternate port on a non-root bridge periodically receive BPDUs with a higher priority from the upstream bridge, the spanning tree topology will keep unchanged.
  • Page 624 Configuration Guide Configuring MSTP spanning-tree guard root command to enable the root guard function on an interface, or run the no spanning-tree guard root command to disable the root guard function of the interface.  When a port is blocked due to root guard, you can run the spanning-tree guard none command in Layer 2 Ethernet interface configuration mode or Layer 2 aggregate interface configuration mode to disable the root...
  • Page 625 Configuration Guide Configuring MSTP  In global configuration mode, run the spanning-tree loopguard default command to enable the loop guard function on all Layer 2 Ethernet interfaces and Layer 2 aggregate interfaces, or run the no spanning-tree loopguard default command to disable the loop guard function of all Layer 2 Ethernet interfaces and Layer 2 aggregate interfaces....
  • Page 626 Configuration Guide Configuring MSTP 1. BPDU Source MAC Address Check If the peer device connects to the local device in a point-to-point manner and the MAC address of the peer device is certain, the BPDU source MAC address check function can be configured on the local device. After this function is enabled, the device receives only BPDU frames matching the designated source MAC address and discards all the other BPDU frames.
  • Page 627 Configuration Guide Configuring MSTP 1.17 Configuring an Edge Port 1.17.1 Overview After the spanning tree role election is complete, a designated port needs to wait for twice the period of Forward Delay (2 × 15 = 30s) before entering forwarding state. Designated ports can be converted into edge ports via automatic recognition or manual configuration.
  • Page 628 Configuration Guide Configuring MSTP forwarding state, the autoedge function does not take effect. It takes effect only when the designated port restarts fast negotiation (for example, the network cable is removed and then inserted). 2. Restrictions and Guidelines You can use the spanning-tree autoedge disabled command to disable the autoedge function.
  • Page 629 Configuration Guide Configuring MSTP Figure 1-17 Positions of Edge Ports Edge Port 2. Restrictions and Guidelines  Only a Layer 2 Ethernet interface or Layer 2 aggregate interface can be configured as an edge port.  In global configuration mode, you can use the spanning-tree portfast default command to configure all Layer 2 Ethernet interfaces and Layer 2 aggregate interfaces as edge ports, use the...
  • Page 630 Configuration Guide Configuring MSTP 1.18 Configuring BPDU Guard or BPDU Filter 1.18.1 Overview If a device interface is directly connected to a network terminal, BPDU guard or BPDU filter can be configured on the interface to prevent illegitimate access, BPDU attacks, or loops in downstream devices. BPDU guard and BPDU filter can be enabled globally and take effect only on edge ports, or enabled and take effect only on specific interfaces.
  • Page 631 Configuration Guide Configuring MSTP 3. Prerequisites  Configure the interface as a Layer 2 interface. 4. Procedure (global configuration mode) Enter the privileged EXEC mode. enable Enter the global configuration mode. configure terminal ○ Enable the global BPDU guard function. The function takes effect only on edge ports.
  • Page 632 Configuration Guide Configuring MSTP 3. Prerequisites  Configure the interface as a Layer 2 interface. 4. Procedure (global configuration mode) Enter the privileged EXEC mode. enable Enter the global configuration mode. configure terminal ○ Enable the global BPDU filter function. The function takes effect only on edge ports.
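One way to verify the edge-port hardening described in this section across a saved configuration, as an added example that is not part of the manual: the script walks interface stanzas and reports access ports without BPDU guard or port fast, access ports with BPDU filter, and trunk ports marked port fast. The sample configuration is constructed; `spanning-tree bpduguard enable` and `spanning-tree portfast` are the forms used in this guide's configuration files, and `spanning-tree bpdufilter enable` is assumed to be the matching interface-level form.

```python
SAMPLE_CONFIG = """\
interface GigabitEthernet 0/1
 switchport
 switchport mode trunk
 spanning-tree guard loop
!
interface GigabitEthernet 0/2
 switchport
 switchport mode trunk
 spanning-tree portfast
!
interface GigabitEthernet 0/3
 switchport
 switchport mode access
 switchport access vlan 10
 spanning-tree bpduguard enable
 spanning-tree portfast
!
interface GigabitEthernet 0/4
 switchport
 switchport mode access
 switchport access vlan 20
 spanning-tree portfast
!
interface GigabitEthernet 0/5
 switchport
 switchport mode access
 switchport access vlan 30
 spanning-tree bpdufilter enable
!
interface vlan 10
 ip address 192.168.10.2 255.255.255.0
"""

FINDINGS = {
    "no-bpduguard": "access port accepts BPDUs from the attached device",
    "no-portfast": "access port is not an edge port, so global BPDU guard would not apply",
    "bpdufilter-on-access": "BPDUs are neither sent nor received, a downstream loop goes unseen",
    "portfast-on-trunk": "edge-port attribute on a link that faces another switch",
}


def interface_blocks(config_text):
    """Yield (interface name, [commands]) for each interface stanza."""
    name, commands = None, []
    for line in config_text.splitlines():
        if line.startswith("interface "):
            if name:
                yield name, commands
            name, commands = line[len("interface "):].strip(), []
        elif name and line[:1].isspace() and line.strip():
            commands.append(" ".join(line.split()))   # normalise inner spacing
        elif name:                                    # "!" or an unindented line
            yield name, commands
            name, commands = None, []
    if name:
        yield name, commands


def audit_edge_ports(config_text):
    """Return [(interface, finding code)] for spanning tree edge-port hygiene."""
    results = []
    for name, commands in interface_blocks(config_text):
        access = "switchport mode access" in commands
        trunk = "switchport mode trunk" in commands
        portfast = "spanning-tree portfast" in commands
        if access and "spanning-tree bpduguard enable" not in commands:
            results.append((name, "no-bpduguard"))
        if access and not portfast:
            results.append((name, "no-portfast"))
        if access and "spanning-tree bpdufilter enable" in commands:
            results.append((name, "bpdufilter-on-access"))
        if trunk and portfast:
            results.append((name, "portfast-on-trunk"))
    return results


if __name__ == "__main__":
    for interface, code in audit_edge_ports(SAMPLE_CONFIG):
        print(f"{interface}: {code}: {FINDINGS[code]}")
```

The check reads interface-level commands only; a device that relies on the global BPDU guard setting needs that line checked separately.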
  • Page 633 Configuration Guide Configuring MSTP the device receives TC packets in this period, it performs another deletion operation after the period expires, to prevent frequent deletion of MAC address entries and ARP entries.  TC guard TC protection can reduce the frequency of deleting dynamic MAC address entries and ARP entries, but many deletion operations still need to be performed in the case of TC packet attacks, which affects the normal operation of devices.
  • Page 634 Configuration Guide Configuring MSTP tc-protection command to disable TC protection. 3. Prerequisites  Configure the interface as a Layer 2 interface. 4. Procedure (1) Enter the privileged EXEC mode. enable (2) Enter the global configuration mode. configure terminal (3) Enable TC guard on all Layer 2 Ethernet interfaces and Layer 2 aggregate interfaces. spanning-tree tc-protection TC guard is disabled globally by default.
  • Page 635 Configuration Guide Configuring MSTP 3. Prerequisites  Configure the interface as a Layer 2 interface. 4. Procedure (global configuration mode) Enter the privileged EXEC mode. enable Enter the global configuration mode. configure terminal ○ Enable TC guard on all Layer 2 Ethernet interfaces and Layer 2 aggregate interfaces. spanning-tree tc-protection tc-guard By default, TC guard is disabled globally.
  • Page 636 Configuration Guide Configuring MSTP (2) Enter the global configuration mode. configure terminal (3) Enter the interface configuration mode. ○ Enter the Layer 2 Ethernet interface configuration mode. interface { ethernet-type interface-number | range ethernet-type interface-range } ○ Enter the Layer 2 aggregate interface configuration mode. interface { aggregateport interface-number |...
  • Page 637 Configuration Guide Configuring MSTP 1.20.2 Restrictions and Guidelines  This function takes effect only when it is enabled in both global configuration mode and interface configuration mode. ○ Run the l2protocol-tunnel stp command to enable the global BPDU tunnel function or run the no l2protocol-tunnel stp command to disable the global BPDU tunnel function....
  • Page 638 Configuration Guide Configuring MSTP 1.21 Configuring BPDU Transparent Transmission 1.21.1 Overview According to the IEEE 802.1Q standard, BPDUs use 0180.c200.0000 as the destination MAC address. When a device supporting IEEE 802.1Q receives a frame with the destination address of 0180.c200.0000, it recognizes the frame as a BPDU and will not forward it.
  • Page 639 Configuration Guide Configuring MSTP Table 1-12 Monitoring Command Purpose show spanning-tree forward-time hello-time max-age max-hops Displays the global spanning tree configuration. instance-id | pathcost method tx-hold-count show spanning-tree counters Displays statistics on sent and received STP packets. show spanning-tree inconsistentports Displays ports blocked due to root guard or loop guard.
  • Page 640 Configuration Guide Configuring MSTP Command: Purpose. debug mstp statetran: Debugs the port state transition state machine. debug mstp transmit: Debugs the MSTP transmission state machine. clear spanning-tree counters [ interface interface-type interface-number ]: Clears statistics on packets sent and received by a port. clear spanning-tree mst instance-id: Clears the STP topology change information....
  • Page 641 Configuration Guide Configuring MSTP 2. Topology Figure 1-18 MSTP Basic Topology (figure panels include Instance 1 and Instance 2; each shows Device A, Device B and Device C linked through ports G0/1 and G0/2)...
  • Page 642 Configuration Guide Configuring MSTP 32768 (no configuration is required) for Device C so that Device B becomes the root bridge. ○ On Device A, set the path cost to 1 for port GigabitEthernet 0/2 and 4 for port GigabitEthernet 0/1 so that port GigabitEthernet 0/2 becomes the root port of Device A.
  • Page 643 Configuration Guide Configuring MSTP DeviceA(config-if-GigabitEthernet 0/2)# switchport trunk native vlan 1 DeviceA(config-if-GigabitEthernet 0/2)# switchport trunk allowed vlan all DeviceA(config-if-GigabitEthernet 0/2)# spanning-tree mst 2 cost 1 DeviceA(config-if-GigabitEthernet 0/2)# exit Configure port GigabitEthernet 0/1 as a trunk port. In instance 2, set the path cost of the port to 4. DeviceA(config)# interface gigabitethernet 0/1 DeviceA(config-if-GigabitEthernet 0/1)# switchport DeviceA(config-if-GigabitEthernet 0/1)# switchport mode trunk...
  • Page 644 Configuration Guide Configuring MSTP DeviceB(config-if-GigabitEthernet 0/1)# switchport mode trunk DeviceB(config-if-GigabitEthernet 0/1)# switchport trunk native vlan 1 DeviceB(config-if-GigabitEthernet 0/1)# switchport trunk allowed vlan all DeviceB(config-if-GigabitEthernet 0/1)# spanning-tree mst 0 cost 4 DeviceB(config-if-GigabitEthernet 0/1)# spanning-tree mst 1 cost 4 DeviceB(config-if-GigabitEthernet 0/1)# exit Enable the STP function globally.
  • Page 645 Configuration Guide Configuring MSTP Add downlink ports GigabitEthernet 0/3–0/6 to VLANs. Configure the ports as edge ports and configure BPDU guard. DeviceC(config)# interface gigabitethernet 0/3 DeviceC(config-if-GigabitEthernet 0/3)# switchport DeviceC(config-if-GigabitEthernet 0/3)# switchport mode access DeviceC(config-if-GigabitEthernet 0/3)# switchport access vlan 10 DeviceC(config-if-GigabitEthernet 0/3)# spanning-tree autoedge disabled DeviceC(config-if-GigabitEthernet 0/3)# spanning-tree portfast DeviceC(config-if-GigabitEthernet 0/3)# spanning-tree bpduguard enable DeviceC(config-if-GigabitEthernet 0/3)# exit...
  • Page 646 Configuration Guide Configuring MSTP Revision : 0 Instance Vlans Mapped -------- -------------------------------------------- : 1-9, 11-19, 21-29, 31-39, 41-4094 : 10, 30 : 20, 40 ----------------------------------------------------- Check instance mappings on Device B. DeviceB# show spanning-tree mst configuration Multi spanning tree protocol : Enable Name Revision : 0 Instance Vlans Mapped...
  • Page 647 Configuration Guide Configuring MSTP Interface Role Sts Cost Prio OperEdge Type ---------------- ---- --- ---------- -------- -------- ---------------- Gi0/1 Desg FWD 200000 False Gi0/2 Desg FWD 20000 False MST 1 vlans map : 10, 30 Region Root Priority 4096 Address 0074.9cee.f49e this bridge is region root Bridge ID Priority...
  • Page 648 Configuration Guide Configuring MSTP Bridge ID Priority 8192 Address 00d0.f8ee.8c1e Hello Time 2 sec Forward Delay 15 sec Max Age 20 sec Interface Role Sts Cost Prio OperEdge Type ---------------- ---- --- ---------- -------- -------- ---------------- Gi0/1 Root FWD 1 False Gi0/2 Desg FWD 4...
  • Page 649 Configuration Guide Configuring MSTP this bridge is root Hello Time 2 sec Forward Delay 15 sec Max Age 20 sec Bridge ID Priority 32768 Address 0074.9cee.53ca Hello Time 2 sec Forward Delay 15 sec Max Age 20 sec Interface Role Sts Cost Prio OperEdge Type ---------------- ---- --- ---------- -------- -------- ----------------...
  • Page 650 Configuration Guide Configuring MSTP Gi0/1 Altn BLK 4 False Gi0/2 Root FWD 1 False Gi0/3 Desg FWD 20000 True Gi0/4 Desg FWD 20000 True Gi0/5 Desg FWD 20000 True Gi0/6 Desg FWD 20000 True (5) Check "DesignatedRoot", "RootPort", and "RootCost" of each device in instance 1. Check the "DesignatedRoot", "RootPort", and "RootCost"...
  • Page 651 Configuration Guide Configuring MSTP PortOperPortFast : Disabled PortAdminAutoEdge : Enabled PortOperAutoEdge : Disabled PortAdminLinkType : auto PortOperLinkType : point-to-point PortBPDUGuard : Disabled PortBPDUFilter : Disabled PortGuardmode : Guard loop ###### MST 0 vlans mapped :1-9, 11-19, 21-29, 31-39, 41-4094 PortState : forwarding PortPriority : 128 PortDesignatedRoot : 4096.0074.9cee.f49e PortDesignatedCost : 0...
  • Page 652 Configuration Guide Configuring MSTP PortAdminPathCost : 4 PortOperPathCost : 4 Inconsistent states : normal PortRole : alternatePort (7) Verify that port fast is configured on ports GigabitEthernet 0/3–0/6 of Device C ("PortAdminPortFast : Enabled"), the ports work in port fast state ("PortOperPortFast : Enabled"), and BPDU guard is enabled on the ports ("PortBPDUGuard : Enabled")....
  • Page 653 Configuration Guide Configuring MSTP ###### MST 2 vlans mapped :20, 40 PortState : forwarding PortPriority : 128 PortDesignatedRoot : 4098.00d0.f8ee.8c1e PortDesignatedCost : 0 PortDesignatedBridge :32770.0074.9cee.53ca PortDesignatedPortPriority : 128 PortDesignatedPort : 1 PortForwardTransitions : 1 PortAdminPathCost : 20000 PortOperPathCost : 20000 Inconsistent states : normal PortRole : designatedPort 6.
  • Page 654 Configuration Guide Configuring MSTP spanning-tree mst configuration instance 0 vlan 1-9, 11-19, 21-29, 31-39, 41-4094 instance 1 vlan 10, 30 instance 2 vlan 20, 40 spanning-tree mst 0 priority 8192 spanning-tree mst 1 priority 8192 spanning-tree mst 2 priority 4096 spanning-tree sysmac 00d0.f8ee.8c1e vlan range 1,10,20,30,40...
  • Page 655 Configuration Guide Configuring MSTP spanning-tree guard loop spanning-tree mst 2 cost 4 spanning-tree mst 1 cost 1 spanning-tree mst 0 cost 1 interface GigabitEthernet 0/2 switchport switchport mode trunk switchport trunk native vlan 1 switchport trunk allowed vlan only 1-4094 spanning-tree guard loop spanning-tree mst 2 cost 1 spanning-tree mst 1 cost 4...
  • Page 656 Configuration Guide Configuring MSTP 7. Common Errors  When no bridge priority lower than that of the root bridge but higher than that of access devices is configured for non-root devices, the non-root core devices and access devices will determine upstream devices by comparing MAC addresses in the spanning tree calculation.
  • Page 657 Configuration Guide Configuring MSTP 2. Topology Figure 1-19 MSTP+VRRP Dual-Core Topology (figure: Router, Device A, Device B, Device C and Device D, linked through ports G0/1 to G0/6; VLAN10...)
  • Page 658 Configuration Guide Configuring MSTP the link recovers, the priority is restored. The value range is from 1 to 255 and the default value is 10.  Configure priority parameters: The VRRP priority change value needs to be taken into account together with the VRRP priority.
  • Page 659 Configuration Guide Configuring MSTP DeviceA(config)# spanning-tree mst 1 priority 4096 DeviceA(config)# spanning-tree mst 2 priority 8192 DeviceA(config)# spanning-tree Configure the MSTP function for core Device B. Create VLANs, and map instance 1 to VLAN 10 and VLAN 30 and instance 2 to VLAN 20 and VLAN 40. Set the bridge priority to 8192 for instances 0 and 1 and 4096 for instance 2 to make Device B become the root bridge of instance 2.
  • Page 660 Configuration Guide Configuring MSTP Configure port GigabitEthernet 0/5 of Device B as a Layer 3 interface and set the IP address to 10.10.2.1/24. Then, this port serves as the monitoring port of VLAN 20 and VLAN 40. DeviceB(config)# interface gigabitethernet 0/5 DeviceB(config-if-GigabitEthernet 0/5)# no switchport DeviceB(config-if-GigabitEthernet 0/5)# ip address 10.10.2.1 255.255.255.0 DeviceB(config-if-GigabitEthernet 0/5)# exit...
  • Page 661 Configuration Guide Configuring MSTP DeviceB(config-if-VLAN 40)# ip address 192.168.40.3 255.255.255.0 DeviceB(config-if-VLAN 40)# vrrp 40 ip 192.168.40.1 DeviceB(config-if-VLAN 40)# vrrp 40 priority 120 DeviceB(config-if-VLAN 40)# vrrp 40 track gigabitethernet 0/5 30 DeviceB(config-if-VLAN 40)# exit Configure the backup device (Device A). Enter an SVI and configure an SVI address. Add the SVI to the VRRP group and configure a virtual gateway IP address for the VRRP group.
  • Page 662 Configuration Guide Configuring MSTP DeviceA(config-if-range)# switchport mode trunk DeviceA(config-if-range)# switchport trunk native vlan 1 DeviceA(config-if-range)# switchport trunk allowed vlan all DeviceA(config-if-range)# end DeviceA# write Configure downlink ports GigabitEthernet 0/1–0/2 of Device B as trunk ports. DeviceB(config)# interface range gigabitethernet 0/1-2 DeviceB(config-if-range)# switchport DeviceB(config-if-range)# switchport mode trunk DeviceB(config-if-range)# switchport trunk native vlan 1...
  • Page 663 Configuration Guide Configuring MSTP DeviceC(config)# interface gigabitethernet 0/6 DeviceC(config-if-GigabitEthernet 0/6)# switchport DeviceC(config-if-GigabitEthernet 0/6)# switchport mode access DeviceC(config-if-GigabitEthernet 0/6)# switchport access vlan 40 DeviceC(config-if-GigabitEthernet 0/6)# end DeviceC# write Configure Device D. DeviceD(config)# interface gigabitethernet 0/3 DeviceD(config-if-GigabitEthernet 0/3)# switchport DeviceD(config-if-GigabitEthernet 0/3)# switchport mode access DeviceD(config-if-GigabitEthernet 0/3)# switchport access vlan 10 DeviceD(config-if-GigabitEthernet 0/3)# exit DeviceD(config)# interface gigabitethernet 0/4...
  • Page 664 Configuration Guide Configuring MSTP Interface Role Sts Cost Prio OperEdge Type ---------------- ---- --- ---------- -------- -------- ---------------- Desg FWD 19000 False Gi0/1 Desg FWD 200000 False Gi0/2 Desg FWD 200000 False MST 1 vlans map : 10,30 Region Root Priority 4096 Address 00d0.f822.3344...
  • Page 665 Configuration Guide Configuring MSTP Hello Time 2 sec Forward Delay 15 sec Max Age 20 sec Interface Role Sts Cost Prio OperEdge Type ---------------- ---- --- ---------- -------- -------- ---------------- Root FWD 19000 False Gi0/1 Desg FWD 200000 False Gi0/2 Desg FWD 200000 False MST 1 vlans map : 10,30...
  • Page 666 Configuration Guide Configuring MSTP Bridge ID Priority 32768 Address 001a.a979.00ea Hello Time 2 sec Forward Delay 15 sec Max Age 20 sec Interface Role Sts Cost Prio Type OperEdge ---------------- ---- --- ---------- -------- ----- --------------- Gi0/2 Altn BLK 200000 False Gi0/1 Root FWD 200000...
  • Page 667 Configuration Guide Configuring MSTP DeviceB# show vrrp brief Interface Grp Pri timer Own Pre State Master addr Group addr VLAN 10 100 3 Backup 192.168.10.2 192.168.10.1 VLAN 20 120 3 Master 192.168.20.3 192.168.20.1 VLAN 30 100 3 Backup 192.168.30.2 192.168.30.1 VLAN 40 120 3 Master 192.168.40.3 192.168.40.1...
  • Page 668 Configuration Guide Configuring MSTP instance 0 vlan 1-9, 11-19, 21-29, 31-39, 41-4094 instance 1 vlan 10, 30 instance 2 vlan 20, 40 spanning-tree mst 0 priority 4096 spanning-tree mst 1 priority 4096 spanning-tree mst 2 priority 8192 spanning-tree sysmac 00d0.f822.3344 vlan range 1,10,20,30,40 interface GigabitEthernet 0/1 switchport...
  • Page 669 Configuration Guide Configuring MSTP interface vlan 20 ip address 192.168.20.2 255.255.255.0 vrrp 20 ip 192.168.20.1 interface vlan 30 ip address 192.168.30.3 255.255.255.0 vrrp 30 ip 192.168.30.1 vrrp 30 priority 120 vrrp 30 track gigabitethernet 0/5 30 interface vlan 40 ip address 192.168.40.2 255.255.255.0 vrrp 40 ip 192.168.40.1...
  • Page 670 Configuration Guide Configuring MSTP port-group 1 interface AggregatePort 1 switchport switchport mode trunk switchport trunk native vlan 1 switchport trunk allowed vlan only 1-4094 interface gigabitethernet 0/5 no switchport ip address 10.10.2.1 255.255.255.0 interface vlan 10 ip address 192.168.10.2 255.255.255.0 vrrp 10 ip 192.168.10.1 interface vlan 20 ip address 192.168.20.3 255.255.255.0...
  • Page 671 Configuration Guide Configuring MSTP interface GigabitEthernet 0/2 switchport switchport mode trunk switchport trunk native vlan 1 switchport trunk allowed vlan only 1-4094 interface GigabitEthernet 0/3 switchport switchport mode access switchport access vlan 10 spanning-tree bpduguard enable spanning-tree portfast interface GigabitEthernet 0/4 switchport switchport mode access switchport access vlan 20...
  • Page 672 Configuration Guide Configuring MSTP 1.23.3 Configuring Spanning Tree Compatibility for MSTP Interfaces 1. Requirements In the topology as shown in Figure 1-20, enable MSTP on Device A and Device B and configure the same instance mappings on the devices: Associate instance 1 with VLAN 10 and add port GigabitEthernet 0/1 to VLAN 10;...
  • Page 673 Configuration Guide Configuring MSTP DeviceA(config-if-GigabitEthernet 0/2)# switchport mode access DeviceA(config-if-GigabitEthernet 0/2)# switchport access vlan 20 DeviceA(config-if-GigabitEthernet 0/2)# spanning-tree compatible enable DeviceA(config-if-GigabitEthernet 0/2)# exit (3) Enable the STP function. DeviceA(config)# spanning-tree DeviceA(config)# end DeviceA# write 5. Verification (1) If no spanning tree compatibility is configured for interfaces, check the spanning tree configuration as follows.
  • Page 674 Configuration Guide Configuring MSTP Region Root Priority 32768 Address 0074.9cee.53ca this bridge is region root Bridge ID Priority 32768 Address 0074.9cee.53ca Interface Role Sts Cost Prio OperEdge Type ---------------- ---- --- ---------- -------- -------- ---------------- Gi0/1 Desg FWD 20000 False Gi0/2 Desg FWD 20000 False...
  • Page 675 Configuration Guide Configuring MSTP Gi0/2 Altn BLK 20000 False MST 2 vlans map : 20 Region Root Priority 32768 Address 0074.9cee.53ca this bridge is region root Bridge ID Priority 32768 Address 0074.9cee.f49e Interface Role Sts Cost Prio OperEdge Type ---------------- ---- --- ---------- -------- -------- ---------------- Gi0/1 Altn BLK 20000 False...
  • Page 676 Configuration Guide Configuring MSTP ---------------- ---- --- ---------- -------- -------- ---------------- Gi0/1 Desg FWD 20000 False The spanning tree is pruned in instance 2. Only port GigabitEthernet 0/2 belonging to VLAN 20 is the designated port. MST 2 vlans map : 20 Region Root Priority 32768 Address...
  • Page 677 Configuration Guide Configuring MSTP Interface Role Sts Cost Prio OperEdge Type ---------------- ---- --- ---------- -------- -------- ---------------- Gi0/1 Root FWD 20000 False The spanning tree is pruned in instance 2. Only port GigabitEthernet 0/2 belonging to VLAN 20 is the root port and there is no alternate port.
  • Page 678 Configuration Guide Configuring MSTP tree compatibility function cannot perform spanning tree pruning based on instances. In this case, it is not necessary to configure the spanning tree compatibility function. 1.23.4 Configuring BPDU Tunnel 1. Requirements In the typical QinQ network topology shown in Figure 1-21, the upper part is the service provider network while the lower part is the customer network...
  • Page 679 Configuration Guide Configuring MSTP • Configure the uplink and downlink ports of CE 1 and CE 2 as trunk ports. 4. Procedure (1) Configure MSTP on PE 1 and PE 2. Set the bridge priority to 4094 for instances 0 and 1 and 8192 for instance 2 on PE 1. PE1>...
  • Page 680 Configuration Guide Configuring MSTP (3) Configure the uplink ports of PE 1 and PE 2 as the uplink ports. The configurations on PE 1 are the same as those on PE 2. The following uses PE 1 as an example. PE1(config)# interface gigabitethernet 0/5 PE1(config-if-GigabitEthernet 0/5)# switchport PE1(config-if-GigabitEthernet 0/5)# switchport mode uplink...
  • Page 681 Configuration Guide Configuring MSTP (2) Verify that the STP tunnel function is enabled in both global configuration mode and interface configuration mode on PE 1 and PE 2. The configurations on PE 1 are the same as those on PE 2. The following uses PE 1 as an example.
  • Page 682 Configuration Guide Configuring MSTP this bridge is region root Bridge ID Priority 8192 Address 0074.9cee.f49e Interface Role Sts Cost Prio OperEdge Type ---------------- ---- --- ---------- -------- -------- ---------------- Gi0/5 Root FWD 20000 False Check the spanning tree topology on PE 2. For instances 0 and 1, PE 1 is the root of PE 2 and port GigabitEthernet 0/5 is the root port.
  • Page 683 Configuration Guide Configuring MSTP this bridge is region root Bridge ID Priority 4096 Address 00d0.f8ee.8c1e Interface Role Sts Cost Prio OperEdge Type ---------------- ---- --- ---------- -------- -------- ---------------- Gi0/5 Desg FWD 20000 False (4) Check that CE 1 and CE 2 have independent spanning tree topologies. Check the spanning tree topology on CE 1.
  • Page 684 Configuration Guide Configuring MSTP 6. Configuration Files  PE 1 configuration file l2protocol-tunnel stp spanning-tree mst configuration instance 0 vlan 1-9, 11-19, 21-29, 31-39, 41-4094 instance 1 vlan 10, 30 instance 2 vlan 20, 40 spanning-tree mst 0 priority 4096 spanning-tree mst 1 priority 4096 spanning-tree mst 2 priority 8192 spanning-tree...
  • Page 685 Configuration Guide Configuring MSTP interface GigabitEthernet 0/1 switchport switchport mode dot1q-tunnel switchport dot1q-tunnel allowed vlan add untagged 10 switchport dot1q-tunnel native vlan 10 l2protocol-tunnel stp enable interface GigabitEthernet 0/5 switchport switchport mode uplink switchport trunk native vlan 1 switchport trunk allowed vlan only 1-4094...
  • Page 686 Configuration Guide Configuring MSTP interface GigabitEthernet 0/2 switchport switchport mode trunk switchport trunk native vlan 1 switchport trunk allowed vlan only 1-4094 7. Common Errors • The Layer 2 protocol tunnel function is not enabled in both global configuration mode and interface configuration mode...
  • Page 687 Configuration Guide Configuring MSTP DeviceA(config-if-GigabitEthernet 0/1)# switchport mode trunk DeviceA(config-if-GigabitEthernet 0/1)# switchport trunk native vlan 1 DeviceA(config-if-GigabitEthernet 0/1)# switchport trunk allowed vlan all DeviceA(config-if-GigabitEthernet 0/1)# exit DeviceA(config)# interface gigabitethernet 0/2 DeviceA(config-if-GigabitEthernet 0/2)# switchport DeviceA(config-if-GigabitEthernet 0/2)# switchport mode trunk DeviceA(config-if-GigabitEthernet 0/2)# switchport trunk native vlan 1 DeviceA(config-if-GigabitEthernet 0/2)# switchport trunk allowed vlan all DeviceA(config-if-GigabitEthernet 0/2)# spanning-tree mst 0 port-priority 16 DeviceA(config-if-GigabitEthernet 0/2)# exit...
  • Page 688 Configuration Guide Configuring MSTP Root ID Priority Address 0074.9cee.53ca this bridge is root Hello Time 2 sec Forward Delay 15 sec Max Age 20 sec Bridge ID Priority Address 0074.9cee.53ca Hello Time 2 sec Forward Delay 15 sec Max Age 20 sec Interface Role Sts Cost Prio...
  • Page 689 Configuration Guide Configuring MSTP Interface Role Sts Cost Prio OperEdge Type ---------------- ---- --- ---------- -------- -------- ---------------- Gi0/1 Desg FWD 20000 False Gi0/2 Desg FWD 20000 False Check the spanning tree topology on Device B. Device A is still the root of Device B, but port GigabitEthernet 0/1 of Device B becomes the root port, and port GigabitEthernet 0/2 becomes an alternate port.
  • Page 690 Configuration Guide Configuring MSTP • Device B configuration file spanning-tree interface GigabitEthernet 0/1 switchport switchport mode trunk switchport trunk native vlan 1 switchport trunk allowed vlan only 1-4094 interface GigabitEthernet 0/2 switchport switchport mode trunk switchport trunk native vlan 1 switchport trunk allowed vlan only 1-4094...
  • Page 691 Configuration Guide Configuring MSTP • GigabitEthernet 0/3 and 0/4 join AggregatePort 3, which is used as the peer link of M-LAG to synchronize data and transmit partial traffic. As the dual-active detection link of Device A and Device B, GigabitEthernet 0/5 is used to detect the dual-active status of M-LAG devices when the Peer Link fails...
  • Page 692 Configuration Guide Configuring MSTP DeviceA(config-if-AggregatePort 3)# exit DeviceA(config)# interface gigabitethernet 0/3 DeviceA(config-if-GigabitEthernet 0/3)# description link-to-DeviceB-G0/3-peerlink DeviceA(config-if-GigabitEthernet 0/3)# port-group 3 mode active DeviceA(config-if-GigabitEthernet 0/3)# exit DeviceA(config)# interface gigabitethernet 0/4 DeviceA(config-if-GigabitEthernet 0/4)# description link-to-DeviceB-G0/4-peerlink DeviceA(config-if-GigabitEthernet 0/4)# port-group 3 mode active DeviceA(config-if-GigabitEthernet 0/4)# exit Configure the IP address of the Layer 3 SVI of the Peer Link as 20.20.20.1/24.
  • Page 693 Configuration Guide Configuring MSTP DeviceA(config)# interface aggregateport 2 DeviceA(config-if-AggregatePort 2)# switchport DeviceA(config-if-AggregatePort 2)# switchport mode trunk DeviceA(config-if-AggregatePort 2)# switchport trunk native vlan 1 DeviceA(config-if-AggregatePort 2)# switchport trunk allowed vlan all DeviceA(config-if-AggregatePort 2)# vap 2 DeviceA(config)# interface gigabitethernet 0/2 DeviceA(config-if-GigabitEthernet 0/2)# description link-to-DeviceD-G0/2 DeviceA(config-if-GigabitEthernet 0/2)# port-group 2 mode active DeviceA(config-if-GigabitEthernet 0/2)# exit (3) Configure the M-LAG function on Device B.
  • Page 694 Configuration Guide Configuring MSTP Configure the local IP address of the dual-active detection channel as 192.168.3.2, and the peer IP address as 192.168.3.1. DeviceB(config)# vap domain 1 DeviceB(config-vap-domain)# data-sync local 20.20.20.2 peer 20.20.20.1 DeviceB(config-vap-domain)# peer-keepalive local 192.168.3.2 peer 192.168.3.1 DeviceB(config-vap-domain)# exit Configure VAP 1: Create AggregatePort 1 and join VAP 1.
  • Page 695 Configuration Guide Configuring MSTP DeviceC(config-if-GigabitEthernet 0/1)# exit DeviceC(config)# interface gigabitethernet 0/2 DeviceC(config-if-GigabitEthernet 0/2)# description link-to-DeviceB-G0/1 DeviceC(config-if-GigabitEthernet 0/2)# switchport DeviceC(config-if-GigabitEthernet 0/2)# port-group 1 mode active DeviceC(config-if-GigabitEthernet 0/2)# exit (5) Create AggregatePort 2 on Device D, and configure the uplink interfaces GigabitEthernet 0/1 and 0/2 as member ports of AggregatePort 2.
  • Page 696 Configuration Guide Configuring MSTP 4. Verification (1) Run the show vap summary command to check whether M-LAG has been established successfully. Check the establishment of M-LAG on Device A. Device A is the Master, AggregatePort 3 of the peer link is Up, and AggregatePort 1 and AggregatePort 2 of the downstream channel are Up.
  • Page 697 Configuration Guide Configuring MSTP Check whether the V-STP function is enabled on Device A. The value in Local bridge mac field indicates that the MAC address of local bridge is 00d0.f822.363c, and the value in Selected bridge mac field indicates that the MAC address of the virtual bridge is 00d0.f822.363c. DeviceA# show spanning-tree v-stp information V-STP status : enable...
  • Page 698 Configuration Guide Configuring MSTP Desg FWD 19000 False Desg FWD 19000 False Check the STP calculation results of Device B. Device A (00d0.f822.363c) is the root. MAC address in the Bridge ID of the device is 00d0.f822.363c, not 8005.8822.b467, which is the MAC address of Device B, indicating that the V-STP function virtualizes the M-LAG active and standby devices into a bridge device M-LAG Domain 1 (00d0.
  • Page 699 Configuration Guide Configuring MSTP Check the STP calculation results of Device D. M-LAG Domain 1 (00d0.f822.363c) formed by Device A and Device B is the root. AggregatePort 2 of Device D is the Root port and is in Forwarding state. GigabitEthernet 0/3 is the Alternate port, and is in Blocking state...
  • Page 700 Configuration Guide Configuring MSTP switchport port-group 3 mode active interface GigabitEthernet0/5 no switchport description link-to-DeviceB-G0/5 ip address 192.168.3.1 255.255.255.0 interface AggregatePort1 switchport switchport mode trunk switchport trunk native vlan 1 switchport trunk allowed vlan only 1-4094 vap 1 interface AggregatePort2 switchport switchport mode trunk switchport trunk native vlan 1...
  • Page 701 Configuration Guide Configuring MSTP switchport port-group 1 mode active interface GigabitEthernet 0/2 description link-to-DeviceD-G0/1 switchport port-group 2 mode active interface GigabitEthernet 0/3 description link-to-DeviceA-G0/3-peerlink switchport port-group 3 mode active interface GigabitEthernet 0/4 description link-to-DeviceA-G0/4-peerlink switchport port-group 3 mode active interface GigabitEthernet 0/5 no switchport description link-to-DeviceA-G0/5 ip address 192.168.3.2 255.255.255.0...
  • Page 702 Configuration Guide Configuring MSTP ip address 20.20.20.2 255.255.255.0 vap domain 1 data-sync local 20.20.20.2 peer 20.20.20.1 peer-keepalive local 192.168.3.2 peer 192.168.3.1  Device C configuration file hostname DeviceC spanning-tree sysmac 0074.9cee.53ca vlan 1 interface GigabitEthernet 0/1 description link-to-DeviceA-G0/1 switchport port-group 1 mode active interface GigabitEthernet 0/2 description link-to-DeviceB-G0/1 switchport...
  • Page 703 Configuration Guide Configuring MSTP switchport trunk allowed vlan only 1-4094 6. Common Errors • If the M-LAG member devices are not connected successfully, the spanning tree cannot be virtualized successfully. In this case, check whether the state of the M-LAG aggregate interface is correct and whether the interface configuration is correct...
  • Page 704 Configuration Guide Contents Contents 1 Configuring ERPS; 1.1 Introduction; 1.1.1 Overview; 1.1.2 Control VLAN and Data VLAN; 1.1.3 Basic Model of an Ethernet Ring; 1.1.4 RPL and Nodes; 1.1.5 ERPS Packet...
  • Page 705 Configuration Guide Contents 1.5.1 Overview; 1.5.2 Restrictions and Guidelines; 1.5.3 Procedure; 1.6 Configuring Major Rings to Associate with Subrings; 1.6.1 Overview; 1.6.2 Restrictions and Guidelines; 1.6.3 Procedure; 1.7 Configuring Subring Topology Change Notification...
  • Page 706 Configuration Guide Contents 1.11.2 Procedure; 1.12 Monitoring; 1.13 Configuration Examples; 1.13.1 Configuring Single-Ring Protection; 1.13.2 Configuring Tangent-Ring Protection; 1.13.3 Configuring Intersecting-Ring Protection; 1.13.4 Configuring Load Balancing; 1.13.5 Modifying ERPS Configuration...
  • Page 707 Configuration Guide Configuring ERPS Configuring ERPS Introduction 1.1.1 Overview Ethernet Ring Protection Switching (ERPS), also known as G.8032, is a ring protection protocol developed by the International Telecommunication Union (ITU). It is a data link layer protocol specially designed for Ethernet rings.
  • Page 708 Configuration Guide Configuring ERPS Figure 1-1 Basic Topologies of Ethernet Rings (topology diagram: major rings and a subring, with rings labeled ERPS 1 to ERPS 5)...
  • Page 709 Configuration Guide Configuring ERPS 4. Ring Member Port An Ethernet ring has two ring member ports on each node that it passes through: the west and east ports. As shown in Figure 1-1: • If an ERPS ring is a closed major ring, each node that the ring passes through has two interfaces used as west and east ports for adding the node to the ERPS ring...
  • Page 710 Configuration Guide Configuring ERPS Figure 1-2 Typical Topology of Tangent Rings (topology diagram: rings ERPS1 and ERPS2, each with its own RPL owner)...
  • Page 711 Configuration Guide Configuring ERPS failure. • NR packet: When the failed link is restored, the node sends an NR packet to notify the RPL owner node of its link recovery. • NR-RB packet: When all nodes in an ERPS ring function properly, the RPL owner node sends NR-RB packets periodically...
  • Page 712 Configuration Guide Configuring ERPS ○ After receiving this NR-RB packet, other nodes update their MAC address entries and ARP/ND entries, and the node that sends the NR packet stops sending the NR packet and enables the blocked ports. ○ The ring network is restored to the normal state. 1.1.8 Load Balancing One control VLAN identifies one ERPS ring and corresponds to the data VLANs that it needs to protect.
  • Page 713 Configuration Guide Configuring ERPS Enabling ERPS Globally Configuring a Control VLAN for an Ethernet Ring 1.3.1 Overview A control VLAN, also known as an R-APS VLAN, is used to transmit ERPS protocol packets. A group of interconnected devices in the same control VLAN constitute an Ethernet ring (ERPS ring). For an ERPS ring, the same Ethernet ring R-APS VLAN needs to be configured on each node that it passes through.
  • Page 714 Configuration Guide Configuring ERPS If an ERPS ring is a closed major ring, each node that the ring passes through has two interfaces used as the west and east ports for adding the node to the ERPS ring. If an ERPS ring is a non-closed subring, a non-intersecting node has two interfaces used as the west and east...
  • Page 715 Configuration Guide Configuring ERPS enable Enter the global configuration mode. configure terminal (2) Enter the R-APS VLAN configuration mode of an Ethernet ring. erps raps-vlan vlan-id By default, an Ethernet ring control VLAN does not exist. (3) Configure the Layer 2 Ethernet interface or Layer 2 aggregate interface as a member port of the Ethernet ring.
  • Page 716 Configuration Guide Configuring ERPS Configuring Major Rings to Associate with Subrings 1.6.1 Overview When there are intersecting rings in an Ethernet ring topology, the major ring needs to be configured to associate with all subrings on all nodes in the major ring (no matter whether the subrings are directly connected to the nodes) so that the ERPS packets of subrings can be transmitted in the major ring.
  • Page 717 Configuration Guide Configuring ERPS configure terminal (3) Enter the control VLAN configuration mode of a subring. erps raps-vlan sub-ring-vlan-id (4) Enable the subring topology change notification. sub-ring tc-propagation enable Configuring a Protected VLAN for an Ethernet Ring 1.8.1 Overview This section describes how to configure the data VLANs to be protected by an ERPS ring. All VLANs are protected by an ERPS ring by default.
  • Page 718 Configuration Guide Configuring ERPS Enabling ERPS for an Ethernet Ring 1.9.1 Overview This section describes how to enter the R-APS VLAN configuration mode of a specified Ethernet ring, and enable the ERPS function for this Ethernet ring. If more than one Ethernet ring passes through a node, the ERPS function of each Ethernet ring needs to be enabled separately.
  • Page 719 Configuration Guide Configuring ERPS (3) Enter the control VLAN configuration mode. erps raps-vlan vlan-id (4) Configure a timer. timer { holdoff-time interval1 | guard-time interval2 | wtr-time interval3 } 1.11 Enabling ERPS Globally 1.11.1 Overview After completing all configurations of the ERPS function, you need to enable ERPS globally on each node that an Ethernet ring passes through so that ERPS takes effect...
  • Page 720 Configuration Guide Configuring ERPS 1.13 Configuration Examples 1.13.1 Configuring Single-Ring Protection 1. Requirements As shown in Figure 1-5, there is only one ring in the network topology. All nodes are connected in a ring in the physical topology. ERPS blocks the RPL to prevent loops, and detects faults on each link between adjacent nodes.
  • Page 721 Configuration Guide Configuring ERPS Node1> enable Node1# configure terminal Node1(config)# interface range gigabitethernet 0/1-2 Node1(config-if-rang)# switchport Node1(config-if-rang)# switchport mode trunk Node1(config-if-rang)# exit Create an Ethernet ring control VLAN, that is, R-APS VLAN 100. Node1(config)# erps raps-vlan 100 Add the two interfaces GigabitEthernet 0/1 and 0/2 to the Ethernet ring. Node1(config-erps 100)# ring-port west gigabitethernet 0/1 east gigabitethernet Enable the ERPS function for the Ethernet ring.
  • Page 722 Configuration Guide Configuring ERPS ERPS Information Global Status : Enabled Link monitored by : Not Oam ------------------------------------------- R-APS VLAN : 100 Ring Status : Enabled West Port : Gi0/1 (Forwarding) East Port : Gi0/2 (Forwarding) RPL Port : None Protected VLANs : ALL RPL Owner : Disabled...
  • Page 723 Configuration Guide Configuring ERPS interface GigabitEthernet 0/2 switchport mode trunk • Configuration file for node 4 erps enable erps raps-vlan 100 ring-port west GigabitEthernet 0/1 east GigabitEthernet 0/2 rpl-port east rpl-owner state enable interface GigabitEthernet 0/1 switchport mode trunk interface GigabitEthernet 0/2 switchport mode trunk 7...
  • Page 724 Configuration Guide Configuring ERPS 2. Topology Figure 1-6 Application Scenario of Tangent-Ring Protection (topology diagram: rings ERPS1 and ERPS2, each with its own RPL owner)...
  • Page 725 Configuration Guide Configuring ERPS GigabitEthernet 0/2 as an RPL port, and enable the ERPS function for the Ethernet ring. ○ Enable the global ERPS function. 4. Procedure (1) Configure single-ring nodes (node 1 and node 2) of ERPS 1 in the same way. The following uses node 1 as an example.
  • Page 726 Configuration Guide Configuring ERPS Node3(config-if-range)# exit Node3(config)# erps raps-vlan 200 Node3(config-erps 200)# ring-port west gigabitethernet 0/3 east gigabitethernet Node3(config-erps 200)# state enable Node3(config-erps 200)# exit Enable the global ERPS function. Node3(config)# erps enable (3) Configure node 4 that is a single-ring node and an RPL owner node of ERPS 1. Configure the links of Ethernet ring ports GigabitEthernet 0/1 and 0/2 of ERPS 1 to work in trunk mode.
  • Page 727 Configuration Guide Configuring ERPS Node5(config-if-GigabitEthernet 0/2)# exit Node5(config)# erps raps-vlan 200 Node5(config-erps 200)# ring-port west gigabitethernet 0/1 east gigabitethernet Node5(config-erps 200)# state enable Node5(config-erps 200)# exit Enable the global ERPS function. Node5(config)# erps enable (5) Configure node 6 that is a single-ring node and an RPL owner node of ERPS 2. Configure the links of Ethernet ring ports GigabitEthernet 0/1 and GigabitEthernet 0/2 of ERPS 2 to work in trunk mode.
  • Page 728 Configuration Guide Configuring ERPS Guard Time : 500 milliseconds WTR Time : 2 minutes Current Ring State : Idle Associate R-APS VLAN -------------------------------------------- R-APS VLAN : 100 Ring Status : Enabled West Port : Gi 0/1 (Forwarding) East Port : Gi 0/2 (Forwarding) RPL Port : East Port Protected VLANs...
  • Page 729 Configuration Guide Configuring ERPS 2. Topology Figure 1-7 Application Scenario of Intersecting-Ring Protection (topology diagram: intersecting rings, including ERPS3 and ERPS4 with their RPL owners)...
  • Page 730 Configuration Guide Configuring ERPS ○ Enable the global ERPS function. • Node 4 is the intersecting node of the major ring ERPS 1 and subrings ERPS 2, ERPS 3, and ERPS 4. Notes for configuring this node are as follows: ○ Configure the major ring R-APS VLAN 100, add GigabitEthernet 0/1 and GigabitEthernet 0/2 to R-APS VLAN 100, associate the major ring with subrings R-APS VLANs 200, 300, and 400, and enable the ERPS function for the Ethernet ring...
  • Page 731 Configuration Guide Configuring ERPS Node1(config-if-range)# switchport mode trunk Node1(config-if-range)# exit Node1(config)# erps raps-vlan 100 Node1(config-erps 100)# ring-port west gigabitethernet 0/1 east gigabitethernet Node1(config-erps 100)# rpl-port east rpl-owner Node1(config-erps 100)# associate sub-ring raps-vlan 200,300,400 Node1(config-erps 100)# state enable Node1(config-erps 100)# exit Configure the subring ERPS 4 of the intersecting rings.
  • Page 732 Configuration Guide Configuring ERPS Node3# configure terminal Node3(config)# interface range gigabitethernet 0/1-2 Node3(config-if-range)# switchport Node3(config-if-range)# switchport mode trunk Node3(config-if-range)# exit Node3(config)# erps raps-vlan 100 Node3(config-erps 100)# ring-port west gigabitethernet 0/1 east gigabitethernet Node3(config-erps 100)# associate sub-ring raps-vlan 200,300,400 Node3(config-erps 100)# state enable Node3(config-erps 100)# exit Configure the link mode for ports in ERPS 2, configure an R-APS VLAN for ERPS 2, add interfaces to the subring, and enable the ERPS function.
  • Page 733 Configuration Guide Configuring ERPS Node4(config-erps 100)# ring-port west gigabitethernet 0/1 east gigabitethernet Node4(config-erps 100)# associate sub-ring raps-vlan 200,300,400 Node4(config-erps 100)# state enable Node4(config-erps 100)# exit Configure the link mode for ports in subring ERPS 2, configure an R-APS VLAN for subring ERPS 2, add interfaces to the subring, and enable the ERPS function.
  • Page 734 Configuration Guide Configuring ERPS Node5(config-if-range)# switchport Node5(config-if-range)# switchport mode trunk Node5(config-if-range)# exit Node5(config)# erps raps-vlan 200 Node5(config-erps 200)# ring-port west gigabitethernet 0/1 east gigabitethernet Node5(config-erps 200)# rpl-port west rpl-owner Node5(config-erps 200)# state enable Node5(config-erps 200)# exit Enable the global ERPS function. Node5(config)# erps enable (6) Configure node 6.
  • Page 735 Configuration Guide Configuring ERPS Node7(config)# erps enable 5. Verification Run the show erps command on each node to verify the configuration. The following uses node 3 as an example. Node3# show erps ERPS Information Global Status : Enabled Link monitored by : Not Oam -------------------------------------------- R-APS VLAN...
  • Page 736 Configuration Guide Configuring ERPS Current Ring State : Idle Associate R-APS VLAN : 200,300,400 6. Common Errors • The Ethernet ring ERPS function is enabled, but the global ERPS function is not enabled. In this case, the ERPS function does not take effect...
  • Page 737 Configuration Guide Configuring ERPS are non-RPL owner nodes. Notes for configuring these nodes are as follows: ○ Configure R-APS VLAN 100, add interfaces GigabitEthernet 0/1 and GigabitEthernet 0/2 to the Ethernet ring, configure VLANs corresponding to instance 1 protected by the Ethernet ring, and enable the ERPS function for the Ethernet ring.
  • Page 738 Configuration Guide Configuring ERPS Configure node 4. Node4> enable Node4# configure terminal Node4(config)# spanning-tree mst configuration Node4(config-mst)# instance 1 vlan 1-2000 Node4(config-mst)# instance 2 vlan 2001-4094 Node4(config-mst)# exit (2) Configure a single-ring node, namely, node 1. Configure the links of the Ethernet ring ports (GigabitEthernet 0/1 and GigabitEthernet 0/2) to work in trunk mode.
  • Page 739 Configuration Guide Configuring ERPS Node2(config-erps 100)# protected-instance 1 Node2(config-erps 100)# ring-port west gigabitethernet 0/1 east gigabitethernet Node2(config-erps 100)# state enable Node2(config-erps 100)# exit Configure VLANs in instance 2 protected by ERPS 2, add the ports to the Ethernet ring, and enable the ERPS function.
  • Page 740 Configuration Guide Configuring ERPS Configure the links of the Ethernet ring ports (GigabitEthernet 0/1 and GigabitEthernet 0/2) to work in trunk mode. Node4(config)# interface range gigabitethernet 0/1-2 Node4(config-if-rang)# switchport Node4(config-if-rang)# switchport mode trunk Node4(config-if-rang)# exit Configure VLANs in instance 1 protected by ERPS 1, add the ports to the ring, specify the RPL owner port, and enable the ERPS function.
  • Page 741 Configuration Guide Configuring ERPS Associate R-APS VLAN -------------------------------------------- R-APS VLAN : 200 Ring Status : Enabled West Port : Gi 0/1 (Forwarding) East Port : Gi 0/2 (Blocking) RPL Port : West Port Protected VLANs : 2001-4094 RPL Owner : Enabled Holdoff Time : 0 milliseconds Guard Time...
  • Page 742 Configuration Guide Configuring ERPS • Enable the ERPS function for this ring. • Modify the ERPS timers. 4. Procedure (1) Configure node 1. In interface configuration mode, shut down a link in the ring to prevent loops. Node1> enable Node1# configure terminal Node1(config)# interface gigabitethernet 0/1 Node1(config-if-GigabitEthernet 0/1)# shutdown Node1(config-if-GigabitEthernet 0/1)# exit...
  • Page 743 Configuration Guide Configuring ERPS -------------------------------------------- R-APS VLAN : 100 Ring Status : Enabled West Port : Gi 0/1 (Forwardin) East Port : Gi 0/3 (Forwardin) RPL Port : None Protected VLANs : ALL RPL Owner : Enabled Holdoff Time : 0 milliseconds Guard Time : 500 milliseconds WTR Time...
  • Page 744 Configuration Guide Contents Contents 1 Configuring LLDP ..........................1 Introduction ..........................1 Overview ........................1 LLDP Packet ........................1 LLDPDU ......................... 2 TLV ..........................3 LLDP Packet Transmission Mechanism ................ 6 LLDP Packet Receiving Mechanism................6 Protocols and Standards ....................7 Restrictions and Guidelines .......................
  • Page 745 Configuration Guide Contents Overview ........................10 Procedure ........................10 Configuring Packet Sending Interval ..................11 Overview ........................11 Restrictions and Guidelines ..................11 Procedure ........................11 Configuring TTL Multiplier ......................11 Overview ........................11 Restrictions and Guidelines ..................11 Procedure ........................11 Configuring LLDP Packet Sending Delay Time ..............
  • Page 746 Configuration Guide Contents Procedure ........................16 Configuring Interface to Publish City Location ..............16 Overview ........................16 Restrictions and Guidelines ..................17 Procedure ........................17 Configuring Interface to Publish Emergency Contact Number ..........18 Overview ........................18 Restrictions and Guidelines ..................18 Procedure ........................
  • Page 747 Configuration Guide Contents Restrictions and Guidelines ..................23 Procedure ........................23 Monitoring ..........................24 Configuration Examples ......................25 Checking the Neighbors Connected to the Device by Using the LLDP Function ..25 Configuring the LLDP Error Detection Function ............27...
  • Page 748 Configuration Guide Configuring LLDP Configuring LLDP Introduction Overview The Link Layer Discovery Protocol (LLDP) is an L2 discovery protocol defined in the IEEE 802.1AB standard. It is used to discover a topology and identify topological changes. LLDP encapsulates local information of a device into LLDP data units (LLDPDUs) in the type length value (TLV) format and then sends the LLDPDUs to neighbors.
  • Page 749 Configuration Guide Configuring LLDP Field Byte Description Type Ethernet type, which is 0x88CC. LLDPDU 400-1500 LLDP data unit. Frame check sequence. Table 1-2 describes the related fields of an LLDP packet encapsulated in SNAP format. Description of Fields in an LLDP Packet Encapsulated in SNAP Format Field Byte Description...
  • Page 750 Configuration Guide Configuring LLDP The data unit field in the LLDP frame is LLDPDU, which is composed of a series of variable length information elements. Each information element is called a TLV. A device that supports the LLDP function records its own status information in TLVs and advertises it to the neighbor, and obtains the status information of the neighbor through the TLVs.
  • Page 751 Configuration Guide Configuring LLDP TTL of local information on a neighbor. When a device receives Time To Live TLV Mandatory a TLV with TTL of 0, it deletes the neighbor information. Port Description TLV Descriptor of the interface sending an LLDPDU. Optional System Name TLV Device name.
  • Page 752 Configuration Guide Configuring LLDP TLV Type / Description: MAC/PHY Configuration/Status TLV: TLV Type is 1. Rate and duplex mode of an interface, and whether auto-negotiation is supported and enabled. Power Via MDI TLV: TLV Type is 2. Power supply capacity of an interface. TLV Type is 3.
  • Page 753 Configuration Guide Configuring LLDP TLV Type Description Inventory – Manufacturer Name TLV Name of the manufacturer of a MED device. Inventory – Model Name TLV Module name of a MED device. Asset identifier of a MED device, used for inventory management and Inventory –...
  • Page 754 Configuration Guide Configuring LLDP provides information about a new neighbor or information update of an existing neighbor and stores the neighbor information locally. The device sets the TTL of neighbor information according to the value of TTL TLV in the packet. If the value of TTL TLV is 0, the neighbor information needs to be aged immediately. Protocols and Standards • ...
  • Page 755 Configuration Guide Configuring LLDP Enabling the LLDP Function Overview This section describes how to enable or disable the LLDP function globally and on an interface. The LLDP function is enabled globally and on an interface by default. The function configuration is optional. Restrictions and Guidelines • ...
  • Page 756 Configuration Guide Configuring LLDP Configuring the LLDP Packet Encapsulation Format Overview The same LLDP packet encapsulation format needs to be configured on the local device and its neighbors in interface configuration mode to ensure their normal communication. You can use the no lldp encapsulation snap command to configure the LLDP packet encapsulation format as SNAP, or use the...
  • Page 757 Configuration Guide Configuring LLDP • When the LLDP work mode of the interface is tx, the interface can only send packets but not receive packets. • When the LLDP work mode of the interface is rx, the interface can only receive packets but not send packets.
  • Page 758 Configuration Guide Configuring LLDP Configuring Packet Sending Interval Overview The LLDP packet sending interval is the period between LLDP packet transmissions. A short period means a high LLDP transmission frequency, which increases system resource consumption. If the period is too long, the peer device may not discover the local device in time.
  • Page 759 Configuration Guide Configuring LLDP lldp hold-multiplier ttl-value By default, the TTL multiplier of LLDP packets is 4. Configuring LLDP Packet Sending Delay Time Overview When the status information of a local device changes, the local device will send an LLDP packet to neighbor devices immediately.
  • Page 760 Configuration Guide Configuring LLDP configure terminal Configure the fast sending count of LLDP packets. lldp fast-count fast-count-value By default, the fast sending count of LLDP packets is Configuring LLDP Management Address Overview The LLDP management address is used to identify a device on the network and is transmitted in the Management Address TLV field in the basic management TLV.
  • Page 761 Configuration Guide Configuring LLDP Address TLV), you can use this function to configure whether to publish these optional TLVs in the LLDPDU. • Table 1-4 shows TLVs defined by IEEE 802.1. TLV types are optional. You can use this function to configure whether to publish Port VLAN ID TLV, Port And Protocol VLAN ID TLV and VLAN Name TLV in the LLDPDU.
  • Page 762 Configuration Guide Configuring LLDP ○ power: Power Via MDI TLV, which describes the power supply capability of the interface. • Run the lldp tlv-enable med-tlv command to configure the interface to publish LLDP-MED TLVs. Run the no lldp tlv-enable med-tlv command to configure the interface not to publish LLDP-MED TLVs.
  • Page 763 Configuration Guide Configuring LLDP Procedure Enter the privileged EXEC mode. enable Enter the global configuration mode. configure terminal Enter the interface configuration mode. ○ Enter the Layer 2 Ethernet interface configuration mode. interface { ethernet-type interface-number | range ethernet-type interface-range } ○...
  • Page 764 Configuration Guide Configuring LLDP configure the common address and device type. Next, enter the interface configuration mode of a specified interface, and configure the interface to publish the city location information (common address, device type) in the Location Identification TLV. Restrictions and Guidelines • ...
  • Page 765 Configuration Guide Configuring LLDP By default, no LLDP city location information exists. Configure the city location information. Configure common address information. country state county city division neighborhood street-group leading-street-dir trailing-street-suffix street-suffix number street-number-suffix landmark additional-location-information name postal-code building unit floor room type-of-place postal-community-name...
  • Page 766 Configuration Guide Configuring LLDP contact number is encapsulated in LLDP MED TLV (Link Layer Discovery Protocol Media Endpoint Discovery). location elin identifier id indicates that the interface is allowed to publish the emergency contact number in the Location Identification TLV. The value range of the policy ID is 1-1024. LLDP emergency contact number must be configured first before the TLV can be published.
  • Page 767 Configuration Guide Configuring LLDP Restrictions and Guidelines • network-policy profile [ profile-number ]: Allow the interface to publish Network Policy TLV and advertise the VLAN configuration of the interface, supported application types (such as voice or video), Layer 2/Layer 3 priority information, etc. profile-number indicates the network policy ID, with a value range of 1-1024. When the device is connected to an IP phone, if the IP phone supports LLDP-MED, you can configure the Network Policy TLV to issue policies to the IP phone.
  • Page 768 Configuration Guide Configuring LLDP details. • You can use the show lldp tlv-config [ interface interface-type interface-number ] command to view the TLV publish status on the interface. The STATUS field indicates the configured publish status, and the DEFAULT field indicates the default publish status. Procedure Enter the privileged EXEC mode.
  • Page 769 Configuration Guide Configuring LLDP Configuring Ignore PVID Detection Overview You can configure the ignore PVID detection function on the device. Procedure Enter the privileged EXEC mode. enable Enter the global configuration mode. configure terminal Configure the ignore PVID detection function. lldp ignore pvid-error-detect By default, the Ignore PVID detection function is disabled.
  • Page 770 Configuration Guide Configuring LLDP Procedure Enter the privileged EXEC mode. enable Enter the global configuration mode. configure terminal (Optional) Configure the interval for sending LLDP alarms. lldp timer notification-interval trap By default, the interval for sending LLDP alarm is 5 seconds. Enter the interface configuration mode.
  • Page 771 Configuration Guide Configuring LLDP interface { ethernet-type interface-number | range ethernet-type interface-range } ○ Enter the Layer 3 Ethernet interface configuration mode. interface { ethernet-type interface-number | range ethernet-type interface-range } ○ Enter the management interface configuration mode. interface mgmt interface-number Enable the LLDP error detection function.
  • Page 772 Configuration Guide Configuring LLDP Command Purpose show lldp statistics global interface Displays LLDP statistics. interface-type interface-number ] show lldp status interface interface-type Displays the LLDP status information. interface-number ] show lldp tlv-config [interface interface-type Displays the configuration of TLVs to be advertised by interface-number ] an interface.
  • Page 773 Configuration Guide Configuring LLDP Verification Check information about the neighbor connected to port GigabitEthernet 0/2 of Device A. It can be seen that GigabitEthernet 0/2 of Device A is connected to GigabitEthernet 0/1 of Device B, and the neighbor supports the bridging (B) and routing (R) functions.
  • Page 774 Configuration Guide Configuring LLDP Port description 802.1 organizationally information Port VLAN ID : 101 Port and protocol VLAN ID(PPVID) : 0 PPVID Supported : NO PPVID Enabled : NO VLAN name of VLAN 101 : VLAN0101 Protocol Identity 802.3 organizationally information Auto-negotiation supported : YES Auto-negotiation enabled...
  • Page 775 Configuration Guide Configuring LLDP Verification Forcibly set the rate of GigabitEthernet 0/2 of Device A to 100 Mbps. When the system prompts a mismatch with the rate and duplex mode of the connected port on the neighbor, the LLDP error detection function takes effect.
  • Page 776 Configuration Guide Contents: 1 Configuring Loop Detection; 1.1 Overview; 1.2 Applications; 1.2.1 Loop Occurring on the Downlink Hub Connected to an Access Switch; 1.2.2 Loop Occurring on Two Ports of a Switch; 1.2.3 Loop Occurring Between Two Access Switches or Distribution Switches...
  • Page 777 Configuration Guide Contents: 1.7.2 Restrictions and Guidelines; 1.7.3 Procedure; 1.8 Monitoring...
  • Page 778 Configuration Guide Configuring Loop Detection Configuring Loop Detection Overview Software defined network (SDN) loop detection is a loop detection solution managed on an SDN controller. SDN loop detection uses the Rapid Link Detection Protocol (RLDP) and storm traffic detection function to detect the loop occurrence event and loop removal event.
  • Page 779 Configuration Guide Configuring Loop Detection 1.2.2 Loop Occurring on Two Ports of a Switch 1. Scenario [Figure labels: Distribution switch, Access switch 1, Access switch 2] Note A loop occurs on two ports of a switch. 2. Deployment • Enable loop detection on the SDN controller and set the loop policy to shutdown access. • ...
  • Page 780 Configuration Guide Configuring Loop Detection 2. Deployment • Enable loop detection on the SDN controller and set the loop policy to shutdown access. • Enable loop detection globally on all access switches and distribution switches on the network according to the configuration on the SDN controller, and set the loop policy to shutdown access.
  • Page 781 Configuration Guide Configuring Loop Detection 1.3.1 Basic Concepts 1. RLDP Protocol A port with RLDP enabled periodically sends loop packets. Loop packets are L2 multicast packets. If such packets are received by the same or different ports of a device, it is considered that a loop occurs in any of the following cases: The transmission and receiving ports of the packets are the same routed ports or the same members of an L3 aggregate port;...
  • Page 782 Configuration Guide Configuring Loop Detection 1.3.2 Feature 1. Storm Traffic Detection RLDP has the following disadvantages: • It is a private protocol. RLDP loop packets may be discarded after reaching the device of another vendor, causing a loop detection failure. • ...
  • Page 783 Configuration Guide Configuring Loop Detection (2) Enter the global configuration mode. configure terminal (3) Enable loop detection and set the loop policy to shutdown-access. loop-detect enable shutdown access-mode Loop detection is disabled by default. (4) (Optional) Set the automatic port recovery time after a port where a loop occurs is shut down. loop-detect shutdown-recover-time interval The default automatic port recovery time after shutdown is 300 seconds.
  • Page 784 Configuration Guide Configuring Loop Detection 1.7.2 Restrictions and Guidelines Virtual switch link (VSL) ports do not support the storm detection function. Aggregate ports do not support the storm detection function. After loop detection is enabled, the storm detection function takes effect on members of aggregate ports. The storm detection function must be used in combination with loop detection.
  • Page 785 IP Service Configuration ARP Configuration IPv4 Basics Configuration DHCP Configuration DHCP Client Configuration DHCP Snooping Configuration DNS Configuration IPv6 Basics Configuration DHCPv6 Configuration DHCPv6 Client Configuration DHCPv6 Snooping Configuration ND Snooping Configuration Tunnel Configuration TCP Configuration IP REF Configuration...
  • Page 786 Configuration Guide Contents: 1 Configuring ARP; 1.1 Introduction; 1.1.1 Overview; 1.1.2 Basic Concepts; 1.1.3 Principles; 1.1.4 Protocols and Standards; 1.2 Configuration Task Summary; 1.3 Configuring a Static ARP Entry; 1.3.1 Overview...
  • Page 787 Configuration Guide Contents: 1.5.2 Configuration Tasks; 1.5.3 Configuring a Limit on the Number of Unresolved ARP Entries; 1.5.4 Configuring an ARP Learning Limit for an Interface; 1.5.5 Configuring Fast ARP Entry Aging for an Interface; 1.5.6 Configuring ARP Packet Rate Statistics Collection...
  • Page 788 Configuration Guide Contents: 1.11 Enabling ARP Trust Detection; 1.11.1 Overview; 1.11.2 Restrictions and Guidelines; 1.11.3 Procedure; 1.12 Enabling ARP-based IP Guard; 1.12.1 Overview; 1.12.2 Procedure; 1.13 Configuring ARP Packet Filtering; 1.13.1 Overview...
  • Page 789 Configuration Guide Contents: 1.18 Monitoring; 1.19 Configuration Examples; 1.19.1 Configuring Proxy ARP...
  • Page 790 Configuration Guide Configuring ARP Configuring ARP Introduction 1.1.1 Overview If two IP-enabled hosts need to communicate, a sender must learn the IP address and media access control (MAC) address of the receiver. With the MAC address, the sending host encapsulates IP datagrams into the data link layer (DLL) frames and transmits them over the physical network.
  • Page 791 Configuration Guide Configuring ARP • IP address of sender: Indicates a source IP address, that is, the IP address of a sender device. • Ethernet address of destination: Indicates a destination MAC address, that is, the hardware address of a destination device.
  • Page 792 Configuration Guide Configuring ARP Figure 1-2 ARP Implementation in the Same Network Segment [Figure labels: Router A, Switch A, Switch B, ARP Request, ARP Reply, Host A, Host B, Host C, Host D] As illustrated in Figure 1-2, host A has learned the IP address of host B and wants to send IP packets to host B.
  • Page 793 Configuration Guide Configuring ARP As illustrated in Figure 1-3, host A has learned the IP address of host C. For example, when host A sends an IP packet to host C, the address resolution process is as follows: Host A looks up in its ARP table and does not find the mapping between IP and MAC addresses of port GigabitEthernet 0/1 on the default gateway router A that is reachable to host C.
  • Page 794 Configuration Guide Configuring ARP Gratuitous ARP packets have the following purposes: • Detecting IP address conflict If the device receives a gratuitous ARP packet and finds that the IP address in the packet is the same as its own IP address, it sends an ARP reply to notify the peer of the IP address conflict.
  • Page 795 Configuration Guide Configuring ARP • Configuring a Static ARP Entry • Configuring Dynamic ARP Learning Attributes • Configuring ARP Entry Management • Enabling Trusted ARP • Enabling Gratuitous ARP • Enabling Proxy ARP • Configuring Local Proxy ARP • Configuring Any IP ARP • ...
  • Page 796 Configuration Guide Configuring ARP Configuring Dynamic ARP Learning Attributes 1.4.1 Overview The dynamic ARP learning function is enabled by default. You can configure ARP learning attributes as needed, for example, specify ARP entry timeout time, the number of times and interval that an ARP request can be transmitted consecutively, strict dynamic ARP learning function, ARP scanning, and scheduled automatic ARP scanning.
  • Page 797 Configuration Guide Configuring ARP (4) Configure the ARP timeout time. arp timeout time The default timeout time of dynamic ARP entries in the ARP cache is 3600 seconds. 1.4.4 Configuring ARP Request Retransmission 1. Overview The device sends a certain number of ARP requests at a certain time interval during address resolution until the device receives an ARP reply.
  • Page 798 Configuration Guide Configuring ARP 1.4.5 Disabling Dynamic ARP Learning 1. Overview The dynamic ARP learning function can be disabled on an interface. Then, the interface will not perform dynamic ARP learning. 2. Procedure (1) Enter the privileged EXEC mode. enable (2) Enter the global configuration mode.
  • Page 799 Configuration Guide Configuring ARP (4) Enable strict dynamic ARP learning. arp strict-learning enable Strict dynamic ARP learning is disabled by default. 1.4.7 Configuring ARP Scanning 1. Overview This function is usually used together with the Web-based dynamic-to-static ARP entry conversion function. After ARP scanning is enabled on an interface, the device scans neighbors in the specified range and learns the ARP entries of these neighbors.
  • Page 800 Configuration Guide Configuring ARP 2. Restrictions and Guidelines • Since this function adds a strict confirmation procedure in the ARP learning process, it affects the efficiency of ARP learning. • The scanning interval ranges from 1 to 30, in minutes. • ...
  • Page 801 Configuration Guide Configuring ARP • Configuring Fast ARP Entry Aging for an Interface • Configuring ARP Packet Rate Statistics Collection • Configuring the ARP Alarm Rate Limit 1.5.3 Configuring a Limit on the Number of Unresolved ARP Entries 1. Overview In a local area network (LAN), ARP attacks and scanning may cause a large number of unresolved ARP entries generated on the gateway.
  • Page 802 Configuration Guide Configuring ARP interface aggregateport interface-number ○ Enter the SVI configuration mode. interface vlan interface-number (4) Configure an ARP learning limit for the interface. arp cache interface-limit limit The number of ARP entries that can be learned by an interface is not limited by default. 1.5.5 Configuring Fast ARP Entry Aging for an Interface 1.
  • Page 803 Configuration Guide Configuring ARP 3. Procedure (1) Enter the privileged EXEC mode. enable (2) Enter the global configuration mode. configure terminal (3) Enable ARP packet rate statistics collection. arp rate-statistic enable The ARP packet rate statistics collection is disabled by default. (4) (Optional) Configure the interval for ARP packet rate statistics collection.
  • Page 804 Configuration Guide Configuring ARP (3) Enable trusted ARP. service trustedarp Trusted ARP is disabled by default. (4) (Optional) Enable VLAN translation when a trusted ARP entry is added. arp trusted user-vlan vlan-id translated-vlan vlan-id The VLAN translation is disabled when a trusted ARP entry is added by default. Configure this command only when the VLAN delivered by the server differs from the valid VLAN in the trusted ARP entry.
  • Page 805 Configuration Guide Configuring ARP (4) Enter the interface configuration mode. ○ Enter the Layer 3 Ethernet interface configuration mode. interface ethernet-type interface-number ○ Enter the Layer 3 link aggregation configuration mode. interface aggregateport interface-number ○ Enter the SVI configuration mode. interface vlan interface-number (5) Enable the function of sending gratuitous ARP requests.
  • Page 806 Configuration Guide Configuring ARP Configuring Local Proxy ARP 1.9.1 Overview After local proxy ARP is enabled, the device can help hosts obtain the MAC addresses of other hosts in the same subnet. 1.9.2 Restrictions and Guidelines This function can be configured only on SVIs. 1.9.3 Procedure (1) Enter the privileged EXEC mode.
  • Page 807 Configuration Guide Configuring ARP dynamic ARP entry and direct route are removed and the user cannot receive the reply. ○ The device acts as a proxy to respond to ARP requests. After the user host learns the MAC address of the device, if any IP ARP is disabled and then enabled again on the interface, the user cannot receive the reply.
  • Page 808 Configuration Guide Configuring ARP 1.11.2 Restrictions and Guidelines • Since this function adds a strict confirmation procedure in the ARP learning process, it affects the efficiency of ARP learning. • After this function is disabled, the device no longer performs NUD for learning or updating ARP entries. 1.11.3 Procedure (1) Enter the privileged EXEC mode.
  • Page 809 Configuration Guide Configuring ARP (3) Enable ARP-based IP guard. arp anti-ip-attack attack-num The default number of IP packets for triggering the discarding of ARP entries is 3. 1.13 Configuring ARP Packet Filtering 1.13.1 Overview • ARP packet filtering supports the following functions: Filters out received gratuitous ARP packets.
  • Page 810 Configuration Guide Configuring ARP 1.14 Restraining the Device from Sending ARP Requests to Authenticated VLANs 1.14.1 Overview In gateway authentication mode, all sub VLANs in a super VLAN are authenticated VLANs by default. Users in an authenticated VLAN have to pass authentication to access the network. After authentication, a static ARP entry is generated on the device.
  • Page 811 Configuration Guide Configuring ARP request of the destination ARP address if it does not have an ARP entry corresponding to the destination IP address. After the host existence judgment prior to proxy ARP service is disabled, if the proxy conditions are met, the master ARP device directly acts as a proxy upon receiving an ARP request, without judging whether the ARP entry corresponding to the destination IP address has been resolved.
  • Page 812 Configuration Guide Configuring ARP 1.17 Configuring ARP Learning for a Specific Network Segment 1.17.1 Overview When you manage a specific network segment of a Layer 3 interface, run the arp disable-learning command to disable ARP learning of the specific network segment. After configuration, the interface does not learn any dynamic ARP of the network segment.
  • Page 813 Configuration Guide Configuring ARP Table 1-1 Monitoring Command Purpose show arp trusted [ ipv4-address [ mask ] ] Displays trusted ARP entries. clear arp-cache trusted [ ipv4-address Clears trusted ARP entries. [ mask ] ] clear arp-cache vrf-name | [ ipv4-address [ mask ] ] | [ interface Clears dynamic ARP entries.
  • Page 814 Configuration Guide Configuring ARP debug arp Displays the statistics on ARP packets sent and received. debug arp event Displays the creation and deletion status of ARP entries. 1.19 Configuration Examples 1.19.1 Configuring Proxy ARP 1. Requirements As shown in Figure 1-4, the IP addresses of host A and host B are on the same network segment, but are isolated in two LANs by routers.
  • Page 815 Configuration Guide Configuring ARP Configure an IP address for a Layer 3 Ethernet port GigabitEthernet 0/2. DeviceA(config)# interface gigabitethernet 0/2 DeviceA(config-if-GigabitEthernet 0/2)# ip address 172.2.1.1 24 DeviceA(config-if-GigabitEthernet 0/2)# exit Configure the static route to 172.1.2.0/16. DeviceA(config)# ip route 172.1.2.0 255.255.0.0 gigabitethernet 0/2 (2) Configure device B.
  • Page 816 Configuration Guide Configuring ARP • Device B configuration file hostname DeviceB ip route 172.1.1.0 255.255.0.0 gigabitethernet 0/2 interface gigabitethernet 0/1 ip address 172.1.2.2 24 ip proxy-arp interface gigabitethernet 0/2 ip address 172.2.1.2 24...
  • Page 817 Configuration Guide Contents: 1 Configuring IPv4 Basics; 1.1 Introduction; 1.1.1 Overview; 1.1.2 Basic Concepts; 1.1.3 Principles; 1.1.4 Protocols and Standards; 1.2 Configuration Task Summary; 1.3 Configuring an IP Address for an Interface; 1.3.1 Overview...
  • Page 818 Configuration Guide Contents: 1.6.1 Overview; 1.6.2 Configuration Tasks; 1.6.3 Enabling the Function of Sending TTL Timeout Messages; 1.6.4 Enabling the Timestamp Query; 1.6.5 Enabling the Function of Sending ICMP Destination Unreachable Messages; 1.6.6 Enabling the Function of Sending ICMP Redirection Messages...
  • Page 819 Configuration Guide Contents: 1.11.3 Procedure; 1.12 Monitoring; 1.13 Configuration Examples; 1.13.1 Configuring IPv4 Addresses for Network Communication...
  • Page 820 Configuration Guide Configuring IPv4 Basics Configuring IPv4 Basics Introduction 1.1.1 Overview Internet Protocol (IP) is one of the core protocols in the Transmission Control Protocol (TCP)/IP protocol suite and works at the network layer. Each IP device in the network needs a logical virtual address, which is used by the IP protocol to realize communication between devices.
  • Page 821 Configuration Guide Configuring IPv4 Basics Figure 1-2 Class B Network [Figure labels: Class B network, Network ID, Host identifier] • For a class C address, the three most significant bits are "110", the following 21 bits indicate a network ID, and the last 8 bits indicate a local address. There are 2^21 = 2,097,152 class C networks in total.
  • Page 822 Configuration Guide Configuring IPv4 Basics Class, address range and status: Class C network: 192.0.0.0~192.0.0.255 (Reserved), 192.0.1.0~223.255.254.255 (Available), 223.255.255.0~223.255.255.255 (Reserved); Class D network: 224.0.0.0~239.255.255.255 (Multicast addresses); Class E network: 240.0.0.0~255.255.255.254 (Reserved), 255.255.255.255 (Broadcast addresses). 2. Private Network IP Addresses Private network IP addresses are not used in the Internet. If the devices to which private addresses are assigned need to be connected to the Internet, these IP addresses need to be converted into valid Internet addresses.
  • Page 823 Configuration Guide Configuring IPv4 Basics subnets. Some bits of the host address are used as the network ID to decrease the host capacity and increase the number of networks. In this case, network masks are called subnet masks. 5. MTU Maximum transmission unit (MTU) is the maximum size, in bytes, of the data transmitted by the data link layer to its upper layer, such as IP.
  • Page 824 Configuration Guide Configuring IPv4 Basics • The IP addresses of the borrowed interfaces cannot be borrowed from other interfaces. • If a borrowed interface has multiple IP addresses, only the primary IP address can be borrowed. • The IP address of one interface can be lent to multiple interfaces. • ...
  • Page 825 Configuration Guide Configuring IPv4 Basics 4. ICMP Packet Internet Control Message Protocol (ICMP) is a sub protocol of the TCP/IP protocol suite and is used to transfer control messages between IP hosts and network devices to notify certain devices of packet transmission exceptions.
  • Page 826 Configuration Guide Configuring IPv4 Basics discover the path MTU. When there are too many other ICMP error messages, the ICMP destination unreachable message may not be sent. As a result, the path MTU discovery function fails. To avoid this problem, you should limit the transmission rate of ICMP destination unreachable messages and other ICMP error messages respectively.
  • Page 827 Configuration Guide Configuring IPv4 Basics • Configuring the IP Source Route Option Configuring an IP Address for an Interface 1.3.1 Overview This section describes how to configure an IP address for an interface for communication over the IP network. IP addresses can be manually configured or obtained through DHCP. In general, an interface only needs to be configured with one IP address to achieve communication with other hosts.
  • Page 828 Configuration Guide Configuring IPv4 Basics 1.3.4 Configuring an IP Address Combination for an Interface 1. Restrictions and Guidelines The IP address combination configuration command can be configured only on switch virtual interfaces (SVIs) and management (MGMT) interfaces. The IP address combination configuration command and the static IP address configuration command as well as DHCP are mutually exclusive, but the IP address combination configuration command can be used to configure both static IP addresses and DHCP.
  • Page 829 Configuration Guide Configuring IPv4 Basics interface aggregateport interface-number ○ Enter the SVI interface configuration mode. interface vlan interface-number (4) Configure an IP broadcast address. ip broadcast-address ipv4-address The default IP broadcast address of an interface is 255.255.255.255. Configuring the Default Gateway for a Management Interface 1.4.1 Overview This section describes how to configure the default gateway for a management interface.
  • Page 830 Configuration Guide Configuring IPv4 Basics 1.5.3 Procedure (1) Enter the privileged EXEC mode. enable (2) Enter the global configuration mode. configure terminal (3) Enter the interface configuration mode. ○ Enter the Layer 3 Ethernet interface configuration mode. interface ethernet-type interface-number ○...
  • Page 831 Configuration Guide Configuring IPv4 Basics ip ttl-expires enable The function of sending TTL timeout messages is enabled by default. 1.6.4 Enabling the Timestamp Query (1) Enter the privileged EXEC mode. enable (2) Enter the global configuration mode. configure terminal (3) Enable the timestamp query function. ip icmp timestamp The timestamp query function is enabled by default.
  • Page 832 Configuration Guide Configuring IPv4 Basics ○ Enter the SVI interface configuration mode. interface vlan interface-number (4) Enable the function of sending ICMP redirection messages. ip redirects The function of sending ICMP redirection messages is enabled by default. 1.6.7 Enabling the Function of Sending ICMP Mask Reply Messages (1) Enter the privileged EXEC mode.
  • Page 833 Configuration Guide Configuring IPv4 Basics converted into an integral multiple of 10 milliseconds. For example, if the transmission rate is set to 3 packets per 15 milliseconds, two ICMP error packets are actually sent per 10 milliseconds. 1.7.3 Procedure (1) Enter the privileged EXEC mode. enable (2) Enter the global configuration mode.
  • Page 834 Configuration Guide Configuring IPv4 Basics The default MTU of an IP packet is 1500 bytes. Configuring the IP Fragment Reassembly 1.9.1 Overview By default, a device reassembles IP packets sent to the CPU, and then determines whether to forward them or process them locally.
  • Page 835 Configuration Guide Configuring IPv4 Basics 1.11.2 Restrictions and Guidelines Enabling the IP source route option may expose the network to attacks such as source address spoofing and IP spoofing. 1.11.3 Procedure (1) Enter the privileged EXEC mode. enable (2) Enter the global configuration mode. configure terminal (3) Enable the IP source route option.
  • Page 836 Configuration Guide Configuring IPv4 Basics 1.13 Configuration Examples 1.13.1 Configuring IPv4 Addresses for Network Communication 1. Requirements As shown in Figure 1-5, device A is connected to a LAN (belonging to VLAN 1), which involves two network segments: 172.16.1.0/24 and 172.16.2.0/24. Computers on the two network segments are required to access the Internet through device A and hosts on the two network segments can also communicate with each other.
  • Page 837 Configuration Guide Configuring IPv4 Basics Set the gateway to 172.16.2.1/24 on the hosts. 5. Verification Run the ping command on device A to check the connectivity with the hosts in the 172.16.1.0/24 network segment. DeviceA# ping 172.16.1.2 Sending 5, 100-byte ICMP Echoes to 172.16.1.2, timeout is 2 seconds: <...
  • Page 838 Configuration Guide Contents: 1 Configuring DHCP; 1.1 Introduction; 1.2 Principles; 1.2.1 Basic Concepts; 1.2.2 Message Format; 1.2.3 DHCP Lease Process; 1.2.4 DHCP Server; 1.2.5 DHCP Relay Agent; 1.2.6 DHCP Associated with VRRP Monitoring...
  • Page 839 Configuration Guide Contents: 1.3.12 Configuring IP Address Exclusion; 1.3.13 Configuring IP Address Conflict Detection; 1.3.14 Configuring Compulsory NAK Reply; 1.3.15 Configuring Preferential Assignment of External DNS Server Addresses; 1.3.16 Configuring VRRP Monitoring; 1.3.17 Configuring ARP-based Go-Offline Detection...
  • Page 840 Configuration Guide Configuring DHCP Configuring DHCP Introduction 1. Overview Dynamic Host Configuration Protocol (DHCP) is a local area network (LAN) protocol that dynamically assigns reusable network addresses and additional configurations to hosts. DHCP uses User Datagram Protocol (UDP) as its transport protocol to send and receive DHCP messages through port 67. DHCP works in client/server mode.
  • Page 841 Configuration Guide Configuring DHCP Principles 1.2.1 Basic Concepts  DHCP server A DHCP server is implemented based on RFC 2131. It assigns IP addresses to hosts and manages these IP addresses.  DHCP client A DHCP client enables a device to automatically obtain an IP address and other configurations from a DHCP server.
  • Page 842 Configuration Guide Configuring DHCP 1.2.2 Message Format 1. DHCP Packet Figure 1-1 DHCP Packet op (1) htype (1) hlen (1) hops (1) xid (4) secs (2) flags (2) ciaddr (4) yiaddr (4) siaddr (4) giaddr (4) chaddr (16) sname (64) file (128) options (variable) The following describes fields contained in a DHCP packet:...
  • Page 843 Configuration Guide Configuring DHCP  siaddr (server IP address): IP address of the server from which a DHCP client obtains boot configurations.  giaddr (gateway IP address): IP address of the first DHCP relay agent that a request packet of a DHCP client passes through.
  • Page 844 Configuration Guide Configuring DHCP Figure 1-2 Option Format Option type Option length Value (variable)  Option type: option number.  Option length: length of the information content.  Value: information content. 4. Common DHCP Options The type value of the Options field ranges from 1 to 255. Common DHCP options include: ...
  • Page 845 Configuration Guide Configuring DHCP Figure 1-3 Option 43  Option 82: relay agent information Option 82 records the location information of a DHCP client. When a DHCP relay agent receives a request packet destined for a DHCP server from a DHCP client, the DHCP relay agent adds Option 82 to the packet and forwards the packet to the DHCP server.
  • Page 846 Configuration Guide Configuring DHCP server and requests another IP address from the server after 10s. ○ If the lease record does not exist or the DHCP server cannot assign an IP address to the client due to some reasons, the DHCP server sends a DHCP NAK packet to inform the DHCP client that no proper IP address can be assigned.
  • Page 847 Configuration Guide Configuring DHCP 4. Compulsory NAK Reply In wireless applications, DHCP clients usually move from one network to another. When receiving a REQUEST packet from a client for lease renewal, a DHCP server replies with a NAK packet for the client if the server finds that the network segment of the client is changed or the lease expires.
  • Page 848 Configuration Guide Configuring DHCP 2. Typical Applications Figure 1-6 DHCP Relay Application Scenario DHCP Server 30.0.0.2 DHCP Relay 30.0.0.1/16 DHCP Client VLAN 10 VLAN 20 10.0.0.0/16 20.0.0.0/16 VLAN 10 and VLAN 20 are on the network segments 10.0.0.1/16 and 20.0.0.1/16, respectively. A DHCP server with the IP address 30.0.0.2 is in network segment 30.0.0.1/16.
  • Page 849 Configuration Guide Configuring DHCP Figure 1-8 Option 82 Remote ID 4. Custom Option 82 Option 82 can be customized. A DHCP relay agent can form an Option 82 based on the physical port that receives DHCP request packets and the MAC address and the name of the device. Figure 1-9 and Figure 1-10 show the formats of the sub-options.
  • Page 850 Configuration Guide Configuring DHCP Figure 1-12 Application in an MPLS VPN Environment VPN 1 DHCP Client A MPLS Network DHCP Relay G0/1 192.168.4.1/24 G0/2 192.168.4.1/24 DHCP Server VPN 2 DHCP Client B As shown in Figure 1-12, in an MPLS VPN environment, DHCP Client A is connected to GigabitEthernet 0/1 on a DHCP relay agent, and DHCP Client B is connected to GigabitEthernet 0/2 on the DHCP relay.
  • Page 851 Configuration Guide Configuring DHCP Figure 1-14 Subnet-Selection Sub-option type Length Subnet-Selection 1 Byte 1 Byte 4 Bytes  Server-ID-Override: In an MPLS VPN environment, request packets from a DHCP client cannot be directly sent to a DHCP server. A DHCP relay agent uses this option to carry the IP address of the interface directly connected to the DHCP client.
  • Page 852 Configuration Guide Configuring DHCP 1.3.2 Configuration Task Summary Enabling DHCP Server (2) (Optional) Configuring Static IP Address Assignment Configuring Dynamic Assignment of IP Addresses and Network Parameters (4) (Optional) Configuring DHCP Address Pool Management Function (5) (Optional) Providing the Boot Image File Name (6) (Optional) Assigning IP Addresses Based on Class Rules (7) (Optional)
  • Page 853 Configuration Guide Configuring DHCP The DHCP server function is disabled by default. 1.3.4 Configuring Static IP Address Assignment 1. Overview Deliver specific IP addresses and configurations to specific DHCP clients, such as servers and printers. 2. Procedure (1) Enter the privileged EXEC mode. enable (2) Enter the global configuration mode.
  • Page 854 Configuration Guide Configuring DHCP configure terminal (3) Create an address pool and enter the DHCP address pool configuration mode. ip dhcp pool dhcp-pool (4) Configure the primary network segment for dynamic assignment in a DHCP address pool. network network-number mask [ low-ipv4-address high-ipv4-address ] No primary network segment for dynamic assignment in a DHCP address pool is configured by default.
  • Page 855 Configuration Guide Configuring DHCP  Configuring an Address Lease Time  Adding Trusted ARP Entries During Address Assignment  Forcibly Disabling Gateway Assignment  Enabling or Disabling an Address Pool  Configuring an Alarm Threshold for an Address Pool 2. Configuring an Address Lease Time (1) Enter the privileged EXEC mode.
  • Page 856 Configuration Guide Configuring DHCP 5. Enabling or Disabling an Address Pool (1) Enter the privileged EXEC mode. enable (2) Enter the global configuration mode. configure terminal (3) Create an address pool and enter the DHCP address pool configuration mode. ip dhcp pool dhcp-pool (4) Enable or disable the address pool.
  • Page 857 Configuration Guide Configuring DHCP When multiple boot servers are defined, the first defined boot server has the highest priority. A DHCP client selects the next boot server only when it fails to communicate with the first defined boot server. (5) (Optional) Configure the boot file name for a DHCP client. bootfile file-name No boot file name is configured for a DHCP client by default.
  • Page 858 Configuration Guide Configuring DHCP Option 82 matching rule is configured by default. (7) Return to the global configuration mode. exit (8) Enter the DHCP address pool configuration mode. ip dhcp pool dhcp-pool (9) Associate an address pool with a class. class class-name No class is associated with a DHCP address pool by default.
  • Page 859 If a DHCP server is deployed without authorization, clients that request IP addresses from it are assigned wrong addresses. Such a server is a rogue server. Ruijie devices with DHCP enabled provide a command to enable rogue server detection. After rogue server detection is enabled, DHCP packets are checked for Option 54 (Server Identifier).
  • Page 860 Configuration Guide Configuring DHCP 2. Procedure Enter the privileged EXEC mode. enable Enter the global configuration mode. configure terminal Configure rogue server detection. ip dhcp server detect Rogue server detection is disabled by default. 1.3.12 Configuring IP Address Exclusion 1. Overview An excluded address is an IP address or address segment excluded from the address pool of a DHCP server, so that the DHCP server does not assign this IP address or address segment to a client.
  • Page 861 Configuration Guide Configuring DHCP 3. Configuring the Number of Ping Operations Executed for Address Conflict Detection (1) Enter the privileged EXEC mode. enable (2) Enter the global configuration mode. configure terminal (3) Configure the number of ping operations executed by a DHCP server when it detects IP address conflicts. ip dhcp ping packets [ ping-times ] A DHCP server pings a conflicted IP address two times by default.
  • Page 862 Configuration Guide Configuring DHCP 3. Procedure (1) Enter the privileged EXEC mode. enable (2) Enter the global configuration mode. configure terminal (3) Configure compulsory NAK reply for a DHCP server. ip dhcp force-send-nak Compulsory NAK reply is enabled by default. 1.3.15 Configuring Preferential Assignment of External DNS Server Addresses 1.
  • Page 863 Configuring ARP-based Go-Offline Detection 1. Overview Ruijie devices with DHCP enabled provide a command to enable ARP-based go-offline detection. After this function is enabled, a DHCP server receives an ARP entry aging notification when a client goes offline, and reclaims the client's IP address. If the client does not go online within a period of time (5 minutes by default), the DHCP server reclaims the IP address and assigns it to another client.
  • Page 864 Configuration Guide Configuring DHCP Configuring DHCP Relay 1.4.1 Overview When a DHCP client and a DHCP server are in different network segments, a DHCP relay agent is required for dynamic IP address management. 1.4.2 Configuration Task Summary Configuring Basic DHCP Relay Functions (2) Configuring extended DHCP relay functions: All the configuration tasks below are optional.
  • Page 865 Configuration Guide Configuring DHCP The IP address of the DHCP server is not configured for the DHCP relay agent by default. The DHCP server address can be globally configured or configured on a Layer 3 interface. A maximum of 20 DHCP server addresses can be globally configured or configured on each Layer 3 interface. When an interface receives a DHCP request packet, the DHCP server list on the interface prevails over that configured globally.
  • Page 866 Configuration Guide Configuring DHCP load in specific environments, enable the Server-ID check function on the DHCP relay agent, so as to send the DHCP REQUEST packet only to the DHCP server specified in this option. In this case, the DHCP relay agent sends DHCP request packets only to the specified server. If this function is not configured, the DHCP relay agent sends DHCP request packets to all configured DHCP servers.
  • Page 867 Configuration Guide Configuring DHCP 1.4.7 Configuring Multiple Gateway IP Addresses 1. Overview After the function of configuring multiple gateway IP addresses is enabled, a DHCP relay agent can use multiple interface IP addresses to send address requests to a DHCP server. Generally, the primary IP address is used as the gateway IP address, and the DHCP server assigns a network segment based on the gateway IP address.
  • Page 868 Configuration Guide Configuring DHCP ip dhcp relay force-send-reply-pack The function of forcing a DHCP relay agent to send a reply packet is disabled by default. 1.4.9 Configuring the Source IP Address of DHCP Relay Packets 1. Overview You can run the ip dhcp relay source command on an interface to configure the source IP address of DHCP relay packets.
  • Page 869 Configuration Guide Configuring DHCP enable (2) Enter the global configuration mode. configure terminal (3) Configure the function of discarding DHCP request packets from VXLAN tunnels. ip dhcp relay discard overlay-tunnel A DHCP relay agent receives DHCP request packets from VXLAN tunnels by default. Monitoring Run the show command to check the configuration.
  • Page 870 Configuration Guide Configuring DHCP show ip dhcp dns dynamic Displays DNS server addresses obtained from an external DHCP server when the device works in the PPPoE or DHCP client mode. show ip dhcp history Displays DHCP historical lease records. show ip dhcp identifier Displays the address pool ID and address usage of a DHCP server.
  • Page 871 Configuration Guide Configuring DHCP 3. Notes Configure Device A:  Configure the IP address of the interface.  Enable the DHCP server service and configure address pool parameters. 4. Procedure (1) Configure Device A. Configure the IP address of the interface. DeviceA>...
  • Page 872 Configuration Guide Configuring DHCP  The DHCP Server service is not enabled. 1.6.2 Dynamically Assigning IP Addresses 1. Requirements As shown in Figure 1-17, Device A serving as a DHCP server dynamically assigns IP addresses to clients in the same network segment. The address pool is divided into two network segments: 192.1.1.0/25 and 192.1.1.128/25.
  • Page 873 Configuration Guide Configuring DHCP DeviceA(config-if-GigabitEthernet 0/2)# exit Enable the DHCP Server service. DeviceA(config)# service dhcp Configure network parameters of pool 1. DeviceA(config)# ip dhcp pool pool1 DeviceA(dhcp-config)# network 192.1.1.0 255.255.255.128 DeviceA(dhcp-config)# default-router 192.1.1.1 DeviceA(dhcp-config)# dns-server 192.1.1.130 DeviceA(dhcp-config)# domain-name test.com DeviceA(dhcp-config)# lease 5 DeviceA(dhcp-config)# exit Configure network parameters of pool 2.
  • Page 874 Configuration Guide Configuring DHCP service dhcp ip dhcp pool pool1 network 192.1.1.0 255.255.255.128 default-router 192.1.1.1 dns-server 192.1.1.130 domain-name test.com lease 5 ip dhcp pool pool2 network 192.1.1.128 255.255.255.128 default-router 192.1.1.129 dns-server 192.1.1.130 domain-name test.com lease 3 7. Common Errors  No address pool is configured.
  • Page 875 Configuration Guide Configuring DHCP ○ Configure the IP address of the interface. ○ Configure a route from Device B to GigabitEthernet 0/1 on Device A. ○ Enable the DHCP server service and configure address pool parameters. 4. Procedure (1) Configure Device A: Configure the IP address of the interface.
  • Page 876 Configuration Guide Configuring DHCP DeviceB(config)# show ip dhcp pool Pool name Total Distributed Remained Percentage ------------ ----------- ----------- -------- ----------- pool1 0.99206 6. Configuration Files  Device A configuration file hostname DeviceA interface gigabitethernet 0/1 ip address 192.1.1.1 255.255.255.0 interface gigabitethernet 0/2 service dhcp ip helper-address 172.2.2.1 ...
  • Page 877 Configuration Guide Configuring DHCP 2. Topology Figure 1-19 Assigning IP Addresses Based on Class Rules 3. Notes  Configure Device A: ○ Configure the IP address of the interface. ○ Enable the DHCP relay function. ○ Enable the Option 82 function. ...
  • Page 878 Configuration Guide Configuring DHCP DeviceB> enable DeviceB# configure terminal DeviceB(config)# interface gigabitethernet 0/1 DeviceB(config-if-GigabitEthernet 0/1)# ip address 172.2.2.1 255.255.255.0 DeviceB(config-if-GigabitEthernet 0/1)# exit Configure a static route to network segment 192.1.1.0/24. DeviceB(config)# ip route 192.1.1.0 255.255.255.0 gigabitethernet 0/1 Enable the DHCP Server function. DeviceB(config)# service dhcp Configure a class rule.
  • Page 879 Configuration Guide Configuring DHCP hostname DeviceB ip route 192.1.1.0 255.255.255.0 gigabitethernet 0/1 service dhcp interface gigabitethernet 0/1 ip address 172.2.2.1 255.255.255.0 ip dhcp class myclass relay agent information relay-information hex 060223* ip dhcp pool pool1 network 192.1.1.0 255.255.255.0 default-router 192.1.1.1 dns-server 192.1.1.2 class myclass address range 192.1.1.200 192.1.1.254...
  • Page 880 Configuration Guide Contents: 1 Configuring DHCP Client; 1.1 Introduction; 1.1.1 Overview; 1.1.2 Principles; 1.1.3 Protocols and Standards; 1.2 Enabling DHCP Client Function; 1.2.1 Overview; 1.2.2 Restrictions and Guidelines; 1.2.3 Procedure...
  • Page 881 Configuration Guide Configuring DHCP Client Configuring DHCP Client Introduction 1.1.1 Overview Dynamic Host Configuration Protocol (DHCP) is a local area network (LAN) protocol based on the User Datagram Protocol (UDP) for dynamically assigning reusable network resources over port 68, for example, IP addresses.
  • Page 882 Configuration Guide Configuring DHCP Client DHCP server saves the configuration information of the DHCP client temporarily for reuse in next IP address application by the DHCP client. 1.1.3 Protocols and Standards  RFC 2131: Dynamic Host Configuration Protocol  RFC 2132: DHCP Options and BOOTP Vendor Extensions ...
  • Page 883 Configuration Guide Configuring DHCP Client Caution The output debugging information occupies system resources. Therefore, disable the debugging function immediately after use. Table 1-1 Monitoring Command Purpose show dhcp lease Displays lease information of a DHCP client. debug ip dhcp client Debugs DHCP packets.
  • Page 884 Configuration Guide Configuring DHCP Client DeviceB# configure terminal DeviceB(config)# service dhcp Configure the interface IP address used to connect to the DHCP client. DeviceB(config)# interface gigabitethernet 0/1 DeviceB(config-if-GigabitEthernet 0/1)# ip address 20.1.1.2 255.255.255.0 DeviceB(config-if-GigabitEthernet 0/1)# exit Configure the interface IP address used to connect to the DNS server. DeviceB(config)# interface gigabitethernet 0/2 DeviceB(config-if-GigabitEthernet 0/2)# ip address 20.1.2.2 255.255.255.0 DeviceB(config-if-GigabitEthernet 0/2)# exit...
  • Page 885 Configuration Guide Configuring DHCP Client  Device B configuration file hostname DeviceB service dhcp ip dhcp excluded-address 20.1.1.2 interface gigabitethernet 0/1 ip address 20.1.1.2 255.255.255.0 interface gigabitethernet 0/2 ip address 20.1.2.2 255.255.255.0 ip dhcp pool User network 20.1.1.0 255.255.255.0 dns-server 20.1.2.1...
  • Page 886 Configuration Guide Contents: 1 Configuring DHCP Snooping; 1.1 Introduction; 1.1.1 Overview; 1.1.2 Principles; 1.1.3 Applications; 1.1.4 Protocols and Standards; 1.2 Restrictions and Guidelines; 1.3 Configuration Task Summary; 1.4 Configuring Basic DHCP Snooping Functions...
  • Page 887 Configuration Guide Contents: 1.13 Configuring an Interface in the Suppression State; 1.14 Configuring the Maximum Number of Users Bound to a VLAN; 1.15 Configuring Option 82; 1.15.1 Overview; 1.15.2 Restrictions and Guidelines; 1.15.3 Procedure...
  • Page 888 Configuration Guide Configuring DHCP Snooping Configuring DHCP Snooping Introduction 1.1.1 Overview The Dynamic Host Configuration Protocol (DHCP) snooping function allows a device to snoop DHCP packets exchanged between clients and a server to record and monitor the IP address usage and filter out invalid DHCP packets, including request packets from the clients and response packets from the server.
  • Page 889 Configuration Guide Configuring DHCP Snooping  DHCP Snooping packet suppression To shield all the DHCP packets on a specific client, enable DHCP Snooping packet suppression on its untrusted ports.  DHCP Snooping rate limit DHCP Snooping rate limit can be configured using the rate limit command of Network Foundation Protection Policy (NFPP).
  • Page 890 Configuration Guide Configuring DHCP Snooping According to the invalid DHCP packet types introduced in the "Basic Concepts" section, the device first checks the giaddr and chaddr fields in packets and then checks whether the restrictive conditions for this packet type are met. 3.
  • Page 891 Configuration Guide Configuring DHCP Snooping Device is an access device, DHCP Server A is in the controlled area, and DHCP Server B is beyond the controlled area.  DHCP Snooping is enabled on Device to monitor DHCP packets.  The port on Device for connecting to DHCP Server A is configured as a DHCP trusted port to forward response packets.
  • Page 892 Configuration Guide Configuring DHCP Snooping response packets.  The rest of ports on Device are configured as DHCP untrusted ports to filter response packets.  DHCP source MAC addresses need to be verified on untrusted ports of Device to filter out invalid DHCP packets.
  • Page 893 Configuration Guide Configuring DHCP Snooping The working process of the device in this scenario is the same as that in "Guarding Against IP/MAC Address Spoofing". 6. Detecting ARP Attacks The device with DHCP Snooping enabled checks the ARP packets from untrusted ports and filters out the ARP packets that do not match the assignments of the DHCP server.
  • Page 894 Configuration Guide Configuring DHCP Snooping Configuration Task Summary DHCP Snooping configuration includes the following tasks: The following configuration tasks are mutually exclusive. Please configure only one task.  Configuring DHCP Snooping Configuring Basic DHCP Snooping Functions (Optional) Disabling DHCP Snooping on a VLAN (Optional) Enabling Source MAC Address Verification (Optional)
  • Page 895 Configuration Guide Configuring DHCP Snooping ○ Enter the Layer 2 link aggregation configuration mode. interface aggregateport interface-number (5) Configure an interface as a DHCP Snooping trusted port. ip dhcp snooping trust All interfaces are DHCP Snooping untrusted ports by default. Run this command to configure the interface connected to an authorized DHCP server as a trusted port.
  • Page 896 Configuration Guide Configuring DHCP Snooping Writing Dynamic User Information in the DHCP Snooping Binding Database to a Flash Memory at a Scheduled Time (1) Enter the privileged EXEC mode. enable (2) Enter the global configuration mode. configure terminal (3) Write dynamic user information in the DHCP Snooping binding database to a flash memory at a scheduled time.
  • Page 897 Configuration Guide Configuring DHCP Snooping DHCP Snooping does not support BOOTP binding by default. 1.10 Enabling DHCP Snooping to Support Relay Request Packet Processing (1) Enter the privileged EXEC mode. enable (2) Enter the global configuration mode. configure terminal (3) Enable DHCP Snooping to support relay request packet processing. ip dhcp snooping check-giaddr DHCP Snooping does not support relay request packet processing by default.
  • Page 898 Configuration Guide Configuring DHCP Snooping enable (2) Enter the global configuration mode. configure terminal (3) Enter the interface configuration mode. ○ Enter the Layer 2 Ethernet interface configuration mode. interface ethernet-type interface-number ○ Enter the Layer 2 link aggregation configuration mode. interface aggregateport interface-number (4) Configure an interface in the suppression state so as to discard all DHCP packets sent to the interface.
  • Page 899 Configuration Guide Configuring DHCP Snooping 1.15.3 Procedure (1) Enter the privileged EXEC mode. enable (2) Enter the global configuration mode. configure terminal (3) Add Option 82 to DHCP request packets. ip dhcp snooping information option standard-format user-defined Option 82 is not added to DHCP request packets by default. (4) (Optional) Set Remote ID to a user-defined string or the host name.
  • Page 900 Configuration Guide Configuring DHCP Snooping 1.16 Enabling DHCP Snooping Monitoring 1.16.1 Overview After the DHCP Snooping monitoring function is enabled, DHCP Snooping only copies DHCP packets and generates binding entries based on the interaction status, but does not check the validity of the packets. 1.16.2 Restrictions and Guidelines The DHCP Snooping monitoring and DHCP Snooping functions are mutually exclusive.
  • Page 901 Configuration Guide Configuring DHCP Snooping Command Purpose Debugs the DHCP Snooping function based on the MAC debug snooping ipv4 event address. debug snooping ipv4 mac-address H.H.H Debugs all DHCP Snooping functions. 1.18 Configuration Examples 1.18.1 Configuring DHCP Snooping 1. Requirements DHCP clients can obtain IP addresses from legitimate DHCP servers dynamically.
  • Page 902 Configuration Guide Configuring DHCP Snooping Device# show ip dhcp snooping Switch DHCP snooping status ENABLE DHCP snooping verify hardware address status DISABLE DHCP snooping database write-delay time 0 seconds DHCP snooping option 82 status DISABLE DHCP snooping Support bootp bind status DISABLE Interface Trusted...
  • Page 903 Configuration Guide Contents: 1 Configuring DNS; 1.1 Overview; 1.2 Principles; 1.2.1 Static Domain Name Resolution; 1.2.2 Dynamic Domain Name Resolution; 1.2.3 DNS Proxy; 1.2.4 Protocols and Standards; 1.3 Configuration Task Summary...
  • Page 904 Configuration Guide Contents: 1.8.1 Configuring Static Domain Name Resolution; 1.8.2 Configuring Dynamic Domain Name Resolution; 1.8.3 Configuring DNS Proxy...
  • Page 905 Configuration Guide Configuring DNS Configuring DNS Overview Domain Name System (DNS) is important and commonly used in a Transmission Control Protocol/Internet Protocol (TCP/IP) network environment. The main function of DNS is to convert a domain name that is easy to remember into an IP address that is hard to remember.
  • Page 906 Configuration Guide Configuring DNS As shown in Figure 1-1, a resolver is integrated with a cache to form a DNS client, which accepts DNS requests from user programs and makes responses accordingly. In general, user programs (such as ping and traceroute), a cache, and a resolver are on the same host, but a DNS server is on a different host.
  • Page 907 Configuration Guide Configuring DNS Configuring Static Domain Name Resolution 1.4.1 Overview Static domain name resolution allows a user to preset the mappings between domain names and IP addresses on a device. The system can find the IP address mapped to a domain name from the device without obtaining the required IP address from a DNS server on the network.
  • Page 908 Configuration Guide Configuring DNS 1.5.3 Prerequisites The IP address of a DNS server has been obtained. 1.5.4 Procedure (1) Enter the privileged EXEC mode. enable (2) Enter the global configuration mode. configure terminal Enable DNS domain name resolution. ip domain-lookup mgmt-name ] ] DNS domain name resolution is enabled by default.
  • Page 909 Configuration Guide Configuring DNS 1.6.3 Procedure (1) Enter the privileged EXEC mode. enable (2) Enter the global configuration mode. configure terminal (3) Enable the DNS proxy function. ip dns proxy enable DNS proxy is disabled by default. (4) (Optional) Configure the IP address mapped to a domain name. (IPv4 network) ip dns proxy host host-name ipv4-address No static mapping between a domain name and an IPv4 address is configured by default.
  • Page 910 Configuration Guide Configuring DNS If the port range is too narrow, the concurrent processing performance of the device is affected. If the port range is too wide, excessive flow table entry resources will be occupied and the egress device needs to adjust the flow table restriction synchronously.
  • Page 911 Configuration Guide Configuring DNS 2. Topology Figure 1-2 Topology of Static Domain Name Resolution 3. Notes Manually create the mapping between www.test.com and IP address 192.168.10.2 in the static resolution table of device A. 4. Procedure (1) Configure device A. Configure an IP address for the Layer 3 Ethernet interface GigabitEthernet 0/1.
  • Page 912 Configuration Guide Configuring DNS 6. Configuration Files Device A configuration file hostname DeviceA interface gigabitethernet 0/1 ip address 192.168.10.1 24 ip host www.test.com 192.168.10.2 1.8.2 Configuring Dynamic Domain Name Resolution 1. Requirements As shown in Figure 1-3, device A is a DNS client, which can resolve domain names through the DNS server on the network.
  • Page 913 Configuration Guide Configuring DNS 5. Verification Run the show hosts command to display the configured DNS server. DeviceA(config)# show hosts Name servers are: 192.168.10.2 static Host type Address TTL(sec) 6. Configuration Files Device A configuration file hostname DeviceA interface gigabitEthernet 0/1 ip address 192.168.10.1 24 ip name-server 192.168.10.2 1.8.3...
  • Page 914 Configuration Guide Configuring DNS 3. Notes  On device A, enable the DNS proxy function.  On device A, set the IP address mapped to test.com to 10.1.1.2/24.  On device A, set the IP address of the DNS server to 192.168.31.206/24. 4.
  • Page 915 Configuration Guide Configuring DNS ip dns proxy enable ip dns proxy host test.com 10.1.1.2 ip dns proxy nameserver 192.168.31.206 ...
  • Page 916 Configuration Guide Contents Contents 1 Configuring IPv6 Basics ........................1 1.1 Overview ............................ 1 1.2 Advantages ..........................1 1.3 Principles............................ 2 1.3.1 IPv6 Basics ........................2 1.3.2 ICMPv6 Protocol ......................12 1.3.3 IPv6 PMTUD ........................ 13 1.3.4 IPv6 Neighbor Discovery Protocol ................14 1.3.5 Protocols and Standards .....................
  • Page 917 Configuration Guide Contents 1.5.2 Configuration Task Summary ..................23 1.5.3 Configuring a Static Neighbor Entry ................23 1.5.4 Configuring ND Entry Management ................24 1.5.5 Configuring Address Resolution .................. 26 1.5.6 Configuring NUD ......................27 1.5.7 Configuring DAD ......................28 1.5.8 Configuring Redirection ....................
  • Page 918 Configuration Guide Configuring IPv6 Basics Configuring IPv6 Basics Overview As the Internet develops rapidly and the IPv4 address space is being exhausted, the limitations of IPv4 are becoming more and more obvious. At present, much research and practical work on Internet Protocol Next Generation (IPng) has been conducted.
  • Page 919 Configuration Guide Configuring IPv6 Basics from the nodes identified by the source addresses. ESP provides data encryption to realize end-to-end encryption. • Better QoS support A new field in the IPv6 packet header defines how to identify and process data streams. The Flow Label field in the IPv6 packet header is used to identify a data stream, and users can specify communication quality requirements by using this field.
  • Page 920 Configuration Guide Configuring IPv6 Basics 2. IPv6 Address Structure An IPv6 address consists of two parts: • Network prefix: n bits, similar to the network ID in an IPv4 address. • Interface ID: (128 – n) bits, similar to the host ID in an IPv4 address. The length of the network prefix is expressed as an additional value in classless inter-domain routing (CIDR) notation, separated from the IPv6 address by a slash (/). For example, in 12AB::CD30:0:0:0:0/60, the prefix length used for routing is 60 bits.
  • Page 921 Configuration Guide Configuring IPv6 Basics Figure 1-1 Link-Local Address (fields: 10 bits, 1111 1110 10; 54 bits; 64 bits, Interface ID) A link-local address is used to number hosts on a single network link. The address identified by the first 10 bits in the prefix is the link-local address.
  • Page 922 Configuration Guide Configuring IPv6 Basics Figure 1-4 Format of an IPv4-compatible IPv6 Address ○ The format of an IPv4-mapped IPv6 address is as follows: Figure 1-5 Format of an IPv4-mapped IPv6 Address IPv4-compatible IPv6 addresses are mainly used on automatic tunnels. Nodes on automatic tunnels support both IPv4 and IPv6.
  • Page 923 Configuration Guide Configuring IPv6 Basics Table 1-1 Common Multicast Address Scope Types (binary value: scope type) 0001: Local interface scope; 0010: Local link scope; 0011: Local subnet scope; 0100: Local management scope; 0101: Local site scope; 1000: Organization scope; 1110: Global scope •...
  • Page 924 Configuration Guide Configuring IPv6 Basics Caution Anycast addresses can be allocated only to devices, not hosts, and cannot be used as source addresses of packets. RFC 2373 defines an anycast address called the subnet-router anycast address. The following figure shows the format of a subnet-router anycast address.
  • Page 925 Configuration Guide Configuring IPv6 Basics Figure 1-9 Format of an IPv6 Packet Header (fields of the 40-byte header: Version, Traffic Class, Flow Label, Payload Length, Next header, Hop Limit, Source Address (128 bits), Destination Address (128 bits); followed by: Next header, Variable Length Extension Header Information, Data) The IPv6 packet header consists of 40 bytes, in units of eight bytes.
  • Page 926 Configuration Guide Configuring IPv6 Basics This field contains eight bits. Every time a device forwards a packet, the hop value is reduced by 1. If the hop value reaches 0, this packet will be discarded. It is similar to the lifetime field in the IPv4 packet header. •...
  • Page 927 Configuration Guide Configuring IPv6 Basics Figure 1-10 IPv6 Routing Header The Segments Left field is used to indicate the number of intermediate nodes specified in the routing header that a packet passes through from the current node to the final destination address. Currently, two routing types are defined: 0 and 2.
  • Page 928 Configuration Guide Configuring IPv6 Basics Table 1-2 Changes of Fields Transmission Fields Related to the Type 0 Routing Fields in the IPv6 Header Node Header Segments Left = 2 Source address = 1000::2 Host A Address 1 = 1002::1 (address of router 3) Destination address = 1001::1 (address of router 2) Address 2 = 1003::2 (address of host 2)
  • Page 929 Configuration Guide Configuring IPv6 Basics Figure 1-13 Type 0 Routing Header Used to Initiate DoS Attacks 10. IPv6 Hop-limit An IPv6 data packet passes through routers from the source address to the destination address. If a hop limit is configured, it decreases by one every time the packet passes through a router. When the hop limit decreases to 0, the router discards the packet to prevent it from circulating on the network indefinitely and wasting network bandwidth.
  • Page 930 Configuration Guide Configuring IPv6 Basics interface. • Time Exceeded (Type=3) ○ Code=0, indicating that the hop limit is exceeded during transmission. ○ Code=1, fragmentation timeout. • Parameter Problem (Type=4), indicating that an error occurs in the IPv6 header or extension header. ○...
  • Page 931 Configuration Guide Configuring IPv6 Basics As shown in the preceding figure, if the length of a packet to be sent by a host is greater than the PMTU, the router discards this packet and sends an ICMPv6 Packet Too Big message containing its PMTU to the host. The host fragments the packet based on the new PMTU.
  • Page 932 Configuration Guide Configuring IPv6 Basics (2) After receiving the NS packet, device B judges whether the destination address of the packet is its own IPv6 address. If yes, device B can learn the link layer address of device A and returns an NA packet containing its link layer address in unicast mode.
  • Page 933 Configuration Guide Configuring IPv6 Basics If no unicast address is configured for a newly started host, the host uses the unspecified address (0:0:0:0:0:0:0:0) as the source address of the RS packet. Otherwise, the host uses the configured unicast address as the source address and the multicast address of all devices in the local link (FF02::2) as the destination address in the RS packet.
  • Page 934 Configuration Guide Configuring IPv6 Basics Figure 1-17 Router Discovery/Prefix and Parameter Discovery Device A Device B Device C ICMPv6 type = 134 Source = Link-local address of this router Destination = Multicast address FF02::1 for all nodes on the local link Data = Options, router lifetime, address prefix list, and some other parameters automatically configured for the host.
  • Page 935 Configuration Guide Configuring IPv6 Basics (6) (Optional) Configuring the Default Gateway for a Management Interface (7) Configure the sending of ICMPv6 packets. The following configuration tasks are optional. Select either of them for configuration according to the actual condition. ○ Configuring the Specified Source Address for Sending ICMPv6 Packets ○...
  • Page 936 Configuration Guide Configuring IPv6 Basics IPv6 is disabled on an interface by default. (5) Configure an IPv6 address for the interface. The configuration steps below are mutually exclusive. Please configure only one task. ○ Manually configure an IP address for the interface. ipv6 address ipv6-address/prefix-length...
  • Page 937 Configuration Guide Configuring IPv6 Basics ipv6 bytes The MTU value of an IPv6 packet is the same as the value on an interface by default. 1.4.5 Configuring the IPv6 Fragment Reassembly Function 1. Overview By default, a device reassembles the IPv6 packets sent to the CPU, and then determines whether to forward them or process them locally.
  • Page 938 Configuration Guide Configuring IPv6 Basics 1.4.7 Configuring the IPv6 Hop Limit 1. Overview This section describes how to configure the hop limit for unicast packets to prevent infinite transmission of the packets on the network. 2. Procedure (1) Enter the privileged EXEC mode. enable (2) Enter the global configuration mode.
  • Page 939 Configuration Guide Configuring IPv6 Basics 2. Restrictions and Guidelines You can configure a specified address, like the address of the loopback interface, as the source address of ICMPv6 packets to simplify judgment. 3. Procedure (1) Enter the privileged EXEC mode. enable (2) Enter the global configuration mode.
  • Page 940 Configuration Guide Configuring IPv6 Basics 3. Procedure (1) Enter the privileged EXEC mode. enable (2) Enter the global configuration mode. configure terminal (3) Configure the transmission rate of the ICMPv6 error message. ipv6 icmp error-interval too-big ] interval [ bucket-size ] Ten messages are transmitted within 100 ms by default.
  • Page 941 Configuration Guide Configuring IPv6 Basics converted into a static one. An effective static neighbor entry will be always reachable. An invalid static neighbor entry refers to a static neighbor entry with the configured IPv6 address not matching the address configured on the interface (not within any IPv6 network segment of this interface, or in conflict with the address of this interface).
  • Page 942 Configuration Guide Configuring IPv6 Basics configure terminal (3) Enter the interface configuration mode. ○ Enter the Layer 3 Ethernet interface configuration mode. interface ethernet-type interface-number ○ Enter the Layer 3 link aggregation configuration mode. interface aggregateport interface-number ○ Enter the SVI configuration mode. interface vlan interface-number (4) Configure the maximum number of ND entries that can be learned by an interface.
  • Page 943 Configuration Guide Configuring IPv6 Basics (3) Enter the interface configuration mode. ○ Enter the Layer 3 Ethernet interface configuration mode. interface ethernet-type interface-number ○ Enter the Layer 3 link aggregation configuration mode. interface aggregateport interface-number ○ Enter the switch virtual interface (SVI) configuration mode. interface vlan interface-number (4) Enable the interface to learn ND entries via DAD NS packets.
  • Page 944 Configuration Guide Configuring IPv6 Basics ○ Enter the Layer 3 Ethernet interface configuration mode. interface ethernet-type interface-number ○ Enter the Layer 3 link aggregation configuration mode. interface aggregateport interface-number ○ Enter the SVI configuration mode. interface vlan interface-number (6) Configure the NS packet retransmission interval. ipv6 nd ns-interval interval...
  • Page 945 Configuration Guide Configuring IPv6 Basics nd reachable-time time By default, the value in an RA packet is 0 (indicating unspecified), and the duration in which a neighbor is considered reachable in neighbor discovery is 30,000 ms. (5) (Optional) Configure the duration in which a neighbor keeps in stale state. ipv6 nd stale-time time...
  • Page 946 Configuration Guide Configuring IPv6 Basics 1.5.8 Configuring Redirection 1. Overview If a router receiving an IPv6 packet finds a better next hop, it sends an ICMP Redirect packet to inform the host of the better next hop. The host will directly send the IPv6 packet to the better next hop next time. ICMPv6 redirection has the same function as ICMP Redirect packets of IPv4.
  • Page 947 Configuration Guide Configuring IPv6 Basics (4) Enable the sending of RA packets on this interface. no ipv6 nd suppress-ra No RA packets are sent by an IPv6 interface by default. (5) (Optional) Configure the address prefix to be advertised in an RA packet. ipv6 nd prefix { ipv6-prefix/prefix-length |...
  • Page 948 Configuration Guide Configuring IPv6 Basics ipv6 nd ra dns server ipv6-address { valid-lifetime | infinite sequence number The address of the DNS recursive resolution server in an RA packet is not configured by default. ○ Configure the DNS suffix in an RA packet. Run the following commands in turn. no ipv6 nd ra dns search-list suppress The DNSSL option is not carried in an RA packet by default.
  • Page 949 Configuration Guide Configuring IPv6 Basics (3) Configure the interval for ND packet rate statistics collection. ipv6 nd packet rate-statistics interval interval The ND packet rate statistics collection is disabled by default. 1.5.12 Configuring Local ND Proxy 1. Overview After local ND proxy is enabled on an interface, when receiving NS messages that request addresses of other hosts, the device replies with NA messages containing its MAC address.
  • Page 950 Configuration Guide Configuring IPv6 Basics ○ Enter the Layer 3 link aggregation configuration mode. interface aggregateport interface-number ○ Enter the SVI configuration mode. interface vlan interface-number (5) Configure the name of the prefix pool bound to the interface. ipv6 nd prefix pool pool-name No prefix pool is bound to an interface by default.
  • Page 951 Configuration Guide Configuring IPv6 Basics Table 1-3 IPv6 Monitoring Command Purpose clear ipv6 neighbors vrf-name ] [ interface-type Clears the dynamically learned neighbor entries. interface-number ] clear ipv6 neighbors oob Clears the dynamically learned neighbor entries on a management interface. show ipv6 address...
  • Page 952 Configuration Guide Configuring IPv6 Basics Configuration Examples 1.7.1 Manually Configuring IPv6 Addresses 1. Requirements Host A and host B communicate with each other through IPv6 addresses. 2. Topology Figure 1-18 Topology of IPv6 Addresses 3. Notes Enable IPv6 on an interface and configure an IPv6 address. 4.
  • Page 953 Configuration Guide Configuring IPv6 Basics interface GigabitEthernet 0/1 is Up, ifindex: 2, vrf_id 0 address(es): Mac Address: 00:50:56:b0:05:99 INET6: FE80::250:56FF:FEB0:599 , subnet is FE80::/64 INET6: 1000::1 , subnet is 1000::/64 Joined group address(es): FF01::1 FF02::1 FF02::2 FF02::1:FF00:0 FF02::1:FF00:1 FF02::1:FFB0:599 MTU is 1500 bytes ICMP error messages limited to one every 100 milliseconds ICMP redirects are enabled ND DAD is enabled, number of DAD attempts: 1...
  • Page 954 Configuration Guide Configuring IPv6 Basics 6. Configuration Files Device A configuration file hostname DeviceA interface gigabitethernet 0/1 ipv6 enable ipv6 address 1000::1/64 no ipv6 nd suppress-ra interface gigabitethernet 0/2 ipv6 enable ipv6 address 2000::1/64 no ipv6 nd suppress-ra 1.7.2 Enabling Stateless IPv6 Address Auto-configuration 1.
  • Page 955 Configuration Guide Configuring IPv6 Basics (2) Configure device B. DeviceB> enable DeviceB# configure terminal DeviceB(config)# interface gigabitethernet 0/1 DeviceB(config-if-GigabitEthernet 0/1)# ipv6 address autoconfig 5. Verification On device B, run the show ipv6 interface command to check that the interface automatically obtains an IPv6 address.
  • Page 956 Configuration Guide Configuring IPv6 Basics !!!!! Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms. 6. Configuration Files • Device A configuration file hostname DeviceA interface gigabitEthernet 0/1 ipv6 enable ipv6 address 2000::1/64 no ipv6 nd suppress-ra • Device B configuration file hostname DeviceB interface gigabitEthernet 0/1...
  • Page 957 Configuration Guide Contents: 1 Configuring DHCPv6; 1.1 Introduction; 1.2 Principles; 1.2.1 Basic Concepts; 1.2.2 Packet Format; 1.2.3 Requesting/Allocating Addresses; 1.2.4 Requesting/Allocating Prefixes; 1.2.5 Stateless Service; 1.2.6 DHCPv6 Relay Agent...
  • Page 958 Configuration Guide Contents: 1.6 Configuring the DHCPv6 Server to Assign Other Network Parameters; 1.6.1 Overview; 1.6.2 Configuration Tasks; 1.6.3 Configuring the DNS Address to Be Assigned from a DHCPv6 Server to a DHCPv6 Client; 1.6.4 Configuring the Domain Name to Be Assigned from a DHCPv6 Server to a DHCPv6 Client...
  • Page 959 Configuration Guide Configuring DHCPv6 Configuring DHCPv6 Introduction The Dynamic Host Configuration Protocol for IPv6 (DHCPv6) is a protocol that allows a DHCPv6 server to transfer configurations to IPv6 nodes, such as IPv6 address, domain name server (DNS) address, network information service (NIS) server address, and Simple Network Time Protocol (SNTP) server address. Compared with other IPv6 address assignment methods, such as manual configuration and Stateless Address Autoconfiguration (SLAAC), DHCPv6 has the following advantages: •...
  • Page 960 Temporary addresses (TAs), which are hardly used • PD, prefix delegation Based on the address type, IAs are classified into IA_NA, IA_TA, and IA_PD types. Ruijie DHCPv6 servers support only IA_NA and IA_PD. 5. Binding A DHCPv6 binding is a manageable address information structure. An address binding on a DHCPv6 server...
  • Page 961 Configuration Guide Configuring DHCPv6 data on a server is presented in the form of an address binding table. Bindings that contain IAs use DUID, IA-Type, or IAID as the index, and bindings that contain configurations use DUID as the index. 6.
  • Page 962 Configuration Guide Configuring DHCPv6 1.2.2 Packet Format 1. Format of Packets Exchanged Between a DHCPv6 Client and a DHCPv6 Server Figure 1-2 Format of Packets Exchanged Between a DHCPv6 Client and a DHCPv6 Server • Message type: Identifies the message type of a DHCPv6 packet. •...
  • Page 963 Configuration Guide Configuring DHCPv6 After being configured with available addresses, a DHCPv6 server can assign IPv6 addresses to hosts in the network and record the assigned addresses to improve the network manageability. 1. Principles Network hosts serve as DHCPv6 clients and DHCPv6 servers to implement address assignment, update, confirmation, and release through message exchanges.
  • Page 964 Configuration Guide Configuring DHCPv6 Figure 1-5 Two-Way Message Exchange A DHCPv6 client sends a SOLICIT message with the destination address FF02::1:2 and destination port 547 on the local link to request an address, a prefix, and configuration parameters. The SOLICIT message contains the Rapid Commit option.
  • Page 965 Configuration Guide Configuring DHCPv6 Figure 1-7 Rebinding (message sequence between DHCPv6 client and DHCPv6 server: REQUEST (multicast), REPLY (unicast), RENEW (multicast), REBIND (multicast), REPLY (unicast)) If no response is received within T2 after the DHCPv6 client sends a RENEW message to the DHCPv6 server, the DHCPv6 client sends a REBIND multicast message to the DHCPv6 server to rebind the address and prefix.
  • Page 966 Configuration Guide Configuring DHCPv6 6. Confirmation After moving to a new link or encountering a restart, a DHCPv6 client needs to confirm whether the original address is still available. Figure 1-9 Confirmation DHCPv6 Client DHCPv6 Server CONFIRM REPLY The DHCPv6 client sends a CONFIRM message to the DHCPv6 server on the new link to check whether the original address is still available.
  • Page 967 Configuration Guide Configuring DHCPv6 Downlink network devices serve as DHCPv6 clients to exchange messages with the DHCPv6 server to implement prefix assignment, update, and release. Downlink network devices obtain, update, rebind, and release prefixes by using the four-way or two-way message exchange mechanism similar to that for assigning addresses.
  • Page 968 Configuration Guide Configuring DHCPv6 enabling a DHCPv6 client to send packets to a DHCPv6 server on a different link. A DHCP relay agent is often deployed on the link where a DHCPv6 client resides. It is used to forward interaction packets between the DHCPv6 client and a DHCPv6 server.
  • Page 969 Configuration Guide Configuring DHCPv6 3. Multi-Level DHCPv6 Relay Agents Figure 1-14 Multi-Level DHCPv6 Relay Agents DHCPv6 Client DHCPv6 Relay DHCPv6 Relay DHCPv6 Server REQUEST RELAY-FORWARD RELAY-FORWARD RELAY-REPLY RELAY-REPLY REPLY A DHCPv6 relay agent encapsulates and decapsulates messages between a DHCPv6 client and a DHCPv6 server on different links to enable communication between them.
  • Page 970 Configuration Guide Configuring DHCPv6 IPv4 authentication information of the client and synchronizes the information to the authentication server. The authentication server authenticates or records the client based on the information. 1.2.8 Protocols and Standards • RFC 3315: Dynamic Host Configuration Protocol for IPv6 •...
  • Page 971 Configuration Guide Configuring DHCPv6 1.5.3 Configuring the IA_NA Address Prefix to Be Assigned from a DHCPv6 Server to a DHCPv6 Client (1) Enter the privileged EXEC mode. enable (2) Enter the global configuration mode. configure terminal (3) Create a DHCPv6 address pool and enter the DHCPv6 address pool configuration mode. ipv6 dhcp pool pool-name...
  • Page 972 Configuration Guide Configuring DHCPv6 (5) Configure the local prefix pool associated with the DHCPv6 server. prefix-delegation pool pool-name [ lifetime { valid-lifetime | infinite } { preferred-lifetime | infinite } ] No local prefix pool associated with the DHCPv6 server is configured by default. 1.5.6 Configuring Excluded Addresses on a DHCPv6 Server (1) Enter the privileged EXEC mode.
  • Page 973 Configuration Guide Configuring DHCPv6 The DHCPv6 server uses Option 52 to specify the IPv6 address of a Control and Provisioning of Wireless Access Points (CAPWAP) access controller (AC). 1.6.2 Configuration Tasks All the configuration tasks below are optional. Perform the configuration tasks as required. •...
  • Page 974 Configuration Guide Configuring DHCPv6 enable (2) Enter the global configuration mode. configure terminal (3) Enter the DHCPv6 address pool configuration mode. ipv6 dhcp pool pool-name No DHCPv6 address pool is configured by default. (4) Configure the boot file Uniform Resource Locator (URL) to be assigned from a DHCPv6 server to a DHCPv6 client.
  • Page 975 Configuration Guide Configuring DHCPv6 enable (2) Enter the global configuration mode. configure terminal (3) (Optional) Configure the format of Interface-ID on a DHCPv6 relay agent. dhcp relay option interface-id format user-defined text The interface name is specified in Interface-ID on a DHCPv6 relay agent by default. (4) (Optional) Configure the format of the MAC address in user-defined options on a DHCPv6 relay agent.
  • Page 976 Configuration Guide Configuring DHCPv6 address of the DHCPv6 server. After receiving the RELAY-FORWARD packet, the DHCPv6 server records the source IP address of the packet and uses it as the destination address of the RELAY-REPLY packet. That is, the response packet is destined for the IP address or interface specified by using the source interface designation function of the relay agent, so as to bypass the uplink interface of the DHCPv6 relay agent.
  • Page 977 Configuration Guide Configuring DHCPv6 Run the debug command to output debugging information. Caution Outputting debugging information occupies system resources. Therefore, disable the debugging function immediately after use. Run the clear command to clear information. Caution Running the clear commands may cause loss of vital information and thus interrupt services. Table 1-1 Monitoring Command...
  • Page 978 Configuration Guide Configuring DHCPv6 Command Purpose debug ipv6 dhcp detail Debugs DHCPv6. debug ipv6 dhcp relay Debugs a DHCPv6 relay agent. debug ipv6 dhcp server Debugs a DHCPv6 server. 1.10 Configuration Examples 1.10.1 Dynamically Assigning IPv6 Addresses 1. Requirements As shown in Figure 1-15, a DHCPv6 client in network segment 1001::1:0/64 requests address information from a DHCPv6 server (Device A) in the same subnet.
  • Page 979 Configuration Guide Configuring DHCPv6 DeviceA(config-if-VLAN 2)# ipv6 enable DeviceA(config-if-VLAN 2)# ipv6 address 1001::1:1/64 DeviceA(config-if-VLAN 2)# ipv6 dhcp server v6 Cancel suppression of RA messages released on the device. DeviceA(config-if-VLAN 2)# no ipv6 nd suppress-ra Set the configuration flag of managed addresses to 1, that is, enable hosts to obtain IPv6 addresses from the DHCPv6 server.
  • Page 980 Configuration Guide Configuring DHCPv6 1.10.2 Dynamically Assigning IPv6 Address Prefixes 1. Requirements As shown in Figure 1-16, Device B is a DHCPv6 client and requests an IPv6 address prefix (2001::1/64), DNS address, domain name, and other network parameters from Device A (a DHCPv6 server). 2.
  • Page 981 Configuration Guide Configuring DHCPv6 Set the configuration flags of other information to 1, that is, enable hosts to obtain other information except IPv6 addresses from the DHCPv6 server. DeviceA(config-if-VLAN 2)# ipv6 nd other-config-flag (2) Configure Device B: Configure an interface address. DeviceB>...
  • Page 982 Configuration Guide Configuring DHCPv6 6. Configuration Files • Device A configuration file hostname DeviceA ipv6 local pool myprefix 2001::1/64 64 ipv6 dhcp pool v6_pd dns-server 1001::1:2 domain-name example.com prefix-delegation pool myprefix interface vlan 2 ipv6 address 1001::1:1/64 ipv6 dhcp server v6_pd no ipv6 nd suppress-ra ipv6 nd managed-config-flag ipv6 nd other-config-flag...
  • Page 983 Configuration Guide Configuring DHCPv6 2. Topology Figure 1-17 Configuring DHCPv6 Relay 3. Notes • Enable the DHCPv6 Server function on Device A and configure addresses and other parameters. • Enable the DHCPv6 Relay function on Device B with the destination address pointed to VLAN 1 on Device •...
  • Page 984 Configuration Guide Configuring DHCPv6 DeviceB#configure terminal DeviceB(config)# interface vlan 2 DeviceB(config-if-VLAN 2)# ipv6 enable DeviceB(config-if-VLAN 2)# ipv6 address 2001::2/64 DeviceB(config-if-VLAN 2)# exit Configure a downlink interface address and enable the DHCPv6 Relay function. DeviceB(config)#interface vlan 1 DeviceB(config-if-VLAN 1)# ipv6 enable DeviceB(config-if-VLAN 1)# ipv6 address 1001::1/64 DeviceB(config-if-VLAN 1)# ipv6 dhcp relay destination 2001::2 (3) Configure Device C:...
  • Page 985 Configuration Guide Configuring DHCPv6 6. Configuration Files • Device A configuration file hostname DeviceA ipv6 dhcp pool v6 iana-address prefix 1001::/64 excluded-address 1001::1 1001::2 dns-server 1001::2 domain-name example.com interface vlan 1 ipv6 address 2001::1/64 ipv6 dhcp server v6 no ipv6 nd suppress-ra ipv6 nd managed-config-flag ipv6 nd other-config-flag •...
  • Page 986 Configuration Guide Contents: 1 Configuring DHCPv6 Client; 1.1 Introduction; 1.1.1 Overview; 1.1.2 Principles; 1.1.3 Protocols and Standards; 1.2 Restrictions and Guidelines; 1.3 Configuring DHCPv6 Client to Request an IPv6 Address; 1.3.1 Overview...
  • Page 987 Configuration Guide Configuring DHCPv6 Client Configuring DHCPv6 Client Introduction 1.1.1 Overview The Dynamic Host Configuration Protocol for IPv6 (DHCPv6) is used to assign IPv6 addresses, IPv6 prefixes, and other network configuration parameters to client hosts. When a device serves as a DHCPv6 client, the device can: •...
  • Page 988 Configuration Guide Configuring DHCPv6 Client 1.3.2 Restrictions and Guidelines The DHCPv6 Client function can be configured only on L3 interfaces. 1.3.3 Procedure (1) Enter the privileged EXEC mode. enable (2) Enter the global configuration mode. configure terminal (3) Enter the interface configuration mode. ○...
  • Page 989 Configuration Guide Configuring DHCPv6 Client interface ethernet-type interface-number ○ Enter the Layer 3 link aggregation configuration mode. interface aggregateport interface-number ○ Enter the SVI configuration mode. interface vlan interface-number (4) Enable the DHCPv6 Client function to request an IPv6 address prefix. ipv6 dhcp client pd prefix-name [...
  • Page 990 Configuration Guide Contents: 1 Configuring DHCPv6 Snooping; 1.1 Introduction; 1.1.1 Overview; 1.1.2 Principles; 1.1.3 Applications; 1.1.4 Protocols and Standards; 1.2 Restrictions and Guidelines; 1.3 Configuration Task Summary; 1.4 Configuring Basic DHCPv6 Snooping Functions...
  • Page 991 Configuration Guide Configuring DHCPv6 Snooping Configuring DHCPv6 Snooping Introduction 1.1.1 Overview Dynamic Host Configuration Protocol for IPv6 (DHCPv6) snooping snoops DHCPv6 packets exchanged between clients and servers, including request packets from the clients and response packets from the servers. These packets are used to record and monitor usage of IPv6 addresses and filter out invalid DHCPv6 packets.
  • Page 992 Configuration Guide Configuring DHCPv6 Snooping DHCPv6 server may fail to use the network due to address conflicts. By snooping packets between the clients and servers, DHCPv6 Snooping summarizes user entries, including IPv6 addresses, Media Access Control (MAC) addresses, VLAN IDs (VIDs), ports, and lease time to build the DHCPv6 Snooping binding database, ensuring proper use of IPv6 addresses.
  • Page 993 Configuration Guide Configuring DHCPv6 Snooping ○ A valid DHCPv6 RELEASE or DHCPv6 DECLINE packet from a client is snooped. ○ A client user runs the clear command to delete a binding or prefix entry. 3. DHCPv6 Option 18 or 37 Some network administrators want to assign and manage IP addresses based on information about the network devices to which user clients are connected (that is, client locations).
  • Page 994 Configuration Guide Configuring DHCPv6 Snooping Figure 1-2 Default Padding Content of Interface ID in Extended Padding Format Sub Length Interface ID Length VLAN ID 0065 Sub Type Interface ID Type Slot Port The following figure shows the extended padding content in extended padding format. Figure 1-3 Extended Padding Content of Interface ID in Extended Padding Format Sub Length...
  • Page 995 Configuration Guide Configuring DHCPv6 Snooping after the sub-option length field. For default padding content, the content type is set to 0. For extended padding content, the content type is set to 1. The following figure shows the default padding content in extended padding format. Figure 1-5 Default Padding Content of Remote ID in Extended Padding Format Sub Length...
  • Page 996 Configuration Guide Configuring DHCPv6 Snooping Dev Slot --- ---- ------> The slot ID is 0. ------> The slot ID is 1. ------> The slot ID is 2. ------> The slot ID is 3. ------> The slot ID is 4. ------> The slot ID is 5. In this case, the slot ID of the AP is 6.
  • Page 997 Configuration Guide Configuring DHCPv6 Snooping As shown in the following figure, request packets sent from a DHCPv6 client are checked. The RELEASE and DECLINE packets from clients must match the entries in the DHCPv6 Snooping binding database. Figure 1-8 Guarding Against Forged DHCPv6 Packets DHCPv6 client C Forged DHCPv6...
  • Page 998 Configuration Guide Configuring DHCPv6 Snooping Figure 1-9 Guarding Against IPv6/MAC Address Spoofing Legal IPv6 packet (MAC address A, Device IPv6 address A) Untrusted port Trusted port Untrusted DHCPv6 server DHCP client A port MAC address A IPv6 address A Forged IPv6 packet Forged IPv6 packet (MAC address B, (MAC address A,...
  • Page 999 Configuration Guide Configuring DHCPv6 Snooping Configuration Task Summary DHCPv6 Snooping configuration includes the following tasks: (1) Configuring Basic DHCPv6 Snooping Functions (2) Configuring Optional DHCPv6 Snooping Functions (3) (Optional) Configuring Option 18 or 37 Configuring Basic DHCPv6 Snooping Functions 1.4.1 Overview Enable basic DHCPv6 Snooping functions to filter out invalid DHCPv6 packets and control the transmission scope of DHCPv6 packets.
  • Page 1000 Configuration Guide Configuring DHCPv6 Snooping ○ Write all dynamic user information in the DHCPv6 Snooping binding database to a flash memory at a scheduled time. ipv6 dhcp snooping database write-delay time The function of writing all dynamic user information in the DHCPv6 Snooping binding database to a flash memory at a scheduled time is not configured by default.
